Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Antivirus Security Pro


  • This topic is locked This topic is locked
16 replies to this topic

#1 A Selene

A Selene

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:10 AM

Posted 14 October 2013 - 04:48 PM

A Windows 7 Home 64-bit PC is infected with something called "Antivirus Security Pro".

 

MALWAREBYTES is suppressed;

SuperAntiSpyware is suppressed;

DDS is suppressed;

TaskManager is suppressed;

TDSSKiller is suppressed;

 

Booting into Safe Mode gets as far as allowing user login, then system shuts down.

 

FRST64 Has Run once and produced addition.txt.

Re-runs of FRST64-program runs but stalls at HCU\Default\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

 

RKill run from iexplore.exe version and log saved.

 

Typical POPUP message:

 

"Warning! Suspicious activity detected. To keep the computer safe, the threat must be blocked."

"Warning! Network attack attempt detected.To keep the computer safe, the threat must be blocked."

 

Typical Popup Window:

 

"Warning! Infected file detected."

 

How to attack this monster????


Edited by hamluis, 14 October 2013 - 05:40 PM.
Moved from Am I Infected to Malware Removal Logs - Hamluis.


BC AdBot (Login to Remove)

 


#2 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:10 AM

Posted 14 October 2013 - 05:04 PM

Hello! Welcome to BleepingComputer Forums! :welcome:
My name is Georgi and and I will be helping you with your computer problems.

Before we begin, please note the following:

  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The logs can take some time to research, so please be patient with me.
  • Stay with the topic until I tell you that your system is clean. Missing symptoms does not mean that everything is okay.
  • Instructions that I give are for your system only!
  • Please do not run any tools until requested ! The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.
  • Please perform all steps in the order received. If you can't understand something don't hesitate to ask.
  • Again I would like to remind you to make no further changes to your computer unless I direct you to do so. I will not help you if you do not follow my instructions.

 

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.
  • I'll catch you tomorror sinice I need my sleep. :)

 

 

Regards,
Georgi


cXfZ4wS.png


#3 A Selene

A Selene
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:10 AM

Posted 14 October 2013 - 07:36 PM

Georgi,

Thanks for your reply. Because I was really pressed for time, I did something really weird.  I booted from UBCD4W 3.60 which was built from WinXP-Sp3.  I did this because I'd previously copied a copy of the portable version of SuperAntiSpyware to the desktop of the affected machine.  Using the UBCD4W 3.60 environment, I navigated to the \users\username\desktop and ran the portable SuperAntiSpyware mentioned above.  It found the usual assortment of cookies PLUS a hook in the WINLOGIN key in the registry AND a program in the PROGRAMDATA folder that was anonymized.  I allowed SAS to remove these and rebooted normally.  Then, I installed MALWAREBYTES which NOW ran normally.  It found more things and I allowed it to remove them all.  I'm now re-running SuperAntispyware after having installed it and it's so far found Disabled.SecurityCenterOption values.  Since McAfee is installed on this system, I'm going to look quite carefully at the findings.

I plan to run the MicrosoftOfflineDefender on the system next.

At any rate, I think you can close this one for now.  The system is now accessible.  I don't yet know if it all works but I feel like I'm gaining on it.

Thanks for your suggestions.

 

ASelene



#4 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:10 AM

Posted 15 October 2013 - 05:21 AM

Hi,

 

I am glad you managed to resolve it yourself.

Please let me know if you want to check for malware remnants or I can close the topic?

 

 

Regards,

Georgi


cXfZ4wS.png


#5 A Selene

A Selene
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:10 AM

Posted 15 October 2013 - 09:41 AM

Thanks Georgi.  If you have some suggestions for remnants, I'd be glad to see them.  This was the nastiest infection I've ever seen in that all routes of access to the system seem to have been blocked.

 

I think you can close the topic though. I'm sure you've got lots of people with more urgent problems to solve.

I ran Microsoft's Windows Offline Defender and restored the firewalls, automatic updates, and antivirus hooks.  Finally, ran a McAfee scan.  All scans now run clean and system can successfully boot into SAFE mode.

