Head of ChronoPay

Several botnets were shut down and the CEO of rogue parmacy and fake antivirus credit card processor was  arrested recently. This resulted in the significant drop of malicious software activity in August. Many took time to celebrate and rightfully so. However, I do not think this is the end of Fake AVs or malware in general.
First, some background. The days of malware made by computer nerds for fun are long gone. The most of malware is created for profit, and as long as you see something on your PC, you can safely assume that it is for profiting. Fake AVs are best known and annoying nowadays as they collected payments directly by asking to pay for non-existing full version.  To make you pay, they scare you with non-existing threats for your PC. There were some variations with this, like recent PC Repair malware that scares with hardware errors instead of viruses, but the way they collect payment is the same: They ask for you to pay directly.

These payments cannot be processed easily, as every bank, Visa and Master Card looks for scams. Thus payment gateways are major bottleneck and risk point for malware makers. And taking even single of them down (not the website, but the company itself) hurts each of them significantly. Differently from malware skins and websites, it is more complex and costly task.

So, what will happen once the payment gateway gets down? There are many ways malware makers can still make money, and our experience shows that they do exactly that.

For example, we see a rise of clickjacking attacks, which forces user to click on their affiliated links that might not be harmful per se. The user is redirected from “real” websites or search results to the websites malware makers insert. The owners pay malware makers for traffic or sales.  Some of them are innocent, some just do not care about the source of the traffic. The famous google redirect virus, though there are other implementations as well.

Another possible way to make money for malware makers is distributing legal anti-malware or anti-virus programs instead of fake ones. This is illegal according to affiliate guidelines of all legitimate affiliate networks, but they might hope not to be caught. While there are various opinions which software is more likely to be distributed illegally, I would say this is not important at all. This can happen and will happen with all legitimate malware removal programs.  We have seen such things in the past as well.

Thirdly, one could spice up things with using other, non-security related programs that will require payment. This is already happening with VLC, which “paid version” is distributed by malware makers. There are affiliate programs for various codec packs as well, which are distributed by malware makers.

And lastly, they could return to adware or spyware model of operation, which pays less than others, but has less risks as well.

Thus it is highly obvious that we will not see less infections in the long run. What we see is the result of both some security program makers and PC owners focusing on visible forms of malware and judging amount of infections from that.

Now worst thing one can do is purchasing fake AVG antivirus 2011. Even if one agreed to spend some money on antivirus, the credit card details are likely to be misussed by the makers of the fake antivirus. Thus it is best to change compromised credit card in your bank.
If you look for solution for Fake AVG Antivirus 2011 problems, try my guide at 2-viruses.com. Alternatively, Malware researcher Xilibox created a tool to help register this rogue for free. However, whatever way you choose, scan your PC with decent anti-malware tools afterwards. Do not leave trojans around, or you will see new skin of this rogue family again.
Funnily enough, this is not a sole rogue that impersonates AVG these days – Here is MCAVG too. AVG is doing something right, I think.

• “Drive C initializing error” – You would not be able to load OS on such corrupt Hard drive
• GPU Ram temperature to high – it would require either stopping graphically intensive operations or installing a hardware cooler, not some sort of software
• “Hard drive doesn’t respond to system commands” And how do that software gona fix this?

To make a point, Ultra Defragger tries to simulate system malfunction. It will stop programs and files from execution couple times before you will be able to lauch them. Good thing this is not permanent and you can execute almost any program despite Ultra Defraggers scare tactics.
However, if you think everything Ultra Defragger does are harmless, you are wrong. Its makers are out for money, and they infected your PC. They might have opened way for other parasites that might be loaded on command, or Ultra Defragger might get more nasty with time. Thus you should remove Ultra defragger as soon as possible.
The best way to remove ultra defragger is cleaning up TEMP folders in safe mode. That is where it resides. Read my full manual removal guide on 2-viruses.com and do not forget to scan with good malware removal programs afterwards to make sure you got every piece of this malware out.
It is very likely that you would not had got Ultra defraggers infection if you got Spyware Doctor, full version of Malwarebytes or full Internet Security Suite from one of major antivirus vendors.

