December 21, 2010

Manually Remove Antivirus GT

Antivirus GT is a rogue antispyware program that is distributed to computers through the Win32/FakeXPA Trojan. Once a computer is infected, Antivirus GT completely takes over the system. You start receiving a flood of fake pop-up messages claiming that malicious files have been detected that may compromise your system. The parasite then starts to scan the PC and displays fictitious scan results. They usually state that your system is at high security risk and that, to prevent further damage, you have to download and purchase its registered version. Do not believe any of the information it spreads, because it is a fraud: the malware's only goal is to get you to buy a bogus program. It is not worth spending your money on, because it can neither detect nor remove computer threats, and therefore it cannot be trusted.
Turn off System Restore before you begin this process.

Manual Antivirus GT removal

Stop these Antivirus GT processes:
antivirus GT.exe
avgt.exe
Disable these Antivirus GT DLL files:
MicrosoftExtensions.dll
Remove these Antivirus GT Registry Entries:
HKEY_CURRENT_USER\Software\EVA246
HKEY_CURRENT_USER\Software\WinFD
HKEY_CLASSES_ROOT\CLSID\{3304F17F-732C-4AC6-BF67-DBDC8B88C11F}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3304F17F-732C-4AC6-BF67-DBDC8B88C11F}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "AVGT"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform "WinNT-EVI 05.07.2010"
Remove these Antivirus GT files:
c:\Documents and Settings\All Users\Start Menu\AVGT\
c:\Documents and Settings\All Users\Start Menu\AVGT\AntivirusGT.lnk
c:\Documents and Settings\All Users\Start Menu\AVGT\Uninstall.lnk
c:\Program Files\AVGT\
c:\Program Files\AVGT\antivirusGT.exe
%UserProfile%\Desktop\AntivirusGT.lnk
C:\Documents and Settings\[User Name]\Local Settings\Temp\MicrosoftExtensions.dll
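The indicator lists above can be checked in one pass. The following PowerShell script is an added example, not part of the original post or of any removal tool: it looks for the processes, registry entries and files named above, reports what it finds, and deletes them only when run with -Remove (the switch name, the output format and the use of environment variables to locate the profile folders are this editor's choices, not anything the post specifies). It supports -WhatIf so the deletions can be previewed. Run it from an elevated prompt, preferably in Safe Mode so the rogue is not running.

```powershell
# Added example (not part of the original post): audit a machine for the
# Antivirus GT artefacts listed above and, only with -Remove, clean them.
# Indicator names come from the post; the script, its parameter names and
# its output format are this editor's additions. Written for PowerShell 2.0.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Remove   # without this switch the script only reports findings
)

# Process image names named in the post (Get-Process matches without .exe).
$processNames = @('antivirus GT', 'avgt')

# Registry keys named in the post.
$registryKeys = @(
    'HKCU:\Software\EVA246',
    'HKCU:\Software\WinFD',
    'Registry::HKEY_CLASSES_ROOT\CLSID\{3304F17F-732C-4AC6-BF67-DBDC8B88C11F}',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3304F17F-732C-4AC6-BF67-DBDC8B88C11F}'
)
# Registry values named in the post; the Run value restarts the rogue at logon.
$registryValues = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'AVGT' },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform'; Name = 'WinNT-EVI 05.07.2010' }
)

# File-system paths named in the post. On XP $env:ALLUSERSPROFILE resolves to
# C:\Documents and Settings\All Users; the per-user DLL path is checked for
# every profile folder beside the current user's.
$paths = @(
    "$env:ALLUSERSPROFILE\Start Menu\AVGT",
    "$env:ProgramFiles\AVGT",
    "$env:USERPROFILE\Desktop\AntivirusGT.lnk"
)
$profileRoot = Split-Path -Path $env:USERPROFILE -Parent
$paths += Get-ChildItem -Path $profileRoot -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer } |
    ForEach-Object { Join-Path $_.FullName 'Local Settings\Temp\MicrosoftExtensions.dll' }

$findings = @()

# 1. Running processes: stop them first so files and keys can be removed.
foreach ($name in $processNames) {
    foreach ($proc in @(Get-Process -Name $name -ErrorAction SilentlyContinue)) {
        $findings += "Process: $($proc.Name) (PID $($proc.Id)) $($proc.Path)"
        if ($Remove -and $PSCmdlet.ShouldProcess($proc.Name, 'Stop process')) {
            Stop-Process -Id $proc.Id -Force
        }
    }
}

# 2. Registry keys (-LiteralPath so the braces in the CLSID are taken as-is).
foreach ($key in $registryKeys) {
    if (Test-Path -LiteralPath $key) {
        $findings += "Registry key: $key"
        if ($Remove -and $PSCmdlet.ShouldProcess($key, 'Remove registry key')) {
            Remove-Item -LiteralPath $key -Recurse -Force
        }
    }
}

# 3. Individual registry values under otherwise legitimate keys.
foreach ($v in $registryValues) {
    $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
    if ($item -ne $null) {
        $findings += "Registry value: $($v.Key) [$($v.Name)] = $($item.($v.Name))"
        if ($Remove -and $PSCmdlet.ShouldProcess("$($v.Key)\$($v.Name)", 'Remove registry value')) {
            Remove-ItemProperty -LiteralPath $v.Key -Name $v.Name -Force
        }
    }
}

# 4. Files and folders.
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += "File/folder: $p"
        if ($Remove -and $PSCmdlet.ShouldProcess($p, 'Delete')) {
            Remove-Item -LiteralPath $p -Recurse -Force
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Antivirus GT indicators found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
    if (-not $Remove) { Write-Output 'Re-run with -Remove (add -WhatIf to preview) to clean them.' }
}
```

Run it once without switches to get an inventory, then with `-Remove -WhatIf` to see exactly what would be deleted before committing. The Run value is what relaunches the rogue at logon, and a Browser Helper Object entry is how a DLL gets loaded into Internet Explorer at startup, so those two entries matter most for stopping the pop-ups; the file and folder deletions remove the payload itself. A scan with a trusted, up-to-date antivirus afterwards is still worthwhile, since the dropper may have installed components not on this list.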

Download Antivirus GT Removal Tool 1.0

Antivirus GT Removal Tool is a small and easy-to-use application designed to delete the fake Antivirus GT from your computer. Antivirus GT is a fake antivirus program that intends to make a profit from the user of the infected computer. It is installed when the user is tricked into using a fake online scanner that produces fake results. These results state that the computer is infected and urge you to download and install Antivirus GT. Once installed, it runs automatically when the system boots. However, it does not do what it claims to do: after scanning the computer, it still states that the computer is infected with malware.


August 11, 2010

The “M” Word – Protecting Yourself from Malware

By Bryan Lambert – August 8, 2010

In this year, 2010, malware seems to be as ubiquitous as the air we breathe. While computer users today are much more savvy about the threat of malware, there is still more that we can do. In this Tech Tip we’ll look at some very practical things you can do to keep yourself protected, as well as some things you can do if you have inadvertently picked up malware on any of your PCs.

Protecting Your Computer

In a nutshell this is what you’ll need to keep your computer humming along:

  1. Have some kind of anti-malware protection on your computer and keep it current. While many new notebook computers and PCs come with trial anti-malware software, it is up to you to keep it current (for a price). There are, however, free alternatives. The foremost among them is Microsoft’s own Security Essentials. It doesn’t come with Windows, but can be easily downloaded and installed. Other free programs include the popular AVG, Avast, Avira and BitDefender (they have paid versions as well), while the usual suspects round out the paid products: McAfee, Norton, Panda, Kaspersky and Trend Micro. This is not an exhaustive list by any means, as there are many other free and paid programs that can be used.
  2. Keep your computer up to date. You can rely on automatic updates, but to be sure that nothing is being missed you may want to manually run updates from time to time – particularly for the operating system and the web browser. For example, in Windows Vista and 7, click the Start button and type Windows Update in the search box – the first program listed will be the Windows Update program. Click on it and check whether you have any updates to run. In XP, go into the Control Panel and click on Windows Update there. As for the browser, if you are running Internet Explorer, Windows Update will update that as well. With other browsers, check their help files for how to update them. Besides that, also be sure that you have your firewall up and running.
  3. Don’t fall for bogus phishing scams, fake anti-virus scans, or software from “nowhere.” Because of increased protection, malware programmers are hitting the most vulnerable target in the chain – you. If they can get you to install the program from a fake anti-virus scan that pops up while you’re surfing, a bogus link in your e-mail, in your messenger or on a website, then they get past all those protections that have been carefully laid in place. Just don’t do it.

OK – you got “something” – Now what?

No computer is perfect – even with all your protections in place, something may slip through. If something does, there are things that can be done to minimize damage and risk.

  1. If you have access to a second computer, download onto a flash drive some tools to scan and hopefully fix your PC. Typically you can grab one or two of the antivirus programs available (I’d recommend AVG or Avast, mentioned earlier) and a good, free anti-spyware program (I highly recommend Malwarebytes). Install these on the infected computer and run a full scan. Depending on how bad the infection is, you may need to pull the computer off the Internet while running these scans. If you can get to the Internet, be sure to get the latest updates for these programs. You may also look into running either Panda’s or Trend Micro’s online scanner. Be sure to scan ALL drives.
  2. If you have a second computer, or the infected computer has access to the Internet, simply look up your computer’s symptoms online to see what other people are seeing and possible ways to fix it. There will be some dead ends, but often you can find out what is causing your problems as well as how to fix them.
  3. After all the scans, run the more advanced tool HijackThis from Trend Micro (a free tool) to see exactly what is running. HijackThis also gives you the ability to manually remove items. While you are at it, you can also run Trend Micro’s other free tools, RUBotted and RootkitBuster. If you cannot make heads or tails of the log files from HijackThis, there are many sites out there that will help you with them.
  4. If all else fails, you can always format and restore your PC to its original configuration.

What about everyone else?

What about other Internet-connected computers and devices that aren’t Windows based? Are they vulnerable to malware? You bet they are! This includes Linux, FreeBSD, OS X and UNIX-based computers, as well as Android, BlackBerry, iOS, Microsoft and Symbian-based smartphones and devices. Is there anything that you can do to protect yourself here? There is.

Besides making sure that you are up to date on all the latest software patches, know what kind of software and apps you are loading. Many companies, such as Symantec and others, are now making security software for these non-Windows operating systems and devices.

While there haven’t been widespread infections in the past, that doesn’t mean these platforms won’t be targets in the future – remember, there is no such thing as a perfect, invulnerable OS. Of course, it’s up to you to decide whether you need protection on these other devices.

Wrapping it up

Keeping your PC safe isn’t rocket science. It involves keeping your security software, operating system and other software up to date; watching what gets installed on your computer; and knowing what to do if something gets through. When it comes to security, no one tip can possibly cover everything. So, we open this up to you too – what do you use personally to keep your computer safe?


February 11, 2009

Don’t be a victim of Sinowal, the super-Trojan

By Woody Leonhard

The sneaky "drive-by download" known as Sinowal has been, uh, credited with stealing more than 500,000 bank-account passwords, credit-card numbers, and other sensitive financial information.

This exploit has foiled antivirus software manufacturers time and again over the years, and it provides us in real time a look at the future of Windows infections.

Imagine a very clever keylogger sitting on your system, watching unobtrusively as you type, kicking in and recording your keystrokes only when you visit one of 2,700 sensitive sites. The list is controlled by the malware's creators and includes many of the world's most popular banking and investment services.

That's Sinowal, a super-Trojan that uses a technique called HTML injection to put ersatz information on your browser's screen. The bad info prompts you to type an account number and/or a password. Of course, Sinowal gathers all the information and sends it back home — over a fancy, secure, encrypted connection, no less.

Washington Post journalist Brian Krebs wrote the definitive overview of Sinowal's criminal tendencies in his Oct. 31, 2008, column titled "Virtual Heist Nets 500,000+ Bank, Credit Accounts" — a headline that's hard to ignore. Krebs cites a detailed analysis by RSA's FraudAction Research Lab: "One Sinowal Trojan + One Gang = Hundreds of Thousands of Compromised Accounts."

Sinowal has been around for many years. (Most virus researchers nowadays refer to Sinowal as "Mebroot," but Sinowal is the name you'll see most often in the press. Parts of the old Sinowal went into making Mebroot. It isn't clear whether the same programmers who originally came up with Sinowal are also now working on Mebroot. Mebroot's the current villain.)

Microsoft's Robert Hensing and Scott Molenkamp blogged about the current incarnation of Sinowal/Mebroot back in January. RSA has collected data swiped by Sinowal/Mebroot infections dating to 2006. EEye Digital Security demonstrated its "BootRoot" project — which contains several elements similar to Sinowal/Mebroot — at the Black Hat conference in July 2005.

That's a long, long lifespan for a Trojan. It's important for you to know how to protect yourself.

A serious infection most antivirus apps miss

I haven't even told you the scariest part yet.

Sinowal/Mebroot works by infecting Windows XP's Master Boot Record (MBR) — it takes over the tiny program that's used to boot Windows. MBR infections have existed since the dawn of DOS. (You'd think that Microsoft would've figured out a way to protect the MBR by now — but you'd be wrong.)

Vista SP1 blocks the simplest MBR access, but the initial sectors are still programmatically accessible, according to a highly technical post by GMER, the antirootkit software manufacturer.
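Because an MBR bootkit has to rewrite the boot code in the first sector of the disk, one thing a defender can do is keep a fingerprint of that code and check it periodically. The PowerShell script below is an added example, not from the column or from any of the researchers it cites: it reads sector 0 of a physical drive through .NET's FileStream (which works on the raw \\.\PhysicalDriveN device when run elevated), prints the partition table for context, hashes only the 440 bytes of boot code so that legitimate disk-signature and partition changes do not raise alarms, and compares the hash with a baseline stored in a file. The disk number, baseline file location and the choice to hash bytes 0-439 are this editor's assumptions. One caveat follows from the column's own point about rootkits: a kernel-mode rootkit that intercepts disk reads can hand back the original sector, so a mismatch is conclusive but a match from inside the running system is not; for an authoritative answer, run the same comparison after booting from known-clean media.

```powershell
# Added example (not from the original column): keep a SHA-256 baseline of the
# boot code in a disk's first sector (the MBR) and warn when it changes.
# Requires an elevated PowerShell session. The baseline file location, disk
# number and the decision to hash only bytes 0-439 are this editor's choices.
param(
    [int]$DiskNumber = 0
)

# MBR layout: 440 bytes of boot code, a 4-byte Windows disk signature, 2 reserved
# bytes, four 16-byte partition entries starting at offset 446, and the 0x55AA
# boot signature at offset 510. A bootkit must alter the boot code, while the
# disk signature and partition table change legitimately, so only the boot code
# is hashed.
$BootCodeLength = 440
$PartitionTableOffset = 446

function Read-FirstSector([int]$Disk) {
    # \\.\PhysicalDriveN is the raw device path; FileStream can open it read-only.
    $devicePath = "\\.\PhysicalDrive$Disk"
    $stream = New-Object System.IO.FileStream($devicePath,
        [System.IO.FileMode]::Open, [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $sector = New-Object byte[] 512
        $read = $stream.Read($sector, 0, 512)
        if ($read -ne 512) { throw "Short read ($read bytes) from $devicePath" }
        return ,$sector   # leading comma keeps the byte[] from being unrolled
    } finally {
        $stream.Close()
    }
}

function Get-BootCodeHash([byte[]]$Sector) {
    # Hash bytes 0..439 only; return an uppercase hex string.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $digest = $sha.ComputeHash($Sector, 0, $BootCodeLength)
        return ([BitConverter]::ToString($digest)).Replace('-', '')
    } finally {
        $sha.Clear()
    }
}

function Get-PartitionSummary([byte[]]$Sector) {
    # One line per populated partition entry: index, type byte, bootable flag.
    for ($i = 0; $i -lt 4; $i++) {
        $entry  = $PartitionTableOffset + 16 * $i
        $status = $Sector[$entry]        # 0x80 marks the active (bootable) entry
        $type   = $Sector[$entry + 4]    # 0x00 means the slot is unused
        if ($type -ne 0) {
            $flag = if ($status -eq 0x80) { 'bootable' } else { 'inactive' }
            "  partition {0}: type 0x{1:X2}, {2}" -f ($i + 1), $type, $flag
        }
    }
}

$sector = Read-FirstSector -Disk $DiskNumber
if ($sector[510] -ne 0x55 -or $sector[511] -ne 0xAA) {
    Write-Warning "Sector 0 of disk $DiskNumber lacks the 0x55AA boot signature"
}
Write-Output "Disk $DiskNumber partition table:"
Get-PartitionSummary $sector

$hash = Get-BootCodeHash $sector
# Baseline file location is an assumption; $env:ALLUSERSPROFILE exists on XP too.
$baselineFile = Join-Path $env:ALLUSERSPROFILE "mbr-bootcode-disk$DiskNumber.sha256"
if (Test-Path -LiteralPath $baselineFile) {
    $baseline = (Get-Content -LiteralPath $baselineFile).Trim()
    if ($baseline -eq $hash) {
        Write-Output "Boot code unchanged since baseline (SHA-256 $hash)"
    } else {
        Write-Warning "Boot code CHANGED: baseline $baseline, now $hash"
    }
} else {
    Set-Content -LiteralPath $baselineFile -Value $hash
    Write-Output "No baseline yet; recorded SHA-256 $hash in $baselineFile"
}
```

Record the baseline right after a clean install or a known-good boot, and expect it to change only when you deliberately reinstall the boot loader. The baseline file should live where the running system cannot quietly rewrite it (removable media or a copy kept off the machine), since anything that can alter sector 0 can also alter a file on the same disk.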

The key to Sinowal/Mebroot's "success" is that it's so sneaky and is able to accomplish its dirty work in many different ways. How sneaky? Consider this: Sinowal/Mebroot doesn't run straight out to your MBR and overwrite it. Instead, the Trojan waits for 8 minutes before it even begins to analyze your computer and change the Registry. Digging into the MBR doesn't start until 10 minutes after that.

Sinowal/Mebroot erases all of its tracks and then reboots the PC using the adulterated MBR and new Registry settings 42 minutes into the process. Peter Kleissner, Software Engineer at Vienna Computer Products, has posted a detailed analysis of the infection method and the intricate interrupt-hooking steps, including the timing and the machine code for the obfuscated parts.

Once Sinowal/Mebroot is in your system, the Trojan runs stealthily, loading itself in true rootkit fashion before Windows starts. The worm flies under the radar by running inside the kernel, the lowest level of Windows, where it sets up its own network communication system, whose external data transmissions use 128-bit encryption. The people who run Sinowal/Mebroot have registered thousands of .com, .net, and .biz domains for use in the scheme.

Wait, there's more: Sinowal/Mebroot cloaks itself entirely and uses no executable files that you can see. The changes it makes to the Registry are very hard to find. Also, there's no driver module in the module list, and no Sinowal/Mebroot-related svchost.exe or rundll32.exe processes appear in the Task Manager's Processes list.

Once Sinowal/Mebroot has established its own internal communication software, the Trojan can download and run software fed to it by its creators. Likewise, the downloaded programs can run undetected at the kernel level.

Sinowal/Mebroot isn't so much a Trojan as a parasitic operating system that runs inside Windows.

Windows XP users are particularly vulnerable

So, what can you do to thwart this menace? Your firewall won't help: Sinowal/Mebroot bypasses Windows' normal communication routines, so it works outside your computer's firewall.

Your antivirus program may help, for a while. Time and time again, however, Sinowal/Mebroot's creators have modified the program well enough to escape detection. AV vendors scramble to catch the latest versions, but with one or two new Sinowal/Mebroot iterations being released every month, the vendors are trying to hit a very fleet — and intelligent — target.

Peter Kleissner told me, "I think Sinowal has been so successful because it's always changing … it is adjusting to new conditions instantly. We see Sinowal changing its infection methods and exploits all the time."

Similarly, you can't rely on rootkit scanners for protection. Even the best rootkit scanners miss some versions of Sinowal/Mebroot. (See Scott Spanbauer's review of free rootkit removers in May 22's Best Software column and Mark Edwards' review of rootkit-remover effectiveness in his May 22 PC Tune-Up column; paid subscription required for the latter.)

Truth be told, there is no single way to reliably protect yourself from Sinowal/Mebroot, short of disconnecting your computer from the Internet and not opening any files. But there are some historical patterns to the exploit that you can learn from.

First of all, most of the Sinowal/Mebroot infections I've heard about got into the afflicted PCs via well-known and already-patched security holes in Adobe Reader, Flash Player, or Apple QuickTime. These are not the only Sinowal/Mebroot infection vectors by a long shot, but they seem to be preferred by the Trojan's creators. You can minimize your risk of infection by keeping all of your third-party programs updated to the latest versions.

Windows Secrets associate editor Scott Dunn explained how to use the free Secunia Software Inspector service to test your third-party apps, and how to schedule a monthly check-up for your system, in his Sept. 6, 2007, column.

In addition, according to Peter Kleissner, Sinowal/Mebroot — at least in its current incarnation — doesn't infect Vista systems. Windows XP remains its primary target, because Vista's boot method is different and its User Account Control regime gets in the worm's way.

Don't look to your bank for Sinowal safeguards

So, you'd figure the banks and financial institutions being targeted by Sinowal/Mebroot would be up in arms, right? Half a million compromised accounts for sale by an unknown, sophisticated, and capable team that's still harvesting accounts should send a shiver up any banker's spine.

I asked Rob Rosenberger about it, and he laughed. Rosenberger's one of the original virus experts and was also one of the first people to work on network security at a large brokerage firm.

"I'll be labeled a heretic for saying this, but … from a banking perspective, frauds like this have never qualified as a major threat. A banker looks at his P&L sheets and writes off this kind of fraud as simply a cost of doing business. Such fraud may amount to billions of dollars each year, but the cost is spread across all sectors of the banking industry all over the world.

"Banks have dealt with this kind of fraud for many, many decades," Rosenberger continued. "Forget the Internet — this kind of fraud existed back in the days of credit-card machines with carbon paper forms. The technology of fraud gets better each year, but this type of fraud remains consistent. From a banking perspective, the cost to obey government regulations dwarfs the cost of any individual case of fraud."

If the bankers aren't going to take up the fight against Sinowal/Mebroot, who will? The antivirus software companies have a long tradition of crying wolf, and their credibility has suffered as a result.

In this particular case, the major AV packages have failed to detect Sinowal/Mebroot over and over again. It's hard to imagine one of the AV companies drumming up enough user interest — or enough business — to fund a mano-a-mano fight against the threat. Besides, the AV companies are chasing the cows after they've left the barn, so to speak.

The folks who make malware these days constantly tweak their products, often using VirusTotal or a proprietary set of scanners to make sure their programs pass muster. A day or an hour later — before the AV companies can update their signatures — the bad guys unleash a new version. AV companies know that and are moving to behavioral monitoring and other techniques to try to catch malware before it can do any harm.

The only company that seems to be in a position to fix the Master Boot Record problem is Microsoft. But it's hard to imagine MS management devoting the time and resources necessary to fix major security holes in a seven-year-old product, particularly when XP's successors (I use the term lightly) don't appear to have the same flaw.

This is short-sighted, however. It's only a matter of time before Sinowal/Mebroot — or an even-more-dangerous offshoot — finds a way to do its damage on Vista systems as well.

If Microsoft decides to take on Sinowal/Mebroot, the company is up against a formidable opponent that draws on many talented programmers. John Hawes at Virus Bulletin says "I recently heard someone estimate that a team of 10 top programmers would need four full months of work to put together the basic setup."

As Peter Kleissner puts it, "I personally think most people behind the [Sinowal] code do not know what they have done. I would bet that more than half of the code was written by students around the world."

Kleissner's in a good position to judge. He's a student himself, 18 years old. I'm glad he's on our side.


February 3, 2009

Little Snitch tattles on trojans

January 27th, 2009

Posted by Jason D. O'Grady

In case you missed it, your Mac may be under attack. Especially if you have a taste for downloading Mac software that isn’t exactly, ahem, legal.

Last week I reported that a trojan horse called “iWorkServices” was found in a pirated version of iWork ‘09 floating around on BitTorrent. Yesterday it came to light that another trojan has been found in a pirated version of Photoshop CS4.

Whether you play fast and loose with your software licenses is on your conscience (I certainly don’t recommend it), but one way to keep tabs on software that likes to call home is with Objective Development’s Little Snitch 2.0 ($29.95). I hadn’t used it since version 1, and the recent rash of Mac trojans gave me a perfect excuse to try v.2.

Little Snitch informs you whenever a program attempts to establish an outgoing Internet connection. You can then choose to allow or deny this connection, or define a rule how to handle similar, future connection attempts. This reliably prevents private data from being sent out without your knowledge. Little Snitch runs inconspicuously in the background and it can also detect network related activity of viruses, trojans and other malware.

Once installed you’ll be amazed at all the things on your Mac that connect to the Internet in the background. Most of them probably have your approval, like all the apps that you allowed to “check for updates at startup?” and things like Software Update, dotmacsyncclient and Bonjour’s mDNSresponder. Those ones are safe to “allow” but if Little Snitch asks for approval for something unknown, deny the request then Google the name to see if it’s kosher.

Be warned though, the first time you install Little Snitch you’ll be inundated with allow/deny requests, and it can be exhausting. (Hint: you can confirm an alert with Command-Return, Control-Return and Return-Escape.) Clicking the Forever button helps you ignore approved outbound connections, and it’s a small price to pay to be able to keep tabs on potentially malicious code.

A new Network Monitor feature (pictured) has been added in version 2 which alone is worth the price of admission. The beautifully designed window displays detailed information about all of the incoming and outgoing network traffic on your Mac. It only pops up when connections are active unless you check the small “stay visible” box at the top of the window. I find myself leaving the Network Monitor window visible and watching in awe as the packets flow by. If you decide to close it a subtle menu bar item will also keep you apprised.

Nice, tight bit of code. Highly recommended.


MacScan releases free Mac trojan removal tool

January 27th, 2009

Posted by David Morgenstern

With the arrival of yet another trojan targeting the Mac, antispyware vendor MacScan on Tuesday updated and renamed its trojan removal tool.

The previous version was called the iWorkServices Trojan Removal Tool, and SecureMac changed the program’s name to the iServices Trojan Removal Tool. The company said the updated tool is also a free download and detects and removes the new variant trojan found on pirated versions of Adobe Photoshop CS4 for Mac OS X.

This trojan is working its way around various P2P networks and with various packages as the vector for infections. The first version was discovered in copies of iWork 09, which was introduced at Macworld Expo earlier this month.

According to MacScan:

Like its predecessor, variant B obtains root privileges, and notifies the remote host of the infected computer’s location on the Internet. It is recommended users avoid downloading pirated copies of these programs. What’s more, it is anticipated that new variants will be discovered in the coming months in other software packages distributed by third parties over the Internet.
