malware has hijacked my home page - help please

Started by pastywhitegurl, December 26, 2013, 04:04:10 PM


Corrine

Looking at the restore points in your log, that would be the best one.  You'll need to reinstall KB952011.  You replied with the restore failure as I was about to post.  :(  I'm afraid you're going to need to try another restore point and see what works. 

Although I'm sure you're aware of the approaching April 8th end of support for Windows XP, I don't want to take a chance and not call it to your attention.   (The Countdown Begins: Support for Windows XP Ends on April 8, 2014 - Microsoft Security Blog - Site Home - TechNet Blogs)


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

pastywhitegurl

Alright. I guess I'll just work out  a couple of restore points from there.  If I'm successful, I'll run the Adwcleaner again and then bring a report here.

Yes, I am aware of the end of life date for XP. I've talked with my honey about it, and he seems to think it may get some support after that time because government centers still are using it, and he wants to wait and see what happens.

pastywhitegurl

:(   I tried about 6 different restore points from a day before my created point to this morning.  All failed.

I guess I'm stuck with reconfiguring my extension and browser preferences.  The worst part of it will be re-establishing my allowed list for NoScript.  But so far, I haven't encountered any other problems.

Corrine

Since you're using Freebyte Backup, can you restore the Firefox folder from the backup?  MikeW may be able to help if you have questions.

As to extended support for Windows XP for home computer users, the OS will be 13 years old.  Microsoft has provided this page for Enterprise customers:  http://www.microsoft.com/en-us/windows/enterprise/endofsupport.aspx



pastywhitegurl

That would have been a great idea had I backed up that file, :(  but I only backed up documents and pictures and a few edited music tracks. I do have an old prefs.js file from 2009. But I don't think that would be much help for now.

Why did none of my restore points work? Do you have any idea?

Corrine

Ok, let's try a couple of things.

First, make sure the Service is running:

  • Click Start, click Run, and then type compmgmt.msc in the Open box, and then press Enter.
  • Expand Services, and then click System Restore Services.
  • If the Status of System Restore Service is not Started, click Start on the toolbar to start it.

Second, try System Restore in Safe Mode:

  • Restart the computer and when you see anything on the screen, start tapping the F8 key on your keyboard.
  • Select Safe Mode, and then press ENTER. As files load they will scroll down the screen.
  • Click No in the safe mode information screen to start System Restore.
  • Select Restore my computer to an earlier time, and then click Next to proceed to select a date with restore points available.
  • Click Next to begin restoring the system to a previous state.



pastywhitegurl

I did the first part and the service was started and was running.

For the second part,  how will I get out of safe mode?   Will that happen automatically after the system restore processes?

(BTW, a system restore box did come up and  it did seem like it was restoring. It even seemed to continue to completion on several of the attempts I made, but each time ended with a panel that said the restore could not be done and no changes were made to the computer.  So it did at least act like it was doing something.)

Should I try the same restore points again? (Sorry for all the questions, but I don't want to mess up.)

Corrine

I would try the complete restore points, starting with the one prior to installing the video editor:

RP2166: 12/24/2013 11:28:41 PM - before installing video editor
RP2167: 12/24/2013 11:37:25 PM - Installed Windows XP --  Software Updates KB952011

For System Restore to work, it will restart your computer.  When it restarts, start in normal mode. 



Corrine

There is something I forgot about that may fix the problem with extensions.  JRT exports the registry with ERUNT prior to making changes.  So, if System Restore has not worked, you can restore the registry to the point prior to running JRT.

From the ERUNT help file, http://www.larshederer.homepage.t-online.de/erunt/erunt.txt

Quote
Restoring the registry with ERDNT
---------------------------------

Situation: Windows is running normally.

To restore a previous registry backup, open Windows Explorer, navigate
to the folder where you saved the backup to, and double-click the
ERDNT.EXE file to start the restoration program. (Each restore folder
has its own copy of ERDNT.EXE in it.) Select which registry components
to restore, then click "OK" to start restoration. When the process is
complete, click "OK" to restart the computer and activate the restored
registry.

