Author Topic: HEUR/HTML.Malware found - what to do now?  (Read 22198 times)


Offline Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #45 on: December 14, 2009, 08:41:00 PM »
The O16 entries are "Downloaded Program Files".  Go to your download folder and delete the CA installer (and any other old downloaded program files you no longer need ;) ).


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #46 on: December 14, 2009, 09:21:55 PM »
There was no CA installer in my Downloads file...but there was some other junk I got rid of  :) . I'm sure I installed CA from a CD. Don't know where else to look for an installer....

Now about the 2009 uninstaller for CA and the ZoneAlarm uninstaller that didn't run? 

(repasting since we are on a new forum page)
Quote
Then ran the second CA utility for 2009.  Here's where I had a problem.  A popup appeared saying someone from CA would take over my desktop and gave me a permission option to proceed.  Since the download was named "selfserve process script request" like the first one, and not expecting anything like this, I did not give permission, just exited the program until I could ask about it. This screen came up in my browser afterwards: http://tinypaste.com/4799d

Third utility (for Zone Alarm) did not run because it said "failed to start VSUTIL.dll not found" and recommended to reinstall the application. (the ZA firewall program I presume)   Here is a screenie:
http://img2.pict.com/ea/96/2b/2210555/0/800/12142009161021.png
Then when I tried to exit, it rebooted my computer even though no changes had been made.

Offline Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #47 on: December 14, 2009, 10:48:13 PM »
Presumably, you don't have any ZA remnants then. As to CA, do this then:

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab


Click on Fix Checked when finished and exit HijackThis.


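As an added example (not part of the original post, and not code from HijackThis or its authors): a small Python check that lists the O16 - DPF entries in a saved HijackThis log and confirms that the ticked items are exactly the ones whose codebase is on ca.com. Apart from the two CA lines quoted in the reply above, the sample log is constructed; the function names and the optional "(Name)" field are assumptions.

```python
import re
from urllib.parse import urlparse

# O16 line layout as shown in the post: O16 - DPF: {CLSID} (Name) - codebase URL
# The "(Name)" part is treated as optional (assumption: unnamed controls omit it).
O16_RE = re.compile(
    r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]{36}\})"
    r"(?: \((?P<name>.*?)\))? - (?P<codebase>\S+)\s*$"
)

# Constructed sample log: only the two CA lines come from the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000000-0000-0000-0000-0000000000AA} - C:\\example\\helper.dll
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {00000000-0000-0000-0000-0000000000BB} - http://downloads.example.com/viewer.cab
"""

def parse_o16(log_text):
    """Return one dict per O16 (Downloaded Program Files) line in the log."""
    entries = []
    for line in log_text.splitlines():
        m = O16_RE.match(line.strip())
        if m:
            host = (urlparse(m["codebase"]).hostname or "").lower()
            entries.append({"clsid": m["clsid"].upper(), "name": m["name"],
                            "codebase": m["codebase"], "host": host})
    return entries

def entries_for_vendor(entries, domain):
    """Entries whose codebase host is the domain itself or a subdomain of it."""
    domain = domain.lower()
    return [e for e in entries
            if e["host"] == domain or e["host"].endswith("." + domain)]

def check_selection(entries, domain, ticked_clsids):
    """Compare the ticked CLSIDs with the vendor's O16 entries before fixing."""
    expected = {e["clsid"] for e in entries_for_vendor(entries, domain)}
    ticked = {c.upper() for c in ticked_clsids}
    return {"missed": sorted(expected - ticked), "extra": sorted(ticked - expected)}

if __name__ == "__main__":
    found = parse_o16(SAMPLE_LOG)
    for e in entries_for_vendor(found, "ca.com"):
        print(e["clsid"], e["name"], e["codebase"])
```
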

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #48 on: December 14, 2009, 11:59:36 PM »
Very carefully did the two item fixes in HJT.    So now I think I am ok to try re-installing the Online Armor FWall. I'll report back in after I try again tomorrow. Thanks for sticking with me!

Offline Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #49 on: December 15, 2009, 12:12:02 AM »
Don't forget to create a fresh restore point before installing.



Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #50 on: December 15, 2009, 02:51:11 PM »
Success.

Reinstalled Online Armor using a fresh download. So far so good. No slow down at regular sites like yesterday, although the problem didn't start right away after first install either, so we'll see how today goes.  That first CA uninstaller pulled up hundreds of files.....hopefully getting rid of those was the solution.   The documentation for Online Armor (as opposed to Outpost) seems so much more thorough and aimed at basic user....so that is the reason I wanted to try this again rather than just chuck it and go with the other firewall.    I still suspect my ISP as later in the evening, after I had uninstalled OA and was humming along, I experienced the same kind of slow down for an hour or two and then all of a sudden, there was an immediate return to normal loading speeds.

If this turns out well, I think my next install will be WinPatrol mainly so I can get some control over my start menu.  I would like to be able to disable some programs from starting with Windows, but still be able to call them  up when needed, and I haven't been able to do that yet.   After reading through the articles Paddy posted, it seems cleaning that area up would be a good idea.

Offline Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #51 on: December 15, 2009, 04:28:21 PM »
I think your suspicions are correct and that the slow-down can likely be attributed to your ISP.

Personally, along with an antivirus software, WinPatrol is the first software I install on my computers.  It does so very much more than monitoring start-up programs.  Bill's blog is here:  Bits from Bill (BillP Studios).



Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #52 on: December 16, 2009, 02:32:37 PM »
Day two and all seems well.  I had a couple issues with not being able to view flash content last night that I sorted out with adding an exception for the item in question (a flash chat I have installed on my message board)  to my browser settings. Don't really understand that though.  Would that have been a firewall issue? I couldn't find anywhere to deal with that in the firewall options.

So since it's all good at the moment,  today I installed WinPatrol.  It was an amazingly easy and fast install. Didn't expect that.  It's funny how Scotty woofs whenever you open something.  :D  I'll have to spend some time reading the help files to study up on how to use it though.  Especially the stuff about IE helpers and Active X.  My start menu actually looks fairly lean, but there's quite a few entries there that I have no idea what are. 

So, I think for now I am good and will take some time investigating and getting used to these  new defense programs before delving into any further issues ( which of course you know I seem to always have some. :D )   First task..update my computer specs file with the new additions. :)

Many thanks for all the time spent helping me clean up and fortify, Corrine, Winchester and Paddy.  You guys are the best. 

Offline winchester73

Re: HEUR/HTML.Malware found - what to do now?
« Reply #53 on: December 16, 2009, 04:29:01 PM »

Quote
My start menu actually looks fairly lean, but there's quite a few entries there that I have no idea what are.

http://www.landzdown.com/index.php?topic=38779.msg119803#msg119803   :D
Speak softly, but carry a big Winchester ... Winchester Arms Collectors Association member

Offline Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #54 on: December 16, 2009, 05:15:13 PM »
Quote
So since it's all good at the moment,  today I installed WinPatrol.  It was an amazingly easy and fast install. Didn't expect that.  It's funny how Scotty woofs whenever you open something.  :D  I'll have to spend some time reading the help files to study up on how to use it though.  Especially the stuff about IE helpers and Active X.  My start menu actually looks fairly lean, but there's quite a few entries there that I have no idea what are.

In addition to the links provided by Winchester73, down the road consider upgrading to WinPatrol PLUS (not a subscription but a one-time payment, lifetime license that you can use on future computers), which will provide access to the WinPatrol PLUS Knowledgebase as well as real-time infiltration protection (different from anti-malware real-time programs) and increased performance.  Keep an eye out.  BillP frequently offers a $10 discount off the regular $29.95 price.



Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #55 on: December 16, 2009, 06:11:40 PM »
Yes, although I looked over those start menu articles when they were posted, I need to go back and study them now that I can easily do something about them.  I have a LOT of reading to do.

I think my first upgrade will be the Online Armor one so that I can get the banking protection. Those couple of latest infections really spooked me. 

 I'll watch for the special on WinPatrol.

Offline pastywhitegurl

Re: HEUR/HTML.Malware found - what to do now?
« Reply #56 on: December 19, 2009, 09:34:38 PM »
I found the cause of the slow down. I'll document here to help anyone else that goes through this.

It was because of corrupted cookies I had not allowed to be deleted for a long time.  I had no issues with keeping cookies until I started this firewall installation thing, but who knows what happened.  Maybe it happened on a system restore that I made while being frustrated with the installation. (I uninstalled and reinstalled a couple of times.)  Also, something else weird happened because when I was looking for remnants, I found 3 folders copied from my bookmarks toolbar sitting under C:\ drive which were trying to load every time I clicked on a new page.  Getting rid of those helped some but not totally. Things kept getting slower and slower until finally I was getting the 404 error about "Bad Request Your browser sent a request that this server could not understand." I found a suggestion that it might be a cookie issue.  After I wiped cookies from each site where I was experiencing slow loading, everything returned to normal load times...maybe even faster than normal.

Online Armor is great now that I got it installed properly, and is playing nicely with Avira and WinPatrol.  I love the WOT add-on. It has made me much more careful about clicking search links.   NoScript I am still struggling with because the cross-scripting block is keeping me from accessing database features on two trusted daily sites that use JSON scripting.   There is no way to make individual cross-scripting exceptions in the option, but I think there is a bit of code I can add to whitelist those two sites from the cross-scripting blocks. Until I can figure it out, I have NoScript turned off.  I will continue to pursue getting it to accommodate though, because I know it heads off a lot of stuff.

Thanks again for help here. The people at Online Armor are terrific too.  They respond nearly as quickly and thoroughly as y'all do. 

Offline Corrine

Re: HEUR/HTML.Malware found - what to do now?
« Reply #57 on: December 19, 2009, 10:26:05 PM »
Excellent detective work! 



Offline winchester73

Re: HEUR/HTML.Malware found - what to do now?
« Reply #58 on: December 20, 2009, 12:41:07 PM »
Glad you got everything sorted out ...  :mitch: