Author Topic: [Resolved] Possible trojon  (Read 8592 times)

Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #30 on: March 02, 2012, 04:57:34 PM »
Hi Hoov, I was curious as to what the issue was and what was removed. I did notice something that I thought was odd today and the last couple of days. Not sure when it started yesterday, but it was while I was running a scan. Secunia PSI said 5 new programs found. Then it said 4 programs removed later on? Today, while in the middle of another scan with Defender, Secunia said 5 new programs again. So I opened it up. I was not sure what these programs were that were either being added or patched? So I did a little looking around. It may not be anything but I just want to be sure, due to the fact I don't even know what this program is for. This is what it says under the Secunia patched programs. I looked at this one in particular because it had 10 files; this was the name and the files listed. That's strange, as I was typing this Secunia now said 7 programs removed??? Also Secunia has an IP in that range from the McAfee post. Not the same one though.
Here is one I didn't know about.


NirCmd 2.x

detected instances

C:\Users\Tara\AppData\Local\temp\RarSFX2\winlogon.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\userinit.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\iexplore.exe,version 2.3.7.192
C:\Windows\NIRCMD.exe,version 2.3.5.189
C:\Users\Tara\AppData\Local\temp\RarSFX0\nircmd.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX0\nird\iexplore.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX1\nircmd.exe,version 2.3.7.19
C:\Users\Tara\AppData\Local\temp\RarSFX1\nird\iexplore.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\nircmd.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\nircmdc.exe,version 2.3.7.192


Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22668
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Possible trojon
« Reply #31 on: March 02, 2012, 06:10:07 PM »
Nircmd itself is not a problem, it is the programs that use it. Can you zip up this entire folder, C:\Users\Tara\AppData\Local\temp\RarSFX2, and attach it to a response? Also, can you look and see if there is a folder other than the one I posted that has a name of RarSFX2? If there is one, zip up that folder as well and attach it with the other one.

As for Secunia telling you that programs were removed and installed, it is a little misleading. A removed program is either a program that was uninstalled or updated. An installed program is a program that was installed or updated.

For instance, you could get a notice that you had one removed and one installed program when what really happened was that iTunes was updated. The old version was uninstalled and the new version was installed. It could be that the entire program was not, but if the file that Secunia watches was changed, then it thinks there was an uninstall and an install.

Consumer Security

If I am helping you and you don't hear from me for 24Hrs, send me a PM Please!
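
As an added illustration (not part of either post): a short Python triage of the "detected instances" listing from Reply #30, following the point in Reply #31 that NirCmd itself is not the problem. It flags files that carry a Windows system binary name outside that binary's normal directory, and files sitting in the RarSFX<n> temp folders that WinRAR self-extracting archives unpack into; the EXPECTED_DIRS table and the triage function are assumptions of this example.

```python
import ntpath
import re

# Normal directories (lower-case) of the Windows binaries whose names appear
# in the listing. Assumption: a default Windows install on C:.
EXPECTED_DIRS = {
    "winlogon.exe": {r"c:\windows\system32"},
    "userinit.exe": {r"c:\windows\system32"},
    "iexplore.exe": {r"c:\program files\internet explorer",
                     r"c:\program files (x86)\internet explorer"},
}
# WinRAR self-extracting archives unpack into %TEMP%\RarSFX<n>.
SFX_TEMP = re.compile(r"\\temp\\rarsfx\d+(\\|$)", re.IGNORECASE)

# The "detected instances" lines from Reply #30, copied as posted.
LISTING = r"""
C:\Users\Tara\AppData\Local\temp\RarSFX2\winlogon.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\userinit.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\iexplore.exe,version 2.3.7.192
C:\Windows\NIRCMD.exe,version 2.3.5.189
C:\Users\Tara\AppData\Local\temp\RarSFX0\nircmd.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX0\nird\iexplore.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX1\nircmd.exe,version 2.3.7.19
C:\Users\Tara\AppData\Local\temp\RarSFX1\nird\iexplore.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\nircmd.exe,version 2.3.7.192
C:\Users\Tara\AppData\Local\temp\RarSFX2\nircmdc.exe,version 2.3.7.192
"""

def triage(text):
    """Return {path: [reasons]} for listed files that deserve a closer look."""
    findings = {}
    for line in text.splitlines():
        path, sep, _version = line.strip().rpartition(",version ")
        if not sep:
            continue  # not a "path,version x.y.z" line
        folder, name = ntpath.split(path)
        reasons = []
        expected = EXPECTED_DIRS.get(name.lower())
        if expected and folder.lower() not in expected:
            reasons.append("system binary name outside its normal directory")
        if SFX_TEMP.search(folder):
            reasons.append("unpacked from a self-extracting archive in Temp")
        if reasons:
            findings[path] = reasons
    return findings

if __name__ == "__main__":
    for path, reasons in triage(LISTING).items():
        print(path, "->", "; ".join(reasons))
```

On the posted listing this flags nine of the ten entries; C:\Windows\NIRCMD.exe matches neither rule, which says nothing about whether it belongs there.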

Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #32 on: March 03, 2012, 07:18:46 AM »
Hi Hoov, I can't attach the files, they are giving an error again. Should I send them to the address you earlier sent me with the link?

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22668
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Possible trojon
« Reply #33 on: March 03, 2012, 07:22:12 AM »
Yes.


Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #34 on: March 03, 2012, 08:46:38 AM »
Hi, OK, I sent them over. Oddly enough, after being on my computer for a few days, McAfee just removed Combofix as a Trojan today??

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22668
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Possible trojon
« Reply #35 on: March 03, 2012, 11:45:43 AM »
I got them. As for combofix and McAfee, don't worry about it, many of the virus tools see combofix as a Trojan.
I think I have a handle on what is going on.

I suspect that you had one of the programs partially installed on your computer that is a rogue program but proclaims to be an Antivirus or antimalware tool like McAfee or Malwarebytes' Anti-Malware. I don't know if this is something that you had on your computer and was improperly removed, or if the security you have running on your computer stopped it, but only after it was halfway installed.

Can you tell me what this is, C4USelfUpdater ?

Below here are some instructions. Please read thru them and ask any questions before starting them. I need you to run all the way thru the fix in one setting. Don't reboot until after Malwarebytes' Anti-Malware has finished with the fixes. Then reboot and see if your computer is running any differently.
 
Next please download FixNCR to your desktop. Then double click on it. If you get any pop ups telling you of dangers or errors, just click yes or OK or whatever to let it run.

Please download Rkill by Grinler and save it to your desktop.
    Link 2
    Link 3
    Link 4

    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista, right-click on it and Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • A log pops up at the end of the run. This log file is located at C:\rkill.log. Please post this only if requested to by the person helping you. Otherwise you can close this log when you wish.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.

Please read carefully and follow these steps.
    • Download TDSSKiller and save it to your Desktop.
    • Extract its contents to your desktop.
    • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
    • If an infected file is detected, the default action will be Cure, click on Continue.
    • If a suspicious file is detected, the default action will be Skip, click on Continue.
    • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
    • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
    • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

Now update Malwarebytes' Anti-Malware and run a full scan with it. If it finds anything, fix it and post the log. If it does not find anything, post that log.


Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #36 on: March 03, 2012, 01:08:47 PM »
Hello Hoov, no idea what C4USelfUpdater is. I can't even find it in Programs & Features. Not sure what you mean by ("I need you to run all the way thru the fix in one setting")
So in this order I run fixncr - do I right click run as admin?
Rkill
Tdss
Then Malwarebytes? Sorry, just want to make sure. Thanks

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22668
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Possible trojon
« Reply #37 on: March 03, 2012, 01:25:39 PM »
For fixncr, yes right click, then run rkill, TDSSKiller and then Malwarebytes' Anti-Malware.

As for being sorry, don't worry about it. I would rather you ask questions than not run the procedure correctly.


Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #38 on: March 03, 2012, 01:41:16 PM »
Thanks. As for fixncr, there is not a right click option for admin? Do I need to download to my admin account?
Also Rkill has the shield on it so I have to put my admin password, but also does not have a right click - Run as Admin.
Just want to make sure. Thank you

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22668
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Possible trojon
« Reply #39 on: March 03, 2012, 01:54:07 PM »
Just double click on fixncr, and as for rkill, the user account control should just ask you if you want to run it.


Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #40 on: March 03, 2012, 03:52:30 PM »
Hoov, could not run Fixncr. I received this -
Red X        Registry editor
Cannot import C:\Users\Tata\Desktop\fixNCR.reg :Not all data was successfully written
to the registry.Some keys are open by system or other processes.

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22668
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Possible trojon
« Reply #41 on: March 03, 2012, 04:25:07 PM »
I need you to reboot windows cleanly. To do that please go to the run command and type in msconfig . Once that starts, select selective startup, and then uncheck the load startup items. Now click on the services tab, and down near the bottom of the window, check the box that says Hide all Microsoft Services. Now go up and uncheck all the services still listed; make sure you scroll down the list if you need to, to unselect all the non-Microsoft services. Now click apply, then click OK and reboot the computer.

Try running the entire procedure again. If it runs all the way thru or fails, then run msconfig and select normal startup, then click apply, then OK, and then reboot. Let me know how it went.


Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #42 on: March 03, 2012, 05:59:17 PM »
No good Hoov, they all seem to revert back to original settings after I hit apply & reboot and ran both was as explained. When I went back in to look, it was set like I didn't change anything! Strange. Let me know what to try now. Thank you

Offline Hoov

  • Malware Removal Mentors
  • Global Moderator
  • Diamond Member
  • Posts: 22668
  • Unwilling part owner of Gov't. Motors and Chrysler
    • Hoov's Personal Site
Re: [In Progress] Possible trojon
« Reply #43 on: March 03, 2012, 06:02:11 PM »
Do you have access to another computer with a CD burner or a thumbdrive at least 1GB in size, and a broadband internet connection?


Offline Jen27

  • Bronze Member
  • Posts: 154
Re: [In Progress] Possible trojon
« Reply #44 on: March 03, 2012, 06:53:18 PM »
Not here, but I may be able to at work??? But not until maybe Monday. What would I have to do?? I do think I have a working version of Kaspersky rescue disk somewhere around, if that helps. If not, what would I need to download?