First of all, many people believe that it is more than enough to use one security program to get rid of rogue anti-spywares. Basically, they believe that “out of sight” is equal to “out of the system”, which is not true. In many cases a particular anti-spyware may seem to have removed a rogue anti-spyware, but it might leave traces – files, registry entries and so on, but most importantly rootkits and trojans. For those who don’t know what a rootkit is, in layman’s terms, it’s a process that hides from other processes on an system. This process can do a lot of bad things, even allow hacker to have privileged remote access to the system, or download other programs on command. So, basically, if your fail to remove rootkits after an infection, your system might still be part of a botnet, and it might get reinfected.

Multiple security tools generally solve the problem: there are ones that are better against malware, and then there are those, which work better against rootkits – do your research and choose accordingly. The most prevailing rootkit family today is TDSS. These are often the culprit behind browser redirection on systems that have no other infection signs.  At the moment good choice of tools would be TDSS Killer together with couple anti-malware tools like Spyware Doctor or Malwarebytes. I have good results with Hitman Pro as well.

This, however, is not the whole story. Another important thing you have to make sure of is that you update your software. Not just windows, but also your other software, especially your browser and browser plug-ins – these may be exploited to infect your system. Keep your system up-to-date and protected, so you will not need to spend long hours repairing it from infections.

Meet ThinkPoint – a new fake Antivirus that is spread by the same set of trojans originally focusing on Antispy Safeguard. Now you do not have to download one of five rogues. You get ThinkPoint silently installed by default.
First thing you see is a fake Microsoft Security Essentials window that starts scanning your PC. It will state, that your PC is infected with Trojan, for example Trojan.Horse.Win32.PAV.64.a. It will ask for reboot to finish removal procedure. After a reboot you get a completely new fake AV window instead of MSE.

Thinkpoint will claim that it restored some infections, but restoring infected “browsers” requires a heuristical, paid module. It will not allow you to uninstall the “antivirus”, as your settings do not allow “unprotected” startup, and it will block execution of majority of legitimate programs claiming that you are infected.

It will also show various warnings about hackers attacking PC. These messages can be discarded, however it will not allow you launching them. In fact, it might even change permissions to stop execution of legitimate programs when virus is inactive.

The best way to stop thinkpoint and remove this scam is to stop its processes by pressing ctrl+shift+esc and stopping process hotfix.exe. Afterwards, launch explorer.exe as a new process and download a good malware remover like Malwarebytes or Spyware doctor. Check our Thinkpoint removal guide for full file names and removal instructions.

You should never Pay for rogue antivirus programs like ThinkPoint. You give away your credit card details to scammers that way.

There are several flavors of google redirect virus. The first one is simple proxy server, set up in each of affected browsers. All internet connections are passed through rootkit or trojan process and each link might be redirected to other website. A good antivirus or anti-malware tool should get rid of this type of infection, though in case of rootkit one needs TDSS killer by kaspersky lab or similar tool. There are other families of rootkits that have effect like that too. Quite typically, after removing malware processes internet stops working completely and one has to remove proxy server manually.

In some cases it is just an malicious browser add-on. If only one program is affected an no proxy is set up in that program, browser addons are the culprit. A good malware remover takes care of this problem as well and completely. Malwarebytes, superantispyware and Spyware Doctor are programs to choose from.

Some of the redirects might affect DNS server. This is done either in HOSTS file, or in TCP/IP settings of your internet connections. In ultimate cases it might affect your router as well. Some of these things are harder to detect, and can be repaired manually or by specific programs only.

We have written a nice guide about removing Google Redirect viruses on 2-viruses.com in the past and most things apply. If spyware Doctor or other remover does not help, try running combofix or going through that guide.
is a group of trojans and rootkits that redirect user searches to undesired websites. Such behavior can be noticed during rogue antivirus attacks as well, when search is hijacked and no legitimate malware remover companies are displayed or accessed in results. Thus Google redirects are quite dangerous. These redirects might affect other websites (or search engines) as well.

