B-boy/StyLe/
-
Posts
1,583 -
Joined
-
Last visited
Content Type
Events
Profiles
Forums
Posts posted by B-boy/StyLe/
-
-
Hello,
Thank you for following my instructions perfectly!
Now that we are at the end of our journey I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.STEP 1 - CLEANUP
Here are a few additional steps on how to remove all of the tools we used as promised:Download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
It's no needed to post the log this time.- Next please download Delfix.exe by Xplode and save it to your desktop.
- Please start it and check the box next to "Remove disinfection tools" and click on the run button.
- The tool will delete itself once it finishes.
Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
STEP 2 - SECURITY ADVICES
Change all your passwords !
Since your computer was infected for peace of mind, I would however advise you that all (or as much possible) your passwords be changed including those for bank accounts, credit cards and home loans, PIN codes etc) just in case.Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use Password Generator - Norton Identity Safe to create random passwords and then install an application like KeePass Password Safe or LastPass to store them for easy access. If you do Online Banikng please read this article: Online Banking Protection Against Identity TheftIf you're storing passwords in the browser to access websites than they are non encrypted well. Only if you use Firefox with master password protection, this provide better security. You can add Secure Login to prevent Java and other exploits when log-in.
Keep your antivirus software turned on and up-to-date
- New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
- Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
- Note: You should scan your computer with an antimalware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
- Be sure to check for and download any definition updates prior to performing a scan.
- Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.
Visit Microsoft's Windows Update Site Frequently
- It is important that you visit Windows Update regularly.
- This will ensure your computer has always the latest security updates available installed on your computer.
- If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- It is possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
- Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
- You can check these by visiting Personal Software Inspector or you can use the following application for this purpose PatchMyPC
Be prepared for CryptoLocker and similar threats:
Check the article below for more information:
The ascension of Crypto-Ransomware and what you need to know to protect yourself
Since the prevention is better than cure you can use CryptoPrevent (described in the link above) to secure the PC against these lockers. Keep in mind that if you choose high protection level in CryptoPrevent then you can encounter some problems with the installed applications. You may need to lower the protection level if you encounter such problems or to add the entries to the whitelist:
I would not recommend you to use the latest option which is still in BETA. Many programs will not work when the Maximum Protection + Program Filtering (BETA) setting is activated...
Also you may need to disable the protection sometimes before you can install new software or apply updates and when you are done then you need to re-apply the protection. It can be very annoying, but still better than losing all of the documents because of Cryptolocker and his variants.
Comodo Firewall/Internet Security can protect the data if you add all local disks to Protected Files and Folders but if you decide to use it then keep in mind that he will disable the built-in Windows Defender software.
Panda have an option (similar to this offered by Comodo) called Data Shield which can help you to protect your data against ransomware.
What is the Data Shield protection of Panda 2015? but if you choose to stick to Panda then you should keep in mind that the software is shareware.
However using such programs on business computers can be very difficult since the users will receive a lot of pop-ups with questions and probably will be impossible for them to work in a efficient way...
You may want to check Malwarebytes Anti-Exploit and add install it to be safe when surfing the net. It work with the most popular browsers and it is very effective. See the article here.
Be sure that UAC and SmartScreen are turned on. This will help you to stop unknown executables from starting.
There are other programs worth checking like Sandboxie, SecureAplus (offer ClamWin - be sure to uncheck it during install if you have another AV installed), VoodooShield (similar to SecureAplus but does not offer ClamWin antivirus), Emet, Toolwiz Time Freeze, KeyScrambler Personal etc, but they are too complicated for the average user. However, you can take a look at them if have the time to learn how to use them.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:- If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
- .zip, .exe, .com, .bat, .pif, .scr, .cmd or .vbs do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
- If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
- If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix - Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
- Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
- When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
- Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
- Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor, Bitdefender TrafficLight or Avira Browser Safety to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
- DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
- You may want to install unchecky to prevent adware bundled into many free programs to install. Please keep in mind that this program is a beta version of a product and not completely tested to ensure its stability or reliability.
Tweak your browsers
MOZILLA FIREFOXTo prevent further infections be sure to install the following add-ons AdBlock Plus
Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.
Adblock Plus can be found here.
Do not add to many filters subscriptions because it will slow down your browser startup time.
You can take a look at NoScript as well but NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.
You can download it from here
You can find the optimal settings here
A tutorial on how to use it can be found hereAd-Muncher is now free so you can give it a try as well.
Google Chrome
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.
However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access
For Internet Explorer read the article below:
Security and privacy features in Internet Explorer
Immunize your browsers with SpywareBlaster 5 and MVPS HOSTS.Also you can change your DNS settings with these 8.26.56.26 and 8.20.247.20 to use Comodo Secure DNS for free (to prevent phishing attacks). Sometime the DNS servers may be overloaded by the traffic coming from other networks and then you can lose your internet connection. In that case you can switch back to your ISP DNS again.
Make the extensions for known file types visible:
Be wary of files with a double extension such as image.jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.
Disable Autorun and Windows Scripting Host:
It's a good idea to disable the Autorun functionality to prevent spreading of the infections from USB flash drives.Check the article here for more information.
If you don't use any script files then you can go ahead and disable Windows Scripting Host using the tool provided by Symantec - NoScript.exe. Simple download and run it and click on the Disable button and reboot the computer. If you need to run any js. or vbs scripts at a later stage you should run NoScript again and select Enable, then reboot the computer.
