[love2teach956]

I seem to be doing ok today. I went to Yahoo homepage, went to Craigslist for autos, CarMax, and to Raley's store to renew my medicines. I haven't seen a pop up yet!!

Yay!

[Advertisements]

Unless you see other problems I think we are done and can clean up

 

Copy the following:

 

 
:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]
 

Right click on OTL and Run As Administrator.   In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

 

That will get the last of the malware off the system.

 

 

 

You can uninstall or delete any tools we had you download and their logs. 

 

If we ran Combofix:To uninstall combofix, copy the next line:

 

"%userprofile%\Desktop\combofix.exe" /Uninstall

 

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.

then right click, Paste, then hit Enter.

 

 

 

OTL has a cleanup tab but DO NOT USE IT!.  There are reports that it leaves the PC unbootable.  Instead just delete  OTL.exe and the folder c:\_OTL.

 

To hide hidden files again:

 

Vista or Win7

 

# Open the Control Panel menu and click Folder Options.

# After the new window appears select the View tab.

# Remove the check in the  checkbox labeled Display the contents of system folders.

# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.

# Check the checkbox labeled Hide protected operating system files.

# Press the Apply button and then the OK button and exit My Computer. 

 

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  

 

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions. 

 

Unless you have the latest version of Avast which has its own update checker:  To help keep your programs up-to-date you should download and run the UpdateChecker: 

http://www.filehippo.../updatechecker/

(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it.  Exception is MSN messenger which appears to be part of Windows.)

If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.

 Seems to work best if Firefox is the default browser.  Windows always hides its icon so you need to unhide it.  Click on the up arrow to the left of the clock.  Then click on Customize.  Maximize the window so you can see all of the options.  Scroll Down and find the File Hippo UpdateChecker and change its Behaviors to Show Icon and Notifications.  OK.  When you reboot you should see the icon.  It will take it a minute to finish checking then it will put up a bubble if you need to update something. Click on the bubble and it should open in your browser.  (Seems to work best if it uses Firefox.  If you do not use Firefox as your default browser then right click on the icon and click on Settings. Then on Results.  Change the Open Results in Default Browser to Custom Browser and then select the line that has Firefox.exe in it.  While there, also check Hide Beta Versions.  OK. )  You will see a list of programs that have updates with green down arrows next to them.  You do not need to download any Beta Versions.  There is an option Settings to Hide Beta Versions.  I do not advise updating Windows Messenger unless you really use it so I right click on the Icon and Customize Results then find Microsoft Messenger and change Show All Releases to Hide All Releases.  OK. 

 

You can also try Secunia PSI http://secunia.com/v...l/download_psi/  Same kind of info.  You don't need both.

If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on.  Go to adblockplus.org with each browser and get the add-on.

 

If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.

http://www.crystalidea.com/speedyfox .  Close Chrome/Firefox. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow.

 

Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.

 

Due to a recent rise in the number of Crytolocker infections I am now recommending you install:

 

CryptoPrevent

 

http://www.foolishIT.../cryptoprevent/

 

The free version does not update on its own so you should check for updated versions once in a while.

 

 

 

If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.

 

Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:

http://www.java.com/...lugin_cache.xml

Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.

Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.

 

Make sure Windows Updates is turned and that it works.  Go to Control panel, Windows Updates and see if it works.  

 

 

My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm

(The name means something like "clean place" in one of the local native-American dialects)

 

Ron

 

 

[RKinner]

Unless you see other problems I think we are done and can clean up

 

Copy the following:

 

 
:Commands
[CLEARALLRESTOREPOINTS]
[Reboot]
 

Right click on OTL and Run As Administrator.   In the Custom Scans/Fixes box at the bottom, paste in the copied text (Ctrl + v) and then hit Run Fix.

 

That will get the last of the malware off the system.

 

 

 

You can uninstall or delete any tools we had you download and their logs. 

 

If we ran Combofix:To uninstall combofix, copy the next line:

 

"%userprofile%\Desktop\combofix.exe" /Uninstall

 

Start, All Programs, Accessories then right click on Command Prompt and Run As Administrator.

then right click, Paste, then hit Enter.

 

 

 

OTL has a cleanup tab but DO NOT USE IT!.  There are reports that it leaves the PC unbootable.  Instead just delete  OTL.exe and the folder c:\_OTL.

