Author Topic: Vista antispyware 2012 infection  (Read 3790 times)


HilltownJohn
Vista antispyware 2012 infection
« on: January 13, 2012, 03:14:11 PM »
Hello, and thank you in advance for your help. Two days ago I became infected with the subject malware, which started popping up many warnings about viruses that I quickly realized were fake. Most disturbing, when I try to open a program it says that program is infected and blocks it. I discovered this when I tried to use a snipping tool to capture a pop-up warning generated by the malware.
Please note that my computer is shut down and I am posting to your forum from my wife's iPad (or alternately from her laptop). While I am no expert, I consider myself to be tech-savvy and I am not afraid to "get my hands dirty."
The infected computer is a Dell 531, about 3 years old, running the original Windows Vista OS. I also have Norton 360 running and run nightly backups to a USB drive. I keep the OS and Norton updated and try to do the same with Adobe Reader, Flash Player, etc., but I'm sure there are gaps.
Before discovering this forum, I Googled the program name and wound up at malwareexperts.com. I went through many of their steps: booted into safe mode with networking, downloaded and ran rkill (it was not clear whether it worked), downloaded Malwarebytes, but I'm not sure if it ran because I then started getting the malware pop-up windows again, even though I was still in safe mode. And when I tried to start IE from the Run box I got the pop-up that it was infected. So, being basically "dead in the water," I shut down the machine, took a day off, and today did more research and found you. Thanks for any help you can provide.

HilltownJohn
Re: Vista antispyware 2012 infection
« Reply #1 on: January 13, 2012, 03:25:27 PM »
Perhaps I should have noted that I rarely run my computer from an administrator login, as I understand that increases risk. If I should choose the administrator login when I follow your instructions, please let me know. Thanks.

Corrine (Administrator)
Re: Vista antispyware 2012 infection
« Reply #2 on: January 13, 2012, 04:28:19 PM »
Hi, HilltownJohn.  Welcome to LandzDown Forum.

We will do our best to assist you.  However, in order to do so, please follow all instructions provided in the sequence given.  Do not install/re-install any programs or run any fixes or scanners that you have not been instructed to use.  This may cause conflicts with the tools being used in the cleanup process.   

If you have questions regarding any of the instructions or problems running any tools, please let us know.

For the purposes of cleanup, yes, please use your administrator login.  In the event you are unable to download any of the needed files please transfer them from a known clean computer (your wife's laptop).

1)  Please download the following two files (RKill link repeated in case you did not keep a copy).  In the event you are blocked by the malware from downloading, it will be necessary to go to an uninfected computer and then transfer the files to the infected computer via CD/DVD, external drive, or USB flash drive.

FixNCR.reg
Bleeping Computer Downloads: RKill

2)  Insert the removable device into the infected computer and open the folder for the drive letter associated with it. Double-click the FixNCR.reg file to fix the Registry on your infected computer.

3)  Copy the downloaded RKill file to the desktop of the infected computer.
  • Double-click rkill to run.
  • A command window will open, then disappear upon completion; this is normal.
  • Please leave rkill on the Desktop until otherwise advised.
  • Do NOT restart your computer after running rkill as the malware program(s) will start again.
Notes:

If you receive security warnings about rkill, please ignore them and allow the download to continue.

4)  Since you already downloaded MBAM, please proceed as follows:
  • Launch Malwarebytes' Anti-Malware, then click the Update tab and "Check for Updates"
  • Once the update has been installed and the program has loaded, select Quick scan
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, EXCEPT items in System Restore as shown in this sample:

  • Click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See the Note below)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Please post contents of that file in your next reply.
** Note **

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

In addition to the MBAM log, please return to the "Log Posting Instructions" topic and provide the requested logs from that topic, noting that it may take more than one reply.

Thank you.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

HilltownJohn
Re: Vista antispyware 2012 infection
« Reply #3 on: January 13, 2012, 08:37:42 PM »

Corrine (Administrator)
Re: Vista antispyware 2012 infection
« Reply #4 on: January 13, 2012, 11:35:10 PM »

HilltownJohn
Re: Vista antispyware 2012 infection
« Reply #5 on: January 14, 2012, 12:28:48 AM »
Thank you so much Corrine! I will do these before any other work on the computer. One quick question: Do I use Windows Remove Programs on the various versions of Java and then run JavaRa or is JavaRa all I need to do the uninstalls? Sorry for being dense and thanks again.

Corrine (Administrator)
Re: Vista antispyware 2012 infection
« Reply #6 on: January 14, 2012, 01:05:52 AM »
Hi, HilltownJohn.

Use Windows Remove Programs on the Java versions first.  Then JavaRa will clean up any leftovers that Java likes to leave behind in the uninstall process.


HilltownJohn
Re: Vista antispyware 2012 infection
« Reply #7 on: January 14, 2012, 02:27:13 PM »
Corrine, I can't thank you enough for your very thorough and extremely prompt directions! I have been through all the clean-up and update steps you gave and all seems well. You made a complex process manageable, and I could never have figured out all these steps and software apps. I have logged back onto my non-administrator user and both Firefox and Thunderbird are running well there. I went with the current versions of these and am adjusting to the new look and feel without much problem. Thunderbird was perfect about bringing in all my accounts and folders and saved emails. I will also start checking other applications like Adobe Reader to make sure they are up-to-date.

Two things to note. One, extremely minor, that is strictly an FYI, is that the link you provided for JavaRa now brings up a "file not found" message. Of course, it is not hard to locate and I found it at http://singularlabs.com/software/javara/javara-download/ The second is that the JavaRa log, in addition to many entries of successfully removing files, included roughly 20 lines that look like this:
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
(The only difference among the lines is the 4-digit string after "CAFEEFAC-0016".) I assume this is not a problem? Especially since I ran JavaRa before upgrading Firefox.

Anyway, thanks again.

Corrine (Administrator)
Re: Vista antispyware 2012 infection
« Reply #8 on: January 14, 2012, 07:39:23 PM »
Hi, HilltownJohn.

You are very welcome.  I'm glad I was able to help.  Also, thank you for the information about JavaRa.  I'll fix my standard instructions.  You are very astute in picking up the 4-digit string in the log regarding Java.  The reason is that uninstalling older versions of JRE may not uninstall the Java Console for that version, causing Firefox to accumulate multiple Java Console extensions located in the Firefox > Tools > Add-ons list (explained here).  So,  here's how you can take care of that:
  • Make sure you already have the most recent version, Java SE Runtime Environment 6u30.
  • Go to C:\Program Files > Mozilla Firefox > extensions.
  • Delete the folders "{CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA}", where xxxx is the number of the JRE-version.  Keep the highest number as this is the latest version, i.e., 0030.

To help you stay on top of third-party software updates like Adobe and Java as well as others, I suggest Secunia, which will check if your system is missing security updates or has insecure applications.  Install Secunia Personal Software Inspector or, alternatively, visit http://secunia.com/software_inspector/.  The Secunia Software Inspector runs through your browser with no installation or download required and does the following:
  • Detects insecure versions of applications installed
  • Verifies that all Microsoft patches are applied
  • Assists you in updating your system and applications

Install and update SpywareBlaster to prevent the installation of spyware and other potentially unwanted software: http://www.javacoolsoftware.com/spywareblaster.html

My favorite security software is WinPatrol which includes the features described at http://www.winpatrol.com/features.html.  If you have questions about WinPatrol, we have a forum here at LzD:  WinPatrol Help & Information.

Please let me know if you have any questions.

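The two Java Console points in this thread (the JavaRa "error removing" lines in Reply #7 and the rule in Reply #8 of keeping only the `{CAFEEFAC-0016-0000-xxxx-ABCDEFFEDCBA}` folder with the highest update number) are easy to get wrong by hand when there are twenty near-identical folder names. The script below is an added example written for this page, not code from the forum, JavaRa or Mozilla. It parses JavaRa-style log lines, pulls the extension folder names out of the reported paths, and decides which one folder to keep and which are stale leftovers of older JRE updates; it only reports, it never deletes. The sample log text is constructed to mirror the line shape quoted in the thread, including one malformed name (the thread's own transcription, which lacks the 4-digit group) to show that unrecognized names are listed separately rather than guessed at. `scan_extensions_dir` is a hypothetical helper for pointing the same check at a real Firefox `extensions` folder.

```python
import re
from pathlib import Path

# Folder name of the Java Console add-on that each JRE 6 update drops into
# Firefox's extensions directory. The 4-digit group is the update number
# (0030 for Java 6u30); the thread's rule is to keep only the highest one.
JAVA_CONSOLE_RE = re.compile(
    r"^\{CAFEEFAC-0016-0000-(?P<update>\d{4})-ABCDEFFEDCBA\}$", re.IGNORECASE
)

# Shape of the JavaRa "error removing" lines quoted in the thread.
JAVARA_ERROR_RE = re.compile(
    r"There was an error removing (?P<path>.+?)\. The error returned was (?P<code>\d+)\."
)

# Constructed sample log (not a real JavaRa log); the last line copies the
# malformed name as it appears in the thread, with no 4-digit update group.
SAMPLE_JAVARA_LOG = r"""
Removed file C:\Program Files\Java\jre6\bin\stale.dll
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0024-ABCDEFFEDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0026-ABCDEFFEDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBA}. The error returned was 124.
There was an error removing \Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-ABCDEFFDCBA}. The error returned was 124.
"""


def parse_javara_log(log_text):
    """Return (path, error_code) pairs for every JavaRa 'error removing' line."""
    hits = []
    for line in log_text.splitlines():
        m = JAVARA_ERROR_RE.search(line)
        if m:
            hits.append((m.group("path"), int(m.group("code"))))
    return hits


def classify_console_extensions(folder_names):
    """Split folder names into (keep, stale, unrecognized).

    keep:         the Java Console folder with the highest update number
                  (None if no folder matches the pattern)
    stale:        the other Java Console folders, i.e. leftovers of older
                  JRE updates that the thread says can be deleted
    unrecognized: names that do not match the Java Console pattern at all;
                  these are reported, never treated as deletable
    """
    versions = {}
    unrecognized = []
    for name in folder_names:
        m = JAVA_CONSOLE_RE.match(name)
        if m:
            versions[name] = int(m.group("update"))
        else:
            unrecognized.append(name)
    if not versions:
        return None, [], unrecognized
    keep = max(versions, key=versions.get)
    stale = sorted(n for n in versions if n != keep)
    return keep, stale, unrecognized


def stale_from_javara_log(log_text):
    """Take the folder names out of the JavaRa error paths and classify them."""
    names = [
        path.replace("/", "\\").rsplit("\\", 1)[-1]
        for path, _ in parse_javara_log(log_text)
    ]
    return classify_console_extensions(names)


def scan_extensions_dir(extensions_dir):
    """Hypothetical helper: classify the real subfolders of a Firefox
    extensions directory (read-only; prints nothing and deletes nothing)."""
    names = [p.name for p in Path(extensions_dir).iterdir() if p.is_dir()]
    return classify_console_extensions(names)


if __name__ == "__main__":
    keep, stale, odd = stale_from_javara_log(SAMPLE_JAVARA_LOG)
    print("keep  :", keep)
    for name in stale:
        print("stale :", name)
    for name in odd:
        print("check :", name, "(does not match the Java Console pattern)")
```

Run it as-is to see the decision on the constructed log, or call `scan_extensions_dir(r"C:\Program Files\Mozilla Firefox\extensions")` on a Vista machine to apply the same rule to the real folder list before deleting anything by hand. The "keep" choice is made purely on the 4-digit update number, which matches the thread's instruction; it does not consult the installed JRE, so confirm that the highest-numbered folder really corresponds to the JRE you kept.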