Worried about Virus In Yahoo email??????

Repa,

1) I'm very concerned about my Yahoo email being infected. Maybe you viewing my four screen shots will shed some light on this. The last couple of days while in my Yahoo email I've gotten a popup window saying "The page you're viewing uses Java", etc. Then suddenly I get Avast message that a bad guy was Blocked.

2) The first 2 pics are from yesterday, and 3 & 4 pics are from today. I also noticed that the Yahoo Login Page browser had an "S" at the end of http, but in my email account there was no "S" at the end of http, and there was no locked padlock in the browser address window box. I hope you can tell what's going on with this stuff. I'm pretty worried about this one! EDIT: If you look, you will be able to see the padlock & s is missing in the browser address bar. PS, I ran all my scans yesterday Sat. & nothing was found in any of them.

Answer these questions, then follow the below instructions.

1. Do you get these messages when you don't have a browser open?
2. Are you getting these messages from Avast when you open your browser, but do not go to your yahoo email?
3. Do you get these messages if all you do is go to your yahoo email but do not open any emails? If this is the case, do not go to your yahoo mail. Same question and action about your wife's yahoo email.
4. Do you get these messages when you open your emails, and if so, is it just from particular contacts or any contact? If this is the case, or not sure, do not open any emails in your yahoo account. If you can identify particular contacts, and then remove those contacts from your contact list. Same question and action concerning your wife's email account.
5. Are there any other circumstances when you get these messages besides those mentioned above?
6. Does your browser initially open to your expected homepage? When you click a link or do a google search, does the browser go where you expect it to go?

Answer the above questions. If you aren't sure, play around for a while in each configuration to see what happens. If you only get the messages when you open something in your email, then don't open anything in your email, just say that's the only time it happens, and only with certain contacts if you can identify them. Be sure to specify whether or not this happens in your wife's yahoo account. Once you have answered the above questions, then do the following:

Run ccleaner.

Download the following programs into your "My Downloads" folder and run them. You do not have to install these programs, they are stand-alone executables:

Download Adwcleaner:
http://www.bleepingcomputer.com/download/adwcleaner/

Save to your “My Downloads” folder. Open this program and click the Scan button to run it. It will produce a notepad file called AdwCleaner[R1].txt that will open when the scan ends and will also be saved on your C:\ drive. Copy the contents of this file and paste it here. X out of the program at this time – do not take any action.

Download TDSSKiller:
http://www.bleepingcomputer.com/download/tdsskiller/

Click the “Download Now Exe Version” button. Save to your My Downloads” folder and change the name of the file to save from TDSSKiller.exe to TK123.exe before clicking the Save button. Open the file to run it and click the “Scan Now” button. If it finds anything, make sure the action to take at the right hand side of the object found is set to “Skip” (use the dropdown arrow to set to Skip if not already set to Skip) and click Continue, then click Close. This program produces a file on your C:\ drive that looks like “TDSSKiller.2.8.15.0_26.11.2012_12.05.24_log.txt.” Open this file if anything was detected and copy and paste it’s contents here.

Download HitmanPro:
http://www.surfright.nl/en/downloads

Both 32-bit and 64-bit download versions are on this page. Download the 64-bit version if that is what your computer is.

Save to your “My Downloads” folder. Open the program and click the Next button. Select: “No, I only want to perform a one-time scan to check this computer.” Do not provide your email address. Uncheck: Please email me important notifications ….” Click the Next button and the scan will begin. When the scan is complete, take a screenshot of anything found and post it here. Do not take any action to delete anything at this time. X out of the program and wait until I get a chance to look at the screenshot list of detected items, even though this program is not known for detecting false positives.

BTW all, the tools listed in the above post are good to use when you think you have malware but can't find anything with the standard tools I've given you in the past, e.g., those in Tut#6.