 

To hide hidden files again:

 

Vista or Win7

 

# Open the Control Panel menu and click Folder Options.

# After the new window appears select the View tab.

# Remove the check in the  checkbox labeled Display the contents of system folders.

# Under the Hidden files and folders section select the radio button labeled Do not Show hidden files and folders.

# Check the checkbox labeled Hide protected operating system files.

# Press the Apply button and then the OK button and exit My Computer. 

 

Also make sure you have the latest versions of any adobe.com products you use like Shockwave, Flash or Acrobat.  

 

Whether you use adobe reader, acrobat or fox-it to read pdf files you need to disable Javascript in the program.  There is an exploit out there now that can use it to get on your PC.  For Adobe Reader:  Start, All Programs, Adobe Reader, Edit, Preferences, Click on Javascript in the left column and uncheck Enable Acrobat Javascript.  OK Close program.  It's the same for Foxit reader except you uncheck Enable Javascript Actions. 

 

Unless you have the latest version of Avast which has its own update checker:  To help keep your programs up-to-date you should download and run the UpdateChecker: 

http://www.filehippo.../updatechecker/

(You don't need to download Betas and if there is a program you don't use you can just uninstall it rather than update it.  Exception is MSN messenger which appears to be part of Windows.)

If you get a blocked program notice after installing updatechecker then change it to not run at start then manually run it once a week.

 Seems to work best if Firefox is the default browser.  Windows always hides its icon so you need to unhide it.  Click on the up arrow to the left of the clock.  Then click on Customize.  Maximize the window so you can see all of the options.  Scroll Down and find the File Hippo UpdateChecker and change its Behaviors to Show Icon and Notifications.  OK.  When you reboot you should see the icon.  It will take it a minute to finish checking then it will put up a bubble if you need to update something. Click on the bubble and it should open in your browser.  (Seems to work best if it uses Firefox.  If you do not use Firefox as your default browser then right click on the icon and click on Settings. Then on Results.  Change the Open Results in Default Browser to Custom Browser and then select the line that has Firefox.exe in it.  While there, also check Hide Beta Versions.  OK. )  You will see a list of programs that have updates with green down arrows next to them.  You do not need to download any Beta Versions.  There is an option Settings to Hide Beta Versions.  I do not advise updating Windows Messenger unless you really use it so I right click on the Icon and Customize Results then find Microsoft Messenger and change Show All Releases to Hide All Releases.  OK. 

 

You can also try Secunia PSI http://secunia.com/v...l/download_psi/  Same kind of info.  You don't need both.

If you use Chrome/Firefox/IE then get the AdBlock Plus Add-on.  Go to adblockplus.org with each browser and get the add-on.

 

If Chrome/Firefox is slow loading make sure it only has the current Java add-on.  Then download and run Speedy Fox.

http://www.crystalidea.com/speedyfox .  Close Chrome/Firefox. Hit Optimize.   You can run it any time that Chrome/Firefox seems slow.

 

Be warned:  If you use Limewire, utorrent or any of the other P2P programs you will almost certain be coming back to the Malware Removal forum.  If you must use P2P then submit any files you get to http://virustotal.com before you open them.

 

Due to a recent rise in the number of Crytolocker infections I am now recommending you install:

 

CryptoPrevent

 

http://www.foolishIT.../cryptoprevent/

 

The free version does not update on its own so you should check for updated versions once in a while.

 

 

 

If you have a router, log on to it today and change the default password!  If using a Wireless router you really should be using encryption on the link.  Use the strongest (newest) encryption method that your router and PC wireless adapter support especially if you own a business.  See http://www.king5.com...-120637284.html and http://www.seattlepi...ted-1344185.php for why encryption is important.  If you don't know how, visit the router maker's website.  They all have detailed step by step instructions or a wizard you can download.

 

Special note on Java.  Old Java versions should be removed after first clearing the Java Cache by following the instructions in:

http://www.java.com/...lugin_cache.xml

Then remove the old versions by going to Control Panel, Programs and Features and Uninstall all Java programs which are not Java Version 7 update 25 or better.  These may call themselves: Java Runtime, Runtime Environment, Runtime, JRE, Java Virtual Machine, Virtual Machine, Java VM, JVM, VM, J2RE, J2SE.  Get the latest version from Java.com.  They will usually attempt to foist some garbage like the Ask toolbar, Yahoo toolbar or McAfee Security Scan on you as part of the download.  Just uncheck the garbage before the download (or install) starts.  If you use a 64-bit browser and want the 64-bit version of Java you need to use it to visit java.com.

Due to multiple security problems with Java we are now recommending that it not be installed unless you absolutely know you need it.  IF that is the case then go to Control Panel, Java, Security and slide it up to the highest level.  OK.

