Hello Paul,
I'm having a little difficulty finishing up
with the 8500. He gave me this to do:
Please Uninstall ComboFix: (if you used it)
Press the Windows logo key + R to bring up
the "run box"
Copy and paste next command in the field:
ComboFix /uninstall
Make sure there's a space between Combofix
and /
Then hit enter. (it may look like CF is
re-installing but it's not)This will uninstall
Combofix, delete its related folders and files,
hide file extensions, hide the system/hidden
files and clears System Restore cache and create
new Restore point
(If that doesn't work.....you can simply rename
ComboFix.exe to Uninstall.exe and double click it
to complete the uninstall or download and run the
uninstaller)
but none of it works and the file path below ends
at App Data because its not there?
ComboFix is not on your desktop, you ran it form
a temp folder: Running from:
c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip\ComboFix.exe
Move ComboFix to your desktop (or download it to
your desktop) and try it again
I said that I wasn't quite understanding him with
this last part and he just repeated it back: The
quarantine folder is located here: C:\FRST Delete
that folder. C:\FRST
If you can't delete the FRST folder:
Note:
If you used FRST and can't delete the quarantine
folder: Download the fixlist.txt to the same folder
as FRST.exe.Run FRST.exe and click Fix only once
and wait That will delete the quarantine folder
created by FRST. The rest you can manually delete.
I tried deleting (del FRST) at the command prompt
which I assume is what he's saying but said it
couldn't find the file. I did find FRST- Older
Version folder and fixlog file however, under
C/.Users>Rob>downloads.
Under C:/User>Rpbert>documents I found ComboFix14(Scans)
but nothing under downloads.
Unsure how to proceed?
Thoughts, Suggestions?
Robert
I had to follow your thread a bit, to figure out what happened.
The quoted text, is what Charlie said in one of his posts.
https://forums.malwarebytes.org/index.php?showtopic=142657
"Zipped up and attached, MrC "
I don't seen an attachment, so either it was removed, or
only forum members can see it.
I suspect you detached something called Temp1_ComboFix.zip.
That's what you got via your browser, and transfered to disk.
it's a ZIP file, and would have a ZIP icon. It was probably
sitting in some TEMP folder.
If you go to the File Explorer in Windows 7, and use the
search box in the upper right, you'd type this in and search
for it. By default, it'll probably be searching C: for the file.
Temp1_ComboFix.zip
It should come back with one "hit", that being
c:\users\Rob\AppData\Local\Temp\Temp1_ComboFix.zip
If you move the mouse to the yellow ZIP icon on the left
of that line in the search results, and right-click,
a long menu with about 16 options will show. One of the
options is "Open Folder Location". That will navigate you
to the Temp folder. If you don't hit the correct place
on the line, a tiny menu with 7 options will show, and
that menu doesn't have the Open Folder thing. So you
have to be careful to get the mouse over the icon,
right-click, and then you should get the big context menu.
Now, you should be inside the Temp folder. And the ZIP file
should be there.
If you right click on the Temp1_ComboFix.zip file, the
word "Extract All" may be there. In this example, I put
the attachment in its own folder, so you can see it.
http://i62.tinypic.com/f24xoh.gif
What the Windows extracter will do, is create a folder of
the same name (without the word ".zip" on the end). You
can see in my second picture, how a new folder exists.
http://i58.tinypic.com/29dbvig.gif
Since the top item is an actual folder, I can click and
navigate down there. I can then drag combofix.exe to
the desktop.
You see, your problem was, you were running it directly
from the ZIP, without extracting it. The path you list
above, is navigating inside the ZIP. By doing the "Extract All",
it converts the ZIP into a real folder, and the real folder
has the necessary properties for you to follow Charlie's instructions.
Once it's moved to the desktop, you can do this...
ComboFix /uninstall
The way Windows and some other operating systems work, is
they have a thing called an execution path. That is basically
a list of directories the operating system looks in, to find
executable programs. When you use the Run box, or when you
use a Command Prompt window, chances are the Path is consulted,
and the OS methodically examines the list of directories until
it finds the named program. In your case, combofix.exe was
so well hidden, it wasn't in the Path list. Charlie seems to
think that the desktop is in the Path, and I'll have to assume
that is correct. The list is stored as an environment variable,
so you can actually edit that Path thing. Some installers,
when they install programs, they add things to that list.
And it's all done, to help automate things.
In this example, you can see me editing the Path variable.
I don't see the desktop in the list, so it'll be interesting
to see what happens. I expect there are places searched
which are not in that list, and that will be why it works.
I know that CWD (current working directory) is searched
for example. And perhaps the shell, when triggered, just
happens to start in that particular directory (desktop).
http://i62.tinypic.com/2yys5rb.gif
So when you run ComboFix /uninstall, the OS will be looking
in all the Path directories, and hopefully, it'll find
the combofix.exe file you moved to the desktop.
*******
You were supposed to look under C: , to see if there
was a C:\FRST folder, as that is where Farbar puts
quarantined items. If no items were quarantined, maybe
it doesn't create the folder. Look in the folder and
see if items are in there.
Paul