Malware refers to software that “junks up” your computer and does annoying and malicious things like launching popup windows, sending spam, or redirecting your web browser. Malware is similar to a virus, but it often has a profit motive and relies on user deception rather than security flaws to run on a system.

Posts

A picture of AVG PC Tuneup in action.

PC TuneUp Software: Great in Theory, Awful in Practice

This is a story about automated PC TuneUp software and how it can go horribly wrong.

Background

A client brought me four new PCs to set up at his business. This involves completing the Windows setup wizard, installing his software, porting over his data, updating, and setting up security. In this instance the client bought his own antivirus: AVG Zen Protection, which comes with AVG’s PC TuneUp.

AVG PC TuneUp and products like it function similarly: analyze your computer, find ways to free up resources and make it faster, and implement them more or less automatically.

That all sounds great. PCs do need regular maintenance. The promise of software like PC TuneUp is that it will act as a mechanic who shows up and changes your oil and checks your filters without ever being asked. That’s fantastic. Until it’s not.

The PC TuneUp Problem

After installing AVG with PC TuneUp, the software went to work trying to determine how badly this brand new computer needed optimizing. It found things. So many things. Out of sheer curiosity I actually allowed it to implement the solutions it recommended on one of the four PCs.

It felt no faster. But it did render the application the client depends on to do business totally unusable. PC TuneUp tries to be helpful by creating a restore point. I rolled back to the restore point and the application still wouldn’t run.

The problem was caused by the fact that PC TuneUp had disabled one of the application’s services. When I went to re-enable the service, I found that it hadn’t been disabled the standard way, so using the Windows Services console to start the service failed. In the end I removed PC TuneUp completely. If that’s how it’s going to behave, I certainly can’t send it into production.

The Bottom Line on PC TuneUp

I’m not writing to talk smack on the entire AVG product line. I still use AVG for antivirus. But PC maintenance is best left to folks who understand the implications of their actions. PC TuneUp and products like it take a shotgun approach to optimization: they try to intelligently determine what programs and services can safely be disabled, but it’s safe to say PC TuneUp isn’t running Ex Machina level artificial intelligence, because it seems to have no problem erring on the side of disabling things you need.

So if your computer is slow, don’t choose some automated optimization tool like PC TuneUp that errs on the side of speed, not safety. Call a professional.

Exploring Donation Based Services

In the last video I talked about some of the ways that website owners and software vendors use to make money from you on the Internet. I described them because the methods folks use to make money have a direct effect on your Internet experience.

Some of these methods are obvious, others hide behind camouflage and masquerade as something they’re not. Some of the methods are completely safe, and others are very dangerous.

Unfortunately it’s not always easy to tell what’s what on the Internet. So in this video we’re going to explore the first money-making method that I talked about: donation-based sites and services. I’ve got some very good examples to show you, along with some important lessons to learn along the way.

Wikipedia

The first example is Wikipedia. You’ve probably heard of Wikipedia, but if you haven’t, it’s a free online encyclopedia that’s updated by its users and a panel of expert editors who keep the content authentic, accurate, and well-cited. Wikipedia is also completely donation-based. So let’s check it out.

I’m going to open a web browser and go to www.wikipedia.org, and when I get there I need to select my language. Once I’m on the home page for Wikipedia I notice that there is no obvious page content asking for payment and no advertisements. If I look closely enough I can see a “Donate to Wikipedia” link in the site’s main navigation. They also have a “Wikimedia Shop” where you can buy Wikipedia branded merchandise. Let’s click on the donation link.

What we see is a pretty typical Donation Page: it has a brief message from the Wikipedia founder calling you to action, and it has a form requesting a donation amount and donation method.

Learning how to use the Internet safely is all about recognizing patterns. So take a moment to explore Wikipedia and their donation page. Wikipedia is a very popular website with a very positive public image. People trust them, and I think it will pay off to internalize some of the features of a “safe” donation-based service:

  • A prominent donation link
  • A positive public image
  • No advertisements
  • A donation form
  • A Call to Action from the site’s founder.

Obviously mileage may vary, but these are features to look for when you’re trying to decide if a website is donation-based and whether or not it’s actually safe.

Khan Academy


Next let’s look at Khan Academy. Khan Academy is a free online learning tool. It’s not as old and entrenched in pop culture as Wikipedia, but Khan Academy is still a very well-known and highly regarded resource in its own right. If we go to the Khan Academy website, we can immediately see how they get their funding: the big Donate tab in the top-level site navigation. If we click that link we see a page very similar to Wikipedia’s: no ads, a donation form, a Call to Action from the site’s founder. What’s more, Khan Academy prominently displays its IRS non-profit status. While many free sites and services won’t have non-profit status, it’s certainly another item to add to the list of evidence for a site’s legitimacy if they do.

Camstudio


Finally, let’s take a look at Camstudio. Camstudio is a free screen recording tool. It’s completely free and donation-based, but there are definitely some lessons to learn from the website and how the author presents the software.

If we search for Camstudio, the first thing we’re going to notice is that in addition to the official website, there are dozens of “free download” sites also offering the software. You’ll notice this for just about any software you try to download from the Internet, and the existence of multiple download sites says nothing about Camstudio’s legitimacy. But what you need to remember is to always download from the official site when possible. Let me show you why.

In the video you’ll see me click the link to download Camstudio from a download site called Softonic (I’m intentionally not providing a link to it).  I immediately notice a giant red flag: multiple, intentionally confusing download buttons.

Eventually I just pick a button and it begins downloading a “downloader” for Camstudio. A downloader is a program that downloads another program, and often a bunch of other junk along with it. The Softonic download installs several junk programs on my computer along with Camstudio. The PC Optimizer application that it installs obviously lies to me about the problems it’s finding with my computer, then wants money to fix these imaginary problems.

So now that we’ve explored an alternative download option and discovered why you should avoid them, let’s go to the official website.

You’re immediately going to notice the Donate button, but you’ll also notice that the site serves advertisements as well. Generally these ads are safe, but during my testing I found some that were not, and they resulted in adware being installed on my computer. I’m not mentioning any of this to pick on Camstudio: it’s a quality product. But be aware that some sites and some programs will “mix-and-match” their revenue streams, and understand that even a free, donation-based product can pose problems if you click and install without thinking.

In the video I click a suspicious advertisement on Camstudio’s home page. The ad runs a downloader called InstallIQ which installs Camstudio as well as RealPlayer, Google Chrome, Google Toolbar for Internet Explorer, and another PC Optimizer program. Once again the Optimizer lies about the computer problems it detects and wants money to fix them.

Finally, let’s click the official download link and see what a regular installation looks like.

In the video you’ll see that the official download for Camstudio takes just a few seconds.  After checking my desktop, Start Menu, and Control Panel I’ve verified that nothing installed other than the program I wanted.

This exercise has taught us to look for the following red flags when downloading free software:

  • The website states that it’s not affiliated with the program you are downloading
  • The website states that it may provide other offers during installation
  • The website provides multiple/intentionally confusing download buttons
  • The downloaded file is a “downloader”, not the actual program.
  • The downloaded file installs any sort of Registry Cleaner/PC Optimizer programs.  They’re almost always bogus.

Summary

Now that we’ve seen some examples, you can identify donation-based software and services, you should understand that some websites use multiple revenue streams, and you know that some donation-based programs can still be problematic if you download and install them without thinking. In the next video we’ll explore some more money-making schemes you might run into on the Internet, and how you can avoid them. Catch you later!

Removing ThinkPoint without Task Manager

A coworker brought me a laptop (accompanied by the required food bribery) and asked me to remove a virus that had started popping up. I booted up the laptop and, not at all surprisingly, it was infected with a Fake Security Scanner of a new and particularly nasty variety. It was called ThinkPoint, and it replaces explorer.exe as your Windows shell, so as soon as you log in ThinkPoint is all you see and all you have the ability to interact with.

Other sites explain how to remove ThinkPoint, and their instructions are accurate, assuming you can open Task Manager via CTRL+ALT+DEL or CTRL+SHIFT+DEL. Unfortunately the variant I ran into disables Task Manager, so I had to find another way to interact with the computer. Luckily, ThinkPoint is easily tricked.

  1. Inside ThinkPoint, click the Support button.
  2. The goal of malware like ThinkPoint is to get the user to purchase the “full version” of the software, and logically we know that purchasing the software will probably open a web page so we can input our credit card information.  So let’s play along… Click Install the Full Version with the required modules.
  3. This will open up an Internet Explorer page with no status bar and no menus. Click anywhere within the page, then press CTRL+L to open the Open Dialog. This will let us explore our computer from within Internet Explorer.
  4. Click Browse.
  5. Next to the File Name field, select All Files so we can browse all files, not just HTML files.
  6. Navigate to C:\Windows. Locate explorer.exe, right-click it and select Open. Congratulations, you can now do whatever you want! Now follow these instructions to remove ThinkPoint: http://www.2-spyware.com/remove-thinkpoint.html
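Once you have a usable session (for instance after the explorer.exe trick above), the following PowerShell script is an added example, not part of the original post, that audits the two things this variant does: it assumes, which the post does not state, that the shell swap is implemented through the Winlogon `Shell` registry value and that Task Manager is disabled through the `DisableTaskMgr` policy value.

```powershell
# Added example (not from the original post). Assumption: a ThinkPoint-style
# infection swaps the shell via the Winlogon "Shell" value and blocks Task
# Manager via the DisableTaskMgr policy value. Report first, repair only after
# reviewing the findings; writing to HKLM requires an elevated session.

$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Expected = 'explorer.exe' },
    @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'Shell'; Expected = $null },          # per-user override should not exist
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Expected = $null }  # policy value should not exist
)

function Test-WinlogonHijack {
    param([switch]$Repair)
    $findings = @()
    foreach ($c in $checks) {
        $item   = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $actual = if ($null -ne $item) { $item.($c.Name) } else { $null }
        if ($null -eq $c.Expected) { $ok = ($null -eq $actual) }
        else                       { $ok = ($actual -eq $c.Expected) }
        if ($ok) { continue }
        # Anything unexpected is recorded; the offending path tells you which
        # file to hand to your scanner once the shell is back to normal.
        $findings += [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Value = $actual }
        if ($Repair) {
            if ($null -eq $c.Expected) {
                Remove-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            } else {
                Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Expected
            }
        }
    }
    return $findings
}

# Report-only run; re-run as Test-WinlogonHijack -Repair after reviewing the output.
Test-WinlogonHijack | Format-Table -AutoSize
```

An empty table means neither persistence point is tampered with and the infection is using some other mechanism, so the 2-spyware instructions linked above still apply.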

Removing FakeSecScan (Fake Antivirus)

The FakeSecScan virus. You may know it by another name, such as Windows Antivirus 2010 or some other generic-but-legitimate sounding name. It pretends to be an antivirus application that scans and finds viruses on your computer. The problem is, the program itself is the virus, and it is lying about the other infections that it has “found.”

I’ve blogged about this all the way back in 2008, but since FakeSecScan continues to be one of the most prevalent virus infections out in the wild (and thus a big source of income for tech support professionals like me) I decided to revisit it.

How do you get rid of FakeSecScan? Let me save you some time and money. Download the free version of Malwarebytes Anti-Malware. Boot into safe-mode, install and run it.

Detailed Instructions on Removing Fake Antivirus Malware

  1. First you’ll need to download MalwareBytes Anti-Malware. If the malware is blocking you from downloading it, you’ll need to use another computer to download it. While you’re at it, download the latest updates for Malwarebytes as well.
  2. Boot into safe mode (press F8 when your computer boots).
  3. Install MalwareBytes and the updates you downloaded in step 1.
  4. Run a Full Scan with MalwareBytes and remove anything it finds.
  5. Reboot.

Your system should be clean now.  Here’s how to keep it that way!

Preventing Fake Antivirus Malware

  1. Install a quality Antivirus package. Prefer MalwareBytes Anti-Malware and Microsoft Security Essentials.
  2. Regardless of what Antivirus package you choose, don’t just install it with its default settings and ignore it. Explore it. Tweak the settings so that it is performing daily updates (so it can recognize new viruses) and full scans (so it is actively searching for them). I also recommend having it automatically clean, quarantine, or delete all but the lowest level threats.
  3. Get to know what your antivirus software looks like, and never again click “Save,” “Run,” or “Open” to an antivirus program that isn’t the one that you installed yourself.  In fact never click “Save,” “Run,” or “Open” to anything that you don’t recognize.
  4. You see this video? Learn to recognize what fake antivirus malware looks like and how it behaves, then avoid it!

PDF Download: Beware of Fake Antivirus Programs

In the last few weeks I’ve worked on more than a dozen computers infected with some variant of the “Win32/FakeSecScan” virus, which sneaks onto your computer by pretending to be legitimate antivirus software. In an effort to help my clients avoid the headache and cost of a cleanup, I wrote this guide, Beware of Fake Antivirus Programs, which describes how to identify and avoid the FakeSecScan virus. Feel free to download Beware of Fake Antivirus Programs!