A-Tec Computer

Home    -    Repair    -    Malware Removal    -    Windows 10    -    Contact    -    About Me    -    My Location    -    Computer Tips




Malware Removal

You have found one of central Kentucky's experts on malware removal.  I've removed more than enough of today's modern malware to know how it operates, how to detect it, how to safely remove the associated files/registry entries and how to reverse the varied damages it causes.

Fake Update Notices

They are everywhere on the Internet.  Unless you are adept at what needs updating on your computer and how to do it, you should seriously question warnings about outdated software that you encounter on the Internet.  The tip-off is usually a full page popup telling you you need to update your "browser" or "Flash Player".  Some notices informing you of an outdated browser are legit but do not ask you to click on anything.  The Adobe Flash plug-in on Firefox and Internet Explorer needs to be periodically updated but this should be done manually and NOT by clicking a button of link. Update Adobe Flash here https://get.adobe.com/flashplayerBe sure to uncheck the free offers on that page before hitting the download button.

If you use both Internet Explorer and Firefox, each of those uses a different flash update.  If you go to the Adobe update page linked above, the page knows which update to give you by which browser you are using.  You will need to go there using IE and also go there using Firefox.  Note that the Internet Explorer version that comes on Windows 10 is updated automatically by Microsoft and is not updated manually.

Call me if in doubt.  Stay frosty.

Fake Warnings

Not malware but if you are gullible, these can cost you money.  DO NOT CALL THE PHONE NUMBERS!!.  This is a scam.  Becoming very common, these fake warnings are typically encountered when someone clicks a link in FaceBook or similar and a full-page popup covers the screen.  The design is meant to scare the user into calling a phone number to fix a critical system or security issue.  This is a fake.  Don't call the number or you will be inviting the devil into your computer.  Sometimes these popups are persistent and can be difficult to close.  Try Task Manager and close the web browser.  Sometimes it's necessary to do a restart on the computer but be sure to do a proper restart and don't just hold the power button in.

Some browsers will remember the previous problem upon reopening and will ask if you want to reload the page(s) you were on last.  Of course, you don't so say no.

Below are some example of these full size popups.  Most resemble Blue Screens of Death (BSOD).  Remember - the Internet doesn't warn us.  It tries to trick us and generate revenue.  Don't be fooled by these and once clear of the popup, don't go back to the place where it occurred.

See the section below called "Calls From Microsoft" for more details about the scam.

Calls From "Microsoft"

Another fake.  Another attempt to trick the user into letting someone into their system who will want to charge money to "fix" it.  It's a simple confidence scam where the scammer gains access to the owner's machine with their permission and once connected, they run a built-in password utility called syskey.exe and gives the machine a login password.  They do it in front of your eyes but you won't know what it is because it's an unfamiliar utility even to most techs and they also do it very quickly.  In less than 5 seconds they can lock a machine down:

1st Screen

2nd Screen                                                                 3rd Screen

The scam continues... once the victim suspects a scam, they hang up and the first time they restart the computer they will be locked out.  Then they count on the victim hitting the redial button out of desperation and wiring over the demanded ransom money.  This will probably be futile because it will be a different scammer on the line and that one won't know what the first one used as a password.

If you have been victim, do not restart or shutdown your computer, but DO disconnect it from your network by unplugging your Ethernet cable or powering down your modem and then CALL ME.  The encryption can probably be reversed but if not, your data can be accessed, saved, and Windows reinstalled.  Please do not pay these crooks the ransom.



This one is a recent threat with incidents showing up in my area in the fall of 2014.  Symptoms include slow computer speeds, maxed-out CPU, and programs locking up.  It seems to hog the local Internet gateway at the expense of other users' Internet speeds.  Since regular virus and malware scanners don't detect it, many people may have this one and not know it.  Reported delivery methods are by emailed attachments pretending to be a report from UPS, USPS, Fed Ex, etc. informing the potential victim of a missed delivery or late shipment.

Poweliks doesn't deposit a file, gives no false warnings, doesn't try to pose as a legitimate program and doesn't present itself in way that is common to past malware.  It adds hidden code to the registry and causes existing Windows processes to surge while sending data packets to an IP address in country called Kazakhstan.  What is being passed through this connection is unknown.

