
baumgrenze

Honorary Members
Posts: 38
Reputation: 0 Neutral
  1. Thanks for the prompt response.

     Re 2) Here is a copy (I hope it does not violate their forum terms to quote it here). Their reply did not make a lot of sense to me; I hope you understand it better.

     Topic review: VMonitor - Operating System Problems?
     Re: VMonitor - Operating System Problems?
     by adafruit_support_mike » Fri Mar 10, 2017 5:52 am

     That looks like a case of antivirus protection software being aggressive. That's arguably a good thing for security software to do, but the natural consequence is that you get false positives. In this case, reading the page linked above shows that the security issue is related to malware which installs itself under the same name, not to the legitimate binary. Thank you for letting us know about the issue, but we don't have any control over the software, and definitely have no control over the way AV systems rank threats.

     thanks
     baumgrenze
  2. A response on this forum: https://forums.adafruit.com/posting.php?mode=reply&f=44&t=113296 Subject: VMonitor - Operating System Problems? suggested that someone had used VMonitor to house malware. I searched for the concept and found this hit:

     https://www.google.com/search?num=50&site=&source=hp&q=malware+which+installs+itself+under+the+same+name%2C+not+to+the+legitimate+binary.&oq=malware+which+installs+itself+under+the+same+name%2C+not+to+the+legitimate+binary.&gs_l=hp.3...1108.1108.0.1639.2.2.0.0.0.0.235.336.0j1j1.2.0....0...1.1.64.hp..0.0.0.0.RIaD20NHcIE

     Cerber Ransomware - New, But Mature - Malwarebytes Labs ...
     https://blog.malwarebytes.com/threat-analysis/.../cerber-ransomware-new-but-mature/
     Mar 11, 2016 - Name of the folder is specific to a particular sample – in the .... in a different campaign – not as a Cerber, but under some other name. ... After the successful installation, the initial malware sample ... Otherwise, it tries the same trick with different pair of EXE + DLL. .... Ransomware usually deletes itself. You're ...

     When I opened the link, Avast Free popped up, excitedly saying it had blocked a threat. The name of the threat disappeared before I could note it or I would post it here.

     1) Why would Avast announce that malwarebyteslabs.com tried to plant a virus?
     2) If someone converted the contents of VMonitor.exe into malware, would a Malwarebytes scan find the malware?

     Answers to either one or both of the questions are of interest to me.

     thanks
     baumgrenze
  3. I forgot to mention that this afternoon I downloaded Malwarebytes and ran it, too. I didn't have all my HDDs attached to the system, just a simple 128 Gb Crucial M550 SSD for the OS/Program files and the 640 Gb WD Caviar (2009 vintage) I've been using to store my data files. I've attached the log. I didn't think that it looked very frightening. Perhaps this is a result of 'incompetence knowledge.'

     thanks
     baumgrenze

     Attachment: MalwarebytesLog052914.txt
  4. Thank you, daledoc1,

     Here are the logs. I look forward to your reply.

     Here's a thought. With both AOO Writer and MS Word 2000 I saved all my documents in the classic *.doc format of MS Word. I hate to be a Luddite, but I can do things with Word documents "in my sleep." I'll leave my rant there.

     thanks
     baumgrenze

     Attachments: Addition.txt, FRST.txt
  5. Pardon my clumsiness, I thought I'd attached both "attach" and "dds" but I see only one, so here is "attach.txt"

     baumgrenze

     Attachment: attach.txt
  6. I have only recently installed Win7/Pro x64 on my system. I downloaded and installed XPMode but found it slow to open. Research quickly taught me that it is as vulnerable as running XP/Pro itself if it is running when the greater system is exposed to the Internet. I've not uninstalled it yet but I've stopped using it. It took a little longer to discover that Office 2000 applications like Word and Excel run in compatibility mode. For a week or so before that I tried adding to my learning curve by trying out Apache Open Office Writer.

     Suddenly, one day, I found that a branch under My Documents was missing. I thought it might be AOO. Today, while running Word 2000, I went to open another branch of My Documents and I can't find it. When I say gone, I mean that logging the entire disk with ZTree and doing a global display with the file specification set for a 'lost file' yields no result. I also did a string search on every file, regardless of the extension, on both my OS/programs HDD and my Data HDD. There are only a very few System files that it can't log. Otherwise it sees everything. The missing file is gone into the ether.

     Is this the behavior of a known virus? Is this perhaps a phenomenon others have seen when they adopted Windows 7?

     thanks
     baumgrenze
  7. I should have said "I will repost under 'malware removal' if that is where this post belongs given the above report."

     Thanks
     baumgrenze
  8. I'm as confident as a MWB scan can leave me that the malware is gone. I thought that the 'resulting' bluescreen might be of interest as well as the somewhat modified boot behavior (hesitation during the display captured via digital photography - flash off.) I will repost under malware removal.

     Here's the last scan I ran a little more than 5 hours ago.

