"Trojan.Zeroaccess! khem" is getting on my nerves... :(


  • This topic is locked
136 replies to this topic

#91 thatguy89

  • Authentic Member
  • 80 posts

Posted 12 March 2012 - 07:59 AM

Yeah I wouldn't be surprised if that's what it came to. To be honest, I don't mind living without things that I can just get for free online, such as freeware replacements for Windows Defender and the like, but I obviously don't know how much actual damage it has caused (other than not being able to use Firefox/Chrome, open Norton etc.) and whether or not it would really be safe to be typing in passwords and bank details, as I wouldn't know if it's OK to do that at the moment. Tried ComboFix as well, both of the methods you suggested: same again, just doesn't proceed after "scan times....take longer" :wacko:


#92 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 12 March 2012 - 08:30 AM

Hi, Let me get with some of my colleagues and I will return as quickly as I can. :)

#93 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 12 March 2012 - 01:04 PM

Hi,

I have spoken with a couple of my colleagues and have gotten a couple of suggestions. I will start with the easiest...

Let's remove Norton 360 until we finish up. Be sure not to do any surfing on the internet besides here and to the links I provide until we have finished.

Please download the tool found here to remove Norton 360.

Once Norton 360 has been removed attempt to run ComboFix again and let me know what happens.

#94 thatguy89

  • Authentic Member
  • 80 posts

Posted 12 March 2012 - 04:13 PM

Hi,
I don't think you'll believe this really! I clicked on the link and "Internet Explorer cannot display the webpage"! I surfed Google and checked out other removal tool download sites; they ALL went to "Internet Explorer cannot display the web page" when I tried to download it. Unbelievable!

I found a website that advertises the "perfect uninstaller" for use with Norton, but I don't want to download anything without letting you know first: http://www.squidoo.com/uninstallnorton

Not so easy after all, was it! lol

#95 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 12 March 2012 - 04:49 PM

Hi,

LOL!! It just keeps getting better. :D

Delete all copies of ComboFix from your system.

Download the file found here directly to your C:\ folder.

Restart your system in Safe Mode (not with Networking) and then try to run the program.

If a log is produced post it...if not let me know what happens.

#96 thatguy89

  • Authentic Member
  • 80 posts

Posted 13 March 2012 - 01:17 PM

Heylo, It just so happens I managed to download the Norton uninstaller so that's sorted. ComboFix didn't work afterwards though, so I'll download what you suggested and try in safe mode. I'll get back to you soon!

#97 thatguy89

  • Authentic Member
  • 80 posts

Posted 13 March 2012 - 01:20 PM

Errr, just tried to download it and I got redirected to here: http://www.mediafire...r.php?errno=320


"Invalid or Deleted File.

The key you provided for file download was invalid. This is usually caused because the file is no longer stored on Mediafire. This occurs when the file is removed by the originating user or Mediafire."

It asked me whether or not I wanted to download Adobe Flash when the page opened. Should I do it anyway?

#98 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 13 March 2012 - 02:24 PM

Hi,

Hmmmmm... try this link. I just copied it and I know the file is still there. :)

#99 thatguy89

  • Authentic Member
  • 80 posts

Posted 13 March 2012 - 03:05 PM

Ok, got the file, saved it to c:/ and rebooted in safe mode without networking. Same thing though, froze at the same place unfortunately....

#100 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 13 March 2012 - 03:32 PM

Hi,

There is something new that we can try.

Go to this folder >> C:\Program Files\Malwarebytes' Anti-Malware\Chameleon and be sure it's there....then

Place the new ComboFix program we renamed to svchost.exe in Malwarebytes Chameleon folder.
C:\Program Files\Malwarebytes' Anti-Malware\Chameleon

Install the Chameleon driver by doing the following:
Press the Windows key + R and in the Run box, copy and paste the following command then press Enter.

    "%programfiles%\Malwarebytes' Anti-Malware\Chameleon/mbam-chameleon.com" /o

A black DOS prompt will appear with a prompt to press any key to continue, please do.

Execute ComboFix by double-clicking on it.

Hopefully this will allow ComboFix to run through and create a log.


#101 thatguy89

  • Authentic Member
  • 80 posts

Posted 13 March 2012 - 04:05 PM

Something doesn't seem to be right. svchost.exe renamed itself to combofix.exe after trying to use it last time, so I moved it to "Program Files/Malwarebytes' Anti-Malware/Chameleon" and opened Run with Windows button + R, copied and pasted "%programfiles%\Malwarebytes' Anti-Malware\Chameleon/mbam-chameleon.com" /o and it says Windows cannot find ""%programfiles%\Malwarebytes' Anti-Malware\Chameleon/mbam-chameleon.com" /o". Sooooooo I thought I'd give "chameleon" a try. It says to test whether programs are working and if they do a black command box will appear. None of them worked! "svchost.exe" did work, without the black command box, and it was the same result as always... Something pretty fishy seems to be going on within the depths of my hard drive... :huh:

#102 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 13 March 2012 - 05:55 PM

Hi,

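  • Please download Junction.zip and save it to your desktop.
  • Unzip it and extract junction.exe to your C:\ drive, so it appears as C:\junction.exe
  • Next, copy (Ctrl+C) and paste (Ctrl+V) the text inside the code box below into Notepad.

    @ECHO OFF
    REM Work from the root of C:, where junction.exe was extracted
    cd c:\
    REM Recursively list reparse points (junctions) under C:\ and save the output to log.txt
    junction -s c:\>log.txt
    REM Open the log in the default text viewer
    start log.txt
    REM Delete this batch file once it has run
    del %0

  • Save it to your desktop as File name: junc.bat
  • Save as type: All Files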

Next,
Double click junc.bat to run it. (accept any alerts) A log will be presented. Copy and paste or attach the content of the log in your next reply.

#103 thatguy89

  • Authentic Member
  • 80 posts

Posted 14 March 2012 - 03:54 AM

Ok, I did everything exactly as you wrote it, opened junc.bat, accepted a terms and conditions agreement, then C:\Windows\system32\cmd.exe opens up and just like in combofix, the little text thing "_" flashes on and off and that's as far as it goes! How long should I leave it running like that? I'd left it about 10 minutes and gave up because the little light on my laptop that blinks when the hard disk's hard at work didn't seem to be indicating anything was happening...

#104 jeffce

  • Malware Guy
  • Authentic Member
  • 8,693 posts

Posted 14 March 2012 - 05:43 AM

Hi,

It shouldn't take that long...try the following:

  • Please download Junction.zip and save it to your desktop.
  • Unzip it and put junction.exe in the Windows directory (C:\Windows) so you have C:\Windows\Junction.exe
  • Now go to Start > Run to open a run box > Copy and paste the following command in the open run box and click OK:

    cmd /c junction -s c:\ >log.txt&log.txt& del log.txt
  • A command window will open and the system will be scanned.
  • Wait until a log file opens.
  • Copy and paste log in your next reply


#105 thatguy89

  • Authentic Member
  • 80 posts

Posted 14 March 2012 - 03:40 PM

Hmm, again it was the same thing. The command box opened and a blinking "_" was as far as it would go. Waited a little while but decided to stop after 15 minutes. Should it take that long?
