HappyToRV Posted January 23, 2015 Report Share Posted January 23, 2015 First, want to say writing this on my iPad because not want to use laptop running Win 8.1 in case my laptop has a virus as of last night? Looking for advice from anyone here who has had the same virus on computer and/or use Norton w/Power Eraser feature? Here's what I know so far. Last night turned on laptop, on wifi jet pack. Fyi most recent "Norton quick scan, and ch & download Norton updates was 1-18-15. I checked last night for any new Microsoft/Win updates, there were a few, did that. Then a box came on screen that looked like Adobe with update ready, and started that too. In just a bit, Norton box came on screen identifying the following: uplayermediaplayer-setup[1].exe Threat name: SAPE.downlodAdmin5 Remove this file (may cause brower to close) Recommended Okay, I spent the next two to three hours trying to do just that - multiple times this Norton threat notice, my repeated clicks to REMOVE ..and several "full system scans" using Norton ...but it looks like the file/virus is still there. Because the Norton box would come up, I would click remove...etc. I also saw Norton full system scan dialog box had a line saying if you think you still have a problem , click here. Following that click tells me info how to download & use Norton Power Eraser (which Norton adds caveat..may quarantine a legitimate program). So...it was late, I was too worried I might do the wrong things...so I shutdown the laptop and gave up. Not sure, but seems like something piggy-backed into my laptop, or, what looked quick glance like a "normal adobe update" wasn't? Where to begin next? I am open to advice from fellow escapees ... Know many of you from your posts have much greater computer tech knowledge than I :-) Thanks in advance for any help! SKP member since June 2014 (?BTW, I created this user on forum prior to joining Escapees, and have no idea how to have this user id reflect that I am a SKP member now, too. Would love help to do that too! Thanks so much :-) Link to comment Share on other sites More sharing options...
RV_ Posted January 23, 2015 Report Share Posted January 23, 2015 Happy, Go to a clean computer and have a USB thumbdrive with you that is known to be clean, only need a 1 GB no big one needed. Then go to: https://security.symantec.com/nbrt/npe.aspx and download Norton Power eraser saving it to the thumb drive. Then go to Malwarebytes free here: https://www.malwarebytes.org/antimalware/ download the free version and save it also to the USB thumb drive. Boot your computer and as soon as it is up using File Explorer, that icon of folders in a document holder at the bottom right of your Windows 8.1 desktop. in File explorer click on "This PC" and in that drop down list click on "OS (C:)" and you will see the USB thumb drive on that list, double click the thumb drive so you can see those two files you saved to it. First right click on the Norton power eraser file and then on the drop down menu click on run as administrator. Say yes to everything to allow it to run. It will immediately connect to the Internet and then when it has made sure it is updated click on start and it will immediately ask to restart and do that. It restarts first to prevent rootkit malware from loading before most of the Boot occurs. When it gets into Windows it continues with a scan. Now if power eraser does not work, repeat the same thing but this time install Malwarebytes from the USB thumb drive that was clean to start, update it ir allow it to and then run a full scan. Power eraser is fast, but if it does not work you will need to do a full scan with Malwarebytes and take the action needed to delete the infection. After you do both of those exactly, downloaded to the thumb drive from another uninfected computer, if the problem persists post back and we will walk you through booting into safe mode, and running those from there and see what we can do. RV/Derekhttp://www.rvroadie.com Email on the bottom of my website page.Retired AF 1971-1998 When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius “Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire Link to comment Share on other sites More sharing options...
Medico Posted January 23, 2015 Report Share Posted January 23, 2015 For future reference, Adobe Flash is included by default in Win 8.1, IE 11. It updates through Windows Update. There are several PDF Readers that are safer to use than Adobe Reader, and have a much smaller footprint. Since you do not mention if your infection might have come through a fake Flash or Reader pop up, we have no way of knowing which. Adobe Reader seems to be far more prone to infection simply because it is the most used reader. It is also much more bloated than many of the other readers. MalwareBytes is a great app. RV has given great directions for it's use. I have not trusted Norton for many years although others have stated it has improved in recent years. Unfortunately a good anti-virus app will not stop the most nefarious method that these viruses are propagated and infect us: the user at the keyboard! Lifehacker and Gizmo's Freeware both have reviews of competing PDF Readers. I happen to use PDF X-Change Viewer (listed on both lists) Foxit is also a very popular app. Many of the better anti-virus developers have online scanners as well. Trend Micro, ESET and Kapersky are 3 such. GS Lifetime #822128658, FMCA #F431170 2012 Airstream Mercedes Interstate Extended Class B Link to comment Share on other sites More sharing options...
