Author Topic: HEUR/HTML.Malware found - what to do now?  (Read 22193 times)


Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • Security Garden
Re: HEUR/HTML.Malware found - what to do now?
« Reply #30 on: December 14, 2009, 12:23:18 AM »
Quote
On the Online Armor firewall, can I check "trust everything on my computer" on the Safety Check Wizard since we have just cleaned it all up? Or should I run the wizard?

Sorry, I missed that question.  Yes, you should be fine clicking the trust option.  As the on-line tutorial indicates, "Most users will not need to configure many, if any, of the sections below."

To disable Avira, navigate to the system tray in the bottom right-hand corner and look for an open white umbrella on a red background:
  • Right-click it -> untick the option AntiVir Guard enable.
  • You should now see a closed, white umbrella on a red background


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline pastywhitegurl

  • Hero Member
  • *****
  • Posts: 1127
  • advanced techno feeb
Re: HEUR/HTML.Malware found - what to do now?
« Reply #31 on: December 14, 2009, 01:05:29 AM »
Thank you. On the umbrella thing, I wasn't sure if that disabled the Avira program or just the realtime protection and there was some other switch for the whole thing somewhere.

OK, I am planning to do this installation tomorrow when I can give it my full attention (and not visit any new sites between now and then except to read up on the Online Armor tutorials). I think I will go make a new system restore point now just to have an extra one before I start.

I plan to turn off Live Messenger during the installation, but what about SpywareBlaster? It says it is active even when the program is not running. Should I disable all protection and close the program during the firewall installation?

Online Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #32 on: December 14, 2009, 01:33:05 PM »
It is a smart move to make a new restore point prior to installing any software.

Yes, turn off Messenger and any other programs running while installing the new firewall.  SpywareBlaster will be fine though as you will not have a browser open and will not be surfing the net at the time.



Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #33 on: December 14, 2009, 02:30:57 PM »
Thank you so much for the information. I think I followed all installation instructions and recommendations correctly.
 
I have just finished installing Online Armor Free 4.0.0.15, which I downloaded from cnet.com, and everything went pretty well. It did turn off Windows Firewall as promised. I'm not understanding why they need 2 task bar icons as both have the same right click menu, but oh well.

I allowed everything and so far have only gotten one popup asking about an extra .exe file I have installed to enhance GIMP  (which I recognized and allowed).   So this has gone so much more easily than the ZoneAlarm installation ...and the CA firewall was just a nightmare, don't even get me started....  I was offered a half price deal on the paid version  of OA if I buy it in the next 5 days  ($10 instead of $20) and I'm seriously considering that as I really like the idea of the banking mode protection.

I have a question about my start up menu.  On setup, I saw a huge list on there of start ups that I only use occasionally, like QuickTime and some of the office applications.   None of these appear in my start folder, so that surprised me.   To disable these programs from loading when Windows starts, should I block them in the firewall? or is there a better way to do that? And I'm also wondering why aren't they listed in my startup folder?

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #34 on: December 14, 2009, 02:45:37 PM »
Another question after the edit permissions expired...

In the Safety Check Wizard > Options, there was a tickbox for "enable multi desktop support". I do use a little application that lets me view multiple desktops, though not true extra desktops as I can't run a duplicate browser session on the extra ones. Should I have that box ticked or no?
 

OMGosh!  I just noticed my sound icon is now restored to the right side of the task bar!  OA has apparently healed Windows.   *genuflects*

Online Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #35 on: December 14, 2009, 03:32:59 PM »
I prefer to use WinPatrol to control start-up programs.  It is safe and works with all versions of Windows:  http://www.winpatrol.com/features.html

Sorry, I have no idea about the multi-desktop feature. 



Offline winchester73

  • Half a bubble off plumb
  • Administrator
  • Hero Member
  • *****
  • Posts: 7332
  • Liverpool FC - YNWA
Re: HEUR/HTML.Malware found - what to do now?
« Reply #36 on: December 14, 2009, 03:38:20 PM »
This is a good reference for startup programs:  http://www.sysinfo.org/startuplist.php

Be certain to click on the blue Content and Info links, and read them before going any further.

http://www.pacs-portal.co.uk/startup_content.php

http://www.sysinfo.org/startupinfo.html
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #37 on: December 14, 2009, 03:52:12 PM »
hmmm...something is not right.  Pages are taking 30 seconds or more to load or not loading at all.
Was trying to get to my account on Windows Live Messenger to see if I needed to update, can't access my account, although I can log in.  Other sites equally problematic.

