Beware of phony or misleading malware rescue web pages

A search on an unfamiliar executable file brings you to a malware rescue page that says it's bad and you should download their software to remove. Here's how to tell if it's real.

binary code, magnifying lens, skull and crossbones
Thinkstock

Scammers and adware purveyors have long used the helpful nature of the internet to get more victims. In a world where the top search engines try their best to filter out the chaff, scammers still do their best to encourage victims to install unneeded and sometimes malicious software. They often succeed by using scare tactics and misleading information. My recent experience is an example and can serve as a warning to others.

My computer was acting slow and funky, especially when using Microsoft Outlook. I rebooted it, and then I saw some previously unannounced Microsoft Office patches automatically applying. This has happened to me two or three other times before where my Microsoft Office apps locked up and ground to a halt because some patches were trying to apply themselves.

After the patches applied, I ran Microsoft’s free Process Explorer with the VirusTotal option enabled, as I always do after my computer is running slow or acting funky. This rules out malware, just in case my patch issue was a false-negative coincidence.

Process Explorer runs every active executable’s and process’s hash result against Google’s VirusTotal database and reports how many antivirus engines flag each instance as malicious. Most of the things running on your computer will report something like 0/70, indicating that none of the 70 antivirus engines are finding what you report as malicious. That’s great.

Unfortunately, one or two antivirus engines will almost always report legitimate, non-malicious processes as malicious. In my long experience with running Process Explorer over thousands of computers, if what is reported is 1/x or 2/x, then it is always a false-positive report. Usually the false-positives are reported to these vendors and they fix their false finding within a day or two. You only need to worry if Process Explorer reports three or more antivirus engines as finding something malicious. Most malicious programs will be found by over a dozen antivirus engines. 

In this scenario, when I ran Process Explorer, it came up with a few 1/70 findings and a single 1/67 finding. I wasn’t worried that any of them were malicious, but I am a little tired of seeing conhost.exe instances appearing in false-positive reports. Conhost can represent any program running in Windows command window environment. Although it’s not exactly the case, I think of it as any program that wants to run in the older DOS prompt environment.

grimes rescue 1 Microsoft

Process Explorer scan results

I opened each reported conhost instance to learn more details. The first two were related to security software my company has installed to spy on me…err…I mean, to protect my workstation. The third, was related to an executable I wasn’t at the time familiar with called pcdrwr.exe.

grimes rescue 2 Microsoft

This conhost instance was related to an unfamiliar executable

Like I do with any unknown, newly discovered executable, I Googled it. I got the first page results shown below:

grimes rescue 3 Google

Google results for pcdrwi.exe

Is it really malware?

In the second-to-last search result, the words “PCdrwi.exe is a hazardous and destructive Trojan infection…” caught my eye, so I clicked on it. It brought me to the PCThreatsKiller.com information warning page:

grimes rescue 4 PCThreatsKiller.com

PCThreatsKiller.com warning for pcdrwi.exe

The page was full of very scary language and outcomes. In fact, I’m surprised it didn’t suggest that my eldest child would be stricken with the plague. Of course, they would be happy to have me download software they are promoting to get rid of the very dangerous malware:

grimes rescue 5 PCThreatsKiller.com

PCThreatsKiller.com malware removal instructions 

I have no idea if SpyHunter and Wipersoft anti-malware software are legitimate, or if they're adware or malicious programs. I just knew that I didn’t need them. Luckily, I’m experienced enough to realize that this site was giving me a whole lot of scare tactics without asking for a lot of detail. A malicious file name can be anything. I backed out and went to another Google result (see below), this time to one telling me it was a legitimate executable from Dell (I have a Dell laptop) called PC-Doctor, which I know Dell uses.

grimes rescue 6 Malwarebytes

Malwarebytes information on pcdrwi.exe

To confirm that what I had was a legitimate PC-Doctor process and not a killer virus program, I used Process Explorer to look directly at the pcdrwri.exe process (see below). It revealed that the process was signed and running from the normal PC-Doctor file location and that the actual file’s hash had been transmitted to VirusTotal and found clean (0/71). This meant that the original conhost finding was definitely a false-positive and PCThreatsKiller.com’s advice could be ignored.

grimes rescue 7 Microsoft

PC-Doctor is legitimate

Research both the malware and the malware rescue website

After doing more research I found plenty of other legitimate files that PCThreatsKiller.com was reporting as malicious. After researching the veracity of PCThreatsKiller.com, I found dozens of warnings like this one to other users not to use the site or its software.

grimes rescue 8 Web of Trust

Forum comments on PCThreatsKiller.com

The posted reviews didn’t surprise me. I don’t know if PCThreatsKiller.com and the software it promotes is malicious. What I can tell you is that any site telling you something is or isn’t good without giving other details to help corroborate the finding should raise a red flag. Malicious files can be named anything, and they often hide using legitimate file names. For PCThreatsKiller.com not to mention that pcdrwri.exe could possibly be PC-Doctor, and instead promote removal instructions or unnecessary software puts it in my forever not-going-to-use category.

These types of sites have been around forever. I remember searching for legitimate drivers to fight some IT problem I was troubleshooting, and Google and Bing would bring up these adware driver sites that always seemed to have the exact driver I was searching for. Except that these were never the legitimate drivers. They were malware, spyware or adware programs. PCThreatsKiller, regardless of its actual fitness, brought back these same feelings.

For years these types of sites proliferated across search engine results (called SEO poisoning). Both Microsoft and Alphabet have worked hard for years to lessen those potentially malicious or unnecessary bad results. It is a tough and losing battle. The bad (and less than helpful) stuff always leaks through.

The lesson is that your co-workers and admins need to be educated about these types of sites, ones that appear to be super helpful but aren’t as good as they first appear to be. If nothing else, any site claiming, by file name alone, that something is or isn’t malicious, isn’t worth a second of your time. It’s bad advice no matter what, and could easily be adding to your problems. Do your research.

Related:
Get the best of CSO ... delivered. Sign up for our FREE email newsletters!