Being unsure if I could find the scan log for these Apps again if I closed them I'm running them one at a time and posting here for you. EDIT: I just checked in C:) drive to see if i could fond the file & I did, although the saved file appeared to shorter in length than this one I posted here. I'll get the other 2 done shortly. Thanks.


# AdwCleaner v2.009 - Logfile created 11/27/2012 at 14:39:53
# Updated 24/11/2012 by Xplode
# Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)
# User : WC Turner - WCTURNER-HP
# Boot Mode : Normal
# Running from : C:\Users\WC Turner\Downloads\AdwCleaner.exe
# Option [Search]


***** [Services] *****


***** [Files / Folders] *****

File Found : C:\Users\Public\Desktop\eBay.lnk

***** [Registry] *****


***** [Internet Browsers] *****

-\\ Internet Explorer v9.0.8112.16421

[OK] Registry is clean.

*************************

AdwCleaner[R1].txt - [575 octets] - [27/11/2012 14:39:53]

########## EOF - C:\AdwCleaner[R1].txt - [634 octets] ##########

Repa Said: Save to your My Downloads” folder and change the name of the file to save from TDSSKiller.exe to TK123.exe before clicking the Save button.

How do I do that before clicking the Save button? Got a screen shot to show you that at the bottom of the screen when I click the "Save" option, it goes directly to my downloads folder, & there's no chance to change the name before before clicking the Save button.

wcturner wrote:

Repa Said: Save to your My Downloads” folder and change the name of the file to save from TDSSKiller.exe to TK123.exe before clicking the Save button.

How do I do that before clicking the Save button? Got a screen shot to show you that at the bottom of the screen when I click the "Save" option, it goes directly to my downloads folder, & there's no chance to change the name before before clicking the Save button.

Click the down arrow beside the Save button and select "Save As" from the drop-down menu. You will get the normal save menu from which you can select your My Downloads folder to save to. Change the name of the file TDSSKiller.exe to TK123.exe on the line you see to the left of the Save button on that screen and click the Save button when done. You are doing this because there could be a malware on your machine that will recognize TDSSKiller and prevent it from running. This is done to fake it out.

wcturner wrote:

That's good!

WC, I need to have the answers to the questions I asked to help you further, especially if TK123.exe doesn't find anything. It looks like you are getting some kind of redirect to bad sites and I'm not sure that the eBay.lnk is responsible. Usually adwcleaner and TDSSKiller will find those things, but not always. Your response to those questions will help me decide what to do next, if necessary.

You remember that I "Restored" back to Friday, 11/23/2012, Yesterday, 11/26/2012? That might have helped things. I need to try my yahoo email again to see. I don't think I've tried it since the "Restore". Below is answer to your questions.

1. Do you get these messages when you don't have a browser open? NO

2. Are you getting these messages from Avast when you open your browser, but do not go to your yahoo email? NO

3. Do you get these messages if all you do is go to your yahoo email but do not open any mails? NO. Haven't been to email much since this all started, I didn't think you wanted me to.? As best as I recollect, the 2 times it happened, I was just scrolling up & down to see what I received, w/o opening any. And, I think I had opened 1 or 2 emails, before I received the Avast Blocking notice.

3. If this is the case, do not go to your yahoo mail. NO, so I assume it's OK to go to my email?? Same question and action about your wife's yahoo email. When asked, she said she had not had my problems in her email.

4. Do you get these messages when you open your emails, and if so, is it just from particular contacts or any contact? If this is the case, or not sure, do not open any emails in your yahoo account. It only happened 2 times, & I can't remember the sender of the 1st. one, but, I think I remember the sender of the 2nd. one. I think it was from a news type blog maybe is what it is, but, I've been receiving it for a long time, & never had anything like this happen before.
4. If you can identify particular contacts, and then remove those contacts from your contact list. I'll try it. Same question and action concerning your wife's email account. No problems with her's, yet. She did say that for the first, & only time, today, she was trying to close a website page she was on, and when she clicked "X" to get out of it, the page closed and came back up 2 more times & she clicked 3 separate times, before closing for good, but, it was not in yahoo email. And, it had not happened before today.