RV_ Posted January 23, 2015 Report Share Posted January 23, 2015 Medico, Norton Power eraser is the fastest way to kill the majority of infections today. I knew he had 8.1 and thought he was referring to the Windows update issued out of cycle a couple of days ago that I posted about here I believe. Good catch bud! Medico, go to that link and download Power eraser to your computer. It is not installed so don't worry about Norton slowdowns. Then run it while online as "Administrator." It will go through its paces and the scan after reboot is pretty fast. This is a tool you want to try to see why it needs to be part of your toolbox.. It will not harm your uninfected system but will show you how fast it runs. Lots of malware has to have Malwarebytes run in chameleon mode and that is difficult for some newbies to computer disinfection. There are thousands of things that can be used, but if a user can't clean it out with those two tools, used exactly as I outlined, downloaded from a known clean computer to a thumb drive and run directly from there, then they need to pay a tech to disinfect, or do a factory restore if they want to start over. I had assumed (Ass/U/Me) he was running Adobe Reader too and that one is not patched by 8.1. But 8.1 has its own pdf reader that MS keeps up, and MS keeps up with Flash so with 8.1 no one should be patching any Adobe products save paid programs like Photoshop etc. I just set up a new 8.1 system for a Pawn shop (old customer, he gives me a big discount on guns/tools/etc. so I give him one on my services) And there was no Adobe reader on it. Hopefully folks are using the windows reader despite a slight learning curve like printing menu in it without touch. I am sure there is for keyboard that you might chime in with too, but I just swipe from the top and select print on the bottom. Anyway, if any other folks reading this have a Windows 8.1 computer and think you need to load any Adobe free readers or flash, don't. I also use both Windows Defender on my 8.1 systems, MSE on my only remaining Windows 7 soon to be Windows 10 systems, and Malwarebytes premium paid lifetime subscription on all of my systems including the Windows tablets.. That new computer came with McAfee and I had to go download a fresh copy of MCPR.exe because they update it all the time from here: http://service.mcafee.com/FAQDocument.aspx?id=TS101331 For others thinking about getting rid of the resource hog AV paid programs, that one two punch should work unless you click to allow a bogus attachment or pop up to load malware. Norton has its own removal tool and different instructions than Mcafee. Same with AVG and Kaspersky. See if you only do the Windows uninstall from control panel programs and features, gobs of registry and start up junk gets left behind. Just make sure you are only ever using only one malware program/scanner except for Malwarebytes which is designed to run with another malware program. No others can do that. RV/Derekhttp://www.rvroadie.com Email on the bottom of my website page.Retired AF 1971-1998 When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius “Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire Link to comment Share on other sites More sharing options...
HappyToRV Posted January 25, 2015 Author Report Share Posted January 25, 2015 This is Long - but hoping the second part may be a 'pay it forward' type info to help others. .... Here's the update on my OP. THANK YOU !! RV and Medico for your help. This entire Escapee Forum Member community is such a great group! I believe the offending virus has been eliminated and life is good again. In your replies, RV mentioned that Adobe Reader is not patched by 8.1, and that no one should be patching any Adobe products save paid programs like PhotoShop etc. FWIW my laptop does have Adobe Reader X (installed OEM/ASUS laptop), and I bought/installed Adobe Acrobat XI Standard on this laptop. So, that is why I do get legitimate prompts when Adobe has updatesat least they were all fine until yesterdays virus. Okay, I followed RVs wonderful step-by-step instructions and went to the local Wally store today to get a clean USB thumb drive. Then, did as RV said .. downloading Norton Power Eraser and MalwareBytes Premium (14 day free trial) both to the clean USB thumb drive. ( I also have a Desktop running WIN 7, clean without the virus issues used the Desktop to save these downloads to my clean thumb drive). Followed RVs instructions doing Norton first. Norton found and removed a file: Risk Type Status Action Unctwk.exe service bad remove After using Norton Power Eraser, the pop-up boxes and warnings to remove from Norton Security stopped. But, I wasnt sure everything that should be removed would really be gone? To see if my virus issues stopped, I opened some internet sites that yesterday seemed to trigger launches into unwanted pop-ups for Finance Alert, and other unrelated sites. (FYI I do have pop-ups turned off which was one reason the whole scenario yesterday was not normal.) And, while the suspected virus caused issues seem to stop, I was/am still seeing a box open on the bottom of my screen at some web sites, & it has a yellow border on top (like when you download and it asks run or save), which now said, This webpage wants to run the following add-on Adobe Flash Player from Microsoft Windows Third Party Application Component With box at right Allow (drop down to Allow Once), and an X top right corner. I have been clicking X. Still not sure if this one is legit, or a part of the