Paul
Hello Paul,
Here's what I've done:
On the 8500:
I ran a full system scan with Avast, it gave me this:
![]()
I selected fix automatically and clicked apply.
![]()
I checked Avast for any updates and it said I was current.
I went back and tried to do what you suggested and
I think I did it.
![]()
8200:
When I log on, the Firewall turns off and says
my computer is at risk and the virus protection
was out of date: tried to update Firefox via Avast.
Updated Adobe Flash Player, Adobe plug-in. I also
tried to check for Windows updates but it wouldn't
open. Now it just says my computer is at risk and
clears itself after about a minute.
Ran an Avast scan - found (9) infected files
C:\...I>nsis.hdr NSIS:NextLive-A[Adw]
C:\AdwCleaner\...\nengine.dll.vir Win32:NewxtLive-A[Adw]
C:\...\A0014394.dll Win32:NewxtLive-A[Adw]
C:\...\A0014395.dll Win32:NewxtLive-A[Adw]
C:\...\A0017566.dll Win32:NewxtLive-A[Adw]
C:\...\A0014393.dll Win32:NewxtLive-A[Adw]
C:\...I>nsis.hdr Win32:NewxtLive-A[Adw]
* The first and last aren't really a capital ' I ' but a
black bar, but I didn't know how to make
one.
Ran a boot scan and it gave me this at 21%
File c:\Program Files\Uninstaller\Uninstall.exe is infected by win32:Installer-U [Pup}
I selected number 2 (fix all automatically) and
it was moved to the quarantine chest.
Later it gave me:
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by win32:Mobogenie-B [PUP]
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013239.exe is infected by win32:Mobogenie-C [PUP]
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP43\A0014373.exe is infected by win32:Installer-U [PUP]
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP67\A0020850.exe is infected by win32:Instaler-U [PUP]
The scan didn't stop but moved them all into the
quarantine chest.
I ran a full system scan with Avast afterwards
and came up clean.
Tried to open Spywareblaster to update it and it
gave me this:
Error: Access violation at 0x73483F5A (tried to read from 0x00000014),
program terminated. Last CP is 'RF'.
Thoughts, suggestions?
Robert
On the 8500, that was a copy of CCleaner from Piriform (cc_setup), which has
Google Chrome and some toolbar inside it. Avast has "moved it
to the chest". So that was adware, rather than malware. And hopefully,
something you could decline (using tick boxes), when installing CCleaner,
so you don't get a toolbar.
*******
On the 8200, have you run this machine through Bleepingcomputer?
Have you ever had these results checked by a professional malware fighter?
The NextLive is covered here, and it's just another PUP. AdwCleaner
and friends are the suggested solution. You've been through
this routine before.
http://malwaretips.com/blogs/win32-nextlive-a-removal/
If the computer saves a System Restore point, while you're infected with
something, then a scan is going to find the infection in the System Restore.
So that would be normal, if you had something nasty on the machine.
Malware is pretty good at making sure it's in the Restore points, one
way or another.
It's possible, in your file list there, that AdwCleaner has a
quarantine folder, and another tool is picking up that
quarantine folder during a scan.
But the other symptoms bother me. The Spywareblaster getting an
Access Violation, it's probably been tampered with. And your firewall,
sometimes that can be explained by other things (like, a .NET problem),
but that's probably not it in this case. Maybe these symptoms aren't
consistent with just a PUP being present.
If you look at this thread, Spywareblaster seems to be sensitive to
interference from other protection programs. That's all I can figure.
And reinstalling it doesn't necessarily help.
http://www.wilderssecurity.com/showthread.php?t=229348
Paul
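
Paul's two points about where the hits live (copies inside System Restore points, and a cleaner's quarantine folder picked up by another scanner), as an added example that is not part of either post: a small Python triage over scan lines taken from Robert's post. The category names and the treatment of a `.vir` suffix as a quarantine rename are assumptions.

```python
import re
from collections import Counter

# Scan lines taken from the post above; elided "..." segments are left as posted.
SAMPLE = r"""
C:\AdwCleaner\...\nengine.dll.vir Win32:NewxtLive-A[Adw]
C:\...\A0014394.dll Win32:NewxtLive-A[Adw]
File c:\Program Files\Uninstaller\Uninstall.exe is infected by win32:Installer-U [Pup}
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP38\A0013223.exe is infected by win32:Mobogenie-B [PUP]
File C:\ System Volume Information\_restore {E25274F5-321C-4C3D-A322-8F6F5F7F5B9F}\RP67\A0020850.exe is infected by win32:Instaler-U [PUP]
"""

BOOT_SCAN = re.compile(r"^File\s+(?P<path>.+?)\s+is infected by\s+(?P<name>.+)$", re.I)
FULL_SCAN = re.compile(r"^(?P<path>.+?)\s+(?P<name>\S+:\S+)$")

def parse_line(line):
    """Return (path, detection) for either report format, or None."""
    m = BOOT_SCAN.match(line.strip()) or FULL_SCAN.match(line.strip())
    return (m["path"], m["name"]) if m else None

def classify(path):
    """Say where a flagged file lives, which decides how much it matters."""
    p = re.sub(r"\\\s+", r"\\", path).lower()   # drop stray spaces after "\"
    if p.endswith(".vir") or "\\adwcleaner\\" in p:
        return "quarantine_copy"      # assumption: .vir = cleaner's renamed copy
    if "\\system volume information\\_restore" in p:
        return "restore_point"        # copy saved inside a System Restore point
    if "..." in p:
        return "path_elided"          # location not given, cannot be judged
    return "live_file"                # on the normal file system: look here first

def triage(report):
    """Parse every recognisable line and tag it with its location category."""
    rows = []
    for line in report.splitlines():
        parsed = parse_line(line)
        if parsed:
            rows.append((classify(parsed[0]), *parsed))
    return rows

if __name__ == "__main__":
    rows = triage(SAMPLE)
    for category, path, name in rows:
        print(f"{category:16} {name:28} {path}")
    print(Counter(category for category, _, _ in rows))
```

Only the `live_file` rows point at something that can still run from its original location; the other categories are copies held by System Restore or by a cleanup tool.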