Create an image of your system (you can use the built-in Windows software as well if you prefer)- Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
- Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
- The download link is here.
- The tutorial on how to create an system image can be found here.
- The tutorial on how to restore an system image can be found here.
- Be sure to read the tutorial first.
Follow this list and your potential for being infected again will reduce dramatically.
Safe Surfing !
Regards,
Georgi
-
Hello,
I am sorry about the delay. For some reason, I didn't get notification of your reply.
You didn't post the log from adwcleaner. If you think that the problem is fixed and you no longer need my help then please let me know and I'll give you my final recommendations.
Regards,
Georgi
-
Hi,
Are you still around?
Regards,
Georgi
-
This is a good lesson for those who don't pay attention of the check boxes during the installation of software to avoid installing the bloatware.
-
Hi,
I am sorry about the delay.
Things have been very busy for me recently and I haven't had much free time that I can spend helping out here.
We are almost done here.
STEP 1
Please click Start Menu > All Programs > Accessories, right click on Command Prompt and select "Run as administrator".
Copy/paste the following text at the command prompt and press enter after it:
reg delete "HKU\.DEFAULT\Software\AppDataLow\{1146AC44-2F03-4431-B4FD-889BC837521F}" /f
You can close the Command Prompt now.STEP 2
Before I let you go I'd like to scan your machine with ESET OnlineScan.
- Please download and the run exe from the link below:
ESET OnlineScan - Check
- Click the
button. - Accept any security warnings from your browser.
- Check the option beside: Enable detection of potentially unwanted applications
- Now click on Advanced Settings and make sure that the option Remove found threats is NOT checked, and select the following:
- Scan archives
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Click on the Change button and select only Operating memory and drive C:\
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push
, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply. - Push the
button. - Push
STEP 3
Also let's check for outdated and vulnerable software on your pc
Download Security Check by screen317 from here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
- Note if you see the following message "UNSUPPORTED OPERATING SYSTEM! ABORTED" please restart the computer and try again. The tool should produce a log file now.
and then if there aren't any issues left I'll give you my final recommendations.
Let me know for any remaining issues.
Regards,
Georgi
- Please download and the run exe from the link below:
-
Hello,
I am sorry about the delay.
Things have been very busy for me recently and I haven't had much free time that I can spend helping out here.
Thank you for following my instructions perfectly!
Now that we are at the end of our journey I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.STEP 1 - CLEANUP
Here are a few additional steps on how to remove all of the tools we used as promised:Download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
It's no needed to post the log this time.- Next please download Delfix.exe by Xplode and save it to your desktop.
- Please start it and check the box next to "Remove disinfection tools" and click on the run button.
- The tool will delete itself once it finishes.
Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
STEP 2 - SECURITY ADVICES
Change all your passwords !
Since your computer was infected for peace of mind, I would however advise you that all (or as much possible) your passwords be changed including those for bank accounts, credit cards and home loans, PIN codes etc) just in case.Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use Password Generator - Norton Identity Safe to create random passwords and then install an application like KeePass Password Safe or LastPass to store them for easy access. If you do Online Banikng please read this article: Online Banking Protection Against Identity TheftIf you're storing passwords in the browser to access websites than they are non encrypted well. Only if you use Firefox with master password protection, this provide better security. You can add Secure Login to prevent Java and other exploits when log-in.
Keep your antivirus software turned on and up-to-date
- New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
- Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
- Note: You should scan your computer with an antimalware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
- Be sure to check for and download any definition updates prior to performing a scan.
- Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.
Visit Microsoft's Windows Update Site Frequently
- It is important that you visit Windows Update regularly.
- This will ensure your computer has always the latest security updates available installed on your computer.
- If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- It is possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
- Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
- You can check these by visiting Personal Software Inspector or you can use the following application for this purpose PatchMyPC
Be prepared for CryptoLocker and similar threats:
Check the article below for more information:
The ascension of Crypto-Ransomware and what you need to know to protect yourself
Since the prevention is better than cure you can use CryptoPrevent (described in the link above) to secure the PC against these lockers. Keep in mind that if you choose high protection level in CryptoPrevent then you can encounter some problems with the installed applications. You may need to lower the protection level if you encounter such problems or to add the entries to the whitelist:
I would not recommend you to use the latest option which is still in BETA. Many programs will not work when the Maximum Protection + Program Filtering (BETA) setting is activated...
Also you may need to disable the protection sometimes before you can install new software or apply updates and when you are done then you need to re-apply the protection. It can be very annoying, but still better than losing all of the documents because of Cryptolocker and his variants.
Comodo Firewall/Internet Security can protect the data if you add all local disks to Protected Files and Folders but if you decide to use it then keep in mind that he will disable the built-in Windows Defender software.
Panda have an option (similar to this offered by Comodo) called Data Shield which can help you to protect your data against ransomware.
What is the Data Shield protection of Panda 2015? but if you choose to stick to Panda then you should keep in mind that the software is shareware.
However using such programs on business computers can be very difficult since the users will receive a lot of pop-ups with questions and probably will be impossible for them to work in a efficient way...
You may want to check Malwarebytes Anti-Exploit and add install it to be safe when surfing the net. It work with the most popular browsers and it is very effective. See the article here.
Be sure that UAC and SmartScreen are turned on. This will help you to stop unknown executables from starting.
