
Ransomware? Kovter remnants? or Something else? Please help!


This topic is locked
9 replies to this topic

#1 Groffeaston

Posted 05 June 2016 - 06:31 PM

Hello,

Yesterday afternoon I turned on my computer and opened Internet Explorer, typed in www.palottery.com and hit Enter. That is when Internet Explorer froze/locked up and 2 pop-up windows appeared, one on top of the other! The one on top stated:

"Dear Pennteledata inc. customer,

 

Your IP: 70.15.203.116 has been blocked

A serious malfunction has been detected with Windows Vista / Server 2008 and you IE 9.0. Please call the toll-free number below for a certified technician to help you resolve the issue.

 

855-203-2052

 

For your safety, closing the IE browser has been disabled without support of the certified technician to avoid corruption to the registry of your Windows Vista / Server 2008 operating system

 

Please contact support at the toll-free Helpline 855-203-2052

 

DO NOT SHUT DOWN OR RESTART THE COMPUTER, DOING THAT MAY LEAD TO DATA LOSS AND POSSIBLE FAILURE OF THE OPERATING SYSTEM AND POTENTIAL NON BOOTABLE SITUATION RESULTING IN COMPLETE DATA LOSS, CONTACT MICROSOFT CERTIFIED TECHNICIANS TO RESOLVE THE ISSUE CALLING TOLL FREE - 855-203-2052"

I tried clicking to close the top window so I could see the window underneath, but it kept popping back up! I took a screen shot of the top message and then timed it so that when I closed the top window I was able to get a screen shot of the bottom window/message.

I then came on here and opened a topic in the section "Am I infected? What do I do?" Here is the link to my post there:

http://www.bleepingcomputer.com/forums/t/616347/ransom-ware-cannot-close-internet-explore-and-need-help-now/

I then did a scan with MBAM free and Microsoft Security Essentials. They both detected nothing. I then did a scan with SUPERAntiSpyware free and that detected nothing.

Then I saw the section on ransomware and I thought I had made a mistake and posted in the wrong section. So I made a new topic post in the Ransomware section. Here is that link:

http://www.bleepingcomputer.com/forums/t/616376/ransom-ware-cannot-close-internet-explore-and-need-help-now/

It was recommended that I wait for a reply to my original posting and that they did not think I had ransomware, but just to be safe I should have my computer checked. So I went back to my original post and one person recommended I contact/send a PM to Curie, who had helped me with my most recent problem dealing with the "Kovter" infection (which was closed 4 days ago), and ask them to have another look at my system. I then sent a PM to Curie and explained my current problem. Curie responded back saying they were unable to help me at this time because they were busy and that I should open a new topic post in this section and follow the directions in the link they gave me. Which I did.

I do not know if I have any ransomware, remnants of the "Kovter" infection or, as one of the people who responded mentioned, it was most likely a phony tech support scam. They recommend that I have my computer given a thorough going over just to be safe!

I am attaching:  FRST.txt, Addition.txt which was requested.
Also I am including: MBAM scan result log, and the 2 screen shots of the pop up messages.
 


 


#2 nasdaq

Malware Response Team

Posted 06 June 2016 - 10:06 AM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

If you can please print this topic it will make it easier for you to follow the instructions and complete all of the necessary steps in the order listed.
===

Remove this old version of Java via the Control Panel > Programs > Programs and Features applet.
JavaFX 2.1.1 (HKLM\...\{1111706F-666A-4037-7777-211328764D10}) (Version: 2.1.1 - Oracle Corporation)
===

Nothing suspicious was found on your logs.
This is just a cleanup of empty registry entries.

Press the Windows key + R on your keyboard at the same time. This will open the Run box.
Type Notepad and click OK.
Please copy the entire contents of the code box below to the new file.
 
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction - Chrome <======= ATTENTION
FF Plugin HKU\S-1-5-21-1921292706-2233922792-2079689605-1000: @sun.com/npsopluginmi;version=1.0 -> C:\Program Files\OpenOffice.org 3\program [No File]
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll => No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java(TM) Platform SE 7 U21) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (tossc) - C:\Program Files\thinkorswim\tossc32.dll => No File
CHR Plugin: (Unity Player) - C:\Users\Matthew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => No File
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Matthew\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\Matthew\AppData\Local\Temp\catchme.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

End
Save the file as fixlist.txt in the same folder where the Farbar tool is running from.
The location is listed in the 3rd line of the Farbar log you have submitted.

Run FRST and click Fix only once and wait.

Restart the computer normally to reset the registry.

The tool will create a log (Fixlog.txt) please post it to your reply.
===

#3 Groffeaston

Topic Starter

Posted 06 June 2016 - 04:43 PM

At first I could not find the log where it was supposed to be, so I started to go through the steps again and run the FRST fix again. But then after I re-saved the content of the code box, I could not even see that. I was like WTF!!! It took a few seconds to refresh the list and then I was able to see both. I deleted the "new" fixlist.txt file and then copied and pasted the log below. Here is the log:
 

Fix result of Farbar Recovery Scan Tool (x86) Version:06-06-2016
Ran by Matthew (2016-06-06 17:21:59) Run:1
Running from C:\Users\Matthew\Downloads
Loaded Profiles: Matthew (Available Profiles: Matthew)
Boot Mode: Normal

==============================================

fixlist content:
*****************
start

CreateRestorePoint:
EmptyTemp:
CloseProcesses:

GroupPolicy: Restriction - Chrome <======= ATTENTION
FF Plugin HKU\S-1-5-21-1921292706-2233922792-2079689605-1000: @sun.com/npsopluginmi;version=1.0 -> C:\Program Files\OpenOffice.org 3\program [No File]
CHR Plugin: (Native Client) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => No File
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
CHR Plugin: (Adobe Acrobat) - C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => No File
CHR Plugin: (QuickTime Plug-in 7.7.3) - C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => No File
CHR Plugin: (AmazonMP3DownloaderPlugin) - C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll => No File
CHR Plugin: (Google Update) - C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll => No File
CHR Plugin: (Java™ Platform SE 7 U21) - C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => No File
CHR Plugin: (tossc) - C:\Program Files\thinkorswim\tossc32.dll => No File
CHR Plugin: (Unity Player) - C:\Users\Matthew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => No File
CHR Plugin: (BrowserPlus (from Yahoo!) v2.9.8) - C:\Users\Matthew\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll => No File
CHR Plugin: (Shockwave for Director) - C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll => No File
CHR Plugin: (Shockwave Flash) - C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll => No File
CHR Plugin: (Silverlight Plug-In) - c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll => No File
CHR Extension: (Chrome Web Store Payments) - C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda [2016-04-03]
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
S3 catchme; \??\C:\Users\Matthew\AppData\Local\Temp\catchme.sys [X]
S3 esgiguard; \??\C:\Program Files\Enigma Software Group\SpyHunter\esgiguard.sys [X]
S3 IpInIp; system32\DRIVERS\ipinip.sys [X]
S3 NwlnkFlt; system32\DRIVERS\nwlnkflt.sys [X]
S3 NwlnkFwd; system32\DRIVERS\nwlnkfwd.sys [X]
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}\InprocServer32 -> no filepath
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}\InprocServer32 -> no filepath
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]

End
*****************

Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000\Software\MozillaPlugins\@sun.com/npsopluginmi;version=1.0" => key removed successfully.
FF Plugin HKU\S-1-5-21-1921292706-2233922792-2079689605-1000: @sun.com/npsopluginmi;version=1.0 -> C:\Program Files\OpenOffice.org 3\program [No File] => not found.
C:\Program Files\Google\Chrome\Application\49.0.2623.112\ppGoogleNaClPluginChrome.dll => not found.
C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => not found.
C:\Program Files\Adobe\Reader 10.0\Reader\Browser\nppdf32.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll => not found.
C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll => not found.
C:\Program Files\Amazon\MP3 Downloader\npAmazonMP3DownloaderPlugin101752.dll => not found.
C:\Program Files\Google\Update\1.3.21.145\npGoogleUpdate3.dll => not found.
C:\Program Files\Java\jre7\bin\plugin2\npjp2.dll => not found.
C:\Program Files\thinkorswim\tossc32.dll => not found.
C:\Users\Matthew\AppData\LocalLow\Unity\WebPlayer\loader\npUnity3D32.dll => not found.
C:\Users\Matthew\AppData\Local\Yahoo!\BrowserPlus\2.9.8\Plugins\npybrowserplus_2.9.8.dll => not found.
C:\Windows\system32\Adobe\Director\np32dsw_1202122.dll => not found.
C:\Windows\system32\Macromed\Flash\NPSWF32_11_7_700_169.dll => not found.
c:\Program Files\Microsoft Silverlight\5.1.20125.0\npctrl.dll => not found.
C:\Users\Matthew\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda => moved successfully
blbdrive => service removed successfully.
catchme => service removed successfully.
esgiguard => service removed successfully.
IpInIp => service removed successfully.
NwlnkFlt => service removed successfully.
NwlnkFwd => service removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020420-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020421-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020422-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020423-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020424-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{00020425-0000-0000-C000-000000000046}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0BE35203-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0BE35204-8F91-11CE-9DE3-00AA004BB851}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{46763EE0-CAB2-11CE-8C20-00AA0051E5D4}" => key removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{B196B286-BAB4-101A-B69C-00AA00341D07}" => key removed successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..
EmptyTemp: => 845.9 MB temporary data Removed.


The system needed a reboot.

==== End of Fixlog 17:23:33 ====
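The fixlist in post #2 and the Fixlog above follow a fixed shape: the fix echoes every directive, then writes one outcome line per action. The Python below is an added example, not part of FRST and not code from this thread; it summarises such a log so a reviewer can check at a glance that the restore point was taken before anything changed, how many entries were merely stale ("not found"), and whether any result line was not recognised. The sample is a constructed, shortened excerpt built from lines of the log posted above.

```python
# Added example (not code from FRST or from this thread): summarise a Fixlog.txt
# so a reviewer sees directive counts, outcome counts and the usual sanity flags.
import re
from collections import Counter

# Constructed, shortened excerpt in the shape of the Fixlog posted above.
SAMPLE_FIXLOG = r"""
Fix result of Farbar Recovery Scan Tool (x86) Version:06-06-2016
Running from C:\Users\Matthew\Downloads
fixlist content:
*****************
start
CreateRestorePoint:
EmptyTemp:
CloseProcesses:
GroupPolicy: Restriction - Chrome <======= ATTENTION
CHR Plugin: (Chrome PDF Viewer) - C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => No File
S4 blbdrive; \SystemRoot\system32\drivers\blbdrive.sys [X]
CustomCLSID: HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}\InprocServer32 -> no filepath
AlternateDataStreams: C:\ProgramData\TEMP:5C321E34 [125]
End
*****************
Restore point was successfully created.
Processes closed successfully.
C:\Windows\system32\GroupPolicy\Machine => moved successfully
C:\Windows\system32\GroupPolicy\GPT.ini => moved successfully
C:\Program Files\Google\Chrome\Application\49.0.2623.112\pdf.dll => not found.
blbdrive => service removed successfully.
"HKU\S-1-5-21-1921292706-2233922792-2079689605-1000_Classes\CLSID\{0000002F-0000-0000-C000-000000000046}" => key removed successfully.
C:\ProgramData\TEMP => ":5C321E34" ADS removed successfully..
EmptyTemp: => 845.9 MB temporary data Removed.
The system needed a reboot.
==== End of Fixlog 17:23:33 ====
"""

# Result-line shapes FRST writes, as seen in the posted log.
OUTCOME_PATTERNS = [
    (re.compile(r"^Restore point was successfully created\.$"), "restore point"),
    (re.compile(r"^Processes closed successfully\.$"), "processes closed"),
    (re.compile(r" => moved successfully$"), "moved"),
    (re.compile(r" => not found\.$"), "not found"),
    (re.compile(r" => key removed successfully\.$"), "key removed"),
    (re.compile(r" => service removed successfully\.$"), "service removed"),
    (re.compile(r" ADS removed successfully\.+$"), "ADS removed"),
    (re.compile(r" temporary data Removed\.$"), "temp emptied"),
    (re.compile(r"^The system needed a reboot\.$"), "reboot"),
]
SERVICE_RE = re.compile(r"^[RSU]\d ")  # "S3 catchme; ..." style service/driver entries


def classify(line):
    """Label one result line; 'other' means the reviewer has to read it by hand."""
    for pattern, label in OUTCOME_PATTERNS:
        if pattern.search(line):
            return label
    return "other"


def directive_type(line):
    """'Service' for Sn/Rn/Un entries, otherwise the keyword before the first ':'."""
    if SERVICE_RE.match(line):
        return "Service"
    return line.split(":", 1)[0]


def split_sections(text):
    """Return (fixlist directives, result lines) from a Fixlog body."""
    lines = text.splitlines()
    rules = [i for i, l in enumerate(lines) if l.startswith("*****")]
    if len(rules) < 2:
        raise ValueError("not a Fixlog: fixlist delimiters missing")
    fixlist = [l for l in lines[rules[0] + 1:rules[1]]
               if l.strip() and l.strip().lower() not in ("start", "end")]
    end = next((i for i, l in enumerate(lines) if l.startswith("==== End of Fixlog")), len(lines))
    results = [l for l in lines[rules[1] + 1:end] if l.strip()]
    return fixlist, results


def summarize_fixlog(text):
    """Counts per directive type and outcome, plus the flags a reviewer checks first:
    restore point taken before any change, stale ('not found') entries, unknown lines."""
    fixlist, results = split_sections(text)
    outcomes = Counter(classify(l) for l in results)
    return {
        "directives": Counter(directive_type(d) for d in fixlist),
        "outcomes": outcomes,
        "restore_point_first": bool(results) and classify(results[0]) == "restore point",
        "stale_entries": [l for l in results if classify(l) == "not found"],
        "unclassified": [l for l in results if classify(l) == "other"],
        "reboot_needed": outcomes["reboot"] > 0,
    }
```

Call summarize_fixlog() on the text of a real Fixlog.txt; anything that lands in "unclassified" is a line the script did not recognise and should be read by hand.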



#4 nasdaq

Malware Response Team

Posted 07 June 2016 - 07:22 AM

Any remaining issues with this computer?

#5 Groffeaston

Topic Starter

Posted 07 June 2016 - 01:04 PM

I think I may have figured out why my computer is somewhat slow on load up and why my web browsers are slow to load up. Of course I could be wrong.

Slow computer start up - I saw there are over 225 programs/files in my "downloads" folder/section. Some are old set-ups to programs that are currently on my computer, some are old set-ups to programs that are no longer on my computer, some are older "update" files, some are current "update" files, and some are programs that I thought got deleted long ago! Some of these, I know, could possibly contain "messed up" data, missing data, etc., and some if not most can safely be deleted or removed. But some of the others are vital to the operation of programs on my computer. I think that this could possibly be part of the reason why I keep getting "script" errors on some websites, have slow computer load up, and the web browser freezes up.

Web browser has slow start up and freezes up - I believe part of the problem is too many emails saved in my email folders, too many "contacts" in my Contacts list, and there was one other thing which I cannot recall off the top of my head. The emails and contact lists from 1 or more of my email accounts get saved to my computer, which I did not realize until I was searching for something on my computer and found the email contact list stored there. This eats up storage space on my hard drive and slows down start up and shutdown times!

The one time I was able to "clear" the emails from my computer without clearing them from my actual email accounts, it sped up my computer. But the next time I tried it, it would have deleted them from my email account! So I did not do it again.

I remember reading on a different website that some of these could lead to virus, malware, and spyware infections by a "back door" way.
 

I have to get off the computer now! Thunder storm with lightning. I will add more later when it is safe!



#6 Groffeaston

Topic Starter

Posted 07 June 2016 - 03:01 PM

Okay, I am back. I have a little while until another line of thunder storms rolls through!

Now back to what I was saying: I remember reading, I believe it was on a different website, that some of the saved emails on the computer and old download files/programs could possibly be used to install a virus, malware, spyware, etc., or even could allow a "hacker" access to your computer by hiding their program in those items. How much of that is "true" or just "speculation" I do not know.

I would like to "clean up" some of if not most of those files. 

I can take the time and go through the email folders on my email accounts manually, which I started to do. But that still leaves the ones that are saved on my computer and the "contacts" lists. Some on the contacts list are duplicates. Again, I can do that on my email accounts; it will take some time, and most email accounts have a way of checking for duplicates.

Now for the old "downloads" of "set-ups" and updates and other files. Some "set-ups" I can delete while others I am not sure if I can, because the program may need information in the "set-up" to download updates or to "fix" the program if there is a problem. I ran into this problem a couple of times! I deleted the set-up and then had a problem with the program; then when I went to "uninstall" the program it could not find the "uninstall" information because it was in the "set-up" file which got deleted!! While another program needed the set-up files to uninstall the other files that were created from using the program so I could then do a clean re-install. Then there are the "updates" for Windows and other programs that are older than a year or two.

My questions are:

1) How can I determine what Downloads are safe to delete in the "downloads" folder?

2) Is there a way to separate the downloads into "folders" so I know "what is what"? As an example: downloads that are for my computer's operating system, such as Windows updates; also Java updates, Adobe updates, etc.; and then have folders for "security programs": anti-malware, anti-virus, and anti-spyware; and then have other folders for other things!

3) Is there anything I might be missing that I could do, or do better, that could help me prevent a problem like this in the near future? Security program(s) I should add to what I am using now, replace the ones I am using now with, or should I change how I scan and/or the settings: more often, more deeply instead of a quick scan, etc.

4) Could any of the above even be related to what I experienced, with either the "Kovter" infection or the phony tech support scam which I thought was "Ransomware"?



#7 nasdaq

Malware Response Team

Posted 08 June 2016 - 06:39 AM



"saved emails onto the computer and old download files/programs, could possibly be used to install a Virus"

I do not think they can be used to install a virus.
They may however have been compromised when you got them.
Opening a compromised e-mail message may give you some type of infection.

I keep only the last two months of old email.
If I want to keep older ones I move them to a designated folder. (create one and move the e-mail in it).

Which e-mail program do you use?
===

"I can take the time and go through the email folders on my email accounts manually, which I started to do. But that still leaves the ones that are saved on my computer and the "contacts" Lists. Some on the contacts list are duplicates. Again I can do on my email accounts and will take some time and most email accounts have way of checking for duplicates"

Can you not sort them by date, subject or sender?

===

It looks like you are a Firefox user.

When you download a program it's downloaded and saved in the Downloads folder.

Installing the program from that folder is not an ideal option.
Should you delete the files in the Downloads folder, it could compromise the use of the program.

I would leave everything as is.

However I would create a new folder and name it My_Downloads.
Open Firefox and change the location where the new downloads will be created.

How to:
Open Firefox > Settings (the three horizontal bars on the top right)
Click Options
On the Download section, Save files to > Browse to the location of the newly created folder and select it.
Exit.

Try the download by downloading the FRST.TXT file you have attached to your first post.

Check the folder to see if all went well.
===

The next time you download a program it will be saved in that folder.

Create a new folder (name it with the program name) where you want to install this new program from.
Move the file to that new folder and run the application from there.

Not only will the program run from that folder but the installer for that program will also be located where it's safe.

If you need additional information let me know.

#8 Groffeaston

Topic Starter

Posted 08 June 2016 - 10:54 AM

I will move the non-critical downloads for my computer's operation, such as photos, music, videos, etc., out of the "downloads" file/folder and create a new file/folder like you suggested. I think I remember how to do that on my computer! It has been a while! As for changing it in Firefox, that is no problem; I can just change it to "ask where to download to".

I will let you know how I do on changing things around.

"Can you not sort them by date, subject or sender?" Yes I can. Also with my email accounts through Yahoo, AOL and Hotmail, I already sort them into different folders; it is just that some of them have WAY too many old emails in them! Time to clean the folders out!! I try to only keep emails back 2 to 6 months depending on how many there are in that specific folder. As an example, there is one folder that I have where I get about 5 or 6 emails a day, so I would only keep less than a month's worth or only a few weeks' worth. Another one I only get 1 email a month so I would keep maybe the last 6.

But then there are times when I get sick, have an injury, or have had surgery (a few times in the past 4 years), and I got behind checking my emails; they really piled up and it takes a while to get through them and get caught up! Then I fall even further behind trying to clean up the old emails in my folders!

I remember once seeing a program, I do not remember if it was included in one of the email accounts or if it was separate, where it would automatically clean up old emails for you, but it was a "beta" at that time. I guess people had too many emails that they wanted to keep being deleted, so I guess the program got "canned", because I have not seen any mention of it anymore! Or they just added some parts of it and not other parts into their email programming. I am just not sure. I will have to check. It will sure make it easier! LOL

Thanks for the help. Again I will let you know how I do on making the changes.



 



#9 Groffeaston

Topic Starter

Posted 08 June 2016 - 11:48 AM

Okay, I created a new file folder and called it "My_Downloads" and switched the non-essential download files such as photos (.jpg files, Word documents, manuals, catalogs, etc.) from "Downloads" to "My_Downloads". In Firefox I changed where to save downloads from "downloads" to "Always ask me where to save files".

Now I just have to spend time going through my emails and old emails cleaning up!



#10 nasdaq

Malware Response Team

Posted 14 June 2016 - 09:06 AM

It appears that this issue is resolved, therefore I am closing the topic. If that is not the case and you need or wish to continue with this topic, please send me or any Moderator a Personal Message (PM) that you would like this topic re-opened.