 

Make sure Windows Updates is turned and that it works.  Go to Control panel, Windows Updates and see if it works.  

 

 

My help is free but if you wish to show your appreciation, please donate to Kwiaht instead of me. It's a local environmental organization that I volunteer with: http://www.kwiaht.org/donate.htm

(The name means something like "clean place" in one of the local native-American dialects)

 

Ron

 

 

[love2teach956]

.Thanks very much. Can you tell how long her Microsoft Essentials Security is goodf for? I just renewed my McAfee for my laptop and can cover up to 2 more computers. Which one do you think is better?

Again, thank you so much. She only 19, a jr college student working 30 hr a week and trying to save up for a car...There's always something isn't there?

Thank you again, I will go over all this with her so she understands what she needs to do to keep her laptop safe. Have a wonderful weekend.

[RKinner]

MSE has been back-burnered by MS (they use a beefed up Windows Defender on Win 8) and it seems to be getting weaker.  McAfee is a waste of money.  The free Avast is much better:

 

Download the installer:

 

http://files.avast.c...virus_setup.exe

 

Uninstall MSe.  Reboot.  Right click on the installer and Run As Admin.  They do sometimes try to push Google Chrome, Google toolbar or Dropbox but you just have to uncheck them during the install or after the first reboot.  They will also try to talk you into the paid version but the Basic version is what we want.  

 

Stick with Avast for a while and see how you like it.  Some people object to the voice notification of updates.  To turn it off, click on the Avast ball then on Settings then on Appearance.  Then on Sounds and uncheck Automatic Updates OK.  (It will still update it just won't tell you about in a loud voice in the middle of the night.)

 

They have also started using their info popup to try and get you to upgrade so I go into Settings, Appearance, Popups and change the first two to 1 second.

 

If you haven't registered already then right click on the orange ball and select Registration Information and click on the link.  (They just want you name and email address).  The registration is good for 12-14 months then you will need to register again.  They will, of course, try to talk you into buying the product but you can always register again for another year free tho it may not be the default.

 

 

To run a boot-time scan with Avast (this is one of their better features as it loads before windows completely comes up so has a better chance of finding rootkits and other malware but it takes a long time so I let it run while I sleep)

First mute the speakers so it won't wake you up when Windows loads.  Click on the Orange ball.  Click on Scans.  Change Quickscan to Boot-time Scan.  Click on Settings.  Where it says Heuristic Sensitivity click on the last rectangle so that all of them are  orange and it says High.  Check both boxes.  Then change When a threat is found ... to:  Move to Chest.  OK.  Now click on Start.  Close the Avast window and then reboot.  The scan will start.  It will tell you where it will save the report.  Usually it's 

C:\ProgramData\AVAST Software\Avast\report\aswBoot.txt but it might change so verify the location.  When Windows loads Click on the Orange Ball then Scan, Then Scan History (at the bottom of the page). Click on the last scan and then Detailed Report.  If it found anything then open the aswBoot.txt file and copy and paste it. 

[love2teach956]

I'm working on installing Avast tonight. Will let you know how things go.

[love2teach956]

I ran the Avast today and here is the report:

 