There are other programs worth checking like Sandboxie, SecureAplus (offer ClamWin - be sure to uncheck it during install if you have another AV installed), VoodooShield (similar to SecureAplus but does not offer ClamWin antivirus), Emet, Toolwiz Time Freeze, KeyScrambler Personal etc, but they are too complicated for the average user. However, you can take a look at them if have the time to learn how to use them.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:- If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
- .zip, .exe, .com, .bat, .pif, .scr, .cmd or .vbs do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
- If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
- If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix - Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
- Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
- When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
- Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
- Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor, Bitdefender TrafficLight or Avira Browser Safety to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
- DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
- You may want to install unchecky to prevent adware bundled into many free programs to install. Please keep in mind that this program is a beta version of a product and not completely tested to ensure its stability or reliability.
Tweak your browsers
MOZILLA FIREFOXTo prevent further infections be sure to install the following add-ons AdBlock Plus
Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.
Adblock Plus can be found here.
Do not add to many filters subscriptions because it will slow down your browser startup time.
You can take a look at NoScript as well but NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.
You can download it from here
You can find the optimal settings here
A tutorial on how to use it can be found hereAd-Muncher is now free so you can give it a try as well.
Google Chrome
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.
However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access
For Internet Explorer read the article below:
Security and privacy features in Internet Explorer
Immunize your browsers with SpywareBlaster 5 and MVPS HOSTS.Also you can change your DNS settings with these 8.26.56.26 and 8.20.247.20 to use Comodo Secure DNS for free (to prevent phishing attacks). Sometime the DNS servers may be overloaded by the traffic coming from other networks and then you can lose your internet connection. In that case you can switch back to your ISP DNS again.
Make the extensions for known file types visible:
Be wary of files with a double extension such as image.jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.
Disable Autorun and Windows Scripting Host:
It's a good idea to disable the Autorun functionality to prevent spreading of the infections from USB flash drives.Check the article here for more information.
If you don't use any script files then you can go ahead and disable Windows Scripting Host using the tool provided by Symantec - NoScript.exe. Simple download and run it and click on the Disable button and reboot the computer. If you need to run any js. or vbs scripts at a later stage you should run NoScript again and select Enable, then reboot the computer.
Create an image of your system (you can use the built-in Windows software as well if you prefer)- Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
- Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
- The download link is here.
- The tutorial on how to create an system image can be found here.
- The tutorial on how to restore an system image can be found here.
- Be sure to read the tutorial first.
Follow this list and your potential for being infected again will reduce dramatically.
Safe Surfing !
Regards,
Georgi
-
Hello,
I am sorry about the delay.
Things have been very busy for me recently and I haven't had much free time that I can spend helping out here.
How are things now?
Let's check for malware leftovers:
STEP 1
Please download Malwarebytes Anti-Malware 2.0.4.1028 Final to your desktop.
- Double-click mbam-setup-2.0.4.1028.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Launch Malwarebytes Anti-Malware
- A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
- Click Finish.
- On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
- Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
- A Threat Scan will begin.
- With some infections, you may see this message box.
- 'Could not load DDA driver'
- Click 'Yes' to this message, to allow the driver to load after a restart.
- Allow the computer to restart. Continue with the rest of these instructions.
- When the scan is complete, click Apply Actions.
- Wait for the prompt to restart the computer to appear, then click on Yes.
- After the restart once you are back at your desktop, open MBAM once more.
- Click on the History tab > Application Logs.
- Double click on the scan log which shows the Date and time of the scan just performed.
- Click 'Copy to Clipboard'
- Paste the contents of the clipboard into your reply.
STEP 2
Please download AdwCleaner by Xplode and save to your desktop.- Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator. - Click on the Scan button.
- AdwCleaner will begin to scan your computer.
- After the scan has finished click on the Report button.
- Copy and paste the contents of that logfile in your next reply.
- A copy of that logfile will also be saved in the C:\AdwCleaner folder.
Regards,
Georgi
-
Hello,
You forgot to post the log from Malwarebytes Anti-malware?
Also most of the entries found by Eset are already quarantined by FRST & adwcleaner.
The rest of the files are safe as long you are careful with the check boxes that appear during the install and to avoid installing of unwanted applications or toolbars.
You can install Unchecky to make sure that the check boxes will remain clean when you install new software.Regards,
Georgi
-
Hi,
It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.
Thank you for your understanding!
Regards,
Georgi -
Hi,
Sound like a plan. Don't worry...Just checking. No rush.
Regards,
Georgi
-
Nice work. We are almost done here.
Let's check for malware leftovers:
STEP 1
Please download Malwarebytes Anti-Malware 2.0.4.1028 Final to your desktop.
- Double-click mbam-setup-2.0.4.1028.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Launch Malwarebytes Anti-Malware
- A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
- Click Finish.
- On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
- Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
- A Threat Scan will begin.
- With some infections, you may see this message box.
- 'Could not load DDA driver'
- Click 'Yes' to this message, to allow the driver to load after a restart.
- Allow the computer to restart. Continue with the rest of these instructions.
- When the scan is complete, click Apply Actions.
- Wait for the prompt to restart the computer to appear, then click on Yes.
- After the restart once you are back at your desktop, open MBAM once more.
- Click on the History tab > Application Logs.
- Double click on the scan log which shows the Date and time of the scan just performed.
- Click 'Copy to Clipboard'
- Paste the contents of the clipboard into your reply.
STEP 2
Before I let you go I'd like to scan your machine with ESET OnlineScan.
- Please download and the run exe from the link below:
ESET OnlineScan - Check
- Click the button.