FWIW, I think the combination of UBCD4W and the portable SuperAntiSpyware makes for a potent tool to restore access for cleanups.  You have to exercise caution because UBCD4W is an XP tool -- not a Vista/Win 7 tool. But since SuperAntiSpyware has a portable version that supports Win XP thru Win 8, I think it works in this case.  I wouldn't try to run anything in this environment that required installation though.

 

Thanks again,

 

ASelene   
:thumbup2:


Edited by A Selene, 15 October 2013 - 09:46 AM.


#6 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:10 AM

Posted 15 October 2013 - 11:08 AM

Hi,

 

Yes (UBCD4W or Bartpe) are very good tools indeed but there are many alternatives for the treatment of this kind of rogues (like FRST, OTL, Rkill, HitmanPro, RogueKiller or even xPud). :)

 

Ok, if you have some free time please run the following tools for me to ensure that your system is malware or issues free (because sometimes Antivirus Security Pro don't come alone)...

The most of them should take no more than 5-8 minutes each.

 

 

 

STEP 1

 

  • Please download RKill by Grinler from the link below and save it to your desktop.

    Rkill
     
  • Before we begin, you should disable your anti-malware softwares you have installed so they do not interfere RKill running as some anti-malware softwares detect RKill as malicious. Please refer to this page if you are not sure how.
  • Double-click on Rkill on your desktop to run it. (If you are using Windows Vista, please right-click on it and select Run As Administrator)
  • A black screen will appear and then disappear. Please do not worry, that is normal. This means that the tool has been successfully executed.
  • If nothing happens or if the tool does not run, please let me know in your next reply.
  • A log pops up at the end of the run. This log file is located at C:\rkill.log.
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.


 

STEP 2

 

  • Please download RogueKiller.exe and save to the desktop.
  • Close all windows and browsers
  • Right-click the program and select 'Run as Administrator'
  • Press the scan button.
  • A report opens on the desktop named - RKreport.txt
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 3


Please download the latest version of TDSSKiller from here and save it to your Desktop.

  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters.
    image000q.png
  • Put a checkmark beside loaded modules.
    Sbf88.png
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
    JtwHB.png
  • Click the Start Scan button.
    19695967.jpg
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip, click on Continue.
    67776163.jpg
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.
    62117367.jpg
    Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.
  • A report will be created in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and past the results at pastebin.com and post the link to the log in your next reply.


 

STEP 4

 

  • Please download the newest version of Malwarebytes' Anti-Malware and install it.
  • Please start the application by double-click on it's icon.
  • Once the program has loaded go to the UPDATE tab and check for updates.
  • When the update is complete, select the Scanner tab
  • Select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad.
  • Please save it to a convenient location and copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 5


Please download Farbar Service Scanner and run it on the computer with the issue.


  • Make sure that all options are checked.
  • Press "Scan".
  • It will create a log (FSS.txt) in the same directory the tool is run.
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.

 

 

STEP 6
 

Please download AdwCleaner by Xplode and save to your Desktop.


  • Double click on AdwCleaner.exe to run the tool.
    Vista/Windows 7/8 users right-click and select Run As Administrator.
  • Click on the Scan button.
  • AdwCleaner will begin...be patient as the scan may take some time to complete.
  • After the scan has finished, click on the Report button...a logfile (AdwCleaner[R0].txt) will open in Notepad for review.
  • The contents of the log file may be confusing. Unless you see a program name that you know should not be removed, don't worry about it. If you see an entry you want to keep, let me know about it.
  • Please copy and past the results at pastebin.com and post the link to the log in your next reply.
  • A copy of all logfiles are saved in the C:\AdwCleaner folder which was created when running the tool.

 

 

 

STEP 7

 

 

1.Please download HitmanPro.

  • For 32-bit Operating System - dEMD6.gif.
  • This is the mirror - dEMD6.gif
  • For 64-bit Operating System - dEMD6.gif
  • This is the mirror - dEMD6.gif

2.Launch the program by double clicking on the 5vo5F.jpg icon. (Windows Vista/7 users right click on the HitmanPro icon and select run as administrator).