Do you have it?  Open Task Manager and look at the running processes.  If you see multiple high-memory occurrences of dllhost.exe *32 with the COM Surrogate description or something similar with the *32 suffix, you might have it.  Since we don't know what is being passed to or from the programmed IP addresses, it would be wise to shut down the computer until the code is removed.


Also known as "ad fraud" and "click fraud".  The main symptom is a very slow computer and in Internet Explorer's history you might see a list of sites that you have not visited.  Look at the Processes tab in Task Manager and check the running processes.  If you see explorer.exe with a number higher than 100 K up to 2,000 K or five to ten processes with the same name using 20-100K each, you may have it.

This type of malware causes your computer go to marketing web sites behind your back with the goal of creating revenue where site owners get paid by advertisers when someone visits their sites.  This type of malware can use up bandwidth as well as processing power.  Since it easily slips by antivirus programs, you should check your running processes often.

CryptoLocker, CTB-Locker, et al.

CryptoLocker and other data-encrypting malware are the worst ones I've seen.  These actually destroy your personal data like pictures and documents and offer to restore them after you pay a high ransom (hundreds) which may or may not work.  Here is a printable handout.

The user gets tricked into running the installer by way of an Internet script-based tripwire loaded from an ad or more often from an enticing email attachment pretending to have a report from FedEx, UPS, USPS, PayPal, your ISP, the IRS, etc..  The installer file is activated, the single-file launcher application is placed in a hidden directory and the single-line instruction is added to the registry.  Then it runs from inside and begins to encrypt certain file types.  Encryption means your files are locked.  The files this one goes after are your important personal data like office documents and pictures.  Sometimes the files are encrypted and then your antivirus detects and removes the program.  If this happens, you won't get an announcement or a way to pay ransom.

Protection: Suspect all attached zip files and emailed web links.  A zip file attached to your email is the danger signal.  Don't fall for the trick.

Suspect every email.  Don't be a "clicker".  Suspect emails that look like they are from legitimate businesses such as the Better Business Bureau, credit card companies and airlines.  These companies do not send out emails with zip attachmentsDelete any emails like I have described.

What if you already have it?

If you get CryptoLocker or CTB-Locker and your files are worth the ransom it is requesting, the malware files(s) and associated registry entries holding part of the encryption key must not be removed until after the ransom has been paid and your files are decrypted.  There are people who have reportedly paid the ransom and have had at least some of their data successfully unlocked.

Again... once tricked, the only way to regain access to locked data is to pay the ransom as instructed by the malware's splash screen:

Data Protection.  An important general safeguard is keeping your data backed up and protecting it with the right method.  I have a section about backing up data on my Computer Tips page but unless you know how CryptoLocker works and take extra precautions, your backed up data may not be safe from it.  From what I have read from IT professionals and those who have experimented with this rattlesnake, the encryption path follows drive letters and encrypts common personal data files it finds on that path.  Meaning if you use an external backup drive and it is connected to your computer using an assigned a drive letter or you have manually created a network share on another computer and mapped it using a drive letter, CryptoLocker can find the drive or shared folder and encrypt the data THERE as well.

To check if your external data is vulnerable, go to Computer (My Computer) and if your backup destination sits on the same page as your C: drive and has a drive letter (e.g. E:, F:) or is mapped with a drive letter, your data is not safe.

Here's an important thing to remember... if you have an automated backup program and it runs after your local files are encrypted, those backup files can be replaced with encrypted versions.  So if you get CryptoLocker, immediately remove the connected destination drive you use for backups or disable your cloud-based backup until your computer is clean.

My recommendation is to use more secure data backup and storage options which include using Network Attached Storage (NAS) instead of a USB or firewire-connected external drive.  If you have mapped network shares that are on host servers, remove the drive-letter maps and use UNC shortcuts (\\%host computer%\%network share%) instead.  Of course burning your data to a recordable CD or DVD is safe, albeit outdated and cumbersome, just be sure to remove the disk from the tray if it is not finalized and closed by your disk-burning software.

My personal NAS choice is a Synology DS213j which is a dual-disk unit already configured for RAID 1 (mirrored).  The NAS is connected to your router by Ethernet cable and is accessible by approved computers on your network.  Note that these units do not normally come with hard drives - you typically add those yourself.  The total cost of a NAS storage system is the enclosure plus the drives.