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #38 on: December 14, 2009, 05:44:14 PM »
Loading problems are persisting. Sites do eventually load but the loading activity icon in the tabs keeps going for minutes. I thought maybe it was just coincidental with a slow period from my ISP, and have done a couple of reboots. No change. I have to assume it is something happening from the new firewall. This is not acceptable. What should I check?

Online Corrine

  • The Mystical Rose
  • Administrator
  • Hero Member
  • *****
  • Posts: 20213
  • "Stronger than the past, united in our goal."
    • View Profile
    • Security Garden
Re: HEUR/HTML.Malware found - what to do now?
« Reply #39 on: December 14, 2009, 05:58:31 PM »
Did you check anything with the "Safety Check Wizard"? If so, you need to unblock it. Since I do not personally use Online Armor, I suggest that the Online support forum would be the best place to get assistance. Otherwise, uninstall OA and see if everything returns to "normal" and consider Outpost (being sure to read the instructions previously linked).



Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #40 on: December 14, 2009, 06:07:37 PM »
On the safety check wizard I went back and saw that  I did change one setting for an application that it didn't recognize to "ask".  But nothing has been blocked.

I will take further questions to the support forums. 

*wanders off muttering my best Nancy Kerrigan impression.......  'why MEEEEEE?'..... *

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #41 on: December 14, 2009, 06:52:58 PM »
Reading the Online Armor FAQs... recommended uninstalling and re-install as a first attempt at any issues after cleaning up remnants of any previously installed firewalls. I did uninstall, and my computer is back to its normal speed again.

I noticed on my previous HijackThis logs that I have a couple of CA entries.  I also had Zone Alarm installed for a while, but neither has a folder left over in my program files.  Not sure how to look for other remnants. Will do some google searches later and see if I can figure it out.


Online Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #42 on: December 14, 2009, 07:13:28 PM »
For CA remnants, see the following.  Note that clicking the links provides both instructions and the download tool:

Computer Associates 2007/2008 (all products), see the instructions and download the SupportBridge tool at https://remoteassist.ca.com/supportbridge/jsp/selfserve/processScriptRequestOwnWindow.jsp?divisionID=7&scriptID=179

Computer Associates 2009 (all products), see the instructions and download the SupportBridge tool at https://remoteassist.ca.com/supportbridge/jsp/selfserve/processScriptRequestOwnWindow.jsp?divisionID=7&scriptID=259

ZoneAlarm Removal Tool (Direct link):  http://download.zonealarm.com/bin/free/support/cpes_clean.exe



Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #43 on: December 14, 2009, 07:44:00 PM »
Thank you Corrine. All I had found so far was advice to reinstall them and then uninstall them. This seems like a much simpler solution.

I'll work on it. :)

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #44 on: December 14, 2009, 08:31:19 PM »
As usual, things are not what they seem...

Downloaded and ran the CA utility for 2007-2008. Ran and took about 10 minutes listing tons of files. I recognize the couple that I had seen in the HijackThis logs. Required reboot when done. Did that. Still see these two files in the HJT logs:
http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000}

Then ran the second CA utility for 2009. Here's where I had a problem. A popup appeared saying someone from CA would take over my desktop and gave me a permission option to proceed. Since the download was named "selfserve process script request" like the first one, and not expecting anything like this, I did not give permission, just exited the program until I could ask about it. This screen came up in my browser afterwards: http://tinypaste.com/4799d

Third utility (for Zone Alarm) did not run because it said "failed to start VSUTIL.dll not found" and recommended to reinstall the application (the ZA firewall program, I presume). Here is a screenie:
http://img2.pict.com/ea/96/2b/2210555/0/800/12142009161021.png
Then when I tried to exit, it rebooted my computer even though no changes had been made.