[unsmiley]

Did this work? I hope I have attached the log in a compressed format.

Attached Files

•  aswBoot.zip   103.67KB   104 downloads

[Advertisements]

So Norton is not the only one which detects the problem. Most of the files were in Norton's quarantine but there were so many that the chest got full. You need to click on the Avast ball then on Maintenance then on Virus Chest and empty the chest then let it run again tonight to make sure you have it all. You definitely need to upgrade to either the latest Adobe Reader or the latest Foxit. (I'm not sure Foxit is keeping up with the attacks. I know Adobe Reader is.) I expect some website you visit regularly is infected. Avast will warn you if that is the case. You will see a bright red popup in the lower right and it will block access to the site. I also see signs of a Java based infection so clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml
Then make sure you have the latest Java which today is 7 update 25. Once you update, I'd go into the Control Panel, Java, and then Security. Slide it up to the highest security level and then if you don't use Java everyday I would uncheck Enable Java Content in Browser. OK. If you go to a website that absolutely needs Java you will have to go back in and check the box again.

[RKinner]

So Norton is not the only one which detects the problem. Most of the files were in Norton's quarantine but there were so many that the chest got full. You need to click on the Avast ball then on Maintenance then on Virus Chest and empty the chest then let it run again tonight to make sure you have it all. You definitely need to upgrade to either the latest Adobe Reader or the latest Foxit. (I'm not sure Foxit is keeping up with the attacks. I know Adobe Reader is.) I expect some website you visit regularly is infected. Avast will warn you if that is the case. You will see a bright red popup in the lower right and it will block access to the site. I also see signs of a Java based infection so clear the Java Cache by following the instructions on
http://www.java.com/...lugin_cache.xml
Then make sure you have the latest Java which today is 7 update 25. Once you update, I'd go into the Control Panel, Java, and then Security. Slide it up to the highest security level and then if you don't use Java everyday I would uncheck Enable Java Content in Browser. OK. If you go to a website that absolutely needs Java you will have to go back in and check the box again.

[unsmiley]

I ran a second AVAST boot time scan & it again picked up thousands of infected files (33239) and filled the virus chest. Again many infected files were unable to be taken care of due to their sheer number. Do I keep scanning like this until all are removed? Can this virus chest in AVAST be enlarged? Is there another way to remove these in bulk? Could the virus be "replicating" making it difficult to eradicate by this method?

I did not know the new log file would overwrite the old one and be given the same name, but I don't think this should be a problem.
I tried to attach last night's log file but I got an error message trying to zip it and it was automatically renamed "aswBoot.zip.tmp" and when I attempted to attach that file, website says "you aren't permitted to upload this kind of file." If you need last night's scan log, let me know what to do to send it to you.

[RKinner]

Sorry for the delay. Internet was down all day yesterday and just came back about 5 minutes ago.

You can click on Settings and then Virus Chest then change Maximum Size of Chest to 0. Alternatively you can just let it delete everything it finds. Go back in to Security, Antivirus and under the settings for the Boot-time scan change it to Delete. OK

[unsmiley]

OK I will let it delete everything it finds for the next scan. Do you need a copy of the most recent AVAST scan log?

I cleared the Java cache & updated it as per your instructions. I also updated my version of Fox-It Reader. The reason I switched to Fox-It was my belief that my "bloodhound" problem was some type of exploit of Adobe Reader.

[RKinner]

Might as well attach the log if you can.

I expect that since both programs work about the same they may both be vulnerable to the same exploits. In any case anything that interfaces with the Internet (as Java, Adobe Reader and Foxit do) needs to be kept up to date.

[unsmiley]

Here's the new log attached. I may do a boot scan now (and have AVAST delete what it finds) rather than wait to do that in the overnight period. Let me know what else you need.

Attached Files

•  aswBoot.zip   206.55KB   114 downloads

[RKinner]

That's all I need right now. Go ahead and let it run the boot-time scan again (if you haven't already started).

[RKinner]

After you finish the scan make the following changes to your PDF reader:

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program. There is an exploit out there now that can use it to get on your PC. For Adobe Reader: Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript. OK Close program. It's the same for Foxit reader except you uncheck Enable Javascript Actions.

This helps eliminate a possible threat.

[unsmiley]

I completed the scan - it found 33116 infected files; new report attached below. They show up in the scan results in AVAST, even though the action was "delete." Should I highlight them and delete them? I also changed the javascript preferences in Foxit as per your instructions. As an aside, after the scan was completed and while the computer was booting up, I got a tiny message in the lower right hand corner (rest of the screen was black for a while) something to the effect that Windows 7 is not genuine. It then booted up normally. My Windows is genuine!

Anyway, what's next?

Attached Files

•  aswBoot.zip   302.34KB   105 downloads

[RKinner]

Sometimes Windows gets upset when certain files get scanned. You should be able to reactivate it:

http://windows.micro...n-this-computer

I think the files were really deleted. You do have two corrupt archives which you should manually delete:

C:\Users\RR\Downloads\Touch Pro2 apps\NYDNPocketPC2005.CAB
C:\Windows\Installer\af9a1d0.msi

I would run the boot-time scan one more time just to be sure but I think you got it all. Does your hard drive have more space now?

[unsmiley]

Yes the hard drive has more space. It has 76.1 GB free of 187 GB -- I think it was down to 13 GB before we started, although I don't know what my "normal" baseline was.

I manually deleted the two files you said were corrupted and then I emptied the virus chest.

I will run another boot-time scan tonight and send you the report. I will worry about reactivating Windows 7 after that.

[unsmiley]

AVAST Boot time scan results: "no virus found." Anything else do do?

Some questions:
1. When doing a Boot time scan, in "settings" should areas to be scanned be "All hard disks" and/or "system drive"? I did check both but I am not sure that was necessary but I did not know what system drive refers to.

2. What type of AVAST scans should I do in the future? Full System scans?

3. Should I delete Symantec Endpoint Protection? If so, how will I know if those temp files start accumulating again? (The Symantec dialog box listing all those files that popped up each time was annoying but at least it notified me that malware was detected.) Will AVAST pick them out like Symantec did? After constantly manually deleting the quarantined files in Symantec why wasn't my system clean? Will similarly nfected files just pop up again?

4. Is it safe to delete old Malwarebytes logs?

5. Re: Windows reactivation: Is it necessary? In Control Panel/System and Security/System it says "Windows is activated" and gives my Product ID #.

[RKinner]

The full Avast scan should be good enough except when a system is infected with something which prevents it from running. System Drive is the drive that Windows is installed on - usually C:. All drives is what it says and will check anything else that is connected like a thumbdrive or external drive.

I think we have proven that Avast can detect the problem so I don't see any reason to keep Norton. You will probably need to reactivate the Norton drivers and services using Autoruns in order to remove Norton. Make sure you run the Norton Removal Tool also: ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe
Obviously Norton has a problem cleaning its Quarantine folder - or you just told it to hide them rather than delete.

You can remove any MBAM logs.

You only need to reactivate if it is saying your copy is not legal. If the error has gone away then don't worry about it. If you still have the error and reactivating doesn't help you can try a System Restore to a time before we ran the boot-scan. If all else fails you will have to call Microsoft and get them to fix it.

[unsmiley]

So do you think I am good? Anything else to do in cleaning my computer?

If not, what, if any, of the tools I downloaded for your evaluation should I keep?

I've noticed two new things: (1) All file full name extensions are now visible, and (2) Some folders in My Documents now have a picture of a lock next to their icons, and when I click on those it tells me the folder is unavailable to me ("access is denied"). These folders appear to be duplicates of unlocked folders with the same names in the Documents library.