Author Topic: HEUR/HTML.Malware found - what to do now?  (Read 22192 times)


Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #15 on: December 12, 2009, 09:54:19 PM »
OK..those are pretty big lists of what is not recommended because of the toolbar installations. Thanks for posting them. :)

I still need to know what IS recommended.  I feel like I am piling on so many kinds of protection that at some point they will begin eating each other. :D

So I need to know the best combination to go with.

Note: My specs list is now updated with the changes made in updating programs and extensions today.  The list dumper is showing those Java Consoles as extensions, but they are not in my extension manager, so I don't know how to disable the one Corinne mentioned.

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: HEUR/HTML.Malware found - what to do now?
« Reply #16 on: December 13, 2009, 02:27:51 PM »
Quote
I believe I have completed everything on the list, including the update to IE8. I figure I hardly ever use IE except to test things, so what could it hurt? And I think my husband has washed his hands of me after I decided to uninstall CA Security Suite anyway...
No A/V is perfect.  Malware evolves faster than detections can keep up.  That said, CA for Consumers has not passed recent VirusBulletin testing and CA Business failed the most recent test. http://www.virusbtn.com/vb100/archive/results?display=summary Then there was this situation in July: CA Antivirus Detected Windows System File as Virus.

Quote
o..one thing...I could not find Java Console 6.0.15 anywhere to disable.
I am going by what is listed at http://209.85.62.24/2/81/0/p153674/ComputerSpecs.txt.  Perhaps it would be wise if you ran JavaRa:  Please download JavaRa and unzip it to your desktop.

  • Double-click on JavaRa.exe to start the program.  (Windows Vista users Right-click JavaRa.exe > Select Run as Administrator)
  • Click on Remove Older Versions to remove older versions of Java.
  • A logfile will pop up. Please save it to a convenient location.

Quote
Found the post where you gave me some advice on this before and so have not proceeded with anything yet. (Except to download ZoneAlarm 9.1.007 from cnet.com.)
The last time ZoneAlarm Free was tested by Matousec, it failed the Firewall Challenge, getting only 11%, where Online Armor and Outpost consistently pass with high scores.

Quote
I feel like I am piling on so many kinds of protection that at some point they will begin eating each other. :D
Basic computer protection:
Antivirus
Firewall
Anti-malware (2) with 1 real-time protection

Surfing protection:
HOSTS File
NoScript
WOT

The recommended additions for "surfing protection" are due to your recent postings in which it appears you are hitting infected sites.  To be blunt, although we are happy to help, researching logs is a manual process and takes a considerable amount of time.  If you were to seek help at a local shop, it would likely cost you at least $75 just to walk in the door and they would likely just do a reinstall.  Seeing that you are repetitively getting infected means that your security needs significant boosting.



Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #17 on: December 13, 2009, 07:28:24 PM »
Thanks so much Corinne and everyone else who has been helping me.  I know I've been requesting help a lot recently and I deeply appreciate the time that has been spent trying to get me protected.

yes, that plugins list in the txt file was generated yesterday by the About Plug FireFox extension.  However, this is all that shows up regarding java in the extension manager:
http://img2.pict.com/04/50/18/2201566/0/plugins.png [before running Java-Ra]

and yes, I agree my security needs boosting, and it looks like I now do have everything in place that you recommended except to replace Windows Firewall with something else. So now I should go pick either Online Armor or Outpost firewall..... I guess I'll go research those some and then report back.

Again, thank you profusely for the help.  I get so lost in trying to figure out these security programs.  Here's the Java-Ra log.  Seems like I was just asked to  run this not too long ago...how could there be so many entries in that little bit of time? It's not like Java has been updated a bunch of times.   Wait--maybe because of the IE8 installation?



Edit Note by Corrine: Deleted previous date runs of JavaRa

JavaRa 1.11 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Dec 13 15:18:34 2009


Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #18 on: December 13, 2009, 07:47:59 PM »
Here is what my extension list dumper is showing after running Java-Ra:
I just figured out it would give me the plugins list too....so I will probably disable the About Plug extension and just use the InfoLister to get my current specs.

PLUG INS
Application: Firefox 3.5.5 (20091102152451)
Operating System: WINNT (x86-msvc)


December 13, 2009

Total number of items: 12

- Authorware Web Player 2004.0.0.1
- Java Deployment Toolkit 6.0.170.4 6.0.170.4
- Java(TM) Platform SE 6 U17 6.0.170.4
- Microsoft® DRM 9.0.0.4503
- Microsoft® DRM 9.0.0.4503
- Microsoft® Windows Media Player Firefox Plugin 1.0.0.8
- Mozilla Default Plug-in 1.0.0.15
- QuickTime Plug-in 7.6.4 7.6.4.0
- Shockwave Flash 10.0.42.34
- Shockwave for Director 11.5.2.602
- Silverlight Plug-In 3.0.40818.0
- Windows Media Player Plug-in Dynamic Link Library 3.0.2.629


EXTENSIONS:

December 13, 2009

Total number of items: 42

- AboutPlug 1.4
- Adblock Plus 1.1.2
- APNG Edit 1.5
- BBCode 0.5.3.1
- ChatZilla 0.9.85
- Clear Cache Button 0.8
- ColorZilla 2.0.2
- Compact Menu 2 2.3.3
- Copy Link Text 1.3.2
- Extension List Dumper 1.14.4
- Firebug 1.4.5
- Font Finder 0.5d
- Greasefire 1.0.4
- Greasemonkey 0.8.20091209.4
- InfoLister 0.10.1
- InFormEnter 0.5.5.5
- Java Console 6.0.15
- Java Console 6.0.17
- JustSmile 1.4.1
- MeasureIt 0.3.9
- NoScript 1.9.9.18
- NoSquint 2.0.3
- Open in Browser 1.6
- Palette Grabber 0.4.1
- Paste Quote 0.3.4
- pict.com Uploader 1.2.5
- QuickNote 0.6.0.4
- ReminderFox 1.9.5
- Save File to 1.4
- Screenshot *** 1.52
- Stop Autoplay 0.7.6
- Stylish 1.0.7
- Text Link 3.1.2009110201
- Textarea Cache 0.5.5
- TinyPaste Uploader 1.0.2
- TinyURL Generator 1.0.12
- UpDown 1.1.3
- Vacuum Places Improved 1
- WeatherBug 2.0.0.4
- WOT 20091028
- Yahoo! Mail Notifier 1.0.0.19
- YouTube to MP3 1.0.5
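The leftover Java Console 6.0.15 beside 6.0.17 in the list above is exactly the kind of stale entry the thread is hunting. The script below is an added example, not part of any post in this thread: it parses Extension List Dumper output and a JavaRa removal log (both sample inputs are constructed from entries shown in this thread) and reports any name listed with more than one version, plus what JavaRa removed and which JRE versions those removals correspond to.

```python
import re
from collections import defaultdict

# Constructed sample in Extension List Dumper format, abridged from the list
# posted above; the two Java Console entries are the stale-version case.
DUMPER_OUTPUT = """\
- AboutPlug 1.4
- Java Console 6.0.15
- Java Console 6.0.17
- NoScript 1.9.9.18
- Compact Menu 2 2.3.3
- Font Finder 0.5d
"""

# Constructed sample shaped like the JavaRa 1.15 log posted in this thread.
JAVARA_LOG = r"""JavaRa 1.15 Removal Log.
Found and removed: C:\Documents and Settings\Helena\Application Data\Sun\Java\jre1.6.0_11
Found and removed: C:\Documents and Settings\Helena\Application Data\Sun\Java\jre1.6.0_15
Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}
"""

# "- Name Version": the name is everything before the last token that starts
# with a digit, so "Compact Menu 2 2.3.3" parses as ("Compact Menu 2", "2.3.3").
ITEM_RE = re.compile(r"^- (?P<name>.+) (?P<version>\d\S*)$")
REMOVED_RE = re.compile(r"^Found and removed: (?P<target>.+)$")
JRE_DIR_RE = re.compile(r"jre(?P<ver>\d+\.\d+\.\d+_\d+)$")

def version_key(version):
    """Compare numeric parts as ints ("6.0.17" > "6.0.15"); tolerate suffixes like "0.5d"."""
    parts = []
    for piece in version.split("."):
        digits, rest = re.match(r"(\d*)(.*)", piece).groups()
        parts.append((int(digits) if digits else 0, rest))
    return tuple(parts)

def parse_dumper(text):
    """Map each extension/plugin name to the list of versions listed for it."""
    items = defaultdict(list)
    for line in text.splitlines():
        m = ITEM_RE.match(line.strip())
        if m:
            items[m.group("name")].append(m.group("version"))
    return dict(items)

def stale_versions(items):
    """For names with more than one distinct version, the versions older than the newest."""
    stale = {}
    for name, versions in items.items():
        if len(set(versions)) > 1:
            newest = max(versions, key=version_key)
            stale[name] = sorted({v for v in versions if v != newest}, key=version_key)
    return stale

def parse_javara_log(text):
    """(kind, target, jre_version) per removal; kind is "file" for drive paths, else "registry"."""
    removed = []
    for line in text.splitlines():
        m = REMOVED_RE.match(line.strip())
        if not m:
            continue
        target = m.group("target")
        kind = "file" if re.match(r"^[A-Za-z]:\\", target) else "registry"
        jre = JRE_DIR_RE.search(target)
        removed.append((kind, target, jre.group("ver") if jre else None))
    return removed
```

Running stale_versions(parse_dumper(...)) on a full dump flags exactly the entries a reader should uninstall or disable; identical duplicate lines (such as the two Microsoft DRM plugin entries) are not flagged because they carry the same version.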

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: HEUR/HTML.Malware found - what to do now?
« Reply #19 on: December 13, 2009, 07:54:41 PM »
The log included previous runs.  However, you are running version 1.11, dated August 2, 2008.  Please launch JavaRa and select "Update JavaRa".  The current version is 1.14, dated May 27, 2009.  http://raproducts.org/javara.html




Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #20 on: December 13, 2009, 08:05:54 PM »
Did that but found nothing that said "update Java-Ra". Clicked 'search for updates'... said "you already have the latest JRE platform on this system".

So clicked the second update option which took me to this page:
http://java.sun.com/javase/downloads/index.jsp

I have no idea what I'm supposed to download there. Nothing says Java-Ra.  Help?

Edit: I guess I'm supposed to download from the raproducts.org site then.....
Downloaded... haven't installed yet because it says it is version 1.15 created 7/16/09. Is this right?

Offline winchester73

  • Half a bubble off plumb
  • Administrator
  • Hero Member
  • *****
  • Posts: 7332
  • Liverpool FC - YNWA
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #21 on: December 13, 2009, 08:12:35 PM »
Quote
Did that but found nothing that said "update Java-Ra". Clicked 'search for updates'... said "you already have the latest JRE platform on this system".

So clicked the second update option which took me to this page:
http://java.sun.com/javase/downloads/index.jsp

I have no idea what I'm supposed to download there. Nothing says Java-Ra.  Help?

On the main JavaRa screen, you'll see "Additional Tasks".  Clicking on that will reveal the update JavaRa option.

JavaRa is not a product from Sun, so you won't see a download link on the Java website.

Quote
Edit: I guess I'm supposed to download from the raproducts.org site then.....
Downloaded... haven't installed yet because it says it is version 1.15 created 7/16/09. Is this right?

I believe that version is beta, I'll go and check.  Use the internal updater within JavaRa to update the product.
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline winchester73

  • Half a bubble off plumb
  • Administrator
  • Hero Member
  • *****
  • Posts: 7332
  • Liverpool FC - YNWA
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #22 on: December 13, 2009, 08:23:53 PM »
From the link Corrine provided you:

JavaRa Version History
[15jul09] JavaRa 1.15 beta
- [fixed] JavaRa commandline issue
- [fixed] Small bug causing JavaRa to crash if no Java executable was found.

So, no, I would not recommend you install 1.15.

Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #23 on: December 13, 2009, 08:41:57 PM »
Well this is getting silly.

Thank you for telling me where to find the update Java-Ra link....that was my problem in the first confusion.

Did that, and it gave me a download which I unzipped and found was version 1.13. Hmmm. OK... so I did the same update check from that new download, and it gave me another download zip which turned out to be version 1.15. So I'm thinking, what the hell?

So I do it AGAIN....and this time the new download is still version 1.15.

So now what? Apparently the internal updater is not going to give me version 1.4 (haven't run anything yet)

[did I ever tell you about my family unluckiness curse?]

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: HEUR/HTML.Malware found - what to do now?
« Reply #24 on: December 13, 2009, 08:50:47 PM »
Try 1.15 and see what that does, please.  http://raproducts.org/purera.html shows it was released in July and still much newer than the version you had.  (Even the beta version would not have been an issue since you have a Java executable installed.)

(Edit note:  I see where it shows Beta now in the release notes. I suspect the developers forgot to remove that if that is what is included in the download.  That is the version I have run on my machines.)



Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #25 on: December 13, 2009, 08:58:33 PM »
JavaRa 1.15 Removal Log.

Report follows after line.

------------------------------------

The JavaRa removal process was started on Sun Dec 13 16:53:31 2009

Found and removed: C:\Documents and Settings\Helena\Application Data\Sun\Java\jre1.6.0_11

Found and removed: C:\Documents and Settings\Helena\Application Data\Sun\Java\jre1.6.0_13

Found and removed: C:\Documents and Settings\Helena\Application Data\Sun\Java\jre1.6.0_14

Found and removed: C:\Documents and Settings\Helena\Application Data\Sun\Java\jre1.6.0_15

Found and removed: SOFTWARE\Microsoft\Active Setup\Installed Components\{08B0E5C0-4FCB-11CF-AAA5-00401C608500}


Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: HEUR/HTML.Malware found - what to do now?
« Reply #26 on: December 13, 2009, 09:24:27 PM »
Excellent.  Now, let's see how things go. 

As to firewalls,

Online Armor Free has setup instructions at http://www.tallemu.com/webhelp3/Welcome.html .  Additional help is available at the support forums:  http://support.tallemu.com/vbforum/.

See the guide at http://www.outpostfirewall.com/guide/index.htm for Outpost Free Firewall.  The Outpost FREE FAQ is located at the support forum here: Outpost Users Support Forum



Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #27 on: December 13, 2009, 09:59:32 PM »
From reading over the information at those sites, I'm more inclined towards the Online Armor firewall. It seems simpler, which is a good thing for me.

Especially after reading some of the FAQs at Outpost like this one:

Quote
Outpost Free was released before Windows XP and has not been updated for it - there is therefore a possibility that it will cause problems (including blue screen crashes) with Windows XP

although a more recent post says it supports Windows XP... also the warning that if there is a crash it has to be completely reconfigured, so users are instructed to make regular backups. I don't think this kind of high-maintenance stuff is for me.

I also like that Online Armour will disable the Windows Firewall for me, so I don't have to figure out when is the best time to do that.     I do have a question about how to disable Avira though, as the installation instructions say that you should disable your antivirus program during the install process.

Could you give me some help on that?  I can't find a complete disable switch--only for the real-time Guard on Avira.

Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
    • View Profile
Re: HEUR/HTML.Malware found - what to do now?
« Reply #28 on: December 13, 2009, 10:26:31 PM »
Secunia just gave me a message I've never gotten before. It is telling me that IE8 is completely patched, but still insecure and there is no solution and I should disable or uninstall. (which I guess is the same thing with IE) 

http://img2.pict.com/97/7c/ab/2202538/0/12132009181300.png

http://secunia.com/advisories/24314/  says that it is because of a cross-scripting vulnerability.  If I understand NoScript right, I should be protected against that, right? So I can ignore the Secunia dire warning?


still trying to figure out how to disable Avira.....no luck yet

On the Online Armour firewall,  can I check "trust everything on my computer' on the Safety  Check Wizard since we have just cleaned it all up?  Or should I run the wizard?

Offline Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: HEUR/HTML.Malware found - what to do now?
« Reply #29 on: December 13, 2009, 10:34:25 PM »
As you will note, IE7 has the same vulnerability.  Just leave IE8 installed and continue using FF with NoScript.

Search results are injected with all kinds of nasty goodies.  In addition, there are numerous websites infected with SQL injections (as evidenced by just one example of the 318x.com iframe injection 318x SQL Injection Claims 125,000+ and 318x Compromises Bigger on Yahoo).