5. Are there any other circumstances when you get these messages besides those mentioned above? NO


6. Does your browser initially open to your expected homepage? YES
When you click a link or do a google search, does the browser go where you expect it to go? YES

6. If you aren't sure, play around for a while in each configuration to see what happens. To be sure I'll try email again, since it only happened those 2 times, & I think I know one that I was viewing when Avsat blocked, but, unsure of the first one. Unless you don't want me to?

If you only get the messages when you open something in your email, then don't open anything in your email, just say that's the only time it happens, and only with certain contacts if you can identify them. Only happened in my Yahoo email twice & ID'd one maybe, not the other.

Be sure to specify whether or not this happens in your wife's yahoo account. See above for the one thing that has happened to her, & it was not in her Yahoo email.

I just came back to edit this. This may mean something to you. I just logged out, & at the
bottom of the home page, it still had me as logged in where it says Registered Users. I logged in & out 2 more times, just to see, & it still showed me as logged in, but only at the bottom of home page. But, when I returned to this thread, the Text Box was not there as it is when I am logged in. Might be a glitch here at geeks.?

What was going on when you posted this? This doesn't look like you were in email.



Also, get TK123.exe run as quickly as possible. That ebay.lnk is frequently the result of a backdoor trojan adding that shortcut to your desktop, and deleting that may not get rid of the trojan unless the restore possibly took care of it. Hopefully TK123.exe will find it and get rid of it altogether.

I am concerned that if we don't find what was causing your problem, you should do a complete reinstall with your recovery disks to be sure it is safe to use your computer for online banking and purchases. Before you panic, let's see what TK123.exe finds, and after that doing a boot time scan with avast, running sophos anti-rootkit, and again running the standard malware scanners, but in safe mode this time.

Repa wrote:

What was going on when you posted this? This doesn't look like you were in email. That's my desktop. I can't remember but, I think I may have got out of email when that happened & just went to the desktop to create the screenshot. But, I was in email when it was blocked.



Also, get TK123.exe run as quickly as possible. It's late, but, I'll try to do that now.

That ebay.lnk is frequently the result of a backdoor trojan adding that shortcut to your desktop What What shortcut are you talking about?, and deleting that may not get rid of the trojan unless the restore possibly took care of it. Hopefully TK123.exe will find it and get rid of it altogether.

I am concerned that if we don't find what was causing your problem, you should do a complete reinstall with your recovery disks to be sure it is safe to use your computer for online banking and purchases. Before you panic, let's see what TK123.exe finds, and after that doing a boot time scan with avast, running sophos anti-rootkit, and again running the standard malware scanners, but in safe mode this time.

I'm already panicing! You never did say about whether or not to go to my yahoo email, or to surf internet or not, or just come here til we get it fixed?

You didn't say, so I guess I delete whatever TK123.exe finds?

Repa,
1. I ran the scan twice, after changing the name to TK123.exe, but, each time as the scan box opened up, it still said Kaspersky TDSSKiller at the top, as you will see. Both scans said the same thing as you see in the screenshot. Here's screenshot:



2. Since it said No Threat found, maybe the Restore fixed it?

3. I hope all this is good news from you??????

4. Should I use the computer or not?????

Thanks

Don't go anywhere except here until we finish. Run ccleaner and run it after each time you return here as you go through the steps below so the scans you run won't find stuff like tracking cookies left by IE as you progress through the steps and report your findings here.

I gave you the below instruction in an earlier post:

The file it found, eBay.lnk is a redirector. Not sure how it got there in your Public account (usually done by a back door trojan, which isn't good). If you haven't closed AdwCleaner, select the Delete button to delete it. If you have closed the program, rerun it and when complete, select the Delete button. Re-run to make sure that eBay.lnk is gone.

