Solved Computer under attack

OTL per your post 24

All processes killed
========== OTL ==========
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\ not found.
Prefs.js: "AVG Secure Search" removed from browser.search.defaultenginename
Prefs.js: "http://isearch.avg.com/search?cid=%7B883f89f6-7458-48ef-b43b-6eda0c75989c%7D&mid=ec59c282050647d1a85e41affcf06228-888224acfe48b3ad68641d3f0c9229171fca1072&ds=AVG&v=8.0.0.40&lang=en&pr=fr&d= 2011-11-19%2017%3A13%3A45&sap=ku&q=" removed from keyword.URL
File C:\Users\Doug\AppData\Roaming\Mozilla\Firefox\Profiles\7q0hgche.default\searchplugins\avg-secure-search.xml not found.
Unable to fix default_search_provider items.
Unable to fix default_search_provider items.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{30F9B915-B755-4826-820B-08FBA6BD249D} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{30F9B915-B755-4826-820B-08FBA6BD249D}\ not found.
Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\{88c7f2aa-f93f-432c-8f0e-b7d85967a527} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88c7f2aa-f93f-432c-8f0e-b7d85967a527}\ not found.
Registry value HKEY_USERS\S-1-5-21-4032159327-3157157313-2726375902-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\\{21FA44EF-376D-4D53-9B0F-8A89D3229068} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{21FA44EF-376D-4D53-9B0F-8A89D3229068}\ not found.
Starting removal of ActiveX control {E2883E8F-472F-4FB0-9522-AC9BF37916A7}
C:\Windows\Downloaded Program Files\gp.inf not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{E2883E8F-472F-4FB0-9522-AC9BF37916A7}\ not found.
C:\Users\Doug\AppData\Local\BITB0AB.tmp deleted successfully.
C:\ProgramData\~YFdVN365mYfZcj moved successfully.
C:\ProgramData\~YFdVN365mYfZcjr moved successfully.
C:\ProgramData\YFdVN365mYfZcj moved successfully.
ADS C:\ProgramData\Temp:D1B5B4F1 deleted successfully.
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 67 bytes
->Flash cache emptied: 56468 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Doug
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 6676754 bytes
->Java cache emptied: 50404032 bytes
->FireFox cache emptied: 140625200 bytes
->Google Chrome cache emptied: 94481042 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 1174 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 7132 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 50199 bytes
RecycleBin emptied: 109 bytes

Total Files Cleaned = 279.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Doug
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb


OTL by OldTimer - Version 3.2.31.0 log created on 11202011_155104

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
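Added example, not OTL's code and not anything posted in this thread: a PowerShell pass over the same persistence points the OTL log above reports on, so a practitioner can confirm nothing came back after the reboot. It assumes PowerShell 3.0 or later (for Get-Item -Stream and Get-ChildItem -Directory) run as Administrator; the four CLSIDs are the ones OTL reported, and the Firefox search pattern is the hijacker host seen in the prefs.js lines.

```powershell
# Added example: re-check the persistence points named in the OTL log above.
# Not OTL's code; assumes PowerShell 3.0+ running as Administrator.
# The CLSIDs are the ones from the log; substitute your own log's values.
$clsids = @(
    '{88c7f2aa-f93f-432c-8f0e-b7d85967a527}',  # URLSearchHook and IE toolbar (AVG Secure Search)
    '{30F9B915-B755-4826-820B-08FBA6BD249D}',  # IE toolbar
    '{21FA44EF-376D-4D53-9B0F-8A89D3229068}',  # per-user WebBrowser toolbar entry
    '{E2883E8F-472F-4FB0-9522-AC9BF37916A7}'   # ActiveX control (Code Store Database)
)

# Machine-wide keys where a CLSID means "load this COM object in the browser or at logon".
$hookLocations = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks',
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects',
    'HKLM:\SOFTWARE\Microsoft\Code Store Database\Distribution Units',
    'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID'
)

# Per-user toolbar entries live under each loaded user hive (the log shows one under HKU\S-1-5-21-...).
$userLocations = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
    ForEach-Object { "Registry::$($_.Name)\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser" }

function Find-RegistryLeftovers {
    param([string[]]$Ids, [string[]]$Locations)
    $hits = @()
    foreach ($loc in $Locations) {
        if (-not (Test-Path -Path $loc)) { continue }
        # Subkeys named after a CLSID: BHOs, Distribution Units, Active Setup, CLSID registrations.
        foreach ($key in Get-ChildItem -Path $loc -ErrorAction SilentlyContinue) {
            if ($Ids -contains $key.PSChildName) {
                $hits += [pscustomobject]@{ Where = $key.Name; Kind = 'subkey' }
            }
        }
        # Values named after a CLSID: URLSearchHooks and Toolbar store them this way.
        $props = Get-ItemProperty -Path $loc -ErrorAction SilentlyContinue
        if ($props) {
            foreach ($name in $props.PSObject.Properties.Name) {
                if ($Ids -contains $name) {
                    $hits += [pscustomobject]@{ Where = "$loc\$name"; Kind = 'value' }
                }
            }
        }
    }
    return $hits
}

function Find-AlternateStreams {
    param([string]$Path)
    # Named streams on files and folders directly under $Path. The log removed a stream on the
    # C:\ProgramData\Temp folder; the unnamed ':$DATA' stream is normal on files and is skipped.
    Get-ChildItem -Path $Path -Force -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } | Select-Object FileName, Stream, Length
}

function Find-FirefoxSearchHijack {
    param([string]$HostPattern)
    # user_pref lines in every profile's prefs.js that still point at the hijacker's search host.
    Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\prefs.js" -ErrorAction SilentlyContinue |
        Select-String -Pattern $HostPattern |
        Select-Object Path, LineNumber, Line
}

$leftovers = Find-RegistryLeftovers -Ids $clsids -Locations ($hookLocations + $userLocations)
if ($leftovers) { $leftovers | Format-Table -AutoSize } else { 'No registry leftovers for the listed CLSIDs.' }
Find-AlternateStreams -Path 'C:\ProgramData' | Format-Table -AutoSize
Find-FirefoxSearchHijack -HostPattern 'isearch\.avg\.com|AVG Secure Search' | Format-Table -AutoSize
```

A hit from the first function after a reboot means something re-created the entry, which is the signal that an installer or a still-running component is reinstalling it; the "not found" lines in the OTL log are the expected result for the CLSID registrations. Windows 7 ships PowerShell 2.0, where Get-Item -Stream is unavailable; `dir /r` from cmd.exe lists streams there.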
 
Security Check output 20Nov 4:59 pm

Results of screen317's Security Check version 0.99.24
Windows 7 x64 (UAC is enabled)
Internet Explorer 9
``````````````````````````````
Antivirus/Firewall Check:

Windows Firewall Disabled!
WMI entry may not exist for antivirus; attempting automatic update.
```````````````````````````````
Anti-malware/Other Utilities Check:

Malwarebytes' Anti-Malware
Java(TM) 6 Update 29
Adobe Flash Player 11.0.1.152
Adobe Reader X (10.1.1)
````````````````````````````````
Process Check:
objlist.exe by Laurent

Common Files BitDefender BitDefender Update Service livesrv.exe
BitDefender BitDefender 2010 vsserv.exe
BitDefender BitDefender 2010 bdagent.exe
BitDefender BitDefender 2010 seccenter.exe
``````````End of Log````````````
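Added example, not part of the thread and not screen317's Security Check code: the same facts that log reports (UAC, Windows Firewall state, which products registered with Security Center and whether they claim to be running and current, and the plug-in versions), collected with what Windows ships. It assumes PowerShell 3.0 or later on Windows Vista or newer (the root\SecurityCenter2 namespace does not exist on XP) run as Administrator; the productState bit decoding is the commonly used, undocumented interpretation and is labelled as such in the code.

```powershell
# Added example, not from the thread or from Security Check: collect the same
# facts the log above reports using only built-in tools. Assumes PowerShell 3.0+
# (Get-CimInstance) on Windows Vista or later, run as Administrator.

function Get-SecurityCenterProducts {
    # Whatever registered with Security Center. "WMI entry may not exist for antivirus"
    # in the log means this came back empty for BitDefender. The productState decoding
    # (0x1000 = real-time protection on, 0x10 = definitions out of date) is the widely
    # used but undocumented interpretation, so treat it as a hint, not proof.
    foreach ($class in 'AntiVirusProduct', 'AntiSpywareProduct', 'FirewallProduct') {
        Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $class -ErrorAction SilentlyContinue |
            ForEach-Object {
                $state = [int]$_.productState
                [pscustomobject]@{
                    Kind     = $class
                    Name     = $_.displayName
                    Enabled  = (($state -band 0x1000) -ne 0)
                    UpToDate = (($state -band 0x10) -eq 0)
                    RawState = ('0x{0:X6}' -f $state)
                }
            }
    }
}

function Get-WindowsFirewallState {
    # netsh works on Windows 7; Get-NetFirewallProfile only exists on Windows 8 and later.
    $profiles = @{}
    $current = $null
    foreach ($line in (netsh advfirewall show allprofiles state)) {
        if ($line -match '^(\w+) Profile Settings:') { $current = $Matches[1] }
        elseif ($current -and $line -match '^State\s+(\w+)') { $profiles[$current] = $Matches[1] }
    }
    return $profiles
}

function Get-UacState {
    # EnableLUA = 1 is what the log's "(UAC is enabled)" refers to.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA -ErrorAction SilentlyContinue
    return (($null -ne $v) -and ($v.EnableLUA -eq 1))
}

function Get-InstalledVersion {
    param([string]$NamePattern)
    # Versions of the plug-ins the log lists (Java, Flash, Reader), from both Uninstall hives.
    $roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $NamePattern } |
        Select-Object DisplayName, DisplayVersion
}

"UAC enabled: $(Get-UacState)"
Get-WindowsFirewallState
Get-SecurityCenterProducts | Format-Table -AutoSize
'Java', 'Adobe Flash', 'Adobe Reader' | ForEach-Object { Get-InstalledVersion -NamePattern $_ } | Format-Table -AutoSize
```

Two things worth checking against the log: "Windows Firewall Disabled!" with no FirewallProduct registered means no host firewall at all, not a third-party one taking over; and an AV that is running but absent from Security Center (BitDefender here) will also be invisible to anything else that trusts Security Center, so verify it by its own service and process rather than by this query.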
 
JavaRa problem with .def

Hi Broni -
When I ran JavaRa it had a problem finding the .def file. I ran it several times, in different locations - either on the desktop or in the Downloads directory which is a subdir of the desktop. There *was* a JavaRa.def in the dir.

Doug
 
Assuming you're talking about Quick Launch icons (next to Start button) you can easily recreate them.
Right click on any program and click "Add to Quick Launch".
 
ESET at 31%

Hi -
That ESET scan has found 5 threats, but it's only up to 31% after 70 minutes. So this will take a while.

I have found that I can manually put back the taskbar icons.

I have family things to do this evening, so I'll be much later.

Doug
 
Hi Broni -
I guess I messed up on ESET since it finished and I did not get an output file. I know it found 60 threats and cleaned them up. Sorry about that.

Do you have a recommendation for security software? Like I said, Bitdefender won't let my scanner get its output so I'm looking for something else. Does ESET fit the bill?

When you get a gratuity for your help, what's a reasonable range?

Doug
 
Hi Broni -
You may not know about this, but there's a seemingly trivial difference in those taskbar icons now, but it's really quite irritating. Before the virus attack it mattered not how many copies of the application I had up and running; there was only one icon. Only when I hovered over it would the many copies show up, quite nicely.

The new behavior reduces the value of the taskbar icons. Now if I have fifteen copies of an application there are fifteen copies of the icon. Today my taskbar is chock-a-block full from left to right with icons. It's hard to keep track and see what's up.

Otherwise, everything's running fine. Thank you.

Doug
 
Don't worry about Eset scan results.
Whatever was removed was most likely not active (leftovers).

Do you have a recommendation for security software? Like I said, Bitdefender won't let my scanner get its output so I'm looking for something else. Does ESET fit the bill?
Eset is a fine program, or you can try free options:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/windows/products/security-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-security/antivirus.php

When you get a gratuity for your help, what's a reasonable range?
Any donation is strictly optional, so I can't answer your question....

As for Taskbar icons....
Right click on any taskbar empty space, click "Properties" and checkmark "Group similar taskbar buttons".

=============================================================

Your computer is clean

1. We need to reset system restore to prevent your computer from being accidentally reinfected by using some old restore point(s). We'll create a fresh, clean restore point using the following OTL script:

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

Code:
:OTL
:Commands
[purity]
[emptytemp]
[EMPTYFLASH]
[CLEARALLRESTOREPOINTS]
[Reboot]

  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Post resulting log.

2. Now we'll remove all the tools we used during our cleaning process.

Clean up with OTL:

  • Double-click OTL.exe to start the program.
  • Close all other programs apart from OTL as this step will require a reboot
  • On the OTL main screen, press the CLEANUP button
  • Say Yes to the prompt and then allow the program to reboot your computer.

If you still have any tools or logs leftover on your computer you can go ahead and delete those off of your computer now.

3. Make sure Windows Updates are current.

4. If any Trojan was listed among your infection(s), make sure you change all of your important on-line passwords (bank account(s), secured web sites, etc.) immediately!

5. Download and install WOT (Web of Trust): http://www.mywot.com/. It'll warn you (in most cases) about dangerous web sites.

6. Run Malwarebytes "Quick scan" once in a while to assure safety of your computer.

7. Run Temporary File Cleaner (TFC) weekly.

8. Download and install Secunia Personal Software Inspector (PSI): https://www.techspot.com/downloads/4898-secunia-personal-software-inspector-psi.html. The Secunia PSI is a FREE security tool designed to detect vulnerable and out-dated programs and plug-ins which expose your PC to attacks. Run it weekly.

9. (optional) If you want to keep all your programs up to date, download and install FileHippo Update Checker.
The Update Checker will scan your computer for installed software, check the versions and then send this information to FileHippo.com to see if there are any newer releases.

10. (Windows XP only) Run defrag at your convenience.

11. When installing\updating ANY program, make sure you always select "Custom" installation, so you can UN-check any possible "drive-by-install" (foistware), like toolbars etc., which may try to install along with the legitimate program. Do NOT click the "Next" button without looking at any given page.

12. Read How did I get infected?, With steps so it does not happen again!: http://www.bleepingcomputer.com/forums/topic2520.html

13. Please let me know how your computer is doing.
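Added example, not OTL's code and not from the post: what the [CLEARALLRESTOREPOINTS] line in the script above does, done with the tools Windows ships, for anyone who wants to see or audit the step rather than run it through OTL. It assumes Windows 7 or later with PowerShell 3.0+, run as Administrator, with System Protection available on C:; the description string is the author's own choice.

```powershell
# Added example, not from OTL or the thread: clear every old restore point and
# create one fresh one, the same step the OTL script performs. Assumes Windows 7+,
# PowerShell 3.0+, run as Administrator, System Protection available on C:.
function Reset-RestorePoints {
    param(
        [string]$Drive = 'C:\',
        [string]$Description = 'Clean restore point after malware removal'  # author's choice
    )

    $before = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)

    # Restore points are kept in Volume Shadow Copies. Deleting the shadows removes
    # every old point, and with it any infected file an old point preserved.
    # Side effect: "Previous Versions" of files on this volume go away as well.
    & vssadmin.exe delete shadows /all /quiet | Out-Null

    Enable-ComputerRestore -Drive $Drive
    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    $after = @(Get-ComputerRestorePoint -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Removed   = $before.Count
        Remaining = $after.Count
        Newest    = ($after | Sort-Object SequenceNumber | Select-Object -Last 1).Description
    }
}

Reset-RestorePoints
```

Do this only after the scans have come back clean, since it also discards the one rollback you would have if the cleanup itself broke something. On Windows 8 and later Checkpoint-Computer refuses to create a second point within 24 hours of the last one unless the SystemRestorePointCreationFrequency registry value is lowered, so Remaining can come back as 0 there; Windows 7 has no such limit.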
 
Hi Broni -
You write:
Eset is a fine program, or you can try free options:
- Avast! free antivirus: http://www.avast.com/eng/download-avast-home.html
- free Microsoft Security Essentials: http://windows.microsoft.com/en-GB/w...ity-essentials
- free Comodo Antivirus: http://www.comodo.com/home/internet-.../antivirus.php

Questions:
  • I'm actually a bit unclear about what I actually need to have running in order to keep my computer protected. The suites make it seem like I need all their features, but I don't give a whit for "parental controls" since I pay close attention to what my child is doing. Is all I need an anti-virus? What is "essentials"?
  • Is ESET an antivirus product for continual protection or just an app for cleaning?
  • When people pay for Malwarebytes, do they get something that continually protects their computer or are they just being supportive of an excellent free product that they will run periodically?

I asked this question before on Tech Spot and the single response I got was that anything that is free is not worth using.

FWIW, I run a Google Group focused on talking with Boston-area stock investors and so I like to find free, reliable products, but I'll pay when free is worthless.

Doug
 
OTL output cleanup Tuesday 22Nov2011

All processes killed
========== OTL ==========
========== COMMANDS ==========

[EMPTYTEMP]

User: All Users

User: Default
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Default User
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 0 bytes
->Flash cache emptied: 0 bytes

User: Doug
->Temp folder emptied: 0 bytes
->Temporary Internet Files folder emptied: 3941236 bytes
->Java cache emptied: 0 bytes
->FireFox cache emptied: 122808371 bytes
->Google Chrome cache emptied: 35888775 bytes
->Opera cache emptied: 0 bytes
->Flash cache emptied: 1322 bytes

User: Public
->Temp folder emptied: 0 bytes

%systemdrive% .tmp files removed: 0 bytes
%systemroot% .tmp files removed: 0 bytes
%systemroot%\System32 .tmp files removed: 0 bytes
%systemroot%\System32 (64bit) .tmp files removed: 0 bytes
%systemroot%\System32\drivers .tmp files removed: 0 bytes
Windows Temp folder emptied: 19388 bytes
%systemroot%\sysnative\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files folder emptied: 33170 bytes
RecycleBin emptied: 0 bytes

Total Files Cleaned = 155.00 mb


[EMPTYFLASH]

User: All Users

User: Default
->Flash cache emptied: 0 bytes

User: Default User
->Flash cache emptied: 0 bytes

User: Doug
->Flash cache emptied: 0 bytes

User: Public

Total Flash Files Cleaned = 0.00 mb

Restore point Set: OTL Restore Point

OTL by OldTimer - Version 3.2.31.0 log created on 11222011_070620

Files\Folders moved on Reboot...

Registry entries deleted on Reboot...
 
Taskbar tip

Hi Broni -
Just going through the list.

Thanks for the taskbar tip on grouping the icons. I felt like I was nitpicking when I asked, but am now pleased that there's a resolution.

Doug
 
Hi Broni -
I love the list of cleanup tasks.

I use the automatic Windows update feature, so that should be a no-op.

I frequently run Malwarebytes, but I use the "full scan". Is all that extra time earning me nothing?

I'll be glad to add TFC to my very frequent usage of CCleaner and the Windows Disk Cleanup utility. Cleaner is better.

The Secunia PSI is a cool app. I also signed up for the FileHippo app.

Thanks for the "custom" installation suggestion. I'm always getting those dang toolbars which I then have to turn off.

So the issue remaining is performance. (When I was a professional programmer I was a proficient x86 assembler language programmer; learned the 1%/99% rule quite well.) Yesterday I was writing docs that require inserting URLs. As a part of inserting URLs I always test to see that the inserted URL actually works, which requires that a new instance of Mozilla Firefox is loaded. When I did this yesterday the test of the URL, every single time, took about 5 minutes. That's a pain. Any ideas?

That's it for now. Again, many thanks. Looking forward to your responses, especially vis-a-vis the going-forward security setup - response #36.

Doug
 
Let's start with this:
anything that is free is not worth using.
In the case of security programs it's totally false.
I've never used any paid for security program (using free Avast AV and free Comodo firewall) and I've never been infected.
You have to realize two things:
1. There is no perfect security program
2. It's all about your computing habits. You can have a $1,000 security program and if your computing habits are not smart you'll get infected anyway (sooner or later).

I'm actually a bit unclear about what do I actually need to have running in order to keep my computer protected? The suites make it seem like I need all their features, but I don't give a whit for "parental controls" since I pay close attention to what my child is doing. Is all I need an anti-virus? What is "essentials"?
Every security program has some settings, so if you feel like you don't need this or that part you don't have to use it.
MSE is free Microsoft AV program.

Is ESET an antivirus product for continual protection or just an app for cleaning?
Eset provides a regular AV program which runs in real time (paid for) and also (like many other security companies) a free online scan, which you can run once in a while as a double check. It doesn't run in real time; you have to run it manually.

When people pay for Malwarebytes, do they get something that continually protects their computer or are they just being supportive of an excellent free product that they will run periodically?
Paid for MBAM runs in real time, free MBAM has to be updated and run manually.

I frequently run Malwarebytes, but I use the "full scan". Is all that extra time earning me nothing?
Under normal circumstances (computer behaves fine, you just want to make sure nothing is hiding) "Quick scan" is perfectly fine.

When I did this yesterday the test of the URL, every single time, took about 5 minutes.
If this issue concerns Firefox only I strongly suggest clean reinstallation.
Uninstall Firefox completely using this manual: http://kb.mozillazine.org/Uninstalling_Firefox
Do NOT skip any steps.
Install fresh copy.

Assuming there are no other issues I'll mark this topic as resolved.

Good luck and stay safe :)
 
Hi Broni -
That uninstalling Firefox URL is coming up as "Error: The requested URL could not be retrieved". I'll try again later.

If I uninstall will I lose all my bookmarks?

Regarding continual protection versus manual app runs, is free Avast AV and free Comodo firewall sufficient? Wouldn't that mean not using the Microsoft Windows Firewall? Sorry to sound so thick.


Doug
 
Link works fine for me....

Regarding bookmarks, go Bookmarks>Show all bookmarks>Import and Backup>Export Bookmarks to HTML
After reinstallation you can import them in the very same way.

is free Avast AV and free Comodo firewall sufficient?
Yes. If you install Comodo firewall you have to disable Windows firewall.
 
Hi Broni -
I have just successfully uninstalled and reinstalled Firefox 3.6. I have all my bookmarks and also have del.icio.us installed.

If I should open a separate case for a separate problem related to the Firefox install then I will, but I'll tell you about it and you can cogitate on it:
  • Some years ago I decided to try out a different PDF reader, Foxit. Right away I decided that I did not like it and I uninstalled the thing.
  • Ever since, I cannot read any PDFs that are embedded in the URL, such as this one that I just tried after I reinstalled Firefox: http://dl.dropbox.com/u/11366935/Op...e thru CRB and CRX commodity p.II_11-2011.pdf.
  • This problem does not exist for PDFs that are attached to files. For that the Adobe PDF reader successfully gets the job done.
  • I have tried repeatedly to go to the Firefox support and there are some entries there about people who have this problem also, but there's no help in getting rid of the problem.
  • Apparently, even if you delete/uninstall Foxit, somehow Firefox still wants to use Foxit to read the URL.
  • In the past I brought this problem to Tech Spot and did not get much help. The proffered solution was to uninstall Firefox and reinstall. At the time I was unwilling to uninstall Firefox for fear of losing my bookmarks. However, now I have uninstalled Firefox and reinstalled Firefox and the dang nonexistent Foxit reader still has the job of reading PDFs that are embedded in a URL.
Any suggestions?
 
In this forum, we make sure your computer is free of malware and your computer is clean :)
Because access to the malware forum is very limited, your best option is to create a new topic about your current issue in the Windows section.
You'll get more attention.
 
Hi Broni -
Not a problem with the Foxit reader problem. I've been putting up with it.

Thank you ever so much for all your help.

I'm using TFC, Comodo, Avast, Secunia PSI and FileHippo. Feels like a different computer.

So thank you and shut this thread down.

Doug
 
Way to go!!

Good luck and stay safe :)
 