
What Computer Viruses Are and What They Can Be Up To July 9, 2009

Posted by computerhelpandsupport in Computer Help, Virus.

Computer viruses are small software programs designed to damage a computer's functionality without the knowledge or permission of the user. An infected computer can infect another when the infected host file is carried to the uninfected machine. There are several modes of transmission: a virus can be sent over the Internet or carried on removable media such as a floppy disk, CD, or USB drive. Infection can be stopped by running an anti-virus software program.

Viruses damage computers by deleting files, infecting programs, or reformatting the hard disk. Others merely replicate and announce their presence with text, video, or audio messages; even these often cause erratic behavior and lead to system crashes. Typical ways of becoming infected include opening a document infected with a macro virus or using an infected disk, network drive, or other media. As long as the virus remains active on the computer, it can copy itself to other files or accessible disks.

The longer a virus replicates unnoticed, the more successful it is in its aim. Computer viruses generally use two methods to avoid recognition:

•    By encrypting their code to escape detection.
•    By disabling the options to view macros.

Some old viruses keep the last-modified date of a host file the same as it was before the file was infected. However, such an approach cannot deceive anti-virus software written to catch and remove these pests.

Some viruses can infect files without increasing their size, by overwriting unused space inside executable files; these are known as cavity viruses. Computer viruses such as the CIH virus, or Chernobyl virus, infect Portable Executable files this way.
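As an added example (not from the original post), the following Python script shows why a defender's integrity check should compare content hashes rather than file size or timestamps: the simulated "cavity" modification below keeps both size and last-modified time unchanged, and only the hash comparison notices it. The host file and its modification are constructed stand-ins, not real malware.

```python
"""Integrity check that does not trust file size or timestamps.

Added example, not from the original post. A stealth virus can restore a
host file's last-modified time, and a cavity virus can infect a file without
changing its size, so a defender compares content hashes against a baseline.
The 'infected' file below is a constructed stand-in, not real malware.
"""
import hashlib
import os
import tempfile

def file_state(path):
    """Return (size, mtime_ns, sha256) for one file."""
    st = os.stat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return st.st_size, st.st_mtime_ns, h.hexdigest()

def build_baseline(paths):
    """Record size, mtime and hash for every path in the baseline."""
    return {p: file_state(p) for p in paths}

def verify(baseline):
    """Compare current state to the baseline; report what a metadata-only
    check would see alongside what the hash check sees."""
    findings = []
    for path, (size, mtime, digest) in baseline.items():
        cur_size, cur_mtime, cur_digest = file_state(path)
        findings.append({
            "path": path,
            "size_changed": cur_size != size,
            "mtime_changed": cur_mtime != mtime,
            "content_changed": cur_digest != digest,
        })
    return findings

def simulate_cavity_infection(path):
    """Overwrite a 'slack' region in place, then restore the old mtime."""
    st = os.stat(path)
    with open(path, "r+b") as f:
        f.seek(16)
        f.write(b"\xCC" * 8)  # constructed marker, same length as the bytes replaced
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))

def demo():
    """Baseline a constructed host file, 'infect' it, and return the finding."""
    with tempfile.TemporaryDirectory() as d:
        host = os.path.join(d, "host.exe")
        with open(host, "wb") as f:
            f.write(b"MZ" + b"\x00" * 62)  # constructed stand-in, not a real PE
        baseline = build_baseline([host])
        simulate_cavity_infection(host)
        return verify(baseline)[0]

if __name__ == "__main__":
    print(demo())
```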

Some viruses prevent detection by terminating the processes associated with anti-virus software before it can detect them. Anti-virus and PC security products must be kept updated or replaced to keep pace with advances in computers and operating systems.

Source:  http://EzineArticles.com/?What-Computer-Viruses-Are-and-What-They-Can-Be-Up-To&id=2271809

How Do You Remove Conficker Worm Files? April 29, 2009

Posted by computerhelpandsupport in Computer Help, Operating System, Software Issue, Virus, Windows Vista, Windows XP.

Need virus removal help figuring out how to delete Conficker Worm files? There is some risk involved, and you should only manually remove Conficker Worm files if you are comfortable editing your system, but you will find it is fairly easy to delete Conficker Worm files in Windows.
How to delete Conficker Worm files in Windows XP and Vista:
1. Click your Windows Start menu, and then click “Search.”
2. A speech bubble will pop up asking you, “What do you want to search for?” Click “All files and folders.”

Conficker Worm Removal Tips

3. Type the name of a Conficker Worm file in the search box, and select “Local Hard Drives.”
4. Click “Search.” Once the file is found, delete it.
How to stop Conficker Worm processes:
1. Click the Start menu, select Run.
2. Type taskmgr.exe into the Run command box, and click “OK.” You can also launch the Task Manager by pressing CTRL + Shift + ESC.
3. Click Processes tab, and find Conficker Worm processes.
4. Once you’ve found the Conficker Worm processes, right-click them and select “End Process” to kill Conficker Worm.

How to remove Conficker Worm registry keys

How to Remove W32/Koobface.worm April 10, 2009

Posted by computerhelpandsupport in Computer Help, Virus.

This post provides further information about virus removal. W32/Koobface.worm spreads via Facebook and MySpace; current variants target either Facebook or MySpace specifically (Kaspersky name: Net-Worm.Win32.Koobface.b).

A new variant of Koobface.worm has been seen spreading. It creates a copy of itself in %WINDOWS% directory as:

* freddy35.exe

(where %WINDOWS% is the Windows directory e.g. C:\Windows)

It connects to a handful of domains and one IP address (redacted in the original advisory) to send information and receive commands through HTTP requests.


Issued commands include downloading and installing new malware:

STARTONCE|http://www.blankpages.be/[blocked]/websrvx.exe
START|http://www.blankpages.be/[blocked]/captcha6.exe
STARTONCE|http://www.blankpages.be/[blocked]/kaka.exe
FBTARGETPERPOST|10
RAZLOG|1
#BLACKLABEL

The downloaded malware is identified as PWS-LDPinch, Generic Downloader.x and Puper.

– Update December 8, 2008 –

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.eweek.com/c/a/Security/Koobface-Virus-Turns-Up-on-Facebook/?kc=rss

A new variant of Koobface.worm has been seen spreading on Facebook. The worm sends Facebook users messages containing a link like the one shown below.

It also downloads malware (identified as BackDoor-AWQ.b trojan and Generic Backdoor trojan) from the following remote servers:

*     ipluginu.cn
*     currentsession.net

The downloaded malware in turn downloads further malware.

The following files are added under the %WinDir% folder:

* %WinDir%\system32\splm\kbdsapi.dll
* %WinDir%\system32\splm\lmfunit32.dll
* %WinDir%\system32\splm\mcaserv32.dll
* %WinDir%\system32\splm\ncsjapi32.exe
* %WinDir%\system32\nScan\ecls.exe
* %WinDir%\system32\nScan\ekrn.exe
* %WinDir%\system32\nScan\ekrnAmon.dll
* %WinDir%\system32\nScan\ekrnEmon.dll
* %WinDir%\system32\nScan\ekrnEpfw.dll
* %WinDir%\system32\nScan\ekrnScan.dll
* %WinDir%\system32\nScan\em000_32.dat
* %WinDir%\system32\nScan\em001_32.dat
* %WinDir%\validate.inf

The following registry keys are added:

* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\Intelli Mouse Pro Version 2.0B\StubPath: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden: "2"
* HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run\Intelli Mouse Pro Version 2.0B: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\RunOnce\*Intelli Mouse Pro Version 2.0B*: "%WinDir%\System32\splm\ncsjapi32.exe"
* HKEY_USERS\Software\Microsoft\Windows\nScan32\ExecuteDate: "14\8\2008"

The hosts file is modified to prevent the compromised machine from reaching most security web sites, such as:

* ar.atwola.com
* my-etrust.com
* trendmicro.com
* norton.com
* nai.com
* sophos.com
* etc.
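As an added example (not part of the original advisory), this Python check flags hosts-file entries that pin security-vendor domains to any address, which is the tampering described above. The sample hosts content is constructed; the watch list uses only the vendor domains named in the post, and a real deployment would read the live file (%WinDir%\System32\drivers\etc\hosts on Windows) and use a fuller list.

```python
"""Detect hosts-file tampering that blocks security-vendor web sites.

Added example, not part of the original advisory. The sample hosts content is
constructed; on Windows the real file is %WinDir%\\System32\\drivers\\etc\\hosts.
The watch list is limited to the vendor domains named in the post.
"""

WATCHLIST = {"ar.atwola.com", "my-etrust.com", "trendmicro.com",
             "norton.com", "nai.com", "sophos.com"}

def _on_watchlist(host):
    """True if host equals a watched domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in WATCHLIST)

def find_hosts_tampering(text):
    """Return [(line_no, ip, hostname)] for watched domains that the hosts
    file pins to an address. Comments, blank lines and normal localhost
    entries are ignored; each name on a multi-name line is checked."""
    hits = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop inline comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            if _on_watchlist(name):
                hits.append((no, ip, name))
    return hits

# Constructed sample: a comment and two benign lines, then entries of the
# kind a worm adds (the subdomain update.norton.com is made up).
SAMPLE_HOSTS = """# constructed sample hosts file
127.0.0.1       localhost
::1             localhost
127.0.0.1 www.trendmicro.com trendmicro.com   # added by worm
0.0.0.0   update.norton.com
127.0.0.1 sophos.com
"""

if __name__ == "__main__":
    for line_no, ip, name in find_hosts_tampering(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip}")
```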

———————————-

W32/Koobface.worm spreads via Facebook and MySpace. Current variants only target either Facebook or MySpace specifically.

The following files could be created depending on the variant (the filepath is hardcoded):

* C:\WINDOWS\fbtre6.exe
* C:\WINDOWS\mstre6.exe
* C:\WINDOWS\f49f4d98.dat
* C:\WINDOWS\t49f4d98.dat
* C:\WINDOWS\fmark2.dat
* C:\WINDOWS\tmark2.dat

The worm can connect to the following domain to issue an HTTP POST and receive instructions to download and execute additional malware files:

  • zzzping.com

Facebook users receive links to download the worm via Inbox messages from infected users, while on MySpace the links are posted as comments when infected MySpace users log into their accounts.

The current variant of the worm is disguised as a codec installer named codecsetup.exe. When the worm is run, a dialog box pops up with the message “Error installing Codec. Please contact Antivirus support”.

More Info:

Additional Windows ME/XP removal considerations

New Virus “Conficker Worm” Start from Today April 1, 2009

Posted by computerhelpandsupport in Computer Help, Operating System, Software Issue, Virus, WINDOWS XP SHUTDOWN & RESTART TROUBLESHOOTING, Windows Vista, Windows XP.

What is it?
The “Conficker” worm, also known as “Downadup”, is malicious code written so that it can infect your computer and spread itself to other computers across a network automatically, without human interaction.

Am I at risk of getting infected by Conficker worm?
Most antivirus software can detect and block the Conficker worm, so if you have up-to-date antivirus software on your computer, you are at a much lower risk of being infected by the Conficker worm.

What does the Conficker worm do?
One common version (Win32/Conficker.B) can spread through file sharing and via removable drives, such as USB drives (also known as thumb drives). The worm adds a file to the removable drive so that when the drive is used, the AutoPlay dialog shows one additional option.
The Conficker worm can also disable important services on your computer.

Example: The option “Open folder to view files — Publisher not specified” is added by the worm; choosing it causes the virus to execute and spread further.
[Screenshot: AutoPlay dialog]

How do I remove the Conficker worm?

If your computer is infected with the Conficker worm, you may be unable to download certain security products, such as the Microsoft Malicious Software Removal Tool, or to access certain Web sites, such as Microsoft Update. If you can’t access those tools, try using the Windows Live OneCare Safety Scanner.

A Security Advisory is also being sent out to all iYogi customers as a heads up, via email as well as an alert via Support Dock.

iYogi computer support technicians provide help and support for Conficker worm removal.

How to Protect Boot Sector from Viruses March 13, 2009

Posted by computerhelpandsupport in Computer Help, Operating System, Virus, Windows XP.

This post provides computer support and technical tips and tricks for protecting the boot sector from viruses in Windows. When you start your computer with a floppy disk that is infected with a virus, Windows is not capable of detecting it, which is true of many operating systems. Some viruses, such as the FORMS virus, may infect the boot sector of your hard disk drive.

There is a misconception that if the partition of the hard disk drive is NTFS, the information in the partition is secure. NTFS, like other file systems such as File Allocation Table (FAT) and High Performance File System (HPFS), is not recognized until Windows starts the service for the file system. The boot sector is separate from the file system in that it is recognized by the system BIOS upon starting the computer.

In order to provide C2 level government security, the environment surrounding the system must meet the same level of security that Windows provides. The C2 standard requires physical security, such as locking the computer.

To protect your system from any type of virus infection in Windows, and possibly recover the boot sector of the hard drive, use one of the following methods:

* Remove any floppy disk in drive A after you shut down Windows.
* Configure the system BIOS to disable floppy disk booting (no floppy seek) or change the order of the boot process to hard drive first.
* Configure the system BIOS to enable system password protection.
* To fix the boot sector, start the computer with a MS-DOS system disk and run the following command:
fdisk /mbr
WARNING: If your hard drive was prepared by a third-party disk manager program, such as Ontrack Disk Manager, then the fdisk /mbr command removes the overlay program of that third-party disk manager, such as the Overlay Manager, and the drive no longer starts. Therefore, you must make sure that the drive was not partitioned with a third-party disk manager program before you use this command.
* Run the Repair utility to verify and recover Windows startup files.

The fdisk /mbr command works only on hard disk drives that are within the limitations of DOS. If you are accessing devices that are beyond the 1024 cylinder limit, you cannot run fdisk /mbr and you receive error code 1762.

If a virus has infected the Master Boot Record (MBR), you cannot run the Emergency Repair Disk until the virus is cleaned. Most antivirus programs have the same limitation as DOS, so you cannot run a scan against the hard disk drive; however, DOS 6.22 Msav.exe will clean the MBR and RAM of the computer.
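As an added example (not from the original post), the following Python code performs the checks the post implies a defender would want on a raw 512-byte MBR: verify the 0x55AA boot signature, read the partition table (which fdisk /mbr leaves untouched), and hash the 446-byte bootstrap area so it can be compared against a known-good baseline. The sample MBR is constructed; reading the live sector (for example from \\.\PhysicalDrive0 on Windows) is left to the reader.

```python
"""Inspect a 512-byte Master Boot Record and compare its bootstrap code
to a baseline.

Added example, not from the original post. fdisk /mbr rewrites only the
446-byte bootstrap code and leaves the partition table alone, so the two
are handled separately here. The sample MBR is constructed; a real one
is read from the first sector of the disk (e.g. \\\\.\\PhysicalDrive0).
"""
import hashlib
import struct

SIGNATURE = b"\x55\xAA"

def parse_mbr(sector):
    """Return signature status, bootstrap hash and the used partition entries."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = sector[446 + 16 * i: 462 + 16 * i]
        # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4)
        boot, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:
            parts.append({"index": i, "bootable": boot == 0x80,
                          "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": parts,
    }

def mbr_changed(sector, baseline_sha256):
    """True if the bootstrap code no longer matches the recorded baseline."""
    return parse_mbr(sector)["bootstrap_sha256"] != baseline_sha256

def constructed_mbr(bootstrap):
    """Build a sample MBR: given bootstrap bytes, one bootable NTFS
    partition starting at LBA 63, empty remaining entries, valid signature."""
    code = bootstrap.ljust(446, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 2097152)
    return code + entry + b"\x00" * 48 + SIGNATURE

if __name__ == "__main__":
    clean = constructed_mbr(b"\xEB\x3C\x90")          # constructed 'known good'
    baseline = parse_mbr(clean)["bootstrap_sha256"]
    altered = constructed_mbr(b"\xEB\x3C\x90" + b"\xCC" * 16)  # constructed change
    print(parse_mbr(altered)["partitions"])
    print("bootstrap changed:", mbr_changed(altered, baseline))
```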

Note: If you have virus problems with your computer, you can use virus removal services to protect your PC.

How to manually remove Antivirus 360 March 6, 2009

Posted by computerhelpandsupport in Computer Help, Virus.

Antivirus 360 is a new fake spyware remover, a program with malicious intent. This post provides technical tips and steps for Antivirus 360 spyware removal.

Antivirus 360 can be removed manually by following the steps below.

Step 1:
Click Start and click Control Panel.
Locate the Add/Remove Programs icon and double click it.
Locate and remove Antivirus 360 in the list of programs.
Restart your computer.

Step 2:
Important: This post contains information about how to modify the registry. Make sure that you back up the registry before you modify it, and make sure that you know how to restore the registry if a problem occurs.

Click Start, click Run, type in regedit, and click OK.
Locate the following registry entries and delete them:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "13376694984709702142491016734454"
HKEY_CURRENT_USER\Software\13376694984709702142491016734454
Close the Registry Editor.

Step 3:
Search for the files and delete all of the following files that are associated with Antivirus 360 from your computer.

%UserProfile%\Start Menu\Antivirus 360\Help.lnk
%UserProfile%\Start Menu\Antivirus 360
c:\Program Files\A360
av360.exe
%UserProfile%\Start Menu\Antivirus 360\Registration.lnk
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus 360.lnk
av_360[1].exe
av_360.exe
%UserProfile%\Start Menu\Antivirus 360\Antivirus 360.lnk
%UserProfile%\Desktop\Antivirus 360.lnk
Antivirus 360.lnk

Step 4:

Remove all directories associated with Antivirus 360 by going to the C:\ProgramFiles\Antivirus 360 folder.
Restart your computer.

How to manually remove Antivirus XP Pro 2009 February 25, 2009

Posted by computerhelpandsupport in Computer Help, Virus.

Antivirus XP Pro 2009 generates fake and misleading system popup error messages so that end users are tricked into purchasing Antivirus XP Pro 2009. This post helps you manually remove Antivirus XP Pro 2009 from your computer. For more about installing antivirus software, go to antivirus support services.

To remove Antivirus XP Pro 2009, follow these steps:

Step 1: Stop Virus Remover 2008 Processes:

Press Alt+Ctrl+Delete, then click on Task Manager.
Select the processes antivirusxppro2009.exe and AntivirusXP.exe, then click on End Process.

Step 2: Find and Delete these Virus Remover 2008 files:

Click Start and then click on Search, then click on All Files and Folders
Type the filenames:
antivirusXPpro2009.exe
c:\Program Files\AntivirusXP
c:\Program Files\AntivirusXP\AntivirusXP.exe
c:\Program Files\AntivirusXP\Infected
c:\Program Files\AntivirusXP\Suspicious
%UserProfile%\Desktop\AntivirusXP.lnk
%UserProfile%\Start Menu\Programs\AntivirusXP
%UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\AntivirusXP.lnk
%UserProfile%\Start Menu\Programs\AntivirusXP\AntivirusXP.lnk
%programs%\AntivirusXPPro2009\AntivirusXPPro2009.lnk
%programs%\AntivirusXPPro2009\uninstall.lnk
%program_files%\AntivirusXPPro2009\AntivirusXPPro2009.exe
%program_files%\AntivirusXPPro2009\uninstall.exe
%desktopdirectory%\AntivirusXPPro2009.lnk
Delete the files one by one.

Step 3: Remove Virus Protector 2008 Registry Values:

Important: This article contains information about how to modify the registry. Make sure that you back up the registry before you modify it, and make sure that you know how to restore the registry if a problem occurs.

Click Start and then click on Run.
Type in regedit and click OK.
Locate and delete the following registry values:
HKEY_LOCAL_MACHINE\software\AntivirusXPPro2009
HKEY_LOCAL_MACHINE\software\AntivirusXPPro2009 info
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run Antivirus XP Pro 2009
Close the Registry Editor.