Malware

What To Do When You Encounter A Windows PC Error Message

Are you fed up with your computer’s slow speed?

Are error messages, such as file type errors, a common occurrence on your Windows computer?

If you answered yes, then this article is all you need to get rid of your computer woes for good.

In this article, we will discuss tips that will allow you to troubleshoot common Windows PC errors, such as .pcb file type errors on your own.

Tip #1: Perform a malware scan

Did you know that malware infection is often the root cause of a myriad of computer errors, such as the .daa file type error?

Malware programs, if present on your computer, can create havoc by deleting or altering various files and eating into your computer's resources. If you notice symptoms such as a sudden increase in errors or a drop in your computer's performance, it is likely that your computer's security has been breached.

The solution is to run a complete malware check on your Windows computer. To do this, first update your security tool with the latest malware definitions and security updates. Next, isolate your PC by disconnecting it from the Internet and from any network share that it is attached to. Now, restart your computer in Safe Mode and run a thorough malware scan. The simple steps illustrated below take you through how to start Windows in Safe Mode:

  1. Close all the running programs and restart your computer.
  2. As Windows reloads, press and hold the F8 key.
  3. Select the Safe Mode option using the arrow keys in the Advanced Windows Boot Option Menu and press Enter.

To ensure that all threats present on your PC are detected and then quarantined or deleted, we recommend that you run the scan twice.

Update your Windows, driver, and software files

The next step is to update your Windows, driver, and software files.

  • Updating Windows files – Windows PCs come with a useful built-in Automatic Update feature that ensures new Windows updates are automatically downloaded and installed on your computer. Ensure that this option is enabled. If you are using a version of Windows prior to Windows ME (the Automatic Update feature was first introduced with Windows ME), you will need to manually download any new updates and security patches available for your version of Windows from the Microsoft website.
  • Updating software files – Many applications also have an update tool that you can use to update their files. If the feature is absent in some of your installed software, manually download the new updates for those applications by visiting the software manufacturer's website.
  • Updating third-party drivers – When it comes to updating third-party drivers, you have two options – update the drivers manually or use a reliable third-party driver update tool.

Use a reliable file extension repair software

A lot of file type errors, such as .aspx file type errors, occur due to damaged file openers. The issue can be fixed by deploying a reliable file extension repair tool. Such software repairs the damaged file openers, giving you quick access to the files that were generating errors.

2 comments. Posted by Jimmy Daniels - January 29, 2011 at 9:28 pm

Categories: How To, Malware, Microsoft News, Tips, Windows Update

More on Antivirus XP 2008

I had another user who had been infected by the Antivirus XP 2008 malware. I noticed they had both hit the same website at least once, myspacecdn.com; I haven't checked it yet as I don't have a machine handy that I can blow out, so I will have to check it later. The main install file seems to be ccwjgn.dll, which gets run from the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify. It runs the popup from a program in the Windows TEMP folder to get you to launch the install. The process is listed as a .tmp in Task Manager, usually with a weird name like ttC.tmp.exe or something similar.

On this machine, however, they set an explorer.exe registry key here, HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, and Windows Explorer could not run. I am assuming they were redirecting it to run some other malware and then starting Explorer, but VirusScan deleted the file they were using, so Windows just sat there. You could run Task Manager by hitting Ctrl-Alt-Delete, so that allowed me to run regedit, navigate to the key and delete the explorer.exe value, which then allowed Windows Explorer to run. After the desktop loaded, the Antivirus XP popup came up. I ended the process using Task Manager, deleted all the files out of the Windows temp folder, and found the program/DLL files in the System32 folder, two of them this time with the lphctp9j0ea5j.exe and blphctp9j0ea5.scr type of names. After rebooting I was able to delete the ccwjgn.dll file.

I then ran the latest version of Spybot, which found some other stuff and removed them. No more popups or nag screens trying to get her to install their malware.

Update: I thought I had it until I updated to Windows XP Service Pack 3 and after rebooting I received the daggon popup again. More deleting and rebooting; after a while I gave up and tried the free version of AVG. It found about 40 or so driver files that were infected and cleaned those, and she has been running Antivirus XP 2008-free for a couple of hours now. So, for everyone who just wants it removed without knowing how or why, run AVG, as Spybot doesn't seem to clean it yet.

Posted by Jimmy Daniels - September 11, 2008 at 12:04 pm

Categories: Antivirus XP 2008, Malicious Websites, Malware, Spyware Info, Windows XP

AntiVirus 2008 Infections Getting Pretty Sneaky

The other day I had a user call me to let me know their PC was getting an error message and that her co-worker had tried to fix it for her but couldn't. The computer was off when I got there, and when it booted up it went to a blue screen of death with the problem listed as "Panic Stack Switch". Although that is an actual error message, it made me believe that it was a fake message, as I had never seen it before and had not searched for any occurrences online. While I was reading the error message, though, the user hit her spacebar and the blue screen immediately went away to show me one of those "you're infected" backgrounds that malware such as Win Antivirus 2008 uses. You can imagine my surprise, as the computer should not boot into Windows after a blue screen of death, so this was yet another indicator that malware was involved, and I just went about cleaning the machine.

It was infected with the AntiVirus, or Win AntiVirus, XP 2008 malware, and it was surprisingly simple to remove, certainly a lot easier than other infections I had dealt with, probably because Spybot and her antivirus software were blocking portions of it. All I had to do was delete the folder the malware was in (I believe it was called rchpcg or something similar). I used the Sysinternals program Autoruns to remove any programs that were set to run automatically that shouldn't be; a couple had names something like blphctp9j0ea5.scr or lphctp9j0ea5j.exe or something similar, don't quote me on those. I also went ahead and removed some of those programs that run in the background just to check whether their software needs updating, etc., stuff no one really needs running all the time.

Posted by Jimmy Daniels - August 28, 2008 at 11:08 am

Categories: Antivirus XP 2008, Malicious Websites, Malware, Security, Spyware Info

Google Search Results Poisoned Again

Yesterday I mentioned that some Google search results contained many malicious sites trying, among other things, to install Spy-shredder, a rogue antispyware program. Google removed many of those sites, but according to the Sunbelt Blog, the same group and a new group are now re-poisoning the search results with fresh .cn domain sites. The new group appears to be trying to get traffic to make money with, using affiliate programs, etc.

Google has removed the sites responsible for the recent massive Google poisoning attack.

However, we're seeing indications that another attack may be on the way. We have seen another spate of websites freshly registered, using the similar .cn domains. There seem to be two different groups here.

Source: HEADS UP: More Google poisoning on the way?

My advice from yesterday is still good: watch for the gibberish domain names, and if it doesn't make sense when you look at it, don't click on it. They noted that the sites are not serving any exploits, but this could change very quickly at any time.

Posted by Jimmy Daniels - November 30, 2007 at 9:00 pm

Categories: Malicious Websites, Malware, Security

Be Careful Searching This Holiday Season

Sunbelt Software, one of the leading developers of security software and hardware, has found large numbers of websites that exist only to stuff malware onto your computer, and these websites are listed high in the results for search terms on search engines like Google, Yahoo and Live. A user whose patches are not up to date who clicks on one of these websites will be force-fed a diet of malware that could cause their machine to just die, or worse, monitor and track everything they do online.

The good news is, if you are fully patched, you shouldn't have much to worry about. Also, if you actually look at the websites you are going to visit before you click them, you can tell whether they are good results or not. All of the websites I have seen listed are nonsense names, .cn domain names, etc. Check out this image that I grabbed from the Sunbelt site.

[Image: Malware Links]

See all of the domain names that are in the highlighted red boxes? Those are the types of domains they are using, for example lkasjdfkjt.com, so don't click on any of those links. Also be careful of the .cn domain names, as they are using many of those. Google has been notified of the problem and has already removed some, but I can still find some of the sites right now, so there is more work to be done.

As the guy from Hill Street Blues used to say, "Hey, let's be careful out there."

Here are some mentions about this problem on the Sunbelt and other sites.

BREAKING: Massive amounts of malware redirects in searches – the original post about this problem from Sunbelt Software. Here is a follow-up post from them: Malware redirects: The aftermath.

Update: Subverted search sites lead to massive malware attack in progress – Trojans, rootkits, password stealers hit users who click on a bad link after a search.

Malware Poisoning Results for Innocent Searches – Tens of thousands of malware-serving pages, crafted to reach a high search engine ranking, are showing up in the first page of returns from Google, Yahoo and Live.

1 comment. Posted by Jimmy Daniels - November 28, 2007 at 4:04 pm

Categories: Adware, Malicious Websites, Malware, Security

Security, Mostly Malware, News

Microsoft patents the mother of all adware systems – Instead of quoting the whole article or trying to re-write it here, click the link and read for yourself some of the information unearthed in a patent filing by Microsoft which Ars Technica says would be the mother of all adware. But that's a good thing, because the patent says so. "It would inspect 'user document files, user e-mail files, user music files, downloaded podcasts, computer settings, computer status messages (e.g., a low memory status or low printer ink),' and more. How could we have been so blind as to not see the marketing value in computer status messages?" Sounds great……not.

Ransomware… Holding Corporate America Ransom! – Have you been targeted by ransomware? Did you get a message similar to this one?

“Hello, your files are encrypted with RSA-4096 algorithm (http://en.wikipedia.org/wiki/RSA). You will need at least few years to decrypt these files without our software. All your private information for last 3 months were collected and sent to us. To decrypt your files you need to buy our software. The price is $300. To buy our software please contact us at: tristanniglam@gmail.com and provide us your personal code -xxxxxxxxx. After successful purchase we will send your decrypting tool, and your private information will be deleted from our system. If you will not contact us until 07/15/2007 your private information will be shared and you will lost all your data — Glamorous team.”

Prevx.com says to hold off before you pay anything; they already have a decryptor for the files. They have a good program; it has removed some stuff on computers I have scanned that nothing else would, not Spybot, Ad-Aware, Ewido, etc.

How Good Are You at Recognizing Fake Websites and Spam Emails? – Think you are good at spotting phishing websites and emails? Take the test from McAfee and see for yourself.

Posted by Jimmy Daniels - July 18, 2007 at 2:42 am

Categories: Adware, Malware, Ransomware, Security, Spyware Info

Scan Your Computer For Free

Here I am listing all of the free online scans for your computer (spyware, virus, registry, process) and some great utilities at the end. I'm also listing some of the free tools, like Spybot, Ad-Aware, etc.

Windows Live OneCare works quietly in the background on your computer, so you don’t have to worry about nasty interruptions from viruses, spyware, hackers, and other unwanted intruders. It also goes beyond security, regularly backing up all your important files and cleaning up and tuning up your computer to help keep it running at top speed. Because you have better things to do with your PC. Download the free trial.

Free Online Spyware Scan – This scan is free and will remove what it finds, although it doesn't try to find the more complicated stuff, as it could not remove that without installing software on your computer.

HouseCall – Free online virus scanner from Trend Micro.

CWShredder – CoolWebSearch is notorious for keeping you from removing its crap from your computer; download this special tool made just for removing all of the 100s of different versions of CoolWebSearch.

CoolWebSearch installs dozens of bookmarks, mostly to porn Web sites, on your desktop, changes your home page without asking, and continually changes it back if you attempt to correct it. Furthermore, it significantly slows down the performance of your PC, and introduces modifications which cause Microsoft Windows to freeze, crash or randomly reboot.

Spybot Search & Destroy – This is not an online scanner, but it is free and it does remove almost everything. You should always have a couple of tools you scan with, because none of these tools can remove everything.

Ad-Aware – This is also a tool and not a free online scan, but the software is free and it is one of the top spyware and adware removers.

Free Performance scan.

Registry Booster – FREE Registry Scan – This registry scanner will clean and optimise your system, freeing it from registry errors and fragmented entries.

SpyEraser – FREE Spyware Scan – Does not remove any spyware; requires you to purchase the program to remove the spyware.

ProcessLibrary.com – FREE Process Directory – Free Process Directory, resources and tools for anyone who immediately wants to know the exact nature and purpose of any process running on your PC.

WinTasks 5 Pro – Increase System Security & Performance WinTasks 5.0 Professional provides you with a wealth of information and a powerful set of tools that will help you enhance the protection against system security threats while dramatically increasing computer performance. The award-winning WinTasks 5.0 Professional is the most reliable and intuitive software that enables you to fully take charge of your computer.

WinBackup 2.0 – Secure Your Data Today! Awarded Best Backup Software by Computer Shopper and termed “exceptionally simple to use” by PC World, WinBackup 2.0 Standard is now the obvious choice for home and small office users. Being one of the most efficient and reliable backup solutions available WinBackup 2.0 Standard will help you save both time and money.

1 comment. Posted by Jimmy Daniels - May 27, 2007 at 4:15 pm

Categories: Malware, Security, Software, Spyware Info

Latest Skype Worm – W32/Pykse.A

A new piece of malware, called W32/Pykse.A by Symantec, Mal/Pykse-A by Sophos and W32/Pykse.worm.a by McAfee, is making the rounds through Skype. This worm affects Windows only. It spreads by using the Skype API to send a message containing a malware link, which looks like a picture on a website, to all online friends in the Skype contact list. Once the link is clicked, it runs the malware, sets Skype to Do Not Disturb and then sends the message to everyone in the user's contact list. Here is some of the stuff it does when the link is clicked.

When the worm executes, it creates the following files, which have attributes set as hidden, read-only, and system:

%Temp%\[ORIGINAL FILE NAME EXECUTABLE].jpg
%Temp%\[RANDOM CHARACTERS].exe

The worm also creates the following files:

%System%\Invisible002.dll
%System%\Skype.exe

Next, the worm creates the following registry entries so that it executes whenever Windows starts:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"SkypeStartup" = "%System%\Skype.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\"SkypeStartup" = "%System%\Skype.exe"

The worm also creates the following registry entries:
HKEY_CLASSES_ROOT\AppID\"" = "Invisible"
HKEY_CLASSES_ROOT\AppID\Invisible.dll\"AppID" = ""
HKEY_CURRENT_USER\Software\SkypeWorm\cfg\"n" = "%Temp%\[RANDOM CHARACTERS].exe"

The worm creates registry entries under the following registry subkeys:
HKEY_CLASSES_ROOT\CLSID\{7FB39839-665D-4D47-873C-D3FD9009FC3B}
HKEY_CLASSES_ROOT\TypeLib\{7FB29539-665D-4D47-873C-D3FD9719FC3B}\1.0
HKEY_CLASSES_ROOT\Interface\{7FB19539-665D-4D47-873C-D3FD9719FC3B}

It then creates the following registry subkey:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7FB39839-665D-4D47-873C-D3FD9009FC3B}

Next, the worm displays the following image:
%Temp%\[ORIGINAL FILE NAME EXECUTABLE].jpg

Source: W32.Pykspa.A from Symantec

The risk is currently rated very low, and if you practice safe computing, meaning you don't click on every link that is sent to you, you will probably be okay, as it is necessary for you to click the link and visit the malicious site or sites. Here is some info that InfoWorld had.

The link also directs users to at least eight Web sites with information about Africa. It’s not clear what type of scam or harm those pages intend, but some of the sites have advertising on them, indicating that it might be a click-fraud scam, said Graham Cluley, senior technology consultant for Sophos. Click fraud refers to the various tricks used to get clicks on advertising banners, which generate revenue for Web page owners. Source: New worm wriggles around on Skype

Here is the image the worm sends out, so you will know what to look for.

[Image: W32/Pykse.A spammed image]
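The Antivirus XP 2008 post above (Winlogon\Notify and the explorer.exe Image File Execution Options entry) and the Pykse write-up (Run keys, a fake Skype.exe under System32, a Browser Helper Object) all come down to a handful of autostart locations. The following PowerShell script is an added example, not code from this blog or from any of the quoted vendors: run from an elevated prompt on the machine being examined, it reads those locations and prints what is registered there, flagging entries that launch from a temp folder or that mimic Skype.exe under System32. It changes nothing, and the Winlogon\Notify key is assumed to exist only on XP-era Windows, so it is simply skipped elsewhere.

```powershell
# Added audit script (not from the blog): enumerate the autostart locations the
# two posts describe and flag entries that launch from temp folders. Read-only.

# Paths that a legitimate autostart entry should not be launching from.
$tempDirs = @(
    [regex]::Escape($env:TEMP),
    [regex]::Escape("$env:WINDIR\Temp"),
    '\\Local Settings\\Temp'        # XP-era per-user temp folder
)
$tempPattern = ($tempDirs -join '|')

function Test-SuspiciousPath {
    param([string]$Value)
    if (-not $Value) { return $false }
    if ($Value -match $tempPattern) { return $true }          # runs from a temp folder
    if ($Value -match '(?i)\\system32\\skype\.exe') { return $true }  # Pykse's fake Skype.exe
    return $false
}

# 1. Image File Execution Options: a Debugger value under explorer.exe means
#    another binary is started in its place, as in the Antivirus XP post.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Output "IFEO debugger: $($_.PSChildName) -> $dbg" }
}

# 2. Winlogon Notify packages: DLLs loaded at logon (where ccwjgn.dll was launched from).
$notify = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify'
Get-ChildItem $notify -ErrorAction SilentlyContinue | ForEach-Object {
    $dll = (Get-ItemProperty $_.PSPath -Name DLLName -ErrorAction SilentlyContinue).DLLName
    Write-Output "Winlogon Notify: $($_.PSChildName) -> $dll"
}

# 3. Run keys in both hives: Pykse registers "SkypeStartup" in HKLM and HKCU.
foreach ($hive in 'HKLM', 'HKCU') {
    $run = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty $run -ErrorAction SilentlyContinue
    if ($props) {
        # Get-ItemProperty adds PSPath/PSChildName etc.; skip those provider fields.
        $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            $flag = if (Test-SuspiciousPath $_.Value) { ' [SUSPICIOUS]' } else { '' }
            Write-Output "$hive Run: $($_.Name) = $($_.Value)$flag"
        }
    }
}

# 4. Browser Helper Objects: resolve each CLSID to the DLL Internet Explorer loads.
$bho = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bho -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid  = $_.PSChildName
    $server = (Get-ItemProperty "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid\InprocServer32" `
               -ErrorAction SilentlyContinue).'(default)'
    Write-Output "BHO: $clsid -> $server"
}
```

Compare the printed DLL and executable paths against what you expect to find on a clean build of the same machine; the script only reports, so any removal is still done by hand or with a tool such as Autoruns, as in the posts.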

Posted by Jimmy Daniels - April 17, 2007 at 12:42 pm

Categories: Malware

The Grum Trojan

If you get an email trying to get you to download MSFT IE7.0 Beta 2, don't. It is a spam email trying to get you to download a Trojan called Grum, and besides, if you have been paying attention, you'll know that IE7 is already out and no longer even in beta. They even come with this nice, pretty graphic.

[Image: Grum Trojan]

This thing was a bear to reverse, by the way. It performs a lot of remote thread injection and defends itself nicely. It blocks IDA Pro, it kills OllyDbg, it blinds a bunch of processes, and the main process (%User%\Local Setting\Temp\winlogon.exe) sleeps quietly if it's being traced too much. This kept hosing up my XP analysis box. A pretty good sandbox analysis is on the Anubis project website. So far Anubis is the only sandbox that did anything useful with it. Here's a list of domains we've seen used so far for this one (with many more missing from this list):

Source: Today's Other Malware Threat: IE7.0.exe

Always beware of emails trying to get you to visit a website or download something. I know there are lots of newsletters that link to websites, but usually you subscribe to those, so you should know those are okay. Just pay attention, don't run as administrator, and keep antivirus and a spyware removal program handy.

Posted by Jimmy Daniels - March 30, 2007 at 7:10 pm

Categories: Malware

New Version of Warezov Spreading via Skype

Websense Security Labs announced that a new version of the Warezov/Stration family of malicious code is spreading through Skype. The message itself does not infect the machine, but it sends a URL linking to a download of the code to everyone in the user's contact list. The code, once run, opens backdoors on the system and downloads more malicious code.

"Spammed" users receive a message that says "Check up this" along with a link to download the code. If a user clicks on the link, they are redirected until they eventually download a file named file_01.exe and are prompted to run the program, as you usually are when you download something. The Trojan tries to send an email message through a Yahoo mail server, probably to let the creator know it has infected another computer, but the message fails because the mail server is not active.

Source: Malicious Website / Malicious Code: New Warezov spreading via Skype.

This is the same method of attack as in this notice on the F-Secure site, using a new release of the code and new download URLs.

Posted by Jimmy Daniels - March 24, 2007 at 6:41 am

Categories: Malicious Websites, Malware