- Accept any security warnings from your browser.
- Check the option beside: Enable detection of potentially unwanted applications
- Now click on Advanced Settings and make sure that the option Remove found threats is NOT checked, and select the following:
- Scan archives
- Scan for potentially unsafe applications
- Enable Anti-Stealth Technology
- Click on the Change button and select only Operating memory and drive C:\
- Push the Start button.
- ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
- When the scan completes, push
- Push , and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
- Push the button.
- Push
STEP 3
Also let's check for outdated and vulnerable software on your pc
Download Security Check by screen317 from here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
and then if there aren't any issues left I'll give you my final recommendations.
Let me know for any remaining issues.
Regards,
Georgi
-
Hi Linny,
STEP 1
Double click on AdwCleaner.exe to run the tool again.
- Click on the Scan button.
- AdwCleaner will begin to scan your computer like it did before.
- After the scan has finished...please uncheck the following entries:
Folder Found : C:\Users\linda\Aimersoft Video Converter Ultimate
Folder Found : C:\Users\linda\AppData\Local\FileViewPro- This time click on the Clean button.
- Press OK when asked to close all programs and follow the onscreen prompts.
- Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
- After rebooting, a logfile report will open automatically.
- Copy and paste the contents of that logfile in your next reply.
- A copy of that logfile will also be saved in the C:\AdwCleaner folder.
STEP 2
- Double click on ZHPCleaner to run the tool. (Vista/Windows 7/8 users right-click and select Run As Administrator).
- Please click the
button. - Then press the
button. - During the scan any open instances of the browsers will be closed automatically.
- A logfile will automatically open after the scan has finished.
- Please post the contents of that logfile with your next reply.
Also let me know how are things now.
Thanks!
Regards,
Georgi
-
Hello,
Please download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.
This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system Let me know how are things after the fix above.
Regards,
Georgi
-
Hello.
Nice work. Let's check for malware remnants:
STEP 1
Please download AdwCleaner by Xplode and save to your desktop.- Double click on AdwCleaner.exe to run the tool.
Vista/Windows 7/8 users right-click and select Run As Administrator. - Click on the Scan button.
- AdwCleaner will begin to scan your computer.
- After the scan has finished click on the Report button.
- Copy and paste the contents of that logfile in your next reply.
- A copy of that logfile will also be saved in the C:\AdwCleaner folder.
STEP 2
Please download ZHPCleaner (by NicolasCoolman) to your desktop.- Double click on ZHPCleaner to run the tool. (Vista/Windows 7/8 users right-click and select Run As Administrator).
- Please click the button.
- Then press the
button. - During the scan any open instances of the browsers will be closed automatically.
- A logfile will automatically open after the scan has finished.
- Please post the contents of that logfile with your next reply.
Regards,
Georgi
- Double click on AdwCleaner.exe to run the tool.
-
Hi,
It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.
Thank you for your understanding!
Regards,
Georgi -
Hi,
It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.
Thank you for your understanding!
Regards,
Georgi -
Hi,
It's been several days. Do you still need help on this?
This thread will be closed if you don't respond within 72 hours.
Thank you for your understanding!
Regards,
Georgi -
Hi,
Pokki provides classic start menu like environment replacing Metro interface (the same as ClassicShell does). If you like the Metro style then you don't need both and you can uninstall them. If you want your start button back then stick to Classic Shell.
Be careful with Revo especially in its aggressive mode.
Revo Uninstaller use the built-in installers of the programs the way Programs and Features in Windows does but it can scan for files/folders and registry remnants and other traces left by the programs' uninstallers. Also Revo uninstaller and similar programs can be forced to remove entries shown in the Programs and Features list if for some reason the applications are already uninstalled but they are still visible in the list. These entries are usually saved under the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall => for x86 (32 bit versions of Windows)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall => for x64 (64 bit versions of the programs under 64 bit versions of Windows)
Revo uninstaller can save you some time for searching and deleting the remnants manually when uninstalling a program and it is usually save enough to use as it create a Restore Point before the removal process but sometimes it can flag legitimate entries for removal and can do some damage to Windows like any other registry cleaner programs... Check the articles below for more information about the registry cleaners:
Registry Cleaners and System Tweaking Tools
Why Using a Registry Cleaner Won’t Speed Up Your PC or Fix Crashes
So better use the built-in Windows feature for everyday use and Revo only if needed and only if you have enough knowledge about the registry. If you decide to use Revo be sure to create a new Restore Point before the removal and also be sure to check the listed entries by Revo one by one before you agree to delete them.
However, sometimes the built-in feature can be dangerous as well if there are bad written programs like Conduit. Check the link below for more information:
Uninstalling Conduit SearchProtect deletes NTLDR making Windows XP Unbootable
That said, stick to built-in Windows feature, search for files and folders leftovers manually and leave the registry alone. This should be the best strategy for beginners.
Please download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST and press the Fix button just once and wait.
The tool will make a log on the Desktop (Fixlog.txt). Please post it to your reply.This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system!
Regards,
Georgi
-
Hello! Welcome to Malwarebytes Forums!
My name is Georgi and and I will be helping you with your computer problems.
Before we begin, please note the following:- I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
- The logs can take some time to research, so please be patient with me.
- Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
- Instructions that I give are for your system only!
- Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
- Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
- Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
Please download the latest version of Farbar Recovery Scan Tool and save it to your desktop.