1. Did you re-run AdwCleaner and then click the Delete button when it was finished with the scan to get rid of that eBay.lnk? If you didn't, you must do that now. After you complete that, and even if you did do that before, you will now need to shutdown completely, then re-start your system, and run AdwCleaner again to make sure eBay.lnk hasn't come back. You will see it listed near the top of the notepad listing you get when the program finishes the scan, if it is still there.

2. Then I want you to run TK123.exe again. Don't be concerned that it says TDSSKiller when you open it. It's the file name the bad guys key in on to disable it, not what it says inside. When you run it this time, before you start the scan I want you to click where it says "Change parameters". On the screen that appears you will see 3 unchecked boxes. Click the lower 2 first, then the one above. Be sure you click them in that order. You will be prompted to restart your computer. Do it. When it comes back up you will see some strange stuff going on. Ignore it and let it get back to the screen with the "Start Scan" button. Click it and let it run. Do not do anything if it finds stuff, just post what it finds here i.e., from the logfile I told you about in an earlier post on your C drive - just click on your C drive and look down toward the end where files are listed and you'll find it. There will be more than one, so open the latest one by date and time and post the contents here so I can look at it as it may find stuff on this type of scan that you don't want to delete. X out of the program after posting the results here and go to the next step.

3. Run a boot time scan with Avast. Click Settings before doing the scan and make sure the action to take is "Move to chest" if it finds anything during the scan. Use the drop-down arrow to set it if it is not set to this. If it moves anything to the chest that it shouldn't, you will be able to restore it later. Restart your computer to start the scan.

4. Run Sophos Anti-rootkit. If you don't have it on your machine, you can download it here:

http://www.majorgeeks.com/Sophos_Anti-Rootkit_d5238.html

This is also a program that may find stuff you don't want to delete, so don't take any action if it does, just post a screenshot here if it finds anything, X out of the program and let me look at it. Be sure to maximize the window and expand each item so I can see what it is and where it is.

5. Go to safe mode and run full scans of spybot, malwarebytes, and superantispyware. Fix anything spybot finds (it can be undone later if necessary), and quarantine anything malwarebytes and superantispyware find - those can also be restored later if necessary.

Let me know at each step if anything is found. Do not surf or go to your email box until you are done with all the above and nothing further is found or anything found has been resolved. When I am satisfied your computer is safe, the last thing I will have you do is to delete all your restore points and set a new one. I'll tell you how to do that when everything else is resolved. Then we'll need to restore your HP Support Assistant and make sure your Services settings are set back correctly for the HP services you changed in that other thread.

1. Got a couple of screenshots to post. First one from my 2nd. scan with AdwCleaner & after Deleting it, at least I thought I deleted it. I'll run it again to be sure.

2. The 2nd. shot is from this morning while I was trying to update Malwarebytes. I clicked Yes to it to get the new copy.





3. Since I started having this virus problem, when trying to post my screen shots it is taking longer, when I click the Host It button, for the next step of "Copy" to come up, and the Text, "Host It", is broken up, as in "not clear to read". Probably not related to this virus thing, but, I thought I'd mention it anyway.
Thanks....

Repa,
Got your latest instructions. I haven't started the first set of instructions yet. I copied them & was reading thru them to get an idea if the majestic feat this will be, & trying to get my mindset right to begin.

1. Repa said: Run a boot time scan with Avast. Click Settings before doing the scan and make sure the action to take is "Move to chest"
I looked high & low for the "How to change the Avast settings for "Move to chest" & could not find it????. I went down the line in settings and did not see that option anywhere? Where could it be?