Note: If the program won't run please then open the program while holding down the left CTRL key until the program is loaded.

3.Click on the next button. You must agree with the terms of EULA. (if asked)

4.Check the box beside "No, I only want to perform a one-time scan to check this computer".

5.Click on the next button.

6.The program will start to scan the computer. The scan will typically take no more than 2-3 minutes.

7.When the scan is done click on drop-down menu of the found entries (if any) and choose - Apply to all => Ignore <= IMPORTANT!!!

8.Click on the next button.

9.Click on the "Save Log" button.

10.Save that file to your desktop and post the content of that file in your next reply.

 

 

 

STEP 8

 

 

Download Security Check by screen317 from here.

  • Save it to your Desktop.
  • Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
  • A Notepad document should open automatically called checkup.txt; please post the contents of that document.

 

 

 

Regards,

Georgi


cXfZ4wS.png


#7 A Selene

A Selene
  • Topic Starter

  • Members
  • 46 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:01:10 AM

Posted 15 October 2013 - 02:37 PM

Georgi,

 

I've done as you asked and the paste is called "ASelenePaste".

 

On the whole, I think it looks pretty good but I welcome your suggestions.

 

Thanks,

 

ASelene



#8 B-boy/StyLe/

B-boy/StyLe/

    Bleepin' Freestyler


  • Malware Response Team
  • 8,307 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Bulgaria
  • Local time:09:10 AM

Posted 16 October 2013 - 12:33 AM

Hi ASelene, :)

 

I found your logs and we should remove a few leftovers. :)

 

 

 

Please re-run RogueKiller.
Wait until Prescan has finished.
Click on Scan.
Now click the Registry tab and locate these: (if still present. They are may be already removed by MBAM)

 

 
[RUN][SUSP PATH] HKLM\[...]\Run : AS2014 (C:\ProgramData\s96sn373\s96sn373.exe [x]) -> FOUND
[SHELL][SUSP PATH] HKLM\[...]\Winlogon : userinit (userinit.exe,C:\ProgramData\s96sn373\s96sn373.exe -sm, [x][x]) -> FOUND
 

Place a checkmark on it, leave the others unchecked.
Now press the Delete button.
If asked to restart the computer, please do so immediately.
When it is finished, there will be a log on your desktop called: RKreport[2].txt
Post the log in your next reply.

 

 

Also regarding the TDSSKiller log file, some components of Mcafee are disabled and you should consider to re-enable them:

 

 
13:29:21.0511 0x028c  AV detected via SS2: McAfee Anti-Virus and Anti-Spyware, C:\Program Files\McAfee.com\Agent\mcupdate.exe ( 10.5.0.0 ), 0x50000 ( disabled : updated )
13:29:21.0511 0x028c  FW detected via SS2: McAfee Firewall, C:\Program Files\McAfee.com\Agent\mcupdate.exe ( 10.5.0.0 ), 0x50010 ( disabled )
 

Also please double click on AdwCleaner.exe to run the tool again.
  • Click on the Scan button.
  • AdwCleaner will begin to scan your computer like it did before.
  • After the scan has finished untick the following entries:
    <-
Key Found : HKLM\SOFTWARE\Classes\CLSID\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Classes\Interface\{2CE4D4CF-B278-4126-AD1E-B622DA2E8339}
Key Found : HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}
->
  • This time click on the Clean button.
  • Press OK when asked to close all programs and follow the onscreen prompts.
  • Press OK again to allow AdwCleaner to restart the computer and complete the removal process.
  • After rebooting, a logfile report (AdwCleaner[S0].txt) will open automatically.
  • Copy and paste the contents of that logfile in your next reply.
  • A copy of that logfile will also be saved in the C:\AdwCleaner folder.
  •  
     
     
    We Need to Run a Registry Script

    • Press the Windows Logo in the lower left corner of your screen.
    • In the 10-16-2011%204-33-46%20PM.png box, enter notepad and press Enter.
    • Highlight the contents of the following codebox, and copy and paste that text into notepad.
      Windows Registry Editor Version 5.00
       
      [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\A28B4D68DEBAA244EB686953B7074FEF]
    • Select File -> Save.
    • Press the Desktop button on the left side of the save dialog.
    • In the 10-16-2011%204-37-58%20PM.png box, type in Fix.reg.
    • Press 10-16-2011%204-36-39%20PM.png.
    • Close Notepad.
    • Double click 10-16-2011%204-34-48%20PM.png on your desktop.
    • Press Yes if prompted by User Account Control.
    • Press Yes, and then Ok, when prompted.
    • Right click on 10-16-2011%204-34-48%20PM.png and choose Delete.
    • Press Yes.