     Malwarebytes Anti-Malware 1.75.0.1300
     www.malwarebytes.org

     Database version: v2014.05.04.09

     Windows XP Service Pack 3 x86 NTFS
     Internet Explorer 8.0.6001.18702
     ########################### [administrator]

     5/4/2014 4:29:19 PM
     mbam-log-2014-05-04 (16-29-19).txt

     Scan type: Quick scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 251306
     Time elapsed: 12 minute(s), 22 second(s)

     Memory Processes Detected: 0
     (No malicious items detected)

     Memory Modules Detected: 0
     (No malicious items detected)

     Registry Keys Detected: 0
     (No malicious items detected)

     Registry Values Detected: 0
     (No malicious items detected)

     Registry Data Items Detected: 0
     (No malicious items detected)

     Folders Detected: 0
     (No malicious items detected)

     Files Detected: 0
     (No malicious items detected)

     (end)

     Thanks,
     baumgrenze
  9. I just scanned manually and encountered "PUP.Optional.Bandoo" and "PUP.Optional.SweetPacks.A." I had not noticed any suspicious behavior, browser hijack or popup ads. I shut down all running applications and allowed MWB to remove the PUPs. The reboot led to the 0x7B blue screen (Blue Screen Stop: 0x0000007E (0xC0000005, 0x8054B51A, 0xBA4C7530, 0xBA4C722C)). I struggled around with going to my BIOS settings to see if everything was OK there and found no trouble I could see. Eventually I hit a prompt where I could choose my 'boot with last known good configuration' and that completed. Now when I reboot the system is much slower to leave the post image attached. I reran MWB and got a clean bill of health and a clean log. The system is custom built on a Gigabyte MOBO as named in the image.

     Any suggestions what I should do to get the boot to run more smoothly?

     Thanks in advance,
     baumgrenze
  10. Larry, Mission accomplished. Thanks again for the patient help. John
  11. Larry, Should I try to delete the C:\32788R22FWJFW1 folder and its sub-folders, though? Thanks, John
  12. Larry,

      I used ZTree and deleted all the ComboFix associated files, I think. When I log C:\ I still see Qoobox as a folder. When I log that folder I see a subfolder, BackEnv. Access to that folder is denied. Without access neither folder can be deleted. Perhaps you have another trick?

      Also, ZTree reveals the C:\32788R22FWJFW1 folder and its contents are still there. See the image below. One folder is at the top, the other just above the RECYCLER.

      Thanks,
      John
  13. Larry,

      Here is a best attempt at a ZTree catalog of Qoobox and Combofix files. I did a Google search on "32788R22FWJFW1" and learned that this may have been created when my first attempt at ComboFix aborted. Could this be causing problems? Can I just use ZTree to delete these, if I can access them?

      Thanks,
      John

      Disk Volume:                                   11-09-11 14:06:34   Page 1
      Available space 39,045,824,512 bytes
      119,415 logged files using 34,370,014,077 bytes
      6 tagged files using 4,566,972 bytes

      Path: C:\
      1 tagged files using 16,527 bytes
      11-02-11 15:05:46        16,527 .a.. ComboFix.txt

      Path: C:\32788R22FWJFW1
      1 tagged files using 236,032 bytes
       8-30-00 16:00:00       236,032 .a.. ComboFix-Download.3XE

      Path: C:\Documents and Settings\John Baum\Desktop
      1 tagged files using 4,280,796 bytes
      11-02-11 14:41:47     4,280,796 .... ComboFix.exe

      Path: C:\Documents and Settings\John Baum\Recent
      2 tagged files using 1,113 bytes
      11-08-11 22:35:08           444 .a.. Qoobox .lnk
      11-08-11 22:31:42           669 .a.. ComboFix-quarantined-files.txt.lnk

      Path: C:\WINDOWS\Prefetch
      1 tagged files using 32,504 bytes
      11-09-11 10:48:49        32,504 .a.. COMBOFIX.EXE-3B629577.pf
  14. Larry,

      Here is a follow-up regarding uninstall.exe. I found these files using ZTree on my C:\ drive. I do not want to uninstall these programs. I don't understand how renaming the icon on the uninstall.exe will uninstall ComboFix instead of the files below.

      Disk Volume:                                   11-09-11 13:43:49   Page 1
      Available space 39,086,481,408 bytes
      119,414 logged files using 34,370,012,661 bytes
      7 tagged files using 782,549 bytes

      Path: C:\Program Files\Belarc\Advisor
      1 tagged files using 164,864 bytes
       9-28-01 17:00:28       164,864 .... Uninstall.exe

      Path: C:\Program Files\Canon\IJ Manual\CANON IP4700 SERIES
      1 tagged files using 238,936 bytes
       1-22-09  5:00:48       238,936 ra.. uninstall.exe

      Path: C:\Program Files\CDex_150
      1 tagged files using 37,803 bytes
       5-20-08 14:11:41        37,803 .... uninstall.exe

      Path: C:\Program Files\CDex_150_New
      1 tagged files using 37,803 bytes
       5-14-09  9:30:24        37,803 .a.. uninstall.exe

      Path: C:\Program Files\Secunia\PSI
      1 tagged files using 208,039 bytes
       1-12-11 15:47:11       208,039 .a.. Uninstall.exe

      Path: C:\Program Files\ZTree
      1 tagged files using 47,775 bytes
       5-29-11 20:33:14        47,775 .a.. uninstall.exe

      Path: C:\Program Files\ZTreeOld_Ver1
      1 tagged files using 47,329 bytes
       6-23-08 20:45:46        47,329 .... uninstall.exe

      Thanks,
      John