How To: Remove Vista AntiVirus 2012

Vista AntiVirus 2012, which also shows up under names such as Windows XP Home Security 2012 depending on the victim's version of Windows, is one of the rogue anti-virus (scareware) programs going around that masquerades as a real anti-virus product.

Unfortunately it's not. It installs itself through browser exploits and then pretty much disables the computer until the user puts in a credit card number: it hijacks the .exe file association so that every program you start is launched through the malware's own executable, and it tells Windows Security Center to stop warning that no anti-virus or firewall is running. Once the program is "bought" it goes idle and pretends to scan for viruses, but as far as I can tell it never actually finds anything.

Caution, these directions have you editing the Registry. They do not tell you how to do so, but tell you what keys to delete. Deleting the wrong keys can severely mess up your computer! If you are not comfortable doing this, take your computer to someone who is.

First step: open Task Manager and end the ppn.exe process (it may respawn until the registry entries below are gone, so work quickly or do the whole job from Safe Mode with Command Prompt).

Then in your registry remove the following entries. The first three and the HKEY_CLASSES_ROOT entry are what route every .exe through the malware; the Security Center values silence the "no anti-virus" warnings. Note that the exefile\shell\open\command and browser command values must be put back to their stock values, not just deleted: if HKEY_CLASSES_ROOT\exefile\shell\open\command has no (Default) value, Windows can no longer launch any program. The stock value for exefile is "%1" %* and the stock browser commands are the plain paths shown below without the kdn.exe prefix.
HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation "TLDUpdates" = '1'
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_CLASSES_ROOT\.exe\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "%1" %*'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenu\Internet\FIREFOX.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenu\Internet\FIREFOX.EXE\shell\safemode\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode'
HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenu\Internet\IEXPLORE.EXE\shell\open\command "(Default)" = '"%LocalAppData%\kdn.exe" -a "C:\Program Files\Internet Explorer\iexplore.exe"'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "AntiVirusOverride" = '1'
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center "FirewallOverride" = '1'

Lastly delete the following files and folders (the long random name is the malware's data directory; on XP, %LocalAppData% means %UserProfile%\Local Settings\Application Data):
%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h
%LocalAppData%\kdn.exe
%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h
%Temp%\u3f7pnvfncsjk2e86abfbj5h
%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h

Reboot your computer and everything should be gone.
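The steps above as one script. This is an added example, not part of the original post: it uses the process, value and file names the post lists, writes the Windows stock values back where the post would otherwise leave a hole, and then checks its own work. It assumes the 32-bit default browser install paths the post shows (adjust FF and IE if yours differ) and is meant to be run from Safe Mode with Command Prompt as an administrator, where the hijacked .exe association is not in the way.

```batch
@echo off
REM Added example (not from the original post): Vista AntiVirus 2012 cleanup.
REM Run from Safe Mode with Command Prompt as an administrator.
REM XP has no %LocalAppData%; map it to the XP equivalent if it is undefined.
if not defined LocalAppData set "LocalAppData=%UserProfile%\Local Settings\Application Data"

echo [1] Stopping the rogue process
taskkill /F /IM ppn.exe >nul 2>&1

echo [2] Removing the per-user .exe hijack under HKCU\Software\Classes
reg delete "HKCU\Software\Classes\.exe" /f >nul 2>&1
reg delete "HKCU\Software\Classes\exefile" /f >nul 2>&1

echo [3] Removing the shell key added under HKCR\.exe and restoring exefile
REM Stock values: HKCR\.exe -> "exefile", exefile launch command -> "%%1" %%*
reg delete "HKCR\.exe\shell" /f >nul 2>&1
reg add "HKCR\.exe" /ve /d "exefile" /f >nul
reg add "HKCR\exefile\shell\open\command" /ve /d "\"%%1\" %%*" /f >nul

echo [4] Restoring the Start Menu browser launch commands (paths are assumptions)
set "FF=C:\Program Files\Mozilla Firefox\firefox.exe"
set "IE=C:\Program Files\Internet Explorer\iexplore.exe"
set "SMI=HKLM\SOFTWARE\Clients\StartMenu\Internet"
reg add "%SMI%\FIREFOX.EXE\shell\open\command" /ve /d "\"%FF%\"" /f >nul
reg add "%SMI%\FIREFOX.EXE\shell\safemode\command" /ve /d "\"%FF%\" -safe-mode" /f >nul
reg add "%SMI%\IEXPLORE.EXE\shell\open\command" /ve /d "\"%IE%\"" /f >nul

echo [5] Letting Security Center warn again and removing the IE marker value
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /v AntiVirusOverride /f >nul 2>&1
reg delete "HKLM\SOFTWARE\Microsoft\Security Center" /v FirewallOverride /f >nul 2>&1
reg delete "HKU\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation" /v TLDUpdates /f >nul 2>&1

echo [6] Deleting the dropped files (each path may be a file or a folder)
for %%P in (
  "%AllUsersProfile%\Application Data\u3f7pnvfncsjk2e86abfbj5h"
  "%LocalAppData%\kdn.exe"
  "%LocalAppData%\u3f7pnvfncsjk2e86abfbj5h"
  "%Temp%\u3f7pnvfncsjk2e86abfbj5h"
  "%UserProfile%\Templates\u3f7pnvfncsjk2e86abfbj5h"
) do (
  if exist "%%~P\" (rd /s /q "%%~P") else if exist "%%~P" (del /f /q "%%~P")
)

echo [7] Checking the result: the launch command must read "%%1" %%* and kdn.exe must be gone
reg query "HKCR\exefile\shell\open\command" /ve
if exist "%LocalAppData%\kdn.exe" echo WARNING: kdn.exe is still present, check for a locked or respawning process
echo Done. Reboot now.
```

If step 7 prints anything other than "%1" %* for the launch command, do not reboot until it is fixed, since that value is what lets Windows start any .exe after the malware is gone.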

Again, if you’re not comfortable editing registry files, please take the computer to someone who is.

Digital Protection Malware virus

There is a new major piece of malware going around right now. This one is "Digital Protection" and it infects computers after the user clicks one of those pop-ups that says "You have a virus!"

The odd thing about this one is that it also takes over Windows Update, so it can't be used to download new security patches and fixes from Microsoft.

It also loads itself multiple times into the Windows registry. Step by step instructions on how to remove it are here: http://www.geekstogo.com/forum/Removal-instructions-Digital-Protection-t274218.html

This is a nasty removal process so if you’re not familiar with editing the Windows registry, I highly suggest you take this somewhere professional.

How to report Internet Fraud

Internet fraud is on the rise. As more and more people get online around the world, more malware is written to steal information, and more people see the anonymity of the Internet as a safe way to steal, fraud rates will keep climbing.

Common scams include paying for eBay or Craigslist items with stolen PayPal accounts; sending a fake check for significantly more than the selling price and asking for the difference back; and the "Nigerian 419 scam," where you are contacted (usually by email) for help moving a large sum of money out of another country and are quickly asked to send a couple of thousand dollars as a "transfer fee," after which none of the money is ever seen again.

The first step in reporting fraud is to gather your evidence. A good portion of such reports go unanswered and forgotten for lack of evidence, and providing ample, accurate proof greatly increases the chance that law enforcement acts on it. Use the template below when reporting fraud and scams. Some online forms won't have room for all of this, but compile it before you start submitting anywhere.

Your information:

Name:

Address:

Phone Number:

Email:

Other Contact info: (IM ID, Forum Name)

Scammer's information:

Scammer's Name:

Address:

Phone Number:

Email:

Other Contact info: AIM or Yahoo IM ID, forum names, AKA names. Also include any other email addresses, phone numbers or physical addresses known. Essentially, every channel the scammer used to contact you should be catalogued here.

Nature of Fraud/Scam:  Give a brief description, i.e. “Was contacted by person to…”

Estimated Value Lost: For goods, give a range or the selling price; for money, give the actual cash amount.

Timeline Description: This is the important section. Provide a day-by-day, hour-by-hour account of the transaction and what went wrong. Cut and Paste Chat Logs, Screenshots (if possible,) and all emails. Be sure to present everything in chronological order as it happened.

Links to evidence: Provide links to forum posts, screenshots of emails and IM logs, etc.

There are several places you can report fraud to depending on where in the world you are.

Online Fraud Complaint Forms:

In the United States:

The Internet Crime Complaint Center: http://www.ic3.gov

National Fraud Information Center: http://www.fraud.org/info/contactnfic.htm

In Canada:

Royal Canadian Mounted Police: https://www.recol.ca/intro.aspx?lang=en

Other Countries: Please look in the comments below, or post a comment if you know your country's reporting page.

Once you've filled out the online forms, it's a good idea to contact the law enforcement agencies below directly. All of them (except possibly city and county police departments) have an electronic crimes unit that will take your information. In some cases you may be referred to another person or group; expect a bit of run-around, and don't take it personally. Be polite and patient when explaining the nature of the fraud.

Local FBI Office: http://www.fbi.gov/contact/fo/fo.htm

Local Attorney General: http://www.naag.org/

Local U.S. Secret Service Electronics Crime Division: https://www.treasury.gov/services/report-fwa/Pages/ReportFWA.aspx

Local State Police: http://www.statetroopersdirectory.com/

Local County Police Department: Varies, search Google for your County Name, Police Department and Electronic Crimes Division

Local City Police Department: Use the same search term above

If you were scammed by someone outside your country, the Federal Trade Commission runs a separate site for cross-border complaints: https://www.econsumer.gov/pls/econsumer/wimsnery2$com.main?p_lang_seq=1

A lot of scams involve PayPal, because accounts are easy to set up and easy to take over with stolen credentials. PayPal's claims page is at: https://www.paypal.com/us/cgi-bin/webscr?cmd=_comres_flow&trans_id=

Phone: 1-888-221-1161 ext. 8232, or 402-935-2050

If a company or business scammed you there are a couple of good places to report them to.

Better Business Bureau

FTC Complaint Center

Also be sure to report them to your and their Attorney General’s Office.

The United States Postal Inspection Service is especially tough on scammers and fraud committed through the mail. If you mailed a money order or goods and got nothing in return, they want to hear from you. Their online form is at: http://postalinspectors.uspis.gov/forms/MailFraudComplaint.aspx

To give the Postal Inspectors something to work with, always use Delivery Confirmation when mailing large amounts of money, checks, or expensive goods; the tracking record is evidence.

UPS has an online claim section too, https://www.ups.com/myups/login?returnto=https%3a//wwwapps.ups.com/webClaims/create%3floc%3den_US%26report_type%3d1&reasonCode=-1&appid=CLAIMS

Reporting fraud and scams is time consuming, but every bit helps. If you’re short on time at least submit reports to the first two links. Remember, the scammers aren’t going to stop if they get away with it. All it’s going to take is one or two to get caught as warnings to the rest.

Troubleshooting: Facebook constantly logs out in Safari

**Update** Facebook made updates that fixes this problem.

A recent problem has cropped up with the latest version of Safari, 3.2.1, on Leopard 10.5.6. When using Facebook (and possibly other sites that require a login, such as Last.fm, Gmail, and Twitter), users find they constantly have to log in again. Of course this gets annoying and makes those sites nearly unusable. Some reports suggest Firefox users are affected as well.

The cause may be partly on Facebook's side, as they tighten session handling to combat the recent malware threats, with the Leopard/Safari upgrade being coincidence. Another guess is that Apple changed how cookies are shared between programs, and that is what's causing the issue.

In addition, users who run Facebook Chat through Adium or on an iPhone while also logged in to the site in Safari seem to have a high chance of hitting this, presumably because the extra session invalidates the browser's.

While not a guarantee, here are some possible fixes.

iPhone Users: (may have to be jailbroken to work, I do not have an iPhone to confirm)
1.) Download a terminal program for the iPhone
2.) chown -R mobile /var/mobile/
3.) Power Cycle the iPhone

It seems that the /var/mobile directory is sometimes owned by root instead of the mobile user, and that is causing some of these problems.

Adium Users:

  • Disconnect from Facebook or Google Chat in Adium before logging in to Facebook or Gmail in the browser

Safari Users (one or all of these may be needed):

  • Disable Private Browsing (Safari menu, Private Browsing)
  • Empty Safari's cache (Safari menu, Empty Cache)
  • Clear cookies (Safari menu, Preferences, Security, Show Cookies, Remove All)
  • Reset Safari (Safari menu, Reset Safari)
  • Reinstall Safari (download a fresh copy from Apple)
  • Remove the Autofill entry (Safari menu, Preferences, Autofill, User Names and Passwords, Edit, remove the site that is having issues)
  • Remove the Keychain entry (Applications/Utilities/Keychain Access: remove the affected site, then Keychain First Aid from the menu, then Repair)
  • With Safari closed, delete the cookie store (~/Library/Cookies/Cookies.plist); this logs you out of every site, not just the broken one
  • Advanced: enable Safari's hidden Debug menu from Terminal with `defaults write com.apple.Safari IncludeDebugMenu 1` (relaunch Safari afterwards), or install Safari Enhancer, and clear cookies from that menu

Dashboard:

  • Disable any Web Clippings

If any of these work, or you have another solution (or a question about the above), let me know in the comments and I'll see what I can do.

How To: Clean "Your internet access is going to get suspended" Virus

I was recently sent a copy of the "Your internet access is going to get suspended" virus. Which is really annoying, since my BitTorrent and P2P use is limited to Magnatune and downloading ISOs of Linux/BSD systems.

So, seeing a lack of response from the big companies on how to remove it, I sacrificed my one Windows machine to it in an attempt to figure out a fix. This is a down and dirty fix, but it worked.

Installing the virus is easy: download the ZIP file, open it, then run the .EXE inside. (That is exactly what the email wants you to do, so don't, except in a machine you are prepared to wipe.)

The virus installs its own winlogin.exe, a look-alike of the legitimate Windows logon process winlogon.exe, along with krnlcab.sys, cabpck.dll, and k86.bin in the System folder. Unluckily the running copy can't just be removed. Pull the network cable so the machine can't reinfect itself, boot into Safe Mode with Command Prompt, and from the command prompt delete winlogin.exe and the three other files.

Next, follow these directions to extract a clean winlogon.exe from the original install CD so you are sure the real logon process is not the tampered one. Remove tmp/msi_setup/*, reboot, and double-check that the three files above are still gone and that winlogon.exe carries the new date.

Plug the network cable back in and immediately run Windows Update. I found that SP3 had to be reinstalled, but it worked fine afterwards.

This is down and dirty, only worked on XP, and is potentially system-breaking. If you are not confident in the directions above, wait for the anti-virus vendors to publish an official fix.
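The cleanup and the "is winlogon.exe really the original" check from the post, as an added example that is not part of the original post. It assumes the install CD is in D: with an i386 folder, that Windows is in %SystemRoot%, and that the dropped file names are the ones listed above; the comparison against %SystemRoot%\ServicePackFiles\i386 is my addition, because a service-packed system legitimately carries a newer winlogon.exe than the original CD and would otherwise always show as "different".

```batch
@echo off
REM Added example (not from the original post). Run from Safe Mode with Command
REM Prompt on XP, with the network cable unplugged.
REM Assumptions: Windows CD in D:\i386, Windows in %SystemRoot%, file names as in the post.
set "SYS=%SystemRoot%\system32"
set "SRC=D:\i386"

echo [1] Stopping and deleting the dropped files
taskkill /F /IM winlogin.exe >nul 2>&1
for %%F in (winlogin.exe krnlcab.sys cabpck.dll k86.bin) do (
  if exist "%SYS%\%%F" (
    del /f /q "%SYS%\%%F" && echo   removed %%F
  ) else (
    echo   %%F not present
  )
)
if exist "%SYS%\winlogin.exe" echo   WARNING: winlogin.exe is still there (locked or respawning)

echo [2] Comparing the live winlogon.exe with a known-good copy
REM Prefer the copy matching the installed service pack; fall back to the CD.
set "REF=%SystemRoot%\ServicePackFiles\i386\winlogon.exe"
if not exist "%REF%" (
  expand "%SRC%\winlogon.ex_" "%TEMP%\winlogon.clean" >nul
  set "REF=%TEMP%\winlogon.clean"
)
fc /b "%REF%" "%SYS%\winlogon.exe" >nul
if errorlevel 1 (
  echo   winlogon.exe DIFFERS from %REF%
  echo   It is in use even in Safe Mode, so replace it from the Recovery Console:
  echo     expand d:\i386\winlogon.ex_ c:\windows\system32\winlogon.exe
) else (
  echo   winlogon.exe matches the reference copy
)
if exist "%TEMP%\winlogon.clean" del /f /q "%TEMP%\winlogon.clean"

echo [3] Installer leftovers (the post's tmp/msi_setup; locating it under %%TEMP%% is an assumption)
if exist "%TEMP%\msi_setup\" rd /s /q "%TEMP%\msi_setup"

echo Done. Reboot, reconnect the network and run Windows Update (SP3 may need reinstalling).
```

fc /b sets errorlevel 1 when the files differ and 2 when one is missing, so any non-zero result is treated as "do not trust this winlogon.exe". If the CD is a slipstreamed service pack build, expanding winlogon.ex_ from it is a valid reference as well.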