     

     

    Everything else looks ok. :)

     


    Regards,
    Georgi


    cXfZ4wS.png


    #9 A Selene

    A Selene
    • Topic Starter

    • Members
    • 46 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:01:10 AM

    Posted 16 October 2013 - 10:17 PM

    Thanks Georgi!

     

    I should have results ready for you within 24 hours.

     

    Regards,

    ASelene



    #10 B-boy/StyLe/

    B-boy/StyLe/

      Bleepin' Freestyler


    • Malware Response Team
    • 8,307 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Bulgaria
    • Local time:09:10 AM

    Posted 17 October 2013 - 07:25 AM

    :thumbup2:


    cXfZ4wS.png


    #11 A Selene

    A Selene
    • Topic Starter

    • Members
    • 46 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:01:10 AM

    Posted 17 October 2013 - 03:38 PM

    Hi Georgi:

     

        The new paste should be "ASelenePaste-2".

     

    Two notes worthy of mention:

     

    a) McAfee was re-installed from scratch by McAfee techs.  (I was unable to resolve the warnings from TDSS on this issue.)

     

    B) The key you noted: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A92DAB39-4E2C-4304-9AB6-BC44E68B55E2}

    ->
        WAS NOT FOUND!
     
    I went ahead with the rest.
     
    I know it's probably late for you but I did this as fast as I could.
     
    Thanks,
    ASelene


    #12 B-boy/StyLe/

    B-boy/StyLe/

      Bleepin' Freestyler


    • Malware Response Team
    • 8,307 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Bulgaria
    • Local time:09:10 AM

    Posted 17 October 2013 - 04:14 PM

    Hi,

     

    I can't find the link to the ASelenePaste-2 this time. Can you just please post the link to the logs instead? :)

     

    Ok, I found it but you didn't delete the following entries in RogueKiller:

     

     
    [RUN][SUSP PATH] HKLM\[...]\Run : AS2014 (C:\ProgramData\s96sn373\s96sn373.exe [x]) -> FOUND
    [SHELL][SUSP PATH] HKLM\[...]\Winlogon : userinit (userinit.exe,C:\ProgramData\s96sn373\s96sn373.exe -sm, [x][x]) -> FOUND

     

     

     

    Regards,

    Georgi


    Edited by B-boy/StyLe/, 17 October 2013 - 04:16 PM.

    cXfZ4wS.png


    #13 A Selene

    A Selene
    • Topic Starter

    • Members
    • 46 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:01:10 AM

    Posted 17 October 2013 - 06:11 PM

    Georgi, I must have pasted the wrong log. They're kind of hard to collate since they're scattered all over. :)

    Here's a rerun (Scan only):

     

    RogueKiller V8.7.3 [Oct 15 2013] by Tigzy

    mail : tigzyRK<at>gmail<dot>com

    Feedback : http://www.adlice.com/forum/

    Website : http://www.adlice.com/softwares/roguekiller/

    Blog : http://tigzyrk.blogspot.com/

     

    Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version

    Started in : Normal mode

    User : hugh [Admin rights] Mode : Scan --

    Date : 10/17/2013 18:03:14

    | ARK || FAK || MBR |

     

    ¤¤¤ Bad processes : 0 ¤¤¤

     

    ¤¤¤ Registry Entries : 6 ¤¤¤

    [HJ POL][PUM] HKLM\[...]\System : EnableLUA (0) -> FOUND

    [HJ POL][PUM] HKLM\[...]\Wow6432Node\[...]\System : EnableLUA (0) -> FOUND

    [HJ DESK][PUM] HKCU\[...]\ClassicStartMenu : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ DESK][PUM] HKCU\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {59031a47-3f72-44a7-89c5-5595fe6b30ee} (1) -> FOUND

