A Windows XP help forum. PCbanter


malware issue - part II



 
 
  #46  
Old March 5th 14, 12:52 PM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

The AdwCleaner found nothing... and
generated the automatic report.

Ran the JRT scan but it didn't
display a log; it opened My Documents.

Tried installing Malwarebytes and
during installation it gave me this:

Setup

CoCreateInstance failed; code 0x80040154
Class not registered

Ran HitmanPro and found 22 traces but
no threats. Deleted traces.

Robert


  #47  
Old March 5th 14, 05:17 PM posted to microsoft.public.windowsxp.general
Paul
external usenet poster
 
Posts: 18,275
Default malware issue - part II

wrote:
Hello Paul,

I forgot to mention I also have Windows
Defender installed on the 8500 which must
have been installed originally or came
with something I installed. From time to
time it requests to do a full system scan.
So I let it.

So I'm ok now? Mr. C mentioned manually
deleting the remaining programs. How am
I to tell which ones to delete?

I'll go through the process on the 8200
and if I run into problems post it to the
other forum.

Thanks
Robert


For portable programs, you probably downloaded them somewhere,
or put them on your desktop. You don't have to delete
them, except you would want them gone, if having to do
the procedures again (as you'd want up-to-date copies).
If it was me, I'd want a bookmark for each tool's download
page, so I could find it again later.

For programs that actually install (and reside in Program Files,
have an entry in Programs and Features control panel), you
could uninstall those if you're done with them.

If I was sitting at the keyboard of your machine, I would
probably use the file search to look for remnants. If I can see
things in Program Files, then I'd know it was an actual install.
If the program or folders are located somewhere else (like right
under C:\), then it might be harder to locate all of them. Programs
like that have at least a half dozen places they could hang out, so
it's not that easy to be thorough.

The Combofix should have removed its quarantine folder, so
that is one less thing right under C:.

Paul
  #48  
Old March 5th 14, 07:02 PM posted to microsoft.public.windowsxp.general
Paul
external usenet poster
 
Posts: 18,275
Default malware issue - part II

wrote:
Hello Paul,

The AdwCleaner found nothing... and
generated the automatic report.

Ran the JRT scan but it didn't
display a log; it opened My Documents.

Tried installing Malwarebytes and
during installation it gave me this:

Setup

CoCreateInstance failed; code 0x80040154
Class not registered

Ran HitmanPro and found 22 traces but
no threats. Deleted traces.

Robert



http://www.bleepingcomputer.com/foru...stalling-mbam/

CoCreateInstance failed; code 0x800401154. Class not Registered.

This means that a COM object or an ActiveX object
could not be instantiated because it is not registered.

Since you are mentioning other problems, it could be
that this missing class is related to this. It sometimes
happens when an uninstall removes too much.

There is a way to find out which class, but it's technical.
How good are you at using ProcMon?

Now, what that person is suggesting, is watching something
with Process Monitor from sysinternals.com (owned by Microsoft).

That is as close as I got, to someone suggesting a way to debug.
I tried a few more searches, and there doesn't seem to be a
common theme to responses to that. Yes, there is Malwarebytes
Chameleon, as a way to fool the malware that you're not
trying to run MBAM. But the symptoms suggest that something
underneath is broken enough, it probably wouldn't work.

I would take the 8200 over to Bleepingcomputer and start
another thread, citing the symptoms. As me suggesting
dumb things to do here, would be of no help to you at
all.

Paul
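
One way to do the Process Monitor check mentioned above, as an added example that is not part of the original post: capture the failing installer in ProcMon, save the trace as CSV, and list the CLSIDs whose registry lookups never resolved in any hive. The process name `setup.exe`, the helper `unregistered_clsids` and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample using Process Monitor's default CSV export columns.
# Process names, PIDs and CLSIDs are made up for illustration.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"12:52:01.10","setup.exe","1234","RegOpenKey","HKCU\Software\Classes\CLSID\{11111111-1111-1111-1111-111111111111}","NAME NOT FOUND","Desired Access: Read"
"12:52:01.11","setup.exe","1234","RegOpenKey","HKCR\CLSID\{11111111-1111-1111-1111-111111111111}","SUCCESS","Desired Access: Read"
"12:52:01.12","setup.exe","1234","RegOpenKey","HKCU\Software\Classes\CLSID\{22222222-2222-2222-2222-222222222222}","NAME NOT FOUND","Desired Access: Read"
"12:52:01.13","setup.exe","1234","RegOpenKey","HKCR\CLSID\{22222222-2222-2222-2222-222222222222}","NAME NOT FOUND","Desired Access: Read"
"12:52:01.14","explorer.exe","400","RegOpenKey","HKCR\CLSID\{33333333-3333-3333-3333-333333333333}","NAME NOT FOUND","Desired Access: Read"
"12:52:01.15","setup.exe","1234","CreateFile","C:\WINDOWS\system32\ole32.dll","SUCCESS","Desired Access: Read"
'''

# Matches the GUID that follows a \CLSID\ path component in any hive.
CLSID_RE = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})", re.IGNORECASE)


def unregistered_clsids(csv_text, process_name):
    """Return CLSIDs the process looked up that never resolved anywhere.

    A miss under HKCU\\Software\\Classes followed by a hit under HKCR is
    normal COM lookup order, so a CLSID is reported only when every
    lookup for it came back NAME NOT FOUND.
    """
    results = defaultdict(set)
    reader = csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff")))
    for row in reader:
        if row["Process Name"].lower() != process_name.lower():
            continue
        if not row["Operation"].startswith("Reg"):
            continue  # file and network events are not relevant here
        match = CLSID_RE.search(row["Path"])
        if match:
            results[match.group(1).upper()].add(row["Result"])
    return sorted(c for c, seen in results.items()
                  if seen == {"NAME NOT FOUND"})


if __name__ == "__main__":
    for clsid in unregistered_clsids(SAMPLE_CSV, "setup.exe"):
        print("never resolved:", clsid)
```

A CLSID reported here is a candidate for the class behind the 0x80040154 error; identifying which component owns it is a separate step.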


  #49  
Old March 5th 14, 07:17 PM posted to microsoft.public.windowsxp.general
Buffalo[_3_]
external usenet poster
 
Posts: 686
Default malware issue - part II

"Paul" wrote in message ...

wrote:
Hello Paul,

Here's what I've done:


On the 8500:

I ran a full system scan with Avast, it gave me this:

http://i62.tinypic.com/66i4o8.png

I selected fix automatically and clicked apply.
http://i57.tinypic.com/6y1edd.png

I checked Avast for any updates and said I was current.

I went back and tried to do what you suggested and
I think I did it. http://i57.tinypic.com/mhso6w.png



8200: When I log on, the Firewall turns off and says
my computer is at risk and the virus protection
was out of date: tried to update Firefox via Avast.
Updated Adobe Flash Player, Adobe plug-in. I also
tried to check for Windows updates but it wouldn't
open. Now it just says my computer is at risk and clears itself after
about a minute. Ran an Avast scan - found (9) infected files
C:\...Insis.hdr NSIS:NextLive-A[Adw]
C:\AdwCleaner\...\nengine.dll.vir Win32:NewxtLive-A[Adw]
C:\...\A0014394.dll Win32:NewxtLive-A[Adw]
C:\...\A0014395.dll Win32:NewxtLive-A[Adw]
C:\...\A0017566.dll Win32:NewxtLive-A[Adw]
C:\...\A0014393.dll Win32:NewxtLive-A[Adw]
C:\...Insis.hdr Win32:NewxtLive-A[Adw]

* The first and last isn't really a capital ' I ' but a black bar but I
didn't know how to make one. Ran a boot scan and it gave me this at 21%
File c:\Program Files\Uninstaller\Uninstall.exe is infected by
win32:Installer-U [Pup}

I selected number 2 (fix all automatically) and
it was moved to the quarantine chest. later it gave me File C:\ System
Volume Information\_restore
{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by
win32:Mobogenie-B [PUP]

File C:\ System Volume Information\_restore
{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013239.exe is infected by
win32:Mobogenie-C [PUP]

File C:\ System Volume Information\_restore
{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP43\A0014373.exe is infected by
win32:Installer-U [PUP]

File C:\ System Volume Information\_restore
{E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP67\A0020850.exe is infected by
win32:Instaler-U [PUP]


the scan didn't stop but moved them all into the quarantine chest.

I ran a full system scan with Avast afterwards and came up clean.
Tried to open Spywareblaster to update it and it gave me this:

Error: Access violation at 0x73483F5A (tried to read from 0x00000014),
program terminated. Last CP is 'RF'.


Thoughts, suggestions?
Robert


On the 8500, that was a copy of CCleaner from Piriform (cc_setup), which has
Google Chrome and some toolbar inside it. Avast has "moved it
to the chest". So that was adware, rather than malware. And hopefully,
something you could decline (using tick boxes), when installing CCleaner,
so you don't get a toolbar.

*******

On the 8200, have you run this machine through Bleepingcomputer?
Have you ever had these results checked by a professional malware fighter?

The NextLive is covered here, and it's just another PUP. AdwCleaner
and friends are the suggested solution. You've been through
this routine before.

http://malwaretips.com/blogs/win32-nextlive-a-removal/

If the computer saves a System Restore point, while you're infected with
something, then a scan is going to find the infection in the System Restore.
So that would be normal, if you had something nasty on the machine.
Malware is pretty good at making sure it's in the Restore points, one
way or another.

It's possible, in your file list there, that AdwCleaner has a
quarantine folder, and another tool is picking up that
quarantine folder during a scan.

But the other symptoms bother me. The Spywareblaster getting an
Access Violation, it's probably been tampered with. And your firewall,
sometimes that can be explained by other things (like, a .NET problem),
but that's probably not it in this case. Maybe these symptoms aren't
consistent with just a PUP being present.

If you look at this thread, Spywareblaster seems to be sensitive to
interference from other protection programs. That's all I can figure.
And reinstalling it, doesn't necessarily help.

http://www.wilderssecurity.com/showthread.php?t=229348

Paul

AdwCleaner probably messed up his SpyWareBlaster. When I ran AdwCleaner on
my Win7 HE 64bit PC, it wanted to do something to SWB.
If he wants to keep SWB I would suggest he tries to uninstall SWB and
reinstall SWB, or just leave it uninstalled until he gets his other problems
corrected.

--
Buffalo

  #50  
Old March 5th 14, 11:56 PM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Where is a safe download for SpyWareBlaster
and how is one to know a safe site from one
that isn't?

Thanks,
Robert
  #51  
Old March 6th 14, 12:04 AM posted to microsoft.public.windowsxp.general
No_Name
external usenet poster
 
Posts: 333
Default malware issue - part II

Hello Paul,

If you mean following a person's instructions while you
watch, I've done a little of that. So I'll give it a try.

I'll start a post on the other forum but if I have
questions regarding the 8200 I'll create another post here.

Once again, I want to thank you for all your good help
and staying with me through all this. I appreciate your
time and patience, expertise, excellent instructions and
taking the time to educate me in the process which I
appreciate.

Thanks,
Robert
  #52  
Old March 6th 14, 12:33 AM posted to microsoft.public.windowsxp.general
Buffalo[_3_]
external usenet poster
 
Posts: 686
Default malware issue - part II

wrote in message
...

Where is a safe download for SpyWareBlaster
and how is one to know a safe site from one
that isn't?

Thanks,
Robert


Download it from the author's site.
Always save the dl'd file rather than choosing to run it.
After it is dl'd and before you use it, let your Anti-virus program and your
Anti-Malware program scan it.
That should help the odds.
ALSO, when you do install (execute) the program, look at EVERY screen during
the install to see what else it may want to install.
--
Buffalo

  #53  
Old March 6th 14, 12:37 AM posted to microsoft.public.windowsxp.general
Buffalo[_3_]
external usenet poster
 
Posts: 686
Default malware issue - part II

wrote in message
...

Where is a safe download for SpyWareBlaster
and how is one to know a safe site from one
that isn't?

Thanks,
To answer your question, go to :


http://www.brightfort.com/
--
Buffalo
PS: I missed doing that in my just previous post.

  #54  
Old March 6th 14, 02:04 AM posted to microsoft.public.windowsxp.general
Paul
external usenet poster
 
Posts: 18,275
Default malware issue - part II

wrote:
Where is a safe download for SpyWareBlaster
and how is one to know a safe site from one
that isn't?

Thanks,
Robert


This doesn't work in every instance, but I use
Wikipedia to get the "authoritative" web site
information. I go to wikipedia.org and search
for Spywareblaster, and it takes me here.

http://en.wikipedia.org/wiki/Spywareblaster

http://www.brightfort.com/spywareblaster.html

SpywareBlaster works by blacklisting the CLSID of
known malware programs, effectively preventing
them from infecting a protected computer.

So as Buffalo says, brightfort.com is the developer site.

HTH,
Paul
 




All times are GMT +1.