The registry backup is located at C:\Windows\ERUNT\JRT



pastywhitegurl

Oh, thank you for that.

I have been putting off the restore while I did some backing up. I have now installed FEBE extension to back up my Firefox profile.

I haven't deleted temporary files since either, so one thought I had was possibly the prefs.js file may be in there somewhere.

I like the idea of the ERUNT restore though...especially the part about "select which components to restore".  I'll explore that  later today.

pastywhitegurl

In the end, I decided to not try any more restores. I've reconfigured all my extensions, and everything else is working fine. I wonder if the reason my prefs.js file was deleted by the tool was because there really was something wrong in there. If so, it's better to just move on, I think.

My suspicion though is that it didn't like something about the Text Area Cache extension that I have installed, because while it was running, it was showing findings like "string too long", and the "bad" entries in the report included pieces of text that had been recently cached by the extension.

I think however, that the next few restore points I make, I will also make duplicates with ERUNT  in case there is something wrong with my Windows system restore.

Corrine

You may just be right about that extension.  I use Lazarus: Form Recovery :: Add-ons for Firefox.  The only change I've made from default settings is to limit the duration for saving forms.

You may also want to create a fresh restore point and clear the old points.  See this KB article on System Restore on XP:  How antivirus software and System Restore work together.  The same applies to an anti-malware program that scans System Restore points.  In particular note:
Quote
During a restoration, an active antivirus program scans for infected files. If the antivirus program detects any infected files, the antivirus program tries to modify, move, or delete the infected files. If the antivirus program successfully cleans the infected files, System Restore restores the cleaned files. However, if the antivirus software cannot clean a file, the antivirus software deletes or quarantines the file. As a result, the restoration does not work because these actions to the file cause an inconsistent restoration state.

First, create a fresh restore point:

1.  Click Start, click All Programs, click Accessories, click System Tools, and then click System Restore.
2.  Click Create a Restore Point, and then click Next.
3.  Name your restore point. (i.e., clean)
4.  Click the Create button.
5.  When the new restore point has been created, click Close.

Now select the files to be removed as well as all but the new restore point:

  • Click start-->Run and type cleanmgr into the run box and then click "OK".
  • Select the drive where Windows is installed (if you have more than one drive) and click "OK".
  • When the scan completes, check/uncheck desired boxes.
  • Next, please click the More Options tab at the top.
  • Click the "Clean up..." button under the System Restore section at the bottom.
  • Answer Yes to the question "Are you sure you want to delete all but the most recent restore point?".
  • Click OK and answer Yes again.

The disk clean up utility will remove any items you select, although you can just use it to remove the old restore points.  When it completes, please restart the computer to properly record the changes made to the hard disk.



pastywhitegurl

Did the follow up cleanup as suggested.

I don't know exactly what was accomplished, but I'm kind of glad I didn't try to revert to the earlier state.  Everything is running smoother than previously and page loads are lightning fast now.  And after this last regular monthly Windows update and reboot, my taskbar is normal and not messed up.  Even MSE booted without having to reset the real-time protection.

So yay.  And thanks so much again for all your patient help, Corrine!

Corrine

You're welcome.  I'm happy I was able to help.

Although I'm sure you've heard, it needs to be repeated as a reminder:  On April 8, 2014, Windows XP will be reaching its end of life.  That means that Microsoft will not be releasing any additional security updates for Windows XP, regardless of any new vulnerabilities.  My best advice is to start saving for a new computer so that you will be in a position to replace this one sooner rather than later.  In the meantime, it will be more important than ever to keep any Adobe products (Adobe AIR, Adobe Reader and Adobe Flash Player) as well as Oracle Java updated. 

Due to a recent change in policy, Microsoft has elected to make Microsoft Security Essentials definitions available until July 15, 2015 (See Microsoft antimalware support for Windows XP).



pastywhitegurl

Hmm, so the extensions are beginning for good ol' XP. :)

I've heard some talk that some other company may take over the updating and fixes for XP once Microsoft discontinues their own support.  That might just be for government or organizational set ups though.

It would be nice to have an up-to-date system though.  I'm sure we'll do what we have to when the deadline is unavoidable.