    [HJ DESK][PUM] HKLM\[...]\NewStartPanel : {20D04FE0-3AEA-1069-A2D8-08002B30309D} (1) -> FOUND

     

    ¤¤¤ Scheduled tasks : 0 ¤¤¤

     

    ¤¤¤ Startup Entries : 0 ¤¤¤

     

    ¤¤¤ Web browsers : 0 ¤¤¤

     

    ¤¤¤ Particular Files / Folders: ¤¤¤

     

    ¤¤¤ Driver : [NOT LOADED 0x0] ¤¤¤

     

    ¤¤¤ External Hives: ¤¤¤

     

    ¤¤¤ Infection :  ¤¤¤

     

    ¤¤¤ HOSTS File: ¤¤¤

    --> %SystemRoot%\System32\drivers\etc\hosts

     

     

     

     

    ¤¤¤ MBR Check: ¤¤¤

     

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) (Standard disk drives)

    +++++ - ST31000528AS ATA Device +++++

    --- User ---

    [MBR] a9a61e365aca805f5627aacf3e798cbd

    [BSP] 30b29a52438311981d61eb6325ea0b7f : Windows 7/8 MBR Code Partition table:

    0 - [XXXXXX] DELL-UTIL (0xde) [VISIBLE] Offset (sectors): 63 | Size: 54 Mo

    1 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 112640 | Size: 12466 Mo

    2 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 25643008 | Size: 941347 Mo User = LL1 ... OK!

    User = LL2 ... OK!

     

    Finished : << RKreport[0]_S_10172013_180314.txt >> RKreport[0]_D_10172013_133931.txt

     

    Hope this is what you expected to see.

     

    Thanks,

    ASelene


    Edited by A Selene, 17 October 2013 - 06:27 PM.


    #14 B-boy/StyLe/

    B-boy/StyLe/

      Bleepin' Freestyler


    • Malware Response Team
    • 8,307 posts
    • OFFLINE
    •  
    • Gender:Male
    • Location:Bulgaria
    • Local time:09:10 AM

    Posted 17 October 2013 - 07:12 PM

    Hi,

     

    Yes, that look alot better. :)

     

    Nicely done ! This is the end of our journey if you don't have any more questions.
    I have some final words for you.
    All Clean !
    Your machine appears to be clean, please take the time to read below on how to secure the machine and take the necessary steps to keep it Clean.

     

     

     

    STEP 1 CLEANUP



    To remove all of the tools we used and the files and folders they created, please do the following:

     

    Please download OTC.exe by OldTimer and save it to your desktop.
     

    • Right-click the OTC.exe and choose Run as Administrator.
    • Click on CleanUp! button.
    • If you are prompted to Reboot during the cleanup, select Yes.
    • The tool will delete itself once it finishes.

     

    • Next please download Delfix.exe by Xplode and save it to your desktop.
    • Please start it and check the box next to "Remove disinfection tools" and click on the run button.
    • The tool will delete itself once it finishes.

     

    Note: If any tool, file, log file or folder (belonging to the program we have used) hasn't been deleted, please delete it manually.



    STEP 2 SECURITY ADVICES



    Change all your passwords !


    Since your computer was infected for peace of mind, I would however advise you that all your passwords be changed immediately !! (just in case).
    Use different passwords for all your accounts. Also don't use easy passwords such as your favorite teams, bands or pets because this will allow people to guess your password.
    You can use PC Tools Password Generator to create random passwords and then install an application like KeePass Password Safe to store them for easy access.If you do Online Banikng please read this article: Online Banking Protection Against Identity Theft



    Keep your antivirus software turned on and up-to-date

     

    • Make sure your antivirus software is turned on and up-to-date.
    • New viruses come out every minute, so it is essential that you have the latest signatures for your antivirus program to provide you with the best possible protection from malicious software.
      Note:
    • You should only have one antivirus installed at a time. Having more than one antivirus program installed at once is likely to cause conflicts and may well decrease your overall protection as well as impairing the performance of your PC.
    • You should scan your computer with an AntiSpyware program like Malwarebytes' Anti-Malware on a regular basis just as you would an antivirus software.
    • Be sure to check for and download any definition updates prior to performing a scan.

