suspect virus


curlew


I suspect I have had a long-term virus, malware or similar issue with this computer, which is mainly used by my wife and download-happy boy; I seldom use it. I did notice several months ago that Comodo AV/IS wasn't working. This I sorted at the time, with some strong words to my other half and boy about using computers without AV running.

 

Malwarebytes will not run and hasn't for some time; also, other software or programs that might rid me of the issue won't run or terminate part way.

 

Kaspersky Free has come up today, 26/9/14, with 3 malware detections, see below, but I can't see these when I search manually in said locations:

 
  • Trojan.Win32.Buzus.uuzf
    Setup.exe
    C:\Users\HAYDEN\Downloads
  • HEUR:Trojan.Win32.Generic
    {AF5ACB7C-8E04-43A1-8B38-A8050A0977B3}
    C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data
  • Trojan.Win32.Buzus.uuzf
    Setup.exe
    C:\Documents and Settings\HAYDEN\Downloads

 

FRST.txt

Addition.txt


When looking at your data, you indicated the Kaspersky online scanner flagged...

 

C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data

 

for a HEURistic trojan but it is ..\COMODO\Cis\Quarantine\data

 

That's telling me that Kaspersky flagged something in Comodo's Quarantine.

 

I also see Comodo's antivirus solution is installed.  But I also see Trend Micro.

 

Out of the two, I suggest sticking with Comodo and removing Trend Micro's software.

 

 

What is found in the quarantine is safe.  You can keep it there and it isn't affecting your computer nor can it re-infect your computer.  You may wish to purge the Comodo Quarantine just to eliminate that as a factor.

 

Then you can manually DELETE

 
C:\Users\HAYDEN\Downloads\Setup.exe

Trend Micro is the online scanner HouseCall; RUBotted is running at present.

 

Strange thing is, C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data is not showing in the quarantine area of Comodo, even though a few other things are.

 

C:\Users\HAYDEN\Downloads\Setup.exe is also not visible in the Downloads folder; I have made hidden folders visible.

 

As I can't delete any of the above, the computer is still in the original state as at my first contact.


You are running Vista.

 

That means C:\Users\HAYDEN is the real profile.

You have references to C:\Documents and Settings\HAYDEN\, which is a link back to your profile for older programs that want Windows XP or an older OS.

 

Therefore

C:\Documents and Settings\HAYDEN\Downloads

is equivalent to...

C:\Users\HAYDEN\Downloads

 

What you think are two detections is the same thing, so in effect it is one detection.

 

The thing is, if you cannot actually see the files, are they ghost detections?

 

One way to make sure is to open a Command Prompt (execute CMD.EXE).

In the command prompt enter the following commands...

 

cd  C:\Users\HAYDEN\Downloads

attrib -r -h -s *.*

 

then

 

DIR  Setup.exe

 

Is it there ?


OK.  So you were able to create a FILE named SETUP.EXE in C:\Users\HAYDEN\Downloads.

Therefore C:\Users\HAYDEN\Downloads\Setup.exe was a ghost.

 

We made sure there was no Hidden-System file of that name, and you can't create a file whose name already exists.

 

The thing next to do is close all programs and background application stubs and re-run the Kaspersky scanner that started this all.  If possible, attach the final LOG file of that scan.

 

EDIT:

 

Come to think of it, if a FOLDER exists by a particular name you can't create a FILE of that name.  Conversely, if a FILE exists by a particular name you can't create a FOLDER of that name.

 

BTW:  on another note...  Your 'nym CURLEW.  Is that like the below?

 

[attached image: post-14644-0-87160700-1412076456_thumb.j]

 

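Added example, not code from this thread or from any of the posters: the two checks described in the replies above (resolving the Vista "Documents and Settings" junction so that the two reported paths can be compared, revealing Hidden/System items the way attrib -r -h -s does, and the create-a-file probe that proves a ghost detection) as one PowerShell script. It assumes Windows PowerShell 5.1 or later (for the .LinkType and .Target properties and Get-FileHash) and an elevated prompt; the two paths are the ones the scanner reported, and the function names are mine.

```powershell
# Added example for this thread (not the forum's or the poster's own code).
# Assumes Windows PowerShell 5.1+ and an elevated prompt.
# The default paths are the two the scanner reported.
param(
    [string[]]$ReportedPaths = @(
        'C:\Users\HAYDEN\Downloads\Setup.exe',
        'C:\Documents and Settings\HAYDEN\Downloads\Setup.exe'
    )
)

function Resolve-JunctionPath {
    # Walk the path one component at a time, replacing any junction or symlink
    # component by its target. On Vista and later 'C:\Documents and Settings'
    # is a junction to 'C:\Users', so both reported paths end up identical.
    param([Parameter(Mandatory)][string]$Path)
    $parts   = $Path.TrimEnd('\') -split '\\'
    $current = $parts[0] + '\'                     # drive root, e.g. 'C:\'
    for ($i = 1; $i -lt $parts.Length; $i++) {
        $candidate = Join-Path $current $parts[$i]
        # -Force is what makes Get-Item return Hidden/System items and junctions.
        $item = Get-Item -LiteralPath $candidate -Force -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            # Component does not exist: append the rest unchanged and stop.
            return Join-Path $current ($parts[$i..($parts.Length - 1)] -join '\')
        }
        if (($item.LinkType -in @('Junction', 'SymbolicLink')) -and $item.Target) {
            $current = [string](@($item.Target)[0])   # string in PS 7, array in 5.1
        } else {
            $current = $candidate
        }
    }
    return $current
}

function Test-ReportedFile {
    # Equivalent of the thread's 'attrib -r -h -s' followed by 'dir': report
    # whether the junction-resolved path exists and which attributes it carries.
    param([Parameter(Mandatory)][string]$Path)
    $resolved = Resolve-JunctionPath -Path $Path
    $item  = Get-Item -LiteralPath $resolved -Force -ErrorAction SilentlyContinue
    $attrs = ''
    $hash  = ''
    if ($item) {
        $attrs = $item.Attributes.ToString()
        if (-not $item.PSIsContainer) {
            $hash = (Get-FileHash -LiteralPath $resolved -Algorithm SHA256).Hash
        }
    }
    [pscustomobject]@{
        Reported   = $Path
        Resolved   = $resolved
        Exists     = ($null -ne $item)
        Attributes = $attrs
        SHA256     = $hash
    }
}

function Test-GhostDetection {
    # The thread's proof: NTFS will not create a file under a name that already
    # exists, hidden/system or not. If a zero-byte probe can be created, the
    # reported file was a ghost. Returns $null when the parent folder is absent.
    param([Parameter(Mandatory)][string]$Path)
    $resolved = Resolve-JunctionPath -Path $Path
    $parent   = Split-Path -Path $resolved -Parent
    if (-not (Test-Path -LiteralPath $parent -PathType Container)) { return $null }
    try {
        $null = New-Item -ItemType File -Path $resolved -ErrorAction Stop
        Remove-Item -LiteralPath $resolved -Force           # remove the probe again
        return $true
    } catch {
        return $false                                       # name already taken
    }
}

$results = @($ReportedPaths | ForEach-Object { Test-ReportedFile -Path $_ })
$results | Format-Table -AutoSize

$distinct = @($results | ForEach-Object { $_.Resolved.ToLowerInvariant() } | Select-Object -Unique)
'{0} reported path(s) resolve to {1} distinct file name(s)' -f $results.Count, $distinct.Count

foreach ($r in $results) {
    if (-not $r.Exists) {
        'Probe create at {0}: {1}' -f $r.Resolved, (Test-GhostDetection -Path $r.Reported)
    }
}
```

Run it as a script from an elevated prompt. The second reported path should resolve to the first, which is the "one detection, not two" point made above, and a probe create that returns True at the resolved path is the same evidence the reply relies on: nothing, hidden or otherwise, was occupying that name. If Attributes comes back containing Hidden or System for a path that a plain dir did not show, the file is real and the scanner was right.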

Yes, Curlew after the bird. I live on an estate where all the roads are named after birds: Eagle, Hawk, Osprey, Redpoll, Redstart and a few others. As you may have guessed, I live in Curlew Road. I have used Curlew as a name for many internet things; saying that, there is also someone else out there using it as their name.

---------------------------------------------------------------------------------------------------------------------------

 

Attached Kaspersky log.

 

Seems I can't upload or paste the Kaspersky results;

I get a "you aren't permitted to do" this or that message in red on the Malwarebytes forum.


Computer protection (0)

 

Information about anti-virus software and firewalls installed on the computer.

 

Malware (0)

 

Information about malware detected on the computer.

 

Vulnerabilities (10)

 

Information about applications and operating system components in which vulnerabilities have been detected.

 

    Portable Document Format

    Image Uploader Control Library

    getPlus+®

    VLC media player 2.0.6

    WinRAR archiver

    Shockwave Init

    Shockwave Init

    Shockwave Init

    Shockwave Init

    Flash Player 4.0 r28

 

Other issues (21)

 

Information about vulnerabilities associated with the settings of installed applications and the operating system.

 

    "Invalid EXE files association"

    "Invalid COM files association"

    "Invalid PIF files association"

    "Invalid BAT files association"

    "Invalid LNK files association"

    "Invalid SCR files association"

    "Invalid REG files association"

    "Service termination timeout is out of admissible values"

    "Autorun from hard drives is allowed"

    "Autorun from network drives is enabled"

    "CD/DVD autorun is enabled"

    "Removable media autorun is enabled"

    "Windows Explorer - show extensions of known file types"

    "Incorrect warning level for low disk space"

    "Microsoft Internet Explorer: clear history of typed URLs"

    "Microsoft Internet Explorer - disable caching data received via protected channel"

    "Microsoft Internet Explorer: disable sending error reports"

    "Microsoft Internet Explorer: clear the list of trusted domains"

    "Microsoft Internet Explorer: enable cache autocleanup on browser closing"

    "Windows Explorer: display of known file types extensions is disabled"

    "Microsoft Internet Explorer: start page reset"


> Yes, Curlew after the bird. I live on an estate where all the roads are named after birds: Eagle, Hawk, Osprey, Redpoll, Redstart and a few others. As you may have guessed, I live in Curlew Road. I have used Curlew as a name for many internet things; saying that, there is also someone else out there using it as their name.

 

Thanks.  I had never heard of a Curlew until there was one on my beach.  It was different from the usual gulls and pipers I always see, so I snapped its picture and an ornithologist told me what it was.  I hadn't seen it before, nor since.

 

You have a clean log, so are you satisfied that this issue is over?

 

BTW:  Upload (attachment) directions.

  • Create a new post.
  • Choose "More Reply Options" on the bottom right of the web form.
  • Now choose "Attach Files" on the bottom left of the web form.
  • Browse and find your TXT or LOG file.
  • Choose "Add Reply" and there's your post with your attachment(s).

Curlews are a little different! I guess it's the bill that does it. I have seen a few when we have been near the river or sea.

 

Yes, logs clean, and I have run a few other programs and deleted a pile of tracking cookies and suchlike; I also ran MS Fix it, which has sorted a few things, but I still CANNOT run Malwarebytes. I click to open and it terminates immediately with an MS message: "Malwarebytes has stopped working, looking for source ............."


Sorry for the late reply...

 

 

Download the MBAM Removal Tool.

 

Run it and when it requests a reboot, allow the PC to reboot.

 

Subsequently, re-install the software.  If you have paid for the Full Version, apply your license key.


Slow reply? According to the time-stamp you answered me 57 minutes before I asked the question.

 

I have removed MBAM with mbam-clean and reinstalled version 2.1.1.1001, which booted to the main screen then terminated trying to find updates; I removed it again with mbam-clean and installed version 2.0.2.1012, which again terminated when updating.


Well, you posted at 0709 hrs and I replied at 1835 hrs (my time zone, ~12 hrs later).

 

> I have removed MBAM with mbam-clean and reinstalled version 2.1.1.1001, which booted to the main screen then terminated trying to find updates; I removed it again with mbam-clean and installed version 2.0.2.1012, which again terminated when updating.

 

Is there a message that shows up, or when you choose to update does the window just disappear?

 

 

Let me get back to you on that.


MBAM is opening; database version v2014.03.04.09 is in the update field. Click Update and it cycles, then an MS window pops up saying Malwarebytes Anti-Malware has stopped working, followed by the usual MS info: a problem caused the program to stop working, will notify you of a solution. The same thing happens with the Fix Now button in MBAM, and then it closes.


  • Root Admin

Hello,

 

I've been asked to take a look and see if I can assist you with your issue going forward.

 

The logs indicate that you're running or have run at least 4 or 5 antivirus products and you still have some components from each of them running on the system.

 

What I would like to propose is that we do a clean removal of all of them, then choose which one you really want to use, install that one and get it configured; but we can do that later. For now please run the following.

 

 

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

Next:
 
Please Run TFC by OldTimer to clear temporary files:


  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.

 
 

 

Now restart the computer and then run the following.

 

 

Please download the attached fixlist.txt file and save it to the Desktop.
NOTE. It's important that both files, FRST or FRST64 and fixlist.txt are in the same location or the fix will not work.

NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.

Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.

Note: If the tool warned you about an outdated version please download and run the updated version.
 

 

fixlist.txt

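Added example, not code from this thread or from the Root Admin: before removing anything, it is worth confirming the two claims the post above rests on, namely that several antivirus products are registered and still have components running, and which Java versions Add/Remove Programs would show. The PowerShell below does that read-only inventory. It assumes Windows Vista or later (the root/SecurityCenter2 WMI namespace) and PowerShell 3 or later (Get-CimInstance); the productState byte layout is the community-documented decoding rather than an official API, the vendor keyword list is taken from the products named in this thread, and the function names are mine.

```powershell
# Added example for this thread (not the forum's or the poster's own code).
# Read-only inventory: nothing here uninstalls or stops anything.
# Assumes Vista+ (root/SecurityCenter2) and PowerShell 3+ (Get-CimInstance).

function Get-RegisteredAntivirus {
    # Security Center keeps one AntiVirusProduct record per registered product,
    # which is how several leftover products show up at once.
    # productState decoding (community-documented, assumption): as 6 hex digits,
    # digits 3-4 == '10' means real-time protection on, digits 5-6 == '00' means
    # signatures current.
    Get-CimInstance -Namespace 'root/SecurityCenter2' -ClassName 'AntiVirusProduct' |
        ForEach-Object {
            $hex = '{0:X6}' -f [int]$_.productState        # e.g. 041000
            [pscustomobject]@{
                Product   = $_.displayName
                Enabled   = ($hex.Substring(2, 2) -eq '10')
                UpToDate  = ($hex.Substring(4, 2) -eq '00')
                Exe       = $_.pathToSignedProductExe
                Timestamp = $_.timestamp
            }
        }
}

function Get-InstalledJava {
    # Same registry keys that Control Panel's Add/Remove reads, in both the
    # native and the 32-bit-on-64-bit (Wow6432Node) views.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'Java*' -or $_.DisplayName -like 'J2SE*' } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

function Get-VendorServices {
    # Services whose binary path mentions one of the vendors named in this
    # thread: these are the "components still running" after a partial removal.
    param([string[]]$Vendors = @('COMODO', 'Trend Micro', 'Kaspersky', 'Malwarebytes'))
    Get-CimInstance -ClassName 'Win32_Service' | ForEach-Object {
        $s = $_
        foreach ($v in $Vendors) {
            if ($s.PathName -like "*$v*") {
                [pscustomobject]@{
                    Vendor    = $v
                    Service   = $s.Name
                    State     = $s.State
                    StartMode = $s.StartMode
                    Path      = $s.PathName
                }
                break
            }
        }
    }
}

'--- Registered antivirus products (Security Center) ---'
Get-RegisteredAntivirus | Format-Table -AutoSize
'--- Installed Java versions (what Add/Remove Programs sees) ---'
Get-InstalledJava | Format-Table -AutoSize
'--- Services belonging to the vendors named in this thread ---'
Get-VendorServices | Sort-Object Vendor, Service | Format-Table -AutoSize
```

Run it before and after the cleanup the Root Admin describes. The first table should end up with exactly one product registered and enabled; a product that still appears there with no service in the third table, or the reverse, is the kind of half-removed leftover the post is talking about. The second table is the list to work through with Add/Remove Programs or JavaRa.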

  • Root Admin

Yes, the original site for the file went offline for some reason. Please try the following.

Ignore going into the Control Panel and just run the JavaRA tool.

 

Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.
 
Please download JavaRa-1.16 and save it to your computer.

  • Double click to open the zip file and then select all and choose Copy.
  • Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
  • Quit all browsers and other running applications.
  • Right-click on JavaRa.exe in RemoveJava folder and choose Run as administrator to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location and post it in your next reply.

Next:
 
Please Run TFC by OldTimer to clear temporary files:
  • Download TFC from here and save it to your desktop.
  • http://oldtimer.geekstogo.com/TFC.exe
  • Close any open programs and Internet browsers.
  • Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
  • Please be patient as clearing out temp files may take a while.
  • Once it completes you may be prompted to restart your computer, please do so.
  • Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.


 
 


  • Root Admin

Please visit this webpage and read the ComboFix User's Guide:

  • Once you've read the article and are ready to use the program you can download it directly from the link below.
  • Important! - Please make sure you save combofix to your desktop and do not run it from your browser
  • Direct download link for: ComboFix.exe
  • Please make sure you disable your security applications before running ComboFix.
  • Once Combofix has completed it will produce and open a log file.  Please be patient as it can take some time to load.
  • Please attach that log file to your next reply.
  • If needed the file can be located here:  C:\combofix.txt
  • NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.


 


This topic is now closed to further replies.