[Biscuithd]

How are things working now? Are you still getting that persistant pop-up?

[Advertisements]

The pop-up is gone.

Explorer still does not work correctly. Explorer does open but it is totally blank. No preference opening page is set. I can navigate to some sites by typing the address directly in the bar but not all pages or sites load and the links on some pages won't work. After typing in a password the page doesn't change. Geekstogo is working fine though.

I have gotten a pop-up notification messages from Dell saying that I haven't set up Automatic backup and recovery schedules and haven't signed up for automatic updates. I am wondering if I should do so? Please advise.

Thanks Holly

[AuntieHolly]

The pop-up is gone.

Explorer still does not work correctly. Explorer does open but it is totally blank. No preference opening page is set. I can navigate to some sites by typing the address directly in the bar but not all pages or sites load and the links on some pages won't work. After typing in a password the page doesn't change. Geekstogo is working fine though.

I have gotten a pop-up notification messages from Dell saying that I haven't set up Automatic backup and recovery schedules and haven't signed up for automatic updates. I am wondering if I should do so? Please advise.

Thanks Holly

[Biscuithd]

The pop-up is gone.

Good news!

Explorer still does not work correctly. Explorer does open but it is totally blank. No preference opening page is set. I can navigate to some sites by typing the address directly in the bar but not all pages or sites load and the links on some pages won't work. After typing in a password the page doesn't change. Geekstogo is working fine though.

 

Let's try resetting IE. The instructions below show work for your version of IE. If they are not exact, then they should be fairly close.

To reset Internet Explorer settings

1. Close all Internet Explorer and Windows Explorer windows that are currently open.

2. Open Internet Explorer by clicking the Start button . In the search box, type Internet Explorer, and then, in the list of results, click Internet Explorer.

3. Click the Tools button , and then click Internet options.

4. Click the Advanced tab, and then click Reset.

   Select the Delete personal settings check box if you would also like to remove browsing history, search providers, Accelerators, home pages, Tracking Protection, and ActiveX Filtering data.

5. In the Reset Internet Explorer Settings dialog box, click Reset.

6. When Internet Explorer finishes applying default settings, click Close, and then click OK.

7. Close Internet Explorer.

   Your changes will take effect the next time you open Internet Explorer.

I have gotten a pop-up notification messages from Dell saying that I haven't set up Automatic backup and recovery schedules and haven't signed up for automatic updates. I am wondering if I should do so? Please advise.

You should have a backup and restore plan. I can't speak to Dell's plan as I've not used it. For Windows systems I usually just buy an external disk (USB connect disk) and use that for backup. That doesn't mean Dell is bad, I just don't know about it.

 

Yes, you should signup for Automatic Updates.

 

Navigate this way and select Start (Button in Lower Left), Control Panel, All Control Panel Items, Windows Update, Change Settings. Then you'll find a pull down to set up Automatic Updates.

 

Once you have reset IE, give it a try and let me know how it works.

[AuntieHolly]

Everything seems to be working fine thanks to you. No glitches yet. Next steps?
Holly

[Biscuithd]

Most excellent news!!

 

Ok, although I don't expect there to be too much, let's clean out the junk and low level stuff.

 

Scan with AdwCleaner

 

Please download AdwCleaner by Xplode and save the file to your desktop.

 

• Right-click on icon and select Run as Administrator to start the tool.

• Follow the prompts and click Scan.

• Upon completion, click Report. A log (AdwCleaner[R*].txt) will open.

 

Please include the contents of that file in your reply.

 

Fix with Junkware Removal Tool

 

Please download JRT by Thisisu and save the file to your desktop.

Temporary disable your AntiVirus and AntiSpyware protection - instructions here.

 

• Right-click on icon and select Run as Administrator to start the tool.

• Follow the prompts and let this process run uninterrupted.

• This scan can take a while, depending on your System specs.

• Upon completion, a log (JRT.txt) will open on your desktop.

 

Please include the contents of that file in your reply.

 

Do not forget to re-enable your previously switched off protection software!

Please also manually reboot your machine after this procedure.

 

We'll search for some remnants that might be hiding.

 

Please download Malwarebytes Anti-Malware and save it to your desktop.