There are several flavors of google redirect virus. The first one is simple proxy server, set up in each of affected browsers. All internet connections are passed through rootkit or trojan process and each link might be redirected to other website. A good antivirus or anti-malware tool should get rid of this type of infection, though in case of rootkit one needs TDSS killer. There are other families of rootkits that have effect like that too. Quite typically, after removing malware processes internet stops working completely and one has to remove proxy server manually.

In some cases it is just an malicious browser add-on. If only one program is affected an no proxy is set up in that program, browser addons are the culprit. A good malware remover takes care of this problem as well and completely. Malwarebytes, superantispyware and Spyware Doctor are programs to choose from.

Some of the redirects might affect DNS server. This is done either in HOSTS file, or in TCP/IP settings of your internet connections. In ultimate cases it might affect your router as well. Some of these things are harder to detect, and can be repaired manually or by specific programs only.
We have written a nice guide about removing Google Redirect viruses on 2-viruses.com in the past and most things apply. If spyware Doctor or other remover does not help, try running combofix or going through that guide.

I have received an email from Linkedin today. It looked pretty much legitimate and first glance.

However, Not everything is THAT good. There are couple signs showing that the letter is not legitimate.

First, take a note to receiver address. The letter is not sent to me, but to several emails at once. This means same letter is sent to multiple addresses, which can not be true for personalized content : invitation requests and notifications about inbox messages.

Next tip is the URI in the links in the letter. All links are to single website : hxxp://xay10iob.info/ , which is not linkedin.

My suspicions were confirmed by visiting above mentioned link. After some redirections malware was stopped by my ESET Smart Security. After couple tries we noticed, that the first server redirects to multiple servers hosting various exploits. Some of them are cleaned already, but some are still active. The first link remains “clean” from malware, and initiates redirection only.

I recommend keeping your antivirus up to date and staying protected from similar threats. These exploits are not social network specific and you might get fake emails even if you are not registered in any of the networks.

Now the problem with financial advice websites is following: they might result in large losses or gains for a single person. The more person invests, the more person risks. Thus each financial website should care about how they are perceived by the visitors.

First of all, noone should trust financial website without proper contact information on it. Noone should listen to advice of instructor that forgets to introduce himself and give away all contact information required to contacting or investigating him. And yes, I think people should investigate websites before using the financial advice they provide.

Secondly, it is quite important to know the terms of service and disclaimer of the website.

• Do they stand for what they preach?
• Do they have financial interest in the tools or methods they recommend?
• Are they affiliated with someone?
• Are they getting paid for reviewing particular stock? There have be a compensation disclosure present in such cases (it is required by USA law, and many others).
• Do they follow their own advice?

If the answer is not clear or is omitted, you can be sure that there is something hidden there. They might hide the fact that they have interest in promoting something, and they might not use particular methodology themselves. Then you have to stay away from the website, as quite often it is just a scam.

Thirdly, even if they preach and promise some things, they have to disclose that this is an advice only. They cannot guarantee the same results as in the past. They cannot guarantee that there will be no market crash in the future, or that situation changes completely. They cannot guarantee that there will be no changes in taxes, social security policies and stuff like that.

And lastly, if anything looks too good to be true, it is not. Investments is all about taking and managing some risks. If the promised gains are huge, the losses might be huge too. Do not fall for this trap.

Personally, I like Motley fool as they follow good practices (well, except lots of promotional mails).

What is interesting, for 90% or more of people this answer has nothing to do with IQ, but with normal color vision. If you see colors normally, you will not have problems recognizing 74. What is more funny, the marketing team at moboo.me lacks IQ themselves, as simple research will show, that other numbers are not seen by color blind people either (some of them see nothing, some of them see number 21).

When visiting the Moboo.com one will notice some strange things. Like people score results look faked: too much repetitions of the same names, and the names (for Lithuanian version) look like from 50-60 years ago (yeah, the name popularity changed a lot here).