Note: You need to run the version compatibale with your system. If you are not sure which version applies to your system download both of them and try to run them. Only one of them will run on your system, that will be the right version.- Double-click to run it. When the tool opens click Yes to disclaimer.
- Press Scan button.
- It will make a log (FRST.txt) in the same directory the tool is run. Please copy and paste it to your reply.
- The first time the tool is run, it makes also another log (Addition.txt). Please attach it to your reply.
Regards,
Georgi
-
Hi,
I am sorry for the delay. I was busy at the office more than expected.
Please go ahead and uninstall Spyware Doctor. Spyware Doctor was discontinued after PC Tools was bought by Symantec.
Also I would suggest you to replace Pokki with ClassicShell which is adware free.
The logs show a lot of potentially unwanted applications remnants.
Before we proceed further and remove them please delete your illegal stuff:
Check the link Piracy for more information
So please remove all illegal stuff and then run a new scan with FRST. Make sure that Addition.txt is checked before you press the Scan button.
2015-02-18 12:48 - 2015-02-25 16:07 - 00000000 ____D () C:\Users\linda\Downloads\JLS - Goodbye the Greatest Hits (Deluxe)
2015-02-18 12:26 - 2015-02-18 12:26 - 00015330 _____ () C:\Users\linda\Downloads\JLS_-_Goodbye_the_Greatest_Hits_(Deluxe).torrentThank you for your understanding!
Regards,
Georgi
-
Hi Mike,
I hope you received the beer money (from Margaret's account).Thank you very much. Yes, Indeed I received a notification on my email. Cheers
Thank you for following my instructions perfectly!
Now that we are at the end of our journey I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.STEP 1 - CLEANUP
Here are a few additional steps on how to remove all of the tools we used as promised:Download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
It's no needed to post the log this time.- Next please download Delfix.exe by Xplode and save it to your desktop.
- Please start it and check the box next to "Remove disinfection tools" and click on the run button.
- The tool will delete itself once it finishes.
Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
STEP 2 - SECURITY ADVICES
Change all your passwords !
Since your computer was infected for peace of mind, I would however advise you that all (or as much possible) your passwords be changed including those for bank accounts, credit cards and home loans, PIN codes etc) just in case.Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use Password Generator - Norton Identity Safe to create random passwords and then install an application like KeePass Password Safe or LastPass to store them for easy access. If you do Online Banikng please read this article: Online Banking Protection Against Identity TheftIf you're storing passwords in the browser to access websites than they are non encrypted well. Only if you use Firefox with master password protection, this provide better security. You can add Secure Login to prevent Java and other exploits when log-in.
Keep your antivirus software turned on and up-to-date
- New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
- Note: You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
- Note: You should scan your computer with an antimalware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
- Be sure to check for and download any definition updates prior to performing a scan.
- Also keep in mind that MBAM is not a replacement for antivirus software, it is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software.
Visit Microsoft's Windows Update Site Frequently
- It is important that you visit Windows Update regularly.
- This will ensure your computer has always the latest security updates available installed on your computer.
- If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- It is possible for other programs on your computer to have security vulnerability that can allow malware to infect you.
- Therefore, it is also a good idea to check for the latest versions of commonly installed applications that are regularly patched to fix vulnerabilities.
- You can check these by visiting Personal Software Inspector or you can use the following application for this purpose PatchMyPC
Be prepared for CryptoLocker and similar threats:
Check the article below for more information:
The ascension of Crypto-Ransomware and what you need to know to protect yourself
Since the prevention is better than cure you can use CryptoPrevent (described in the link above) to secure the PC against these lockers. Keep in mind that if you choose high protection level in CryptoPrevent then you can encounter some problems with the installed applications. You may need to lower the protection level if you encounter such problems or to add the entries to the whitelist:
I would not recommend you to use the latest option which is still in BETA. Many programs will not work when the Maximum Protection + Program Filtering (BETA) setting is activated...
Also you may need to disable the protection sometimes before you can install new software or apply updates and when you are done then you need to re-apply the protection. It can be very annoying, but still better than losing all of the documents because of Cryptolocker and his variants.
Comodo Firewall/Internet Security can protect the data if you add all local disks to Protected Files and Folders but if you decide to use it then you should uninstall Norton first (and also it will disable the built-in Windows Defender software).
Panda have an option (similar to this offered by Comodo) called Data Shield which can help you to protect your data against ransomware.
What is the Data Shield protection of Panda 2015? but if you choose to stick to Panda then you should uninstall Norton first.
However using such programs on business computers can be very difficult since the users will receive a lot of pop-ups with questions and probably will be impossible for them to work in a efficient way...
You may want to check Malwarebytes Anti-Exploit and add install it to be safe when surfing the net. It work with the most popular browsers and it is very effective. See the article here.
Be sure that UAC and SmartScreen are turned on. This will help you to stop unknown executables from starting.
There are other programs worth checking like Sandboxie, SecureAplus (offer ClamWin - be sure to uncheck it during install if you have another AV installed), VoodooShield (similar to SecureAplus but does not offer ClamWin antivirus), Emet, Toolwiz Time Freeze, KeyScrambler Personal etc, but they are too complicated for the average user. However, you can take a look at them if have the time to learn how to use them.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:- If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that. Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
- .zip, .exe, .com, .bat, .pif, .scr, .cmd or .vbs do not open the attachment unless you know for a fact that it is clean. For the casual computer user, you will almost never receive a valid attachment of this type.