• Install the progam and select update

 

• Once it has updated select Settings > Detection and Protection >Tick Scan for rootkits

 

• Go back to the Dashboard and select Scan Now

 

• If threats are detected, click the Apply Actions button, MBAM will ask for a reboot

  

• On completion of the scan (or after the reboot) select View Detailed Log

Select Export > Select text file and save to the desktop.

 

 

Please post that log for my review.

 

[AuntieHolly]

Ok here are the logs:

Adwcleaner:
# AdwCleaner v3.311 - Report created 31/10/2014 at 10:28:51
# Updated 30/09/2014 by Xplode
# Operating System : Windows 7 Professional Service Pack 1 (64 bits)
# Username : Holly - HOLLY-PC
# Running from : C:\Users\Holly\Desktop\AdwCleaner.exe
# Option : Scan

***** [ Services ] *****


***** [ Files / Folders ] *****

File Found : C:\Users\Public\Desktop\eBay.lnk

***** [ Scheduled Tasks ] *****


***** [ Shortcuts ] *****


***** [ Registry ] *****


***** [ Browsers ] *****

-\\ Internet Explorer v11.0.9600.17344


-\\ Google Chrome v38.0.2125.111

[ File : C:\Users\Holly\AppData\Local\Google\Chrome\User Data\Default\preferences ]

Found [Search Provider] : hxxp://search.aol.com/aol/search?q={searchTerms}
Found [Search Provider] : hxxp://www.ask.com/web?q={searchTerms}

*************************

AdwCleaner[R0].txt - [987 octets] - [31/10/2014 09:51:16]
AdwCleaner[R1].txt - [908 octets] - [31/10/2014 10:28:51]

########## EOF - C:\AdwCleaner\AdwCleaner[R1].txt - [967 octets] ##########


Jrt log:
unkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Professional x64
Ran by Holly on Fri 10/31/2014 at 9:57:06.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-534934637-3198636804-1178557441-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/31/2014 at 9:59:19.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Malware log:
unkware Removal Tool (JRT) by Thisisu
Version: 6.3.3 (10.21.2014:1)
OS: Windows 7 Professional x64
Ran by Holly on Fri 10/31/2014 at 9:57:06.82
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~




~~~ Services



~~~ Registry Values

Successfully repaired: [Registry Value] HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-19\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-20\Software\Microsoft\Internet Explorer\Main\\Start Page
Successfully repaired: [Registry Value] HKEY_USERS\S-1-5-21-534934637-3198636804-1178557441-1001\Software\Microsoft\Internet Explorer\Main\\Start Page



~~~ Registry Keys



~~~ Files



~~~ Folders



~~~ Event Viewer Logs were cleared





~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Scan was completed on Fri 10/31/2014 at 9:59:19.47
End of JRT log
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Regarding AdwCleaner, I only scanned per your instructions. Should I have also cleaned? Thanks Holly

[AuntieHolly]

The Malware log was left off so here it is.

 

Malware:

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 10/31/2014
Scan Time: 10:14:35 AM
Logfile: scan log malware.txt
Administrator: Yes

Version: 2.00.3.1025
Malware Database: v2014.10.31.09
Rootkit Database: v2014.10.22.01
License: Trial
Malware Protection: Enabled
Malicious Website Protection: Enabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Holly

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 317401
Time Elapsed: 6 min, 13 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)

(end)

 

 

Thanks Holly

[Biscuithd]

You did everything perfectly!

 

One last scan and one preventative program. Although you had a particularly nasty ransomeware program on your machine, there are others that are even worse (if you can imagine). CryptoPrevent will protect your computer from many flavors of Ransomeware. 

 

I am also going to have you scan you computer with ESET. Sometimes ESET takes a long time to run, so maybe set it up to run overnight while you're sleeping. Last, I want to recheck all your products for versioning.

 

CryptoPrevent install this programme to lock down and prevent crypto ransome ware

 

Scan with Security Check

Please download Security Check by Screen317 and save it to your desktop.

• Right-click on icon and select Run as Administrator to start the tool.
• Follow onscreen instructions inside the black box. This scan won't take long.
• Soon a notepad document called checkup.txt will open automaticaly.

Please include the content of that document.

 

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:

• Accept the Terms of Use and click Start.
• Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

• Download esetsmartinstaller_enu.exe that you'll be given link to.
• Double click esetsmartinstaller_enu.exe.
• Allow the Terms of Use and click Start.