The test is really simple – most of questions should be known by any guy that finishes school or can Google. It is impossible to determine test results from such small amount of questions. However, the site will not provide results. You will be asked to provide your mobile number, and you will be subscribed to polyphonic melody service with DIFFERENT pricing through carriers ( the difference is 3x!). That means, they try to subscribe you to most expensive possible plan ever.

Do not fall for this scam!

The worst thing is that Security Suite tries to disable real security programs like antiviruses, antimalwares and similar. All of these programs fail to launch with message that the executable is infected or an error occurred. Most of the websites are unavailable as well, except ones that sell Security Suite’s “full version”. They are common phishing websites : no real key exists, nor security suite has any capabilities to delete a real infection.

Here a guide how to remove security suite:

1. Reboot, press F8, choose safe mode with networking. If it fails, continue anyways
2. Open Internet Explorer, choose Tools menu and select Internet Options, Click on the Connections tab and then on the LAN Settings button. Uncheck the checkbox labeled Use a proxy server for your LAN under the Proxy Server section and press OK. This should temporally fix internet connection. If not, you will need TDSS killer run on your PC, use Flash disk to install it on the infected PC. TDSS killer can be downloaded from here : http://support.kaspersky.com/viruses/solutions?qid=208280684
3. Then start task manager or process explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx  )  and stop all processes that are like combination of random letters.
4. Start MSConfig and disable all startup entries that launch processes from within your user directory, for example App Data folder… You might need to reboot after this step, to safe mode with networking again.
5. Scan with Spyware Doctor and remove everything it finds.

I recommend having full version of Spyware Doctor and ESET smart security to prevent such infections in the future, or decrease the risk to the minimum.

More information on how to get rid of security Suite can be found here.

First, stop looking for best security product. The status “best” is temporal at most. It also depends on your own needs for support, speed, level of protection  and configuration of your PC.  The key is having something that works and knowing its limitations. That way one can cover the unprotected holes with different software.

I use ESET’s Smart security as first line of defense. Having good antivirus is important, and ESET is known to provide quite good protection over the years. But Smart Security provides firewall functions as well. We started using it in 2006 or 2005, I believe. I have not used Kaspersky for a while, but it was long time ago. It is still good, though. As there are lots of other good tools.

Free  antivirus choices work well too. I have installed AVAST, Microsoft Security Essentials on different PC’s with quite good results, though most of Security/Internet Suites are paid. MSE is great as it does not asks for email. You could use PCTools Antivirus as well.

However, there are antiviruses, that have holes in free versions. For example, AVG lacks rootkit protection, but has a strong community that promotes it. It will remain a popular choice.

So, you have chosen antivirus, but there is a need for second opinion tool that targets fresher parasites and does not interfere with antivirus. There are couple categories of such tools. For example, Threatfire uses behavioral detection, which helps against new parasites.

Another class of second-opinion tools are Anti-malware tools. This term is misleading, though. Anti-virus tools protect from broadest spectrum of parasites. Typical Anti-malware tools protect from parasites that are not viruses (that is, modify other executable content). Though the term Malware includes viruses as well.  The problem is that while viruses are geared towards spreading around, malware is geared towards you: either steal or extort your personal information, get paid for advertisements that are shown to you.

Which anti-malware to choose? Personally, I run Spyware Doctor, and it is the tool I install most often for this purpose. I install free version from pack.google.com on all PC’s except mine usually, even if it is older and limited one.   My friends and family like free software Another free choices would by Spybot S&D, Spyware Terminator, etc.

Commercial anti-malware choices would be the Spyware Doctor, Spyhunter (though highly expensive), Malwarebytes anti-malware, Superantispyware. Although last 2 are marketed as free tools, they are not. Both of them are commercial tools without any real time protection in free version.  The free versions are great for malware removal, though. I have free versions of both installed for testing purposes, but  I am not planning on buying full versions of these.

For me SuperAntiSpyware is somewhat misleading, as it’s  free version starts at system startup and is running all the time. But it does not actively protect the PC, which might be missed by many users. My free version of Malwarebytes started at system startup as well, however exited soon after. I am unsure if this unnecessary startup was removed in fresh version.

