ISSUE 18.17.F • 2021-05-10

In this issue

SAFETY: Anatomy of a malware

Additional articles in the PLUS issue

PUBLIC DEFENDER: Buy the drives you need before ‘chia’ gets them all

LANGALIST: From bad to worse: A repair goes awry

BEST UTILITIES: Freeware Spotlight — O&O Lanytix

ON SECURITY: Is the cloud unsafe?


SAFETY

Anatomy of a malware


By Ben Myers

Things are not always as they seem. What might appear to be a devastating, PC-destroying piece of malware can sometimes be a spoof.

Recently, a client gave me his laptop, which displayed a frightening message as soon as he logged in (see Figure 1). This variety of malware is all too popular. Here is a step-by-step process to remove it, on the assumption that the antivirus software installed on the computer cannot do its job. Along the way, you will see where malware is often hidden.

Figure 1. A very scary-looking malware message, taken by a hand-held camera

And, NO! The malware did not do as it claimed. But it hoped to scare owners into calling the area-code 704 number at the bottom of the screen, a cellular number in the Charlotte, North Carolina area. The scammer on the phone would hope to take your credit-card information and run up some charges.

At the heart of this scam is software called Supremo, claimed to be remote-access software similar to RDP, AnyDesk, TeamViewer, UltraVNC, LogMeIn, and others. Like those programs, Supremo allows the scammer to gain remote access to your computer, after which your passwords and personal financial information are at serious risk of theft. Beware! You can find very positive reviews of Supremo via a Google search, as well as possibly bogus or obsolete instructions for its removal. Supremo may have an honest and legitimate purpose, but its association with this malware is an enormous red flag.

The first breakthrough

The initial screen displayed was much larger than shown, with the telephone number below the bottom of the screen. There is nothing to lose by trying the usual browser shortcut Ctrl+Minus to shrink the text size. Surprise! This worked, so the red screen appeared in a browser window.

Next, Ctrl+Alt+Del was not inhibited. It brought up the usual choices, so I clicked Task Manager, after which the laptop looked and behaved normally, except for the red screen in the background. Great! I was able to click the start menu, run programs, and terminate programs unimpeded.

Often there are nasty files with a hidden attribute lurking in various folders. When examining a computer for malware or a virus, unhide protected operating-system files and show hidden files, folders, and drives as follows:

  • Open the old Control Panel by typing Control Panel into the Windows search bar, then click File Explorer Options.
  • Click the tab View, then click the radio button Show hidden files, folders, and drives underneath Hidden files and folders.
  • Remove the check from the checkbox Hide protected operating system files (Recommended).
  • Windows will complain with the dialog box shown in Figure 2.

Figure 2. Windows’ Protected Operating System Files warning dialog

  • Click Yes.

Remember to hide files and folders again when this spelunking expedition is over.

Clean up

Before doing anything further, take the time to clean up the system.

  • Open Windows Explorer and type %temp% into the address bar.
  • Select all files with Ctrl+A, then Delete.
  • Windows will be unable to delete files in use by apps that are currently running and will present a dialog box asking what you want to do. Check Do this for all current items and then click Skip.

%temp% is the folder where many Windows programs store data temporarily and, like little children, do not clean up after themselves. If thousands of files and folders are allowed to accumulate in %temp%, a system will simply crawl. (On my workstation, %temp% expands to C:\Users\benmy\AppData\Local\Temp.)

A Discovery

Continuing with the same Windows Explorer window you have been using, follow these steps:

  • Change the address bar to C:\windows\temp.
  • Select all files with Ctrl+A, then Delete.
  • Windows will be unable to delete files in use by apps that are currently running and will present a dialog box asking what you want to do. Check Do this for all current items and then click Skip.

C:\windows\temp is the other folder used for temporary files created by both Windows and some Windows apps. It gets just as little attention as %temp% and thus accumulates just as much detritus.

Here’s the very interesting discovery. After deleting all possible files from Windows’ own temp folder(s), this infected system still showed the folder SupremoRemoteDesktop. That means it was in use, a vital clue about the malware.
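The clue above (a temp subfolder that refuses to be deleted because a running program holds it open) can be checked without deleting anything first. The following PowerShell script is an added example, not code from the article: it tries an exclusive open on every file under %temp% and C:\Windows\Temp, groups the locked ones by folder, and then lists any running process or service whose name matches the suspect folder (here Supremo, as in the article).

```powershell
# Added example (not from the article): non-destructive triage of the two temp
# folders the article clears. Instead of deleting, it records which files are
# held open by a running process, since "cannot be deleted" is the clue the
# article uses to spot the malware's working folder.
$TempFolders = @($env:TEMP, (Join-Path $env:windir 'Temp'))

function Test-FileLocked {
    param([string]$Path)
    try {
        # Exclusive open (FileShare.None) fails if another process holds the file.
        $fs = [System.IO.File]::Open($Path, 'Open', 'Read', 'None')
        $fs.Close()
        return $false
    } catch [System.IO.IOException] {
        return $true            # "being used by another process"
    } catch {
        return $false           # access denied etc. is not the same signal
    }
}

$Locked = foreach ($folder in $TempFolders) {
    Get-ChildItem -Path $folder -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-FileLocked $_.FullName } |
        Select-Object FullName, Length, LastWriteTime,
            @{ n = 'Folder'; e = { $_.DirectoryName } }
}

# A temp subfolder whose files are all locked (the article's
# SupremoRemoteDesktop folder) is the one worth a closer look.
$Locked | Group-Object Folder | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Name the running processes and services matching the suspect folder before
# terminating anything by hand in Task Manager, as the article does.
$Suspect = 'Supremo'
Get-Process -Name "$Suspect*" -ErrorAction SilentlyContinue |
    Select-Object Id, ProcessName, Path
Get-Service | Where-Object { $_.Name -like "*$Suspect*" -or $_.DisplayName -like "*$Suspect*" } |
    Select-Object Name, DisplayName, Status, StartType
```

Run it from an elevated PowerShell so C:\Windows\Temp is readable; files locked by ordinary programs (browsers, installers) will show up too, so the interesting result is a whole folder of locked files rather than a stray one.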

By proxy

The next step was to use the Chrome browser to find out more about this scam. Chrome complained that it could not access the Internet and suggested fixing the laptop’s proxy settings. To do this, click Settings (for Windows, not Chrome), then Network and Internet, and, finally, Proxy.

The proxy settings on this laptop were definitely unusual, with Use setup script set to On and a Script address of nbgvjgjgdjfjf, which makes no sense at all. Clear the Script address field and change Use setup script to Off.

The radio button Use a proxy server was set to On with an address of http://gjgjfgjgfgfjjggj using Port 80. These values are nonsense, too, so clear both the address and the port, then set Use a proxy server to Off.


The seemingly random proxy information serves no additional purpose beyond blocking Internet access, a move clearly designed to cause more panic on the part of the user — assuming he or she ever gets this far.
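The two proxy switches in Settings write to the per-user Internet Settings registry key, so the nonsense values can be spotted and cleared from PowerShell. This script is an added example, not code from the article; it assumes the usual mapping of "Use setup script" to AutoConfigURL and of "Use a proxy server" to ProxyEnable and ProxyServer, flags a script address that is not a URL or a proxy host that does not resolve, and only then resets the values.

```powershell
# Added example (not from the article): audit, then reset, the per-user proxy
# settings the article found tampered with. Assumes the Settings app's "Use setup
# script" / "Script address" map to AutoConfigURL and "Use a proxy server" /
# address + port map to ProxyEnable and ProxyServer under this key.
$Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-ProxyAudit {
    $p = Get-ItemProperty -Path $Key
    $findings = @()
    if ($p.AutoConfigURL) {
        # A legitimate setup script is an absolute URL; a bare token like the
        # article's "nbgvjgjgdjfjf" is not.
        if (-not [Uri]::IsWellFormedUriString($p.AutoConfigURL, 'Absolute')) {
            $findings += "Setup script is not a valid URL: $($p.AutoConfigURL)"
        }
    }
    if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
        # Expect [scheme://]host[:port]; a proxy host that does not resolve
        # (the article's gjgjfgjgfgfjjggj) only serves to cut off the Internet.
        $hostPart = ($p.ProxyServer -replace '^[a-z]+://', '') -replace ':\d+$', ''
        if (-not (Resolve-DnsName $hostPart -ErrorAction SilentlyContinue)) {
            $findings += "Proxy host does not resolve: $($p.ProxyServer)"
        }
    }
    [pscustomobject]@{
        ProxyEnable   = $p.ProxyEnable
        ProxyServer   = $p.ProxyServer
        AutoConfigURL = $p.AutoConfigURL
        Findings      = $findings
    }
}

function Reset-UserProxy {
    # Same effect as turning both switches Off and clearing the fields.
    Set-ItemProperty -Path $Key -Name ProxyEnable -Value 0 -Type DWord
    foreach ($name in 'ProxyServer', 'AutoConfigURL') {
        Remove-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue
    }
}

$audit = Get-ProxyAudit
$audit | Format-List
if ($audit.Findings.Count -gt 0) {
    Reset-UserProxy
    Get-ProxyAudit | Format-List    # confirm the key is clean
}
```

On a machine with no network at all the DNS check will flag any proxy host, so read the Findings before trusting the reset; on a corporate PC the values may be legitimately set by policy.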

After resetting the laptop’s proxy, I downloaded the latest free CCleaner program and used it to clean up files and the Windows registry.

After the cleanup, it was time to see what Task Manager showed about Supremo. There were no programs running with that name, but the processes Supremo, Supremo Helper, and Supremo Service needed to be terminated.

Once the Supremo processes were terminated, it was possible to go back to C:\windows\temp and delete the folder SupremoRemoteDesktop and its contents, the programs responsible for the services. Finally, I emptied the Windows recycle bin of all this junk.

Why all the cleanup effort? For one thing, eliminating all these files reduces the time and effort required by your everyday virus- and malware-scanning apps. More importantly, any file that could be deleted during this process is extremely unlikely to be part of the malware. That’s because the malware’s files cannot be deleted while it is running; in effect, the inability to delete a file is the detection method used by this approach.

Making sure

To be sure Supremo and all of its parts were nailed, I first downloaded Trend Micro’s HouseCall to scan for viruses. In this case, HouseCall found nothing. To be really sure, I also downloaded the trial version of Malwarebytes. It found one harmless bit of the malware — the threatening display of the red screen — which was just an image. To be sure a computer is truly back to normal, reboot it several times and use it a bit to see whether there are still any ill effects. Finally, reverse the File Explorer options, putting them back to their customary settings.

What caused Supremo to find its way into this laptop? Whatever the client did happened before he powered down and then powered up the laptop again to see the screen with the red background. Tracing the exact cause without a Windows flight data recorder is well-nigh impossible.

Be careful what you click, especially in emails.

Epilogue

Here is a short list of folders in Windows computers where malware and viruses are often found.

  • C:\windows\temp
  • %temp%
  • C:\windows, including any subsidiary folder containing executables, DLLs, or drivers
  • C:\Users\{username}\AppData and subsidiary folders
  • C:\ProgramData and subsidiary folders
  • C:\Program Files
  • C:\Program Files (x86)

This particular malware variant buried itself inside Windows as services, so there was no need for it to add programs to the startup list or to create a folder for itself in C:\Program Files (x86). Other kinds of malware and virus software find other places to hide themselves, often creating hidden folders.

As we figure out how to remove some species of malware, the perpetrators play whack-a-mole with us and move its various files and folders around. Google searches revealed several sets of instructions for the removal of Supremo, but these were decidedly different from what I did, possibly because an earlier version than this one had installed itself differently. Sometimes the developers of antivirus and antimalware are playing catch-up with us.

The best antivirus and antimalware protection is between your ears. Be careful what you click!


For over 20 years, Ben Myers has offered “cradle-to-grave” computer services for small businesses and individual computer owners — including building, upgrading, refurbishing, testing, repairing, and recycling of computer and network gear, primarily with Windows, some MacOSes, and Linux.

Stories in this week’s PAID AskWoody Plus Newsletter

PUBLIC DEFENDER


Buy the drives you need before ‘chia’ gets them all

By Brian Livingston

Prices of high-capacity solid-state drives (SSDs) have almost doubled at the producer level just in the past few weeks — and shortages are already affecting us. The cause is a new kind of cryptocurrency that demands vast amounts of disk space around the world for its financial network to function.

LANGALIST


From bad to worse: A repair goes awry

By Fred Langa

Sometimes, well-intentioned repairs can actually make things worse than before. That’s what happened to a reader who was trying to correct a Windows login error but ended up with a completely unbootable PC!

Plus: The care and feeding of that little coin-cell battery on your PC’s mainboard.

BEST UTILITIES


Freeware Spotlight — O&O Lanytix

By Deanna McElveen

When showing up at a new client’s small business, the first thing you need to know is where the heck everything is. Or maybe you just want to take inventory of your home network. This is the utility for you.

ON SECURITY


Is the cloud unsafe?

By Susan Bradley

During this year of the pandemic, we’ve pivoted from doing many things in person to many things online. In my industry, one of the key changes is moving from in-person meetings to online meetings via services such as Zoom, Google Meet, and Microsoft Teams. Another is doing more and more financial transactions online, including accounting for them.



Publisher: AskWoody Tech LLC (sb@askwoody.com); editor: Will Fastie (editor@askwoody.com).

Copyright © 2021 AskWoody Tech LLC, All rights reserved.