To perform the scan:

• Make sure that Remove found threats is unchecked.
• Scan archives is checked.
• In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
• Click Start
• The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
• When completed, the program will begin to scan. This may take several hours. Please, be patient.
• Do not do anything on your machine as it may interrupt the scan.
• When the scan is done, click Finish.
• A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.

Don't forget to re-enable previously switched-off protection software!

 

Last, let me know if everything is still working properly.

[Biscuithd]

We're you able to complete the last updates and scans?

[AuntieHolly]

Been busy with work. Am working on last instructions now. Will send logs when finished. Thanks. Holly

[AuntieHolly]

Here is the security check log:

 

 Results of screen317's Security Check version 0.99.89  

 Windows 7 Service Pack 1 x64 (UAC is enabled)  

 Internet Explorer 11  

``````````````Antivirus/Firewall Check:`````````````` 

 Windows Firewall Enabled!  

McAfee Anti-Virus and Anti-Spyware   

 WMI entry may not exist for antivirus; attempting automatic update. 

`````````Anti-malware/Other Utilities Check:````````` 

 Adobe Reader XI  

 Google Chrome 38.0.2125.104  

 Google Chrome 38.0.2125.111  

````````Process Check: objlist.exe by Laurent````````  

 Malwarebytes Anti-Malware mbamservice.exe  

 Malwarebytes Anti-Malware mbam.exe  

 Malwarebytes Anti-Malware mbamscheduler.exe   