There are also toolbars, like SiteAdvisor or MyWot. They might provide some insight for safer browsing, but they will not protect from infected domains that fast. SiteAdvisor is more suitable for this, as it actually scans the websites for malware rather than being community opinion based.

To wrap it up, get Internet Security suite from any of major antivirus vendors. If you want to save some money, get free antivirus, and get firewall separately. Then you will need a second-opinion tools like threatfire and a good anti-malware with real time protection.  And some self-control not to click on every advertisement on the net

First of all, Antivir Solution Pro is distributed by security vulnerabilities, like infected Adobe PDF files, Javascript ads on various websites. This is a first sign that a software can not be trusted. Secondly, it will start showing popups and alerts blocking normal processes and limiting access to legitimate websites to scare user into downloading and buying its full version. Thirdly, Antivir Solution Pro might reconfigure the PC to allow easier reinfection in the future, by changing proxy settings, modifying way DNS addresses are recognized and downloading other parasites to weaken the PC.

Antivir Solution Pro can be removed by rebooting into safe mode and scanning the PC with Spyware Doctor or Malwarebytes. Full scan is strongly recommended. As the trojans might block the scan, it is highly recommended to disable the processes before the scan by killing all processes named with random letter strings (especially ending in tssd.exe). If such processes are successfully killed, One can run msconfig and remove startup entries referencing such processes. Still many of the infected files might be missed by manual removal, thus a single secure way is scanning with several automatic removal tools for Antivir Solution pro.
Full removal guide is available here : http://www.2-viruses.com/remove-antivir-solution-pro

I have reviewed MyWOT positively in the past, and the points are still valid. However, it is time to talk about several downsides of it (and why I see no real use for it in the future).

First, it works as global unlike button in security market. Lots of people know about it in this area and use it to manipulate listings. Experts do not rate good sites in this area – there are too many, and no one cares if they are not their own. For example, one negative review of one Rogue cleaner in my blog resulted at negative review in MyWOT of my site by him (with several accounts). I know pretty much, that some of other ratings are voted by people advertising similar or same products:)

Second, the toolbar itself is made in the way that suggest auto-confirming votes. It blocks all sites with negative ratings, and many of the negative ratings are reconfirmed by users which do not see the site itself. I had a looong discussion with MyWOT platinum member to remove his comment (and rating), which was made WITHOUT checking website. The mailing forth and back lasted couple days, and I the last mail I got was that he removed the comment and will check the website once he has time.

Third, the sources of auto-rating. MyWOT uses 3 sources (maybe more) to confirm that site is valid : hphosts, delicious and digg. First one is negative, other ones have no bigger impact. All of them have no real basis. Everyone can submit to digg and delicious. Listing in hphosts is not purely black or white either: some of listings are irrelevant (“marketing strategies”) , some are out of control ( IPs history) , some are valid (distribution of malicious software). However, I haven’t seen users evaluating these properly. Everyone would just vote all bards the same.

4th, the site banner issue. I do not think it is ok, but whatever. If people would like to pay for displaying how crowd things the site is secure, then it is great for mywot. All banners based on real testing are much more useful.

5th. Malware, response time and such. MyWOT will not rate sites at once. Thus malware sites will not be rated as dangerous on first vote. Next, lots of malware is spread through sites with good reputation. Like facebook. Thus it will not make web any safer.

To summarize, to protect from parasites I would advice to use Site Advisor Toolbar and not Mywot. However, MyWOT could become much better if adding some changes. For example, incorporating Site Advisors ratings (including possitive and negative sides), checking spent time on the site on rating, checking overall distribution of ratings, etc.

Somewhat funny note is that my site was rated badly by Site Advisor as well, as I have provided a link to Malwarebytes executable or download page (can’t remember). Later on I get my WOT ratings because I am one of the few people that does not advertise Malwarebytes as “the best single protection” or smth.

Additionally, recently it started using name “Green AV security Suite”. It looks like it is same parasite in general.