Saturday 30 March 2013

False Positive: Ikarus and Comodo detecting TDSSKiller as a Trojan horse

That awkward moment when you realize that your favorite rootkit removal utility is detected as malware. I probably wouldn't even have noticed, but I got an email from my reader Matt, who apparently has been having some problems with malicious software lately. He said that TDSSKiller (the tool I like a lot and usually recommend to my readers) is actually a Trojan horse. Obviously, this can't be true, so I thought maybe he had downloaded an infected TDSSKiller variant from some naughty site, which would explain everything. He quickly replied that he had downloaded TDSSKiller from Kaspersky's site, so that's clearly not the case. Comodo antivirus blocked the file when Matt executed it. I had to see it for myself, so I downloaded TDSSKiller on my computer and then uploaded it to VirusTotal. Surprise, surprise: it's indeed flagged as a Trojan, with a detection ratio of 2/46. Since I was too lazy to install Comodo and Ikarus, I decided to use Hitman Pro. It uses the Ikarus antivirus engine, so it should detect TDSSKiller. Yep, we have a false positive here. Matt was right.



Tdsskiller.exe was detected as Trojan.Crypt by the Ikarus engine. Comodo detected it as Packed.Win32.MUPX.Gen. Judging by the names, both are generic packer/crypter heuristics, so this is most likely about how the executable is packed rather than about anything it actually does.



However, I can assure you that TDSSKiller is a genuine and safe utility. It's a false positive, and it's just a matter of time before the issue is resolved. So, don't worry. The funny thing is, though, that tdsskiller.exe carries a valid digital signature, just as it should, with a certificate issued by COMODO.



Yeah, COMODO, the same company whose antivirus detects it as Packed.Win32.MUPX.Gen at the moment. Well, what can I say, this is not the first time antivirus companies have flagged each other's tools as dangerous :) Unfortunately, such things happen from time to time.
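Before deciding whether an antivirus hit on a downloaded tool is a false positive or a trojanized copy, check who actually signed the file and record the hash of the exact bytes you have. The PowerShell below is an added example, not code from the post or from Kaspersky; the download path and the publisher string are assumptions (TDSSKiller is published by Kaspersky Lab with a certificate issued by COMODO, so the Subject should name Kaspersky and the Issuer COMODO).

```powershell
# Added example (not from the post): verify the Authenticode signer of a
# downloaded tool and record its SHA-256. Path and publisher are assumptions.

function Get-Sha256Hex {
    param([string]$Path)
    # .NET is used instead of Get-FileHash so this also works on PowerShell 2.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try     { $bytes = $sha.ComputeHash($stream) }
    finally { $stream.Close() }
    [System.BitConverter]::ToString($bytes).Replace('-', '').ToLower()
}

function Test-SignedDownload {
    param(
        [string]$Path,
        [string]$ExpectedPublisher   # substring expected in the signer certificate's Subject
    )
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    $subject = '(none)'; $issuer = '(none)'; $thumb = '(none)'
    if ($cert) { $subject = $cert.Subject; $issuer = $cert.Issuer; $thumb = $cert.Thumbprint }

    # Status is 'Valid' only when the chain builds to a trusted root AND the file
    # bytes still match the signed hash. 'HashMismatch' means the binary was
    # altered after signing (repacked, patched or infected); 'NotSigned' means
    # there is no signature at all, which a genuine vendor tool should never show.
    $publisherOk = ($cert -ne $null) -and ($subject -like "*$ExpectedPublisher*")
    $verdict = if ($sig.Status -eq 'Valid' -and $publisherOk) {
        'Genuine signed build: an AV hit on this hash is probably a false positive; confirm on VirusTotal by hash.'
    } else {
        'Do NOT run this file: signature missing, broken, or from an unexpected publisher.'
    }

    New-Object PSObject -Property @{
        File       = $Path
        Status     = $sig.Status
        Subject    = $subject     # who signed the file (the publisher)
        Issuer     = $issuer      # which CA vouched for the publisher
        Thumbprint = $thumb
        Sha256     = Get-Sha256Hex -Path $Path
        Verdict    = $verdict
    }
}

# Example call; the path is an assumption.
Test-SignedDownload -Path "$env:USERPROFILE\Downloads\tdsskiller.exe" -ExpectedPublisher 'Kaspersky' |
    Format-List File, Status, Subject, Issuer, Thumbprint, Sha256, Verdict
```

Search VirusTotal for the SHA-256 instead of re-uploading the file, so you are looking at the verdict for the exact bytes you ran. A valid signature from the expected publisher proves the file is what the vendor shipped, not that the vendor is trustworthy; a valid signature from some other publisher, or a HashMismatch, is the real warning sign.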

Thursday 28 March 2013

Remove Price Peep (Uninstall Guide)

Price Peep is a web browser add-on which injects ads into the web pages you visit. Sometimes the ads are highly targeted and sometimes they are rather random. It shouldn't be hard to guess that it collects and analyzes information about your browsing activity. For example, if you recently searched for laptops, it's very likely that you will see laptop deal ads from various online stores, including Amazon and many other well-known companies. Of course, there are also many not so well-known companies that are happy to pay for potential customers. Technically, it's not malware, nor is it a virus as some of you may think. However, I agree, it's a potentially unwanted application/adware. It's up to you to decide whether you want to keep it or not. Personally, I hate pop-up ads, so I would definitely uninstall it. Besides, I don't feel comfortable knowing that some app is collecting information about my browsing activity.

It's probably happened to most of us, and a quick search in Google will turn up dozens of forums of bewildered and frustrated PC users asking how and why 'such and such' an add-on has all of a sudden appeared on their computer. Whether it's the Price Peep extension or some sort of browser hijacker, these potentially unwanted applications are usually just that – unwanted and seemingly never installed by you – so how did they get there?



Tempting as it is to immediately lay the blame at the door of our anti-virus software, it's not actually its fault, because whilst PUAs are annoying, they're also incredibly sneaky. Think back to when you first started seeing ads you've never seen before. Chances are you downloaded some software right beforehand.

This is how potentially unwanted programs, including PricePeep, work; whilst occasionally they might take the form of a pop-up on an online shopping website and will try and direct you to a certain seller, shop or amazing special offer, they are most often to be found lurking in the background of software downloads.

As strange as it may seem, some of the most well-known names in internet software do try and sneak the odd PUA or two past us! We all trust, and many of us use, Adobe Reader, Java, Flash Player and Foxit Reader, but in fact if you install or update one of these on your PC and accept the default options, you're likely to have some unwanted add-on foisted upon you too.

You know when you download something and it shows window after window and has you clicking on button after button saying 'Next' or 'Continue'? This is precisely when you're liable to end up with something unwanted on your computer. Normally the PUA will be briefly mentioned and will have a tick or check box next to it – for example 'We recommend installing some toolbar' – however the check box – and here's the catch – will have already been ticked.

Occasionally some potentially unwanted applications will be completely hidden and have no warning whatsoever but thankfully this is not a common occurrence.

Is it sneaky? Well, yes, generally speaking it is, particularly when you take into consideration that the companies concerned hope you will blame your anti-virus for being defective and letting something slip through the net. Yet if questioned they will tell you 'you should have read the small print' or 'you should have paid more attention' – and to be perfectly honest, they do have a point.

The problem is, and most of us are probably guilty of it – in fact if we've ever had an unwanted home page, search engine or tool bar installed, then we're definitely guilty of it – installing software is not the most interesting of computer-based tasks. I for one have installed or updated plenty of software on my laptop and sat there glassy eyed clicking 'Next', 'Next', 'Next' only to then be outraged when a search engine I've never seen before suddenly appears in the right hand corner of my screen asking me what I want to look for!

If there's one semi-silver lining to the Price Peep cloud, it's that this application is not malicious in the virus sense; it does, however, monitor the sites you visit and your computer usage, which in itself isn't particularly appealing. Some PUAs can actually be useful if you know how to use them. For example, a system administrator in a corporate environment (who probably pays much more attention to these things than your average home user!) may choose to install certain remote administration tools, FTP servers or port scanners – hence the use of the word 'potentially' in the title.

If you're not a system administrator, though, and the search engine in your beloved Google Chrome or Firefox browser has been replaced by some imposter, or your screen is covered with ads, there really is only one thing to do: slow down when you're downloading software. Don't just unthinkingly click 'Next!' in every window; stop to take a moment and see exactly what you are installing along with your chosen software.

To remove Price Peep pop-ups from your computer, please follow the removal instructions below. If you've already tried uninstalling it from the Control Panel but are still stuck with Price Peep, scan your computer with the recommended anti-malware software and make sure all of its web browser extensions are gone. You may even have to uninstall recently installed software, because this PUA sometimes comes bundled with other software.

Do you have any additional information or questions on this adware? Post your comment or question below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Price Peep removal instructions:

1. First of all, download the recommended anti-malware software and run a full system scan. It will detect and remove this adware from your computer. You may then follow the manual removal instructions below to remove any leftover traces. Hopefully you won't have to do that.





2. Uninstall the Price Peep application from your computer using the Add/Remove Programs control panel (Windows XP) or the Uninstall a Program control panel (Windows Vista, 7 and 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the Price Peep application and other applications you have recently installed.



Simply select the application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall near the top of that window. When you're done, please close the Control Panel window.


Remove Price Peep from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove the Price Peep Chrome extension:




Remove Price Peep from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Click Remove button to uninstall Price Peep Firefox extension. If you can't find the Remove button, then simply click on the Disable button.




Remove Price Peep from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings (gear) button instead.



2. Select Toolbars and Extensions. Click Remove/Disable button to remove Price Peep from Internet Explorer.




Wednesday 27 March 2013

Remove Solid Savings (Uninstall Guide)

You know how annoying it is when you're used to using Google Chrome as your chosen browser, you're happy with your choice of home page when you log on to your PC or laptop and you're more than happy with the way your toolbar functions and then suddenly – boom – seemingly out of nowhere you have a whole host of new Solid Savings pop-ups and ads littering up your screen?

Unless you're one of the (very) lucky ones, it's probably happened to you at some point. It's certainly happened to me, and it's both annoying and somewhat bewildering. What are these ads, toolbars and browser helper objects – and perhaps more importantly – where on Earth did they come from?

Like me you've probably been somewhat taken aback to suddenly find that Google Chrome is no longer your search engine of choice or that you simply do not understand what the devil is going on with that weird little coupon popups that you've never seen before, and more disconcertingly, you wonder if you're going mad because as far as you know, you sure didn't log on to your laptop late last night after a few drinks thinking it was a good thing to install them!

Ladies and gentlemen, meet the PUAs or the PUPs – or for those who like to know what their acronyms actually mean, the Potentially Unwanted Applications or Potentially Unwanted Programs. Solid Savings, a web browser extension by 215 Apps, is one of these. You may also have heard the term foistware used to describe them, and in fact all three terms explain the situation rather neatly. Basically you have had something – an application or a program – installed on your computer that you potentially do not want. In other words, it has been 'foisted' upon you.

Click to Continue > by Solid Savings



Sounds rather ominous, doesn't it? Well, the good news is that on the whole Potentially Unwanted Applications are usually harmless, i.e. they're not normally viruses or other malware; however, that doesn't mean they're not annoying! The Solid Savings Chrome extension and its add-ons for other web browsers can be easily classified as adware. Let's face it: you've chosen to use Google Chrome or Mozilla Firefox as your browser, you may have chosen your personal website as your go-to home page, and you sure as hell liked the toolbar you've spent the last goodness knows how many years using without any problems – and why shouldn't you?! Not to mention all those annoying pop-ups you see when visiting online stores.

So, to answer the sixty million dollar question: what are these Potentially Unwanted Programs, and how and why do these uninvited PUPs appear on your laptop, PC or tablet all of a sudden, especially when you have an anti-virus installed?

The thing here is to not start blaming your anti-virus; it's not its fault. In fact to be honest the only one at blame is you. Or me. All of us! We let these PUA's invade our computers, but to be fair, they are incredibly sneaky.

Solid Savings pop-ups appear on certain shopping sites and aim to direct you towards a particular shop, vendor or special offer, but the majority of these PUPs 'tag along' with software downloads. Think back to when you first noticed that ugly little search box sitting in the corner of your screen begging you to use it, or to when, no matter how many times you set Google as your search engine in Chrome or Firefox, your PC kept reverting back to some other hitherto unseen search engine. Now think back and remember if you'd downloaded something just before that. Chances are you probably did.

It might surprise you to learn that many of the trusted names in software do actually 'foist' unwanted applications or programs on to us, or at least they try to. We all know and trust Skype, Adobe Reader, Flash Player and Foxit Reader, right? Well, in fact they are just some of the well-known names whose installers bundle PUPs, PUAs, foistware – whatever you want to call them.

What happens is that when you download, let's say, the latest version of Adobe Reader from a non-official website, a Potentially Unwanted Program will be surreptitiously lurking in the background, be it a new toolbar, browser or home page. Have you ever noticed that when you're installing something you need to click on seemingly endless 'Next' or 'Continue' buttons which take you to new windows? Hidden in some of these windows will be text saying something along the lines of 'Install This Really Annoying New Tool Bar or some other web browser add-on'. Now, normally you wouldn't want to install a really annoying new toolbar when you're perfectly happy with the one you've already got, but what if this box was already pre-ticked and you didn't notice…?

Well, sorry to break it to you, but there is only one way to avoid this: the next time you download something, stop and read the small print, and be sure to un-check anything that you don't actually want to install.

So, as I said, Solid Savings is adware. It collects certain information about you and your browsing habits, including search terms and the things you are looking for, and then sends all this information to a third-party ad network. The ad network instantly sends back a response with possible deals for this app to display. This is how it works. Huge privacy issues in my opinion. That's why I recommend you remove Solid Savings from your computer. If you can't uninstall it or don't know if you removed it properly, please follow the removal instructions below.

As always, post your comment or question below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Solid Savings removal instructions:

1. First of all, download the recommended anti-malware software and run a full system scan. It will detect and remove this adware from your computer. You may then follow the manual removal instructions below to remove any leftover traces. Hopefully you won't have to do that.





2. Uninstall the Solid Savings application from your computer using the Add/Remove Programs control panel (Windows XP) or the Uninstall a Program control panel (Windows Vista, 7 and 8).

Go to the Start Menu. Select Control Panel → Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel → Uninstall a Program.



If you are using Windows 8, simply drag your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove the Solid Savings application and other applications you have recently installed.



Simply select the application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall near the top of that window. When you're done, please close the Control Panel window.


Remove Solid Savings from Google Chrome:

1. Click on the Chrome menu button. Go to Tools → Extensions.



2. Click on the trashcan icon to remove the Solid Savings Chrome extension:





Remove Solid Savings from Mozilla Firefox:

1. Open Mozilla Firefox. Go to Tools → Add-ons.



2. Select Extensions. Click Remove button to uninstall Solid Savings Firefox extension. If you can't find the Remove button, then simply click on the Disable button.





Remove Solid Savings from Internet Explorer:

1. Open Internet Explorer. Go to Tools → Manage Add-ons. If you have the latest version, simply click on the Settings (gear) button instead.



2. Select Toolbars and Extensions. Click Remove/Disable button to remove Solid Savings from Internet Explorer.
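The Control Panel and browser steps in the Price Peep and Solid Savings guides above cover the visible parts of an adware add-on; what brings it back after removal is usually a registry entry that tells the browser to side-load the extension again. The PowerShell below is an added example, not code from either guide, that lists everywhere such an add-on can be installed so you know what to remove. The name pattern '*Price Peep*' is an assumption; use whatever name the add-on shows on your machine. It needs PowerShell 3.0 or later for ConvertFrom-Json.

```powershell
# Added example, not part of the original guides: locate an adware add-on in
# the installed-programs list, in Chrome's profile, in the side-load registry
# keys of Chrome and Firefox, and among IE's Browser Helper Objects.

function Find-InstalledProgram {
    param([string]$NamePattern)
    # These Uninstall keys are exactly what Add/Remove Programs displays.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $NamePattern } |
        Select-Object DisplayName, Publisher, InstallDate, InstallLocation, UninstallString
}

function Find-ChromeExtension {
    param([string]$NamePattern)
    # Unpacked extensions live at <profile>\Extensions\<32-char id>\<version>\manifest.json
    $root = Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data'
    Get-ChildItem -Path $root -Filter manifest.json -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.FullName -like '*\Extensions\*' } |
        ForEach-Object {
            $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
            New-Object PSObject -Property @{
                Id      = $_.Directory.Parent.Name
                Name    = $m.name        # '__MSG_*__' means a localized name; judge by Path/Id instead
                Version = $m.version
                Path    = $_.DirectoryName
            }
        } |
        Where-Object { $_.Name -like $NamePattern -or $_.Path -like $NamePattern }
}

function Find-SideloadedExtension {
    # Installers register extensions here so the browser installs them silently.
    # If the entry survives removing the extension in the browser, it comes back.
    foreach ($k in 'HKLM:\SOFTWARE\Google\Chrome\Extensions',
                   'HKLM:\SOFTWARE\Wow6432Node\Google\Chrome\Extensions') {
        Get-ChildItem -Path $k -ErrorAction SilentlyContinue | ForEach-Object {
            $p   = Get-ItemProperty -Path $_.PSPath
            $src = if ($p.path) { $p.path } else { $p.update_url }
            New-Object PSObject -Property @{ Browser = 'Chrome'; Id = $_.PSChildName; Source = $src; Key = $_.PSPath }
        }
    }
    foreach ($k in 'HKLM:\SOFTWARE\Mozilla\Firefox\Extensions',
                   'HKLM:\SOFTWARE\Wow6432Node\Mozilla\Firefox\Extensions',
                   'HKCU:\SOFTWARE\Mozilla\Firefox\Extensions') {
        $p = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
        if (-not $p) { continue }
        # Value name is the extension ID, value data is the folder or .xpi it loads from.
        $p.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            New-Object PSObject -Property @{ Browser = 'Firefox'; Id = $_.Name; Source = $_.Value; Key = $k }
        }
    }
}

function Find-BrowserHelperObject {
    # IE add-ons are COM objects listed by CLSID; resolve each to the DLL it loads.
    foreach ($k in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
                   'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects') {
        Get-ChildItem -Path $k -ErrorAction SilentlyContinue | ForEach-Object {
            $clsid = $_.PSChildName
            $base  = "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
            if (-not (Test-Path $base)) { $base = "Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID\$clsid" }
            $cls = Get-ItemProperty -Path $base -ErrorAction SilentlyContinue
            $srv = Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue
            New-Object PSObject -Property @{ Clsid = $clsid; Name = $cls.'(default)'; Dll = $srv.'(default)' }
        }
    }
}

$pattern = '*Price Peep*'   # assumption: change to the add-on you are chasing
Find-InstalledProgram -NamePattern $pattern | Format-List
Find-ChromeExtension  -NamePattern $pattern | Format-Table Id, Name, Version, Path -AutoSize
Find-SideloadedExtension | Format-Table Browser, Id, Source -AutoSize
Find-BrowserHelperObject | Format-Table Name, Clsid, Dll -AutoSize
```

Run the uninstaller from the UninstallString first, then remove the extension in the browser, and only then delete any matching side-load key (Remove-Item on the Chrome key, Remove-ItemProperty on the Firefox value) and the BHO's CLSID entry; doing it in the other order lets the installer's own uninstaller recreate what you just deleted. Anything listed by the last two functions that you do not recognise deserves a look at the DLL or folder it points to before you decide.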




Tuesday 26 March 2013

Identity Theft Protection – How to Stop Your Life Being Hacked

As anyone who is unfortunate enough to have been a victim of identity theft can tell you, it is one of the most upsetting and extremely annoying non-violent crimes to deal with. The invasion of personal privacy, the feeling of ‘why me?!’ and the aftermath of having to sort out and untangle the ensuing mess can all be horrific.

Unfortunately, too, identity theft is becoming increasingly common and shows no signs of abating, with experts saying that the crime increased in both 2011 and 2012. In fact it is estimated that 5% of all adult US citizens fall victim to ID theft at some point in their lives. And it’s costing us: again industry experts estimated that back in 2007 between a staggering 8 million and 15 million Americans had their identity stolen or fell victim to fraud, with the average loss of someone who has had their identity stolen being $691 and a person that has had a false account opened in their name losing an average of $1066. That’s not small change by any means!

Examples of Identity Theft

Generally speaking identity theft falls into two main categories; once a criminal has your personal details they will either commit what is known as ‘new account fraud’ – basically opening a new bank account in your name, or ‘account take over fraud’, which again is exactly what it sounds like – using the money in your account to pay for goods or services for their own pleasure or need.

As undesirable as this sounds for your financial situation – because let’s face it – who can afford to lose $1000 just like that? – it is actually a huge pain to sort out the nightmare of identity theft and is something that can have a knock on effect for years after the crime. You might think it is as simple as calling your bank and proving that you were in New York City when your credit or debit card was being used in San Francisco, and speaking from personal experience I was ‘lucky enough’ to be able to do just that when I noticed that one of my bank accounts was seriously depleted. Luckily I had proof that I was actually at home during the dates my account was being used and not on a shopping spree buying car parts in the Philippines, of all things!

However, I think in hindsight I was fortunate, and whilst it did take a call to my bank and some paperwork needing to be signed and sent back, it was relatively painless to deal with. But millions of people are not so lucky and the impact on your reputation if you’ve fallen victim to identity theft can have some pretty devastating repercussions.

The Reality of Identity Theft and why ID Theft Protection is Crucial

Imagine you’ve just applied for your dream job, you’ve found a home that couldn’t be any more perfect for raising your family in if you tried or you want to apply for a credit card or loan to book that retirement cruise around the world that you’ve been promising yourselves for years. All of your plans can be laid to waste if you’ve been unlucky enough to be singled out by some ruthless con artist who decides that they are more entitled to the contents of your bank account – or even your good name – than you are.

When you apply for a job, a bank loan, a credit card, a mortgage, a rental agreement or even a cable account the majority of companies will contact one of the three big credit bureaus in the States - TransUnion, Equifax or Experian - so that they can obtain a copy of your credit report. All well and good you say, I have nothing to hide. Maybe you don’t but what if, without your knowledge, someone has opened a bank account in your name and run up horrific debts? What if someone has stolen your identity and is actually committing crimes in your name? If that’s the case, you can be pretty sure that you can kiss goodbye to that dream home or that long-planned vacation and instead say hello to months, possibly even years, of hassle spent trying to clear your name instead.

It’s not only the time-consuming factor, but the fight to prove your identity can actually end up costing you thousands of dollars too. Which doesn’t seem very fair at all, does it? Therefore, it’s starting to become clearer why identity theft protection is actually something that we all need to give a little more thought to.

How Do I Know if I am a Victim of Identity Theft?

The shocking thing is that many of us have been, or even are, victims without even knowing it. If you’re not one of those organized people who rigorously checks their bank statements every month, fraudulent activity can be so subtle that you may not have noticed that anything is wrong, and it can be months, or even years, before a few random, unidentified credit card charges suddenly take a more serious turn for the worse: you get turned down for a new mortgage or job, you’re presented with a whopping great credit card bill one month or – and imagine this – the police turn up on your doorstep wanting to question you in connection with a crime! The impact on your reputation, employability and credit rating can be devastating for years to come.

Luckily, there are steps you can take, and identity theft protection services can be invaluable in providing alerts when unusual changes have been made to your credit report. For a small fee these services will let you know if any new accounts have been opened in your name – although you will still need to check your bank statements personally to make sure that any items or services purchased have been bought by you and you alone. Select an ID theft protection service wisely, because not all companies are honest about what they are doing. You may want to consider ID Watchdog Platinum or a similar identity theft protection service.

Many banks these days will also let you sign up for an email or SMS alert to let you know when your debit or credit card has been used, which is a great way of instantaneously keeping track of payments leaving your account.

Another, more drastic option is to place a ‘freeze’ on your credit file. This means that rather than relying on credit report or bank alerts, or paying to monitor your credit rating, the credit bureaus won’t release your credit report to new lenders at all. The service costs a small fee, but it’s not a very convenient move if you want to apply for a mortgage or a job, or even change your cable provider, as you will need to pay to lift the freeze, and do so well in advance, if you wish to make your credit report available to a prospective employer, service or lender.

What Can I Do? 15 Identity Theft Protection Tips

If all this is sounding like too much doom and gloom, don’t worry because besides using the established identity theft protection services, there are things that you can do proactively to help cover yourself and they don’t have to involve a whole lot of effort. Let’s take a look:

1) Get into the habit of regularly checking your credit report, let’s say every three months: make sure the information is correct and that there are no unrecognizable accounts listed or use recommended identity theft protection tools.

2) Never, ever click on a link in an email that’s purporting to come from your bank or other ‘trusted’ source that asks you to verify your account. Your bank won’t do this via email and it’s extremely likely that this is a phishing attempt. And it’s not just banks – unscrupulous fraudsters are very good at faking emails ‘from’ eBay and other selling platforms too – all with an aim to getting their hands on your buyer, seller or PayPal account details.

3) The same goes with phone calls. If someone claiming to be from your bank calls asking for you to give them account details over the phone: don’t! Hang up and call your bank’s helpline to verify this instead.

4) Shred all of your personal documents before throwing them away to avoid them being retrieved by ‘dumpster divers’. If you can’t afford a shredder, an old-fashioned hole punch through the account numbers is better than nothing, though it is no substitute for a cross-cut shredder. Going through the trash is a tried and tested non-technical way for fraudsters to obtain social security and credit card numbers as well as bank account details.

5) Obviously you can’t shred birth certificates, passports, tax returns, insurance policies and so forth but make sure they are securely locked away at home. Consider investing in a safe and either hide it well or bolt it to the floor.

6) We know we should do it, but how many of us are guilty of being a little too slapdash when using the ATM? Try using the ‘two finger pointing’ method: hover both fingers over the keypad but only use one to type, as this makes it extremely difficult for anyone watching to identify your PIN.

7) Likewise, always check before withdrawing money, and if the ATM appears to have been tampered with in or around the card slot, or has any strange devices attached to it, don’t use it, as a card skimmer may have been installed or inserted.

8) Perhaps it goes without saying, but try to memorize PINs, account numbers and passwords, and whatever you do, don’t write them down on scraps of paper!

9) You need to order blank checks? Have them delivered to your bank for you to collect rather than having them sitting in your mailbox waiting for some light-fingered thief to come along and take them.

10) If you order a new bank card don’t just forget about it. Wait the recommended amount of days and then if it still hasn’t arrived, contact your bank and ask them if anyone has contacted them with a change of address request. If yes – stop that card immediately.

11) Don’t just shred your bank statements and personal documents; shred (or hole punch!) junk mail too – destroy all those ‘convenience checks’ and pre-approved credit card offers so no-one else can take up the offer on your behalf. 12) Buy a mail box with a secure lock, or better still, use a post office box.

13) Is a company asking you for ‘unique ID’? Do they really need your social security number? Ask if you can use a driver’s license or birth certificate instead.

14) To be on the safe side, don’t leave sensitive documentation on your computer any longer than is necessary – print it off and lock it away. (In your new safe!)

15) If you save passwords in a software program such as Password Agent on your PC or laptop and have had to take it in for a repair or overhaul, as soon as you get it back, change all of your passwords. And not just your banks’ passwords but your email, eBay, Amazon and Facebook passwords too.


Finally, as unlikely as it may seem at the time if you’re in a relationship be a little bit careful about what information you share with your partner (and the same goes for friends too – no matter how trusted). Most of us have had a relationship fail at some point in our lives, and for whatever reason, often one person can be left feeling hurt, confused…and sometimes looking for revenge. It may sound cynical but just being a little discerning about what information you allow girlfriends, boyfriends and even husbands, wives and civil partners access to can save you a whole lot of heartache of a different kind in the event a relationship breaks down.

To Summarize

ID theft protection doesn’t have to be a horror story; in fact the nightmare comes only after you’ve been unlucky enough to fall victim to this awful crime. Taking some, or all, of the steps listed above, whether it’s signing up with identity theft protection services, placing a freeze on your credit report, buying a safe to keep valuable documents in or even a hole punch to destroy bank statements and credit card slips before you throw them in the trash can go a long way towards making sure you’re doing everything you can to protect yourself, your family, your reputation and your home.

When you look at it objectively identity theft protection is a whole lot simpler than sorting out the aftermath of the actual crime of identity theft , so isn’t it about time you took some action and started making your hard earned money – and your good name – more difficult for someone to steal?

Sunday 24 March 2013

Remove PC Fix Speed and 24x7 Help (Uninstall Guide)

PC Fix Speed is a system optimizer, mainly a Windows registry fixer/cleaner. The only reason I'm writing about it is because I recently got lots of questions from my readers asking whether PC Fix Speed is a virus or not. The short answer is: no. But is it truly legit and useful? Security experts, and technology experts in general, have differing opinions on the value of registry cleaners and system optimization applications. Honestly, I'm not a fan of registry cleaners. The only one I use is CCleaner, because it's free and does the job pretty well. Of course, there are other great applications to choose from, for instance Registry Mechanic by PC Tools and PC TuneUp by AVG. Both are well-known companies in the computer and internet security market. I would call these white hats because they do not report false positives and normally give you fairly honest and technically correct scan results. There are, however, grey or black hats, just like rogue applications. Such registry cleaners basically claim that your computer could run a lot faster if you removed hundreds or sometimes even thousands of supposedly identified registry and system errors, unwanted files, etc. Truth be told, such applications display highly exaggerated scan results, identifying insignificant problems or errors as quite important or even critical ones.



It's not uncommon for the Windows registry to accumulate lots of unnecessary entries that are left behind when you install or remove software. They may indeed slow down your computer, which is why using a legitimate registry cleaner from time to time is not a bad idea at all. In fact, I recommend you use a registry cleaner every once in a while.

To see how PC Fix Speed actually works, I installed it on my test machine: a clean install of Windows XP, fully updated and without any noticeable errors. I ran a quick scan with this PC optimization software and after a few minutes I saw the results: 65 issues were found on my computer. Not bad; from what I've read about this software on the internet I was expecting a lot more issues and errors. Since these were only minor issues, I decided to continue and let it fix the errors.

After a few minutes I got a pop-up notification claiming that PC Fix Speed had found 54 registry errors. Not sure what happened to the 11 previously reported errors; they just vanished. I guess that's a good thing :) Needless to say, such inconsistencies do not add value or trust to PC Fix Speed.



Oh, and by the way, I forgot to mention that the registry cleaner came with a rather interesting application called 24x7 Help. Its icon (a woman wearing a headset) appears at the top of any open window, for example Google Chrome:



Apparently, it's some sort of tech support available by phone. Some people reported that the application says "Microsoft trained technicians are standing by ready to help you solve all your PC issues and more", which was quickly identified as a scam by Microsoft engineers. The current 24x7 Help application doesn't display this text, so it remains unclear whether or not they really are Microsoft trained technicians. I have to admit it's unusual and, for me, quite annoying. Besides, it's surprising that such a small app relies on three actively running processes:
  • App24x7Help.exe
  • App24x7Hook.exe
  • App24x7Svc.exe
Clearly unnecessary stuff. It's up to you whether you want to keep it or not. I would remove it.

Last but not least, both applications, PC Fix Speed and 24x7 Help, are promoted via freeware bundles and rather misleading ads. That's probably why some people say they didn't install either of them intentionally or knowingly. Here's one of the many ads used to promote this registry cleaner:



It pretends to scan my computer. This immediately reminded me of all those fake online malware scanners used by scammers to promote rogue antivirus software. Finally, some people just couldn't remove this software from their computers. Maybe there were technical problems or something, but they simply couldn't. So, to remove PC Fix Speed and 24x7 Help from your computer, please follow the removal instructions below.

Have you had experience with PC Fix Speed on your computer? Post your comments and questions below.

Written by Michael Kaur, http://deletemalware.blogspot.com



PC Fix Speed and 24x7 Help removal instructions:

1. First of all, download recommended anti-malware software and run a full system scan. It will detect and remove these applications and any malware that came along with them. You may then follow the manual removal instructions below to remove the leftover traces. Hopefully you won't have to do that.





2. Remove PC Fix Speed and 24x7 Help from your computer using the Add/Remove Programs control panel (Windows XP) or Uninstall a program control panel (Windows 7 and Windows 8).

Go to the Start Menu. Select Control Panel > Add/Remove Programs.
If you are using Windows Vista or Windows 7, select Control Panel > Uninstall a Program.



If you are using Windows 8, move your mouse pointer to the right edge of the screen, select Search from the list and search for "control panel".



Or you can right-click on a bottom left hot corner (formerly known as the Start button) and select Control panel from there.



3. When the Add/Remove Programs or the Uninstall a Program screen is displayed, scroll through the list of currently installed programs and remove PC Fix Speed (current version 1.2.0.24) and 24x7 Help.



Simply select each application and click Remove. If you are using Windows Vista, Windows 7 or Windows 8, click Uninstall up near the top of that window. When you're done, please close the Control Panel screen.

If you can't remove them through Control Panel, you will have to delete both applications' folders manually (on 64-bit Windows check C:\Program Files (x86)\ as well):

  • C:\Program files\PC Fix Speed\
  • C:\Documents and Settings\All Users\Start menu\Programs\PC Fix Speed\
  • C:\Program files\24x7Help\

Friday 22 March 2013

This website has been blocked for you! removal instructions

This website has been blocked for you! - if your web browser is driving you crazy with this fake warning then your computer is almost certainly infected with a Windows Hosts file hijacker. After installing a few Trojan horses on my test machine I noticed this fake notification of possible spam bot activity. So, at least in my case, this infection was dropped by a Trojan horse. It's possible that you got infected in a completely different way, though that's unlikely.

The fake notification says:

This website has been blocked because of your recent activity. Your actions have been marked as spam bot like, to visit this website again follow instructions on the left. This is made for security reasons. Please take your time to go through the verification process to restore you access to blocked websites, thank you for your time!

Click here to unblock



Once installed, the Trojan horse modifies the Windows Hosts file by adding at least 300 new lines, all pointing popular sites (YouTube, Google, Facebook, PayPal, Wikipedia and many others) at the scammers' web server. It may even lock the file, for example by marking it read-only, so that you can't easily undo these modifications. The modified Hosts file with the newly added entries may look like this:



As you can see, whenever you try to access one of these popular websites you get this fake error message, because your web browser loads content from the scammers' web server instead of Google's, Amazon's, etc. Basically, every website that was added to the Windows Hosts file is blocked. The list may be slightly different, of course.

The This website has been blocked for you! scam message will ask you to verify that you are a human and not a computer by filling in a survey. DON'T! The survey asks you to enter your phone number, and by completing it you automatically agree to pay $5 a week for a service you definitely do not need. I'm sure there are even more expensive surveys, so please DO NOT fill in any surveys!

Here's the bottom line: if you want to get rid of the annoying "This website has been blocked for you!" scam message, you must recreate the Windows Hosts file using Microsoft's Fix it tool (download link is given below) or edit it manually. Basically, you need to remove all the lines created by the Trojan. Finally, you MUST scan your computer with recommended anti-malware software to remove the culprit of this infection. If you don't, the fake message may appear on your screen once again. To remove this malware from your computer, please follow the removal instructions below.

Do you have something to say about removing the This website has been blocked for you! scam message? Post your comment or question below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



This website has been blocked for you! removal instructions:

1. Download recommended anti-malware software and run a full system scan to remove this virus from your computer.





2. Reset Windows HOSTS file.

Go to C:\WINDOWS\system32\drivers\etc
Double-click the "hosts" file and choose to open it with Notepad or any other text editor. On Windows Vista, 7 and 8 start Notepad as administrator first (right-click Notepad > Run as administrator) and open the file from there, otherwise you won't be able to save your changes.



The Windows hosts file should look the same as in the image below (Windows XP). Apart from the comment lines beginning with #, there should be only the localhost entries:

127.0.0.1 localhost (Windows XP)

127.0.0.1 localhost
::1 localhost (Windows Vista/7/8; on Windows 7 and 8 these two lines are commented out with # by default, which is also fine)

If there are any other lines, remove them and save the changes. Then open a command prompt and run ipconfig /flushdns so that the DNS resolver cache forgets the hijacked entries, and restart your browser. Read more about the Windows Hosts file here: http://support.microsoft.com/kb/972034



Alternate method: to reset the Hosts file back to the default automatically, download and run Microsoft Fix it tool and follow the steps in the Fix it wizard.

3. Remove malicious extensions from your web browser.

Google Chrome:
1. Click on the Chrome menu button. Go to Tools > Extensions.
2. Click on the trashcan icon and remove the extensions that might be causing the fake warning to show up. Basically, remove all extensions that you didn't install. It's perfectly OK to remove all extensions since by default Google Chrome comes without any extensions.

Mozilla Firefox:
1. Go to Tools > Add-ons.
2. Select Extensions. Remove all extensions that you didn't install. Please note, by default Firefox comes without any extensions.

Internet Explorer:
1. Go to Tools > Manage Add-ons. If you have the latest version, simply click on the Settings (gear) button.
2. Select Toolbars and Extensions. Remove all add-ons that you didn't install or you believe may cause those annoying pop-ups to show up.

4. Download CCleaner and tidy up your computer, remove temp files, etc.

5. If the problem persists, please read this web document and follow the steps carefully: http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html

Thursday 21 March 2013

Remove Why do I see this page? virus - Attention Required survey scam

Why do I see this page? - Attention Required warning is a clear indicator that your computer is infected with malware which hijacks the Windows Hosts file. Most of the time, this virus modifies the Hosts file and denies or restricts access to the following websites:
  • Facebook
  • eBay
  • MySpace
  • Tumblr
  • Twitter
  • Google
  • Youtube
  • IMDB
  • and many other sites


The fake warning says:

We have noticed some unusual activity from you recently

To get Access to all of these pages again please verify that you are human

After completing a survey you will receive instructions how to access these pages again.


If you are unable to access one of the sites listed above, or for example your favorite forum, and you get this "Why do I see this page?" notification instead, then you should either recreate or clean the Windows Hosts file. Please note that this virus is not the same for everyone. I've found a few samples that did more than just Hosts file hijacking. The virus also installed a potentially unwanted web browser extension and in one particular case I even found a Trojan.Dropper installed on my PC. Hosts file hijacking can hardly be introduced as something new. It's pretty much like a Trojan ransom infection, except that in this case you have to verify that you are a human first by doing a quick survey. Well, I actually did the survey but still couldn't access any of these sites, so it's not just another infection, it's even worse: a non-working scam.

You may ask how they block such popular sites. The answer is pretty simple. Each website has its own IP address, and when you type facebook.com your computer has to look that address up before the browser can connect. Windows checks the Hosts file before it asks DNS, so the scammers simply planted entries that map all these names to their own web server, which serves the "Why do I see this page? - Attention Required" warning instead of the real site. Please note that your web browser still displays the correct URL, but the content comes from the scammers' server.

If your computer is infected, do not follow the on screen instructions and do not fill in any surveys, especially those which ask for personal information, for instance your email address or phone number.

To remove Why do I see this page? virus from your computer, please follow the removal instructions below. I hope this helps. If you have any other questions or maybe you would like to share the removal method that worked for you, please leave a comment below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com



Why do I see this page? removal instructions:

1. Download recommended anti-malware software and run a full system scan to remove this virus from your computer.





2. Reset Windows HOSTS file.

Go to C:\WINDOWS\system32\drivers\etc
Double-click the "hosts" file and choose to open it with Notepad or any other text editor. On Windows Vista, 7 and 8 start Notepad as administrator first (right-click Notepad > Run as administrator) and open the file from there, otherwise you won't be able to save your changes.



The Windows hosts file should look the same as in the image below (Windows XP). Apart from the comment lines beginning with #, there should be only the localhost entries:

127.0.0.1 localhost (Windows XP)

127.0.0.1 localhost
::1 localhost (Windows Vista/7/8; on Windows 7 and 8 these two lines are commented out with # by default, which is also fine)

If there are any other lines, remove them and save the changes. Then open a command prompt and run ipconfig /flushdns so that the DNS resolver cache forgets the hijacked entries, and restart your browser. Read more about the Windows Hosts file here: http://support.microsoft.com/kb/972034



Alternate method: to reset the Hosts file back to the default automatically, download and run Microsoft Fix it tool and follow the steps in the Fix it wizard.
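Before editing the Hosts file by hand (step 2 above, and the same step in the "This website has been blocked for you!" post), it helps to see exactly which names have been remapped and where they all go. The script below is an added example for this post, not a tool from the original article or from Microsoft: it parses hosts-file text, reports every mapping that is not a plain localhost entry, counts the redirected names per target address (a hijacked file typically sends hundreds of names to one server, which is the tell), and produces a cleaned copy that keeps only comments and the localhost lines. The WATCHED_DOMAINS list and the sample file are constructed for the example; 203.0.113.45 is a documentation-range address standing in for the scammers' server.

```python
"""Triage a Windows hosts file for a hijack (added example, not from the post)."""
import ipaddress
import os

# Names a hijacked hosts file is likely to remap (hypothetical watch list).
WATCHED_DOMAINS = {
    "google.com", "youtube.com", "facebook.com", "paypal.com",
    "wikipedia.org", "twitter.com", "ebay.com", "tumblr.com", "imdb.com",
}

# Constructed sample: Windows 7 default header plus hijack entries pointing
# at a documentation-range address (203.0.113.0/24) instead of a real server.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
203.0.113.45    www.google.com
203.0.113.45    google.com
203.0.113.45    www.facebook.com
203.0.113.45    facebook.com
203.0.113.45    www.paypal.com
"""


def parse_hosts(text):
    """Return (ip, hostname) pairs; comments and blank lines are ignored."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an address line; leave it alone
        for name in fields[1:]:
            pairs.append((fields[0], name.lower().rstrip(".")))
    return pairs


def is_local(ip):
    """True for 127.0.0.1, ::1 and 0.0.0.0: such a mapping blocks a name rather than redirecting it."""
    addr = ipaddress.ip_address(ip)
    return addr.is_loopback or addr.is_unspecified


def registered_domain(hostname):
    """Crude last-two-labels heuristic: www.google.com -> google.com."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def find_hijacks(text):
    """Return [(ip, hostname, kind)] for every non-localhost mapping.

    kind is "redirect" when the name goes to a routable address (the scam
    page) and "block" when it is sunk to a local address. A watched domain is
    always reported; an unknown name is reported only when it is redirected.
    """
    hits = []
    for ip, name in parse_hosts(text):
        if name == "localhost":
            continue
        watched = registered_domain(name) in WATCHED_DOMAINS
        if is_local(ip):
            if watched:
                hits.append((ip, name, "block"))
        else:
            hits.append((ip, name, "redirect"))
    return hits


def redirect_targets(text):
    """Count redirected names per target: one address carrying many popular names is the signature."""
    counts = {}
    for ip, _name, kind in find_hijacks(text):
        if kind == "redirect":
            counts[ip] = counts.get(ip, 0) + 1
    return counts


def clean_hosts(text):
    """Return the file with every mapping removed except loopback -> localhost,
    keeping comments and blank lines, i.e. what step 2 does by hand."""
    kept = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            kept.append(raw)
            continue
        fields = line.split()
        if len(fields) == 2 and fields[1].lower() == "localhost" and is_local(fields[0]):
            kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # On Windows inspect the real file; elsewhere fall back to the constructed sample.
    root = os.environ.get("SystemRoot")
    path = os.path.join(root, "System32", "drivers", "etc", "hosts") if root else None
    if path and os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    for ip, name, kind in find_hijacks(text):
        print(f"{kind:8} {name} -> {ip}")
    print("redirect targets:", redirect_targets(text))
```

The script only reports; to apply the cleanup, write the output of clean_hosts() back to the file from an administrator prompt. If the Trojan has marked the file read-only, hidden or system, clear those attributes first with attrib -r -s -h hosts in C:\WINDOWS\system32\drivers\etc, then run ipconfig /flushdns. A deliberate ad-blocking hosts list (names sunk to 127.0.0.1 or 0.0.0.0) is reported as "block" only for watched domains, so it won't drown out the real redirects.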

3. Remove malicious extensions from your web browser.

Google Chrome:
1. Click on the Chrome menu button. Go to Tools > Extensions.
2. Click on the trashcan icon and remove the extensions that might be causing the fake warning to show up. Basically, remove all extensions that you didn't install. It's perfectly OK to remove all extensions since by default Google Chrome comes without any extensions.

Mozilla Firefox:
1. Go to Tools > Add-ons.
2. Select Extensions. Remove all extensions that you didn't install. Please note, by default Firefox comes without any extensions.

Internet Explorer:
1. Go to Tools > Manage Add-ons. If you have the latest version, simply click on the Settings (gear) button.
2. Select Toolbars and Extensions. Remove all add-ons that you didn't install or you believe may cause those annoying pop-ups to show up.

4. Download CCleaner and tidy up your computer, remove temp files, etc.

5. If the problem persists, please read this web document and follow the steps carefully: http://deletemalware.blogspot.com/2010/02/remove-google-redirect-virus.html

AVASoft Professional Antivirus Firewall Alert removal guide

AVASoft Professional Antivirus Firewall Alert has blocked a program from accessing the internet – this and many other fake security alerts will be displayed on your computer if you install a rogue antivirus application called AVASoft Professional Antivirus. It's a fairly new scam to be aware of but it isn't entirely new from a technical point of view. All the rogue applications from this malware family were using the same "Firewall Alert" notification to scare users into believing that certain applications, mostly web browsers, are infected and should be closed to avoid possible data loss, etc.



AVASoft Antivirus will block your web browser and other applications on your computer to protect itself from being removed. In the image shown above, you can see that the fake antivirus blocked Internet Explorer because it was supposedly infected with a computer worm called Svchost.Stealth.Keyloger. A computer worm with that name doesn't exist. Besides, a worm is defined by how it spreads, not by stealing data. What is more, if you take a closer look at the image, you will notice that the scammers use a completely different infection name at the end of the same fake security warning: Lsas.Blaster.Keylogger. It says 'Continue surfing and allow Lsas.Blaster.Keylogger to send your credit card details to remove host'.

Please note that this fake application will display the same misleading warnings for pretty much every application, including anti-malware software. Well, actually it will display two warnings; the other one is slightly different and claims that AVASoft Professional Antivirus has detected harmful software that can lead to a 'PC crash'. Scary, isn't it?

To stop this fake Firewall Alert you will have to remove the rogue application and related malware. Hopefully, it didn't come bundled with rootkits. The removal guide is located here:

http://deletemalware.blogspot.com/2013/03/remove-avasoft-professional-antivirus.html

If you have any questions or need help removing it please leave a comment below. I'll be glad to help! One last thing: if you have successfully removed this malware from your computer, you should really think about the most essential security measures you should implement right now. Why? Because your antivirus isn't working as it should. Each variant of this malware was detected by only 11 or 12 antivirus products, sometimes even fewer. Surprisingly, the top-notch antivirus products couldn't detect and block this infection, which really worries me because most users use those heavily promoted ones. Antivirus software alone won't help; you should also use anti-malware software.

Wednesday 20 March 2013

Remove Ukash virus

It's pretty scary when your computer displays fake Metropolitan Police or Police Central e-crime Unit warnings instead of your desktop. These scams are still heavily distributed via infected websites and spam. There are many more ransomware scams and they all have one thing in common: Ukash. Don't get me wrong, Ukash is a legit company; it's just that scammers use this prepaid voucher service to collect the money. The Ukash logo appears on pretty much every ransomware warning, so no wonder people started calling it the Ukash virus. As you may know, the most recent examples are the law enforcement variants, mostly the FBI virus and the Met Police virus.

Ransomware locks the screen of the infected computer, displaying a message purportedly from your local police department claiming that police officers have found illegal content on the computer and will press charges unless, of course, you pay the "fine", usually $300 or more. Since it's a scam, you shouldn't pay the so-called fine. Besides, there's no guarantee that you will regain control of your computer even if you pay. Law enforcement agencies strongly recommend that you do not pay and report the crime immediately.



Did you know that the first known ransomware appeared in 1989? Cool, isn't it? It was a DOS program, the AIDS Trojan (also known as PC Cyborg), distributed on diskette. It replaced autoexec.bat with a version that counted the number of times the computer was rebooted and, when the count reached 90, scrambled the file names on the hard drive, making the computer unusable until the ransom was paid. The encryption was a simple symmetric scheme, so it was easy to crack and defeat the virus. It's actually amazing to see that things work almost the same way nowadays as they did almost 25 years ago.

The next generation of ransomware showed up around 2005 in the form of cryptoware that started using public and private keys to encrypt the files on infected computers. By the end of 2006 these programs had moved to RSA with longer keys. None of these, however, used Ukash as a payment gateway.



First detected in 2011, the Ukash virus is one of the most sophisticated and hardest to defeat viruses of its kind. It spreads via drive-by downloads: a compromised or malicious web page abuses vulnerabilities in the browser or its plug-ins, so you don't have to click or download anything to become infected. All you have to do is visit an infected site. Scammers mostly tend to infect adult or warez sites, but the exploit code can be injected into any compromised site, so even if you practice safe surfing you can become infected.

Once you are infected, the virus locks your screen and, in some variants, encrypts your files, making your computer unusable. NOTE: not all variants of the Ukash virus encrypt files. Usually, the screen is locked with a message made to look like it comes from the FBI or another agency, accusing you of a crime ranging from illegal copyrighted downloads to storing illegal adult content on your computer. The virus looks up your IP address and displays it in the fake warning message, and some particularly vicious versions display a picture containing nudity or some other form of illegal adult content that they claim was found on your computer. Some versions even turn on your webcam and claim that they are monitoring you until you pay the fine. Remember, you have 48 hours to do that, hehe :)



The bottom line, though, is that if you use some common sense and have a basic understanding of how the justice system works you will quickly realize that this is a scam. If you are doing something illegal with your computer and the FBI or the Met Police find out about it, they will be knocking on your door with a search warrant, not sending pop-up messages and locking your computer. Illegal adult material in general, and copyrighted files in particular, usually carry prison terms, and the FBI is not going to let you off the hook with such a silly fine.

The presence of threats like this Ukash virus scam should make people realize the importance of backing up important files, so that they won't be lost once your computer is infected. You should also have real-time malware detection installed to stop the virus from infecting your computer should you visit an infected site. But remember, for this to be effective you must keep its signatures up to date, since the threats change daily. Most antivirus programs update automatically every day.

If locking your screen and encrypting all your important files isn't bad enough the latest versions of the Ukash virus piggyback other Trojans to track keystrokes, capture usernames and passwords, etc. Additionally, installed malware may even scan your hard drive for personal information like bank account numbers and social security numbers and transmit this information back to cyber crooks.

Once the virus has encrypted your files there is little you can do to recover them. This is why you should be diligent about keeping backups on removable media, and keep that media disconnected when you're not backing up, since ransomware encrypts anything it can reach.

It is highly recommended that you take the infected computer to an expert to ensure that the virus and all associated malware is completely removed. Some versions of this virus reinstall themselves if they are not completely removed.

Here are some things you can try if you want to remove it yourself:

The first thing you should try is to restart the computer and start tapping the F8 key to boot into Windows Safe Mode with Command Prompt (on Windows 8 the F8 menu is off by default; hold Shift while clicking Restart to reach the advanced startup options). Then simply follow the removal instructions below.

Some later versions won't let you start the system in Safe Mode. If that is the case you will have to create a bootable CD or flash drive using another computer. Again, detailed instructions are given below.

All in all, it can be difficult to stay ahead of the criminals, so the best defense is to back up your files regularly and install the latest updates for your browser and its plug-ins, Java and Adobe products in particular, because drive-by downloads mostly rely on known, already patched vulnerabilities. Many antivirus packages can check sites in advance and tell you explicitly that a site is safe, so you might want to consider only visiting sites that your antivirus program has rated safe.

Please follow the steps in the removal guide below to remove the Ukash virus from your computer.

Do you have any additional information or questions on this virus? Post your comment or question below. Good luck and be safe online!

Written by Michael Kaur, http://deletemalware.blogspot.com


Method 1: Ukash virus removal instructions using System Restore in Safe Mode with Command Prompt:

1. Unplug your network cable and manually turn your computer off. Reboot your computer into "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key.



2. Make sure you log in to an account with administrative privileges (login as admin).

3. Once the Command Prompt appears you have a few seconds to type explorer and hit Enter. If you don't do it within 2-3 seconds, the virus will take over and will not let you type anymore.

4. If you managed to bring up Windows Explorer you can now browse into:
  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter
5. Follow the steps to restore your computer to an earlier date.

6. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of this virus.


Method 2: Ukash virus removal instructions using System Restore in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to the Start menu and search for "system restore". Or you can browse to the Windows Restore folder and run the System Restore utility from there:
  • Win XP: C:\windows\system32\restore\rstrui.exe double-click or press Enter
  • Win Vista/7/8: C:\windows\system32\rstrui.exe double-click or press Enter
3. Select Restore to an earlier time or Restore system files... and continue until you get into the System Restore utility.

4. Select a restore point from well before the Ukash virus appeared, two weeks should be enough.

5. Restore it. Please note, it can take a long time, so be patient.

6. Once restored, restart your computer and hopefully this time you will be able to login (Start Windows normally).

7. At this point, download recommended anti-malware software (direct download) and run a full system scan to remove this virus.


Method 3: Ukash virus removal instructions using MSConfig in Safe Mode:

1. Power off and restart your computer. As the computer is booting tap the "F8 key" continuously which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press Enter key.


NOTE: Login as the same user you were previously logged in with in the normal Windows mode.

2. Once in there, go to the Start menu and search for "msconfig". Launch the application. If you're using Windows XP, go to Start, select Run..., type "msconfig" and click OK.

3. Select the Startup tab. Widen the Command column and look for a startup entry that launches a randomly named file from the %AppData% or %Temp% folder using rundll32.exe (on Windows 8 the startup list has moved to Task Manager's Startup tab; Ctrl+Shift+Esc opens it). See the example below:

C:\Windows\System32\rundll32.exe C:\Users\username\appdata\local\temp\regepqzf.dll,H1N1

4. Disable the malicious entry and click OK to save changes.

5. Restart your computer. This time start Windows normally. Hopefully, you won't be greeted by the fake Ukash virus warning.

6. Finally, download recommended anti-malware software (direct download) and run a full system scan to remove the virus.


Method 4: Ukash virus removal instructions in Safe Mode with Command Prompt (requires registry editing):

1. Reboot your computer into "Safe Mode with Command Prompt". As the computer is booting tap the "F8 key" continuously, which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode with Command Prompt" and press the Enter key. Log in as the same user you were previously logged in with in normal Windows mode.



2. When Windows loads, the Windows command prompt will show up as shown in the image below. At the command prompt, type explorer and press Enter. Windows Explorer opens. Do not close it.



3. Then open the Registry editor using the same Windows command prompt. Type regedit and press Enter. The Registry Editor opens.



4. Locate the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

In the right-hand pane select the value named Shell. Right-click on it and choose Modify.



Default value is Explorer.exe.



Modified value data points to Trojan Ransomware executable file.



Please copy the location of the executable file it points to into Notepad or otherwise note it and then change value data to Explorer.exe. Click OK to save your changes and exit the Registry editor.

5. Remove the malicious file, using the location you saved to Notepad or otherwise noted in the previous step. In our case, the Ukash virus was run from the Desktop. There was a file called movie.exe.

Full path: C:\Documents and Settings\Michael\Desktop\movie.exe



Go back into "Normal Mode". To restart your computer, at the command prompt, type shutdown /r /t 0 and press Enter.



6. Download recommended anti-malware software (direct download) and run a full system scan to remove the leftovers of this virus from your computer. That's it!


Method 5: Ukash virus removal using Kaspersky Rescue Disk:

1. Download the Kaspersky Rescue Disk iso image from the Kaspersky Lab server. (Direct download link)
Please note that this is a large download, so please be patient while it downloads.

2. Burn the Kaspersky Rescue Disk iso image to a CD/DVD. You can use any CD/DVD burning software you like. If you don't have any, please download and install ImgBurn. Small download, great software. You won't regret it, we promise.

For demonstration purposes we will use ImgBurn.

So, open up ImgBurn and choose Write image file to disc.



Click on the small Browse for file icon as shown in the image. Browse to your download folder and select kav_rescue_10.iso as your source file.



OK, so now we are ready to burn the .iso file. Simply click the Write image file to disc button below and after a few minutes you will have a bootable Kaspersky Rescue Disk 10.



3. Configure your computer to boot from CD/DVD. Use the Delete, F2 or F11 key to enter the BIOS setup. Normally, the key to press is displayed on the screen right after you power on, before the operating system starts booting.



The keys F1, F8, F10, F12 might be used for some motherboards, as well as the following key combinations:
  • Ctrl+Esc
  • Ctrl+Ins
  • Ctrl+Alt
  • Ctrl+Alt+Esc
  • Ctrl+Alt+Enter
  • Ctrl+Alt+Del
  • Ctrl+Alt+Ins
  • Ctrl+Alt+S
If you can enter Boot Menu directly then simply select your CD/DVD-ROM as your 1st boot device.

If you can't enter Boot Menu directly then simply use Delete key to enter BIOS menu. Select Boot from the main BIOS menu and then select Boot Device Priority.



Set CD/DVD-ROM as your 1st Boot Device. Save changes and exit the BIOS menu.



4. Let's boot your computer from Kaspersky Rescue Disk.

Restart your computer. After restart, a message will appear on the screen: Press any key to enter the menu. So, press Enter or any other key to load the Kaspersky Rescue Disk.



5. Select your language and press Enter to continue.



6. Press 1 to accept the End User License Agreement.



7. Select Kaspersky Rescue Disk. Graphic Mode as your startup method. Press Enter. Once the actions described above have been performed, the operating system starts.



8. Click on the Start button located in the left bottom corner of the screen. Run Kaspersky WindowsUnlocker to remove Windows system and registry changes made by this virus. It won't take very long.



9. Click on the Start button once again and fire up the Kaspersky Rescue Disk utility. First, select My Update Center tab and press Start update to get the latest malware definitions. Don't worry if you can't download the updates. Just proceed to the next step.



10. Select Object Scan tab. Place a check mark next to your local drive C:\. If you have two or more local drives make sure to check those as well. Then click Start Objects Scan to scan your computer for malicious software.



11. Quarantine (recommended) or delete every piece of malicious code detected during the system scan.



12. You can now close the Kaspersky Rescue Disk utility. Click on the Start button and select Restart computer.



13. Please restart your computer into the normal Windows mode. Download recommended anti-malware software (direct download) and run a full system scan to remove the remnants of Ukash virus and to protect your computer against these types of threats in the future.