#31
malware issue - part II
#32
malware issue - part II
The noise was never there previously, and only appeared after I ran the AdwCleaner scan.

Robert
#33
malware issue - part II
Yes, that is my post if any wish to follow it versus me updating both. I should have thought of putting in the link here before. Thanks Dave

Robert
#34
malware issue - part II
Hello Paul,
You're absolutely correct regarding the 8200; it has much more serious issues than the 8500 and hopefully it can be resolved. You've done a lot to help me and I appreciate your time and effort and great advice and taking the time to explain things and showed me how to disable my anti-virus, anti-malware. I had no idea how to do that. I also appreciate everyone's help (yes I do read all the comments).

Many Thanks,
Robert
#35
malware issue - part II
Hello Paul,
Once I have the 8500 and 8200 clean again I want to re-visit my external HD and software. I had thought I had been making separate screen images each time but it was only incrementally backing them up. So that if corrupted it would be of no use. I don't want to get into this right now as I have enough on my plate but clearly I'm not happy with what I presently have.

Robert
#36
malware issue - part III "The 8200"
wrote in message ...
> Hello Paul,
> You're absolutely correct regarding the 8200; it has much more serious issues than the 8500 and hopefully it can be resolved. You've done a lot to help me and I appreciate your time and effort and great advice and taking the time to explain things and showed me how to disable my anti-virus, anti-malware. I had no idea how to do that. I also appreciate everyone's help (yes I do read all the comments).
> Many Thanks,
> Robert
#37
malware issue - part II
Hello Paul,
I'm having a little difficulty finishing up with the 8500. He gave me this to do:

Please Uninstall ComboFix: (if you used it)
Press the Windows logo key + R to bring up the "run box"
Copy and paste next command in the field:
ComboFix /uninstall
Make sure there's a space between Combofix and /
Then hit enter.
(it may look like CF is re-installing but it's not)
This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point
(If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)

but none of it works and the file path below ends at App Data because it's not there?

ComboFix is not on your desktop, you ran it from a temp folder:
Running from: c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe
Move ComboFix to your desktop (or download it to your desktop) and try it again

I said that I wasn't quite understanding him with this last part and he just repeated it back:

The quarantine folder is located here
C:\FRST
Delete that folder.
C:\FRST
If you can't delete the FRST folder:
Note: If you used FRST and can't delete the quarantine folder:
Download the fixlist.txt to the same folder as FRST.exe.
Run FRST.exe and click Fix only once and wait
That will delete the quarantine folder created by FRST.
The rest you can manually delete.

I tried deleting (del FRST) at the command prompt which I assume is what he's saying but said it couldn't find the file. I did find FRST- Older Version folder and fixlog file however, under C/.UsersRobdownloads. Under C:/UserRpbertdocuments I found ComboFix14(Scans) but nothing under downloads.

Unsure how to proceed? Thoughts, Suggestions?

Robert
#38
malware issue - part II
wrote:
> Hello Paul,
> I'm having a little difficulty finishing up with the 8500. He gave me this to do:
>
> Please Uninstall ComboFix: (if you used it)
> Press the Windows logo key + R to bring up the "run box"
> Copy and paste next command in the field:
> ComboFix /uninstall
> Make sure there's a space between Combofix and /
> Then hit enter.
> (it may look like CF is re-installing but it's not)
> This will uninstall Combofix, delete its related folders and files, hide file extensions, hide the system/hidden files and clears System Restore cache and create new Restore point
> (If that doesn't work.....you can simply rename ComboFix.exe to Uninstall.exe and double click it to complete the uninstall or download and run the uninstaller)
>
> but none of it works and the file path below ends at App Data because it's not there?
>
> ComboFix is not on your desktop, you ran it from a temp folder:
> Running from: c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe
> Move ComboFix to your desktop (or download it to your desktop) and try it again
>
> I said that I wasn't quite understanding him with this last part and he just repeated it back:
>
> The quarantine folder is located here
> C:\FRST
> Delete that folder.
> C:\FRST
> If you can't delete the FRST folder:
> Note: If you used FRST and can't delete the quarantine folder:
> Download the fixlist.txt to the same folder as FRST.exe.
> Run FRST.exe and click Fix only once and wait
> That will delete the quarantine folder created by FRST.
> The rest you can manually delete.
>
> I tried deleting (del FRST) at the command prompt which I assume is what he's saying but said it couldn't find the file. I did find FRST- Older Version folder and fixlog file however, under C/.UsersRobdownloads. Under C:/UserRpbertdocuments I found ComboFix14(Scans) but nothing under downloads.
>
> Unsure how to proceed? Thoughts, Suggestions?
>
> Robert

I had to follow your thread a bit, to figure out what happened. The quoted text, is what Charlie said in one of his posts.

https://forums.malwarebytes.org/inde...owtopic=142657

"Zipped up and attached, MrC "

I don't see an attachment, so either it was removed, or only forum members can see it.

I suspect you detached something called Temp1_ComboFix.zip. That's what you got via your browser, and transferred to disk. It's a ZIP file, and would have a ZIP icon. It was probably sitting in some TEMP folder.

If you go to the File Explorer in Windows 7, and use the search box in the upper right, you'd type this in and search for it. By default, it'll probably be searching C: for the file.

Temp1_ComboFix.zip

It should come back with one "hit", that being

c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip

If you move the mouse to the yellow ZIP icon on the left of that line in the search results, and right-click, a long menu with about 16 options will show. One of the options is "Open Folder Location". That will navigate you to the Temp folder. If you don't hit the correct place on the line, a tiny menu with 7 options will show, and that menu doesn't have the Open Folder thing. So you have to be careful to get the mouse over the icon, right-click, and then you should get the big context menu.

Now, you should be inside the Temp folder. And the ZIP file should be there. If you right click on the Temp1_ComboFix.zip file, the word "Extract All" may be there. In this example, I put the attachment in its own folder, so you can see it.

http://i62.tinypic.com/f24xoh.gif

What the Windows extractor will do, is create a folder of the same name (without the word ".zip" on the end). You can see in my second picture, how a new folder exists.

http://i58.tinypic.com/29dbvig.gif

Since the top item is an actual folder, I can click and navigate down there. I can then drag combofix.exe to the desktop.

You see, your problem was, you were running it directly from the ZIP, without extracting it. The path you list above, is navigating inside the ZIP. By doing the "Extract All", it converts the ZIP into a real folder, and the real folder has the necessary properties for you to follow Charlie's instructions.

Once it's moved to the desktop, you can do this...

ComboFix /uninstall

The way Windows and some other operating systems work, is they have a thing called an execution path. That is basically a list of directories the operating system looks in, to find executable programs. When you use the Run box, or when you use a Command Prompt window, chances are the Path is consulted, and the OS methodically examines the list of directories until it finds the named program. In your case, combofix.exe was so well hidden, it wasn't in the Path list. Charlie seems to think that the desktop is in the Path, and I'll have to assume that is correct.

The list is stored as an environment variable, so you can actually edit that Path thing. Some installers, when they install programs, they add things to that list. And it's all done, to help automate things.

In this example, you can see me editing the Path variable. I don't see the desktop in the list, so it'll be interesting to see what happens. I expect there are places searched which are not in that list, and that will be why it works. I know that CWD (current working directory) is searched for example. And perhaps the shell, when triggered, just happens to start in that particular directory (desktop).

http://i62.tinypic.com/2yys5rb.gif

So when you run ComboFix /uninstall, the OS will be looking in all the Path directories, and hopefully, it'll find the combofix.exe file you moved to the desktop.

*******

You were supposed to look under C: , to see if there was a C:\FRST folder, as that is where Farbar puts quarantined items. If no items were quarantined, maybe it doesn't create the folder. Look in the folder and see if items are in there.

Paul
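Added example, not part of any post in this thread: a simplified Python model of the Command Prompt lookup discussed in the post above (current directory first, then each Path entry in order, trying each PATHEXT extension), plus a check for the ".zip"-named folder seen in the "Running from:" line. The function names, the file list and the Path value are constructed for illustration; the Run box consults further locations that this model leaves out.

```python
import ntpath

# Constructed sample state, not taken from the machine in the thread.
FILES = [r"C:\Users\Rob\Desktop\ComboFix.exe", r"C:\Windows\System32\cmd.exe"]
PATH = r"C:\Windows\System32;C:\Windows"
PATHEXT = ".COM;.EXE;.BAT;.CMD"


def _norm(path):
    # Windows paths are case-insensitive; normalise separators and case.
    return ntpath.normcase(ntpath.normpath(path))


def resolve(command, cwd, path_var, pathext, files):
    """Return the file a bare command name would resolve to, or None.

    Model: look in the current directory, then in each Path directory in
    order; if the name has no extension, try each PATHEXT extension.
    """
    known = {_norm(f): f for f in files}
    if ntpath.splitext(command)[1]:
        names = [command]
    else:
        names = [command + ext for ext in pathext.split(";") if ext]
    for directory in [cwd] + [d for d in path_var.split(";") if d]:
        for name in names:
            hit = known.get(_norm(ntpath.join(directory, name)))
            if hit:
                return hit
    return None


def under_zip_named_dir(path):
    """True if any folder in the path ends in .zip, the pattern Explorer
    leaves when a program is started from inside a compressed folder."""
    folders = ntpath.normcase(path).split("\\")[:-1]
    return any(f.strip().endswith(".zip") for f in folders)


if __name__ == "__main__":
    # Desktop is not on Path: found only when it is the current directory.
    print(resolve("ComboFix", r"C:\Users\Rob", PATH, PATHEXT, FILES))
    print(resolve("ComboFix", r"C:\Users\Rob\Desktop", PATH, PATHEXT, FILES))
    print(under_zip_named_dir(
        r"c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe"))
```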
#39
malware issue - part II
Hello Paul,
Another development. In Hotmail, when I clicked on a file it disappeared. I can't find it now. I would like to get it back but how? I didn't delete it. I tried logging out of hotmail and logging back in but it still isn't there.

I tried searching for Temp1_ComboFix.zip and it gave me this:

http://i59.tinypic.com/15xstis.png

I did look under C:/ but there was nothing there.

Thoughts/Suggestions?

Robert
#40
malware issue - part II
wrote:
> Hello Paul,
> Another development. In Hotmail, when I clicked on a file it disappeared. I can't find it now. I would like to get it back but how? I didn't delete it. I tried logging out of hotmail and logging back in but it still isn't there.
>
> I tried searching for Temp1_ComboFix.zip and it gave me this:
>
> http://i59.tinypic.com/15xstis.png
>
> I did look under C:/ but there was nothing there.
>
> Thoughts/Suggestions?
>
> Robert

Why not attempt to get ComboFix from the original web site?

http://www.bleepingcomputer.com/download/combofix/

The button to click, is shown here.

http://i61.tinypic.com/ieni89.gif

Wait about ten seconds, and a dialog should show up, for the Save As step. You will be getting ComboFix 14.2.24.2 .

ComboFix.exe

You can move it from your download folder, to the desktop. Then follow Charlie's instructions.

HTH,
Paul
#41
malware issue - part II
Hello Paul,
I hate to admit it but I was in fact deleting those files but didn't know it. Sorry. I did manage to save and restore the missing file so all was not lost.

I downloaded, installed and ran ComboFix but couldn't find ComboFix.exe only ComboFix Application and Fixlog.

Thoughts/Suggestions?

Robert
#42
malware issue - part II
#43
malware issue - part II
Hello Paul,
Here's what I've done:

On the 8500:

I ran a full system scan with Avast, it gave me this:

http://i62.tinypic.com/66i4o8.png

I selected fix automatically and clicked apply.

http://i57.tinypic.com/6y1edd.png

I checked Avast for any updates and said I was current. I went back and tried to do what you suggested and I think I did it.

http://i57.tinypic.com/mhso6w.png

8200:

When I log on, the Firewall turns off and says my computer is at risk and the virus protection was out of date: tried to update Firefox via Avast. Updated Adobe Flash Player, Adobe plug-in. I also tried to check for Windows updates but it wouldn't open. Now it just says my computer is at risk and clears itself after about a minute.

Ran an Avast scan - found (9) infected files

C:\...Insis.hdr NSIS:NextLive-A[Adw]
C:\AdwCleaner\...\nengine.dll.vir Win32:NewxtLive-A[Adw]
C:\...\A0014394.dll Win32:NewxtLive-A[Adw]
C:\...\A0014395.dll Win32:NewxtLive-A[Adw]
C:\...\A0017566.dll Win32:NewxtLive-A[Adw]
C:\...\A0014393.dll Win32:NewxtLive-A[Adw]
C:\...Insis.hdr Win32:NewxtLive-A[Adw]

* The first and last isn't really a capital ' I ' but a black bar but I didn't know how to make one.

Ran a boot scan and it gave me this at 21%

File c:\Program Files\Uninstaller\Uninstall.exe is infected by win32:Installer-U [Pup}

I selected number 2 (fix all automatically) and it was moved to the quarantine chest.

later it gave me

File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by win32:Mobogenie-B [PUP]
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013239.exe is infected by win32:Mobogenie-C [PUP]
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP43\A0014373.exe is infected by win32:Installer-U [PUP]
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP67\A0020850.exe is infected by win32:Instaler-U [PUP]

the scan didn't stop but moved them all into the quarantine chest.

I ran a full system scan with Avast afterwards and came up clean.

Tried to open Spywareblaster to update it and it gave me this:

Error: Access violation at 0x73483F5A (tried to read from 0x00000014), program terminated. Last CP is 'RF'.

Thoughts, suggestions?

Robert
#45
malware issue - part II
Hello Paul,
I forgot to mention I also have Windows Defender installed on the 8500 which must have been installed originally or came with something I installed. From time to time it requests to do a full system scan. So I let it.

So I'm ok now? Mr. C mentioned manually deleting the remaining programs. How am I to tell which ones to delete?

I'll go through the process on the 8200 and if I run into problems post it to the other forum.

Thanks
Robert