Milagro Technologies
Computer Support for Your Bottom Line
Home
About Us
Contact Us
Site Map
Tips
Documentation
Affiliates
The Milagro Team
Microsoft Licensing Optio
Business and Our Society
South Austin Businesses
Products and Services Log
Linux Tips
Cloud Developments
Office Live Workspace
We use Microsoft Office Live Workspaces for important customer information, like Maintenance Notes, Project Plans, System Documentation, Task Lists and Status updates.
 
Documentation Sample
The picture below is a sample of our customer online information.  Once you become a Milagro Technologies customer, you will have one of these pages, accessible by your designated team members.  This makes it easy to stay abreast of important changes and provides access to your important system information from anywhere.

 
What's This Cost?
Too many technical service operators put documentation at the end of the list of things they really should do.  We endeavor to break that habit and make the information available to you at any time from any place where you can find a web browser.  Office Live Workspace is provided by us at no additional charge.
 
A Sample Workspace

 

 

 

Documents and Links from the Tips Section

 

Rogue Antivirus links:

 

Wikipedia: http://en.wikipedia.org/wiki/Rogue_security_software

Microsoft: http://www.microsoft.com/security/antivirus/rogue.aspx

 

A sample log from MalwareBytes scan:  The items were deleted manually after the log printed.

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4322

Windows 5.1.2600 Service Pack 3 (Safe Mode)
Internet Explorer 8.0.6001.18702

7/17/2010 3:27:06 PM
mbam-log-2010-07-17 (15-27-06).txt

Scan type: Full scan (C:\|)
Objects scanned: 580406
Time elapsed: 1 hour(s), 24 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\AVSolution (Trojan.Agent) -> No action taken.

...removed key

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\<user>\Local Settings\Temp\tzSMIFqhKncQDoYzkgxZ.exe (Malware.Gen) -> No action taken.

...deleted
C:\Documents and Settings\<user>\Local Settings\Temp\VfTXWxAvTZNldFrXHhce.exe (Malware.Gen) -> No action taken.
...deleted

C:\RECYCLER\S-1-5-21-3884518717-285076776-3069251248-1013\Dc2.dll (Trojan.Hiloti) -> No action taken.

...deleted
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP1370\A0107554.exe (Malware.Gen) -> No action taken.

This scan was the second and a number of items were removed in the first pass.  Manually inspect c:\windows and c:\windows\system32 for any strange looking executable files like "qckmulfw.exe". 

 

Also when done scanning you may need to open Internet Explorer and reset your proxy settings (Tools/Internet Options/Connections/LAN Settings) to "automatic".  The rogues install a proxy program to intercept your web requests and then change the proxy setting in IE so it will use their bogus proxy program.

 

There are quite a few articles in forums on how to manually remove these vermin also.  Just enter "rogue antivirus remove" in Google.

 

It wouldn't hurt to scan a 3rd time or until MalwareBytes doesn't turn up any more bugs.

 

Also, consider using the Microsoft Windows Defender and Malicious Software Removal Tool.  Both free from Microsoft.

 

General Clean-Up Procedure

 

We assume you know your way around the registry and Windows system files - if not, be very careful changing or deleting registry keys and executables unless you are pretty sure they are malware-created.

 

Disconnect the infected computer from the network.  If wireless, turn off the radio using the available switch or function key.

 

Use a clean computer to download MalwareBytes and put the install file on a USB memory device so you can transfer it into the infected computer.

 

Shut down and restart in Safe Mode.  After the power-on self test where typically you see the manufacturer logo (e.g. Dell) and the memory test bar, the screen goes blank for a second or two.  During this period, hit F8 until you get the Safe startup screen from Windows.  It will be black and white, text only and have selections for Safe Mode, Safe Mode with Networking, and Safe Mode with Command Prompt.  Choose Safe Mode.

 

The rogue may or may not show up in Safe Mode depending on how much opportunity it has been given after infection. 

 

Insert your USB memory device and copy the MalwareBytes install file to the desktop or other directory.  Double-click to install.

 

Once the MalwareBytes install is done, perform a quick scan and remove all the malware items found.  It may require a reboot to complete.  If you reboot, use the same procedure to get into Safe Mode.

 

Then run MalwareBytes quick scan again and remove the items listed.

 

Then run MalwareBytes Full Scan.  This could take a while depending how many files are on your disk.

 

If the rogue has installed itself completely, it will probably have a directory under c:\program files.  It might be called AVSuite, Defense Center, or many other names.  It will be recently installed and will not show up as an installed program in the Windows Control Panel / Add & Remove Programs (XP).  Try to delete the folder.  If there is a .dll or .exe that won't delete, search for that file name in the registry.  Once found, modify the value to blank.  Then restart - stay in safe mode, and the directory should delete successfully.  Empty the trash. 

 

Then restart and log in as the user who reported the infection.  It should be cleared up.  If not, go back to Safe Mode and repeat the process.  Use a clean computer to Google search for the cleanup instructions for the variant you have.  If you don't see any bad behavior at this point, run the Malwarebytes full scan again and remove any threats.

 

Review any current knowlege you find via internet searches and see if you need to find and destroy any other artifacts.  Often the infection appears to be gone, but there is one little executable sitting out there in your system waiting to be fired off so it can start the infection again.

 

The rogue may have disabled your legitimate anti-virus and anti-spyware software; in fact it may have completely removed it.  Reinstall and run scans before you put the computer back on the network.