Malwareaware


Saturday, 30 November 2013

Cyber Monday survival guide Part 2

Posted on 07:16 by Unknown
This is part 2 of my 2 part series.

For Part 1, go here: http://malwareaware.blogspot.com/2013/11/cyber-monday-survival-guide-part-1.html

Tip #5: Scan the computer you are using for malware.
If the computer you are using is already compromised, you might as well broadcast your personal information. Making sure that the computer is clean puts the odds back in your favor.

Tip #6: Use strong passwords.
Using strong passwords will make it harder for cybercriminals to break into your accounts. And I have talked about strong and secure passwords before.

Tip #7: Avoid strange computers whenever possible.
Computers are a bit like public restrooms. If it is not yours or you do not know who has been in, you don't know what has been going on. Which is one of the reasons why I am afraid of public restrooms.
It is even worse with computers: people cannot install malware onto a toilet (yet).

Tip #8: Beware of fake deals you get in your inbox.
Unless you are on a company's emailing list, or you have bought from them, you should not be getting offers from them in an email. This advice also applies to social media websites. And do not fall for coupon scams that ask for personal info in exchange for a chance to win some big prize.

Tip #9: Trust your intuition.
You know what they say: If it looks, sounds, or feels too good to be true, it probably is. This advice should not be lost on anyone. If something just does not feel right to you, it is at least worth a closer look. By doing this, the most you have to lose is a few minutes of your time, while you stand to gain the knowledge to make the right choice.

Tip #10: Delete your internet history.
Remember how you said that you were going to be "napping"? If anyone in your family is a cyber detective like me, you are likely going to want to keep all this from them.
In Firefox: Click on the orange Firefox tab in the upper left hand corner, then go to History, then click Clear Recent History. Make sure all checkboxes in the new window are checked, and set it for however long you have been "napping".

In Google Chrome: Go to your History via the options icon in the upper right hand corner, then click Clear History.

In Internet Explorer: Click on the options cog in the upper right hand corner, then go over to Safety, then click Clear Browser History, then make sure all checkboxes are checked with the exception of preserving your favorite websites.

Please tread carefully if you are using a computer that is not yours. By and large, what to delete and what to leave is a decision to be made on a case-by-case basis.

Thank you for reading. I invite readers to comment with any questions or comments.

Tuesday, 26 November 2013


How to remove Windows Cleaning Toolkit (Rogue)

Posted on 06:51 by Unknown
Alright, there's a new rogue antivirus program making the rounds called Windows Cleaning Toolkit. It's part of the same family as Windows Expert Console, and thus will have the same removal guide.

For those of you who do not know, a rogue antivirus program is a piece of malware that pretends to be an antivirus program. It then scans your computer and detects threats that are not actually on your computer. It is just trying to make you purchase it.

A removal guide follows. And this one is a bit different from the rest, but this is the simplest way to remove it.

Step #1: On the scanner which tells you that you are "infected" click Remove All. And yes, this seems counter-intuitive considering that it is a rogue, but just go with it and stay with me on this.

Step #2: On the new web page that opens, you should see a button on the bottom right of the screen that says "Click here if you already have an Activation Code." Click on that button.

Step #3: Put in the following activation code: 0W000-000B0-00T00-E0020
Please note that if you are on the infected computer while reading this guide, you can copy and paste this code in.

Step #4: Even though the rogue is now subdued, it could still cause issues with removal. So we must run Rkill. Download iExplore.exe here: http://www.bleepingcomputer.com/download/rkill/

Step #5: Run the downloaded executable. It will open a black box, this is normal. Once the black box has closed on its own, proceed to step 6.

Step #6: Download Malwarebytes Anti-Malware from here: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Step #7: Run the downloaded installer and install Malwarebytes Anti-Malware.

Step #8: Once the program is installed, it will automatically open a window. Once this window is open, click Perform Full Scan, and then click the scan button.

Step #9: As this scan will take some time, I suggest you do something else while remaining in close proximity to the computer so you can check on the scan every once in a while. Once the scan is complete, proceed to step 10.

Step #10: When the scan is complete, it will open a message box. Click OK, and then click show results.

Step #11: Click Remove Selected. If Malwarebytes prompts you to restart your computer, please allow it to do so.

Step #12: Enjoy your computer which should now be free of Windows Cleaning Toolkit.

Update: 11/27/2013 8:30 AM CST.
---------------------------------------------------------------------------------------------------------------

I've received reports that in more than a few cases, the above removal guide does not work properly. After further investigation, the culprit seems to be another variant of this rogue with the same name. If this is the case with you and the guide does not work, please follow these instructions to help you manually remove the rogue.

Step #1: Reboot your computer. As soon as you see anything on your screen, press the F8 key.

Step #2: On the boot menu, choose Safe Mode with Command Prompt.

Step #3: Once the computer has started up, in the command prompt window, type in regedit and press enter.

Step #4: On the left side of the new window, navigate to the following location: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\

Step #5: Highlight Winlogon.

Step #6: Double-click Shell, clear the entry, and replace it with "explorer.exe" (without quotes).

Step #7: Run explorer.exe.

Step #8: Navigate to %appdata% and delete guard-xxxx.exe.

Step #9: Reboot into regular mode.

Step #10: Your computer should now be free of the rogue. But it does not hurt to run a full scan with Malwarebytes just like you would have done in the above removal guide. So once you have done this, follow Step 6 and onward of the removal guide above this one.
Posted in Removal Guides, Windows

How to remove Windows Expert Console (Rogue)

Posted on 06:23 by Unknown
Alright, there's a new rogue antivirus program making the rounds on the internet. It's called Windows Expert Console.

For those of you who do not know, a rogue antivirus program is a piece of malware that pretends to be an antivirus program. It then scans your computer and detects threats that are not actually on your computer. It is just trying to make you purchase it.

A removal guide follows. And this one is a bit different from the rest, but this is the simplest way to remove it.

Step #1: On the scanner which tells you that you are "infected" click Remove All. And yes, this seems counter-intuitive considering that it is a rogue, but just go with it and stay with me on this.

Step #2: On the new web page that opens, you should see a button on the bottom right of the screen that says "Click here if you already have an Activation Code." Click on that button.

Step #3: Put in the following activation code: 0W000-000B0-00T00-E0020
Please note that if you are on the infected computer while reading this guide, you can copy and paste this code in.

Step #4: Even though the rogue is now subdued, it could still cause issues with removal. So we must run Rkill. Download iExplore.exe here: http://www.bleepingcomputer.com/download/rkill/

Step #5: Run the downloaded executable. It will open a black box, this is normal. Once the black box has closed on its own, proceed to step 6.

Step #6: Download Malwarebytes Anti-Malware from here: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Step #7: Run the downloaded installer and install Malwarebytes Anti-Malware.

Step #8: Once the program is installed, it will automatically open a window. Once this window is open, click Perform Full Scan, and then click the scan button.

Step #9: As this scan will take some time, I suggest you do something else while remaining in close proximity to the computer so you can check on the scan every once in a while. Once the scan is complete, proceed to step 10.

Step #10: When the scan is complete, it will open a message box. Click OK, and then click show results.

Step #11: Click Remove Selected. If Malwarebytes prompts you to restart your computer, please allow it to do so.

Step #12: Enjoy your computer which should now be free of Windows Expert Console.

Update: 11/27/2013 8:30 AM CST.
---------------------------------------------------------------------------------------------------------------

I've received reports that in more than a few cases, the above removal guide does not work properly. After further investigation, the culprit seems to be another variant of this rogue with the same name. If this is the case with you and the guide does not work, please follow these instructions to help you manually remove the rogue.

Step #1: Reboot your computer. As soon as you see anything on your screen, press the F8 key.

Step #2: On the boot menu, choose Safe Mode with Command Prompt.

Step #3: Once the computer has started up, in the command prompt window, type in regedit and press enter.

Step #4: On the left side of the new window, navigate to the following location: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\

Step #5: Highlight Winlogon.

Step #6: Double-click Shell, clear the entry, and replace it with "explorer.exe" (without quotes).

Step #7: Run explorer.exe.

Step #8: Navigate to %appdata% and delete guard-xxxx.exe.

Step #9: Reboot into regular mode.

Step #10: Your computer should now be free of the rogue. But it does not hurt to run a full scan with Malwarebytes just like you would have done in the above removal guide. So once you have done this, follow Step 6 and onward of the removal guide above this one.
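The manual guides for Windows Cleaning Toolkit and Windows Expert Console above both hinge on the same two checks: the Winlogon Shell value and a guard-*.exe file in %AppData%. The following PowerShell is an added example (not code from the blog) that performs those checks and restores Shell; it assumes that a clean machine has HKLM Shell set to explorer.exe and no HKCU Shell override.

```powershell
# Added example, not from the blog: check the two things the manual removal guide above
# edits by hand, the Winlogon Shell value and guard-*.exe in %AppData%, and restore Shell.
# Assumption: on a clean machine HKLM Shell is 'explorer.exe' and HKCU has no Shell override.
$WinlogonKeys = @{
    HKCU = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'   # the key the guide edits
    HKLM = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'   # system-wide default
}

function Get-WinlogonShellStatus {
    # Returns the Shell value of each hive and whether it matches the expected clean state.
    foreach ($hive in 'HKCU', 'HKLM') {
        $shell = (Get-ItemProperty -Path $WinlogonKeys[$hive] -Name Shell -ErrorAction SilentlyContinue).Shell
        # HKCU normally has no Shell value at all; any other value than explorer.exe is a hijack.
        $ok = if ($hive -eq 'HKCU') { ($null -eq $shell) -or ($shell -eq 'explorer.exe') } else { $shell -eq 'explorer.exe' }
        [pscustomobject]@{ Hive = $hive; Shell = $shell; Expected = [bool]$ok }
    }
}

function Find-AppDataGuardExe {
    # Lists guard-*.exe files directly under %AppData%, the file name pattern the guide deletes.
    Get-ChildItem -Path $env:APPDATA -Filter 'guard-*.exe' -File -ErrorAction SilentlyContinue |
        Select-Object FullName, Length, LastWriteTime
}

function Repair-WinlogonShell {
    # Step #6 of the guide: put the HKCU Shell value back to explorer.exe. The hijacked value is
    # returned so it can be recorded before the file it points at is deleted in Step #8.
    $old = (Get-ItemProperty -Path $WinlogonKeys.HKCU -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($old -and $old -ne 'explorer.exe') {
        Set-ItemProperty -Path $WinlogonKeys.HKCU -Name Shell -Value 'explorer.exe'
    }
    return $old
}

Get-WinlogonShellStatus | Format-Table -AutoSize
Find-AppDataGuardExe    | Format-Table -AutoSize
```

Run the two report functions first; call Repair-WinlogonShell only once the HKCU row shows Expected = False.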
Posted in Removal Guides, Windows

Friday, 22 November 2013

Malware Predictions for 2014.

Posted on 20:55 by Unknown


What if you could see into the future? Or at least get a glimpse into the future of technology. More specifically malware, because that is what this blog is here for.

Using what we know about malware today, we can make predictions about what we might be seeing in the future. These predictions are not random, but actual diagnostic reasoning that gives us a clue as to what is coming.

In short, this blog post gives us a glimpse into what's coming to the world of malware very soon.

#1: Malware targeted at Windows XP will rise dramatically.

Reasoning: Malware writers have done this before; when Microsoft stops supporting an operating system, they use exploits that will not be patched to infect users with malware. That being said, none of that can compare with the amount of malware that we have today. This is something that I am certain of. The temptation of Windows XP will be too much for malware writers to resist.

Predicted Probability: 100%

#2: CryptoLocker-style ransomware will become more common.

Reasoning: Would you say making $5 million in one month is profitable business? How about if you have to do nothing but make changes to a program and get paid?
The writers of CryptoLocker have proven this: The type of infection that they put out is an effective way to make money. And because most modern malware is meant to make money in some way, malware writers will flock to this type of ransomware.

Predicted Probability: 90%

#3: New conventional malware will go down (but that's not a good thing).

Reasoning: Antivirus software has become better at detecting new malware throughout the years. And detection rates have remained high for some time now with the exception of malware that conventional antivirus software just is not equipped to really handle. Because of this, less money will go into the pockets of malware writers. And as I have said before, if the writers are bankrupt, they cannot make more malware.
The downside? Malware writers will see this and will realize that the old business model just is not working anymore. This plays into my first two predictions quite nicely. They will make their attacks more complex and harder for antivirus software to detect effectively.

Predicted Probability: 75%-80%

#4: Smart TVs will become a vector for infection.
Reasoning: Those newfangled Smart TVs can only get smarter. They will get smarter to the point that they might even be able to replace computers to a degree. Malware writers will see this and will start making some sort of malware for the Smart TV.
The prediction is a bit like rolling chicken bones for me. I predicted this privately last year, and that did not happen. My theory on that is that I predicted it too early.

Predicted Probability: 35%-55%

#5: Rogue antivirus software will become obsolete. (On Windows computers at least)

Reasoning: Rogues have been a dying breed of malware for about three years now. And throughout those three years, a few security professionals (and myself) have said that by next year, rogues will be dead. They're dying, but they are not completely dead yet.

Antivirus software has gotten a lot better at detecting this type of malware, where before no antivirus could really touch them. Then again, a lot more people know about rogues than they did back in 2006 when they first started infecting people.

The downside? We only just this year saw rogues starting to really look to other platforms. I’m sure that some of my readers will remember what I have said about Android rogues.
I'm not going to put 100% behind this one because the writers of this type of malware could still have something up their collective sleeve that we have not seen before. But given that there are fewer and fewer rogues, this seems like a sound prediction to make.

Predicted Probability: 85%

Thank you for reading. I invite readers to comment with any questions or comments.

Thursday, 21 November 2013

Cyber Monday survival guide Part 1.

Posted on 15:05 by Unknown
I in no way advocate camping out at a store on Black Friday in order to get a good deal on that special something you have been eying. For one thing, you have to spend time away from your family. For another, you risk getting killed or tossed around by the crowd. And yes, that has happened before, and odds are it will happen again this year.

An alternative is Cyber Monday, the Monday after Thanksgiving, when you can find good deals online. Shopping online keeps you from getting (physically) tossed around, and you can browse from your house or wherever you are staying under the guise of "taking a nap."

The issue? Cybercriminals will be shopping too, and not for DVD players. They will be shopping for anything they can steal from you. With that in mind, I've put together a little guide that might just help you avoid getting infected with malware, or having your identity stolen. Both of which will likely ruin your Happy Holidays.

Tip #1: Guard your credit card well. The most important tip on this guide is to protect your credit card. If you get anything from this guide, please let it be this.

When shopping online, the only things you generally need to enter to make a payment are the numbers on both sides of the card and your PIN. Needless to say, if these get into the wrong hands, it can get bad quickly. So be careful who you entrust them to.

Tip #2: Shop at secure websites only.

When you go to pay for something online, there should be a locked padlock somewhere in your browser. This tells you that the website is using HTTPS, which makes it harder for hackers to eavesdrop and capture your information. If there's no padlock, shop somewhere else. Even if it costs a bit more, it is worth it to keep your info away from prying eyes.

Tip #3: Stick with the websites you know if at all possible.

Try and stick with websites that you know are legit. Or if you need to go to a website that you don't know of, a quick online search will give you reviews and complaints.

Tip #4: Read the fine print.

In today's modern world, companies can get away with putting in small text called "fine print." What is even worse is that almost no one ever reads it closely enough to understand it and to know their options if, say, they want to return something.

OK, I'm not as sneaky as most companies, and that's a good thing. Either way, the message is clear: Read the fine print.

More to come in Part 2.

Tuesday, 19 November 2013

CryptoLocker now setting aim at UK.

Posted on 05:43 by Unknown
"Let the invasion begin" should have been the mantra going forward for those that made CryptoLocker. But as we know of no mantra, we assume that there is none.

The National Crime Agency has issued an alert regarding CryptoLocker: http://www.nationalcrimeagency.gov.uk/news/256-alert-mass-spamming-event-targeting-uk-computer-users

CryptoLocker has been going strong since September of this year. During that time, it seems to have mostly targeted the US, until now.

The NCA is estimating that emails with the CryptoLocker attachment may have reached the tens of millions.

An investigation has been launched to see where the email addresses are from and where they are being used. I personally think that the email addresses are spoofed, therefore finding the source will not really be all that helpful.

As of this writing, Bitcoin is valued at about $574 a coin. This means that anyone forced to pay the ransom late now has to pay ten Bitcoins, which at this point means $5,740.

This is all the news that I have not already covered in a previous blog post.

Thank you for reading. I invite readers to comment with any questions or comments.
Posted in The CryptoLocker Saga

Tuesday, 12 November 2013

CryptoLocker Post #10

Posted on 15:24 by Unknown
OK, from what I have gathered, this is my 10th blog post regarding CryptoLocker. And if you are reading this, you likely already know what it is. But for those of you who have not heard any computer security news for the past two months, CryptoLocker is a piece of file encrypting ransomware that you can learn more about by looking at my other posts regarding it.

Not a whole lot more to talk about that is new. CryptoLocker is still being spread via email as an attachment. This attachment is normally an executable inside a zip file. The file can be unzipped to reveal the executable, which you can then run.

But something new-ish is that the zip file is now password protected. This is a measure used to get past the mail filters that companies have been setting up to block files with a .zip file name extension, because these filters are not made to block password-protected archives.

This is both a good sign and a bad sign.

It is a bad sign because the makers of CryptoLocker are monitoring to see what methods are working to prevent infection.

It is a good sign because companies are now paying attention to CryptoLocker.

I do not see this issue with CryptoLocker going away any time soon. Granted, we may find the makers of CryptoLocker. But that will not stop other creative malware writers from making their own CryptoLocker. The cybercriminals who made this know that this makes money.

But I do know that when this method gains popularity with malware writers, they will make mistakes. Whoever made CryptoLocker did not cut any corners. We will be able to exploit mistakes in order to find a way to defeat this.

But until then, we must press on the fight against CryptoLocker.

And with that, I deliver the following sentence. A plea, a promise, a call:

We must stand united to repel CryptoLocker and other such invaders from our internet.

Thank you for reading, I invite readers to comment with any questions or comments.
Posted in The CryptoLocker Saga

Wednesday, 6 November 2013

The latest and greatest ways to block CryptoLocker.

Posted on 06:50 by Unknown
I've written quite a few blog posts about this ransomware. So by now I am just going to assume that everyone has read it. And odds are, if you are reading, you know what it is anyway.

There are now two ways that can be used to block CryptoLocker from encrypting your files. One of which I have already talked about, but for the sake of convenience, I will talk about it here as well.

The first way is a tool that blocks the execution of the ransomware. Because the ransomware executes from appdata, which is not a place many applications execute from, blocking anything from running from appdata can be used against the ransomware.

This tool was made by FoolishIT and can be downloaded here: www.foolishit.com/download/cryptoprevent/

For more info on this tool, go here: http://www.foolishit.com/vb6-projects/cryptoprevent/


The second way blocks the ransomware from encrypting your files.

This way is part of the public beta of HitmanPro.Alert and can be used along with the first method of blocking CryptoLocker.

HitmanPro.Alert was made by SurfRight, and you can find more info and download the beta here: http://www.surfright.nl/en/cryptoguard

Please note that these tools can be used together without any conflicts arising. It is also important to note that these tools can only help you if you are not infected with CryptoLocker. They will not help you if you are already infected.

With both the anti-malware community and the mainstream media being on high alert from this ransomware, I can see a turn in the tide happening soon against this ransomware. Although I cannot forecast in what way it will take form, I know that it will happen.

Whoever made this ransomware has angered too many to continue infecting people. Sooner or later, the good guys win. This is how it has always been, and this is how it will continue.

Thank you for reading, I invite readers to comment if you have any questions or comments.
Posted in The CryptoLocker Saga

Sunday, 3 November 2013

CryptoLocker as of 11/3/2013

Posted on 05:26 by Unknown
If you have read my other posts on this, you know. But for those of you who do not, there is a piece of ransomware that has been making the rounds on the internet since September of this year. What has given it the ability to spread for this long is the fact that it actually encrypts your files.

I'm not going to go into it all here, because that's what my other posts are for. You can just read the other posts under "The CryptoLocker Saga" label in order to find everything I know about this ransomware.

The purpose of writing this blog post is to inform users of two recent changes with CryptoLocker.

Change #1: Some of the newest variants of CryptoLocker delete all Shadow Copies of your files. This leaves your only options being to restore from backups or to pay the ransom. And attempting to pay the ransom is the perfect way to talk about the second change.

Change #2: Say you have run out of time to pay the ransom. The clock has gone down to zero, and you without any backups, have no way of recovering your files.

Those who made CryptoLocker are now operating a website which allows you to download the public and private key for your copy of the ransomware as well as a decrypter. There is one issue that some people might have with this, though. To pay the ransom before time runs out costs 2 Bitcoins or the equivalent loaded onto a GreenDot MoneyPak card. To pay it after time runs out costs 10 Bitcoins. This converts into $2,100 US Dollars.

So, about $400 before time runs out, $2,100 after time runs out. It does not surprise me that those who make CryptoLocker are doing this. I'm sure that quite a few people are desperate to get their files back. This is somewhat smart considering that the page is completely independent of how much time the ransomware says you have.

Thank you for reading. Feel free to comment if you have any questions or comments.

---------------------------------------------------------------------------------------------------------------

Updated 11/7/2013:

The price of the "late payment" option keeps going up along with the price of Bitcoins. As the price goes up for one Bitcoin (about $300 at this point), the price of the late payment will go up (about $3,000 at this point.)

I would highly recommend that if you are infected with this, you make it your top priority to determine if you have any other options than to pay the ransom. If you find out before time is up, you can still pay the $300 flat rate via a GreenDot MoneyPak card. At this point, it will save you $2,700, but this figure can change. And if Bitcoin takes a big dive, odds are good that those that make CryptoLocker will no longer take it.
Posted in The CryptoLocker Saga

Wednesday, 30 October 2013

Summing Up CryptoLocker.

Posted on 06:53 by Unknown
After a month, the news of the CryptoLocker ransomware has finally hit the mainstream media. Leaving me questioning where they have been.

I was one of the first to report on it, and as far as I can tell, the first independent blogger to report on it.

Unfortunately, along with the mainstream coverage of this ransomware comes quite a bit of dangerous misinformation. This blog post will attempt to gather the truth about what we know in order to help those infected.

Infection:

As of now, the infection seems to be spreading through email. In the office, this email may claim to have a new protocol that needs to be looked at. At home, it may claim to be from Fedex or UPS. This email claims that you have a package waiting for you and you need to print out a receipt to claim it.

In either case, the attachment is a zipped up executable that contains the ransomware. You go to unzip it and read the "document" when all of a sudden, CryptoLocker pops up.

At this point, you are now infected. There's no going back from here. Your files are encrypted.


Encryption:

CryptoLocker does not lie when it says it encrypts your files. It encrypts files with 2048-bit RSA encryption, which is very safe encryption that has never been broken and likely will not be for at least another 10 years.

This means that you cannot decrypt the files.

Recovery of Files:

If you do pay the ransom, the program does actually decrypt your files. And while I would not advocate paying the ransom, it may be needed if you have exhausted all other alternatives. You know you are just encouraging the writers to keep making ransomware, but your files might be worth more to you than the $300 it demands.

Another way is with a program called Shadow Explorer. This program finds Shadow Copies of your files that are saved at System Restore points.

The bad news is that it only works on computers running Windows XP Service Pack 2 or higher, with the exception of the home-oriented editions of Windows Vista. And Windows 8 does not have it enabled by default.

So, if you run Windows 8, you may want to make a change in case you do get infected.

You can find how to activate File History here:

http://windows.microsoft.com/en-us/windows-8/how-use-file-history

http://windows.microsoft.com/en-us/windows-8/set-drive-file-history

Removal:

Recovering the encrypted files may be the hard part, but removing the actual ransomware is easy. Although you should not do this unless you know you have Shadow Copies of the encrypted files that you can get. For your convenience, the guide below deals with removal including recovering your files.

Step 1: Download Shadow Explorer here: http://www.shadowexplorer.com/downloads.html

Step 2: Run the executable and install Shadow Explorer.

Step 3: Select the disk name and time you wish to restore from. This time should be before the infection took place.

Step 4: Right click on a folder and click export. You will then be asked where you want to export to. Export to a convenient location for you.

Step 5: Repeat step 4 until all folders and files have been restored.

Step 6: Download and install MalwareBytes Anti-Malware from here: http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html?part=dl-10804572&subj=dl&tag=button

Step 7: Once you have installed MalwareBytes Anti-Malware, run a full scan. This scan will take some time, most likely over an hour depending on how much you have on your computer. So I suggest you do something else while remaining in close proximity to the computer so that you can check on the scan every 15 minutes.

Step 8: Once the scan is finished, you will be alerted that malware was found. Please click OK on this message box to view the infections.

Step 9: If an infection is not checked, leave it alone. These are PUPs and are not harmful.

Step 10: Click on remove selected and allow it to restart your computer when prompted.

Step 11: Your computer should now be free of the CryptoLocker ransomware.
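Steps 3 to 5 above pick a Shadow Copy from before the infection and export folders from it with Shadow Explorer. The PowerShell below is an added example (not Shadow Explorer's code) that does the same from the command line: it lists the Shadow Copies of a drive and copies one folder out of the newest copy taken before a time you give. It assumes an elevated prompt (mklink and VSS access need it), that the copies were not deleted by a newer variant, and that the drive letter, folder name and destination in the usage line are placeholders.

```powershell
# Added example, not Shadow Explorer's code: list Volume Shadow Copies and copy a folder out
# of the newest copy taken before a given time, which is what Steps 3-5 above do by hand.
# Assumptions: run elevated, the shadow copies still exist (newer variants delete them),
# and the paths used in the usage line at the bottom are placeholders to replace.
function Get-ShadowCopyList {
    param([string]$Drive = 'C:')
    # Shadow copies are keyed by volume GUID, so resolve the drive letter to its volume first.
    $vol = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter -eq $Drive }
    Get-CimInstance -ClassName Win32_ShadowCopy |
        Where-Object { $_.VolumeName -eq $vol.DeviceID } |
        Sort-Object InstallDate -Descending |
        Select-Object ID, InstallDate, DeviceObject
}

function Restore-FolderFromShadowCopy {
    param(
        [Parameter(Mandatory)][datetime]$Before,     # use the newest copy older than this time
        [Parameter(Mandatory)][string]$RelativePath, # path below the drive root, e.g. 'Users\alice\Documents'
        [Parameter(Mandatory)][string]$Destination,  # where the recovered files go (another drive is safest)
        [string]$Drive = 'C:'
    )
    $copy = Get-ShadowCopyList -Drive $Drive | Where-Object { $_.InstallDate -lt $Before } | Select-Object -First 1
    if (-not $copy) { throw "No shadow copy of $Drive older than $Before exists." }
    # The copy is only reachable through its device object; a directory symlink makes it browsable.
    $link = Join-Path $env:TEMP ('shadow_' + [guid]::NewGuid().ToString('N'))
    cmd.exe /c mklink /d "$link" "$($copy.DeviceObject)\" | Out-Null
    try {
        $source = Join-Path $link $RelativePath
        if (-not (Test-Path -LiteralPath $source)) {
            throw "'$RelativePath' is not present in shadow copy $($copy.ID)."
        }
        New-Item -ItemType Directory -Path $Destination -Force | Out-Null
        Copy-Item -Path (Join-Path $source '*') -Destination $Destination -Recurse -Force
    } finally {
        cmd.exe /c rmdir "$link" | Out-Null   # rmdir on a symlink removes the link, not the target
    }
    return $copy.InstallDate   # the time of the copy the files came from
}

Get-ShadowCopyList | Format-Table -AutoSize
# Usage (placeholders): restore Documents as they were before 20 October 2013.
# Restore-FolderFromShadowCopy -Before (Get-Date '2013-10-20') -RelativePath 'Users\alice\Documents' -Destination 'D:\recovered\Documents'
```

Repeat the restore call per folder, as Step 5 says, and run it before the Malwarebytes scan in Steps 6 onward.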

Please note that this removal guide might not work in some cases. If this is the case, you may be forced to reinstall the ransomware via the link given on the desktop wallpaper it sets. Once you have done this, you have no option remaining but to pay the ransom via the following ways:

GreenDot MoneyPak

Bitcoin

Ukash

For info on how to prevent yourself from getting infected with CryptoLocker, please read this blog post: http://www.malwareaware.com/2013/10/cryptolocker-prevention.html

Thank you for reading. Feel free to comment if you have any questions or comments.
Posted in The CryptoLocker Saga

Thursday, 24 October 2013

CryptoLocker Prevention.

Posted on 05:29 by Unknown
It's been some time since I last wrote about the ransomware called CryptoLocker, a piece of ransomware that actually encrypts your files so that you cannot access them without paying the ransom.

Fortunately, a utility has been written by FoolishIT which will set up software restriction policies on Windows. These restriction policies will prevent the execution of CryptoLocker. And they will also prevent the execution of the now included Zbot Trojan.

What follows is a step by step guide to setting the restriction policies up using the utility.

Step #1: Download the utility here: http://www.foolishit.com/download/cryptoprevent/

Step #2: Make sure that the "Open with Windows Explorer" option is selected and then click on the Open button.

Step #3: Somewhere at the top of the Windows Explorer window, you should see an option to extract all files. Choose that option and extract the files to a folder.

Step #4: Double click CryptoPrevent.exe to execute the utility.

Step #5: On the screen that just popped up, press OK.

Step #6: On the new screen, make sure all checkboxes are checked.

Step #7: Click on the Block button. This shall set up the restriction policies which will prevent the execution of CryptoLocker.

Step #8: To make sure it worked, click on the Test button. It will return with either success or failure. Success means that the included test executable was able to get through. Failure means that it was blocked.


If you find that the restrictions cause issues with one of your applications, you can go back to the utility and click on the Undo button to remove the changes. When you are done with that application, go back and click on the Block button again to restore the restrictions.

Please note that this utility merely prevents you from getting infected. It does no good if you are already infected.

For more info about the utility, please visit this website: http://www.foolishit.com/vb6-projects/cryptoprevent/
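For readers who want to see what the utility is doing underneath, here is an added example of my own; it is not CryptoPrevent's code and is not from the original post. It writes Software Restriction Policy (SRP) path rules straight into the policy location Windows reads them from, reads them back so you can audit them, and then performs the same kind of check as the utility's Test button. The specific folders it blocks (the AppData locations) are this example's own assumption about where droppers of this era launch from, not something taken from FoolishIT's documentation.

```powershell
# Added example, not part of the CryptoPrevent utility or of the original post.
# It writes Software Restriction Policy (SRP) path rules into the documented
# policy location under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer.
# Which paths to block is this example's own assumption: user-profile folders
# that a normal installer does not launch programs from.
# Run from an elevated (Administrator) PowerShell prompt.

$SrpRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Assumed block list: executables started from the roaming and local AppData
# folders, one or two directory levels deep.
$BlockedPatterns = @(
    '%AppData%\*.exe',
    '%AppData%\*\*.exe',
    '%LocalAppData%\*.exe',
    '%LocalAppData%\*\*.exe'
)

function Initialize-SrpRoot {
    New-Item -Path $SrpRoot -Force | Out-Null
    # 0x40000 = Unrestricted: everything may run unless a Disallowed rule matches.
    Set-ItemProperty -Path $SrpRoot -Name DefaultLevel -Value 0x40000 -Type DWord
    # 1 = apply to all software except libraries (DLLs); 2 would include DLLs.
    Set-ItemProperty -Path $SrpRoot -Name TransparentEnabled -Value 1 -Type DWord
    # 0 = apply to all users, including local administrators.
    Set-ItemProperty -Path $SrpRoot -Name PolicyScope -Value 0 -Type DWord
    # File types the policy treats as executable.
    Set-ItemProperty -Path $SrpRoot -Name ExecutableTypes -Type MultiString `
        -Value @('EXE', 'COM', 'PIF', 'SCR', 'BAT', 'CMD')
}

function Add-SrpDisallowRule {
    param([Parameter(Mandatory)][string]$PathPattern,
          [string]$Description = 'Added by example script')
    # Security level 0 = Disallowed. Each path rule is its own GUID-named key.
    $ruleKey = Join-Path $SrpRoot ('0\Paths\{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $ruleKey -Force | Out-Null
    Set-ItemProperty -Path $ruleKey -Name ItemData    -Value $PathPattern -Type ExpandString
    Set-ItemProperty -Path $ruleKey -Name SaferFlags  -Value 0 -Type DWord
    Set-ItemProperty -Path $ruleKey -Name Description -Value $Description -Type String
    return $ruleKey
}

function Get-SrpDisallowRules {
    # Read the rules back to audit what is blocked. Removing one of these keys
    # (Remove-Item) is the equivalent of the utility's Undo button.
    Get-ChildItem -Path (Join-Path $SrpRoot '0\Paths') -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath | Select-Object ItemData, Description }
}

function Test-SrpBlock {
    # Same idea as the utility's Test button: copy a harmless Windows executable
    # into a blocked location and see whether Windows refuses to start it.
    $probe = Join-Path $env:APPDATA 'srp-probe.exe'
    Copy-Item (Join-Path $env:SystemRoot 'System32\whoami.exe') $probe -Force
    try {
        Start-Process -FilePath $probe -WindowStyle Hidden -Wait -ErrorAction Stop
        $blocked = $false   # it ran: the policy is not in effect for this session
    } catch {
        $blocked = $true    # start refused ("blocked by group policy"): the rule works
    } finally {
        Remove-Item $probe -Force -ErrorAction SilentlyContinue
    }
    return $blocked
}

Initialize-SrpRoot
foreach ($pattern in $BlockedPatterns) {
    Add-SrpDisallowRule -PathPattern $pattern -Description "Block executables in $pattern" | Out-Null
}
Get-SrpDisallowRules
"Probe blocked: $(Test-SrpBlock)"
```

If the probe still runs right after the rules are written, sign out and back in and call Test-SrpBlock again, since a freshly changed local policy is not always picked up by the current session. Every start that SRP refuses is also recorded in the Application event log under the source Software Restriction Policies (event ID 866 for a path rule), which is the place to look when a legitimate program stops working after you click Block. Microsoft has since deprecated SRP in favour of AppLocker and Windows Defender Application Control, so on current Windows versions the same path-based blocking belongs in one of those instead.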

Thank you for reading. Feel free to comment if you have any questions or comments.
Posted in The CryptoLocker Saga

Thursday, 17 October 2013

How to remove the Cyber Command of New York Ransomware.

Posted on 17:05 by Unknown
Alright, there's a new piece of ransomware making the rounds. It's called the Cyber Command of New York Ransomware.

This ransomware is a variant of the infamous Reveton ransomware, also known as the FBI MoneyPak Ransomware.

The following is a removal guide for this ransomware.

Step 1: Get a flash drive that can store at least 32 MB.

Step 2: On an uninfected computer, go to http://www.bleepingcomputer.com/download/hitmanpro/ and download the 32-bit or 64-bit version that matches the uninfected computer.

Step 3: Once the file has been downloaded, insert the flash drive you are going to use.

Step 4: Run the downloaded file.

Step 5: Once you see the start screen of Hitman Pro, click on the little picture of a person performing a kick at the bottom of the window.

Step 6: You will now see instructions on how to create the Kickstart Live USB. Click on the flash drive you will be using, then press Install Kickstart. You will then be presented with a warning that the flash drive will be erased. Click on Yes to continue.

Step 7: Once the files have been downloaded and installed onto the flash drive, click the close button and take out the flash drive.

Step 8: Insert the flash drive into the infected computer with the computer turned off. Turn it on and then look for info on how to access the boot menu. If you cannot see any info, keys commonly used for the boot menu are F8, F11, or F12.

Step 9: Restart your computer and start tapping the indicated key. If one key does not work, restart the computer and try another key from the list above.

Step 10: Now, select the flash drive with the Kickstart program installed and press enter. Once you see the new screen, press 1.

Step 11: Windows will load normally. After you log in, you will see the ransomware. Wait 15-20 seconds and you will see the Hitman Pro start screen. Click next to start the scanning process.

Step 12: Click No, I only want to perform a one-time scan to check this computer. Then click next.

Step 13: Once Hitman Pro has finished scanning, it will display a list of malware that it found. Click next, and if prompted, choose the 30 day free trial. Hitman Pro will now reboot your computer. Once it boots up, it will be free of the ransomware.
Posted in Removal Guides, Windows

Wednesday, 9 October 2013

How to remove Antimalware (Rogue)

Posted on 05:26 by Unknown
There is a new rogue antivirus program making the rounds on the internet. Its name is Antimalware. Original name, right?

For those of you who do not know, a rogue antivirus program is a piece of malware that pretends to be an antivirus program. It then scans your computer and detects threats that are not actually on your computer. It is just trying to make you purchase it.

A removal guide follows:

Step #1: Reboot your computer into safe mode with networking. To do this, turn the computer off and turn it back on. Immediately after you press the power button to turn the computer back on, press the F8 key on your keyboard repeatedly until you come to a menu that gives you options such as Safe Mode. Use the arrow keys on your keyboard to select Safe Mode With Networking.

Step #2: To make sure that the rogue will not interfere with removal, we must run Rkill. Download iExplore.exe here: http://www.bleepingcomputer.com/download/rkill/

Step #3: Run the downloaded executable. It will open a black window; this is normal. Once the black window has closed on its own, proceed to step 4.

Step #4: Download Malwarebytes Anti-Malware from here: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Step #5: Run the downloaded installer and install Malwarebytes Anti-Malware.

Step #6: Once the program is installed, it will automatically open a window. Once this window is open, click Perform Full Scan, and then click the scan button.

Step #7: As this scan will take some time, I suggest you do something else while remaining in close proximity to the computer so you can check on the scan every once in a while. Once the scan is complete, proceed to step 8.

Step #8: When the scan is complete, it will open a message box. Click OK, and then click show results.

Step #9: Click Remove Selected. If Malwarebytes prompts you to restart your computer, please allow it to do so.

Step #10: Enjoy your computer which should now be free of Antimalware.
Posted in Removal Guides, Windows

Saturday, 5 October 2013

How to remove Security Cleaner Pro (Rogue)

Posted on 05:35 by Unknown
There is a new rogue antivirus program making the rounds on the internet. It's called Security Cleaner Pro.

For those of you who do not know, rogue antivirus software is a piece of software that attempts to scare you into buying it by claiming that your computer is infected with malware. The malware it claims to find is not actually on your computer.

What follows is a removal guide for this rogue antivirus.

Step #1: Reboot your computer into safe mode with networking. To do this, turn the computer off and turn it back on. Immediately after you press the power button to turn the computer back on, press the F8 key on your keyboard repeatedly until you come to a menu that gives you options such as Safe Mode. Use the arrow keys on your keyboard to select Safe Mode With Networking.

Step #2: To make sure that the rogue will not interfere with removal, we must run Rkill. Download iExplore.exe here: http://www.bleepingcomputer.com/download/rkill/

Step #3: Run the downloaded executable. It will open a black window; this is normal. Once the black window has closed on its own, proceed to step 4.

Step #4: Download Malwarebytes Anti-Malware from here: http://www.bleepingcomputer.com/download/malwarebytes-anti-malware/

Step #5: Run the downloaded installer and install Malwarebytes Anti-Malware.

Step #6: Once the program is installed, it will automatically open a window. Once this window is open, click Perform Full Scan, and then click the scan button.

Step #7: As this scan will take some time, I suggest you do something else while remaining in close proximity to the computer so you can check on the scan every once in a while. Once the scan is complete, proceed to step 8.

Step #8: When the scan is complete, it will open a message box. Click OK, and then click show results.

Step #9: Click Remove Selected. If Malwarebytes prompts you to restart your computer, please allow it to do so.

Step #10: Enjoy your computer which should now be free of Security Cleaner Pro.
Posted in Removal Guides, Windows

Thursday, 26 September 2013

How to remove the United Kingdom Police ransomware.

Posted on 17:19 by Unknown
There is a new piece of ransomware making the rounds on the internet. It is called the United Kingdom Police ransomware.

Like most ransomware, this one locks up your computer and claims that you have violated some law that you have not violated. The ransomware demands money for the unlocking of your computer via a prepaid card such as a GreenDot MoneyPak card. And like most ransomware going around today, I will provide a removal guide for this ransomware.

Step 1: Get a flash drive that can store at least 32 MB.

Step 2: On an uninfected computer, go to http://www.bleepingcomputer.com/download/hitmanpro/ and download the 32-bit or 64-bit version that matches the uninfected computer.

Step 3: Once the file has been downloaded, insert the flash drive you are going to use.

Step 4: Run the downloaded file.

Step 5: Once you see the start screen of Hitman Pro, click on the little picture of a person performing a kick at the bottom of the window.

Step 6: You will now see instructions on how to create the Kickstart Live USB. Click on the flash drive you will be using, then press Install Kickstart. You will then be presented with a warning that the flash drive will be erased. Click on Yes to continue.

Step 7: Once the files have been downloaded and installed onto the flash drive, click the close button and take out the flash drive.

Step 8: Insert the flash drive into the infected computer with the computer turned off. Turn it on and then look for info on how to access the boot menu. If you cannot see any info, keys commonly used for the boot menu are F8, F11, or F12.

Step 9: Restart your computer and start tapping the indicated key. If one key does not work, restart the computer and try another key from the list above.

Step 10: Now, select the flash drive with the Kickstart program installed and press enter. Once you see the new screen, press 1.

Step 11: Windows will load normally. After you log in, you will see the ransomware. Wait 15-20 seconds and you will see the Hitman Pro start screen. Click next to start the scanning process.

Step 12: Click No, I only want to perform a one-time scan to check this computer. Then click next.

Step 13: Once Hitman Pro has finished scanning, it will display a list of malware that it found. Click next, and if prompted, choose the 30 day free trial. Hitman Pro will now reboot your computer. Once it boots up, it will be free of the ransomware.
Posted in Removal Guides, Windows

How to remove the PRISM/NSA Ransomware.

Posted on 17:15 by Unknown
There is a new piece of ransomware making the rounds on the internet. It is called the PRISM ransomware. And there is another variant that has also been making the rounds called the NSA ransomware. The removal guide for both is the same, so I decided to kill two birds with one stone.

Like all ransomware, this one locks up your computer and claims that you have violated some law that you have not violated. The ransomware demands money for the unlocking of your computer via a prepaid card such as a GreenDot MoneyPak card. And like most ransomware going around today, I will provide a removal guide for this ransomware.

Step 1: Get a flash drive that can store at least 32 MB.

Step 2: On an uninfected computer, go to http://www.bleepingcomputer.com/download/hitmanpro/ and download the 32-bit or 64-bit version that matches the uninfected computer.

Step 3: Once the file has been downloaded, insert the flash drive you are going to use.

Step 4: Run the downloaded file.

Step 5: Once you see the start screen of Hitman Pro, click on the little picture of a person performing a kick at the bottom of the window.

Step 6: You will now see instructions on how to create the Kickstart Live USB. Click on the flash drive you will be using, then press Install Kickstart. You will then be presented with a warning that the flash drive will be erased. Click on Yes to continue.

Step 7: Once the files have been downloaded and installed onto the flash drive, click the close button and take out the flash drive.

Step 8: Insert the flash drive into the infected computer with the computer turned off. Turn it on and then look for info on how to access the boot menu. If you cannot see any info, keys commonly used for the boot menu are F8, F11, or F12.

Step 9: Restart your computer and start tapping the indicated key. If one key does not work, restart the computer and try another key from the list above.

Step 10: Now, select the flash drive with the Kickstart program installed and press enter. Once you see the new screen, press 1.

Step 11: Windows will load normally. After you log in, you will see the ransomware. Wait 15-20 seconds and you will see the Hitman Pro start screen. Click next to start the scanning process.

Step 12: Click No, I only want to perform a one-time scan to check this computer. Then click next.

Step 13: Once Hitman Pro has finished scanning, it will display a list of malware that it found. Click next, and if prompted, choose the 30 day free trial. Hitman Pro will now reboot your computer. Once it boots up, it will be free of the ransomware.
Posted in Removal Guides, Windows

How to get rid of the new ransomware for Mac.

Posted on 12:35 by Unknown
Last July, I covered a new variant of the Reveton ransomware which affected Macs. Now there is a new variant for Macs making the rounds, and this one learned from the mistakes of the last variant by affecting Safari users as well as Google Chrome users.

Let me say that this is not really malware in the strict definition, but it does attempt to get you to pay money in order to use your browser. And while "removal" is a bit more technical than the kind of stuff I normally talk about, most users will still be able to do this.

Google Chrome ransomware removal guide:

Step 1: Type in the following URL without the quotes: "chrome://settings/clearBrowserData"

Step 2: Clear any data that appears to be related to this ransomware.

Safari ransomware removal guide:

Step 1: Click on the Safari button in the top bar on your Mac. (It will be near the apple you click on to turn off your Mac)

Step 2: Click on Reset Safari.

Step 3: Ensure that all checkboxes are checked and then click reset.

Thank you for reading. I invite readers to comment with any questions or comments.
Posted in Macs, Removal Guides

Wednesday, 25 September 2013

How to be safer with Android.

Posted on 05:58 by Unknown
With the rising popularity of Android malware, which does not seem to be stopping any time soon, I thought it prudent to make a guide such as this which will help keep you a bit safer with Android. And I know that people who have been infected with something like Armor for Android will appreciate this, because these tips are designed to help decrease the odds of that kind of thing happening again.

I could go through several tips for those that use Android devices, but they all boil down to two.

Tip #1: Be smart about what you download. The ability to download apps from anywhere with Android brings users a lot of freedom to seek out cheaper or free alternatives to overpriced software. But this also gives malware writers the freedom to write malware and disguise it as something else. As these are often disguised as apps, you can download malware onto your device without even knowing it.

To help prevent this, you can do three things.

1. Make sure you have the downloads from untrusted sources option unchecked. If you need the app and are sure that it is safe, you can easily enable it. And for those of you who are not sure, it gives you an extra few seconds to hesitate and decide that something is not right.

2. Look at the permissions asked for with a fine-tooth comb. Think about it: does a Christmas caroling app really need to monitor your phone calls? Permissions are often where well-intentioned users get themselves into trouble. But thinking through which permissions are needed can be time consuming for most users. So I like to think of it in terms of what permissions I would ask for if I wrote this app. Then I think of what permissions I would ask for if I wanted this app to do something malicious. Ask yourself that and then look at the list of permissions. Which list is it closer to?

3. Only download from the Play Store. That overpriced software we were talking about? Odds are good that there is a cheaper version in the Play Store. In a world where there's an app for that, odds are good that someone is fed up with overpriced apps. And besides that, very few malicious apps have gotten through the security of the Play Store. I'm not saying that you should not download from regular online sources. Just look twice before you download.

Tip #2: Keep security software on your device. Even though you may be a pro at figuring out what apps are safe, you can still be the victim of drive by downloads. These types of downloads often contain Trojans which download and install themselves to your device without you seeing anything asking your permission.

This is why security software is a must.

There are quite a few apps which will help you stay secure, but one of my personal favorites is Avast Mobile Security. This app not only has a top notch antivirus scanner that protects you in real time, but it also has anti-theft components which can help you get your device back if it is stolen.

And one app that is being worked on is Malwarebytes Anti-Malware for the Android platform. It is not available yet, but I will be downloading it on my Android devices when it is.

Thank you for reading, I invite readers to comment with any questions or comments. And if you have a tip I missed, please comment and tell me about it.
Posted in Android

Tuesday, 24 September 2013

How to remove Mobile Defender (Rogue)

Posted on 05:10 by Unknown
There is a new rogue antivirus program affecting the Android platform. It is called Mobile Defender, and another variant is called Android Defender. It is a little bit like the $1.99 per week Armor for Android rogue that I talked about some time ago. It has no Trojan element and it is easy enough to remove. But because of the fact that it asks for quite a few permissions, it is important that you get this off of your Android device.

I'm not really sure if a removal guide is really necessary, because you have to change settings in order to download the app which is not from the Play Store. But the app claims to be WhatsApp when you go to install it, so no one can really be blamed if someone inadvertently installs it. With that in mind, I will go ahead with a removal guide.

Step #1: Go to Settings.

Step #2: Now go to Location and Security. This might also just be called Security depending on the version of Android you are running.

Step #3: Tap on Select Device Administrators, which might just be called Device Administrators.

Step #4: Uncheck or Deactivate Mobile Defender (or Android Defender depending on what variant you have.)

Step #5: Go back to the settings menu.

Step #6: Go to Applications.

Step #7: Press Manage Applications.

Step #8: Find the app.

Step #9: Press the app and choose to uninstall it.

Thank you for reading. I invite readers to comment with any questions or comments.
Posted in Android, Removal Guides

Wednesday, 18 September 2013

Recapping CryptoLocker.

Posted on 21:24 by Unknown
This is going to be a recap post going over some of the stuff I have covered as far as the CryptoLocker ransomware.

It seems to be spreading via social media and old-school email Trojans, so on the email side it can be avoided by not downloading any .exe files that arrive by email. And if the file name contains .zip, walk away.

Removing it is the easy part. You can remove it with the Kickstart program of Hitman Pro, or with Malwarebytes Anti-Malware in safe mode. Both of these have been proven to work with CryptoLocker. And when I say that removing it is the easy part, I am not joking: CryptoLocker encrypts your files with RSA 2048-bit encryption. This type of encryption has never been broken and likely will not be broken for at least 10 years. So... no decryption tool can be written in the foreseeable future.

But there is a possible way to recover your files. In select versions of Windows (Vista and 7), you can restore your files to a previous state using Shadow Explorer. Shadow Explorer is a freeware program that you can find on the internet. It does nothing but access the file restore function of Windows which is built into System Restore. Be careful to restore your files to a date before the event.

On Windows 8, if you do not already have File History enabled, it is too late if you are infected. File History is disabled by default, but you can enable it by following the guides that Microsoft provides for enabling it.

http://windows.microsoft.com/en-us/windows-8/how-use-file-history

http://windows.microsoft.com/en-us/windows-8/set-drive-file-history

If you do not have System Restore or File History enabled and you are infected, there is not much you can do. If there is no system restore point, then your only viable options left are to either pay the ransom, buy a new hard drive, or restore from a backup that you would need to have ahead of time.
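Rather than discover this the hard way, you can check ahead of time whether Windows is holding any shadow copies at all, and whether any of them predate a given event. The script below is an added example of my own, not code from the original post or from Shadow Explorer; it reads the same Volume Shadow Copy store that Shadow Explorer and the Previous Versions tab use. The event date it checks against is an assumed value for the demonstration.

```powershell
# Added example, not from the original post or from Shadow Explorer.
# Lists the Volume Shadow Copies Windows keeps (the store that Previous
# Versions and Shadow Explorer read from) and reports which ones were taken
# before a given event, so you know whether a pre-infection copy exists.
# Run from an elevated PowerShell prompt; Win32_ShadowCopy is empty otherwise.

function Get-ShadowCopyInventory {
    # Win32_ShadowCopy.VolumeName is a \\?\Volume{GUID}\ path; Win32_Volume
    # maps that back to a drive letter so the listing is readable.
    $volumes = Get-CimInstance -ClassName Win32_Volume | Where-Object { $_.DriveLetter }
    Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        $snap = $_
        $vol = $volumes | Where-Object { $_.DeviceID -eq $snap.VolumeName } | Select-Object -First 1
        [pscustomobject]@{
            Created      = $snap.InstallDate
            Drive        = if ($vol) { $vol.DriveLetter } else { $snap.VolumeName }
            DeviceObject = $snap.DeviceObject
        }
    } | Sort-Object Created
}

function Get-PreEventShadowCopies {
    param([Parameter(Mandatory)][datetime]$EventTime)
    # Only copies created before the event can still hold unencrypted files;
    # anything newer was taken after the damage was done.
    Get-ShadowCopyInventory | Where-Object { $_.Created -lt $EventTime }
}

# Assumed event time for the demonstration: when the ransom screen first appeared.
$infectionNoticed = Get-Date '2013-09-18 21:00'
$usable = @(Get-PreEventShadowCopies -EventTime $infectionNoticed)
if ($usable.Count -eq 0) {
    'No shadow copy predates the event; Previous Versions / Shadow Explorer will not help here.'
} else {
    "Found $($usable.Count) shadow copies taken before the event:"
    $usable | Format-Table -AutoSize
}
```

Run it on a healthy machine too: if it prints nothing, System Protection is off for that drive and there is nothing for Shadow Explorer to restore from later, which is exactly the situation the paragraph above describes.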

If given the choice, I would buy a new hard drive rather than pay the ransom. You have no idea what you are funding when you pay the people who write the ransomware. And doing this only encourages these people to keep doing what they know is working.

However, I do understand the importance of restoring your files. And depending on the variant you have and what kind of hard drive you have, it can cost more to replace the hard drive than to pay the ransom.

Offline backups are the only surefire way to get all of your files back. If you are now planning to do that in order to be prepared in case you do get infected, I recommend an external hard drive. You can find one that holds 500 GB for somewhere in the neighborhood of $50.

Thank you for reading. I invite readers to comment with any questions or comments.

And to those of you who have read every post I have written about this, I greatly appreciate it. I hope that this series of posts has not seemed boring or annoying. I really have tried to make it all nice and informative.

Thank You.
Posted in The CryptoLocker Saga