If you have a USB drive you are using for backups and replacing it is not feasible, physically disconnect it from your computer when it is not being accessed during backups.

FBI, Homeland Security "Viruses"

These types first appeared in 2012 and pretend to be something produced by the US Government. The user is seemingly locked out of thier computer with no way in aside from paying a fine.  Don't worry.  This isn't the government.  The story usually goes that your computer has been scanned and illegal downloaded content has been detected.  If you have a webcam and at a previous time unwisely gave the Flash browser plug-in global permission, it may even show your image.

It will describe a way to stay out of prison by entering a number from a pre-paid money card which can be bought at any store.  Don't do it.  Money cards are basically cash.  You'll lose your money and your computer will still be "locked".  Don't do the MoneyPak thing.  Call me to remove this.


Classic Malware

Not as prevalent these days but in the classic malware, the user landed on a web page, a script from an ad was triggered and the user was tricked into installing it on their own computer by clicking the OK button or the X on a script-generated popup.  Below are some examples of these dangerous trip-wires:

Pop-up viewed on a Windows 7 or Vista Machine (Internet Explorer)

A couple viewed on a Windows XP Machine

Windows 7 / Vista (Internet Explorer)

Windows 7 / Vista (Firefox)

Windows 7 (Internet Explorer)

Look familiar?  These simple-looking pop-ups are what I call malware trip-wires and they do not come from your anti-virus.  Look at them again and commit them to memory because there is a similarity - they want you to click on them.  These are FAKE warnings loaded onto your browser by way of scripts from web pages and if you interact with these pop-up windows, you will install malware on yourself.

Don't click the OK or Cancel buttons or even the "X" - these and similar pop-ups must be closed by using Task Manager.  Right-click on the clock in your tray and choose Task Manager.  Click the Application tab and "End Task" the pop-up and the web pages that appear in this list.



What's the difference between a virus and malware?

Computer viruses are so named because they operate similarly to the viruses that invade our own bodies.  A computer virus is caught by exposure and then replicates itself.  It spreads internally within the system, spreads to other computers, and it even mutates.  Viruses are usually created with the goals of random malicious damage and also maybe to give its creator some satisfaction and notoriety among his peers.  Most viruses are written to spread automatically and take on lives of their own.

But malware as discussed here refers to programs that were written to cause specific changes to a computer's software and settings.  This type of malicious software installs behind the user's anti-virus, takes advantage of the way Windows operates and alters critical key areas that greatly reduce a computer's functionality to the point of being unusable.

The end-goal of most of today's common malware seems to be to force the user to a web site that promises a removal tool in exchange for a fee.  For this reason, these types of malicious programs have also been called ransom-ware.

Once the initial trip-wire has been clicked on, an animated pop-up window posing as a virus scanner loads onto the screen.  Examples: 

The type of pop-ups above are meant to trick the user into believing that an official virus scan is taking place and that the scan is detecting a large list of viruses, Trojans, and other nasties.  These pop-up scanners are fakes as well as the list of infections that it shows that it has found.  Common names that these things use includes Antivirus 2010, Antivirus 2011, SecurityTool, Win 7 Security 2012, AV Security 2012, XP Home Security 2012, etc..

Once infected with this type of malware, the user's Internet connection is sometimes cut off or altered where only certain sites can be accessed - it might open your web browser to strange-looking search sites or blank pages but it usually makes a site available where a credit card or bank account number can be entered to pay for a "cure".  The desktop wallpaper might be changed to have a scary message and as long as the malware is on the user's system, the random pop-up warnings and fake scans will continue.

Other damages brought forth in a full-blown infection causes programs to not open, prevents the user's real anti-virus from loading, sprinkles distasteful icons on the desktop, and the system will slow to a crawl as random pop-ups repeat themselves.  With a certain malware family, the fake scanner and its message load immediately at boot-up and Windows fails to load.

Recent infections cause the disappearance of the Windows Security Center service and will hijack web searches to land on other rigged and potentially dangerous "search sites".

There are a few malware types that hide files and shortcuts.  Your Desktop, the Programs list and User Documents directories will seem to be empty.  Careful with this one.

The screenshot above is an extreme example but is representative of the varied
types of pop-up "warnings" that can happen in a full-blown malware infection.