problem, so asking RV advice: do you see a problem with this one listed above? I then, followed RVs instructions running MalwareBytes second. MalwareBytes came up with a list of non-malware detected (sample: PUP.optional arcade parlor.A and finance alert in titles). But all were listed as non-malware action: Quarantine all. Reboot. Since I had been seeing the finance alert pop-ups yesterday for the first time, I figured these too must be part of the issue I had and was glad RV suggested MalwareBytes. However, after the re-boot, a new issue began appearing in a box on my screen every few minutes, whether I was on or off the internet. Ugh! Here is what it was, and what I did to resolve that issue. Note: if anyone is familiar with Microsoft tool called AutoRuns it is amazing! Read on :- ) See URLs I used : (listed in the order which I followed for help solving the pop-up box noted below) Pop Up Box said this à =============== There was a problem starting c:\Users\AC1\AppData\Local\ARCADE~1\CATHEL~1.DLL The specified module could not be found. =============== (i.e., note here AC1 is the specific user name of person posting question in forum I found on Google Search) URLs: First, I did a Google Search arcade cathel dll and followed this URLhttp://forums.cnet.com/7723-6122_102-632290/how-can-i-remove-unwanted-rundll-popup/ 2) Next, at the cnet page on above URL, I Scrolled down to the reply posted : 12-17-14 by gwrach923 And I used the URL listed below which I found in that reply post to read more info at microsoft answers http://answers.microsoft.com/en-us/protect/forum/protect_scanner-protect_scanning/run-dll-error-messagebackground-containerdll/49612202-667e-4a71-8e9a-d02161d8bc19 3) At the answers microsoft web page, see the answer by quietman7 on October 18, 2013 in which he gives a step-by-step answer to resolve the pop-up. I DID A SCREEN PRINT OF quietman7s STEP-BY-STEP INSTRUCTIONS SO I WOULD HAVE IT TO REFER TO LATER. He also included links to download a Microsoft Program/Tool? called AutoRuns - so next I went to the AutoRuns webpage.https://technet.microsoft.com/en-us/sysinternals/bb963902 4). Here's the best part! At the AutoRuns webpage, (on the right side of the page) is a heading: Learn More with a hyperlink to see a video titled Defrag Tools: #5 Autoruns and MSConfig Click that link to watch a video showing you how / when / what / why of using both MSConfig, and ending with using AutoRuns. This video (~38 minutes?) was wonderful for a neophyte like me! After I watched the video, I felt more comfortable knowing what screens within AutoRuns would look like, and was able to apply the info seen on the Defrag Tools: #5 video and used the step-by-step instructions found at the 2) URL above. See Video at:http://channel9.msdn.com/shows/Defrag-Tools/Defrag-Tools5-autoruns Hope this info / URLs will be useful to anyone else. The video shows just how powerful a tool AutoRuns can be, and gives tips on how to narrow down what you are really looking for, making it very quick for me to find the culprit and the pop-up boxes (re: arcade cathel dll) have ended. I am again . Happy! Thank you all so much! Link to comment Share on other sites More sharing options...
RV_ Posted January 25, 2015 Report Share Posted January 25, 2015 Great! Well, you certainly passed it forward. With Windows 8.1 no flash updates are needed, it's embedded in the OS and IE. Anytime a webpage wants to run anything say no until you look it up. Lots of websites will pop up requests to load a video upgrade for Windows media player or others. If you think you might need it run Windows update. Good job. RV/Derekhttp://www.rvroadie.com Email on the bottom of my website page.Retired AF 1971-1998 When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius “Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire Link to comment Share on other sites More sharing options...
Chris-n-Dennis Posted January 25, 2015 Report Share Posted January 25, 2015 Grrrrr, the unlamented Adobe updates. Thanks you two, I've got a couple of more tools in the box after reading this thread. BTW - if you are looking for an alternate to Adobe, consider Foxit Reader Berkshire XL 40QL Camphosting and touring Our blog: cndtravels.blogspot.com Link to comment Share on other sites More sharing options...
RV_ Posted January 26, 2015 Report Share Posted January 26, 2015 Nada, No sweat bud! Thanks for reminding others about Foxit reader I used it on my Win 7 systems and it is not only safer (security by obscurity) but its ten time faster than Adobe reader, and is a much smaller program. With my 8.1 computers I just use the Windows default reader. My Brother scanner software and other programs let me take my documents and pics and make pdfs out of them free. I have no Adobe on my computer. I don't use Photoshop either. I can pretty much do it all without buying a thing. But for those still on Vista and 7, good reminder. Oh, and I only use JavaScript for one scan and send function a couple of times a month. I saved to favorites the correct webpage and just download a fresh copy each time and remove it when done. Takes all of two minutes but no Java updates to do either. RV/Derekhttp://www.rvroadie.com Email on the bottom of my website page.Retired AF 1971-1998 When you see a worthy man, endeavor to emulate him. When you see an unworthy man, look inside yourself. - Confucius “Those who can make you believe absurdities, can make you commit atrocities.” ... Voltaire Link to comment Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.