     

     

    Install HIPS based software


    HIPS based software controls what an application is allowed to do and not allowed to do.
    It monitors what each application tries to do, how it use the internet and give you the ability to block any suspicious activity occurring on your computer.
    In my opinion the best way to prevent an unknown malware from gaining access is to use some HIPS programs (like COMODO, PrivateFirewall, Online Armor etc.) to control the access rights of legitimate applications, although this would only be advisable for experienced users...
    However, you should be aware though that (if you install Comodo Firewall and not the whole package Comodo Internet Security) this is not an replacement for a standard antivirus application. It's a great tool to add another layer of protection to your existent antivirus application. It takes some time and knowledge to configure it for individual purposes but once done, you should not have a problems with it.
    There are so many reviews on YouTube and blogs about all these programs.
    Keep in mind to choose carefully in order to avoid conflicts or instability caused by incompatible security programs.
    Also having more than one "real-time" program can be a drain on your PC's efficiency...
     
    If you like Comodo you should choose for yourself which version of Comodo you will use 5 or 6. Personally I stick to version 5!
    COMODO V5 & V6 Users Count Poll
     

     

    Practice Safe Internet


    One of the main reasons people get infected in the first place is that they are not practicing Safe Internet. You practice Safe Internet when you educate yourself on how to properly use the Internet through the use of security tools and good practice. Knowing how you can get infected and what types of files and sites to avoid will be the most crucial step in keeping your computer malware free. The reality is that the majority of people who are infected with malware are ones who click on things they shouldn't be clicking on. Whether these things are files or sites it doesn't really matter. If something is out to get you, and you click on it, it most likely will.  Below are a list of simple precautions to take to keep your computer clean and running securely:
     

    • If you receive an attachment from someone you do not know, DO NOT OPEN IT! Simple as that.  Opening attachments from people you do not know is a very common method for viruses or worms to infect your computer.
    • .exe, .com, .bat, .pif, .scr, .vb, .vbe, .vbs, .ws, .wsf, .shs, .hta, .jar, .js or .jse do not open the attachment unless you know for a fact that it is clean.  For the casual computer user, you will almost never receive a valid attachment of this type.
    • If you receive an attachment from someone you know, and it looks suspicious, then it probably is.  The email could be from someone you know infected with a malware that is trying to infect everyone in their address book.
    • If you are browsing the Internet and a popup appears saying that you are infected, ignore it!. These are, as far as I am concerned, scams that are being used to scare you into purchasing a piece of software. For an example of these types of popups, or Foistware, you should read this article:
      Foistware, And how to avoid it. There are also programs that disguise themselves as Anti-Spyware or security products but are instead scams.  For a list of these types of programs we recommend you visit this link: About Malwares, Rogues, Scarewares, SmitfraudFix
    • Another tactic to fool you on the web is when a site displays a popup that looks like a normal Windows message  or alert. When you click on them, though, they instead bring you to another site that is trying to push a product on you.  We suggest that you close these windows by clicking on the X instead of the OK button. Alternatively, you can check to see if it's a real alert by right-clicking on the window.  If there is a menu that comes up saying Add to Favorites... you know it's a fake.
    • Do not go to adult sites. I know this may bother some of you, but the fact is that a large amount of malware is pushed through these types of sites. I am not saying all adult sites do this, but a lot do.
    • When using an Instant Messaging program be cautious about clicking on links people send to you. It is not uncommon for infections to send a message to everyone in the infected person's contact list that contains a link to an infection. Instead when you receive a message that contains a link, message back to the person asking if it is legit before you click on it.
    • Stay away from Warez and Crack sites! In addition to the obvious copyright issues, the downloads from these sites are typically overrun with infections. Avoid using cracks and unknown programs from sources you don't trust. There are MANY alternative open-source applications. Malware writers just love cracks and keygens, and will often attach malicious code into them. By using cracks and/or keygens, you are asking for problems. So my advice is - stay away from them!
    • Be careful of what you download off of web sites and Peer-2-Peer networks. Some sites disguise malware as legitimate software to trick you into installing them and Peer-2-Peer networks are crawling with it. If you want to download a piece of software a from a site, and are not sure if they are legitimate, you can use McAfee Siteadvisor to look up info on the site. Note: skip this advice if your antivirus have a Web Guard.
    • DO NOT INSTALL any software without first reading the End User License Agreement, otherwise known as the EULA. A tactic that some developers use is to offer their software for free, but have spyware and other programs you do not want bundled with it. This is where they make their money. By reading the agreement there is a good chance you can spot this and not install the software.

