Malware Removal - Where to draw the line

A little intro first...
As many of you know (or don't know), I guide people with removing malware from their computers, or help them with other Windows issues not related to malware. This mainly happens via forums and newsgroups. I used to guide people via mail as well, but quit that since I don't have the time for it anymore.
"Step by step" instructions are really needed, since many people don't know much about computers and without detailed instructions they could make things worse. Even when detailed instructions are given, with screenshots and so on included, some still have trouble performing the steps properly.
Yes, a lot of patience is needed in many cases.
Many people have asked me why I do this, giving almost all of my free time as a volunteer to help other people online. Well, there are several reasons why I do this...

1st... My hunger for knowledge. I love to learn and want to learn something new every day. Fixing computers is like solving a puzzle for me: find the cause and try different solutions. It's always a challenge to find and understand the cause in the first place. Without knowing the cause, you can't offer a proper solution either.
In the case of malware removal, the challenge is to find the loading points, what it changes/modifies and how it behaves in general. Based on that you can give the proper instructions on how to remove it and restore whatever it has broken/modified.
The next time you see the same problem, you already know how to deal with it, because it's something you've learned and remembered.
I don't want to give instructions/solutions if I don't understand them in the first place, because that wouldn't make sense and I would learn nothing from it.

2nd... As I said, many people still don't know much about computers. I don't really see this as a problem, as long as they know how to secure their computer. Unfortunately, many don't know anything about this. They don't even know what an Antivirus/Firewall is, why it is needed and what the dangers of the internet are. Many don't take this seriously either and always think that it won't happen to them - until it happens (sooner than they think).
Another lesson learned, I hope. Some will never learn, as I explained here - or don't see why they should secure their computer, as explained here.
Prevention is better than removal... and that's what I try to teach these people. If more people took this seriously, secured their computers and were always careful about where they surf, what links they click and what they download, then I'm sure that the internet would be a bit safer for everyone.

3rd... I just love to help people in general. If they ask for help and I know how it can be solved, or where to find the solution, why wouldn't I help them? A simple "Thank You" afterwards, the appreciation you get, already means a lot to me. I'm always glad that I could teach something and hope that they will learn from it as well.

Also, Budfred's Rant: Volunteers and Malware Criminals sums it up nicely with more reasons why I am doing this and as you'll also read there, volunteers don't always get the appreciation for what they are doing.

Through the years, malware has become more difficult to find (rootkits etc.), more stubborn to remove and nastier in general. One click on a file or link can already download and install a huge malware bundle where many different infections are installed.
You see popups all the time, your desktop wallpaper has been replaced with a "fake alert" displaying that your computer is infected (well, it IS infected, but these "fake alerts" ask you to purchase their own product in order to remove the malware they installed in the first place).
Although the fake alerts and popups/advertisements you get are the most annoying part and look the worst, they are actually the least of your concerns. What is hiding in the background is the more serious issue. Trojans in general, such as backdoors, password stealers, keyloggers etc., all have their own purposes and can do a lot of damage!
And as I said, all of the above can be installed via one single click on one link or file! I've even seen file infectors/worms/bots joining the party as well.
The problem is still that many are not aware of what the other malware does, or is capable of, and are already satisfied if the annoying popups don't display anymore, their desktop background has been fixed etc.
Then they don't need further help anymore, because they think that their issue is already resolved while the biggest problem is still present, silently doing its job in the background. They are not aware that their computer is still severely infected and badly compromised... and responsible for infecting other computers on top of that.
And what worries me the most is that some don't even care - as long as the annoying popups are gone.

Malware compromises/damages a lot, that's a fact - and especially in the case of a severely infected computer, even if I clean the malware off the computer, I cannot guarantee that the computer will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I cannot promise that I can repair all the damage it caused... Even after cleaning the malware, errors may still be present because of the damage. Solving these is not always possible, since finding the right cause and solution is like searching for a needle in a haystack. Although I love to solve puzzles, I sometimes wonder if it's really worth it in such cases.

That's the main disadvantage of guiding people via forums etc: instructions should be followed asap, and this is not always possible. Also, an internet connection is needed to read the instructions, and in the case of severely infected computers I recommend that they disconnect from the internet asap and use another computer to read the instructions from. Unfortunately, this is not always possible either, since not everyone has a spare computer.
If I guide someone with cleaning a severely infected computer, it is my responsibility to make them aware of what state their computer is in, how severely infected/compromised it is, that they should change passwords afterwards etc. etc.... and I won't promise them a clean computer afterwards, because that would be a lie.
I've seen cases where volunteers have been helping a user with a severely infected computer for weeks....
And that's why, in such cases, I throw in the towel more often and ask them to back up important data, then format and reinstall Windows. Not because I give up, but rather because it's really not worth it to clean this mess up manually and then on top of that restore (if possible) whatever the malware has broken/modified. In such cases, a format and reinstall is the fastest and especially the SAFEST solution.
As a matter of fact, I think it would be irresponsible of me to guide people through manual removal in such cases, knowing that removing the malware from severely infected computers takes a lot of time, especially if you're doing this via online instructions, and every single minute that this computer is connected to the internet, it may download more malware, spread more malware, collect more info, send more SPAM etc....
Also, if file infectors are in play, in 80% of the cases I recommend a format and reinstall anyway if an Antivirus scanner is not able to disinfect the files (properly). Unless the person knows which files are corrupted and knows how to replace them with clean ones. But then again, there's no guarantee that everything will work properly again and that the infection will really be gone.

That's why.... Where to draw the line? When to recommend a format and reinstall?

Dutch users Alert! - Beware of fake Tax forms - episode 2

Thanks to Jan (who was infected with this one) for sharing the samples. Some were detected by most Antivirus scanners. Others weren't detected at all, so I've sent the samples to the Antivirus vendors.
It is confirmed now... This one spreads via IM (Messenger - Windows Live Messenger). And since this is a worm, a lot of others may be infected with this one as well.
I don't know via which URL yet (will find out later).

Some of the files it drops:

%systemdrive%\svchost.exe and %systemdrive%\smss.exe

svchost.exe is already detected by most scanners as Backdoor.Win32.VB.bsf. The author is Dutch, that's for sure.
svchost.exe and smss.exe have several different loading points. The main ones are:

* HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

* HKCR\exefile\shell\open\command
%systemdrive%\svchost.exe "%1" %*

This means the file association for exe files is replaced with the malicious file. So if the file is removed, the exe association will be broken and you won't be able to run exe files anymore.
To fix this, go to Start > Run > type "" (without the quotes). In the command prompt, type: ftype exefile="%1" %*
This restores the default association for exe files.

* HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Generic Host Process for Win32 Services=%systemdrive%\svchost.exe
Session Manager SubSystem=%systemdrive%\smss.exe

+ some extra policies:


In case you were infected with this one, please make sure you change all your passwords afterwards as they may be known.
As a matter of fact, make sure you don't get infected with this one in the first place - so always be careful with clicking links in IM, even when they come from friends. Verify with the sender first if the link was sent intentionally or not.
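The two loading points above are the kind of thing a helper looks for in a registry export before cleaning. As an added example (not code from the original post), the script below parses the text of a .reg export and flags exactly those two conditions: an exefile\shell\open\command value that is no longer the default "%1" %*, and Run entries whose executable carries the name of a core Windows process (svchost.exe, smss.exe, ...) but does not live in %systemroot%\system32. The .reg text is a constructed sample modelled on the post, not a capture from the infected machine; the key names, the process-name list and the parser are my assumptions, and real regedit exports are UTF-16 and must be decoded to text first.

```python
import re

# Constructed sample of a .reg export (not a real capture) showing the
# loading points from the post: the hijacked exefile association and two Run
# entries pointing at svchost.exe/smss.exe in the root of the system drive.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\svchost.exe \"%1\" %*"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Generic Host Process for Win32 Services"="C:\\svchost.exe"
"Session Manager SubSystem"="C:\\smss.exe"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
DEFAULT_EXEFILE_COMMAND = '"%1" %*'   # what `ftype exefile="%1" %*` restores
# Core process names that live in system32 on a clean install (assumed list).
SYSTEM_PROCESS_NAMES = {"svchost.exe", "smss.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
SYSTEM32_RE = re.compile(r'^[a-z]:\\(windows|winnt)\\system32\\[^\\]+$', re.I)
# A value line is `@=...` or `"name"=...`; only string values are handled.
VALUE_LINE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=("(?:[^"\\]|\\.)*"|.+)$')


def _unescape(value):
    # .reg files escape a backslash as \\ and a double quote as \"
    return re.sub(r'\\(.)', r'\1', value)


def parse_reg(text):
    """Return {key path: {value name: string value}} for a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line[0] == "[" and line[-1] == "]":
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE_RE.match(line)
        if m is None or current is None:
            continue  # hex continuation lines etc. are ignored here
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
        value = m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = _unescape(value[1:-1])
        keys[current][name] = value
    return keys


def _exe_path(value):
    # Take the executable part of a command line, with or without quotes.
    m = re.match(r'\s*"?([^"]+?\.exe)', value, re.I)
    return m.group(1) if m else value


def audit(keys):
    """Return (reason, detail) findings for the loading points from the post."""
    findings = []
    cmd = keys.get(EXEFILE_KEY, {}).get("(Default)")
    if cmd is not None and cmd != DEFAULT_EXEFILE_COMMAND:
        findings.append(("exefile association hijacked", cmd))
    for key, values in keys.items():
        if not key.lower().endswith(r"\currentversion\run"):
            continue
        for name, value in values.items():
            path = _exe_path(value)
            basename = path.rsplit("\\", 1)[-1].lower()
            if basename in SYSTEM_PROCESS_NAMES and not SYSTEM32_RE.match(path):
                findings.append(("system process name outside system32",
                                 f"{key}\\{name} = {value}"))
    return findings


if __name__ == "__main__":
    for reason, detail in audit(parse_reg(SAMPLE_REG)):
        print(f"{reason}: {detail}")
```

For the sample this reports the hijacked exefile command and both Run entries, and nothing for the ctfmon.exe entry that sits in system32. The check is deliberately narrow: a Winlogon Shell/Userinit hijack, the "extra policies" the post mentions, or a hex-encoded value would need their own rules.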

How to guide people with fixing their computers

Rule number 1: Always stay serious, don't try to laugh, no matter what.

Here's a collection of funny quotes or subjects from people who needed help with their computer. They were posted at several different forums and via chat support.
Most were collected from geekstogo forums, bleeping computers, SWI and some Dutch forums.

My favorite top 10:


If I do get a new comp
Ill get windows 98
saves memory

Good idea!!

Subject: "Problem with massages popping"

I wouldn't mind the massages.

miekiemoes: Did you perform a scan or anything else before this happened?
user: brainscan

Guess what... the brain was severely infected!

Internet explorer was changed to pizza SLICE.

With extra anchovies, olives and mozzarella??

Subject: "virus will not leave me alone!, please help me before my brain explodes!"

Please format and reinstall your brain asap!

The 4 pins that are missing are around the edge of the 'gold triangle' in the corner of the CPU. I have tried replacing the pins by placing a piece of copper wire in the slot where the missing pins are but I think that might be the cause of my PC crashing so I have taken them out.

It would have been better if you used electrical wire.

You know I hear something in the PC box going, like little dominos falling really fast all the darn time or like there is a bleeping little mouse in there playing a bleeping cadence on a bleeping little snare drum all the bleeping time...

From a Dutch forum (translated):
I scanned my system with several different programs but nothing was found.
When I restart my computer, I hear a kind of alarm that keeps going off for about a minute.
Then my screen goes black and afterwards a whole row of candles appears on my screen, which are lit one by one...

Happy NewYear!!

I am also thinking of making my monitor black and white to make those
viruses and trojans think i have an ancient pc and not worth attacking.

Best prevention ever! Thanks for the tip!

And the Winner is:

Today I tried to hide my lunch bar chocolates from my brother by taping them to the inside of the side panel of my pc(total disregard for PC components I know but no way was he getting me booty) Any how the tape didn't hold and the chocolate wound up in one of the fans(not a pretty sight) -sigh-. Pc is still fine though (thank God)

you forgot to add the milk for making the chocolate mousse

Dutch users Alert! - Beware of fake Tax Forms

This is especially a warning for Dutch users (from the Netherlands). There's malware spreading that changes your start page to a random Dutch site (.nl domain, which is a compromised/hacked site), presenting you with this:

Full screenshot of the form:

NOTE: This is NOT from the legitimate site, as they DON'T ask you for this info (PIN code etc.).
Even though it says it's from, it's NOT. Only the template from was used here, not the form itself.
Also note the "Microsoft Certified" and "Comodo Hacker Proof" logos, added to make it look like a legitimate site.

This piece of malware is especially designed to target Dutch users in order to steal their banking info.

I found this out yesterday while I was helping a user with an infected PC. The PC was severely infected/badly compromised...
There was also a .bat file present, with the command to change the Internet Explorer start page to a random .nl site with this fake tax form.
I'm still waiting for the samples and more info on how this user got infected in the first place.
I guess this infection is spread via MSN, however, I cannot tell for sure yet. The samples and extra info should tell...

So beware when you see similar forms... especially when they ask to enter your PINCode.

Protect your family and computer with Windows SteadyState

If you have kids who use the computer frequently, then it may happen once in a while that important settings are changed, or malware and other unwanted software is installed.
That's why Windows SteadyState may be the ideal program for you.

Windows SteadyState is mainly Parental Control software, where you can create several different user profiles and for each of the profiles you can set restrictive policies.
Example of Windows Restrictions, Feature restrictions and Block programs:

Also, under the general tab, you can set how long your kid may use the computer and you can lock the user profiles in order to prevent that they are making important changes.

But the feature I love the most is "Windows Disk Protection".
With this option enabled, you can undo all changes: it clears all changes that were made during the last user session and resets the system to the condition it was in before. A simple reboot is all that's needed to reset it. You can also modify the settings and set it to retain changes temporarily, and adjust the date when it should revert itself to the previous condition.
Or you can choose to retain all changes permanently.

This is ideal in cases when the computer gets infected, or important settings were changed, or a program is causing problems after install or update etc etc..
As a matter of fact - anyone could use this feature if you like to test several settings on your computer, install software to betatest or perform any important system change if you're not sure what the outcome may be. Just revert to a previous condition if it didn't work out or retain the changes.

Windows SteadyState is for *FREE
*only for genuine Windows XP / Vista

Top Ten excuses why people don't want to secure their computer

1. I don't have anything valuable on my computer anyway, so I don't need to worry about someone taking it over.

Actually, you have something very valuable on your computer, especially if you are on a fast internet connection. You have bandwidth. A lot of malware is designed to take over your computer and use it as a server to attack other computers, distribute SPAM or even deliver more malware. It will also steal your data, passwords and account numbers, so the criminals can steal your identity and everything you own. Even if you only use your computer for gaming, there are people now stealing passwords for some computer games so they can steal any reserves you have built up online.

2. The antivirus companies are the ones who put out all those viruses so they can sell their programs anyway. If I install their program, it will install their viruses.

This is one of the silliest myths on the web. It is true that there are rogues that try to trick people into buying their programs by claiming your computer is infected:

List of Rogue Programs

However, the legit companies wouldn't even consider risking their reputations to make a few extra dollars. If they are recommended by reputable sources, they are going to be safe and useful. You need to be sure the source is reputable though. The people that create viruses and other malware are criminals and many are now part of organized crime gangs that make millions by stealing from people like you.

3. Running a firewall slows down my games.

Most firewalls have settings to allow you to play games without removing that protection. Even a few minutes online without your firewall can leave you infected.

4. The programs are too complicated.

Most programs have simple modes that can be set to update automatically and protect you without you having to do much more than renew a subscription or download a major update about once a year.

5. I don't have any money and the programs are all expensive.

You can assemble a very effective set of security programs for free. Even if you pay a bit for a program, it is a lot less than what you will pay to get your computer fixed and possibly deal with having your accounts cleared out by criminals.

6. I have heard that WinXP Service Pack 2 and 3 will cause problems on computers and I don't want to risk it.

That is sort of like saying I will jump off the cliff because I don't want to risk slipping on the rocks climbing down. SP2 is probably the most important security update that Microsoft has released for any version of Windows to date. It is true that it caused problems in the first few months, but it has been out for more than 2 years and it is quite stable now. If you don't have it, you also don't have any number of other security updates and you are almost certain to get infected.

7. I have an illegal copy of WinXP and MS won't let me update it. It isn't fair because they make so much money anyway.

If you are running an illegal copy of Windows, do the rest of us a favor - buy a legal copy. When you get infected, you can become a zombie server for the criminals, distributing malware, SPAM and scams all over the web. If all the zombie systems were shut down today, the quantity of SPAM would slow from a tidal wave to a trickle. Don't contribute to the flood. If you don't believe you can afford a legal copy of WinXP, use a free install of Linux. There is no good reason to put yourself and the rest of us at risk.

8. I have never used security programs and I have never been infected.

Maybe, maybe not. Some of the most effective infections today are essentially invisible on your computer. They don't slow it down in a noticeable way, they don't popup ads and they don't do anything to attract your attention. They do quietly send your personal information to the criminals, they do use your computer as a zombie server and they do own your computer more than you do. The truth is, malware is getting more aggressive, harder to detect, harder to kill and almost unavoidable if you go online at all. If you are not armored, you are probably already infected or you will be.

9. It is my computer and it is only my problem if I get infected, so leave me alone!

Well, not really. It is your computer and it is mainly your problem if you get infected. However, if your computer becomes a server that sprays malware, SPAM and attacks against the rest of us, it becomes our problem too. As soon as you go online, you are part of a community and the decisions you make affect everyone in that community. If you don't mind people messing around with your personal information and possibly using it to steal all that you have, please at least consider the harm you may be doing to the rest of us.

10. I plan to install security programs, I just haven't had time yet.

If you are reading this, you are already online. If you are online, you are already at risk. I once fixed a problem with my firewall and had it uninstalled for a while. I went online for about 10 minutes to download a fresh copy and while I was online, my system was infected with the Welchia worm. TEN minutes I was online, only 10 minutes!! How long have you been running without security??

Increase of malware found on legitimate websites

According to ScanSafe, 68% of malware is found on legitimate websites nowadays. These sites were hacked as a result of SQL injection attacks or via stolen FTP credentials.
Malicious scripts and (hidden) iframes are added in order to infect the visitor with trojans, backdoors and password-stealing malware.
That's why you should always be cautious, because even known legitimate sites can't be trusted anymore.
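The injected content described above usually has to stay invisible to the site's own visitors, which is what gives it away: a frame with zero size, a frame hidden by CSS or pushed off-screen, or a script tag loading from a host the site never used. As an added example (not from the original post or from ScanSafe), the script below scans a page's HTML for those markers; a site owner can run it over their own pages after a suspected FTP-credential theft. The HTML is a constructed sample, the host names are made up, and the rules and thresholds are my assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed page (not a real capture): one legitimate banner frame plus
# the kinds of injected elements the post describes.
SAMPLE_HTML = """<html><head><title>Shop</title>
<script src="/js/menu.js"></script>
<script src="http://static-counter.example/stats.js"></script>
</head><body>
<h1>Welcome</h1>
<iframe src="http://ads.example/banner.html" width="468" height="60"></iframe>
<iframe src="http://injected.example/in.php" width="0" height="0" frameborder="0"></iframe>
<iframe src="/help.html" style="position:absolute; left:-5000px"></iframe>
<div style="visibility:hidden"><p>footer</p></div>
</body></html>"""

TAG_RE = re.compile(r'<(iframe|script)\b([^>]*)>', re.I)
ATTR_RE = re.compile(r'([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'>]+))')


def parse_attrs(fragment):
    """Turn the inside of a start tag into a {name: value} dict."""
    out = {}
    for m in ATTR_RE.finditer(fragment):
        # exactly one of the three value groups matched
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out


def _pixels(value):
    # "0", "60", "1px" -> int; missing or non-numeric -> None
    digits = re.sub(r'[^0-9-]', '', value or '')
    return int(digits) if digits.lstrip('-').isdigit() else None


def suspicious_embeds(html, page_host):
    """Return iframes/scripts that look injected, with the reasons."""
    findings = []
    page_host = page_host.lower()
    for m in TAG_RE.finditer(html):
        tag, attrs = m.group(1).lower(), parse_attrs(m.group(2))
        src = attrs.get("src", "")
        # a relative src stays on the page's own host
        host = (urlparse(src).hostname or page_host).lower()
        style = attrs.get("style", "").lower().replace(" ", "")
        reasons = []
        if tag == "iframe":
            w, h = _pixels(attrs.get("width")), _pixels(attrs.get("height"))
            if (w is not None and w <= 1) or (h is not None and h <= 1):
                reasons.append("zero-size frame")
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden by CSS")
            if re.search(r'(?:left|top):-\d', style):
                reasons.append("positioned off-screen")
        elif tag == "script" and host != page_host:
            reasons.append("script loaded from third-party host")
        if reasons:
            findings.append({"tag": tag, "src": src, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in suspicious_embeds(SAMPLE_HTML, "shop.example"):
        print(f["tag"], f["src"], ", ".join(f["reasons"]))
```

On the sample this reports the third-party script, the 0x0 frame and the off-screen frame, and leaves the visible 468x60 banner alone. It is a regex pass, not an HTML parser, so an iframe written out by obfuscated JavaScript at runtime is not seen; the third-party-script rule also fires on legitimate CDNs, so in practice it needs an allowlist, and comparing the live page against the copy you uploaded remains the more reliable check.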

If you're on Vista, make sure UAC is enabled, so Internet Explorer runs under Protected Mode.
If you're on XP - you can read some tips here: How to Surf More Securely by gizmo.richards
In case you're using Firefox as your default browser, install the NoScript extension.

The Neverending Story

I've been cleaning severely infected computers for more than 4 years now.
In most of the cases, when I review the logs, I see more malware present than anything else.
Also, in most cases, many don't even have an Antivirus scanner and Firewall installed and their Windows hasn't been updated for years.
They don't even know what the updates are for. Also, many of them don't have a genuine version of Windows installed anyway.
Some don't even know what an Antivirus scanner or Firewall is.
For example, yesterday I analysed a log from a severely infected computer and asked the guy why he didn't have an Antivirus and Firewall installed.

He: "Huh? I have an Antivirus and Firewall installed though"
Me: "Ok, can you tell me which one, because I can't see an Antivirus and Firewall present in your log"
He: "I have mailwasher!"

Mailwasher is spam filter software - so I'm not sure where he read that it was an Antivirus/Firewall.

And that's why we should "teach" these people about security. Why they need an Antivirus and Firewall and how to prevent malware. This is my main goal here... teach about prevention, how to keep their computer(s) clean/secure.

Unfortunately, many do know how to prevent malware and how to keep their computer(s) secure, but they just won't listen, mainly because they just don't care.
They also know how they got infected in the first place, because they were warned many times before. But still, they just can't resist using illegal software/cracks/hacks, whatever, even though they know that 80% of it is bundled with malware.
One single click on one of these "popular" crack sites may already download and install a huge malware bundle... and yes, they are also aware of this.
Oh well, not a big deal for them. They just post their problem at one of the forums/sites where they receive help for free. Once their system is "clean", they can hunt for more cracks/keygens again.
Yes! I've seen it too many times before.

"Hi, I visited a cracksite, downloaded and installed a crack - can you check if my computer is still clean?"
"Help! I downloaded and installed a crack from a torrent/P2P again and now my computer is acting weird.... again"
"I need help asap!! Keygen infected my computer again!"

Yes, in 80% of the cases, people get infected because of the use of illegal software/cracks/keygens/hacks etc.
So I clean their computers and, most importantly, I tell them that they should stay away from illegal software, cracks, keygens etc., because they will get reinfected anyway if they don't change their surfing habits.
I also explain that there are many free alternatives and give them extra prevention tips.
I'm glad that many learn a lesson here, listen to my advice and make sure this won't happen again.

However, there are still a lot of others who don't listen and proceed with what they were doing before, even though they were warned.
Result.. 2 weeks later, they are back, asking for help to get rid of another infection, because they installed another crack which downloaded/installed malware again. Then they receive free help once again and one month later, they are back again. And this goes on and on and on...
I'm sorry, but I've given up on them. It's a waste of my time.
If they don't want to listen, they should take care of their own problems. In such cases, I recommend that they format and reinstall Windows (even though the malware could be cleaned easily).
Or I ask them to go to the local computer shop to get it fixed. It will cost them a lot of money and in most cases, the shop will just format and reinstall Windows anyway.
Maybe that will teach them, since they have to pay for it - or since they have to start from scratch again.

"Was it really worth it??"
"Wanna use cracks/keygens again and go through the same scenario again?"
"Are you sure??"
- If there was an "Yes" button here, I'm sure some would click it - Ooh, they love to click Yes!

What I hear many times is:

"It's my computer - if I want to visit illegal sites/use cracks etc, it's my problem if I get infected."

Ok, so why are you asking for help in the first place? If it's your problem, you should take care of it.
And it isn't your problem ALONE. Your computer is responsible for infecting A LOT of other computers as well (depending on what malware is present).

"I blame my Antivirus because it didn't detect the malware".

You are the only one to blame!!!

Also, all their passwords and other sensitive data may be known... But do they really care???

Some will never learn, so this is a neverending story and unfortunately I can't help them anymore.
Oh well... maybe they will learn some day (when it's too late).

Virut is back again - sigh

Virut (PE_VIRUT.XZ in this case) is back again.

This one "spreads" via email with subject: "Important update from Microsoft Windows XP/2003 Professional Service Pack 2(KB946026)" or "Critical Security Update for Microsoft Windows (KB946026)".
From: Micrisoft Corporation 2008 ©
The link to the supposed WINDOWS-KB946026-X86-ENU download from Microsoft for the fix goes to this address:


Note: This is NOT the legitimate download from Microsoft. The legitimate WINDOWS-KB946026-x86-ENU.EXE does NOT have the "Windows icon" shown above, but has the default exe file icon instead.
The file from the link in the mail doesn't install any updates, but installs Virut, a polymorphic appending file infector.

This one attempts to infect any accessed .exe or .scr files by appending itself to the executable. It contains an IRC-based backdoor that provides unauthorized access to infected computers.

Luckily, since this is an older variant - most Antivirus Scanners *should detect and delete it immediately. That's why it's really important that your Antivirus Scanner is up to date!

In case you are someone who just loves to click links in mails - even though your Antivirus scanner alerts you - or you have an Antivirus whose trial expired a couple of months ago - or don't even have an Antivirus installed... Well, I can assure you, you'll really regret it if you open/run the file. Mainly because this is a file infector which infects legitimate exe and scr files, so these files cannot simply be deleted, but must be disinfected instead. And a common problem I see with Virut is that in some cases (some variants), it contains a bug in its code and as a result it may misinfect a proportion of executable files. Because of that, an Antivirus scanner cannot disinfect them properly either, and the result is a corrupted file.

That's why, if I guide someone with Virut present and their Antivirus cannot properly disinfect it, then I recommend a format and reinstall. Unless the person knows what files are corrupted and knows how to replace them with a clean one. But then again, it's no guarantee that everything will work properly again and Virut is gone.
A format and reinstall in this case is still the fastest and especially the safest solution.

So once again, make sure your Antivirus is always up to date!


Google Alerts - You should try it!

I'm actually surprised that many people have never heard of Google Alerts. I've been using this Google feature for a couple of weeks now and, for me, it's very useful!

I have used a lot of other programs in the past, such as Copernic Search, which uses several different search engines, but Google is still my favourite search engine since the others don't display as many results. So that's why I switched to Google Alerts instead. No more programs to install, since it's an "online tool".
For Google Alerts, you just have to enter your search term and create an alert for it. It then notifies you by e-mail of the new results.

It offers six types of alert searches: "News", "Blogs", "Web", "Comprehensive", "Video" and "Groups".
You can also specify whether you want the email with the results "Daily", "Weekly" or "As it happens". The "As it happens" option doesn't work - at least not for me. That's why I've set it to daily.

A nice extra feature would be a "website watcher" included in Google Alerts (this for pages that don't provide Atom or RSS feeds) - where you have to enter the URL of a website, specify a filter (what changes to ignore) and Google notifies you of the changes being made on that page since your last visit. I already use another program for that, but it would be nice if this feature is also included in Google Alerts.

Woopra - new real-time Web tracking and analysis application

Most people who run a website or have a blog have a web tracking and analysis application present. It's always useful to see how many visitors your website/blog has, where your visitors come from, which posts are popular etc. etc...

I used to have SiteMeter "installed" - but I replaced it with W3Counter since it has more options, statistics etc. However, there's still something I'm missing - until I found Woopra. It really has all the options/statistics I want! I'm sure you're going to like the several features it offers. You can run it from the desktop and it even includes Real Time notifications.

Anyway... for me, It looks pretty neat. :)

I signed up today and I'm currently waiting for my approval. This may take a while according to their blog.
So I can't tell yet what to expect - but I'll update this blogpost with my thoughts/view once woopra is up and running.
And if I like it - then I'll replace my current w3counter with it.

I love to test new "goodies" - so what's next? :)

My blog was approved today (june 4), so Woopra is currently up and running.
I'm really impressed with all the options it contains. I even scared some visitors today with the chat feature :P (Don't worry, I won't use this feature often :D)
There are still some bugs present - but then again, this is also still a beta.
Can't wait for the final release. This is a keeper, that's for sure.