Friday, 27 March 2009

How to safely remove FAKE Antivirus 360

*IMPORTANT: Fake software can be removed without having to purchase any removal software. Also, you do NOT need to WIPE your hard drive and reinstall the Windows operating system.

We searched the web for a fix to our problem – couldn’t find one for antivirus 360. Here were the symptoms we identified on a PC:

  • Windows registry would only stay open for 10 seconds
  • Windows CMD would not open
  • Anti-virus and Firewall were disabled and removed
  • Windows Security Center disabled – you don’t see the shield
  • Browser redirected to malicious websites
  • Not able to download or update ANY security products

We suggest you use Malwarebytes, which does a great job of removing most of the malicious files. Before you install Malwarebytes (or any security software, and before you will be able to download Windows updates) you need to search for and remove the following entries; otherwise Malwarebytes (or any other security software) will not download, install or work properly:

  • Winconfig.dll
  • A360.exe
  • Winsystems.dll
  • DELETE all files in the "PREFETCH" folder

On deletion of the above files, you can now download and install Malwarebytes.

TIP: We couldn’t update so we had to update the database manually. Click here for manual download.

Here are the keys, data items, files and folders that you should remove:

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{d263fa6d-84cc-48a8-9af6-c664362b7a5b}

HKEY_CLASSES_ROOT\CLSID\{d263fa6d-84cc-48a8-9af6-c664362b7a5b}

HKEY_LOCAL_MACHINE\SOFTWARE\UAC

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\UACd.sys

Registry Data Items:

HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\Homepage

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter)

Folders Infected:

A360 (Rogue.A360Antivirus)

Files Infected:

A360.lnk

Help.lnk

Registration.lnk

A360.lnk

Microsoft\Internet Explorer\Quick Launch\A360.lnk

C:\WINDOWS\system32\uacinit.dll

C:\WINDOWS\system32\UACftdrxsnm.dll

C:\WINDOWS\system32\UACpulqeavn.dat

C:\WINDOWS\system32\UACrtaxtmsn.log

On completing this scan/removal and rebooting, Malwarebytes should now be able to update automatically (other security software, including Windows Update, should now work too).

Installing Antivirus and a Firewall

You should now install your antivirus (this will also activate the appropriate product updates as well as Windows Security updates – you should now see the Windows Security Shield in the TASK BAR).

We use avast! – download, install and run a boot scan (it will prompt you to do this after installation) which should find these infected files:

C:\documents and settings\user\local settings\Pgmm.ltm [Trojan]

C:\DOCUME~1\user\LOCALS~1\PGMM.LTM [Trojan]

C:\WINDOWS\system32\kernel32.dll

C:\WINDOWS\system32\winsock.dll

C:\WINDOWS\system32\wsock32.dll

You will be advised to restart your PC.

Having restarted your PC you will now need to download and install a Firewall. We recommend ZoneAlarm and it is 100% FREE!

For added assurance I suggest you download Spyware Terminator. It’s 100% FREE and will monitor every action. It also comes with a handy ‘Safe Web Search’ tool which places a GREEN shield next to safe websites.

Lastly you will need to update Windows Security. Click here.

* Be very careful when making any changes to the Windows Registry. We suggest you make a Windows Registry backup before making any changes.

Click here to learn more about the threats you face when shopping online.

Safe surfing folks!

Julian

Thursday, 19 March 2009

Online bank fraud is on the rise

Online bank fraud is one of the fastest growing crimes in the world. There are many methods by which your personal and financial information can be stolen from you. To find out some of the most popular ways in which cyber criminals do this - click here

Remember: Fraudsters have only one thing on their mind - Making money out of you!

Update: Trying to remove Antivirus 360, Antivirus 2010? Download Malwarebytes - click here
You might not be able to update the virus definitions database - click here

Safe surfing folks!
Julian

Tuesday, 10 March 2009

Clickjacking - stopping it isn't easy!

Clickjacking refers to hijacking a user's click on a website so that it does something the user would not intentionally do. Those who are non-technical will probably start to wonder what all this means.

Now think - JavaScript. Anything can be triggered with JavaScript - which isn't good news for webmasters and those of us fighting hackers and stopping fraud. Hackers know how to trigger a user click using a JavaScript event, which means anything can be achieved once that event fires. I always suggest to friends and our members to 'disable' JavaScript in their browsers. But, there is a big but....

Some additional research has found that clickjacking can work without JavaScript - so disabling JavaScript doesn't remove the exploit opportunity. Simply put - a malicious website can make the user believe they are clicking an element (a link, button or banner) on the visible page, when the click actually lands on an element of a hidden page layered over it. Clever stuff indeed.

Stopping clickjacking isn't easy. Currently there is no fix which stops a clickjacking attack. Webmasters, though, can stop their website from being loaded in an iFrame* by using a few lines of simple code. The code redirects the visitor to the website without the iFrame.

The major problem for users is the way browsers handle HTML and CSS (including the z-index property of the CSS style sheet) and specifically iFrames. You could use a text-based browser such as Lynx, and/or, if you use Firefox, the 'NoScript' extension, which blocks embedded content from untrusted domains. Technical users will find setting up these features very easy indeed - non-techies though may struggle with this.

*An iFrame is an HTML element which makes it possible to embed one HTML document inside another HTML document.
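The "simple code" the post refers to is the frame-busting script webmasters of the time put at the top of each page. The block below is an added example, not code from the original post: it shows that script as a testable function, and goes one step beyond the post by also listing the response headers (X-Frame-Options, and the later Content-Security-Policy frame-ancestors directive) that let the server forbid framing without relying on script at all. The function names and the fake window objects are this example's own assumptions; in a real page you would simply call bustFrame(window).

```javascript
// Added example (not from the original post): 2009-era frame-busting check
// plus the anti-framing response headers browsers later standardised.
// Function names and the constructed window objects are assumptions.

// True when this document is not the top-level browsing context,
// i.e. somebody has loaded it inside an <iframe>.
function isFramed(win) {
  return win.top !== win.self;
}

// The frame-buster: if framed, navigate the top-level window to our own
// URL so the page is shown outside the attacker's frame.
// Returns true when a redirect was issued, false when no frame was present.
// Script-only busting can be defeated (scripts disabled, or the outer page
// blocking the navigation), which is why the headers below are the
// stronger control.
function bustFrame(win) {
  if (!isFramed(win)) {
    return false;
  }
  try {
    win.top.location.href = win.self.location.href;
  } catch (e) {
    // Cross-origin assignment refused: blank our own content instead so
    // there is nothing useful left to click on inside the frame.
    win.self.location.href = 'about:blank';
  }
  return true;
}

// Server-side control: headers to send so the browser refuses to render
// the page in a frame at all.
// policy: 'deny' (never frame) or 'sameorigin' (only our own pages may).
function antiFramingHeaders(policy) {
  if (policy === 'deny') {
    return {
      'X-Frame-Options': 'DENY',
      'Content-Security-Policy': "frame-ancestors 'none'",
    };
  }
  if (policy === 'sameorigin') {
    return {
      'X-Frame-Options': 'SAMEORIGIN',
      'Content-Security-Policy': "frame-ancestors 'self'",
    };
  }
  throw new Error('unknown anti-framing policy: ' + policy);
}

// Constructed stand-ins for browser window objects, so the logic can be
// exercised outside a browser.
function makeTopLevelWindow(url) {
  const win = { location: { href: url } };
  win.self = win;   // in a browser, window.self === window
  win.top = win;    // top-level document: window.top === window
  return win;
}

function makeFramedWindow(pageUrl, outerUrl) {
  const top = makeTopLevelWindow(outerUrl); // the framing (outer) page
  const inner = { location: { href: pageUrl } };
  inner.self = inner;
  inner.top = top;                          // our page sits inside its frame
  return inner;
}

// Demonstration on constructed windows (constructed sample URLs).
const demo = makeFramedWindow('https://shop.example/checkout', 'https://outer.example/');
console.log('framed before:', isFramed(demo), 'redirected:', bustFrame(demo));
console.log('top now points at:', demo.top.location.href);
console.log(antiFramingHeaders('deny'));
```

Send the headers from the web server for every page that performs an action on the user's behalf (login, checkout, settings); keep the script as a fallback for older browsers, not as the only defence.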

Safe surfing folks!
Julian

Thursday, 5 March 2009

iPhone - Warshipping

Not much is mentioned about "Warshipping" - too technical for most springs to mind... Alas I was blown away by the very word! I thought it related to "World of Warcraft". Lots of laughter on that one. Still it's worth a brief explanation on what it is and what it can do....

A guy called David Maynor from ErrataSecurity is the author of a new term called "Warshipping". Warshipping is when a device capable of sniffing WiFi traffic is shipped to a company, thus entering the physical boundaries that are off-limits to a wardriver.

David's research managed to prove that you can ship an iPhone to any company and, with the battery running for 5 days, it will stay connected to WiFi in passive mode, collect as much information as possible and return it to the owner through a reverse (3G) connection.

Anyone thought about how easy it could be for the iPhone under 3G to be able to receive commands to receive a malicious file and transmit it over the company network?

Safe surfing folks!
Julian