Recently in Virus / Spyware Category

Thanks for providing the smitRem tool, it was great at getting rid of the installed program and pop-up. After running it though, my display still stays with the basic blue background. If I try to change the wallpaper in display settings, I cannot select any of the patterns and the scrollbar does not move. I think that the "desktop" tab of the display settings has been faked somehow. The various files like 'aquarium, ascent' aren't actually .bmp's in the Windows directory. This is the same problem that I noticed before I ran smitRem. I have used webshots for wallpaper and while that runs fine, it does not change the wallpaper image either. Is there something else that I still have to remove?

Here is a shot of the desktop settings that I am talking about.

Answer:

http://www.freecomputeradvice.net/downloads/fixreg.zip

That will solve it; just download and run those two items. You may have to restart.

I came across a particularly nasty virus lately and I wanted to share some techniques for removing this virus and other virus programs that work the same way. The customer came in and said his laptop was running slow and thought he may have a virus. First things first: run HijackThis and remove anything that looks suspicious, restart, run it again, and find that all the ones I just removed came back. This is common: you remove them, they come back. So I make a note of those files, restart into Safe Mode and then manually delete those files. OK, done; however upon restarting I still have pop-up advertisements.

I run Sysinternals Process Manager to view all processes currently running on the PC and I find nothing out of the ordinary. Very strange. This is where things start to get confusing: how are these advertisements showing up if no running process is creating them?

This is a good time to introduce another tool by Sysinternals: File Monitor. This program will show you a running list of all the files currently being accessed by the operating system. Now we can get a clear picture of not only the running processes themselves but also the files being accessed. If you look at the screenshot below you will see one file in particular that looks suspicious, fccax.dll. It appears over and over again, and a quick Google search reports that it is in fact spyware. So now what? Let's delete it. However, we cannot delete it now because it is in use, and restarting into Safe Mode won't work either; it's still in use. Insert your Windows XP CD and boot from it, at the first screen hit 'R' to get into the Recovery Console, and from there you can delete the file.

How to use Hijack This


Upon running HijackThis you will get to the screen shown below. What you want to do here is click on 'Do a system scan only'. This will scan your PC for startup programs located in the registry, startup folders, etc. Basically this returns a list of programs that start when your computer starts up. We want to see this information so we can identify bad things and remove them.

We will now have a screen similar to what is shown below. This is where it gets a little difficult, because bad programs don't exactly pop up and say 'I'm bad, remove me'. However, some of them do give good clues. Here are a few.

  • Some SpyWare programs hide themselves as a 'search bar' of some sort, so the location will be C:\Program Files\SuperCoolSearchBar
  • Some SpyWare programs have random names and live in the system32 directory, for example C:\Windows\System32\ajeiej2la.exe
  • Static entries in the hosts file are typically bad, as shown below. Remove them.

Keep in mind these are only a few, and you have to be careful not to remove something you need, because unlike msconfig there is no going back after you remove an entry.
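As an added example (not HijackThis itself and not this site's code), the Python script below applies the three clues above to a handful of constructed HijackThis-style scan lines: a non-default hosts entry, a 'search bar' folder under Program Files, and a random-looking file name in system32. The sample lines, the documentation IP 192.0.2.10, the GUIDs, the `looks_random` heuristic and the small `KNOWN_GOOD_SYSTEM32` allow-list are all assumptions made for the demo; the allow-list is there because legitimate Windows files such as ctfmon.exe would otherwise trip the name check, which is exactly the "don't remove something you need" caveat.

```python
"""Triage of HijackThis-style scan lines using the clues from the post.

Added example, not HijackThis itself and not this site's code. It assumes the
common HijackThis line shapes (O1 hosts entries, O2 BHOs, O4 Run keys) and runs
three checks: non-default hosts entries, 'search bar' folders under Program Files,
and random-looking names in system32 (with an allow-list for known Windows files).
"""
import re

# Constructed sample in the shape of HijackThis output (192.0.2.10 is a
# documentation IP and the GUIDs are made up; none of this is a real scan).
SAMPLE_LOG = """\
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 192.0.2.10 www.google.com
O2 - BHO: Adobe PDF Reader Link Helper - {00000000-0000-0000-0000-000000000001} - C:\\Program Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: SuperCoolSearchBar - {00000000-0000-0000-0000-000000000002} - C:\\Program Files\\SuperCoolSearchBar\\scsb.dll
O4 - HKLM\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O4 - HKLM\\..\\Run: [ajeiej2la] C:\\WINDOWS\\System32\\ajeiej2la.exe
O4 - HKCU\\..\\Run: [msnmsgr] "C:\\Program Files\\MSN Messenger\\msnmsgr.exe" /background
"""

# First Windows path on a line, ending in a common executable extension.
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|ocx|cpl)\b", re.IGNORECASE)
# Assumed allow-list: legitimate system32 names that look 'random' to the heuristic.
KNOWN_GOOD_SYSTEM32 = {"ctfmon.exe", "rundll32.exe", "userinit.exe", "igfxtray.exe"}
VOWELS = set("aeiouy")


def looks_random(stem):
    """Heuristic: digits mixed into letters, or almost no vowels, reads as machine-generated."""
    s = stem.lower()
    if len(s) < 6:
        return False
    digit_inside = any(c.isdigit() for c in s[1:-1]) and any(c.isalpha() for c in s)
    letters = [c for c in s if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / max(len(letters), 1)
    return digit_inside or vowel_ratio < 0.2


def check_entry(line):
    """Return the clue matched by one scan line, or None if nothing stands out."""
    if line.startswith("O1 - Hosts:"):
        parts = line.split(":", 1)[1].split()
        if len(parts) >= 2 and parts[0] in ("127.0.0.1", "::1") and parts[1] == "localhost":
            return None  # the default loopback entry is expected
        return "static hosts entry"
    m = PATH_RE.search(line)
    if not m:
        return None
    parts = m.group(0).split("\\")
    lowered = [p.lower() for p in parts]
    if "program files" in lowered:
        vendor = lowered[lowered.index("program files") + 1]
        if "search" in vendor or vendor.endswith("bar"):
            return "search bar under Program Files"
    if "system32" in lowered:
        filename = parts[-1]
        if filename.lower() not in KNOWN_GOOD_SYSTEM32 and looks_random(filename.rsplit(".", 1)[0]):
            return "random-looking name in system32"
    return None


def triage(log_text):
    """Return [(clue, line), ...] for the lines worth a closer look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        clue = check_entry(line)
        if clue:
            findings.append((clue, line))
    return findings


if __name__ == "__main__":
    for clue, line in triage(SAMPLE_LOG):
        print(f"[{clue}] {line}")
```

Running it flags the second hosts line, the SuperCoolSearchBar BHO and the ajeiej2la.exe Run entry, and leaves ctfmon.exe, the Adobe helper and MSN Messenger alone. The clues only narrow the list; each flagged path still deserves a look (and a search) before you fix it in HijackThis.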

Well, I know I'm a few days behind on this, but Conficker is most definitely not a hoax. Reports show that the virus has activated and the infected clients are starting to attack others. If you are interested in this topic at all, I'm sure you have already read this somewhere else, so there's no use in me just repeating old news.

What I would like to talk about is some of the interesting technical things about this virus. First of all, how it spreads is a little unique. Most virus programs spread either by email ('Click here for your free e-card!'), through a flaw in a web browser, or even through a flaw in Windows. What's unique about this virus is that it uses a security flaw in Windows to infect USB drives. This to me just sounds really clever. A lot of people may not use virus protection or run updates on old computers that don't get on the Internet. Computer users think that because the machine is not connected to the Internet they are safe. Well, now if you plug in a USB drive from an infected machine, you aren't.

Let's talk about what the virus actually does once it infects you.

  • Deletes any system restore points you may have made. Geez, how heartless can you be?
  • Next it connects to its home base and downloads an update.
  • Now the virus installs a small web server on the infected machine and then gives that info to other infected machines.
  • So now the infected computer can spread the virus without the home base being involved.

Why this is a big deal?

Any time you have a virus attack like this it's a big deal, because so many infected computers are now working together. They could all be used at once to perform a denial of service attack on a site. What else? Well, anything really. Since the virus can update itself we don't know what it's capable of or what the true intentions are.

Why it's not a big deal

There's a cure and a removal tool! Also if your systems were patched on time you are already protected. Read more here.

Find Hidden Programs


If you are looking to find hidden programs on your computer there are a few ways to do this.

Find running programs

Probably my favorite program for finding running programs is Process Explorer. Task Manager can be too basic and doesn't give you all the important details you need. Process Explorer is basically an advanced version of Windows' Task Manager that tells us some vital information. Let's look at some of the differences. Task Manager (accessible by right-clicking on the taskbar then clicking Task Manager) allows you to view processes running in Windows. However, some processes are hidden from this view. Take a look below.


Windows Task Manager

Now let's take a look at a screenshot of Process Explorer.

If you have a virus, chances are you may see it listed here. Another great feature is that you can right-click on a program and find the exact path to the file. Then you can copy and paste that into OTMoveIt to quickly delete it.

You can see that by moving my mouse over calc.exe it listed the path to the executable. I can also right-click to stop it from running. This has many other uses; for example, if I notice that each time I remove an entry from my startup list using msconfig it comes back, I can watch Process Explorer to see if a process is starting at the same time. Process Explorer will show a program for a few seconds after it has run, so you can tell that a program just started and then abruptly stopped. Now just check the file name: if it's a random string of letters then you can assume it's a virus program (in most cases).

I've been reading a lot about the Conficker virus that is out there and soon to unleash fury on everyone on Wednesday. This is going to be a really short post, but I just want to point out the highlights.

  • This virus was patched in October 2008.
  • If your Windows updates are up to date you're probably OK.
  • If your virus protection is installed and up to date, you are probably OK.
  • If you are concerned, download the removal tool and run it.
  • Complete information can be found here.

The bottom line is that every few months I hear about something like this. In this case there is absolutely no evidence anything will happen on Wednesday, so like all other virus warnings, take them seriously and patch your systems. I'll make a post Thursday assuming Skynet hasn't taken over.

Spyware Quake Removal


It's very important, if you have not already done so, that you visit http://windowsupdate.microsoft.com and keep your computer up to date. There is a very important update that fixes a flaw in the Windows operating system that allows hackers to execute code on your computer when you visit an infected website.

Spyware Quake is a fake antispyware 'tool' that comes up after you are infected. This program is totally false and needs to be removed as soon as possible. This virus is very similar to Trojan.Spaxe.

You will know you are infected if you see a balloon at the bottom of your screen that says the following:

Your computer is infected!
Critical System Error!
System detected virus
activities.  They may cause
critical system failure. Please
use antimalware software to
clean and protect your system
from parasite programs.
Click here to get all available
software.

Removal Directions

  1. Download and save smitRem.zip
  2. Reboot and start into Safe mode
  3. Extract smitRem.zip
  4. Open folder where smitRem.zip extracted then double click on RunThis.bat
  5. Remove the following files (you may have to use KillBox to remove stubborn files that are in use; you may not have all of these files):
    • c:\windows\system32\nvctrl.exe
    • c:\windows\system32\dfrgsrv.exe
    • c:\windows\system32\mssearchnet.exe
    • c:\windows\system32\stickrep.dll
    • c:\program files\spywarequake\
  6. After the program runs you can safely restart the computer and the infection is gone! Be sure to always keep your Windows up to date!

Removing a virus


Talk about frustration! You found the virus files using HijackThis and you remove them, yet when you restart they reappear. When you try to manually delete the file you get an 'Access is denied' or something similar. So what gives? Today we'll be going over some tactics for removing files that are in use and are hard to delete.

Move It!

The first and easiest way to remove hard-to-delete files is to use a program called OTMoveIt! This thing is great: you type in the file name and most of the time it deletes the file. Another great program is KillBox. A great thing about both of these programs is that if the file cannot be deleted, they will try to remove it on the next reboot. Something very useful for those hard-to-delete files.

Just to be safe

Sometimes even those great programs won't cut it. For extreme cases you may have to add an extra step or two. Fortunately it's really easy: boot into Safe Mode. Yep, when you are in Safe Mode Windows disables almost all functionality, so hopefully that means these virus programs too.

Boot into Safe Mode by:

  1. Restarting your PC
  2. Press F8 until a menu comes up asking you to make a selection
  3. Choose Safe Mode and press enter

You're in. Now try the same process as above using the removal tools, and good luck. If you still have problems leave us a note in our Ask A Question section.
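The "remove it on the next reboot" fallback that OTMoveIt! and KillBox rely on (and that step 5 of the Spyware Quake directions above leans on for files in use) is a Windows feature: `MoveFileEx` called with `MOVEFILE_DELAY_UNTIL_REBOOT` adds the file to the `PendingFileRenameOperations` value under `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager`, and Session Manager deletes it at the next boot before anything can open it again. The Python below is an added example of that mechanism, not either tool's code; `remove_now_or_at_reboot`, `pending_rename_entries`, `parse_pending` and `demo_in_tempdir` are names made up for the demo, and the file names only mimic the Spyware Quake list. Queueing needs administrator rights and only works on Windows; the entry-format helpers run anywhere.

```python
"""Delete-on-next-reboot, the trick behind OTMoveIt! and KillBox (added example, not their code).

Windows keeps a REG_MULTI_SZ list, PendingFileRenameOperations, under
HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager. Session Manager walks it at the
next boot: entries come in (source, destination) pairs and an empty destination means
delete. MoveFileEx(src, NULL, MOVEFILE_DELAY_UNTIL_REBOOT) appends such a pair.
"""
import ctypes
import os
import sys
import tempfile

MOVEFILE_DELAY_UNTIL_REBOOT = 0x4  # flag value from winbase.h
NT_PREFIX = "\\??\\"               # prefix Windows writes in front of each queued path


def pending_rename_entries(paths):
    """Build the PendingFileRenameOperations pairs that would delete each path."""
    entries = []
    for path in paths:
        entries.append(NT_PREFIX + path)
        entries.append("")  # empty destination: delete instead of rename
    return entries


def parse_pending(entries):
    """Turn a PendingFileRenameOperations list into (source, destination_or_None) pairs,
    handy for reviewing what is queued before you reboot."""
    def strip(p):
        return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p
    return [(strip(src), strip(dst) or None)
            for src, dst in zip(entries[0::2], entries[1::2])]


def remove_now_or_at_reboot(path):
    """Try a normal delete; if the file is in use (PermissionError on Windows),
    queue it for deletion at next boot. Returns 'deleted', 'queued' or 'missing'."""
    if not os.path.exists(path):
        return "missing"
    try:
        os.remove(path)
        return "deleted"
    except PermissionError:
        if sys.platform != "win32":
            raise  # the reboot fallback only exists on Windows
        ok = ctypes.windll.kernel32.MoveFileExW(path, None, MOVEFILE_DELAY_UNTIL_REBOOT)
        if not ok:
            raise ctypes.WinError()  # typically 'access denied' when not run as admin
        return "queued"


def demo_in_tempdir():
    """Constructed demo: a throwaway file named like one from the Spyware Quake list,
    removed once normally and then reported missing on the second attempt."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "stickrep.dll")
        open(target, "w").close()
        return remove_now_or_at_reboot(target), remove_now_or_at_reboot(target)


if __name__ == "__main__":
    print(demo_in_tempdir())
    queued = pending_rename_entries([r"c:\windows\system32\nvctrl.exe"])
    for src, dst in parse_pending(queued):
        print("queued:", src, "->", dst or "(delete)")
```

Because the queue is just a registry value, it is also worth reading before you reboot: malware can use the same mechanism, and `parse_pending` over the value's contents shows exactly which files will be renamed or removed at startup.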

If you have recently been infected with a virus you may now be unable to change your desktop background. Typically the virus will replace your background with a big ugly 'You are infected!' background. Of course it'll ask you to buy their 'cure' that will solve all of your problems. This is bad, and we want to get back to our World of Warcraft background. Here's how to do it.

I recently received this question.

"Thanks for providing the smitRem tool, it was great at getting rid of the installed program and pop-up. After running it though, my display still stays with the basic blue background. If I try to change the wallpaper in display settings, I cannot select any of the patterns and the scrollbar does not move. I think that the "desktop" tab of the display settings has been faked somehow. The various files like 'aquarium, ascent' aren't actually .bmp's in the Windows directory. This is the same problem that I noticed before I ran smitRem. I have used webshots for wallpaper and while that runs fine, it does not change the wallpaper image either. Is there something else that I still have to remove?"

You can see in the above screenshot that this user is unable to change their background. Fortunately for us this is actually pretty easy to fix and can be done with a simple registry edit. I have both of the registry files available for download here.

Protect your computer

If you own a computer there is a very good chance that it is infected with virus or spyware programs. They come in many shapes and forms and come at you from many different directions. There are also many tools to help you remove virus infections once they happen, but the best bet is to avoid these problems altogether. How you can prevent infections is what this article is all about.

Be careful of the web sites you visit

Many virus / spyware infections actually use exploits in the operating system itself to have their code automatically installed when you visit an infected web site. This often happens when people visit certain web sites. For example, certain adult web sites have been known to try to infect your unprotected computer with code that will take over your computer's modem and try to dial 1-900 numbers on your phone line. Some web sites will offer 'Free Screensavers' or other forms of something free; once installed, the 'free' software will install spyware that is very difficult to remove. Unless you know it's from a trusted source, do not install any software from a web site. If you are browsing a web site and something pops up and asks you to install a plugin, it is very important that you close that window unless you trust that web site. Clicking 'Yes' on one of those windows may let in a stream of spyware programs.

Keep your Windows updated

Now that you are careful about what web sites you visit, you must also make sure that your operating system is up to date. This is something that should be done regularly: basically, when Microsoft discovers problems or security vulnerabilities in their software they fix them. If you never visit the Windows Update site you will never get that fix and your system will remain vulnerable. Windows Update doesn't only fix problems, but also offers free upgrades to Windows components, such as Windows Movie Maker and Windows Media Player. These are great additions that are totally free! Windows users can visit http://windowsupdate.microsoft.com to update their system at any time.

Protect yourself

Now that your computer is updated you still need additional software to be safe: antivirus software. There are many different products to choose from: Microsoft OneCare, Norton Internet Security, McAfee, etc. I've had good success with OneCare; it costs $49.95, includes one year of updates, and you can install it on three computers. Once installed it will automatically keep itself updated and continuously scan your system for any virus or spyware programs. If it finds anything that shouldn't be there it will automatically remove it for you. If you are running Windows XP you should also turn on your firewall. This can easily be done by clicking on Start, then Control Panel, Network Connections, then right-clicking on 'Local Area Connection' (if you are connected via a wireless network then you want to right-click on 'Wireless Network Connection'), clicking on the 'Advanced' tab, then switching the setting to 'On'.

Those are just three simple steps you can take to better prevent your computer from being infected with virus programs.