     

     

    Tweak your browsers
     
     
    MOZILLA FIREFOX


    To prevent further infections be sure to install the following add-ons NoScript and AdBlock Plus.

    Adblock Plus hides all those annoying (and potentially dangerous) advertisements on websites that try and tempt you to buy or download something. AdBlock not only speeds up your browsing and makes it easier on your eyes, but also makes it safer.

     

    Adblock Plus can be found here.

    NoScript is only for advanced users as it blocks all the interactive parts of a webpage, such as login options. Obviously you wouldn’t want to block your ability to log on to your internet banking or your webmail, but thankfully you can tell NoScript to allow certain websites and block others. This is very useful to ensure that the website you’re visiting is not trying to tempt you to interact with another, more dangerous website.

     

    NoScript can be found here
     

     

     

    Google Chrome

     
    If you like Google Chrome there are many similar extensions for this browser as well. Since I am not a Google Chrome user I can't tell you which of them are good and how they work. You should find out by yourself.

    However Google Chrome can block a lot of unknown malware because of his sandbox.Beware of the fact that Google Chrome doesn't provide master password protection for your saved in the browser passwords. Check this out: Google Chrome security flaw offers unrestricted password access

     

     

     

    For Internet Explorer 9/10 read the articles below:
     

    Security and privacy features in Internet Explorer 9

    Enhanced Protected Mode
    Use Tracking Protection in Internet Explorer

    Security in Internet Explorer 10

     

    Immunize your browsers with SpywareBlaster 5 and Spybot Search and Destroy 1.6

    Also MBAM acquired the following software Malwarebytes Anti-Exploit and it should work with the most popular browsers. Beware the product is in beta stage.
     

     

     

    Disable the dangerous services you don't need and don't use like Remote Registy, Server, SSDP Discovery, RemoteAccess etc. (if you don't feel confortable to change the services configuration then please skip this step). It's a good idea to disable the autorun functionality using the following tool to prevent spreading of the infections from USB flash drives.

     
     
    Make the extensions for known file types visible:
     
     
    Be wary of files with a double extension such as jpg.exe. As a default setting, Windows often hides common file extensions, meaning that a program like image.jpg.exe will appear to you as simply image.jpg. Double extensions exploit this by hiding the second, dangerous extension and reassuring you with the first one.Check this out - Show or hide file name extensions.

     

     

     

    Create an image of your system

     

    • Now when your pc is malware free it is a good idea to do a backup of all important files just in case something happens it.
    • Macrium Reflect is very good choice that enables you to create an image of your system drive which can be restored in case of problems.
    • The download link is here.
    • The tutorials can be found here.
    • Be sure to read the tutorial first.

     

     

    Optimize Windows 7 for better performance

    Check this article for more information.

     

     

     

    Follow this list and your potential for being infected again will reduce dramatically.

    Safe Surfing! :)
     

     

    Cheers,

    Georgi


    cXfZ4wS.png


    #15 A Selene

    A Selene
    • Topic Starter

    • Members
    • 46 posts
    • OFFLINE
    •  
    • Gender:Male
    • Local time:01:10 AM

    Posted 18 October 2013 - 01:28 PM

    Thanks Georgi!

     

    The beer's on me. :)

     

    All the best to you and yours.

     

    ASelene






    0 user(s) are reading this topic

    0 members, 0 guests, 0 anonymous users