How to Manually Remove Fraudulent Scareware That Malware Scanners Cannot Get Rid Of
Posted 13 months ago on 6/28/2019
Take Away: This article discusses an unconventional, manual technique I sometimes use to flush out malware that escapes conventional scanning programs.

KB103865

I have encountered many situations in my computer repair business involving one or more pop-up screens that appear soon after Windows starts up and show an alarming number of viruses on the computer. The screen is usually multi-colored and the title of the pesky software reads something like “Pro AntiVirus XP”, “Security System”, “Live Antivirus” or some other professional-sounding bogus name. This is called scareware. It is designed to frighten you into thinking your PC is being overrun by a virus infestation. The message then says they want your credit card number so they can “remedy the problem and have your computer running like new”. Sadly, I know several customers who sent in their money in exchange for solutions that never arrived.

Many people plagued with this problem try a full scan with good, well-known malware scanners, and sometimes that flushes out the problem. But there are other instances when the scanner can’t eliminate the culprit malware that is driving you nuts and wasting your valuable time. If the security software scanners can’t remove it, where do you go from here to fix the computer?

I have used a manual malware removal technique to get these pests out of computers for many people. I didn’t get training for it at some school; I just learned through trial and error. The first step is to locate where the menacing executable malware file is on the PC. This option may not necessarily work, depending on the type of malware causing havoc, but in many cases it does.

First, click the Windows Start button to bring up the main program menu. At the bottom of it you will see a text box for entering commands. Key in “msconfig” and press the Enter key. A small dialog screen appears with several tabs near the top. Click on the “Startup” tab and you will see a listing of the various programs that launch into memory when Windows starts. You will notice there are 5 columns: Startup Item, Manufacturer, Command, Location and Date Disabled. The 2 columns you want to pay attention to are “Startup Item” and “Command”.

If the scareware “exe” file is present in the “msconfig” screen, you will typically see a jumble of letters and/or numbers under the “Startup Item” column, such as “ldwsedk32”, “qyw7ed”, etc. It looks suspicious because it was automatically generated by a malicious program rather than chosen by a real person. The “Command” column displays the folder location of the culprit “exe” file. In Windows Vista, 7, 8, 8.1 and 10 it may look like this: C:\Users\[User]\AppData\[random].exe, where “random” is a jumble of letters and/or numbers as previously mentioned. Other variations may include:

C:\ProgramData\[random].exe

C:\Users\[User]\AppData\Local\[random].exe

C:\Users\[User]\AppData\LocalLow\[random].exe

C:\Users\[User]\AppData\Roaming\[random].exe

Now, you need to go into Control Panel and click Folder Options -> View to enable “Show hidden files, folders and drives”. The scareware file may be hidden, so this invisibility mask needs to be lifted so you can see it and delete it. This brings me to my next point.

Since the scareware “exe” file is running on your PC, you typically won’t be able to delete it in normal Windows startup mode. If you try, you will get an “Access denied” message.

The PC needs to be restarted in “Safe Mode” so the scareware doesn’t launch and the file can be deleted and then emptied from the Recycle Bin. After this emergency startup mode is up and running, just go to the path you found in the “msconfig” utility, locate the scareware “exe” file and delete it. It typically has a colored icon once you see it in its “folder hideout”. Lastly, it may be a good idea to do a registry scan to remove any residual entries of this and other malware that have invaded your computer.
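The check described above can be scripted so that nothing is missed in a long startup list. The following PowerShell script is an added example, not part of the original article and not the author's own tool. It reads the same autostart locations that the msconfig Startup tab draws from (the Run/RunOnce registry keys and the two Startup folders; on Windows 8 and later the msconfig tab itself hands off to Task Manager, but the entries live in these same places) and flags entries that match the pattern the article describes: an executable sitting directly under AppData, AppData\Local, AppData\LocalLow, AppData\Roaming, ProgramData or a Temp folder, a machine-generated looking name, a hidden file, or an unsigned file. The function names (Test-SuspiciousStartup, Get-ExePath, Test-RandomName) and the name heuristic are my own choices. The script only reports; the deletion step is still done from Safe Mode as the article explains.

```powershell
# Added example (not from the original article): list autostart entries the
# way msconfig's Startup tab does and flag the ones that look like the
# scareware pattern described above. Read-only: it reports, nothing is deleted.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup')   # all-users Startup folder
)

# Pull the executable path out of a "Command" value such as
#   "C:\Users\Bob\AppData\ldwsedk32.exe" /silent   or   C:\ProgramData\qyw7ed.exe
# A .lnk shortcut in a Startup folder is resolved to its target.
function Get-ExePath([string]$Command) {
    $path = ($Command -split '\s+')[0]
    if ($Command -match '^\s*"([^"]+)"')      { $path = $Matches[1] }
    elseif ($Command -match '^\s*(\S+\.exe)') { $path = $Matches[1] }
    $path = [Environment]::ExpandEnvironmentVariables($path)
    if ($path -match '\.lnk$' -and (Test-Path -LiteralPath $path)) {
        $path = (New-Object -ComObject WScript.Shell).CreateShortcut($path).TargetPath
    }
    return $path
}

# Heuristic (my assumption, not a rule from the article) for a "jumble of
# letters and/or numbers": at least 5 characters and either no vowels at all
# or digits mixed in among the letters, e.g. ldwsedk32 or qyw7ed.
function Test-RandomName([string]$BaseName) {
    $n = $BaseName.ToLower()
    if ($n.Length -lt 5) { return $false }
    $vowels = ($n -replace '[^aeiou]', '').Length
    $digitLetterMix = ($n -match '[a-z][0-9]|[0-9][a-z]')
    return ($vowels -eq 0) -or $digitLetterMix
}

function Test-SuspiciousStartup {
    $entries = @()
    foreach ($k in $runKeys) {
        if (-not (Test-Path $k)) { continue }
        foreach ($p in (Get-ItemProperty -Path $k).PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $entries += [pscustomobject]@{ Name = $p.Name; Command = [string]$p.Value; Location = $k }
        }
    }
    foreach ($f in $startupFolders) {
        if (-not (Test-Path $f)) { continue }
        foreach ($fi in (Get-ChildItem -Path $f -Force -File)) {
            $entries += [pscustomobject]@{ Name = $fi.BaseName; Command = $fi.FullName; Location = $f }
        }
    }

    $findings = @()
    foreach ($e in $entries) {
        $exe = Get-ExePath $e.Command
        $reasons = @()
        # Directly under AppData / AppData\Local / LocalLow / Roaming / ProgramData, or in a Temp dir
        if ($exe -match '\\AppData\\(Local\\|LocalLow\\|Roaming\\)?[^\\]+\.exe$' -or
            $exe -match '^[A-Za-z]:\\ProgramData\\[^\\]+\.exe$' -or
            $exe -match '\\Temp\\') {
            $reasons += 'runs from a user-writable data folder'
        }
        if (Test-RandomName ([IO.Path]::GetFileNameWithoutExtension($exe))) { $reasons += 'random-looking file name' }
        if (Test-RandomName $e.Name) { $reasons += 'random-looking startup item name' }
        if (Test-Path -LiteralPath $exe) {
            $item = Get-Item -LiteralPath $exe -Force      # -Force so hidden files are returned
            if (($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0) { $reasons += 'file is hidden' }
            $sig = Get-AuthenticodeSignature -FilePath $exe
            if ($sig.Status -ne 'Valid') { $reasons += "signature: $($sig.Status)" }
        } else {
            $reasons += 'target file not found (dead entry or unparsed command)'
        }
        if ($reasons.Count -gt 0) {
            $findings += [pscustomobject]@{
                StartupItem = $e.Name
                Command     = $e.Command
                Location    = $e.Location
                Reasons     = ($reasons -join '; ')
            }
        }
    }
    return $findings
}

Test-SuspiciousStartup | Format-Table -AutoSize -Wrap
```

Run it in a normal (non-Safe Mode) session first to record the path, then do the deletion from Safe Mode as described. The output is a triage list, not a verdict: the name heuristic will also flag some legitimate names that mix digits and letters, and many small legitimate tools ship unsigned, so each flagged entry still gets the manual look the article describes before anything is removed.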

The best way to get rid of stubborn scareware “exe” files may not always be the conventional way via security software scanners. Given the nature of these pesky things, you may have to get creative and “think outside the box” to weed them out of your PC. The method I have explained is one way to do it, but there may be a number of other techniques, too.

Article Contributed By Douglas.M:

Please visit my software developer website for more information about my services. I offer application development as well as Android app coding services. My developer skills are best suited to dealing with custom software projects. I can perform programming for Corel Paradox as well as C# Sharp and PHP.

In my local area of northeast Ohio, I can cater to computer repair and "fix my computer" issues.

Use my contact web page today to reach me about any software design ideas you have.

©1995-2020 PrestwoodBoards