05/04/2014 12:18
Scan of all local drives

File C:\Users\Ellery\AppData\Roaming\AffiliatedUpdate\UpdateProc\UpdateTask.exe is infected by Win32:Rootkit-gen [Rtk], Moved to chest
File C:\Users\Ellery\Downloads\setup.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Users\Ellery\FLV Player\Uninstall\__Uninstall_.exe is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\FRST\Quarantine\C\Users\Ellery\AppData\Local\Temp\ICReinstall_setup.exe.xBAD is infected by Win32:Adware-gen [Adw], Moved to chest
File C:\Qoobox\Quarantine\C\ProgramData\KeyboardVerifierPolicy.dll.vir is infected by Win32:MalOb-HO [Cryp], Moved to chest
File C:\Qoobox\Quarantine\C\Users\Ellery\AppData\Local\{02C2357F-6111-4C54-9AAC-B4FA3F1191E9}\chrome\content\overlay.xul.vir is infected by JS:Iframe-QO [Trj], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\[email protected]|>[Embedded_R#00290] is infected by Win32:BitCoinMiner-U [PUP], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\[email protected] is infected by Win32:BitCoinMiner-U [PUP], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\[email protected] is infected by Win64:ZAccess-A [Trj], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\assembly\tmp\U\[email protected] is infected by Win64:Alureon-G [Rtk], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir|>[Embedded_I#1ae7] is infected by Win32:Sirefef-PL [Rtk], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir|>[Embedded_I#2ee7] is infected by Win32:Sirefef-PL [Rtk], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir|>[Embedded_I#471f] is infected by Win32:Sirefef-JQ [Trj], Moved to chest
File C:\Qoobox\Quarantine\C\Windows\System32\consrv.dll.vir is infected by Win32:Sirefef-JQ [Trj], Moved to chest
File C:\Temp\t.msi|>cab1.cab|>IEOptimizer.dll is infected by Win64:BullSave-B [Adw], Moved to chest
File C:\Temp\t.msi|>cab1.cab|>IEOptimizer64.dll is infected by Win32:BHO-ALX [Trj], Moved to chest
File C:\Windows\Installer\1a412614.msi|>cab1.cab|>IEOptimizer.dll is infected by Win64:BullSave-B [Adw], Moved to chest
File C:\Windows\Installer\1a412614.msi|>cab1.cab|>IEOptimizer64.dll is infected by Win32:BHO-ALX [Trj], Moved to chest
File C:\Windows.old\Program Files (x86)\Microsoft Office\Office\FINDFAST.EXE is infected by Win32:MalOb-IJ [Cryp], Moved to chest
File C:\Windows.old\Users\Ellery\AppData\Local\Microsoft\Internet Explorer\Recovery\Active\{44841CE4-8C47-11DF-8D70-A4BADB95AB88}.dat|>TL5 is infected by VBS:Agent-KQ [Trj], Moved to chest
File C:\Windows.old\Windows\assembly\GAC_64\Desktop.ini is infected by Win32:Sirefef-PL [Rtk], Moved to chest
File C:\Windows.old\Windows\assembly\tmp\kwrd.dll|>[UPX] is infected by Win32:Malware-gen, Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H52YLL46\jxknptshmc-popcap-plants-vs-zombies[1].txt is infected by JS:ScriptIP-inf [Trj], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H52YLL46\tv-quotes[1].txt is infected by JS:ScriptIP-inf [Trj], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\17\279dfd1-5accef33|>main.class is infected by Java:Agent-AXI [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4ce2be02-6ca61b2e|>json\Option.class is infected by Java:Agent-ADL [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4ce2be02-6ca61b2e|>json\SmartyPointer.class is infected by Java:Agent-ZB [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4ce2be02-6ca61b2e|>json\ThreadParser.class is infected by Java:Agent-AEH [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\2\4ce2be02-6ca61b2e|>json\XML.class is infected by Java:Agent-ADT [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\d9769e0-44ed604d|>json\Option.class is infected by Java:Agent-ADL [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\d9769e0-44ed604d|>json\SmartyPointer.class is infected by Java:Agent-ZB [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\d9769e0-44ed604d|>json\ThreadParser.class is infected by Java:Agent-AEH [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\32\d9769e0-44ed604d|>json\XML.class is infected by Java:Agent-ADT [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\59\53c9d3bb-36402fc2|>main.class is infected by Java:Agent-AXI [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\1f75e909-6825cb96|>json\Option.class is infected by Java:Agent-ADL [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\1f75e909-6825cb96|>json\SmartyPointer.class is infected by Java:Agent-ZB [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\1f75e909-6825cb96|>json\ThreadParser.class is infected by Java:Agent-AEH [Expl], Moved to chest
File C:\Windows.old\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\9\1f75e909-6825cb96|>json\XML.class is infected by Java:Agent-ADT [Expl], Moved to chest
File C:\_OTL\MovedFiles\11162011_212519\C_Users\Ellery\AppData\Roaming\Imcuiqo\etycfa.exe|>[UPX] is infected by Win32:MalOb-IJ [Cryp], Moved to chest
Number of searched folders: 69174
Number of tested files: 1711965
Number of infected files: 39
 

[RKinner]

The top one is a rootkit so good you ran Avast.  (I don't really think it was active tho.)  The stuff in C:\Qoobox had already been removed by Combofix and that in C:\FRST\Quarantine by FRST.  The stuff in  C:\Windows.old is from an earlier install of windows and not active.    Rest appears to be adware installers which weren't active..  How is it running now?

[love2teach956]

Seems to be running well. I went to Google, Yahoo, the mlb.com page and her college page. No pop-ups.

Yay!!

[RKinner]

Good to hear.

[love2teach956]

Sounds like we're all okay now?

[RKinner]

Yep.