Expert Removal:

My malware removal technique is unique and was developed and perfected during countless and successful removals for customers.  It begins with identifying the family of the active malware and proceeds from there where I take actions in a certain order based on the malware type and damages present.  After my manual removal/repair, I perform system scans to be sure all remnants, hidden and dormant files from the present and past infections are gone and obscure settings are restored.

Removal attempts by random methods can make the problem worse.  As long as no one has tried to remove an infection with the wrong method, my expert removal and damage reversal technique never fails - I know how malware enters, where it goes, how it operates, where its trigger files reside, how to remove it, and how to reverse its damages.

Kitchen-sink approaches using random automated cleaners to remove malware can be destructive and will rarely detect and repair all the varied damages/changes that malware can do to Windows systems.  The Windows utility called System Restore should not be used against malware.  Invasive cures like ComboFix and SmitFraud Removal are rarely necessary - their use has unnecessary risks and they are not often successful on today's modern malware.

Again - removal attempts performed by the inexperienced can make the problem much worse and can make the repair process more difficult, time-consuming, and sometimes even prohibitive.

If you take your computer to most repair centers for malware/virus removal, the common solution is to reinstall Windows. This will be a costly service and will definitely remove the infection but it will also remove everything else - you will needlessly lose your user-installed programs and customization settings. They will also charge extra to back up your irreplaceable user data.

Reinstalling Windows is rarely necessary as a solution for viruses and malware.  My removal method is effective, safe, thorough and complete.  After I remove the malware and reverse the damages, I then check, tweak and tune the system to make it run faster than it did before the infection.

  A word of warning: I've seen machines that had irreparable damage after home virus removal attempts were performed.  You are taking your chances trying System Restore and some automated cleaners.

I understand the temptation, but please realize the risks of using blind, shotgun tactics.  I get great results manually removing fresh malware infections and have found that most malware-related damages that cannot be repaired easily by me are usually the results of actions having been taken beforehand by someone inexperienced trying to remove the malware.

Windows' System Restore used as a malware cure can cause instruction conflicts and errors which could bring blue screens or even cause the system to not load Windows.  This can be considered as part of the malware trap - either by design or by accident.  System Restore takes only certain settings back to an earlier date and does NOT remove the actual malware or root-kit files.  If part of the damage was to your userinit file and also to its associated registry instruction, running System Restore without repairing the userinit file first will prevent the user from logging into Windows.

The worst examples of botched attempts were caused by applications the owners ran which left their machines in a state with their network controllers not being able to obtain IP addresses automatically and not resolving DNS names.  This was not because of proxy server settings, corrupt DNS caches, or altered hosts files - this was actual damage to and deletion of files and instructions associated with the TCP/IP stack or Windows' DNS-related services and is sometimes not repairable.

Another critical situation involves the malware type that hides desktop files and the shortcuts that appear in the Programs list.  Doing the wrong thing with this one can cause these seemingly missing items to be permanently deleted. 

I can quickly get your computer back like it was if it is left alone.

At the first sign of malware, do not do a System Restore to an earlier date or throw automated removal programs at it.  Call A-Tec.  A computer infected with malware as described above if brought immediately to me, can be completely repaired without a reformat/reinstall.

Removal Fees:

The price I charge for malware removal is included in the house call or drop-off rate.  On a reasonably-fast machine, the removal, damage detection/reversal, 2nd opinion scanning procedure and system tune-up will last about 1-1 hours and if scheduled and brought to my shop, it can usually be done for the basic drop-off fee usually while you wait.  Of course malware can be removed onsite at your residence or business for the applicable one-hour house-call rate.

Some machines when stacked with CPU-taxing applications run painfully slow - thus slowing down the repair/scanning process considerably.  An additional fee of $30 per half hour may apply to onsite malware repair on very slow machines.  If your machine was really slow before the infection, the removal process will be slow as well.  You'll already know if you own such a machine and you may want to consider a Windows reinstall as the best solution.

Future Protection:

Since I am very familiar with the mechanics of malware and know how these things operate, I also know how they are best prevented.  After my malware removal process, I will explain how the malware got on your system, uninstall the anti-virus that didn't work, and will install my favorite user-friendly, lean-running anti-virus application at no additional charge.



Copyright 2019 A-Tec Computer