2. Repa said: Select the View tab and under Hidden Files and Folders Unhide hidden files, folders and drives".(I didn't print all as u can see) Will I have to come back later to "Re-hide them" when this is finished?
EDIT 6:03 PM CST: When I click computer on desktop, I could not get the menu you said. I assume you meant right click, & my menu options says this, Open, Manage, Map Network Drive, Disconnect Network Drive, Create Shortcut, Delete, Rename, and, Properties at the bottom of menu. Why don't I have the options on my menu like yours?
3. Unless you say to do the Malwarebytes testing to see if the uninstall and reinstall the Malwarebytes is necessary, I'll just do that later.?? Got a lot to do now. Thanks

EDIT again 6:33 PM: A. Since I could not change the 'Hidden Folders" thing, I went ahead & ran AdwCleaner again, and ebay.exe did not show on file report. So, I guess it's deleted for good? I'll shut down the computer now & eat, and come back and run it again like you said, but, this is at least the 2nd. time I've run the scan & ebay.exe didn't show up in the report file either time.

B. While I was in my downloads, I placed the Mouse over the Malwarebytes App. & the dialog box that appears still says that Malwarebytes was created 11/7/2012, and not today, as I would have expected, since I got the new copy today(per the screenshot I posted for you) or what ever it said earlier, can't remember. The date I first installed it was 11/7/2012, so I don't know if the screen shot I posted should have changed the date or not.

Repa,

1. Got the hidden files "SHOwing". If I don't change them back to being "Hidden", who would be able to see them?

2. I'll have to do the Avast Boot Scan Thursday. I changed settings for the action to take is "Move to chest". Why don't I leave them set like this all the time?

3. I'm a little confused at the moment. I'll begin Thursday, 11/29/2012 with the Avast Boot Scan & then #4 would be next Run Sophos Anti-rootkit, which I don't have.
3A. I don't run either of the above in Safe Mode, do I, just Normal Mode, Correct??

3B. Here's my plan. Go to majorgeeks to get Sophos Anti-rootkit, Save it to my downloads, then come back to my Desktop & run Ccleaner before running it, Correct??

4. Then I'll post anything found. Then move on to #5 in Your Instructions.

Here's screen shots. Edit: The first file report is scan with AdwCleaner with files Hidden, & 2nd. shot is after files not hidden or "Showing". Nothing found in either file report, at least that is the way I see it.







5. I don't know why these next 2 are on my desktop & in my pictures , I didn't create them, unless changing those parameters/ showing hidden files caused it. I thought you need to see them & tell me what to do about them, as well as the above screen shots???? Ok the last 2 are not allowed I was told. I kinda wondered if I could post them. You can see them in the TDSSKiller screen shot, on the left top of my desktop. They say desktop.ini, & you probably know what they mean..?

Repa,

1. I was also thinking about Re-Hiding those files again.

2. These are encouraging. Do you think the System Restore back to 11/23/2012 maybe fixed the problem, I hope???

3. Ran Boot Time Scan & No Virus Found! Good progress, or not?

4. Next, Going to majorgeeks to get Sophos Anti-rootkit.
back soon. thanks

We may have gotten lucky with the Restore - I hope so. But need to do the thorough check and go thru all steps I gave to to be sure. Boot-time scan is encouraging.

I'll just post a separate one here. Please take a look at the post above.

1. What do you think of the screen shot?


2. I'm going to begin #5 on instructions list next, the full scans in safe mode. I'll check back here before I start, to see if you've seen these last 2 posts.
What I'm thinking about doing is before I go into safe mode for those full scans is to just go ahead & uninstall & reinstall Malwarebytes. I'm still kinda leery about that since the incident about my old copy missing or something the other day. I;ll check back to see if you replied.
2A. Do you think that would be the best thing to do?

3. I think I have to go to Malwarebytes.org to get the App don't I? I don't think majorgeeks has it??

Repa,

1. Got another update. Ran full scans of Spybot & SuperAntiSpyWare in safe mode & No Threats were found in either of them.

2. Since you haven't seen the above post, I guess I'l go ahead & uninstall & reinstall Malwarebytes. Then I'll run a full scan of it in Safe Mode.

3. And, looks like that will complete the instructions too!!! Maybe then we can finish up.!
Don't forget the post above also.
thanks