
Stormfall (and other?) ad window popping up in Chrome [Solved]

Tags: stormfall, adware, camstudio, chrome


#16 drmomentum (Member, Topic Starter, 12 posts)

OK, I guess there's still some concerning stuff here. One problem: the logfile that ESET created has almost zero information in it, but I happened to export the threat list it created, so I'm including that as well.

----------------------------------------------------------------------------

Malwarebytes Anti-Malware
www.malwarebytes.org
 
Scan Date: 10/4/2014
Scan Time: 7:59:48 AM
Logfile: mbytes.log
Administrator: Yes
 
Version: 2.00.2.1012
Malware Database: v2014.10.04.08
Rootkit Database: v2014.09.19.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled
 
OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: James
 
Scan Type: Threat Scan
Result: Completed
Objects Scanned: 420446
Time Elapsed: 20 min, 28 sec
 
Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Warn
PUM: Enabled
 
Processes: 0
(No malicious items detected)
 
Modules: 0
(No malicious items detected)
 
Registry Keys: 0
(No malicious items detected)
 
Registry Values: 0
(No malicious items detected)
 
Registry Data: 0
(No malicious items detected)
 
Folders: 0
(No malicious items detected)
 
Files: 2
PUP.Optional.StmSetup, C:\Users\James\AppData\Local\Temp\Temp1_CamStudioSetup_v2.7.2.zip\CamStudioSetup_v2.7.2.exe, Quarantined, [1273608fafcc340210458177cf35e51b], 
PUP.Optional.StmSetup, C:\Users\James\Downloads\CamStudioSetup_v2.7.2.zip, Quarantined, [166fc629c3b8f442d580ae4a59abdc24], 
 
Physical Sectors: 0
(No malicious items detected)

(end)

log.txt from ESET:

ESETSmartInstaller@High as CAB hook log:
OnlineScanner64.ocx - registred OK
OnlineScanner.ocx - registred OK
 
ESET_SCAN exported file list:

C:\Program Files\CamStudio 2.7\BunndleOfferManager.exe a variant of Win32/Bunndle potentially unsafe application
C:\Users\James\AppData\Local\Temp\optprosetup.exe multiple threats
C:\Users\James\AppData\Local\Temp\is1955396272\43BD3C70_stp.EXE a variant of Win32/Bunndle potentially unsafe application
C:\Users\James\AppData\Local\Temp\is1955396272\40CAB6DA_stp\OptimizerPro3108.exe a variant of Win32/AdWare.SpeedingUpMyPC.N application
C:\Users\James\Downloads\advanced-systemcare-setup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application
C:\Users\James\Downloads\asc-setup-v5.exe Win32/ELEX.AH potentially unwanted application
C:\Users\James\Downloads\cbsidlm-cbsi134-Some_PDF_Images_Extract-SEO-10836441.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\James\Downloads\cbsidlm-cbsi176-PeerBlock-SEO-75328692.exe a variant of Win32/CNETInstaller.B potentially unwanted application
C:\Users\James\Downloads\cbsidlm-tr1_10a-Spotify-SEO-10912348.exe Win32/DownloadAdmin.G potentially unwanted application
C:\Users\James\Downloads\cbsidlm-tr1_7-Edraw_Mind_Map-SEO2-197599.exe Win32/DownloadAdmin.D potentially unwanted application
C:\Users\James\Downloads\cbsidlm-tr1_7-Freeplane-SEO2-75445848.exe Win32/DownloadAdmin.D potentially unwanted application
C:\Users\James\Downloads\ccsetup407.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\James\Downloads\ccsetup411.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application
C:\Users\James\Downloads\cnet_SyncBack_Setup_zip.exe a variant of Win32/InstallCore.D potentially unwanted application
C:\Users\James\Downloads\FoxitReader502.0718_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\James\Downloads\FoxitReader543.0920_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application
C:\Users\James\Downloads\FreeVideoToAudioConverter.exe Win32/OpenCandy potentially unsafe application
C:\Users\James\Downloads\TuneUpInst-3.0.5.0.exe Win32/OpenCandy potentially unsafe application
E:\My Documents Old\Downloads\is360setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application

-James



#17 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

> OK, I guess there's still some concerning stuff here.

Don't worry, we'll get it all :)

> One problem: the logfile that ESET created has almost zero information in it, but I happened to export the threat list it created, so I'm including that as well.

Excellent "catch" on your part!

Clean Temporary Files with TFC

Please download TFC by OldTimer and save it to your desktop.

  • Right-click on the TFC icon and select Run as Administrator to start the tool.
  • Close any open programs and save your current work.
  • Click the Start button to begin. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a couple of minutes.
  • Once it's finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

This tool doesn't generate any report. Instead I recommend keeping it for good maintenance of your machine.

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporarily disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:
  • Accept the Terms of Use and click Start.
  • Allow the running of add-on.
If using Mozilla Firefox or Google Chrome:
  • Download esetsmartinstaller_enu.exe that you'll be given link to.
  • Double click esetsmartinstaller_enu.exe.
  • Allow the Terms of Use and click Start.
To perform the scan:
  • Make sure that Remove found threats is checked. (Different than last time)
  • Scan archives is checked.
  • In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
  • Click Start
  • The program will begin to download its virus database. The speed may vary depending on your Internet connection.
  • When completed, the program will begin to scan. This may take several hours. Please, be patient.
  • Do not do anything on your machine as it may interrupt the scan.
  • When the scan is done, click Finish.
  • A logfile will be created at C:\Program Files\ESET\ESET Online Scanner. Open it using Notepad.
Please include this logfile in your next reply.

Don't forget to re-enable previously switched-off protection software!



#18 drmomentum (Member, Topic Starter, 12 posts)

ESET did the same thing as before, no logfile written out. I saved out the Found Threats, though (see below).

The other tool cleaned up quite a bit of temporary file "cruft."

--------------------------------------------------------------

C:\Program Files\CamStudio 2.7\BunndleOfferManager.exe a variant of Win32/Bunndle potentially unsafe application deleted - quarantined
C:\Users\James\Downloads\advanced-systemcare-setup.exe a variant of Win32/Toolbar.Widgi.B potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\asc-setup-v5.exe Win32/ELEX.AH potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\cbsidlm-cbsi134-Some_PDF_Images_Extract-SEO-10836441.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\cbsidlm-cbsi176-PeerBlock-SEO-75328692.exe a variant of Win32/CNETInstaller.B potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\cbsidlm-tr1_10a-Spotify-SEO-10912348.exe Win32/DownloadAdmin.G potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\cbsidlm-tr1_7-Edraw_Mind_Map-SEO2-197599.exe Win32/DownloadAdmin.D potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\cbsidlm-tr1_7-Freeplane-SEO2-75445848.exe Win32/DownloadAdmin.D potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\ccsetup407.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Users\James\Downloads\ccsetup411.exe Win32/Bundled.Toolbar.Google.D potentially unsafe application deleted - quarantined
C:\Users\James\Downloads\cnet_SyncBack_Setup_zip.exe a variant of Win32/InstallCore.D potentially unwanted application deleted - quarantined
C:\Users\James\Downloads\FoxitReader502.0718_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined
C:\Users\James\Downloads\FoxitReader543.0920_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask potentially unsafe application deleted - quarantined
C:\Users\James\Downloads\FreeVideoToAudioConverter.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
C:\Users\James\Downloads\TuneUpInst-3.0.5.0.exe Win32/OpenCandy potentially unsafe application deleted - quarantined
E:\My Documents Old\Downloads\is360setup.exe a variant of Win32/Toolbar.Widgi potentially unwanted application deleted - quarantined


#19 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

> ESET did the same thing as before,

Not exactly the same. This time it quarantined and/or deleted what we needed it to, so we're good there. :)

> no logfile written out. I saved out the Found Threats, though (see below).

Glad that you saved the file. I need to update that set of instructions. My other set indicates that the user has to do what you did. :thumbsup:

> The other tool cleaned up quite a bit of temporary file "cruft."

Yup, it does a good job!

Alright, from my perspective we're pretty close to the finish line. How about you? Questions for me or issues with the machine?



#20 drmomentum (Member, Topic Starter, 12 posts)

It looks really good!

I am interested in preventing future infections, and I'm particularly worried about problems like Cryptolocker and Cryptowall. Especially because if anyone in my family becomes infected, our shared NAS will be hit.

So, two questions:

1) Aside from the usual behavioral recommendations to not click strange links in emails and stay off suspicious websites, are there useful precautions I can take (and help my family take) against ransomware infections?

2) I'm using avast for anti-virus but plan on switching to a Symantec product soon. I'm worried about protection, but I also worry about impacting performance, since some of the hardware my family uses is already slow-ish. What is a sensible choice for antivirus/antimalware protection that people use if they're also concerned about performance?

Feel free to PM me if you want to get speculative and off the record with your answer.

Cheers and thanks for the help.

-James



#21 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

Hi James,

Here is my prevention information.

Importance of Regular System Maintenance:

I advise you to read both of the topics listed below. The suggestions contained in them, if followed, will go a long way toward keeping your Computer performing well.

Help! My computer is slow!

As is this:

What to do if your Computer is running slowly

Further reading/resources:

This is a very helpful/useful set of advice from Microsoft: Microsoft Safety & Security Center

As is this: Computer Security - a short guide to staying safer online

And these are worth reading also: Understanding Windows Firewall settings, Securing Your Web Browser and Securing Your Router.

Keep Your System Updated:

Microsoft releases patches for Windows and other products regularly:

  • Click on Start(Windows 7) >> All Programs >> Windows Update.
  • In the navigation pane, click Check for updates.
  • After Windows Update has finished checking for updates, click View available updates.
  • Click to select the check box for any found, then click Install.
  • When completed Reboot(restart) your computer if not prompted to do so.

Also check that Automatic Updates is enabled.

Be careful when opening attachments and downloading files:

1 - Never open email attachments, not even if they are from someone you know. If you need to open them, scan them with your antivirus program before opening.

2 - Never open emails from unknown senders.

4 - Beware of emails that warn about viruses that are spreading, especially those from antivirus vendors. These email addresses can be easily spoofed. Check the antivirus vendor websites to be sure.

5 - Be careful of what you download. Only download files from known sources. Also, avoid cracked programs. If you need a particular program that costs too much for you, try finding free alternatives on FileHippo or MajorGeeks.

Stop malicious scripts:

Windows by default allows scripts (VBScript and JavaScript) to run, and some of these scripts are malicious. Use Noscript by Symantec or Script Defender by AnalogX to handle these scripts.

Avoid Peer to Peer software:

P2P may be a great way to get lots of seemingly freeware, but it is a great way to get infected as well. There's no way to tell if the file being shared is infected. Worse still, some worms spread via P2P networks, infecting you as well. It's really important, if you value your PC at all, to stay away from P2P file sharing programs, like utorrent, Bittorrent, Azureus, Limewire, Vuze. Criminals have "planted" thousands upon thousands of infections in the "free" shared files. Virtually all of these recent infections will compromise your Security, and some can turn your machine into a useless "doorstop".

I will further add: P2P software has the ability to create a direct conduit onto your computer, their security measures are easily circumvented, and Malware writers are increasingly exploiting them to spread their infected dross onto your computer. Further to that, if your P2P software is not configured correctly you may be sharing more files than you realise. There have been cases where people's address books, passwords, and other personal, private and financial details have been exposed to the file sharing network by a badly configured P2P application.

My friendly advice is to avoid these types of software applications.

Consider the below extra/layered security for your machine:

Custom Hosts File:

A Hosts file is like a phone book. You look up someone's name in the phone book before calling him/her. Similarly, your computer will look up the website's IP address before you can view the website.

A custom Hosts file will replace your current Hosts file with one containing well-known advertisement sites, spyware sites and other bad sites. This new Hosts file will protect you by re-directing these bad sites to 127.0.0.1.

Here are some Hosts files:

Only use one of the above!

CryptoPrevent Tool:

How to prevent your computer from becoming infected by CryptoLocker

WinPatrol:

WinPatrol alerts you about possible system hijacks, malware attacks and critical changes made to your computer without your permission.

Download it from here.

You can find information about how WinPatrol works here.

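As an added example (not from the thread, and not code from any of the Hosts-file projects the post points to), here is a small Python parser for the hosts-file format described above. It shows how a name listed against 127.0.0.1 or 0.0.0.0 is answered locally before any DNS query is made, and why duplicate entries from two merged lists are harmless; the hostnames in the sample are constructed placeholders.

```python
"""Added example: parse a hosts file and mimic the local resolver's lookup.
A hostname found in the file is answered from the file; a name listed
against 127.0.0.1 or 0.0.0.0 is sinkholed, so the browser never reaches it."""
import ipaddress

# Constructed sample hosts file: the stock Windows entries plus a few
# blocklist-style lines. The names are placeholders, not real sites.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
# --- custom blocklist (placeholder names) ---
127.0.0.1  ads.example-adserver.invalid   # banner network
0.0.0.0    tracker.example-spyware.invalid
127.0.0.1  bad.example.invalid   www.bad.example.invalid
"""

SINKHOLES = {"127.0.0.1", "0.0.0.0"}  # addresses used to black-hole a name


def parse_hosts(text):
    """Return {hostname: address} from hosts-file text, ignoring comments.
    A later line for the same name overrides an earlier one, which is why
    merging two lists that overlap does not break anything."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ipaddress.ip_address(parts[0])    # skip malformed lines
        except ValueError:
            continue
        for name in parts[1:]:
            table[name.lower()] = parts[0]
    return table


def lookup(table, hostname):
    """Hosts-file hit first; None means 'fall through to DNS' (kept offline here)."""
    return table.get(hostname.lower().rstrip("."))


def is_sinkholed(table, hostname):
    """True when the custom hosts file sends this name to a dead address."""
    return lookup(table, hostname) in SINKHOLES


def blocked_count(table):
    """Number of names the file black-holes, excluding the machine's own localhost."""
    return sum(1 for n, a in table.items() if a in SINKHOLES and n != "localhost")
```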


#22 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

Alright, we seem to be done :)

Run Delfix at your leisure. You have the instructions in a previous post. Run MBAM and ESET every few weeks. You've already got protection for the Crypto stuff, so you're good there. :thumbsup:

I'll keep this topic on for a day or so on the chance that you need me for something. Otherwise, take care!! It's been a pleasure :wave:



#23 drmomentum (Member, Topic Starter, 12 posts)

You've been super helpful. Thanks so much for your time and advice!



#24 Biscuithd (Trusted Helper, Malware Removal, 2,573 posts)

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.