- If you receive an attachment from someone you know, and it looks suspicious, then it probably is. The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
- If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix - Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you. We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window. If there is a menu that comes up saying Add to Favorites... you know it's a fake.
- Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
- When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
- Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
- Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor, Bitdefender TrafficLight or Avira Browser Safety to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
- DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.
- You may want to install unchecky to prevent adware bundled into many free programs to install. Please keep in mind that this program is a beta version of a product and not completely tested to ensure its stability or reliability.
Tweak your browsers
MOZILLA FIREFOXTo prevent further infections be sure to install the following add-ons AdBlock Plus
Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.
Adblock Plus can be found here.
Do not add to many filters subscriptions because it will slow down your browser startup time.
You can take a look at NoScript as well but NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.
You can download it from here
You can find the optimal settings here
A tutorial on how to use it can be found hereAd-Muncher is now free so you can give it a try as well.
Google Chrome
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.
However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access
For Internet Explorer read the article below:
Security and privacy features in Internet Explorer
Immunize your browsers with SpywareBlaster 5 and MVPS HOSTS.Also you can change your DNS settings with these 8.26.56.26 and 8.20.247.20 to use Comodo Secure DNS for free (to prevent phishing attacks). Sometime the DNS servers may be overloaded by the traffic coming from other networks and then you can lose your internet connection. In that case you can switch back to your ISP DNS again.
Make the extensions for known file types visible:
Be wary of files with a double extension such as image.jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.
Disable Autorun and Windows Scripting Host:
It's a good idea to disable the Autorun functionality to prevent spreading of the infections from USB flash drives.Check the article here for more information.
If you don't use any script files then you can go ahead and disable Windows Scripting Host using the tool provided by Symantec - NoScript.exe. Simple download and run it and click on the Disable button and reboot the computer. If you need to run any js. or vbs scripts at a later stage you should run NoScript again and select Enable, then reboot the computer.
Create an image of your system (you can use the built-in Windows software as well if you prefer)- Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
- Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
- The download link is here.
- The tutorial on how to create an system image can be found here.
- The tutorial on how to restore an system image can be found here.
- Be sure to read the tutorial first.
Follow this list and your potential for being infected again will reduce dramatically.
Safe Surfing !
Regards,
Georgi
-
Hello! Welcome to Malwarebytes Forums!
My name is Georgi and and I will be helping you with your computer problems.
Before we begin, please note the following:- I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
- The logs can take some time to research, so please be patient with me.
- Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
- Instructions that I give are for your system only!
- Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
- Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
- Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.
Will reply later today. Thank you for your patience.
Regards,
Georgi
-
Hi,
You had me install and run at least 8 applications to clean my computer. I didn't bother to read about any of them while following your directions. I will read about them, but I would appreciate your explanation about their use. I'm not looking for a lot of detail, just a general idea about the process.That's correct. However don't worry. I will give you instructions how to remove them in my next reply when I post my final recommendations.
We ran Revo Uninstaller, FRST, AdwCleaner, JRT, Malwarebytes, HitmanPro, ESET, and SecurityCheck. What did they do and what was special about the order in which they were run?Revo Uninstaller use the built-in installers of the programs the way Programs and Features in Windows does but it can scan for files/folders and registry remnants and other traces left by the programs' uninstallers. Also Revo uninstaller and similar programs can be forced to remove entries shown in the Programs and Features list if for some reason the applications are already uninstalled but they are still visible in the list. These entries are usually saved under the keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall => for x86 (32 bit versions of Windows)
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall => for x64 (64 bit versions of the programs under 64 bit versions of Windows)
Should I run any of these periodically myself? Is Revo Uninstaller better than the built-in Windows application?It depends. Revo uninstaller can save you some time for searching and deleting the remnants manually when uninstalling a program and it is usually save enough to use as it create a Restore Point before the removal process but sometimes it can flag legitimate entries for removal and can do some damage to Windows like any other registry cleaner programs... Check the articles below for more information about the registry cleaners:
Registry Cleaners and System Tweaking Tools
Why Using a Registry Cleaner Won’t Speed Up Your PC or Fix Crashes
So better use the built-in Windows feature for everyday use and Revo only if needed and only if you have enough knowledge about the registry. If you decide to use Revo be sure to create a new Restore Point before the removal and also be sure to check the listed entries by Revo one by one before you agree to delete them.
However, sometimes the built-in feature can be dangerous as well if there are bad written programs like Conduit. Check the link below for more information:
Uninstalling Conduit SearchProtect deletes NTLDR making Windows XP Unbootable
That said, stick to built-in Windows feature, search for files and folders leftovers manually and leave the registry alone. This should be the best strategy for beginners.
AdwCleaner and JRT are designed to clean potentially unwanted applications. Check the article below for more information:
What are the 'PUP' detections, are they threats and should they be deleted?
They both should be used under guidance of a malware removal expert only. To delete them simple start adwcleaner and click the Uninstall button. Delete the JRT.exe file icon from your desktop as well as the folder located at C:\Users\santella\AppData\Local\Temp\jrt
Malwarebytes Anti-Malware is meant to complement the protection provided by a full antivirus product and is designed to detect the threats that are missed by most antivirus software. Keep in mind that MBAM is not a replacement for antivirus software so you should use both programs to ensure the protection of your computer.
