RansomWare – Support.com-techsupport513.com

Background

Playing around with Chrome earlier today and ran into this RansomWare.

Chrome

Textual:


** STOP: 0x0000007E (0xFFFFFFFFFC000000047, 0xFFFFFF800002EB5B48)
Serious security threats have been detected on your computer. Your personal photos, credit card information and passwords may be compromised.

It is highly recommended you do NOT continue using your computer until you've contacted an official technician. Your IP 10.0.1.4 may be under attack.

Please call this number as soon as possible.
CALL 855-464-6657 (PRESS 1)
An official technician will help you remove any adware/spyware on your computer.

Image:

[Screenshot: supportCropped]

Firefox

The same page appears in Mozilla Firefox, but it is not nearly as imposing: there the dialog box is not modal, so one can simply close the tab.

Site

The URL of the site that was menacing me is support.com-techsupport513.com.

Immediate Help

Chrome

Chrome Task Manager

Here is how to close the RansomWare Tab.

  1. In Chrome, try to open Chrome’s Task Manager with the Shift-Esc key combination.
  2. In our case, that key combination was already in use by the “Intel Management and Security Software”. More later on configuring the Intel tool to use an alternate key combination.
  3. If you are able to bring up Chrome’s Task Manager, it might not be visible, or it may quickly be overlaid by the RansomWare page. If so, re-arrange your windows and look for it.
  4. Another way of reaching Chrome’s Task Manager is to launch a new Chrome application window altogether and open the Task Manager from that window.
    • One of the many good things about Chrome is that its Task Manager lists all open tabs, not just the ones in the current window.
    • But the chances of being able to launch a new Chrome window are slim, as the message box is modal for all Chrome windows.
  5. If you are able to access the Task Manager:
    • Select the “Tab: Security Warning” row.
    • Once the troubling tab is selected, click the “End Process” button.

Task Manager – Google Chrome

[Screenshot: taskmanager-SecurityWarning]

Brute Force Kill

If you are unable to access Google Chrome’s Task Manager and close the specific tab, I suggest that you use Windows Task Manager and kill Chrome’s processes.

Though one can use Microsoft Spy++ to identify the window handle, convert the app’s process ID from hex to decimal, and attempt to close a single process, it seems that all of Google Chrome’s processes often end up terminated anyway.

Workaround

Network

One possible workaround for malicious web sites is to null them out via your local hosts file.

To your C:\Windows\System32\drivers\etc\hosts file, add support.com-techsupport513.com and set the IP Address to 127.0.0.1.
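As an added example (not part of the original post), a small Python helper that parses hosts-file text, checks whether the scam hostname is already mapped, and appends the 127.0.0.1 entry only when it is missing; the sample hosts content is constructed. It works the same on C:\Windows\System32\drivers\etc\hosts and on /etc/hosts, though writing the real file needs administrator rights.

```python
# Added example (not from the original post): idempotently sinkhole a hostname
# in a hosts file. The hostname is the one named in the post; the sample hosts
# text in main() is constructed.
BLOCKED_HOST = "support.com-techsupport513.com"
SINKHOLE_IP = "127.0.0.1"  # the post maps the scam host to loopback


def parse_hosts(text):
    """Return {hostname: ip} for every mapping in hosts-file text,
    ignoring blank lines and '#' comments (hostnames are case-insensitive)."""
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            mapping[name.lower()] = ip
    return mapping


def sinkholed_to(text, hostname):
    """IP the hosts file currently maps `hostname` to, or None if absent."""
    return parse_hosts(text).get(hostname.lower())


def add_sinkhole(text, hostname, ip=SINKHOLE_IP):
    """Return hosts text with `hostname` mapped to `ip`; adds a line only when
    the name is not already mapped, so repeated runs do not duplicate it."""
    if sinkholed_to(text, hostname) is not None:
        return text
    if text and not text.endswith("\n"):
        text += "\n"
    return text + f"{ip}\t{hostname}\t# sinkholed tech-support scam site\n"


if __name__ == "__main__":
    # Constructed stand-in for C:\Windows\System32\drivers\etc\hosts
    sample = "# local overrides\n127.0.0.1\tlocalhost\n"
    updated = add_sinkhole(sample, BLOCKED_HOST)
    print(updated, end="")
    print("resolves to:", sinkholed_to(updated, BLOCKED_HOST))
```

Only the exact hostnames listed are affected, so a scam that moves to a new domain needs a new line; a router-level block, where available, covers every device behind the gateway.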

[Screenshot: hosts]

Thankfully, some routers and wireless access points allow one to apply the same block for all hosts using that gateway.

Chrome

Only Allow Pop-Ups for specific Web Sites

It is good practice to return your Chrome settings to allowing pop-ups only from specific web sites.

Advanced Setting

  1. In Chrome, access Advanced Settings / Content page (chrome://settings/content)
  2. In the Pop-ups group box, select “Do not allow any site to show pop-ups (recommended)”
  3. Explicitly add sites for which you would like to permit pop-ups by clicking the “Manage exceptions…” button

Pop-ups

[Screenshot: ContentSettings-Popups-After]

Pop-ups Exceptions

[Screenshot: PopUpException]

KeyStroke Combination Struggle

Unfortunately, the same keystroke combination can be preferred by various vendors and applications.

Google Chrome wanted to register Shift-Esc.

[Screenshot: keyStrokeCombinationShiftEscCropped]

But “Intel Management and Security Status” launched prior to Google Chrome and had already requested and registered that key combination.

Our options included preventing the Intel tool from auto-starting or changing its hotkey.

The default hotkey is shown below:

[Screenshot: WhatIsIntelAMT]

We changed it to Shift-F10.

[Screenshot: ShiftF10.20151230.0729PM]

Anti-Virus Boot CD – Avira

Background

These days family and friends call every so often saying that their computer has a Virus, and they need help right this very moment.

Connect and Fix Problem

If they are far away, they might want you to connect remotely and fix the problem.

That works, but I will suggest that you take this as a teaching opportunity for yourself and a learning experience for the person in need.

Anti-Virus Boot CDs

Thankfully, there is a slew of Anti-virus Boot CDs available today.

Tim Fisher has a good list.

| Name | GUI/Text? | Functionality | Tutorial |
| --- | --- | --- | --- |
| Anvi Rescue CD | GUI | 1) Nice, familiar MS Windows-type interface; 2) Check memory; 3) Check disk for defects | |
| AVG Rescue CD (http://www.avg.com/us-en/avg-rescue-cd) | Text | 1) Network | How it works |
| Avira Rescue System | GUI | 1) Auto-updates virus definitions before initiating the virus scan; 2) Definition updates cannot be skipped | How to use the Avira Rescue System |
| BitDefender | GUI | 1) Supports installation of a remote access program | |
| Comodo Rescue CD | GUI and Text | 1) Download virus signature updates; 2) Browse the Internet; 3) Access file and folder explorer | Introduction to Comodo Rescue CD |
| Dr. Web LiveDisk | GUI | 1) Choice in whether to download updates | How does it work |
| F-Secure Rescue CD | Text | 1) Cannot skip automatic updates of virus signatures (-); 2) No GUI (-); 3) Textual only, does not allow mouse interaction (-) | |
| Kaspersky Rescue CD | GUI | 1) Virus signatures have to be downloaded | Create Boot CD and Boot Computer; Start a Scan |

Lab

What use is reviewing a virus-cleansing tool without actual viruses?

Can’t ship and load actual viruses, but we can play with placebos.

Eicar.Org

Thankfully, Eicar.org has some available at http://www.eicar.org/85-0-Download.html.

[Screenshot: VirusFileList]

Download

On the computer that we are using, we have an active virus detection tool.

It is Microsoft’s System Center Endpoint Protection.

Microsoft’s System Center Endpoint Protection

We need to disable real-time protection and exclude our targeted folder.

Real-time protection

Before

[Screenshot: SettingsAndRealTimeProtection-Current]

After

[Screenshot: SettingsAndRealTimeProtection-Post]

Excluded Files And Locations

We excluded E:\downloads\eicar.org

[Screenshot: ExcludedFilesAndLocations]

With the changes summarized above in place, we were able to download the EICAR test files. Re-enable real-time protection once the download is complete.

Avira Rescue System

Here is a quick summary on my recent experience with the Avira Rescue System.

Boot Options

When the Avira disk is booting, we are presented with the following options:

  1. Avira Scan
  2. Check Memory
  3. Check Disk for Defects

Welcome

The first screen is the Welcome screen.

Please click on “Start Wizard”.

[Screenshot: Welcome]

Wizard – Step 1 of 3: Partition Selection

Thankfully, unlike some other tools, the Avira tool displays the actual Windows Disk drives (C:, D:, E:).

This makes it easy to know that the drives are actually present and allow us to narrow our processing to specific drives or a combination of drives.

[Screenshot: WhatDoYouWantToScan]

Wizard – Step 2 of 3: Scan and Repair

Here is what we see as the drive is being scanned…

[Screenshot: ScanAndRepair-Detections]

Wizard – Step 2 of 3: Scan and Repair ( Wizard finished successfully )

Once the scanning is completed, we get a definitive view of the number of files actually infected.

[Screenshot: WizardFinishedSuccessfully]

On the next screen we reviewed the list of files identified and chose to delete the ones that were actual viruses.

Please keep in mind that there were some false positives, as well.

As this is a public forum, I will not disclose the false positives.

Other Functionalities

gparted

The tool comes with gparted.

The Windows drives are exposed and mounted as /target; i.e. /target/C: and /target/E:

[Screenshot: GParted]

With this knowledge we can directly explore our Windows drive:

[Screenshot: Folder]

I suggest keeping screenshots and downloads on your exposed Windows drives.

Screen Shots

Screenshots can be captured via Alt-PrtSc.

Network, Internet and Browser

As discussed, we get Network, Internet, and Firefox access.

Summary

I found the Avira tool to be capable and easy to use.

I especially like the fact that it comes bundled with disk and memory checker modules, since disk and memory issues can sometimes be confused with virus infections.

Kaspersky – Rescue CD – Stuck at “Creating Swap file”

Background

Having a slow PC day on one of the servers in our lab. Unfortunately, it is a left-over MS Windows 2003 Server.

And, so I am thinking it could honestly be anything; including viruses.

Kaspersky Rescue-CD

Brought out my old and very reliable Kaspersky Rescue CD.

Boot Into

Rebooted the computer and, as it is a Dell, pressed F12 to access the “Boot into” menu.

Chose CD-ROM.

Clicked on a few other options to ensure that I would actually boot into the Rescue CD.

Stuck

But, as happens more so lately, I am stuck again.

Textual

Creating Swap file

Image

[Screenshot: CreatingSwapFile]

Clear Storage

Linux – X File Manager

Via the Linux file manager, X File Manager, that comes with the Rescue CD, accessed each MS Windows drive and removed obvious clutter.

Btw, the underlying MS Windows folders are under root\discs and are labelled C:, D:, E: based on the drives.

[Screenshot: XFileExplorer]

Microsoft – MS Windows – File Explorer

Shutdown the Rescue CD, booted into Windows, and cleared more file clutter.

Same Error

Same error “Creating Swap file“.

I love Lionel, but I am not rich.

And, so time is money.

What is running?

GUI

The bottom right panel of the screen has an indicator that shows high CPU Usage.

From that gauge, accessed the “Process Status” application.

[Screenshot: 2015-08-04_17.24.45]

Quick Explanation:

  • We can see that the application responsible for creating the swap file is beating up our machine
  • The name of the application is ntfs-3g

Terminal Mode

Note that we can also tabulate the most expensive processes by switching to terminal mode and running top.

Abruptly Terminate “Swap File Creator” process

Launched a terminal window.

Noted that the process ID for the process that is creating the swapfile is 16201.

And, so issued:

Syntax:

   kill [process-id]

Sample:

    kill 16201

On to the Next One

The next step, post Swap file creation, kicks in.

That next step is the Network Configuration.

[Screenshot: KillProcess]

The Network Configuration is very important.

  1. It gets you back online
    • You really do need to be online to download latest security updates.  Please make sure you download these updates before running a virus check
    • You also have access to Google, blogs, and emails
  2. Unfortunately, the browser that is bundled is a bit dated and all the major email providers will complain.  Thankfully, Google will allow you access to a leaner HTML email reader

Microsoft – Windows – Start Up Warning – There was a problem starting “c:\Users\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll The specified module could not be found”

Prelude

My parents called last night and I knew I had to call them back. They don’t call much, as I am usually the one who needs them and initiates the calls.

The only time they ever need help from me is when they have computer problems.

Error Message

So yes they do have a problem.  Upon logging on they get an error stating:

There was a problem starting c:\Users\<user>\AppData\Local\Conduit\BackgroundContainer\BackgroundContainer.dll
The specified module could not be found.


Configuration

System Configuration – Autoruns

Background

Autoruns is published by Microsoft’s Sysinternals “subsidiary”. To fetch it, please access http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx and click on the “Download Autoruns and Autorunsc” link.

Scheduled Tasks

Let us review and possibly modify the Scheduled Tasks; to do so, please:

  • Run Autoruns
  • Access the “Scheduled Tasks” tab
    • Look closely at any items that have “File not found” in their “Image Path” column
    • If you find any, un-check them by clicking on their checkbox

[Screenshot: ScheduledTasks]

  • Access the “Logon” tab
    • Look closely at any items that have “File not found” in their “Image Path” column
    • If you find any, un-check them by clicking on their checkbox

[Screenshot: Logon]

  • Find everywhere
    • Access the application menu
    • Click on the menu item File \ Find…
    • In the Find dialog, enter container and make sure that “Match whole word only” and “Match case” are unchecked
    • Initiate the search by clicking on Find Next
    • Un-check any found items

[Screenshot: MenuItem--File-Find]

Microsoft – Windows – Task Scheduler

Access Task Scheduler by doing the following:

  • From the Start menu, access “Control Panel”
  • In Control Panel, launch Administrative Tools and then “Task Scheduler”
  • In Task Scheduler, traverse to “Task Scheduler Library”
  • In the task list, click on the “Triggers” column header to order by the triggering event
  • Ordering by the triggering event allows us to narrow down on the more likely “source” events, which are:
    • At log on of any user
    • At log on of <user>
    • At system startup
  • Our culprit probably has an empty “Last Run Result”
  • Jot down each likely item, right-click on it, and from the drop-down menu select Disable

Initial

[Screenshot: TaskSchedulerLibrray]

Disabled

Once disabled, you will notice that they show “Disabled” in their Status column.

[Screenshot: TaskSchedulerLibrray-Disabled]

Summary

Please try to restart your system and see if the problem goes away.


Kaspersky: Rescue Disk (v10): Error – Malfunction … Error code 9ABE0003

Introduction

A friend has this hard-to-remove virus and I knew I had to send him an Anti-Virus Rescue CD. I like Kaspersky for this type of issue.

Error

Before sending the CD, I tried it out on one of my PCs.

So I launched it and clicked on “Start Objects Scan”.

But I got the error pasted below:

Malfunction <> minutes ago, error code 9ABE0003.

[Screenshot: Error-9ABE0003]

To Fix

Get new virus definition files.

  • Access the “My Update Center” tab
  • The “Database Status” item will read “corrupted”; that is the telltale sign that you need to remedy it by updating your virus signature database
  • Please click on the “Start update” button

It will likely take a while to get the new virus database signatures.

Once you have the new signatures, please retry your scan.

Microsoft – Windows – Another Day, Another Virus – This time did not bother to know its name

Picked up a friend’s laptop last night.

Tried starting it, but it was too slow.

Really can not be bothered to dig in too deep.

Knew it was a virus, and so attacked it soon as I got home.

Tried Kaspersky Rescue CD (https://support.kaspersky.com/viruses/rescuedisk), but after 20 minutes it was still at 1 to 2%.

Who has that much time on a Friday evening?

Rebooted and tried AVG Rescue CD (http://www.avg.com/us-en/avg-rescue-cd).

It appeared to be a bit faster.

Went to sleep and by mid-morning it had completed its work. Sleepily and stupidly agreed to remove all found viruses.

Upon waking up, rebooted laptop and all is well.

One problem with the route I took is that one might not keep a good record of each virus found and cleaned.

And so I have to do more work reviewing auto-start applications and reviewing applications in the “Programs and Features” applet.

One of those Applications is “Coupon Alert Toolbar”.

CouponAlertToolbar_v2

Trying to uninstall it brought up an error message stating “The specified module could not be found.”

It seems that taking the high-spirited brute-force approach of cleaning via the Repair CD meant that I would end up with a few unlinked application handles.

To unlink them I will have to do so directly via the registry:

How to manually remove programs from the Add or Remove Programs tool
http://support.microsoft.com/kb/314481

  • In our case, we searched for the application’s name, “CouponAlert Toolbar”
  • And ended up at “HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CouponAlert_2pbar Uninstall”

[Screenshot: Registry-Uninstall__CouponAlert Toolbar]

The pertinent registry entry that guides an uninstall of “CouponAlert_2pbar” is:


Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CouponAlert_2pbar Uninstall]
"DisplayName"="CouponAlert Toolbar"
"HelpLink"="http://search.mywebsearch.com/mywebsearch/default.jhtml"
"Publisher"="Mindspark Interactive Network"
"UninstallString"="rundll32 C:\\PROGRA~2\\COUPON~2\\bar\\1.bin\\2pBar.dll,O"
"UrlInfoAbout"="http://search.mywebsearch.com/mywebsearch/default.jhtml"

It seems that “CouponAlert Toolbar” is linked to mywebsearch, which is not always desirable.

So we saved the registry branch and manually deleted the entry for “CouponAlert Toolbar”.
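Added example, not from the original post: a Python check for the orphaned launch entries behind “The specified module could not be found”, both in this post (the CouponAlert UninstallString quoted above) and in the Conduit BackgroundContainer post earlier on this page. The .reg text embeds the Uninstall key quoted above; the Run value is constructed from the Conduit path with <user> and <entry> as placeholders, and `exists` can be swapped for a constructed file list so the check runs offline.

```python
# Added example (not from the post): parse a .reg export and flag launch commands in
# Uninstall/Run keys whose target no longer exists ("The specified module could not be found").
import os
import re

# Uninstall key as quoted in the post (other values omitted); the Run value is constructed
# from the Conduit path in the earlier post, with <user> and <entry> left as placeholders.
REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\CouponAlert_2pbar Uninstall]
"UninstallString"="rundll32 C:\\PROGRA~2\\COUPON~2\\bar\\1.bin\\2pBar.dll,O"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"BackgroundContainer"="rundll32 C:\\Users\\<user>\\AppData\\Local\\Conduit\\BackgroundContainer\\BackgroundContainer.dll,<entry>"
'''

_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def _unescape(s):
    return re.sub(r'\\(.)', r'\1', s)  # .reg escapes \ and " with a backslash

def parse_reg(text):
    """Return {key_path: {value_name: value}} for the REG_SZ values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _VALUE_RE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys

def launched_file(command):
    """File a command runs: `rundll32 <dll>,<entry>`, a quoted path, or a bare path plus args."""
    s = command.strip()
    m = re.match(r'(?i)^(?:"[^"]*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+)', s)
    if m:
        return m.group(1).strip()
    if s.startswith('"'):
        return s[1:s.index('"', 1)]
    return s.split()[0]

def orphaned_entries(reg_text, exists=os.path.exists):
    """(key, value_name, missing_file) per Uninstall/Run command whose target is absent."""
    found = []
    for key, values in parse_reg(reg_text).items():
        is_run_key = key.rsplit("\\", 1)[-1].lower() in ("run", "runonce")
        for name, cmd in values.items():
            if is_run_key or name == "UninstallString":
                target = launched_file(cmd)  # `exists` is injectable for offline testing
                if not exists(target):
                    found.append((key, name, target))
    return found
```

Run `orphaned_entries(REG_EXPORT, lambda p: False)` to see both entries reported as missing, or export the real Uninstall and Run keys with regedit and pass that text with the default `exists` to find the ones left behind on a cleaned machine.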

The next time you access “Programs & Features” the deleted element (CouponAlert Toolbar) should be gone.

[Screenshot: CouponAlertToolbar (no longer in registry)]

There are other changes made to the Windows core as well, in Services and auto-run entries:

Services:

[Screenshot: CouponAlertService]

System Configuration Utility (msconfig.exe)

[Screenshot: SystemConfiguration]

  • Launch System Configuration ( msconfig.exe)
  • Access the Startup tab
  • Remove entries for “Coupon Alert Search Scope Monitor” and “Coupon Alert_2p Browser Plugin Loader”

Ready to return laptop.