A Windows XP help forum. PCbanter



malware issue - part II



 
 
  #31  
Old February 25th 14, 12:59 PM posted to microsoft.public.windowsxp.general
Daave[_9_]
external usenet poster
 
Posts: 24
Default malware issue - part II

wrote:
> Hello Paul,
>
> Here's what I've done,
>
> I disabled all my anti-virus and anti-malware
> programs then ran ComboFix and posted the report
> on the malwarebytes forum as he requested.



I have a feeling this is it:

https://forums.malwarebytes.org/inde...owtopic=142657


  #32  
Old February 25th 14, 10:23 PM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

The noise was never there previously, and
only appeared after I ran the AdwCleaner
scan.

Robert
  #33  
Old February 25th 14, 10:25 PM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Yes, that is my post if any wish to
follow it versus me updating both. I
should have thought of putting in the
the link here before.

Thanks Dave

Robert

  #34  
Old February 25th 14, 10:34 PM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

You're absolutely correct regarding the 8200;
it has much more serious issues than the 8500
and hopefully it can be resolved.

You've done a lot to help me and I appreciate
your time and effort and great advice, and taking
the time to explain things and show me how to
disable my anti-virus and anti-malware. I had no
idea how to do that.

I also appreciate everyone's help (yes I do read
all the comments).

Many Thanks,
Robert
  #35  
Old February 26th 14, 05:50 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

Once I have the 8500 and 8200 clean again
I want to re-visit my external HD and software.

I had thought I had been making separate
screen images each time but it was only
incrementally backing them up. So that if
corrupted it would be of no use. I don't
want to get into this right now as I have
enough on my plate but clearly I'm not happy
with what I presently have.

Robert

  #36  
Old February 27th 14, 02:29 AM posted to microsoft.public.windowsxp.general
Hot-Text
external usenet poster
 
Posts: 49
Default malware issue - part III "The 8200"


wrote in message ...
> Hello Paul,
>
> You're absolutely correct regarding the 8200;
> it has much more serious issues than the 8500
> and hopefully it can be resolved.
>
> You've done a lot to help me and I appreciate
> your time and effort and great advice, and taking
> the time to explain things and show me how to
> disable my anti-virus and anti-malware. I had no
> idea how to do that.
>
> I also appreciate everyone's help (yes I do read
> all the comments).
>
> Many Thanks,
> Robert



  #37  
Old March 2nd 14, 04:57 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

I'm having a little difficulty finishing up
with the 8500. He gave me this to do:



Please Uninstall ComboFix: (if you used it)
Press the Windows logo key + R to bring up
the "run box"

Copy and paste the next command into the field:

ComboFix /uninstall

Make sure there's a space between ComboFix
and /



Then hit Enter. (It may look like CF is
re-installing but it's not.) This will uninstall
ComboFix, delete its related folders and files,
hide file extensions, hide the system/hidden
files, clear the System Restore cache and create
a new Restore point.

(If that doesn't work... you can simply rename
ComboFix.exe to Uninstall.exe and double-click it
to complete the uninstall, or download and run the
uninstaller.)


but none of it works and the file path below ends
at AppData because it's not there?

ComboFix is not on your desktop, you ran it from
a temp folder: Running from:
c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe

Move ComboFix to your desktop (or download it to
your desktop) and try it again

I said that I wasn't quite understanding him with
this last part and he just repeated it back: The
quarantine folder is located here: C:\FRST. Delete
that folder. C:\FRST

If you can't delete the FRST folder:

Note:
If you used FRST and can't delete the quarantine
folder: Download the fixlist.txt to the same folder
as FRST.exe. Run FRST.exe and click Fix only once
and wait. That will delete the quarantine folder
created by FRST. The rest you can manually delete.

I tried deleting (del FRST) at the command prompt,
which I assume is what he's saying, but it said it
couldn't find the file. I did find an FRST - Older
Version folder and a fixlog file, however, under
C:\Users\Rob\Downloads.

Under C:\Users\Robert\Documents I found ComboFix14(Scans)
but nothing under Downloads.

Unsure how to proceed?

Thoughts, Suggestions?
Robert



  #38  
Old March 2nd 14, 07:18 AM posted to microsoft.public.windowsxp.general
Paul
external usenet poster
 
Posts: 18,275
Default malware issue - part II

I had to follow your thread a bit, to figure out what happened.
The quoted text is what Charlie said in one of his posts.

https://forums.malwarebytes.org/inde...owtopic=142657

"Zipped up and attached, MrC "

I don't see an attachment, so either it was removed, or
only forum members can see it.

I suspect you detached something called Temp1_ComboFix.zip.
That's what you got via your browser, and transferred to disk.
It's a ZIP file, and would have a ZIP icon. It was probably
sitting in some TEMP folder.

If you go to the File Explorer in Windows 7, and use the
search box in the upper right, you'd type this in and search
for it. By default, it'll probably be searching C: for the file.

Temp1_ComboFix.zip

It should come back with one "hit", that being

c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip

If you move the mouse to the yellow ZIP icon on the left
of that line in the search results, and right-click,
a long menu with about 16 options will show. One of the
options is "Open Folder Location". That will navigate you
to the Temp folder. If you don't hit the correct place
on the line, a tiny menu with 7 options will show, and
that menu doesn't have the Open Folder thing. So you
have to be careful to get the mouse over the icon,
right-click, and then you should get the big context menu.

Now, you should be inside the Temp folder. And the ZIP file
should be there.

If you right click on the Temp1_ComboFix.zip file, the
word "Extract All" may be there. In this example, I put
the attachment in its own folder, so you can see it.

http://i62.tinypic.com/f24xoh.gif

What the Windows extractor will do, is create a folder of
the same name (without the word ".zip" on the end). You
can see in my second picture, how a new folder exists.

http://i58.tinypic.com/29dbvig.gif

Since the top item is an actual folder, I can click and
navigate down there. I can then drag combofix.exe to
the desktop.

You see, your problem was, you were running it directly
from the ZIP, without extracting it. The path you list
above, is navigating inside the ZIP. By doing the "Extract All",
it converts the ZIP into a real folder, and the real folder
has the necessary properties for you to follow Charlie's instructions.
Once it's moved to the desktop, you can do this...

ComboFix /uninstall

The way Windows and some other operating systems work, is
they have a thing called an execution path. That is basically
a list of directories the operating system looks in, to find
executable programs. When you use the Run box, or when you
use a Command Prompt window, chances are the Path is consulted,
and the OS methodically examines the list of directories until
it finds the named program. In your case, combofix.exe was
so well hidden, it wasn't in the Path list. Charlie seems to
think that the desktop is in the Path, and I'll have to assume
that is correct. The list is stored as an environment variable,
so you can actually edit that Path thing. Some installers,
when they install programs, they add things to that list.
And it's all done, to help automate things.

In this example, you can see me editing the Path variable.
I don't see the desktop in the list, so it'll be interesting
to see what happens. I expect there are places searched
which are not in that list, and that will be why it works.
I know that CWD (current working directory) is searched
for example. And perhaps the shell, when triggered, just
happens to start in that particular directory (desktop).

http://i62.tinypic.com/2yys5rb.gif

So when you run ComboFix /uninstall, the OS will be looking
in all the Path directories, and hopefully, it'll find
the combofix.exe file you moved to the desktop.

*******

You were supposed to look under C: , to see if there
was a C:\FRST folder, as that is where Farbar puts
quarantined items. If no items were quarantined, maybe
it doesn't create the folder. Look in the folder and
see if items are in there.

Paul
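The command-lookup behaviour Paul describes above, as an added example that is not part of the thread: a small Python model of how a bare name like "ComboFix" is turned into a file (current directory first, then each PATH directory, trying each PATHEXT extension), why a path that descends into Temp1_ComboFix.zip is not a real file on disk, and why the space in "ComboFix /uninstall" matters. Assumptions, stated here and in the code: the search order modelled is the classic cmd.exe rule, while the Run box and ShellExecute also consult locations (App Paths in the registry, the Windows folders) that are not modelled; the Desktop is not in PATH by default; the directory layout in run_demo is constructed in a temporary folder for the example, not read from a real machine.

```python
"""Added example: how a bare command name is resolved to a file.
Models the classic cmd.exe rule (current directory, then each PATH
directory, trying each PATHEXT extension).  The Run box / ShellExecute
also consult App Paths and the Windows folders; not modelled here."""
import tempfile
from pathlib import Path

DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"  # the stock Windows order


def split_command(line):
    """First whitespace-separated token is the program, the rest are its
    arguments.  "ComboFix /uninstall" -> ("ComboFix", ["/uninstall"]).
    Without the space, "ComboFix/uninstall" is one token and the whole
    thing is looked up as a program name, which no directory contains."""
    parts = line.strip().split()
    return (parts[0], parts[1:]) if parts else ("", [])


def resolve_command(name, cwd, path_dirs, pathext=DEFAULT_PATHEXT):
    """Return the first file a shell would pick for `name`, or None.
    Windows name matching is case-insensitive, so compare lower-cased."""
    exts = [e.lower() for e in pathext.split(";") if e]
    wanted = [name.lower()] + [name.lower() + e for e in exts]
    for directory in [cwd, *path_dirs]:
        d = Path(directory)
        if not d.is_dir():
            continue  # a PATH entry may point at a folder that no longer exists
        present = {p.name.lower(): p for p in d.iterdir() if p.is_file()}
        for cand in wanted:  # "combofix", "combofix.com", "combofix.exe", ...
            if cand in present:
                return present[cand]
    return None


def inside_archive(path):
    """If any ancestor of `path` is a regular file (e.g. a .zip), the path
    only exists inside that archive; return the archive, else None.
    Explorer shows a ZIP as a folder, but to the kernel it is one file."""
    for ancestor in Path(path).parents:
        if ancestor.is_file():
            return ancestor
    return None


def run_demo():
    """Build a constructed layout in a temp folder and replay the thread:
    ComboFix run from inside the ZIP, then copied to the Desktop."""
    with tempfile.TemporaryDirectory() as root:
        root = Path(root)
        system32 = root / "Windows" / "System32"
        desktop = root / "Users" / "Rob" / "Desktop"
        temp = root / "Users" / "Rob" / "AppData" / "Local" / "Temp"
        for d in (system32, desktop, temp):
            d.mkdir(parents=True)
        (system32 / "notepad.exe").write_bytes(b"MZ")       # something PATH can find
        archive = temp / "Temp1_ComboFix.zip"
        archive.write_bytes(b"PK\x03\x04")                  # stand-in for the ZIP
        path_dirs = [system32]                              # Desktop is NOT in PATH

        prog, args = split_command("ComboFix /uninstall")
        before = resolve_command(prog, temp, path_dirs)     # nothing extracted yet
        (desktop / "ComboFix.exe").write_bytes(b"MZ")       # "drag combofix.exe to the desktop"
        from_temp = resolve_command(prog, temp, path_dirs)  # still not found: wrong cwd
        from_desktop = resolve_command(prog, desktop, path_dirs)
        return {
            "args": args,
            "found_before_extract": before is not None,
            "found_from_temp_after_copy": from_temp is not None,
            "found_from_desktop": from_desktop is not None and from_desktop.name == "ComboFix.exe",
            "zip_member_is_real_file": (archive / "ComboFix.exe").is_file(),
            "archive_in_path": inside_archive(archive / "ComboFix.exe").name,
            "no_space_resolves": resolve_command("ComboFix/uninstall", desktop, path_dirs) is not None,
            "notepad_via_path": resolve_command("notepad", desktop, path_dirs) is not None,
        }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The point the demo makes is the one in Paul's post: the file has to exist in a directory that the lookup actually visits, either the current directory of the shell that runs the command or a PATH entry. A copy sitting in an unrelated Temp folder, or a path that only exists inside an unextracted ZIP, is never found, however the command is typed.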
  #39  
Old March 3rd 14, 04:40 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

Another development. In Hotmail, when I clicked
on a file it disappeared. I can't find it now. I would
like to get it back, but how? I didn't delete it. I tried
logging out of Hotmail and logging back in but it
still isn't there.

I tried searching for Temp1_ComboFix.zip and it
gave me this:

http://i59.tinypic.com/15xstis.png

I did look under C:/ but there was nothing there.

Thoughts/Suggestions?
Robert


  #40  
Old March 3rd 14, 05:25 AM posted to microsoft.public.windowsxp.general
Paul
external usenet poster
 
Posts: 18,275
Default malware issue - part II


Why not attempt to get ComboFix from the original web site ?

http://www.bleepingcomputer.com/download/combofix/

The button to click, is shown here.

http://i61.tinypic.com/ieni89.gif

Wait about ten seconds, and a dialog should show
up, for the Save As step. You will be getting ComboFix 14.2.24.2 .

ComboFix.exe

You can move it from your download folder, to the desktop.
Then follow Charlie's instructions.

HTH,
Paul
  #41  
Old March 4th 14, 07:47 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

I hate to admit it but I was in fact
deleting those files but didn't know
it. Sorry. I did manage to save and
restore the missing file so all was
not lost.

I downloaded, installed and ran ComboFix
but couldn't find ComboFix.exe, only
ComboFix Application and Fixlog.

Thoughts/Suggestions?
Robert

  #42  
Old March 4th 14, 05:38 PM posted to microsoft.public.windowsxp.general
Paul
external usenet poster
 
Posts: 18,275
Default malware issue - part II


OK, but think carefully about this.

You downloaded ComboFix.exe, it ran and it installed
some folders. You could even have gone to Start : Run
and typed this in the box, to run it for the first time.

ComboFix.exe

Charlie was giving you a recipe, to run the downloaded
Combofix.exe file a second time. And run it from the
command line and pass a parameter to it. Here, the "uninstall"
word is a parameter, being passed to the executable. You
need to use Start : Run or use a Command Prompt window, to
have a way to pass a parameter to a program.

ComboFix.exe /uninstall

Once you have ComboFix.exe sitting on the Desktop, go to
Start : Run box and type in the command and run it. The
Uninstall option should not do a scan, instead it should
delete the quarantine folder and similar items.

ComboFix does not do a conventional installation, which is
why it would not leave items in Add/Remove Programs. ComboFix
is basically a huge scripted environment. And passing a
parameter to the master file, is how you tell it to do things.

HTH,
Paul
  #43  
Old March 5th 14, 06:15 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

Here's what I've done:


On the 8500:

I ran a full system scan with Avast, it gave me this:

http://i62.tinypic.com/66i4o8.png

I selected fix automatically and clicked apply.

http://i57.tinypic.com/6y1edd.png

I checked Avast for any updates and said I was current.

I went back and tried to do what you suggested and
I think I did it.

http://i57.tinypic.com/mhso6w.png



8200:

When I log on, the Firewall turns off and says
my computer is at risk and the virus protection
was out of date: tried to update Firefox via Avast.
Updated Adobe Flash Player, Adobe plug-in. I also
tried to check for Windows updates but it wouldn't
open. Now it just says my computer is at risk and
clears itself after about a minute.

Ran an Avast scan - found (9) infected files

C:\...Insis.hdr NSIS:NextLive-A[Adw]
C:\AdwCleaner\...\nengine.dll.vir Win32:NextLive-A[Adw]
C:\...\A0014394.dll Win32:NextLive-A[Adw]
C:\...\A0014395.dll Win32:NextLive-A[Adw]
C:\...\A0017566.dll Win32:NextLive-A[Adw]
C:\...\A0014393.dll Win32:NextLive-A[Adw]
C:\...Insis.hdr Win32:NextLive-A[Adw]

* The first and last isn't really a capital 'I' but a
black bar, but I didn't know how to make
one.

Ran a boot scan and it gave me this at 21%

File c:\Program Files\Uninstaller\Uninstall.exe is infected by win32:Installer-U [PUP]

I selected number 2 (fix all automatically) and
it was moved to the quarantine chest.

Later it gave me

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by win32:Mobogenie-B [PUP]

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013239.exe is infected by win32:Mobogenie-C [PUP]

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP43\A0014373.exe is infected by win32:Installer-U [PUP]

File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP67\A0020850.exe is infected by win32:Installer-U [PUP]


the scan didn't stop but moved them all into the
quarantine chest.

I ran a full system scan with Avast afterwards
and came up clean.

Tried to open Spywareblaster to update it and it
gave me this:

Error: Access violation at 0x73483F5A (tried to read from 0x00000014),
program terminated. Last CP is 'RF'.


Thoughts, suggestions?
Robert

  #44  
Old March 5th 14, 08:18 AM posted to microsoft.public.windowsxp.general
Paul
external usenet poster
 
Posts: 18,275
Default malware issue - part II


On the 8500, that was a copy of CCleaner from Piriform (cc_setup), which has
Google Chrome and some toolbar inside it. Avast has "moved it
to the chest". So that was adware, rather than malware, and hopefully
something you could decline (using tick boxes) when installing CCleaner,
so you don't get a toolbar.

*******

On the 8200, have you run this machine through Bleepingcomputer?
Have you ever had these results checked by a professional malware fighter ?

The NextLive is covered here, and it's just another PUP. AdwCleaner
and friends are the suggested solution. You've been through
this routine before.

http://malwaretips.com/blogs/win32-nextlive-a-removal/

If the computer saves a System Restore point, while you're infected with
something, then a scan is going to find the infection in the System Restore.
So that would be normal, if you had something nasty on the machine.
Malware is pretty good at making sure it's in the Restore points, one
way or another.

It's possible, in your file list there, that AdwCleaner has a
quarantine folder, and another tool is picking up that
quarantine folder during a scan.

But the other symptoms bother me. The Spywareblaster getting an
Access Violation, it's probably been tampered with. And your firewall,
sometimes that can be explained by other things (like, a .NET problem),
but that's probably not it in this case. Maybe these symptoms aren't
consistent with just a PUP being present.

If you look at this thread, Spywareblaster seems to be sensitive to
interference from other protection programs. That's all I can figure.
And reinstalling it, doesn't necessarily help.

http://www.wilderssecurity.com/showthread.php?t=229348

Paul
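Paul's point above, that a scanner keeps flagging copies sitting in System Restore points and in another tool's quarantine folder, as an added example that is not part of the thread: a Python triage of Avast result lines in the two shapes Robert pasted. It parses each line into path, signature and class, then sorts it by where the file lives (restore point, another tool's quarantine, or a live file) and by whether the class is PUP/adware or something worse, so the only items left needing attention are malware-class hits on live files. The sample lines are constructed for the example; the AdwCleaner and FRST quarantine paths come from the thread, C:\Qoobox\Quarantine (ComboFix's quarantine) is from general knowledge rather than the thread, and the .vir suffix check matches the renamed file Robert saw under C:\AdwCleaner.

```python
"""Added example: triage of Avast result lines by where the flagged file
lives.  A hit inside a System Restore point or inside another tool's
quarantine folder is a leftover copy, not an active infection."""
import re
from collections import Counter

# The two line shapes Robert pasted: "path Sig[Class]" from the GUI scan
# and "File path is infected by Sig [Class]" from the boot-time scan.
_GUI = re.compile(r"^(?P<path>.+?)\s+(?P<sig>[A-Za-z0-9:._-]+)\[(?P<cls>\w+)\]$")
_BOOT = re.compile(r"^File (?P<path>.+?) is infected by (?P<sig>\S+) \[(?P<cls>\w+)\]$")

# Where Windows keeps restore-point copies of files (RPnn = restore point number).
_RESTORE = re.compile(r"\\system volume information\\_restore ?\{", re.I)
# Quarantine folders of the cleanup tools in this thread.  AdwCleaner and FRST
# paths appear in the thread; C:\Qoobox\Quarantine is ComboFix's (general
# knowledge, not from the thread).
_QUARANTINE_DIRS = ("c:\\adwcleaner\\", "c:\\frst\\quarantine\\", "c:\\qoobox\\quarantine\\")
_PUP_CLASSES = {"PUP", "ADW"}  # unwanted/adware classes, as opposed to real malware


def parse_line(line):
    """Return (path, signature, class) for a result line, or None for
    lines that are not findings (headers, progress, totals)."""
    line = line.strip()
    for rx in (_BOOT, _GUI):
        m = rx.match(line)
        if m:
            return m.group("path"), m.group("sig"), m.group("cls").upper()
    return None


def locate(path):
    """Classify the file's location: restore point, another tool's
    quarantine (by folder or by AdwCleaner's .vir rename), or live file."""
    low = path.lower()
    if _RESTORE.search(low):
        return "restore_point"
    if low.startswith(_QUARANTINE_DIRS) or low.endswith(".vir"):
        return "other_tool_quarantine"
    return "live_file"


def triage(lines):
    """Parse every finding and tag it with location and kind."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        path, sig, cls = parsed
        findings.append({
            "path": path, "sig": sig, "cls": cls,
            "location": locate(path),
            "kind": "pup" if cls in _PUP_CLASSES else "malware",
        })
    return findings


def summarize(findings):
    """Counts per (location, kind) plus the list that actually needs
    attention: malware-class hits on live files."""
    counts = Counter((f["location"], f["kind"]) for f in findings)
    live_malware = [f["path"] for f in findings
                    if f["location"] == "live_file" and f["kind"] == "malware"]
    return {"counts": dict(counts), "live_malware": live_malware}


# Constructed sample lines in the shapes from the thread (the paths and the
# Trj entry are made up for the example).
SAMPLE_LINES = [
    r"C:\Users\Rob\Downloads\cc_setup.exe Win32:NextLive-A[Adw]",
    r"C:\AdwCleaner\Quarantine\nengine.dll.vir Win32:NextLive-A[Adw]",
    r"File C:\Program Files\Uninstaller\Uninstall.exe is infected by win32:Installer-U [PUP]",
    r"File C:\System Volume Information\_restore{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by win32:Mobogenie-B [PUP]",
    r"File C:\Windows\System32\drivers\fakedrv.sys is infected by Win32:Malware-gen [Trj]",
    "Scan finished: 5 infected files",
]

if __name__ == "__main__":
    result = summarize(triage(SAMPLE_LINES))
    for key, n in sorted(result["counts"].items()):
        print(f"{key[0]:>22} {key[1]:<8} {n}")
    print("live malware:", result["live_malware"])
```

Two caveats a practitioner would add: a restore-point copy is harmless only as long as that restore point is never applied, so the usual cleanup is to purge old restore points once the machine is clean; and a hit in another tool's quarantine says nothing about the live system, so it should be resolved by emptying that tool's quarantine rather than by "fixing" it with a second scanner.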


  #45  
Old March 5th 14, 11:12 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

I forgot to mention I also have Windows
Defender installed on the 8500, which must
have been installed originally or came
with something I installed. From time to
time it requests to do a full system scan.
So I let it.

So I'm ok now? Mr. C mentioned manually
deleting the remaining programs. How am
I to tell which ones to delete?

I'll go through the process on the 8200
and if I run into problems post it to the
other forum.

Thanks
Robert


 