HitmanPro is an on-demand malware scanner and removal tool. It will scan the system faster than other solutions due to its cloud-based technology. It does not offer a real-time component and it require an internet connection to work. It's very powerful but It should be used under guidance of a malware removal expert only. You can delete the program and delete the associated folder => C:\ProgramData\HitmanPro
ESET Online Scanner offer you the ability to scan and clean the computer using Eset without the need to install Eset NOD32 Antivirus or Eset Smart Security. It does not offer real-time protection and will not cause conflicts with another antivirus already installed on the system but will give you a second opinion. You can uninstall it via the Control Panel if you want.
SecurityCheck is used to check the common software for outdated and insecure versions.
I have Norton installed on this machine but I wasn't using it. It had started being a little more intrusive than I liked. I discussed this with a technician at a Microsoft store and was advised that the built-in Windows applications like Defender were good enough to protect against most things. Should I start using Norton again? What would a better protection strategy be, in your opinion?Windows Defender is not that good in my opinion. Yes, there is no antivirus that catches everything but however even MS confessed that MSE (aka Windows Defender in Windows 8) provides baseline" protection. It can't be uninstalled (only disabled).
If you decide to stay with Windows Defender then you can add PrivateFirewall (be sure to uninstall Norton first) to controls what an application is allowed to do and not allowed to do. It monitors what each application tries to do, how it use the internet and give you the ability to block any suspicious activity occurring on your computer, although this would only be advisable for experienced users. More information about HIPS can be found here: What is Host Intrusion Prevention System (HIPS) and how does it work?
There are many programs worth checking but they are too complicated for the beginners. So this is really a matter of personal choice depending on what your needs, computer skills, computer resources and comfort level. All antivirus programs have advantages and disadvantages.You should try and decide what is best for you based on your experience level and computer knowledge.
There are so many reviews on YouTube and blogs about all these programs and you will find many tests there on how they are performing against malware samples. The tests are not perfect so better give them a try yourself rather than believe in the tests. Also every month the results in the tests could be different and another antivirus could be the top of the list.
Be sure to create a new Restore Point before you proceed with the installation of antivirus software in case you decide to uninstall it at a later stage and the program refuse to be uninstalled or other errors occur.
You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC. Also keep in mind that there is no antivirus that catches everything. You still should be very careful when surfing and having good browsing habits...
If these kind of programs are difficult for you to use then you can use a standard user account. If you need administrative privileges to perform some tasks, then you can use Run As or log on as the administrator account for that specific task.
One of the sites I visited when I realized I needed help was bleepingcomputer.com. Of course, I see it in your signature line. Is it a pretty good and trustworthy site for information and help?Yes, of course and I included the site in my signature since I graduated from BleepingComputer and currently offer support in multiple forums such as BleepingComputer, Malwarebytes etc.
If I wanted to learn more about malware and protection, would you recommend the tutorials on bleepingcomputer as a good place to start?Yes, of course.
Regards,
Georgi
-
Hi,
I am glad to here there is an improvement.
You forgot to post the log from step 1 from my previous post but it's not needed to repeat it since adwcleaner already deleted the entry I included for removal in my step 1.
Next let's check for malware leftovers:
STEP 1
Please download Malwarebytes Anti-Malware 2.0.4.1028 Final to your desktop.
- Double-click mbam-setup-2.0.4.1028.exe and follow the prompts to install the program.
- At the end, be sure a checkmark is placed next to the following:
- Launch Malwarebytes Anti-Malware
- A 14 day trial of the Premium features is pre-selected. You may deselect this if you wish, and it will not diminish the scanning and removal capabilities of the program.
- Click Finish.
- On the Settings tab > Detection and Protection subtab, Detection Options, tick the box 'Scan for rootkits'.
- Click on the Scan tab, then click on Scan Now >> . If an update is available, click the Update Now button.
- A Threat Scan will begin.
- With some infections, you may see this message box.
- 'Could not load DDA driver'
- Click 'Yes' to this message, to allow the driver to load after a restart.
- Allow the computer to restart. Continue with the rest of these instructions.
- When the scan is complete, click Apply Actions.
- Wait for the prompt to restart the computer to appear, then click on Yes.
- After the restart once you are back at your desktop, open MBAM once more.
- Click on the History tab > Application Logs.
- Double click on the scan log which shows the Date and time of the scan just performed.
- Click 'Copy to Clipboard'
- Paste the contents of the clipboard into your reply.
STEP 2
1.Please download HitmanPro.
- For 32-bit Operating System -
. - This is the mirror -
- For 64-bit Operating System -
- This is the mirror -
2.Launch the program by double clicking on the
icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).
Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.
3.Click on the next button. You must agree with the terms of EULA. (if asked)
4.Check the box beside "No, I only want to perform a one-time scan to check this computer".
5.Click on the next button.
6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.
7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!
8.Click on the next button.
9.Click on the "Save Log" button.
10.Save that file to your desktop and post the content of that file in your next reply.
Note: if there isn't a dropdown menu when the scan is done then please don't delete anything and close HitmanPro
Navigate to C:\ProgramData\HitmanPro\Logs open the report and copy and paste it to your next reply.Note: Programdata is hidden by default. Please make sure that you can view all hidden files. Instructions on how to do this can be found here:
How to see hidden files in WindowsRegards,
Georgi
This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system
Malware: svchost.exe
in Resolved Malware Removal Logs
Posted
Hello,
Thank you for following my instructions perfectly!
Now that we are at the end of our journey I have some final words for you.
All Clean !
Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.
STEP 1 - CLEANUP
Here are a few additional steps on how to remove all of the tools we used as promised:
Download the following file => fixlist.txt and save it to the Desktop.
