curlew Posted September 26, 2014 ID:883365
I suspect I have had a long-term virus, malware or similar issue with this computer, which is mainly used by my wife and download-happy boy; I seldom use it. I did notice several months ago that Comodo AV/IS wasn't working; this I sorted at the time, with some strong words to my other half and boy about using computers without AV running. Malwarebytes will not run and hasn't for some time; also other software or programs that might rid me of the issue won't run or terminate part way. Kaspersky free has come up today 26/9/14 with 3 malware, see below, but I can't see these when I search manually in said locations:

Trojan.Win32.Buzus.uuzf  Setup.exe  C:\Users\HAYDEN\Downloads
HEUR:Trojan.Win32.Generic  {AF5ACB7C-8E04-43A1-8B38-A8050A0977B3}  C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data
Trojan.Win32.Buzus.uuzf  Setup.exe  C:\Documents and Settings\HAYDEN\Downloads

Attachments: FRST.txt, Addition.txt
David H. Lipman Posted September 26, 2014 ID:883438
When looking at your data, you indicated the Kaspersky online scanner flagged...
C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data
for a HEURistic trojan, but it is ..\COMODO\Cis\Quarantine\data
That's telling me that Kaspersky flagged something in Comodo's Quarantine. I also see Comodo's anti-virus solution is installed. But I also see Trend Micro. Out of the two, I suggest sticking with Comodo and removing Trend Micro's software.
What is found in the quarantine is safe. You can keep it there and it isn't affecting your computer, nor can it re-infect your computer. You may wish to purge the Comodo Quarantine just to eliminate that as a factor.
Then you can manually DELETE C:\Users\HAYDEN\Downloads\Setup.exe
curlew (Author) Posted September 26, 2014 ID:883492
Trend Micro is the online scanner HouseCall; RUBotted is running at present. Strange thing is, C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data is not showing in the quarantine area of Comodo, even though a few other things are. C:\Users\HAYDEN\Downloads\Setup.exe is also not visible in the Downloads folder; I have made hidden folders visible. As I can't delete any of the above, the computer is still in the original state as at my first contact.
David H. Lipman Posted September 26, 2014 ID:883525
You are running Vista. That means C:\Users\HAYDEN is the real profile. You have references to C:\Documents and Settings\HAYDEN\ which is a link back to your profile for older programs that want Windows XP or an older OS. Therefore
C:\Documents and Settings\HAYDEN\Downloads
is equivalent to...
C:\Users\HAYDEN\Downloads
What you think are two detections is the same thing, so in effect it is one detection. The thing is, if you can not actually see the files, are they ghost detections? One way to make sure is to open a Command Prompt (execute: CMD.EXE). In the command prompt enter the following commands...
cd C:\Users\HAYDEN\Downloads
attrib -r -h -s *.*
then
DIR Setup.exe
Is it there?
curlew (Author) Posted September 26, 2014 ID:883542
Returning "file not found".
David H. Lipman Posted September 26, 2014 ID:883555
It is looking like an apparition. Here is another test...
Create: C:\Users\HAYDEN\Downloads\TEST.TXT
then rename TEST.TXT to SETUP.EXE
Can you do it?
curlew (Author) Posted September 27, 2014 ID:883776
OK, so I made a folder in Downloads, test.txt, then renamed it setup.exe.
David H. Lipman Posted September 27, 2014 ID:883790
Did you create a FOLDER or a FILE? I am sorry if I was unclear, but I wanted you to create a FILE and rename that file.
curlew (Author) Posted September 27, 2014 ID:883806
My apologies, I made a FOLDER; have now made a FILE.
David H. Lipman Posted September 27, 2014 ID:883808
OK. So you were able to create a FILE named SETUP.EXE in C:\Users\HAYDEN\Downloads. Therefore C:\Users\HAYDEN\Downloads\Setup.exe was a ghost. We made sure there was no Hidden-System file of that name, and you can't create a file whose name already exists.
The next thing to do is close all programs and background application stubs and re-run the Kaspersky scanner that started this all. If possible, attach the final LOG file of that scan.
EDIT: Come to think of it, if a FOLDER exists by a particular name you can't create a FILE of that name. Inversely, if a FILE exists by a particular name you can't create a FOLDER of that name.
BTW: on another note... Your 'nym CURLEW. Is that like the below?
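As an added example (not code from the thread), the Python below does in one place what David's two checks do by hand: it folds the "Documents and Settings" junction spelling back onto C:\Users so the two Kaspersky lines collapse into one detection, probes the path the way `attrib -r -h -s` plus `DIR` does, and tries the exclusive file creation that the TEST.TXT rename test relies on. The sample detection records are constructed from the thread's own paths; the function names and the temp-folder demo are this example's own.

```python
import os
import re
import stat
import tempfile
# Constructed sample shaped like the Kaspersky report: (detection, file, folder)
SAMPLE_DETECTIONS = [
    ("Trojan.Win32.Buzus.uuzf", "Setup.exe", r"C:\Users\HAYDEN\Downloads"),
    ("HEUR:Trojan.Win32.Generic", "{AF5ACB7C-8E04-43A1-8B38-A8050A0977B3}",
     r"C:\Documents and Settings\All Users\COMODO\Cis\Quarantine\data"),
    ("Trojan.Win32.Buzus.uuzf", "Setup.exe", r"C:\Documents and Settings\HAYDEN\Downloads"),
]
# On Vista and later "C:\Documents and Settings" is a junction to "C:\Users"
_LEGACY_PROFILE_ROOT = re.compile(r"^([a-z]:)\\documents and settings(\\|$)", re.I)

def normalize_path(path):
    # Rewrite the junction prefix; lower-case since NTFS names are case-insensitive
    return _LEGACY_PROFILE_ROOT.sub(r"\1\\Users\2", path.rstrip("\\")).lower()

def dedupe_detections(detections):
    # {normalized full path: [detection names]}: two spellings of one file merge
    merged = {}
    for name, fname, folder in detections:
        names = merged.setdefault(normalize_path(folder + "\\" + fname), [])
        if name not in names:
            names.append(name)
    return merged

def probe(path):
    # attrib/DIR check: "hidden" = Explorer hid a Hidden/System file; "absent" = ghost
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return "absent"
    attrs = getattr(st, "st_file_attributes", 0)  # populated on Windows only
    if attrs & (stat.FILE_ATTRIBUTE_HIDDEN | stat.FILE_ATTRIBUTE_SYSTEM):
        return "hidden"
    return "present"

def can_create_file(path):
    # rename test: exclusive create fails if a file OR folder exists; cleans up after
    try:
        fd = os.open(path, os.O_CREAT | os.O_EXCL | os.O_WRONLY)
    except FileExistsError:
        return False
    os.close(fd)
    os.remove(path)
    return True

def demo_in_tempdir():
    # Both checks on a constructed folder: one real file, one missing Setup.exe
    with tempfile.TemporaryDirectory() as d:
        real, ghost = os.path.join(d, "present.txt"), os.path.join(d, "Setup.exe")
        open(real, "w").close()
        return {"real": (probe(real), can_create_file(real)),
                "ghost": (probe(ghost), can_create_file(ghost))}
```

On a Windows box, `probe` reports "hidden" for a file that only looks missing because of its attributes, which is exactly what the `attrib -r -h -s` step rules out before the "ghost" conclusion is drawn.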
curlew (Author) Posted September 28, 2014 ID:884077
Yes, Curlew after the bird. I live on an estate where all the roads are named after birds: eagle, hawk, osprey, redpoll, redstart, and a few others. As you may have guessed, I live in Curlew Road. I have used Curlew as a name for many internet things; saying that, there is also someone else out there using it as their name.

Attached Kaspersky log. Seems I can't upload or paste the Kaspersky results; I get a "you aren't permitted to do" this or that message in red on the Malwarebytes forum.
curlew (Author) Posted September 28, 2014 ID:884080
Computer protection (0)
Information about anti-virus software and firewalls installed on the computer.
Malware (0)
Information about malware detected on the computer.
Vulnerabilities (10)
Information about applications and operating system components in which vulnerabilities have been detected.
Portable Document Format
Image Uploader Control Library
getPlus+®
VLC media player 2.0.6
WinRAR archiver
Shockwave Init
Shockwave Init
Shockwave Init
Shockwave Init
Flash Player 4.0 r28
Other issues (21)
Information about vulnerabilities associated with the settings of installed applications and the operating system.
"Invalid EXE files association"
"Invalid COM files association"
"Invalid PIF files association"
"Invalid BAT files association"
"Invalid LNK files association"
"Invalid SCR files association"
"Invalid REG files association"
"Service termination timeout is out of admissible values"
"Autorun from hard drives is allowed"
"Autorun from network drives is enabled"
"CD/DVD autorun is enabled"
"Removable media autorun is enabled"
"Windows Explorer - show extensions of known file types"
"Incorrect warning level for low disk space"
"Microsoft Internet Explorer: clear history of typed URLs"
"Microsoft Internet Explorer - disable caching data received via protected channel"
"Microsoft Internet Explorer: disable sending error reports"
"Microsoft Internet Explorer: clear the list of trusted domains"
"Microsoft Internet Explorer: enable cache autocleanup on browser closing"
"Windows Explorer: display of known file types extensions is disabled"
"Microsoft Internet Explorer: start page reset"
David H. Lipman Posted September 28, 2014 ID:884104
> Yes, Curlew after the bird. I live on an estate where all the roads are named after birds: eagle, hawk, osprey, redpoll, redstart, and a few others. As you may have guessed, I live in Curlew Road. I have used Curlew as a name for many internet things; saying that, there is also someone else out there using it as their name.

Thanx. I had never heard of a Curlew until there was one on my beach. It was different than the usual Gulls and Pipers I always see, so I snapped its picture and an ornithologist told me what it was. I hadn't seen it before nor since.
You have a clean log, so are you satisfied that this issue is over?
BTW: Upload (attachment) directions.
Create a new post.
Choose "More Reply Options" on the bottom right of the web form.
Now choose "Attach Files" on the bottom left of the web form.
Browse and find your TXT or LOG file.
Choose "Add Reply" and there's your post with your attachment(s).
curlew (Author) Posted September 29, 2014 ID:884495
Curlews are a little different! I guess it's the bill that does it; I have seen a few when we have been near the river or sea. Yes, logs clean, and I have run a few other programs and deleted a pile of tracking cookies and such like, also run MS Fixit which has sorted a few things, but I still CAN NOT run Malwarebytes. I click to open and it terminates immediately with an MS message: "malwarebytes has stopped working, looking for source ............."
David H. Lipman Posted September 29, 2014 ID:884713
Sorry for the late reply...
Download the MBAM Removal Tool. Run it and when it requests a reboot, allow the PC to reboot.
Subsequently, re-install the software. If you have paid for the Full Version, apply your license key.
curlew (Author) Posted September 30, 2014 ID:884864
Slow reply? According to the time-stamp you answered me 57 minutes before I asked the question. I have removed MBAM with mbam-clean and reinstalled version 2.1.1.1001, which booted to the main screen then terminated trying to find updates. I removed again with mbam-clean and installed version 2.0.2.1012, which again terminated when updating.
David H. Lipman Posted September 30, 2014 ID:884874
Well, you posted at 0709 hrs and I replied at 1835 hrs (my time zone, ~12 hrs later).
> I have removed MBAM with mbam-clean and reinstalled version 2.1.1.1001, which booted to the main screen then terminated trying to find updates. I removed again with mbam-clean and installed version 2.0.2.1012, which again terminated when updating.

Is there a message that shows up, or when you choose to update the window just disappears? Let me get back to you on that.
curlew (Author) Posted September 30, 2014 ID:884952
MBAM is opening; database version v2014.03.04.09 is in the update field. Click update and it cycles, then an MS window pops up saying "Malwarebytes Anti-Malware has stopped working", followed by the usual MS info: a problem caused the program to stop working, will notify you of a solution. The same thing happens with the Fix Now button in MBAM, and then it closes.
David H. Lipman Posted September 30, 2014 ID:885005
I have contacted a Malwarebytes employee (who is also the forum administrator) and he will assist you with the MBAM terminating-upon-updating issue.
AdvancedSetup (Root Admin) Posted September 30, 2014 ID:885029
Hello, I've been asked to take a look and see if I can assist you with your issue going forward.
The logs indicate that you're running or have run at least 4 or 5 antivirus products and you still have some components from each of them running on the system. What I would like to propose is that we do a clean removal of all of them and then choose which one you really want to use, then install that one and get it configured, but we can do that later.
For now please run the following.
Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.
Please download JavaRa-1.16 and save it to your computer.
Double click to open the zip file and then select all and choose Copy.
Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
Quit all browsers and other running applications.
Right-click on JavaRa.exe in the RemoveJava folder and choose Run as administrator to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it in your next reply.
Next: Please run TFC by OldTimer to clear temporary files:
Download TFC from here and save it to your desktop: http://oldtimer.geekstogo.com/TFC.exe
Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer; please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.
Now restart the computer and then run the following.
Please download the attached fixlist.txt file and save it to the Desktop.
NOTE: It's important that both files, FRST or FRST64 and fixlist.txt, are in the same location or the fix will not work.
NOTICE: This script was written specifically for this user, for use on this particular machine. Running this on another machine may cause damage to your operating system.
Run FRST or FRST64 and press the Fix button just once and wait.
If the tool needs a restart please make sure you let the system restart normally and let the tool complete its run after restart.
The tool will make a log on the Desktop (Fixlog.txt). Please attach or post it to your next reply.
Note: If the tool warned you about an outdated version please download and run the updated version.
Attachment: fixlist.txt
curlew (Author) Posted October 1, 2014 ID:885365
Add/Remove: I assume you mean to remove Java from Programs, as I have nothing in Control Panel saying Add/Remove. This link returns "file not found": JavaRa-1.16
AdvancedSetup (Root Admin) Posted October 2, 2014 ID:885642
Yes, the original site for the file went offline for some reason. Please try the following. Ignore going into the Control Panel and just run the JavaRa tool.
Please go into Control Panel, Add/Remove and uninstall ALL versions of Java and then run the following.
Please download JavaRa-1.16 and save it to your computer.
Double click to open the zip file and then select all and choose Copy.
Create a new folder on your Desktop named RemoveJava and paste the files into this new folder.
Quit all browsers and other running applications.
Right-click on JavaRa.exe in the RemoveJava folder and choose Run as administrator to start the program.
From the drop-down menu, choose English and click on Select.
JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
A logfile will pop up. Please save it to a convenient location and post it in your next reply.
Next: Please run TFC by OldTimer to clear temporary files:
Download TFC from here and save it to your desktop: http://oldtimer.geekstogo.com/TFC.exe
Close any open programs and Internet browsers.
Double click TFC.exe to run it on XP (for Vista and Windows 7 right click and choose "Run as administrator") and once it opens click on the Start button on the lower left of the program to allow it to begin cleaning.
Please be patient as clearing out temp files may take a while.
Once it completes you may be prompted to restart your computer; please do so.
Once it's finished you may delete TFC.exe from your desktop or save it for later use for the cleaning of temporary files.
curlew (Author) Posted October 2, 2014 ID:885819
Done the above. I cannot locate the JavaRa log; it also didn't show up on the screen when it finished scanning, even though the message said it would. Have also tried a search.
AdvancedSetup (Root Admin) Posted October 3, 2014 ID:885969
Please visit this webpage and read the ComboFix User's Guide. Once you've read the article and are ready to use the program you can download it directly from the link below.
Important! Please make sure you save ComboFix to your desktop and do not run it from your browser.
Direct download link for: ComboFix.exe
Please make sure you disable your security applications before running ComboFix.
Once ComboFix has completed it will produce and open a log file. Please be patient as it can take some time to load. Please attach that log file to your next reply. If needed the file can be located here: C:\combofix.txt
NOTE: If you receive the message "illegal operation has been attempted on a registry key that has been marked for deletion", just reboot the computer.
curlew (Author) Posted October 3, 2014 ID:886011
Attached ComboFix log: combofix log 3 10 14.txt