`````````````````System Health check````````````````` 

 Total Fragmentation on Drive C: 6% 

````````````````````End of Log`````````````````````` 

 

 

Here is the eset log;

 

ESETSmartInstaller@High as downloader log:

all ok

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.7623

# api_version=3.0.2

# EOSSerial=6c5cdf2a660f9c4ca372501295dab7de

# engine=20948

# end=stopped

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2014-11-05 08:21:13

# local_time=2014-11-05 12:21:13 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode_1='McAfee Anti-Virus and Anti-Spyware'

# compatibility_mode=5129 16777214 100 97 821433 100741089 0 0

# compatibility_mode_1=''

# compatibility_mode=5893 16776574 100 94 13119301 166762323 0 0

# scanned=18928

# found=2

# cleaned=0

# scan_time=252

sh=C6A6622783DFBCD4F8CD89BA36576B56004FEEE8 ft=1 fh=b477ca9ccb0cf89a vn="a variant of Win32/ExpressDownloader.K potentially unwanted application" ac=I fn="C:\$RECYCLE.BIN\S-1-5-21-534934637-3198636804-1178557441-1001\$RZOU0ZK.exe"

sh=25B9F4013FB34153FFA27E460D4B8594C79FE337 ft=1 fh=15384691e6094ee0 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe"

ESETSmartInstaller@High as downloader log:

all ok

ESETSmartInstaller@High as downloader log:

all ok

# product=EOS

# version=8

# OnlineScannerApp.exe=1.0.0.1

# OnlineScanner.ocx=1.0.0.7623

# api_version=3.0.2

# EOSSerial=6c5cdf2a660f9c4ca372501295dab7de

# engine=20948

# end=finished

# remove_checked=false

# archives_checked=true

# unwanted_checked=true

# unsafe_checked=true

# antistealth_checked=true

# utc_time=2014-11-05 09:17:29

# local_time=2014-11-05 01:17:29 (-0800, Pacific Standard Time)

# country="United States"

# lang=1033

# osver=6.1.7601 NT Service Pack 1

# compatibility_mode_1='McAfee Anti-Virus and Anti-Spyware'

# compatibility_mode=5129 16777214 100 97 824809 100744465 0 0

# compatibility_mode_1=''

# compatibility_mode=5893 16776574 100 94 13122677 166765699 0 0

# scanned=194126

# found=6

# cleaned=0

# scan_time=3207

sh=C6A6622783DFBCD4F8CD89BA36576B56004FEEE8 ft=1 fh=b477ca9ccb0cf89a vn="a variant of Win32/ExpressDownloader.K potentially unwanted application" ac=I fn="C:\$RECYCLE.BIN\S-1-5-21-534934637-3198636804-1178557441-1001\$RZOU0ZK.exe"

sh=25B9F4013FB34153FFA27E460D4B8594C79FE337 ft=1 fh=15384691e6094ee0 vn="a variant of Win32/HiddenStart.A potentially unsafe application" ac=I fn="C:\Program Files (x86)\Dell Backup and Recovery\Components\DBRUpdate\hstart.exe"

sh=34FD53AE4E9C519AE2F7BB0DBE612FFD92C3EB33 ft=0 fh=0000000000000000 vn="Win32/Poweliks.C trojan" ac=I fn="C:\ProgramData\RogueKiller\Quarantine\CB01AAC080A7AB24.reg"

sh=5C89FA148B67F67756CDEC111C53CBC42E36B8EB ft=1 fh=461b819c6c3a0012 vn="Win64/Bedep.C trojan" ac=I fn="C:\ProgramData\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\neth.dll"

sh=34FD53AE4E9C519AE2F7BB0DBE612FFD92C3EB33 ft=0 fh=0000000000000000 vn="Win32/Poweliks.C trojan" ac=I fn="C:\Users\All Users\RogueKiller\Quarantine\CB01AAC080A7AB24.reg"

sh=5C89FA148B67F67756CDEC111C53CBC42E36B8EB ft=1 fh=461b819c6c3a0012 vn="Win64/Bedep.C trojan" ac=I fn="C:\Users\All Users\{9A88E103-A20A-4EA5-8636-C73B709A5BF8}\neth.dll"

 

 

 

Antimalwarebytes is popping up quite frequently with messages: blocked outbound malicious, the majority are from internet explorer. Would those be from one of the trojans eset found?  Thanks, Holly

[Biscuithd]

Hi Holly,

 

Antimalwarebytes is popping up quite frequently with messages: blocked outbound malicious, the majority are from internet explorer. Would those be from one of the trojans eset found? Thanks, Holly

First, I need to change my script for ESET (which I did do below), so please re-run.

 

So, two comments on MBAM (Anitmalwarebytes). I'm not a fan (although many others are) of having it installed and running as it frequently alarms on simple things (tracking cookies, etc.) that are not worth chasing. I am a fan of using MBAM as on "on demand" scanner.

 

Scan with ESET Online Scanner

This step can only be done using Internet Explorer, Google Chrome or Mozilla Firefox.
Temporary disable your AntiVirus and AntiSpyware protection - instructions here.
Please visit ESET Online Scanner website.
Click there Run ESET Online Scanner.

If using Internet Explorer:
 

• Accept the Terms of Use and click Start.
• Allow the running of add-on.

If using Mozilla Firefox or Google Chrome:

• Download esetsmartinstaller_enu.exe that you'll be given link to.
• Double click esetsmartinstaller_enu.exe.
• Allow the Terms of Use and click Start.

To perform the scan:

• Make sure that Remove found threats is checked.
• Scan archives is checked.
• In Advanced Settings: Scan for potentially unwanted applications, Scan for potentially unsafe applications and Enable Anti-Stealth technology are checked.
• Click Start
• The program will begin to download it's virus database. The speed may vary depending on your Internet connection.
• When completed, the program will begin to scan. This may take several hours. Please, be patient.
• Do not do anything on your machine as it may interrupt the scan.
• When the scan is done, click Finish.
• A logfile will be created at C:\Program Files (x86)\ESET\ESET Online Scanner. Open it using Notepad.

Please include this logfile in your next reply.

Don't forget to re-enable previously switched-off protection software!

[AuntieHolly]

When I ran eset this time it cleaned or quarantined 3 of 4 files. It did not save a log file though. I did notice that it found the same Trojans and files as the first scan. It only cleaned or quarantined 3 because poweliks was listed twice. Do you want me to run it again to get a log? Thanks, Holly

[Biscuithd]

When I ran eset this time it cleaned or quarantined 3 of 4 files. It did not save a log file though. I did notice that it found the same Trojans and files as the first scan. It only cleaned or quarantined 3 because poweliks was listed twice. Do you want me to run it again to get a log?

ESET is sneaky that way as far as the log is concerned. However, no need to re-run as it did the clean up on the remaining Poweliks exploit.

 

How the machine running now? Any issues at all?

[AuntieHolly]

Had some time to run the computer. Seems to work fine except explorer (again). The free trial of McAfee is up and I don't want to purchase it. I've had the free Avast on prior computers. Thoughts on this?