NOTE. It's important that both files, FRST and fixlist.txt are in the same location or the fix will not work.
Run FRST/FRST64 and press the Fix button just once and wait.
It's no needed to post the log this time.
Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.
STEP 2 - SECURITY ADVICES
Change all your passwords !
Since your computer was infected for peace of mind, I would however advise you that all (or as much possible) your passwords be changed including those for bank accounts, credit cards and home loans, PIN codes etc) just in case.
Many of the modern malware samples have backdoor abilities and can steal confidential information from the compromised computer. Also you should check for any suspicious transactions if such occur. If you find out that you have been victim to fraud contact your bank or the appropriate institution for assistance.
Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
You can use Password Generator - Norton Identity Safe to create random passwords and then install an application like KeePass Password Safe or LastPass to store them for easy access. If you do Online Banikng please read this article: Online Banking Protection Against Identity Theft
If you're storing passwords in the browser to access websites than they are non encrypted well. Only if you use Firefox with master password protection, this provide better security. You can add Secure Login to prevent Java and other exploits when log-in.
Keep your antivirus software turned on and up-to-date
I have a few updating tasks for you:
Java 8 Update 31 (64-bit)
Next please run JavaRa.
You can choose between 2 variants:
1. If you have applications that require Java to be installed on the computer then uninstall the old version of Java and then run JavaRa to remove all remnants and then go ahead and download & install the latest version of Java (Java SE 8).
2. If you want to be on the safe side then go ahead and uninstall the old version of Java, then run JavaRa to remove all remnants and then remove all applications that require Java (time to learn to live without Java and find alternatives to the applications that require Java)... Check this article.
Visit Microsoft's Windows Update Site Frequently
Be prepared for CryptoLocker and similar threats:
Check the article below for more information:
The ascension of Crypto-Ransomware and what you need to know to protect yourself
Since the prevention is better than cure you can use CryptoPrevent (described in the link above) to secure the PC against these lockers. Keep in mind that if you choose high protection level in CryptoPrevent then you can encounter some problems with the installed applications. You may need to lower the protection level if you encounter such problems or to add the entries to the whitelist:
I would not recommend you to use the latest option which is still in BETA. Many programs will not work when the Maximum Protection + Program Filtering (BETA) setting is activated...
Also you may need to disable the protection sometimes before you can install new software or apply updates and when you are done then you need to re-apply the protection. It can be very annoying, but still better than losing all of the documents because of Cryptolocker and his variants.
Comodo Firewall/Internet Security can protect the data if you add all local disks to Protected Files and Folders but if you decide to use it then keep in mind to uninstall avast! Antivirus first.
Panda have an option (similar to this offered by Comodo) called Data Shield which can help you to protect your data against ransomware.
What is the Data Shield protection of Panda 2015? but if you choose to stick to Panda then you should uninstall avast! Antivirus and also keep in mind that the software is shareware.
However using such programs on business computers can be very difficult since the users will receive a lot of pop-ups with questions and probably will be impossible for them to work in a efficient way...
You may want to check Malwarebytes Anti-Exploit and add install it to be safe when surfing the net. It work with the most popular browsers and it is very effective. See the article here.
Be sure that UAC and SmartScreen are turned on. This will help you to stop unknown executables from starting.
There are other programs worth checking like Sandboxie, SecureAplus (offer ClamWin - be sure to uncheck it during install if you have another AV installed), VoodooShield (similar to SecureAplus but does not offer ClamWin antivirus), Emet, Toolwiz Time Freeze, KeyScrambler Personal etc, but they are too complicated for the average user. However, you can take a look at them if have the time to learn how to use them.
Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
Also having more than one "real-time" program can be a drain on your PC's efficiency so please refrain doing so.
Practice Safe Internet
One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will. Below are a list of simple precautions to take to keep your computer clean and running securely:
Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams. For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
Tweak your browsers
MOZILLA FIREFOX
To prevent further infections be sure to install the following add-ons AdBlock Plus
Adblock Plus can be found here.
Do not add to many filters subscriptions because it will slow down your browser startup time.
You can take a look at NoScript as well but NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.
You can download it from here
You can find the optimal settings here
A tutorial on how to use it can be found here
Ad-Muncher is now free so you can give it a try as well.
Google Chrome
If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.
However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access
For Internet Explorer read the article below:
Security and privacy features in Internet Explorer
Immunize your browsers with SpywareBlaster 5 and MVPS HOSTS.
Also you can change your DNS settings with these 8.26.56.26 and 8.20.247.20 to use Comodo Secure DNS for free (to prevent phishing attacks). Sometime the DNS servers may be overloaded by the traffic coming from other networks and then you can lose your internet connection. In that case you can switch back to your ISP DNS again.
Make the extensions for known file types visible:
Be wary of files with a double extension such as image.jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.
Disable Autorun and Windows Scripting Host:
It's a good idea to disable the Autorun functionality to prevent spreading of the infections from USB flash drives.
Check the article here for more information.
If you don't use any script files then you can go ahead and disable Windows Scripting Host using the tool provided by Symantec - NoScript.exe. Simple download and run it and click on the Disable button and reboot the computer. If you need to run any js. or vbs scripts at a later stage you should run NoScript again and select Enable, then reboot the computer.
Create an image of your system (you can use the built-in Windows software as well if you prefer)
Follow this list and your potential for being infected again will reduce dramatically.
Safe Surfing !
Regards,
Georgi