Goored?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by bingo, Feb 7, 2009.

  1. bingo

    bingo Private E-2

    Hi Nice People,
    I've picked up the goored "google redirect"... searched MG forums but find no mention of it. Googling it on my other computer I see it's been around for at least a few months but doesn't seem a major threat, just a pain. I'm poking around with the usual interminable scans... can anyone shed any light?
    -kevin
     
  2. bingo

    bingo Private E-2

    Google redirect

    Hi Good People,
    I thought earlier my "goored" post might be an appropriate sidestep but I see it's maybe more complex than I thought.

    I have followed the R n R me guide rigorously and am attaching the files in 2 messages. The scans apparently found nothing.

    This search-redirect issue is new for me on an old computer so we can't blame Dell ;-)

    I can't think of anything weird I did that might have triggered it.

    YIKES! while i was typing the previous I somehow downloaded the firefox update which will install itself next time I start.

    Here is some detail of the problem:
    a) I do a google search on "senator"
    b) hover on a result and the url shown at the bottom of firefox reflects the url shown in google (www.senate.gov)
    c) click and hold and said url shows:
    http://ad4.doubleclicker.net/c.php?...f=http://senator.liquidatedlots.com/index.php
    d) on mouseup, that ends up at www.monstermarketplace.com
    e) just another example, a similar series for search = "fairlane", pointed at "www.shopfairlane.com", dumped me out at http://www.bizrate.com/automotiveparts/products__keyword--fairlane.html
    f) Note this doesn't happen EVERY time, but more often than not. Shame on bizrate!

    My computer does not seem to have any other problem.

    Um, apologies for my still very overburdened desktop! I'm whittling it down but I have to work slowly or I'll lose track of a bunch of projects...

    Thanks for doing what you do!!!
    -k
     

    Attached Files:

  3. bingo

    bingo Private E-2

    Redirect redux: SASLog and qoobox question

    oh, I almost forgot: I've seen nothing anywhere at MG or in my previous cleanup about Qoobox, a folder created in my root directory apparently by combofix, seeming to include quarantine and some odds: what to do with it when this is all over?

    Here's the SASLog, thanks!
    -k
     

    Attached Files:

  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you have picked up one of the more recent forms of DNS hijackers, this infection is known to infect router hardware. If you have a router hooked up then you need to follow the instructions for your hardware and reset it to factory default settings. Normally there is a recessed push button type switch that needs to be held down for some number of seconds to do this. After resetting to factory defaults on your router, you will need to reconfigure the router for your network if you have made any changes to the default network setup.

    If the above does not help then you should do 100% of the below and then repeat the above.

    Please follow the instructions in the READ & RUN ME FIRST link given further down and attach the requested logs when you finish these instructions.
    • If you have problems where no tools seem to run, please try following the steps given below and then continue on no matter what you find. You only need to try the TDSSserv steps if having problems getting scans in the Read & Run Me First.
    • If something does not run, write down the info to explain to us later but keep on going.
    • Do not assume that because one step does not work that they all will not.
    READ & RUN ME FIRST. Malware Removal Guide
    • After completing the READ & RUN ME and attaching your logs, make sure that you tell us what problems still remain ( if any still do )!
    Helpful Notes:


    1. If you run into problems trying to run the READ & RUN ME or any of the scans in normal boot mode, you can run the steps in safe boot mode but make sure you tell us what you did later when you post logs. See the below if you do not know how to boot in safe mode:
    2. If you have problems downloading on the problem PC, download the tools and the manual updates for SUPERAntiSpyware, Malwarebytes and Spybot ( links are given in the READ & RUN ME) onto another PC and then burn to a CD. Then copy them to the problem PC. You will have to skip getting updates if (and only if) your internet connection does not work. Yes you could use a flash drive too but flash drives are writeable and infections can spread to them.
    3. To avoid additional delay in getting a response, it is strongly advised that after completing the READ & RUN ME you also read this sticky:
    Any additional post is a bump which will add more delay. Once you attach the logs, your thread will be in the work queue and as stated our system works the oldest threads FIRST.
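The router advice above stops at "reset to factory defaults". As an added example (not from the thread and not part of MajorGeeks' tools), the Python below parses the output of `ipconfig /all` on the Windows client and flags DNS servers that are neither on the local subnet (normally the router itself) nor on a caller-supplied allowlist of the ISP's resolvers, which is how a DNS-hijacked router shows up from the client side. The ipconfig text is constructed sample output, and the second DNS server, 203.0.113.53, is a documentation-range placeholder, not an address from the thread.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output for a Windows XP client behind a home
# router (not taken from the thread's logs). The second DNS server,
# 203.0.113.53, is a documentation-range placeholder standing in for an
# address a tampered router might hand out.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : presario
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : home
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
                                            203.0.113.53
"""

# A labelled field: "Label . . . . : value" (the label holds no dots/colons)
FIELD = re.compile(r"^\s*([A-Za-z][^.:]*?)[ .]*:\s*(.*)$")


def parse_ipconfig(text):
    """Pull ip, mask, gateway and the DNS server list out of ipconfig output.

    'DNS Servers' may continue on following lines that carry only an
    address, so collection stays on until the next labelled field or a
    blank line. The sample has one adapter; with several, the last wins."""
    fields = {"ip": None, "mask": None, "gateway": None, "dns": []}
    collecting = False
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            label, value = m.group(1).strip(), m.group(2).strip()
            collecting = label.startswith("DNS Servers")
            if label.startswith("IP Address"):
                fields["ip"] = value
            elif label.startswith("Subnet Mask"):
                fields["mask"] = value
            elif label.startswith("Default Gateway"):
                fields["gateway"] = value
            elif collecting and value:
                fields["dns"].append(value)
        elif collecting and line.strip():
            # continuation line of the DNS Servers field: address only
            fields["dns"].append(line.strip())
        else:
            collecting = False
    return fields


def unexpected_dns(fields, expected=()):
    """DNS servers that are neither on the local subnet (normally the router
    itself) nor in the caller's allowlist of the ISP's known resolvers.
    Anything returned deserves a look at the router's DNS settings; it is a
    lead, not proof, since some routers legitimately pass ISP servers on."""
    lan = ipaddress.ip_network(f"{fields['ip']}/{fields['mask']}", strict=False)
    flagged = []
    for server in fields["dns"]:
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            flagged.append(server)  # not even an address: worth a look
            continue
        if ip not in lan and server not in expected:
            flagged.append(server)
    return flagged


if __name__ == "__main__":
    info = parse_ipconfig(SAMPLE_IPCONFIG)
    print("gateway:", info["gateway"], "dns:", info["dns"])
    print("unexpected DNS servers:", unexpected_dns(info))
```

Run it against a saved `ipconfig /all > ipconfig.txt` from the affected PC; pass the ISP's published resolvers in `expected` so only servers you cannot account for are reported.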
     
  5. bingo

    bingo Private E-2

    Thanks for the router info, I'll prepare for that... this thread should be deprecated in favor of my newer thread "Google redirect" 02-07-09, 17:39
    chaslang rocks!
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Did you reset your router to factory defaults yet? If not, please do so.

    Your logs are not showing any problems; however you did not download the current version of MGtools as requested in the READ & RUN ME. You will need to install the current version and give us a new log after doing the below.

    First tell me why the below file has a date that is over a year into the future?
    Code:
    2010-08-01 07:46 . 2010-08-01 07:46 136,976 --a-- c:\windows\system32\SfxBar.dll
    Did you install Dockable Tools Library from Software FX, Inc ?



    I strongly advise you to cleanup your Desktop. Remove everything but links to run programs. Do not download and save programs here and definitely do not use it for long term storage. You need to keep ComboFix.exe here for now as we need it, but we will be removing it when we are finished with your cleanup. A cluttered Desktop is malware's playground and it can also cause performance degradation especially when you start saving large files here like you are doing.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Run C:\MGtools\analyse.exe by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator). This is really HijackThis (select Do a system scan only) and select the following lines but DO NOT CLICK FIX until you exit all browser sessions including the one you are reading in right now:

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q106&bd=presario&pf=desktop
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local

    After clicking Fix, exit HJT.



    Now we need to Reset Web Settings:
    1. If you have an Internet Explorer icon on your Desktop, goto step 2. If not, skip to step 3.
    2. Now right click on your desktop Internet Explorer icon and select Properties. Then click the Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK. Then skip step 3.
    3. If you do not have an Internet Explorer icon on your Desktop, click Start, Control Panel (for some systems it may be Start, Settings, Control Panel), Internet Options, Programs tab and then click "Reset Web Settings". Now go back to the General tab and set your home page address to something useful like www.majorgeeks.com. Click Apply. Click Delete Cookies, Click Delete Files and select Delete all Offline content too, Click OK. When it finishes Click OK.
    Note for IE 7 users: You need to select Internet Options then the Advanced tab and then Reset Internet Explorer Settings!



    Click Start > Run and type in cmd
    • Click OK.
    • This will open a command prompt.
    • Type or copy and paste the following line in the command window:
      ipconfig /flushdns
    • Hit Enter
    • Exit the command window
    Now download HostsXpert and then follow the below steps.
    • Unzip HostsXpert.zip
    • It will create a folder named HostsXpert in whatever folder you extract it to.
    • Run HostsXpert.exe by double clicking on it.
    • Click the Make Writeable? button. (if you only see a Make Read-Only selection, it is already writeable so skip this button).
    • Click Restore Microsoft's Hosts File and then click OK.
    • Click the X to exit the program
    Now run Ccleaner!


    Now goto this link Using MGtools and download the new version of MGtools.exe from the black bold print link in the first sentence. Overwrite your previous MGtools.exe file with this one.

    Run MGtools.exe ( Note: If using Vista make sure UAC is still disabled. Also don't double click on it, use right click and select Run As Administrator )



    Now attach the below log:
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  8. bingo

    bingo Private E-2

    OK Chas, that was not as scary as it looked!

    Done
    Oops... I thought it updated!
    1) I have no idea 2) I don't think so
    Working on that: I have to go slow or I'll lose track of a bunch of projects...
    Done and done
    Done and done
    This seemed a strange result: I now have a "sample hosts file" with 2 probably spurious entries and that's it.

    Done... is there a way to restore defaults in ccleaner? I had all boxes checked for this run, but in the past I've unchecked a couple of boxes and couldn't see a way to restore defaults...

    Something else: I'm running Firefox 3 and after all this it's still offering lots of autocompletes in the url field (tho some have gone)
    Well, I still get that "http://ad4.doubleclicker.net/c.php?url=http://www.blablabla" in the destination field when I click on a google search result, but it hasn't actually executed a redirect (yet)...

    I suppose I should have mentioned earlier that there's a small household network, with this computer, a linux box, and a Mac G4 wired in and my winXP laptop and housemate's ibook hitting it wirelessly. I need to reset our WEP passwords after the router reset... and firefox updated itself on my laptop without asking permission, which it's never done before, but the autoupdate might have reset when I upgraded to firefox 3.0.5 a couple weeks ago...

    so, well, here's the log, my friend: what next?
     

    Attached Files:

  9. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not sure what you mean. The default host file that was restored should have a bunch of comment lines (lines beginning with a # are comment lines) at the top and then just one line showing 127.0.0.1 localhost

    Your DEFAULT hosts file should look like the below code box:
    Code:
    # Copyright (c) 1993-1999 Microsoft Corp.
    #
    # This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
    #
    # This file contains the mappings of IP addresses to host names. Each
    # entry should be kept on an individual line. The IP address should
    # be placed in the first column followed by the corresponding host name.
    # The IP address and the host name should be separated by at least one
    # space.
    #
    # Additionally, comments (such as these) may be inserted on individual
    # lines or following the machine name denoted by a '#' symbol.
    #
    # For example:
    #
    #      102.54.94.97     rhino.acme.com          # source server
    #       38.25.63.10     x.acme.com              # x client host
    127.0.0.1       localhost
    Not that I know of anywhere. Uninstalling, deleting the CCleaner folders and then reinstalling may do this as long as they do not store all settings in the registry and they do not forget to remove them.


    I'm not sure what you mean by this. Could you elaborate.


    What do you mean by destination field? Do you mean the status bar at the bottom of the browser window?

    Are you having browser redirect issues? If yes, please download the current version of MGtools just released that may help us locate potential issues with FireFox browser redirection. So download this MGtools.exe to the root folder of your C drive overwriting the old version. Then run it and attach the new MGlogs.zip file.
     
  10. bingo

    bingo Private E-2

    OK, did that, hosts looks fine, I just thought there'd be more of it.

    In the url field where I enter my target url, firefox seems to remember a lot of urls I have previously visited even after running ccleaner.

    Yes, by destination field I meant the status bar at the bottom of the browser window.

    Yes, still having search redirect issues.
    New mglogs attached

    thank you chas!
     

    Attached Files:

    Last edited: Feb 12, 2009
  11. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    There will be when you reimmunize with Spybot. ;)

    This is not a malware issue. Check your settings in CCleaner on the Applications tab.

    Where are you being redirected to? What do you put in for a URL and where do you go?
    Have you tried using IE to see if it also happens with it? If not, please try it.
    Also check with both browsers to see if the problem happens in safe boot mode.
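As an added example, not part of the thread, the Python below does the two hosts-file checks that posts 9 and 11 describe by hand: confirm that a restored hosts file is the Microsoft default (comments plus a single localhost line), and tell apart the benign lines Spybot's immunization adds (names black-holed to loopback or 0.0.0.0, which only block a name) from the kind of entry a hijacker plants (a name sent to some other address, which redirects). Both hosts files below are constructed; the address 198.51.100.7 is a documentation-range placeholder.

```python
import ipaddress

# Abridged Windows XP default hosts file (comment block shortened), the file
# HostsXpert restores: exactly one mapping, localhost to loopback.
DEFAULT_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# (comment block abridged)
127.0.0.1       localhost
"""

# Constructed hosts file for the audit. 198.51.100.7 is a documentation-range
# placeholder for "some other machine"; the names are taken from the thread.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
# Spybot-style immunization lines: names black-holed, nothing is reachable
127.0.0.1       ad4.doubleclicker.net
0.0.0.0         zfsearch.com
# Hijack-style lines: names sent to another machine
198.51.100.7    www.google.com          # inline comment is ignored
198.51.100.7    update.microsoft.com  www.microsoft.com
not-an-ip       example.invalid
"""


def parse_hosts(text):
    """Return (address, hostname) pairs in file order, ignoring comments and
    blank lines. One line may map an address to several names."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            entries.append((addr, name.lower()))
    return entries


def is_default_hosts(text):
    """True when the only mapping is localhost -> 127.0.0.1 (the XP default)."""
    return parse_hosts(text) == [("127.0.0.1", "localhost")]


def classify_hosts(text):
    """Sort mappings into four buckets:
    expected  - localhost pointed at a loopback address
    blackhole - any other name pointed at loopback or 0.0.0.0 (blocking only)
    redirect  - a name pointed at a real address: the hijack pattern
    malformed - first column is not an IP address at all"""
    result = {"expected": [], "blackhole": [], "redirect": [], "malformed": []}
    for addr, name in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            result["malformed"].append((addr, name))
            continue
        if ip.is_loopback and name == "localhost":
            result["expected"].append((addr, name))
        elif ip.is_loopback or ip.is_unspecified:
            result["blackhole"].append((addr, name))
        else:
            result["redirect"].append((addr, name))
    return result


if __name__ == "__main__":
    print("default file?", is_default_hosts(DEFAULT_HOSTS))
    for bucket, items in classify_hosts(SAMPLE_HOSTS).items():
        print(f"{bucket}: {len(items)}")
        for addr, name in items:
            print(f"    {addr:<16} {name}")
```

On the machine itself the file is `%SystemRoot%\system32\drivers\etc\hosts`; read it and feed the text to `classify_hosts`. A long `blackhole` list after immunizing with Spybot is expected, as post 11 says; anything in `redirect` is worth explaining before the file is trusted.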
     
  12. bingo

    bingo Private E-2

    Thanks Chas, the behavior which I explained in my first post has not changed at all. This does not happen with IE, only with Ffox and only in Google, and does happen in safe mode. Let me try to explain it less confusedly:

    Example (really happened):
    1) I point ffox at google, search for "senator"
    2) choosing the first result, on mouseover, the status bar shows the correct url (www.senate.gov)
    3) on mousedown, the statusbar shows http://ad4.doubleclicker.net/c.php?...f=http://senator.liquidatedlots.com/index.php
    4) on mouseup, firefox goes to http://www.monstermarketplace.com/
    5) This happens the first time only: subsequently the sequence is repeatable through step 3, but at step four, on mouseup ffox goes to www.senate.gov as it should.

    The sequence I just described is what happened a week ago. Today, with the same google search, at step 3 mousedown I get http://ad4.doubleclicker.net/c.php?...&rf=http://senator.postenkontor.com/index.php and at mouseup ffox goes www.senate.gov

    Note the weird url stuff happens with every search I do, but actual redirect happens only occasionally.

    Using for example the url www.SAMPLE.com, the url switch is always in the form of http://ad4.doubleclicker.net/c.php?...&rf=http://SAMPLE.SOMEOTHERSITE.com/index.php

    My guess is that doubleclicker is selling my hits to liquidatedlots who are in turn selling them to monstermarketplace, bizrate, etc...

    As for "(in the address bar) firefox seems to remember a lot of urls I have previously visited even after running ccleaner."
    you said
    "This is not a malware issue. Check your settings in CCleaner on the Applications tab."

    I did, and they're set to clear everything including recently-typed urls from IE, but the ccleaner settings for firefox offer no such option. I ran ccleaner with every button checked except the 2 shortcut boxes in "system" and the entire "advanced" section. Using ffox's "clear private data" tool also clears much, but not all, of this stuff (ie fewer options for autocomplete in the address bar). Occasionally one of these options looks suspect to me and I'm concerned that this is somehow related to whatever caused my google redirect issues. Odd things flickering through the status-bar as well, especially when entering or leaving a google results page... why would this show "waiting for zfsearch.com"? Please excuse my ignorance about this stuff; this is an area where I veer from quite clever to weirdly superstitious... Do I need to worry about the other computers on our small network? Should I sacrifice a chicken to my internet cache?

    I'm going to go ahead and immunize with spybot and then carry on til I hear from you. Thanks as always!
     
    Last edited: Feb 14, 2009
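The sequence in post 12 (hover shows the promised host, mousedown shows a third-party redirector with the intended page in its rf= parameter, mouseup sometimes lands somewhere else) can be checked mechanically. The Python below is an added example, not something the thread or GooredFix does: it compares the three hosts, extracts the embedded target, and treats a same-site redirector as benign (Google's own url?q= click tracking also rewrites result links on mousedown) while flagging a swap to a third-party host. The event lists are constructed; the real query string in the post was truncated, so the parameter a=1 is a placeholder.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed status-bar observations for one search result, modelled on the
# post above. "a=1" stands in for the truncated part of the real query string.
HIJACKED_CLICK = [
    ("mouseover", "http://www.senate.gov/"),
    ("mousedown", "http://ad4.doubleclicker.net/c.php?a=1"
                  "&rf=http://senator.liquidatedlots.com/index.php"),
    ("navigated", "http://www.monstermarketplace.com/"),
]

# Constructed benign case: the search engine's own click-tracking redirector
# (same host as the results page) that ends at the promised site.
TRACKED_CLICK = [
    ("mouseover", "http://www.senate.gov/"),
    ("mousedown", "http://www.google.com/url?q=http://www.senate.gov/"),
    ("navigated", "http://www.senate.gov/"),
]


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def embedded_target(url, params=("rf", "q", "url")):
    """Return the destination URL carried in a redirector's query string
    under one of the usual parameter names (rf= in the thread), or None."""
    qs = parse_qs(urlsplit(url).query)
    for p in params:
        if qs.get(p):
            return qs[p][0]
    return None


def analyse_click(observed, search_host="www.google.com"):
    """Compare the href promised on hover, the href present at mousedown and
    the page finally loaded.

    third_party_swap: the href changed to a host that is neither the
    promised site nor the search engine itself. That is the signature the
    user describes, and it holds even when the chain 'passes through' and
    ends at the right page, which is why the redirect was only seen sometimes.
    landed_elsewhere: the browser ended up on a different site altogether."""
    events = dict(observed)
    hover = host_of(events["mouseover"])
    down = host_of(events["mousedown"])
    landed = host_of(events.get("navigated", events["mousedown"]))
    return {
        "hover_host": hover,
        "mousedown_host": down,
        "landed_host": landed,
        "embedded_target": embedded_target(events["mousedown"]),
        "third_party_swap": down not in (hover, search_host),
        "landed_elsewhere": landed != hover,
    }


if __name__ == "__main__":
    for label, clicks in (("hijacked", HIJACKED_CLICK), ("tracked", TRACKED_CLICK)):
        print(label, analyse_click(clicks))
```

The check only needs the three URLs the user already reads off the status bar, so it works from notes or a proxy log as well as from a live browser. Because the swap happens client-side at mousedown, a `third_party_swap` that vanishes when JavaScript is disabled points at script running in the browser rather than at DNS or the hosts file.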
  13. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing anything in your logs that indicates a problem. Are you actually being hijacked to incorrect websites or do the links still take you to the correct addresses?


    I would like to get some more info on the c:\windows\system32\SfxBar.dll file that I asked about earlier. Right click Start and select Explore to bring up Windows Explorer. Use it to navigate to the file and right click on it and select Properties. Now see if there is a Version tab in the window. If so, select the Version tab and on the next window select each of the listed Item names (one at a time) to get more info about the file. The most important Item is the company name. If there is no Version tab, tell me that too.

    Also in the meantime, please try the below in FireFox.
    • Click Tools
    • Select the Content icon
    • Uncheck the Enable JavaScript check box and then click OK.
    • Close all FireFox tabs/windows
    • Open a new FireFox window and see if you still have the same problem
     
  14. bingo

    bingo Private E-2

    As I and other petitioners have said, actually ending up at a wrong site happens only occasionally. It looks to me (from what I see my browser doing and what I've read in other forums) that the browser always redirects but usually passes through the redirect and on to the correct URL.

    File Version -- 1.0.17.0
    Description -- Dockable Tools Library
    Copyright -- Copyright © 1997-1998 Software FX, Inc.
    -------------------------
    Comments value = Provides support for Toolbars, CommandBars and Dockable Frames
    Company value = Software FX, Inc.
    File Version value = 1.0.17.0
    Internal name value = Sfxbar
    Language value = English
    Legal trademarks value = null set
    OLESelfRegister value = null set
    Original File name value = Sfxbar.dll
    Product Name value = Software FX, Inc.
    Product Version value = 1.0

    The problem goes away when JavaScript is disabled.

    ~~~~~~~~~~~~~~~~~~~~~~~
    I did a little rooting on the net about zfsearch:
    Over at 247fixes.com/forums, the administrator "jpshortstuff"
    has connected zfsearch to Goored and written a tool called GooredFix.exe:
    http://www.247fixes.com/forums/Inactivezfsearch-HJTLo-t2766.html&hl=zfsearch

    Meanwhile there's a report at threatexpert.com mentioning it in
    connection with "Email-Worm.Win32.Zhelatin.zb"
    http://www.threatexpert.com/report.aspx?uid=a2189a9d-4221-4a7a-a22f-444264f08ae8

    GooredFix is also mentioned with zfsearch in forums at
    http://www.tech-101.com/solutions-netorks/topic101.html
    "A link to GooredFix by jpshortstuff and help using it is now offered on a number of different malware removal forums..."

    Several other petitioners also mention doubleclicker.com... I don't know if it's related, but it's interesting that in March '08 Google bought DoubleClick ("a premier provider of digital marketing technology and services") for $3 billion...

    I hope this helps, chas, and really appreciate your assistance.
    -kc
     
  15. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I had been working on a new version of MGtools to try and display additional info for FireFox in an attempt to try and locate what is causing this. I'm not quite finished with it yet. Have you attempted to use the GooRedFix program yet?
     
  16. bingo

    bingo Private E-2

    No I have not tried to use the gooredfix program; changing horses mid-stream, too many cooks, etc... didn't want to muddy the waters.

    I had a vague notion that there was an effort afoot to integrate gooredfix into combofix
     
  17. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay this is what we normally would prefer so that is good. ;) But I do not want to delay your attempts to getting this fixed. I would however ask if you could first run the below beta version of some scans I'm working on for MGtools.

    Please download the attached MGbeta.zip file to the C:\MGtools folder. Then extract the two files from it overwriting the current GetRunKey.bat and ShowNew.bat programs you have. Then double click on the GetLogs.bat file in the C:\MGtools folder. When it finishes running, attach the new C:\MGlogs.zip file.



    Now let's try running GooRedFix.
    • Please download GooredFix and save it to your Desktop.
    • Double-click Goored.exe to run it.
      • Select 1. Find Goored (no fix) by typing 1 and pressing Enter.
      • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
    • Please attach the Goored.txt log to your next reply
    • Note: Do not run Option #2 yet.
     
  18. bingo

    bingo Private E-2

    I will do this instantly... stand by for logs
     
  19. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Thanks! I'll be here for a little while longer although getting tired at 2:30 AM my time. ;)
     
  20. bingo

    bingo Private E-2

    Attached Files:

  21. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Okay something shows up in the new MGlogs file that also shows in the GooRed log. And that is the below folder from Dec 1, 2008

    C:\Documents and Settings\Compaq_Owner\Local Settings\Application Data\{FFF413AA-3F86-476E-810F-8F70830A4AF6}



    You should print these instructions because all FireFox browsers MUST be closed before running the fix.
    • Please double-click Goored.exe on your Desktop to run it.
      • Select 2. Fix Goored by typing 2 and pressing Enter.
      • Make sure all instances of Firefox are closed at this point.
      • Type y at the prompt and press Enter again.
      • A log will open which you can just close. The log file is named Goored.txt and is on your Desktop.
    • Now rerun FireFox and please attach the new Goored.txt log to your next reply
    • Let me know if there is any change.
     
  22. bingo

    bingo Private E-2

    OK did that, here's the log... I saw that thing when gooredfix ran before... looks like a firefox plug-in?

    FYI, the command-line window for gooredfix didn't tell me it was done: log came up instantly but nothing in the cmd window to indicate "we're finished".

    That seems to have done it! Even tho I have javascript enabled in firefox, none of those "enhanced" urls are appearing anywhere in the process...

    there's a new folder on my desktop called GooredFixBackups, which appears to be just what it says: copies of the stuff gooredfix dumped...

    What do I do next, my man?
     
  23. bingo

    bingo Private E-2

    Doh! forgot the log!
    Guess I'm a little tired, too ;-)
    standing by...
     

    Attached Files:

  24. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
      • Delete the C:\combofix folder from combofix (if it exists)
    3. If we had you run Avenger, you can delete all files related to Avenger now.
    4. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    5. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    6. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    7. Go to add/remove programs and uninstall HijackThis.
    8. You can delete the C:\MGtools folder and the C:\MGtools.exe file. You can also delete the C:\MGlogs.zip
    9. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    10. After doing the above, you should work thru the below link:
     
  25. bingo

    bingo Private E-2

    Chas, it's been a pleasure and a privilege: thank you so much for your help! I'll do the cleanup in the morning, and I'll no doubt have a couple of niggly little questions like what to do with C:\Qoobox and the GooredFixBackups folder; but for now I'm going to wash goored's blood off my hands and go to bed, with a blessing on your many hours staring blearily at one more line of code while some distraught and benighted innocent awaits your healing touch: it's an awesome burden you've shouldered, and I honor you for it. A thousand thanks!!!
     
  26. bingo

    bingo Private E-2

    Hey There Chas,
    Thanks and thanks again. Still no problem with the redirect and computer getting faster as I tidy up :)

    I followed the cleanup and decided to just toss the GooredFixBackups in the recycle and empty it out. Hope that was the right thing...

    Then, because I'm a little obsessive, I did the entire Read and Run Me from the top. SAS and spybots and mbam all saw no problems, but I couldn't get Combofix to run: I had uninstalled using "%userprofile%\Desktop\combofix" /u in the runbox and downloaded the latest version to the desktop (from bleeping at 2pm today wednesday)... when I double-clicked it started to install and then threw the following error:

    "Error:
    Some installation files are corrupt.
    Please download a fresh copy and retry the installation"

    I clicked the close box on the error-notice and the combofix progress-bar sat there doing nothing for awhile. I saw no way to stop or change it so I restarted windows, which went fine. Then I did the run-box uninstall again, which caused combofix to try and start again, and then throw the same error. I used task-manager to stop the combofix process, restarted, trashed combofix from my desktop, downloaded a fresh copy from bleeping, and repeated the process with the same results and the same error. Stopped combofix process again from task manager, restarted computer, finished off with MGtools, and here I am. I've attached the 3 logs I got. I'm proceeding for the moment on the assumption my computer is fine and there's a problem with the download at bleeping, but must say my curiosity is piqued. Can you see any other explanation for this?

    thanks!
    -k
     

    Attached Files:

  27. bingo

    bingo Private E-2

    problem with Combofix current version?

    I had completed a malware cleanup, and during a final repeat of Read and Run I had a problem with the latest version of combofix (downloaded from bleeping at 2pm on 2/18) where it threw an error:
    "Some installation files are corrupt.
    Please download a fresh copy and retry the installation"
    and then hung.
    Downloaded a fresh copy and tried again with the same result... I see also a new post at Malware removal from someone else today saying "ComboFix Hangs", makes me think the problem is with the file and not with my computer and I thought I'd throw up a little red flag here where it might be seen sooner than the next time my malware-helper finds me in his queue... maybe someone wants to look into this, since combofix is a main part of the MG malware-cleaning routines...

    thanks all!
    -k
     
  28. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Chaslang is away at the moment but as his last reply states, your logs are clean just as your new logs are.:)
     
  29. Lev

    Lev MajorGeek

    Re: problem with Combofix current version?

    Two things:

    You need to keep it in your malware thread, as Chaslang and his team will not see your post here in the Welcome Forum. This forum is just for welcoming new members. Chaslang and his team would need to be aware of this to check any download issues that may be prevalent. I am re-merging this post with your original Malware thread.

    Also you say you downloaded from bleeping....do you mean bleepingcomputer.com? If so, why are you working through the Read and Run Me and not downloading applications from the Majorgeeks.com links given, which we know to be safe and in good working order?
     
  30. bingo

    bingo Private E-2

    Thanks, Tim and Lev,
    Glad to hear my logs are clean. Any idea why combofix is giving me grief? Lev, I'm sorry, I did in fact download from the MG links, not from bleeping computer. Thx again,
    -k
     
  31. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    What did you download from MG's instead of Bleeping Computer?
     
  32. bingo

    bingo Private E-2

    ComboFix, which is hanging with a "some installation files are corrupt" error as per post #25 in this thread...
    -k
     
  33. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    First, you're clean you don't need to download/run it. Second, you should only download it from Bleeping Computer.

    http://download.bleepingcomputer.com/sUBs/ComboFix.exe
     
  34. bingo

    bingo Private E-2

    I guess when Lev scolded me for downloading from bleepingcomputer instead of MG, she didn't realize that the MG link for combofix just opens a download from bleeping... ;-)

    Anyhow, granted that my logs are clean, the fact that combofix throws errors when I try to install it suggests I have SOME kind of problem, neh? ...and even though I don't need it right now, with the exciting rates of growth in the wonderful world of malware, it's likely I'll need it again someday.

    So, well, maybe there's a problem with today's version; I'll try it again tomorrow and see if the problem persists. I just figured either I have a problem and maybe need help, or the file has a problem and maybe y'all would like to know about it.

    be well,
    k
     
  35. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    It's updated often so keeping it on your HDD is a bad idea unless you download it everyday. You should only keep the programs we recommend such as SUPERAntiSpyware and Malwarebytes.

    Also, just because you can't run a utility doesn't mean you have an infection.:)

    I would make sure everything is uninstalled/removed from our cleaning procedures. If you ran the uninstall script properly it will remove everything however at times there are leftovers which you can manually delete. Look in C:\ and delete any related files/folders such as C:\ComboFix or C:\Qoobox.
     
  36. Lev

    Lev MajorGeek

    Hardly a scolding...just a mere question. But my bad - I too need to work through the R&R and get up to date :) However, in my defense your response was:

    Maybe we both need to ;)
     
  37. bingo

    bingo Private E-2

    Quite right, Lev: I should have said "chided", or "asked pointedly" ;) ...in any case I meant no offense nor took any :)

    Here's a quick recap:
    1) Doing a Read and Run yesterday, I arrived at a point where I was apparently unable to either install or uninstall combofix ("some installation files are corrupt" error as per post #25 in this thread). I had no intention of keeping combofix on my computer but was concerned that if I needed it in the future I'd be unable to install. I finished the RnR without CFix, and my SAS, mbam, and MGtools logs showed clean.

    2) Today I tried again to uninstall combofix and it threw the same error. I stopped the process with task manager, manually deleted combofix from my desktop, downloaded a new copy (from bleeping via the MG link :) ... this time CFix installed to and ran successfully from my desktop. I then downloaded and ran the latest version of MGtools.

    3) I've attached the Cfix and MGtools logs. I think this whole business with combofix hanging was probably just one of those odd things and I can forget about it, but I'd feel a lot better if y'all would look them over.

    y'all have been great... thanks a lot!
    -k
     

    Attached Files:

  38. bjgarrick

    bjgarrick MajorGeeks Admin - Malware Expert

    Your logs are clean! Follow post 24 again and then be sure you follow the "How to protect yourself" thread.:)
     
