
Archive for: Virus

New Virus “Erases” Files and Folders: Panics Users

Thanks to a new virus which makes users believe all of their data has been deleted, computer users everywhere are in mass panic and repair shops are busier than ever. This new virus is pure genius and is, as old-school hackers would put it, a “truly righteous” hack. It exploits a loophole in Java which gives the virus god-rights on the computer and installs without the user ever knowing. Unlike most viruses today which trick the user into thinking they have a virus and clicking ‘OK’ to clean it up (which actually installs it), it is embedded in webpages which use Java and installs silently. And since nearly everyone has Java turned on to surf the internet, it installs quietly and effortlessly. Suddenly, all the computer’s files, icons and folders are “gone.” Panic ensues as users frantically try to figure out how to recover their “lost” data. But what has really happened is that the virus has simply hidden every file on the computer! Genius, right? I can only imagine the developers are sitting back having a good laugh about it all.

So what do you do if you get hit by this lovely virus? A non-techy person could take it to a computer repair shop and spend anywhere from $85-$150 to get it fixed. Or for you geeks, you could fix it yourself using the following steps:

(Please note the following steps are for experienced users only – if you are not comfortable performing any of the below steps, take the computer to a professional!)

1)      Immediately boot into Safe Mode (with networking) and do not leave this until you are done! (Mashing F8 at the boot screen will do this on most computers – read the boot screen if F8 doesn’t do the trick)

  1. If you have to reboot at any time, make sure you boot back into Safe Mode!

2)      Download and run RKill: http://www.bleepingcomputer.com/download/anti-virus/rkill. This will terminate the virus from running and allow you to clean up the computer. Any of the download links should work – they just have various names to confuse viruses.

3)      You need to be able to see the folders/files which are hidden. To do this, do the following:

  1. Click your start menu
  2. In the ‘run’ field, type “cmd” and hit enter
  3. Type: attrib -h c:\*.* /s /d
  • The virus may also have made files read-only. If so, include -r as well.
  • If the virus has marked files as system files, add -s as well.
  • Do NOT add -r or -s unless they are needed.

4)      Make sure you have the following programs installed and updated:

  1. Microsoft Security Essentials (http://www.microsoft.com/security_essentials/)
  2. Super AntiSpyware (http://www.superantispyware.com)
  3. Remove ANY other antivirus program you have as most don’t live up to their promises and often do more harm than good (ESPECIALLY Norton, McAfee and AVG).

5)      Run a FULL scan on both Security Essentials and Super AntiSpyware.

6)      Clean up your registry! (If not comfortable with this, pay for a professional cleanup!)

  1. Go to Start –>Run–>’regedit’ and hit enter, then ‘Ok’ or ‘Yes’
  2. Go to HKEY_CURRENT_USER–>Software–>Microsoft–>Windows–>CurrentVersion–>Run
    i.      Remove anything which looks suspicious and is not a file you recognize. For instance, an entry with a name like FKA546542EJJAL and stored in a temp file is probably a virus (EXAMPLE ONLY). This is also a good time to remove unnecessary programs from starting up at boot time.
  3. Go to HKEY_CURRENT_USER–>Software–>Microsoft–>Windows NT–>CurrentVersion–>Winlogon
    i.      Again, remove anything suspicious. If you don’t see anything obvious, DO NOT DELETE ANYTHING.
  4. Go to HKEY_USERS–>’user name’ or ‘.DEFAULT’–> Software–>Microsoft–>Windows–>CurrentVersion–>Run
    i.      Remove suspicious files as mentioned above
    ii.      Do this for EVERY user
  5. Go to HKEY_LOCAL_MACHINE–>SOFTWARE–>Microsoft–>Windows–>CurrentVersion–>Run
    i.      Remove suspicious files (be EXTRA careful here as some of these files are necessary for system files to run at startup. Again, if not sure, take it in for a professional cleanup!)
  6. Go to HKEY_LOCAL_MACHINE–>SOFTWARE–>Microsoft–>Windows NT–>CurrentVersion–>Winlogon
    i.      Double click on ‘Shell’ and make sure it ONLY says ‘explorer.exe’. If there is anything after it, delete it!
    ii.      Double click on ‘Userinit’ and make sure it ONLY says ‘C:\Windows\system32\userinit.exe,’. If there is anything after it, delete it!

7)      Lastly, do a quick file cleanup

  1. Go to C:\Windows\System32
    i. Sort by Date Modified – click twice so you see the most recent date on top
    ii. Going from the date you got infected (hopefully you are doing this the same day or the next day) remove any files which look suspicious (yet again, if you don’t know what you are doing, take it to a professional!)
  2. Go to C:\Windows and do as above, but look at folders as well as files
  3. Delete cookies and temp files (any self-respecting geek knows how to do this already)
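As an added example (not part of the original post), this PowerShell script does the inspection side of steps 3 and 6 without modifying anything unless -Apply is given: it lists the Run and Winlogon entries named above, flags a Shell or Userinit value that differs from the stock string, and lists hidden files under the user profile while skipping files that also carry the System attribute, which the plain attrib command would unhide along with everything else. The function names are constructed for this example, and it assumes PowerShell 3.0 or later running as Administrator.

```powershell
# Added example, not the post's own instructions: inspect first, change only with -Apply.
# Assumes PowerShell 3.0 or later, run as Administrator from Safe Mode.

function Get-HiddenUserFiles {
    # Lists files under $Root that carry the Hidden attribute but NOT the System
    # attribute. Genuine OS files are almost always Hidden+System, so skipping
    # System keeps them hidden instead of unhiding everything like attrib -h c:\*.* /s /d.
    param([string]$Root = $env:USERPROFILE, [switch]$Apply)
    Get-ChildItem -Path $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Attributes.HasFlag([IO.FileAttributes]::Hidden) -and
            -not $_.Attributes.HasFlag([IO.FileAttributes]::System)
        } |
        ForEach-Object {
            if ($Apply) {
                # Clear only the Hidden bit; ReadOnly and other bits are left as they are.
                $_.Attributes = $_.Attributes -bxor [IO.FileAttributes]::Hidden
            }
            $_.FullName
        }
}

function Get-StartupEntries {
    # Emits every value under the per-user and machine Run keys, then the Winlogon
    # Shell and Userinit values, flagged CHECK when they differ from the stock strings.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in (Get-Item $key).Property) {
            [pscustomobject]@{ Key = $key; Name = $name; Value = $props.$name; Status = 'review' }
        }
    }
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{ Shell = 'explorer.exe'; Userinit = "$env:SystemRoot\system32\userinit.exe," }
    foreach ($name in $expected.Keys) {
        $actual = (Get-ItemProperty -Path $winlogon -Name $name).$name
        $status = if ($actual -eq $expected[$name]) { 'ok' } else { 'CHECK' }
        [pscustomobject]@{ Key = $winlogon; Name = $name; Value = $actual; Status = $status }
    }
}

Get-StartupEntries | Format-Table -AutoSize
Get-HiddenUserFiles              # dry run: list candidate files only
# Get-HiddenUserFiles -Apply     # clear the Hidden attribute on those same files
```

Review the listed Run values against programs you actually installed before deleting anything in regedit; a CHECK on Shell or Userinit means the value has something appended to the stock string.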

So by now you have:

1)      Made your files viewable and usable again

2)      Removed the virus and any associated viruses or malware using the recommended software

3)      Removed registry entries to prevent anything bad from loading on startup and thus re-infecting your machine

4)      Removed any negative system entries which may also be contributing to the problem.

You might have even discovered you had other spyware, malware or viruses you didn’t know about throughout all this. But if you did everything correctly, you should be clean. If not, now is definitely a good time to take the computer in for a professional cleanup as your machine likely has bigger problems than you were aware of. Good luck!

Please note that running these commands will make EVERY file on the system viewable and editable, including previously hidden system files you shouldn’t mess with. Use extreme caution when working with files after doing this. If you aren’t comfortable with this, consider paying for a professional cleanup.

 

How to Easily Implement a Centralized Antivirus Solution Using GFI VIPRE Antivirus

GFI VIPRE Antivirus is one of the best solutions on the market for operating system security. It is very versatile, offering a wide range of options and configurations for deployment on client or server machines, and it is very simple to install.

Protecting operating systems against malware and viruses is a key concern for every organization, even though most small and mid-size companies neglect it. GFI VIPRE Antivirus provides the simplicity and scalability any company should be looking for in a security solution.

Some of the most important features included in GFI VIPRE Antivirus are:

  • Simple installation and environment configuration: The platform does not require complex configuration. For a complete step-by-step guide, check this link.
  • Centralized management: A central console to administer all your clients, with the option of delegating read-only permissions to operators.
  • Easy deployment: Several fast options for discovering machines, plus automatic deployment. Where agents cannot be pushed to clients, a manual MSI installation can be used.
  • Scalability: You can configure different sites and different policies, all handled by GFI VIPRE Antivirus, making it possible to protect every necessary computer with settings appropriate to each group.
  • High compatibility: Windows 2000 SP4 or newer operating systems are supported as client machines (Windows 7 included, of course).
  • Flexible reporting: Extensive options for configuring reporting within your environment.
  • Very low resource usage: GFI VIPRE Antivirus is one of the antivirus products that require only a very small portion of your machine’s resources, making it completely silent and transparent to users.

Here’s a comparison of CPU usage while a scan is running across the most widely used antivirus products:

As a quick reference, here’s an overview of the process of implementing GFI VIPRE Antivirus (detailed step-by-step here):

  1. Review the requirements for server and client machines.
  2. Define the machine categories and the antivirus behavior you want for each category.
    This is expressed as a policy configured per category (for example, mobile computers get a more restrictive policy than workstations).
  3. Install GFI VIPRE Antivirus.
  4. Create and configure system policies to apply to agent machines.
  5. Add agents and validate the VIPRE installation. The platform supports both automated and manual installation.
  6. Run a manual scan on the agents to validate the current health of your clients. Automatic scans can be scheduled on the agents, and manual scans can be triggered whenever needed.
  7. Generate reports using Report Viewer.
  8. Configure any additional sites and permissions for different types of users. Operators can be given access to the platform through the GFI VIPRE console.

You can download the free trial of GFI VIPRE Antivirus at this link.

Virus Infecting Mac and Linux

The Koobface Trojan is back, and it now comes with a surprise for a few new friends: it infects Mac OS X and Linux. Intego’s Mac Security Blog reports that this virus is spreading through social networks and affects Mac computers as well as Linux.

Koobface spreads through social networks like Facebook, Twitter and MySpace, and it no longer infects only Windows computers. A common message indicating the presence of Koobface is “Is this you in this video?”; once you click the link, it tries to run a Java applet that installs malware on the OS.

As on Windows, Koobface runs a local web server and an IRC server, acting as part of a botnet and as a DNS changer, and of course it tries to spread to other computers.

Intego states that Intego VirusBarrier X6 and X5 detect and remove this malware, but you should avoid running any unknown Java applet on your computer, and if one does run, notice that an installation is in progress and cancel it quickly.

Mozilla Removes Dangerous Add-On

Mozilla’s official blog recently announced the removal of an add-on that was transmitting users’ personal and confidential data to a remote site.

The add-on is (or was) called Mozilla Sniffer; it was uploaded on June 6th to Mozilla’s official add-on site, downloaded by 1800 users, and active for 334 of them. The add-on apparently collected users’ private browsing data (such as user names and passwords) and sent it to a remote site.

Since Mozilla has blacklisted this add-on, everyone who had it running should now see it disabled in their browser.

Mozilla also makes a contradictory statement about this situation:

“Mozilla Sniffer was not developed by Mozilla, and it was not reviewed by Mozilla. The add-on was in an experimental state, and all users that installed it should have seen a warning indicating it is unreviewed. Unreviewed add-ons are scanned for known viruses, trojans, and other malware, but some types of malicious behavior can only be detected in a code review.”

But later in the same article:

“Having unreviewed add-ons exposed to the public, even with low visibility, has been previously identified as an attack vector for hackers. For this reason, we’re already working on implementing a new security model for addons.mozilla.org that will require all add-ons to be code-reviewed before they are discoverable in the site.”

Damn right you’ll be reviewing those add-ons! If you publish add-ons, features and options for your product on your site, you should be aware that there’s a responsibility that comes with it.

Microsoft Free Antivirus Releasing Today

Microsoft has been working for a long time now on providing a good and reliable antivirus platform for all users. And when I say “for all users” I mean a free one. It seems the dream comes true today: Microsoft Security Essentials will be released to the public as Microsoft’s free antivirus solution.

Microsoft Security Essentials replaces Windows Live OneCare as Microsoft’s security suite against viruses and malware. It can be installed on Windows XP, Vista and 7, and it has already received a good review of the protection it provides, shielding against 97.8% of the malware found on the web.


On the other hand, some of the other reviews this antivirus platform has received so far say that its engine is a little slow and intrusive toward other applications.

And of course, the leaders behind other security solutions are already trying to tear it down: McAfee says it “will compete against other free solutions by offering limited security functionality”, and Symantec calls it a “thin defense” that gives you no antispam or identity safeguards of any kind.

Let people decide then.