SOME EXAMPLES OF MALWARE THAT PCR HAS REMOVED
Most of the viruses below do the same thing: they lock down your computer's functionality so that you can't use it, then they offer to SELL you a remedy that looks official, and in doing so they try to get you to give them your credit card information. Understand that Microsoft NEVER asks you for money to "activate" ANY Microsoft "repair software" that came pre-installed on your computer as a trial version or otherwise. Sometimes users download and install Microsoft Security Essentials antivirus software, but this software is and always has been 100% FREE and does not need to be "activated", "registered", "upgraded" or otherwise paid for. So any time a pop-up mysteriously asks you to pay money to fix your computer, be on alert! Do NOT pay for anything! If you already have, then CANCEL your credit card immediately!
BELOW: The "Win 7 Antivirus 2012" trojan. Make no mistake: This supposed "antivirus program" is fake. There is no such program. The list of viruses shown in its "system scan" is fake, but your computer is indeed infected. Win 7 Antivirus 2012 is the virus! Like most trojans, this one has windows that pop up constantly, telling you that your computer is infected and that you need to pay to remove viruses from your computer. The goal of the bad guys who released this virus is to get your credit card information. Don't ever be tricked into volunteering your credit card information to pay for this fake "antivirus software". PCR can remove these and all other viruses from your computer...
BELOW: This "Security Tool" trojan virus is perhaps the most common trojan virus. It is often "invited" in by other viruses. Make no mistake: This supposed "antivirus program" is fake. There is no such program.
BELOW: The "Antispyware Soft" trojan virus is also very common...

BELOW: This one completely shuts down your system. Each time you restart your computer it displays this Russian text.

BELOW: The "Security Shield" trojan virus is NOT part of the Windows operating system. It is a fake alert aimed at obtaining your credit card information....

BELOW: The "Windows Repair Module" trojan virus is NOT part of the Windows operating system. It is a fake alert aimed at obtaining your credit card information....
BELOW: The "Windows Process Regulator" trojan virus is NOT part of the Windows operating system. It is a fake alert aimed at obtaining your credit card information....

BELOW: The "MS Removal Tool" trojan virus has nothing to do with Microsoft. It is a fake alert aimed at obtaining your credit card information...

BELOW: The "ThinkPoint" trojan virus is launched at startup and continues to pop up...

BELOW: The "Windows Remedy" trojan virus invites other viruses onto the infected computer, often including a nasty rootkit which prevents access to Microsoft's Windows update page and prevents Security Essentials from being installed. Make no mistake, it is NOT part of Windows. Windows Remedy is a fake "program"...

BELOW: "Antimalware Doctor" is itself a virus. Its pop-ups appear to be part of Windows. Make no mistake, it is NOT part of Windows. Antimalware Doctor is a fake "program"...

BELOW: This "Total Security" trojan virus also renders a computer useless until removed...
BELOW: The "XP Internet Security 2010" trojan virus...

BELOW: After just one reboot, the "Virus Protector" trojan virus takes over your computer to the point that ONLY IT launches at startup! Like all of these "fake alerts", this one tries to get you to unwittingly volunteer your credit card information...
BELOW: Once removed, the "Desktop Security 2010" trojan virus typically disables your Internet connection as a parting gift! PCR can remove this virus from your computer and fully repair the damage it leaves behind...
BELOW: The "Protection Center" trojan virus...

BELOW: The "Antivirus7" trojan virus...

BELOW: This one calls itself Security Essentials but it certainly is NOT Microsoft's Security Essentials anti-virus software, which is actually completely free and looks nothing like this pop-up "fake alert" window:

BELOW: The "Control Center" Trojan virus...

BELOW: Some malware looks exactly like Windows XP's own Security Center. Note the bad English: "No antivirus software found on your computer or they are out of date" - A hallmark sign of malware. The real Microsoft XP Security Center (located under START > Control Panel) never has any such "install" button (pointed out below by the green arrow). When you click the "install" button you get directed to a site that lures you into entering your credit card information...
BELOW: The above fake alert viruses try to get you to click a link where the "bad guys" hope you will enter your credit card information.
This site looks official, but it is run by bad people who only want your credit card information. If you have entered your credit card information on one of these sites then call your bank immediately to cancel your credit card!...
BELOW: Once a computer is infected with this virus, upon reboot, an adult web page (with Russian text) appears over the desktop. This virus completely disables everything including task manager (ctrl + alt + delete). The images cannot be closed out until the virus is removed, usually by first manually repairing it with a registry editing offline boot CD...

BELOW: The "Google Redirect Virus" hijacks your browser when clicking to visit certain websites. It redirects your browser to strange, unrelated sites such as florida-traffic.com and others...

Other ways to tell if your computer is infected with malware...
BELOW: Most fake antivirus trojans disable basic Windows functions.
Press Control + Alt + Delete
This warning is usually due to registry damage caused by a virus.

CHECK TO SEE IF YOUR BROWSER HAS BEEN HIJACKED
Using Internet Explorer, run a Google search for "antivirus". The top search results usually include sites like free.avg.com, www.avast.com, www.mcafee.com, and www.kaspersky.com. Click to visit some of these sites. If your computer is infected with browser redirect malware, you will instead be redirected to other strange sites that have nothing to do with these sites. Below are the REAL sites....
Your computer may be infected with a dangerous virus without you even knowing. Some viruses run in the "background" as hidden processes. For example the Trojan "Spy Eye" attempts to connect to the Internet then sends your usernames, passwords, and other critical personal information to a remote computer on the Internet.
In this case, I physically disconnected the Ethernet cable from the computer. Each time the virus attempted to connect to the Internet a Windows 7 error message popped up (because I cut off the Internet connection). Under normal circumstances, even with the Ethernet cable connected, this error message should not appear. The logical explanation is a virus...
With the Ethernet cable reconnected I was able to use the program TCPView to see hidden processes related to network connectivity. A suspect connection to ikexpress.com is identified below...
A whois search reveals that ikexpress is a server hosted in France of all places! The computer was sitting idle so there was NO reason for it to be contacting an IP address in Europe. So this was obviously surreptitious activity...
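An added example, not part of the original page: the same kind of check done with Windows' built-in `netstat -ano` instead of TCPView, listing which process IDs hold TCP sessions to addresses outside the local network. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# Loopback, RFC 1918, link-local and IPv6 local ranges: traffic that stays on-site.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

def split_endpoint(endpoint):
    """Split '1.2.3.4:80' or '[fe80::1%11]:445' into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]").split("%")[0], port

def external_connections(netstat_text):
    """Return (pid, remote_ip, remote_port, state) for TCP sessions leaving the LAN."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue                  # headers, blanks, UDP rows (no State column)
        remote, state, pid = fields[2:]
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue                  # skip listeners and sockets being torn down
        host, port = split_endpoint(remote)
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            continue                  # unparseable remote column
        if not any(ip in net for net in LOCAL_NETS):
            found.append((int(pid), str(ip), int(port), state))
    return found

# Constructed `netstat -ano` output from an idle machine (documentation-range IP).
SAMPLE = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       888
  TCP    127.0.0.1:49700        127.0.0.1:49701        ESTABLISHED     3120
  TCP    192.168.1.20:49712     192.168.1.1:445        ESTABLISHED     4
  TCP    192.168.1.20:49733     203.0.113.50:80        ESTABLISHED     2456
  TCP    192.168.1.20:49734     203.0.113.50:80        SYN_SENT        2456
  UDP    0.0.0.0:5353           *:*                                    1234
"""

if __name__ == "__main__":
    for pid, ip, port, state in external_connections(SAMPLE):
        print(f"PID {pid} -> {ip}:{port} ({state})")
```

To check a live machine, save the output of `netstat -ano` to a text file and pass its contents to `external_connections`; the PID column can then be matched against Task Manager's process list.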
Has your hosts file been changed?
Generally there are only two reasons why the "hosts" file on your computer would not display the normal default text (shown below). Either the company you work for changed the "hosts" file in order to restrict which websites employees visit, or a virus has altered this file.
It is VERY common that viruses alter the "hosts" file, so let's see if your hosts file has been altered by navigating to its folder location....
C:\Windows\System32\drivers\etc\hosts
Open and view the "hosts" file with WordPad or another document viewing program...
BELOW: A "normal" looking hosts file....
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host
127.0.0.1 localhost
An infected "hosts" file would have all sorts of strange web addresses listed below the last line of text.
There are normally 5 files located in the "etc" folder, namely hosts, lmhosts, networks, protocol, services. If you can't even see a "hosts" file in the "etc" folder this could very likely be due to a virus infection. If Windows prevents you from opening the "hosts" file then this is often also a sign of virus infection.
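The hosts file check described above, written as a script (an added example, not part of the original page): it reports every active mapping beyond the stock `localhost` lines and distinguishes a missing or unreadable file. The function names and the sample entries are constructed for illustration.

```python
import ipaddress
import os
# Standard Windows location; pass another path to check an offline copy.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "drivers", "etc", "hosts")
# The only active mappings expected in a stock hosts file.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def parse_hosts(text):
    """Return active (ip, hostname) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2:
            continue
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue                             # first column is not an address
        entries.extend((ip, name.lower()) for name in fields[1:])
    return entries

def unexpected_entries(text):
    """Active mappings other than the stock localhost lines."""
    return [e for e in parse_hosts(text) if e not in DEFAULT_ENTRIES]

def audit_hosts(path=HOSTS_PATH):
    """Return (status, extras); status is missing, unreadable, default or modified."""
    try:
        with open(path, encoding="utf-8-sig", errors="replace") as fh:
            extras = unexpected_entries(fh.read())
    except FileNotFoundError:
        return "missing", []
    except PermissionError:
        return "unreadable", []
    return ("modified" if extras else "default"), extras

# Constructed sample: stock lines plus appended redirects (documentation-range IP).
SAMPLE = """# 102.54.94.97 rhino.acme.com # source server
127.0.0.1 localhost
203.0.113.7 www.avast.com free.avg.com
127.0.0.1 www.kaspersky.com
"""

if __name__ == "__main__":
    for ip, name in unexpected_entries(SAMPLE):
        print(f"unexpected mapping: {name} -> {ip}")
    print("live file:", audit_hosts())
```

A "modified" result is not proof of infection on its own, since an employer may have added entries deliberately, as noted above; the listed mappings are what to review.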
PREVENTION:
Don't get caught by "fake alert" web pages...
According to Mark Hofman of SANS Internet Storm Center, there are over 52,000 infected websites out there trying to install executable files and other malicious code. Most attacks use components which are often hidden from visitors' eyes, aiming to redirect people to other more dangerous pages.
BELOW: This is a common "fake alert" web page that you may have stumbled upon. It appears to be part of the Windows operating system, but it is not! It tries to lure the user into clicking the "X", "cancel" or "remove all". DO NOT click EITHER one! Clicking either of these will prompt you to download and install a virus.
Note the multiple grammatical errors, poor diction and just plain fishy language, a sure sign of a hoax. Fortunately most viruses are written in countries such as Russia where English is not the main language....
BELOW: You need to exit this web page by simultaneously pressing the Ctrl + Alt + Delete keys (or Ctrl + Shift + Esc), then closing out your browser by selecting it and clicking "end task". Some browsers, such as Firefox, may revisit the same malicious web site when you re-launch the browser. To counteract this you can try unplugging your Ethernet cable until you can navigate away from the page.
The newest way that the bad guys are able to install viruses on your computer is to trick you into thinking that a video on a web page won't play because you don't have the proper player or plug-in installed on your computer.
BELOW: This is an actual snapshot of a webpage that had a link to a virus. It looks like a QuickTime or Flash movie, but actually it's just a picture with a link to an exe file that launches a virus. Also note the fake claims of "78,695 views" which is used to try to gain your trust...
If you click the play button, you are asked if you want to install a supposed "video plugin". Be very suspicious if you are already able to play videos on YouTube without any problem. Note below that "exonlinedata" is obviously not Macromedia (Flash), QuickTime, Windows Media Player, VLC media player or any other familiar name. If you click the "Run" button, a virus will install on your computer...
If the video doesn't play automatically when you click to "play" it, then be cautious even if it's a legitimate site. Sometimes the bad guys create web pages that mimic real websites such as YouTube, Facebook, MySpace, etc. When in doubt go to the REAL media player download site, such as Adobe's Flash site...
http://get.adobe.com/flashplayer/
Other signs of virus infection:
Does your computer run external drives at constant intervals? One current virus attempts to run external drives every 11 seconds as soon as a browser is launched.