FakeSysDef


16 replies to this topic

#1 mdavison

Posted 19 July 2011 - 05:41 AM

Hello,
About a week ago I caught this scanner and I was much guided by the content on this site on how to clean-up my laptop.
I summarise my diary of the clean-up.
120711 Caught it.
Ran MSE full scan. That found and removed/quarantined Trojan Downloader: Java/Open Connection.NV, VirTool:Win32/Obfuscator.QE.
Tried to run F-secure Online Scanner, error id:1004 and stopped.
Ran MSE full scan. That found and removed/quarantined Trojan:Win32/FakeSysDef, Trojan: Win32/Alureon.EN.
Downloaded Malwarebytes and ran QuickScan Trial. That found 5 items.
Ran full scan.
Downloaded Microsoft Safety Scan, found laptop switched off.
Launched Trend Micro Housecall short scan and then long scan, nothing found.
Download prevx.
Then found favourites empty, files empty, shortcuts empty.
130711 Downloaded and ran full scan MS MRT, clean.
Ran prevx, nothing found.
Turn on smart screen filter.
UAC is already set to top level of security.
140711 Changed hidden attribute, disclosed 'missing files'.
150711 Ran MSE full scan, clean.
160711 Ran MSE full scan, clean.
170711 Decided to be more organised as exhausted reading internet advice.
Created manual register restore point.
Malwarebytes blocked access to 208.87.149.250, port 49467, process: iexplore.exe.
Searched for and found smtmp 1,3 & 4.
Downloaded to desktop; unhide, systembook, rkill, Malwarebyte's MBAM, defogger, DDS, GMER, Secunia, prevx, MRT.
180711 Exported copy of registry to thumbdrive.
Disconnect internet.
From desktop as admin ran DDS, defogger, GMER, rkill, Rootkit Revealer clean, Malwarebyte's MBAM full scan, MRT full scan, prevx new scan, Secunia found 3 legacy & 3 not updated, ran unhide 3/4 times as it reported c:/ and d:/(restore copy) and then parse error in D:/ turned off all security except prevx still same.
Checked Start Menu, looks as though all the short cuts have come back and also in All Programs.
Googled for backup of System Restore, to copy to thumb drive, no success.
F-secure responded about error. Ran F-secure it found Gen: Trojan.Heur.JP. F-secure suggested running with virus checker turned off, only if unconnected to internet, not easy with online scanner.
190711 Installed Windows 7 Firewall control to help catch outgoing calls.

February 2011, laptop crashed after being left with open GoogleMail window. Couldn't recover so installed Windows 7. Seemed to run quicker than before on Vista.
Since about the beginning of April 2011 had experienced erratic pop-ups of ie that Adobe wanted to open up. Mostly on bank or financial websites. Reset IE and ran MRT, sometimes that seemed to reduce the pop-ups.
Today still not using bank websites, financial websites don't seem to have adobe popup for the last few days and the laptop seems to be running quicker.

When I think the laptop is clean I shall remove everything except MSE.
Questions:
1. Any other software I should consider installing or running to clean-up?
2. Do I need to delete anything from the registry or system files?
Thank you and regards
mdavison

Edited by Budapest, 20 July 2011 - 04:48 PM.
Moved from Virus, Trojan, Spyware, and Malware Removal Logs ~Budapest
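The diary above describes the classic FakeSysDef symptom: Favourites, documents and Start Menu shortcuts looked "empty" because the rogue set the Hidden attribute on the user's files, and they reappeared once the attribute was cleared (the unhide tool mdavison ran does exactly that). The following script is an added example, not code from the thread or from any of the tools mentioned in it. It lists hidden files under a profile, summarises them per folder so a wholesale "hide everything" stands out from the handful of files Windows hides by design, and clears only the Hidden bit on request. It assumes an elevated PowerShell on the affected machine (written for the PowerShell 2.0 that ships with Windows 7); $Root defaults to the current user's profile, and nothing is changed unless results are piped to Clear-HiddenAttribute. Folders are deliberately left alone because some (AppData, for one) are hidden by design and need a manual look.

```powershell
# Added example (not from the thread): audit files carrying the Hidden attribute
# under a user profile and optionally clear that bit.
# Assumptions: elevated PowerShell on the affected machine; $Root is the profile to check.

function Get-HiddenUserFiles {
    param([string]$Root = $env:USERPROFILE)
    # -Force makes Get-ChildItem return hidden and system items too.
    # Files Windows hides itself (desktop.ini, thumbs.db, NTUSER.DAT*) are skipped.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object {
            (-not $_.PSIsContainer) -and
            (($_.Attributes -band [IO.FileAttributes]::Hidden) -eq [IO.FileAttributes]::Hidden) -and
            ($_.Name -notmatch '^(desktop\.ini|thumbs\.db|ntuser\.)')
        }
}

function Get-HiddenFileSummary {
    param([string]$Root = $env:USERPROFILE)
    # Count per folder: a rogue that hid everything shows up as whole folders of
    # hidden files, whereas a normal profile has only a few scattered entries.
    Get-HiddenUserFiles -Root $Root |
        Group-Object -Property DirectoryName |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

function Clear-HiddenAttribute {
    # Clears only the Hidden bit; ReadOnly, Archive and the rest stay as they were.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(ValueFromPipeline = $true)][IO.FileInfo]$File)
    process {
        if ($PSCmdlet.ShouldProcess($File.FullName, 'Clear Hidden attribute')) {
            $File.Attributes = [IO.FileAttributes]([int]$File.Attributes -band (-bnot [int][IO.FileAttributes]::Hidden))
        }
    }
}

# Usage: review the per-folder summary first, then rehearse with -WhatIf before
# doing it for real.
Get-HiddenFileSummary | Format-Table -AutoSize
# Get-HiddenUserFiles | Clear-HiddenAttribute -WhatIf
# Get-HiddenUserFiles | Clear-HiddenAttribute
```

Running the summary before and after a cleanup also gives you a simple check that the infection is not re-hiding files: if the counts climb again after a reboot, something is still active.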


#2 Budapest

  • Moderator

Posted 20 July 2011 - 04:49 PM

Run another MBAM scan and post the log.
The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 mdavison

  • Topic Starter

Posted 21 July 2011 - 02:19 AM

Good morning,
1. Here is the log for the MBAM full scan run this am.

Malwarebytes' Anti-Malware 1.51.1.1800
www.malwarebytes.org

Database version: 7217

Windows 6.1.7601 Service Pack 1
Internet Explorer 8.0.7601.17514

21/07/2011 09:45:16
mbam-log-2011-07-21 (09-45-16).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 280021
Time elapsed: 46 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowCpl\1 (Malware.Trace) -> Value: 1 -> Not selected for removal.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

2. Protection Log 21.07.2011.

06:29:56 Michael MESSAGE Protection started successfully
06:30:02 Michael MESSAGE IP Protection started successfully
06:31:50 Michael MESSAGE Scheduled update executed successfully
06:32:42 Michael MESSAGE IP Protection stopped
06:32:44 Michael MESSAGE Database updated successfully
06:32:45 Michael MESSAGE IP Protection started successfully

3. I also have a screen grab of MBAM scan result, I do not know how to post it.

Thank you and regards
Michael J Davison
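The one hit in the MBAM log above is a registry value under Policies\Explorer\DisallowCpl, reported as Malware.Trace and left in place. That key is a legitimate Explorer policy ("Hide specified Control Panel items"); rogue security software sets it so the victim cannot reach the Control Panel to undo its changes, and a leftover entry keeps blocking applets after the rogue itself is gone. The script below is an added example, not from the thread or from Malwarebytes. It reports whether the restriction is switched on in HKCU and HKLM and lists the entries, and has a separate removal function that honours -WhatIf. It assumes a standalone home machine with no Group Policy (where no such entries should exist at all) and the PowerShell 2.0 shipped with Windows 7; the audit changes nothing.

```powershell
# Added example (not from the thread): report, and only on request remove, the
# Control Panel restriction policy that the MBAM log flagged as a Malware.Trace.
# Assumption: standalone home machine, no Group Policy managing these keys.

function Get-ControlPanelRestriction {
    # One result per hive: is the restriction enabled, and which applets are listed.
    foreach ($hive in 'HKCU', 'HKLM') {
        $policy = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        if (-not (Test-Path -Path $policy)) { continue }

        # DisallowCpl=1 on the Explorer key turns the policy on; the DisallowCpl
        # subkey holds the numbered list of Control Panel items to hide.
        $flag = (Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue).DisallowCpl
        $listKey = Join-Path -Path $policy -ChildPath 'DisallowCpl'
        $entries = @()
        if (Test-Path -Path $listKey) {
            $key = Get-Item -Path $listKey
            foreach ($name in $key.GetValueNames()) {
                $entries += "$name=$($key.GetValue($name))"
            }
        }
        New-Object PSObject -Property @{
            Hive    = $hive
            Enabled = ($flag -eq 1)
            Entries = ($entries -join '; ')
        }
    }
}

function Remove-ControlPanelRestriction {
    # Deletes the list subkey and the enabling value in one hive. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet('HKCU', 'HKLM')][string]$Hive = 'HKCU')
    $policy = "${Hive}:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
    $listKey = Join-Path -Path $policy -ChildPath 'DisallowCpl'
    if ((Test-Path -Path $listKey) -and $PSCmdlet.ShouldProcess($listKey, 'Remove key')) {
        Remove-Item -Path $listKey -Recurse
    }
    $props = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    if ($props -and $props.PSObject.Properties['DisallowCpl'] -and
        $PSCmdlet.ShouldProcess("$policy\DisallowCpl", 'Remove value')) {
        Remove-ItemProperty -Path $policy -Name 'DisallowCpl'
    }
}

# Usage: audit first; remove only once you are sure the entries are not yours.
Get-ControlPanelRestriction | Format-Table Hive, Enabled, Entries -AutoSize
# Remove-ControlPanelRestriction -Hive HKCU -WhatIf
```

On a domain-joined machine the same values can be legitimate and set by Group Policy, which is why the audit is kept separate from the removal; HKLM changes need an elevated prompt.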

#4 Budapest

  • Moderator

Posted 21 July 2011 - 04:18 PM

Don't worry about the screen grab for now.

Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

#5 mdavison

  • Topic Starter

Posted 22 July 2011 - 12:50 AM

Thank you.
1. SuperAntiSpyWare Free downloaded, installed, rebooted into Safe Mode, ran full scan.
2. Here is the log.

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/22/2011 at 07:44 AM

Application Version : 4.55.1000

Core Rules Database Version : 7443
Trace Rules Database Version: 5255

Scan type : Complete Scan
Total Scan Time : 00:44:20

Memory items scanned : 354
Memory threats detected : 0
Registry items scanned : 8973
Registry threats detected : 0
File items scanned : 105498
File threats detected : 95

Adware.Tracking Cookie
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\michael@2o7[1].txt
media.pcadvisor.co.uk [ C:\Users\Michael\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\VWV8278G ]
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@122.2o7[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@247realmedia[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@2o7[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ad.360yield[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ad.bodybuilding[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ad.e-kolay[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ad.reklamport[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ad.yieldmanager[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adbrite[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adform[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adinterax[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adlegend[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ads.bleepingcomputer[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ads.cnn[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ads.pointroll[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ads.shorttail[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adserver.adtechus[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adtech[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@advert.gittigidiyor[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@advert.uzmantv[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@advertising.ctcproductions.com[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@advertising[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adviva[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@adxpose[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@anrtx.tacoda[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@apmebf[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ar.atwola[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@associatedcontent.112.2o7[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@at-tantra-tantric-sex[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@at.atwola[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@atdmt[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@avgtechnologies.112.2o7[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@bs.serving-sys[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@burstnet[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@caloriecount.about[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@casalemedia[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@click.adpaths.co[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@collective-media[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@content.yieldmanager[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@content.yieldmanager[3].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@dmtracker[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@doubleclick[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@e-2dj6wblogoajieo.stats.esomniture[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@eas21.emediate[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@emails.incisivemedia[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@fastclick[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@gfi.122.2o7[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@highcountrygardens[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@imrworldwide[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@in.getclicky[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@insightexpressai[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@invitemedia[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@legolas-media[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@liveperson[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@liveperson[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@media6degrees[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@mediabrandsww[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@mediaplex[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@microsoftsto.112.2o7[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@mm.chitika[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@msnportal.112.2o7[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@newsletters.incisivemedia[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@o1.qnsr[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@paypal.112.2o7[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@pointroll[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@qnsr[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@questionmarket[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@revsci[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@ru4[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@server.iad.liveperson[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@serving-sys[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@smartadserver[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@solvemedia[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@specificclick[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@statcounter[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@statse.webtrendslive[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@tacoda.at.atwola[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@technologyquestions[3].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@track.adform[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@tracking.hostgator[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@tradedoubler[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@tribalfusion[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@www.burstnet[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@www.calorie-count[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@www.googleadservices[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@www.qsstats[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@www.qsstats[2].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@www.technologyquestions[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@xiti[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@yadro[1].txt
C:\Users\Michael\AppData\Roaming\Microsoft\Windows\Cookies\Low\michael@yieldmanager[1].txt

Trojan.Agent/Gen-IExplorer[Fake]
C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\RARSFX0\NIRD\IEXPLORE.EXE

Trojan.Agent/Gen-PEC
C:\USERS\MICHAEL\APPDATA\LOCAL\TEMP\RARSFX0\PROCS\EXPLORER.EXE

Thank you and regards
Michael J Davison

#6 Budapest

  • Moderator

Posted 22 July 2011 - 03:40 PM

So far we haven't really found much except what looks like the leftovers of the previous infections.

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Click Export, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Click the Back button.
  • Click the Finish button.


#7 mdavison

  • Topic Starter

Posted 23 July 2011 - 09:00 AM

Thank you.
1. Downloaded and ran ESET Online Scan, full scan with options set as noted.

Log record: EsetScan230711.

C:\Users\Michael\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\40\1b5acb28-6c88d835 probably a variant of Java/TrojanDownloader.OpenStream.NCC trojan deleted - quarantined

Thank you and regards
Michael J Davison.

#8 Budapest

  • Moderator

Posted 23 July 2011 - 04:04 PM

That looks fine. How's your computer running now?

#9 mdavison

  • Topic Starter

Posted 23 July 2011 - 11:06 PM

Good morning,

1. This am when switched on Action Centre reported 3 items, Turn On Windows Firewall (it already is), IE8 MS10-002 (updated MSE) and Backup (I do manual backups of files and learning how to do full backup/mirror images is on the 'todo' list).

2. Laptop seems to be running quickly and responsively, no incidence of IE Security window popup (this is long running maybe for 3 months and erratic incidence, some days clear, some days multiple popups) wanting to run Adobe Flashplayer (FlashUtil10t_ActiveX.exe) outside IE8, particularly on bank and financial services websites. Checked Task Manager FlashUtil10t_ActiveX.exe is running now.

3. Do I need to delete any Windows Registry Entries or System Files?
As belt & braces could I consider running all the checking software again?

4. Can you point me to a good source to configure W7 Firewall, I feel I need to learn in depth how to make it as difficult as possible for infection to take hold on this laptop.

5. Do you think I can use this laptop to access online bank accounts again?

Thank you and regards
Michael J Davison

#10 Budapest

  • Moderator

Posted 24 July 2011 - 05:13 PM

1. Do you mean that the Action Centre reports your firewall as off even though it is on?

2. FlashUtil10t_ActiveX.exe is the name of a legitimate process by Adobe. Let's try this:

Uninstall flash using the directions here: http://kb2.adobe.com/cps/141/tn_14157.html

Then reinstall flash here: http://get.adobe.com/flashplayer/

3. There is no need to delete any Windows Registry Entries or System Files other than what we have already removed with the various scanners.

4. http://windows.microsoft.com/en-US/windows-vista/Firewall-frequently-asked-questions

5. Let's try and sort out the firewall and flash problems first.

#11 mdavison

  • Topic Starter

Posted 25 July 2011 - 09:38 AM

Good afternoon,

1. I can't recall when I last saw the Action Centre popup after launching laptop.
Yesterday, the popup in the notification area on the taskbar, reported Windows Firewall as off. When I checked it reported it was on.
Just now, manually checked Action Center, only report is no backup. Checked Windows Firewall Home or work (Private) Networks, it is on.

2. Downloaded Flash Uninstaller and Installer to desktop.
Disconnected internet.
Checked Task Manager Processes, FlashUtil10t_ActiveX.exe is running.
Ran Uninstaller, FlashUtil10t_ActiveX.exe, no longer shown. Reconnected internet. Tested on some websites where popup had previously (up to 20 times) been a pest and no sign.
Ran installer from desk top as Administrator, unticked Chrome option, installed quickly.
Checked Task Manager Processes, FlashUtil10u_ActiveX.exe is running.
Tested on ThisIsMoney (only test site that said Flash needs to be installed) and it displayed stock market graph in place of message.
Ran Uninstaller and Installer again to make sure had used Administrator settings where available, tested websites.
Internet access response seems to be quicker and no popup asking for Adobe Flash Player by Internet Security.

4. Thanks.

Thank you and regards
Michael J Davison

#12 Budapest

  • Moderator

Posted 25 July 2011 - 04:20 PM

Well I guess that just about clears it up.

Any other problems?

#13 mdavison

  • Topic Starter

Posted 25 July 2011 - 10:55 PM

Many thanks for your calm and low key guidance.
The item on the 'todo' list to study about keeping security on this laptop at a high level is creeping quickly towards the top of the pending pile.
This am laptop launched quickly, websites opened quickly and (great relief) no sign of the Adobe popup.
Thank you and regards
Michael J Davison.

#14 Budapest

  • Moderator

Posted 25 July 2011 - 11:04 PM

You're welcome.

#15 mdavison

  • Topic Starter

Posted 26 July 2011 - 06:40 AM

Sorry,
1. Apparent all clear on my laptop given this morning.
2. Spent morning browsing numerous sites with no incidence of Adobe Flash Player popup. Closed down.
3. This afternoon, signed on again, accessed the front page of an online banking site and the popup is back, asking if it can run FlashUtil10uActiveX.exe.
4. Checked Task Manager and it is not running. Clicked on allow and in Task Manager is now running. Popup still popping.
5. Closed online banking website and is no longer displayed in Task Manager.
6. Checked IE addons and Flash Player with reference of FlashUtil10uActiveX.exe is Enabled.
7. This am noticed MBAM blocked an outgoing call.
Here is the log.

06:29:51 Michael MESSAGE Protection started successfully
06:30:15 Michael MESSAGE IP Protection started successfully
06:31:20 Michael MESSAGE Scheduled update executed successfully
06:32:08 Michael MESSAGE IP Protection stopped
06:32:10 Michael MESSAGE Database updated successfully
06:32:10 Michael MESSAGE IP Protection started successfully
11:45:05 Michael IP-BLOCK 208.87.149.250 (Type: outgoing, Port: 52470, Process: iexplore.exe)
14:13:18 Michael MESSAGE Protection started successfully
14:13:24 Michael MESSAGE IP Protection started successfully

Can you help me again please?

Thank you and regards
Michael J Davison
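The protection log in this post is the second time the thread records MBAM blocking an outgoing connection from iexplore.exe to 208.87.149.250 (the first was on 17 July, port 49467, in the opening post). Scanning a log by eye for IP-BLOCK lines works once; a small parser makes the repeats obvious. The script below is an added example, not from the thread or from Malwarebytes: it pulls IP-BLOCK events out of protection-log lines and summarises them by destination, direction and process. The sample lines are copied from the log above, with one extra line constructed to stand in for the 17 July block (same address and process, port 49467; its time of day is a placeholder because the post does not give one). The line format the regex expects is inferred from these lines only, and the real log path is left as a placeholder since it varies by MBAM version.

```powershell
# Added example (not from the thread): parse Malwarebytes' protection-log lines and
# summarise the IP-BLOCK events. The line format is inferred from the posted log.

$SampleLog = @(
    # Lines copied from the protection log posted on 26 July.
    '06:29:51 Michael MESSAGE Protection started successfully',
    '06:30:15 Michael MESSAGE IP Protection started successfully',
    '06:31:20 Michael MESSAGE Scheduled update executed successfully',
    '06:32:08 Michael MESSAGE IP Protection stopped',
    '06:32:10 Michael MESSAGE Database updated successfully',
    '06:32:10 Michael MESSAGE IP Protection started successfully',
    '11:45:05 Michael IP-BLOCK 208.87.149.250 (Type: outgoing, Port: 52470, Process: iexplore.exe)',
    '14:13:18 Michael MESSAGE Protection started successfully',
    '14:13:24 Michael MESSAGE IP Protection started successfully',
    # Constructed line standing in for the 17 July block mentioned in the first post
    # (port 49467); the 00:00:00 time is a placeholder, not from the thread.
    '00:00:00 Michael IP-BLOCK 208.87.149.250 (Type: outgoing, Port: 49467, Process: iexplore.exe)'
)

function ConvertFrom-MbamProtectionLog {
    # Returns one object per IP-BLOCK line; MESSAGE lines are ignored.
    param([string[]]$Lines)
    $pattern = '^(?<time>\d{2}:\d{2}:\d{2})\s+(?<user>\S+)\s+IP-BLOCK\s+' +
               '(?<ip>\d{1,3}(?:\.\d{1,3}){3})\s+\(Type:\s*(?<dir>\w+),\s*' +
               'Port:\s*(?<port>\d+),\s*Process:\s*(?<proc>[^)]+)\)'
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            New-Object PSObject -Property @{
                Time      = $Matches['time']
                Ip        = $Matches['ip']
                Direction = $Matches['dir']
                Port      = [int]$Matches['port']
                Process   = $Matches['proc'].Trim()
            }
        }
    }
}

function Get-MbamBlockSummary {
    # Groups blocks by destination, direction and process; ports are listed, not keyed on,
    # because the local port of an outgoing connection changes every time.
    param([string[]]$Lines)
    ConvertFrom-MbamProtectionLog -Lines $Lines |
        Group-Object -Property Ip, Direction, Process |
        ForEach-Object {
            New-Object PSObject -Property @{
                Ip        = $_.Group[0].Ip
                Direction = $_.Group[0].Direction
                Process   = $_.Group[0].Process
                Hits      = $_.Count
                Ports     = (($_.Group | ForEach-Object { $_.Port }) -join ',')
            }
        }
}

# Usage with the embedded sample. For a real log, replace the sample with
# Get-Content '<path to the MBAM protection log>' (path is a placeholder).
ConvertFrom-MbamProtectionLog -Lines $SampleLog |
    Format-Table Time, Ip, Direction, Port, Process -AutoSize
Get-MbamBlockSummary -Lines $SampleLog |
    Format-Table Ip, Direction, Process, Hits, Ports -AutoSize
```

Both ports in the thread fall in Windows' dynamic client range (49152 and up), which is consistent with them being the local end of an outgoing connection; the stable part across the two days is the destination address and the process, and that is what the summary keys on. Since the process is the browser, a block like this can come from a script or advert served by a page rather than from anything installed, which is why noting which site was open at the time (as mdavison did) is the most useful thing to record alongside the log.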



