Antivirus

I uninstalled Microsoft Security Essentials because to me it's the worst antivirus, so I use SuperAntiSpyware and Avast. To me SuperAntiSpyware is the best one because it finds trojans and keygens and MS doesn't.

Why is Microsoft Security Essentials bad? I think it's good because I have used it on 3 of my computers and they all seem to run pretty good.
 
Interested to see this thread. On Monday I bought a new Notebook. I was braced for the Windows 8 operating system (yuck!) but not the bundled Norton 'security' (thanks PC World!). No matter, I thought, I'll just disable that, enable Windows Firewall and Defender, then uninstall the Norton malware. But no! Both MS Firewall and Defender are disabled by Norton and cannot be re-enabled. So I called Customer Service (thank God, not the Indian Service Centre). They got me to download and install the Norton Removal Tool (clearly uninstall just isn't enough for this beast!). Following this, MS Firewall was back, but not Defender. No problem, said Customer Service, just 'refresh' all your Windows 8 settings. I rang off (mistake). 30 minutes later, my Windows installation was 'refreshed' - so was Norton, as it had re-installed itself!

Not wanting to bother Customer Service again (for the time being), I chose to temporarily activate Norton so at least I could go online and get my machine set up and running.

Today I discovered, having done scarcely any browsing with my new Notebook, that a delightful piece of malware 'Browser Defender' had installed itself on my machine and was hogging 15% of CPU. Norton appeared to have switched itself off, having offered no defence to this intrusion. Fortunately, I managed to uninstall Browser Defender and then run Malwarebytes and Spybot and carry out various scans, which identified and eliminated dozens of malware changes which Norton utterly failed to spot.

LATEST: I'm now getting a message from Windows Action Center telling me that antivirus and firewall are turned off. Norton, it goes without saying, claims to be switched on and working. Who to believe?

I don't doubt the benefits to PC World of having a tie-up with Symantec, but what about their customers? Any advice about how I get rid of this crap from my Notebook?

Paul
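As an added, read-only example (my code, not Paul's, and nothing to do with Norton), the following PowerShell asks Windows Security Center and the service manager what they see, so the Action Center message and a vendor's own "protected" status can be checked against each other. It assumes an elevated PowerShell 3.0 or later on Windows 8; the decoding of productState follows the commonly observed bit layout rather than a published specification.

```powershell
# Added example (not from the thread or any vendor): compare what Windows
# Security Center has registered with the state of the core services.
# Assumes: elevated PowerShell 3.0+ on Windows 8 or later. The productState
# decoding follows the commonly observed layout, not a published spec.

function Get-RegisteredSecurityProducts {
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue
        foreach ($p in $products) {
            # productState as six hex digits: the middle byte is 10/11 when the
            # product reports itself enabled, 00/01 when disabled; the low byte
            # is 00 when signatures are current and 10 when out of date.
            $hex = '{0:X6}' -f [int]$p.productState
            [pscustomobject]@{
                Kind     = $class
                Name     = $p.displayName
                Enabled  = ($hex.Substring(2, 2) -in '10', '11')
                UpToDate = ($hex.Substring(4, 2) -eq '00')
                StateHex = $hex
                Exe      = $p.pathToSignedProductExe
            }
        }
    }
}

function Get-CoreSecurityServices {
    # Real service names on Windows 8: Defender, Firewall, Security Center, Update.
    $purpose = @{ WinDefend = 'Windows Defender'; MpsSvc = 'Windows Firewall'
                  wscsvc = 'Security Center'; wuauserv = 'Windows Update' }
    foreach ($name in $purpose.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        $state = if ($svc) { $svc.State } else { 'not installed' }
        $start = if ($svc) { $svc.StartMode } else { '-' }
        [pscustomobject]@{ Service = $name; Purpose = $purpose[$name]; State = $state; StartMode = $start }
    }
}

# A product that is registered but shows Enabled=False, or WinDefend/MpsSvc
# Stopped with StartMode Disabled, is what Action Center is warning about.
Get-RegisteredSecurityProducts | Format-Table -AutoSize
Get-CoreSecurityServices       | Format-Table -AutoSize
```

If Security Center lists two antivirus products (the vendor's and Defender) with only one enabled, that is normal: Windows disables Defender while a third-party product is registered, and it should come back once the third-party entry is gone. An entry that remains after the removal tool has run is the thing to chase.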
 

You made two mistakes; #1 you bought something from PC World #2 You bought something with Windows 8 installed.
 
snip: ~ Today I discovered, having done scarcely any browsing with my new Notebook, that a delightful piece of malware 'Browser Defender' had installed itself on my machine and was hogging 15% of CPU. Norton appeared to have switched itself off, having offered no defence to this intrusion. Fortunately, I managed to uninstall Browser Defender and then run Malwarebytes and Spybot and carry out various scans, which identified and eliminated dozens of malware changes which Norton utterly failed to spot.
I was wondering, when you have malware, where is it installed. Does it hide in secret places in your PC ... or is it blatantly named in "Programs And Features"?
 

Sometimes yes, and both. There are some so-called applications which install themselves in Programs and Features with an uninstaller, but this doesn't work like you think it should. The uninstaller will go through the motions in many cases, but the application will reinstall itself upon reboot or internet access. The reason is there are hidden files associated with the installer that detect when the application has been removed. This is where the various tools come in, such as Procexp (Process Explorer) from Mark Russinovich. He wrote this as part of the Sysinternals Suite and it is available for free from Microsoft's TechNet website.

With Procexp, which can get around the malware in many cases because some malware will disable Task Manager, you can suspend the processes from the malware. With the malware suspended, other tools can be run to remove the bug from the system. Using this process, among others, I have about a 95% success rate with malware removal.

John
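An added example (my code, not John's) that lists, read-only, the usual places a program can hook itself to come back after a reboot, plus any running process that lives in a user-writable folder. That is the first thing to look at when an uninstaller "goes through the motions" and the program returns. It assumes Windows 8 or later (Get-ScheduledTask comes with its ScheduledTasks module) and an elevated prompt; the list of user-writable folders is my own heuristic.

```powershell
# Added example (not John's): read-only listing of the usual "come back after
# reboot" locations plus running processes that live in user-writable folders.
# Assumes Windows 8 or later (ScheduledTasks module) and an elevated prompt.

function Get-AutostartEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Skip the PS* provider metadata properties; everything else is a Run entry.
        foreach ($name in ($props.PSObject.Properties.Name | Where-Object { $_ -notlike 'PS*' })) {
            [pscustomobject]@{ Source = $key; Name = $name; Command = $props.$name }
        }
    }
    # Scheduled tasks are the other common relaunch mechanism.
    Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object { $_.State -ne 'Disabled' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{ Source = "Task $($task.TaskPath)"; Name = $task.TaskName
                                   Command = "$($a.Execute) $($a.Arguments)".Trim() }
            }
        }
    }
}

function Get-ProcessesFromUserPaths {
    # Heuristic (my choice): most legitimate software lives under Program Files
    # or Windows; anything running from these roots deserves a second look.
    $roots = @($env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC, $env:ProgramData) | Where-Object { $_ }
    foreach ($proc in Get-Process) {
        $path = $proc.Path
        if (-not $path) { continue }     # no access to the image path (system processes)
        foreach ($root in $roots) {
            if ($path -like "$root\*") {
                [pscustomobject]@{ PID = $proc.Id; Name = $proc.ProcessName; Path = $path }
                break
            }
        }
    }
}

Get-AutostartEntries       | Format-Table -AutoSize -Wrap
Get-ProcessesFromUserPaths | Format-Table -AutoSize -Wrap
```

A Run entry or task whose command points into AppData or Temp, with a matching process in the second list, is the pair to suspend in Process Explorer before running the removal tool, exactly as John describes; the script itself only reports.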
 
I was wondering, when you have malware, where is it installed. Does it hide in secret places in your PC ... or is it blatently named in "Programs And Features" ?

A common form of malware isn't really malware as such, because you install it yourself. Commonly, when you install software there will be boxes already ticked, such as "Install Delta Search Toolbar", and you will be in such a hurry you will leave them ticked. They pretend to be Google Chrome and you may not even notice them until you try to remove them. When you do, expect much swearing.
Google Images is heavily infected with nasty stuff and it is best avoided if you can.
 
I use YouTube and Google Images thousands of times per month ... what location are these nasty little gremlins hiding at?

I run Norton 360, and MS Security Essentials, and Malwarebytes, and they rarely show any infections.

Norton is always showing: "Blocked Fake Blah Blah Virus Toolkit"
 

Lewis is correct. This is one of the many infection vectors, as they call it. These add-ons are nasty crapware that gets in the machine. Spigot Search is the latest. Others include that horrific WeatherBug which causes such poor machine performance, you'll think you're running a '486 instead of an i7!

The asynchronous downloads, as Lewis mentions, are really all about the web these days, and the way these things work is simple, though very nasty, because they make use of how the internet, HTML, and AJAX work. The biggest and worst infection vector is right off of the search pages. Never, ever, ever click on a search link on a Google webpage unless you know what you are looking for. And, more importantly, if you need to click on a link, go for those on the lower pages. The even better way to choose a link is to type the link in yourself once you find it. You'll understand this methodology in a minute.

The malware writers infect a website and change where the web links point. The link will display properly, but the underlying code points to a new location in the HREF. The new location is most likely their hacked FTP server that contains the pop-up ad which says something like "Your machine is infected with Viruses! Install our fake antivirus" (fill in the name of your favorite company here; they usually pick someone such as AVAST, AVG, MALWAREBYTES, even NORTON, or many others, or even their own fake product such as Antivirus 2013 Ultimate Virus Fighter (name made up here)). The problem is you can close the window; however, they have now snuck down code in the background. This is by using asynchronous exchanges. In the old days, webpages would be downloaded singly. In other words, you'd download and wait, and wait, and wait some more for your page to display, then you'd go on to download the next one. With the newer, faster networks, multimedia, JavaScript, and other coding, webpages can be downloaded in the background while you are viewing the one in front of you. This is how Google Earth works. How could you view this continuous slice of earth so quickly if you waited for each and every page to download? The same with viewing movies on YouTube, or other multimedia applications on the web. There's nothing wrong with this underlying technology when it's used for good purposes, such as online mapping and movies; however, there are always those that will find ways to make good things work for bad reasons.

So... getting back to our example here. You've clicked on a link, thinking you've picked the correct one on Google Search. This brought up another website that displayed an advertisement you couldn't close right away. Then your browser crashes, locks up, or just plain disappears from view. You are infected now! The software has downloaded a dropper to your machine and put hooks into your browser. The hooks are what caused your browser to crash, and this doesn't just happen to Internet Explorer. I've seen this with Chrome, Firefox, and even Opera. This, by the way, is how this stuff enters into Apple Macintosh computers too. Yes, Apple computers get viruses!

The little dropper now waits for a bit, perhaps until your next reboot or maybe an hour or two. The reason for the wait is to throw you off track. In the older versions of this hack, the dropper would go right back out to the network and download the rest of the fake product and underlying malware bits. So now by waiting a bit, they'll throw the average user off track. You reboot your machine for any number of reasons and the dropper does its thing by downloading the rest of the code. Remember, today the networks are a lot faster so these small bytes of data can sneak in without too much notice. The code is now installed and ready for action.

You now get a pop-up screen that says "Antivirus 2013 Ultimate Virus Fighter". The interface is fake, though it shows multiple viruses, usually 35 or more, and there's a scanner screen showing a progress bar. You try to cancel the virus scan, but you can't. The thing brings up a pop-up window or windows that prevent you from closing down the program.

You now reboot the machine. Nope it scans again, and now worse, your start menu and desktop have disappeared and it says to remove these viruses, buy our product for $99.99!

You are now in a panic! Don't ever, ever, buy that product. All you're doing is sending money to some Eastern European mafia gang. Seriously! The majority of this malware is written by Eastern European college students looking for quick beer money. They either purchase a kit, or are handed the kit to write the code and they're paid $30.00 for the code, which is bought by the Eastern European or Russian mobs.

You said that your Norton 360 found the code. This is possible, but after the fact, once it's installed. The full infection has never been removed and the problem now is the code will be replaced upon the next connection to the network. Again, they also infect Windows recovery files as well. If you attempt to do a system restore, you'll find that you'll receive the virus back. They also infect the system files which are protected and are replaced by Windows upon reboot. This puts the virus code back in, making the removal difficult. As I said, the best way to remove this is to run a separate product. There are many of them out there for this, but are best left for the professional IT person to use. If you are interested in removing these infections, at your own risk, visit: www.bleepingcomputer.org

John
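An added example, mine rather than John's: the "hooks" he mentions for Internet Explorer are most often Browser Helper Objects, and they can be audited from the registry. The PowerShell below lists every registered BHO, resolves its CLSID to the DLL that gets loaded into the browser, and checks whether that DLL still exists and carries a valid Authenticode signature. It is read-only and assumes Windows 8 or later with an elevated PowerShell 3.0+; the registry locations are the standard BHO and CLSID paths for 64-bit and 32-bit (Wow6432Node) registrations.

```powershell
# Added example (not John's): enumerate Internet Explorer Browser Helper
# Objects, resolve each CLSID to its DLL and check the DLL's signature.
# Read-only. Assumes Windows 8 or later, elevated PowerShell 3.0+.

function Get-BrowserHelperObjects {
    # 64-bit and 32-bit (Wow6432Node) registrations; CLSIDs resolve through HKCR.
    $views = @(
        @{ Bho   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\CLSID' }
        @{ Bho   = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
           Clsid = 'Registry::HKEY_CLASSES_ROOT\Wow6432Node\CLSID' }
    )
    foreach ($v in $views) {
        if (-not (Test-Path -LiteralPath $v.Bho)) { continue }
        foreach ($entry in Get-ChildItem -LiteralPath $v.Bho) {
            $clsid  = $entry.PSChildName
            $server = "$($v.Clsid)\$clsid\InprocServer32"
            # The InprocServer32 default value is the DLL the browser will load.
            $dll    = (Get-ItemProperty -LiteralPath $server -ErrorAction SilentlyContinue).'(default)'
            $dll    = [Environment]::ExpandEnvironmentVariables(("$dll").Trim('"'))
            $name   = (Get-ItemProperty -LiteralPath "$($v.Clsid)\$clsid" -ErrorAction SilentlyContinue).'(default)'
            $exists = [bool]($dll -and (Test-Path -LiteralPath $dll))
            $sigState = 'n/a'; $signer = ''
            if ($exists) {
                $sig = Get-AuthenticodeSignature -FilePath $dll
                $sigState = $sig.Status
                if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
            }
            [pscustomobject]@{
                CLSID    = $clsid
                Name     = $name
                Dll      = $dll
                Exists   = $exists
                SigState = $sigState
                Signer   = $signer
            }
        }
    }
}

# Unsigned DLLs under a user profile, or a BHO whose DLL no longer exists, are
# the entries to investigate; well-known signed vendors are usually fine.
Get-BrowserHelperObjects | Format-List
```

Chrome and Firefox keep their extensions in their own profile folders rather than in this registry location, so a clean BHO list does not clear those browsers; it covers the IE case John starts from.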
 
A postscript from me - used the Norton removal tool again, but Windows Defender is still not usable. Customer Service is now advising me to re-install Windows. Don't like this idea, so I installed Kaspersky instead, which I use on my main PC and trust (up to a point). Cost £40. Hmmm....

After reading John's post, above, however, I do wonder whether it's worth going on line at all!

Paul
 

Paul,

I know how you feel! When I was working last year, I removed probably 15-20 of these infections a week. The sales people were doing simple Google Searches and clicking on links. It was, and still is, an awful, time-consuming process to remove the infection.

Kaspersky is an okay product, but since these critters sneak in and around the installed antivirus, you could end up with an infection anyway. Regarding your machine, the experts are probably correct. It sounds like the infection had destroyed some critical files in the operating system, rendering the Windows Defender useless. The problem is what other files are broken, and there is no way of knowing so the best bet is to reinstall and be done with it.

John
 
Of course it goes without saying that if you know what you are doing and take precautions, you don't get much, if anything, in the way of problems. I get no issues with Google searches or Google Images, but only because I have a pretty much locked-down system with anything that is blockable blocked.
Sadly, these days most computer users do not know enough to avoid the numerous problems you can get.
Been pretty much clean here since the last century. I have, however, cleared thousands of infections from other people's machines. Bleeping Computer is a good place to start for those who know what they are doing with a PC and already know their way around the file systems, services and registry, but you must follow the advice to the letter or you may make things considerably worse, especially when using ComboFix!
 
The problem is what other files are broken, and there is no way of knowing so the best bet is to reinstall and be done with it.

Does SFC still exist in Win8? It does in Win7 and might just sort out Defender assuming of course you have an OS disk?
 
Hi John, Paul and everybody.
Sorry to hear about your problems Paul especially as they seem to have been created by Currys probably doing a deal with Norton regarding having their software on Currys laptops and PCs. Having said that, I have been running Norton antivirus and Internet Security on my home computers for more than 10 years and have never had any problems.

We now have 13 computers in the offices which are maintained by a computer guy (Mark) on a contract basis and he has put Norton software on all those machines and I have to say we have never had any problem with infection since the business started as far as I am aware. Mark usually comes into the offices once a week or fortnight to just go through the machines to keep them up to speed and on song as you might say. All of us are always on the Internet searching any number of websites for court or industrial tribunal landmark rulings as well as a huge amount of research on injury compensation etc.

Therefore, with all that going on, Mark may have found infections while carrying out servicing, but it must have been minor, as no one has reported anything as serious as the cases you describe, John, in all the eight years the business has been running. To be honest, I have never really asked him what he does or what he may have found in the machines; for as long as they keep running with no problems to us, that is all we are looking for.

Without wishing to go off topic in your thread, Paul, we recently at home have bought a smart TV at Currys with full Internet access through Google’s search engine. There is no antivirus on that, and as far as I can see no one is advising that we should have any. Now that does worry me, as the television was very expensive and surely someone is going to dream up a virus to infect them at some time or other.

Perhaps John with your expertise and experience in computers you could advise on the above.

Bill
 
Here is an example:
Malwarebytes results: "Below is a list of malicious software found on your system ... Close all unnecessary applications to ensure total threat removal" ... Remove All ?

PUP.Optional.1ClickDownload.A - Registry key - HKCU\Software\1ClickDownload
PUP.Optional.SweetIM.A - Registry Value - HKLM\Software\Software\SweetIM|simapp_id
PUP.Optional.SweetIM.A - Registry Key - HKLM\SOFTWARE\SWEETIM

I once got "Funmoods Toolbar" from downloading Google Chrome ... it was pretty tough to remove.
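As an added example (my code, not the poster's and not Malwarebytes' own), here is a PowerShell way to take the three result lines quoted above, check whether each key or value is actually present on the machine right now, and export any key that is present to a .reg file before letting any tool remove it, so a false positive can be put back. The three lines are constructed from the post; the parser assumes the Malwarebytes "detection - type - location" layout with a "|" between key path and value name; the backup folder is my choice.

```powershell
# Added example (not the poster's, not Malwarebytes'): parse the quoted result
# lines, check whether each key/value is present now, and export present keys
# to .reg files before any removal so a false positive can be restored.
# Assumes Malwarebytes' "detection - type - location" layout with '|' between
# key path and value name; the backup folder below is my choice.

# Constructed from the three lines quoted in the post above.
$mbamLines = @'
PUP.Optional.1ClickDownload.A - Registry key - HKCU\Software\1ClickDownload
PUP.Optional.SweetIM.A - Registry Value - HKLM\Software\Software\SweetIM|simapp_id
PUP.Optional.SweetIM.A - Registry Key - HKLM\SOFTWARE\SWEETIM
'@ -split "`r?`n"

function ConvertFrom-MbamLine {
    param([string]$Line)
    $parts = $Line -split ' - ', 3
    if ($parts.Count -ne 3) { return }
    $key = $parts[2].Trim(); $value = $null
    # "key|valuename" marks a registry value rather than a whole key.
    if ($parts[1] -match 'Value' -and $key -match '^(.+)\|([^|]+)$') { $key = $Matches[1]; $value = $Matches[2] }
    [pscustomobject]@{ Detection = $parts[0]; Type = $parts[1]; Key = $key; Value = $value }
}

function ConvertTo-ProviderPath {
    param([string]$Key)
    $full = ($Key -replace '^HKCU\\', 'HKEY_CURRENT_USER\') -replace '^HKLM\\', 'HKEY_LOCAL_MACHINE\'
    'Registry::' + $full
}

function Test-MbamDetection {
    param($Item)
    $psPath = ConvertTo-ProviderPath $Item.Key
    $keyExists = Test-Path -LiteralPath $psPath
    $valueExists = $false
    if ($keyExists -and $Item.Value) {
        $valueExists = $null -ne (Get-ItemProperty -LiteralPath $psPath -Name $Item.Value -ErrorAction SilentlyContinue)
    }
    [pscustomobject]@{ Detection = $Item.Detection; Key = $Item.Key; Value = $Item.Value
                       KeyExists = $keyExists; ValueExists = $valueExists }
}

function Backup-RegistryKey {
    param([string]$Key, [string]$OutDir)
    if (-not (Test-Path -LiteralPath $OutDir)) { New-Item -ItemType Directory -Path $OutDir | Out-Null }
    $file = Join-Path $OutDir (($Key -replace '[\\:|]', '_') + '.reg')
    # reg.exe understands the HKCU/HKLM abbreviations; /y overwrites silently.
    & reg.exe export $Key $file /y | Out-Null
    $file
}

$backupDir = Join-Path $env:USERPROFILE 'Desktop\mbam-backup'
foreach ($item in ($mbamLines | ForEach-Object { ConvertFrom-MbamLine $_ })) {
    $result = Test-MbamDetection $item
    $result
    if ($result.KeyExists) { 'Backed up to ' + (Backup-RegistryKey -Key $item.Key -OutDir $backupDir) }
}
```

Double-clicking an exported .reg file merges it back, which is the recovery path if a removal turns out to have been wrong. Note that the second quoted line has "Software\Software" in its path; the script tests it exactly as reported rather than guessing what was meant.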
 
Hi Bill,

I hope all is going well for you and I sure wish you'd take your wife up on the retirement offer! :)

Anyway. Mark is probably finding, as you said, the minor things such as adware and bits of spyware which come in from time-to-time. This is why I run a scan daily on my home PCs. Interestingly, I rarely get infected and I think the last time I had a virus was over 10 years ago so my diligence must be paying off.

As far as these new smart TVs go, I have seen very few of them to comment on them directly. They probably run an embedded OS such as a form of Linux which is difficult to write malware for. This isn't to say that something like this isn't going to happen because once the malware writers find a backdoor, a loophole in the system, watch out! The floodgates will open the system up to all kinds of infections. We have to remember too that the bad guys go for the biggest target they can find. This is what has kept Apple out of the loop for so long. If you think about it who wants to go for a 10% share of the market (maybe more or less) if they can get more fish out of the other 88%, giving Linux and its relations a 2% market.

@Malc,

SFC is still available from the command prompt for Windows 8. It runs the same way as it always did in Windows 7. You are correct, the OS DVD may be needed for the repairs.

John
 

Lol I was asked by a barman in a local pub to look at his laptop because he had lost his password and couldn't remember his email address. The first thing I saw was "Funmoods" and when I downloaded Malwarebytes Free it clocked up 416 infections before the lappy ran out of juice (he forgot to bring the charger!)
 
So should I delete these 3 supposedly malicious items, found by Malwarebytes?

PUP.Optional.1ClickDownload.A - Registry key - HKCU\Software\1ClickDownload
PUP.Optional.SweetIM.A - Registry Value - HKLM\Software\Software\SweetIM|simapp_id
PUP.Optional.SweetIM.A - Registry Key - HKLM\SOFTWARE\SWEETIM

You never want to delete a falsely reported item
 

Remove SweetIM virus http://www.2-spyware.com/remove-sweetim-com-virus.html

Quote "Sweetim.com virus is a typical cyber infection that closely relies on browser hijacker helping it to continue redirections to various unwanted domains. Some of these domains are harmless (Search.Sweetim.com is harmless as well), but some of them may be filled with misleading advertisements and pop-up ads offering users to install various programs. Besides, this virus has also been found to alter user's homepage and add its own toolbar. If you have also been suffering from browsing problems associated with the Sweetim.com virus, keep in mind that you should never ignore such issues because they simply notify you about browser hijacker that has managed to infect your PC."
 
1ClickDownload could be related to the 1click downloader, if you installed it. If you didn't, get rid of it, as it can be a few "other" things; at a guess it arrived with SweetIM, which needs getting rid of.

Malwarebytes is usually pretty good at getting it right, if in doubt check on their forums as any false positives will have been flagged.
 
One of the important things to remember with malware is: who really knows all of what it does, or do we really know what it is capable of once the hooks are in your PC? Seriously, once the malware writers have released the code, version 1.0, there are then variants of the same critter floating around. Remember, these come from a 'kit' that they purchase, complete with the interface. So once the bits are on your machine, there's a possibility of the program now sending personal information back to the hosts, including banking information if they happen to install a key-logger or tracking programs.

Scary stuff!

John
 