I had the NextLive bug....

This all seemed to begin last week after I installed the most recent Security updates to Win 7. These were the .NET security updates.

My primary symptom is my MagicJack will not properly initialize on my PC (but works fine on my Mac). Secondary symptom is Malwarebytes will not load except in safe mode. I get the verification to run it as Administrator, but then the process just quits.

I am unable to Restore to any System Restore point. I get a dialog stating the restore failed to complete because it was unable to access a file. I got the same result when I tried to complete a restore from Safe Mode. When I tried to uninstall the .NET updates, I got the same result (cannot uninstall because Windows cannot access a file). Note: in no case does it tell me which file it cannot access.

In safe mode Malwarebytes has found NextLive and Imminent and removed them. I ran AdwCleaner and it cleaned a bunch of stuff, but after a reboot and switching to a different login account, the symptoms return.

I just ran Malwarebytes again, then OTL and here are the logs…

Hi,

Run this one as well.

Please download Farbar Recovery Scan Tool (http://www.mcshield.net/personal/magna86/Images/FRST_canned.png) by Farbar and save it to your desktop.

Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them.
Only one of them will run on your system, that will be the right version.

[*]Double-click to run it. When the tool opens click Yes to disclaimer.
[*]Press Scan button.
[*]It will make a log (FRST.txt) in the same directory the tool is run. Please attach it to your reply.
[*]The first time the tool is run, it also makes another log (Addition.txt). Please attach it to your reply.

Thx Magna

Here are those logs

Hi,

First you should attempt to uninstall the following PUP:
Image Editor Packages

I will look at your logs later. Can’t do it now … :frowning:

I was able to uninstall the Image Editor Packages using Total Uninstall.

After a reboot into Normal mode, I still have the same symptoms.

Hi,

We shall use two mighty tools for your Fix. First tool is FRST itself, as we will re-run FRST using its FixList. Then, after the reboot, you will prepare the steps and run ComboFix.

Important notice: Do NOT use USB memory devices until I tell you so.


FRST’s FixList


1. Open notepad and copy/paste the text present inside the code box below.
To do this highlight the contents of the box and right click on it. Paste this into the open notepad.
NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to the operating system.

Start
Folder: C:\Users\Tania\AppData\Local\tjnet
Folder: C:\Users\Tania\AppData\Roaming\mjusbsp
C:\Users\Randall York\AppData\Local\Temp\*.exe
C:\Users\Randall York\AppData\Local\Temp\*.dll
C:\Users\Tania\AppData\Local\Temp\*.exe
HKLM\...\Run: [] - [X]
HKU\S-1-5-21-4157483016-4262645346-3969846311-1001\...\MountPoints2: H - H:\autorun.exe
HKU\S-1-5-21-4157483016-4262645346-3969846311-1001\...\MountPoints2: I - I:\LaunchU3.exe -a
HKU\S-1-5-21-4157483016-4262645346-3969846311-1001\...\MountPoints2: {a0fd5a08-f4dd-11e2-b1d9-001e337d08ec} - H:\LaunchU3.exe -a
Reboot:
End

2. Save notepad as fixlist.txt to your Desktop.
NOTE: => It’s important that both files, FRST and fixlist.txt are in the same location or the fix will not work.

3. Run FRST/FRST64 and press the Fix button just once and wait.
If the tool needs a restart, please make sure you let the system restart normally and let the tool complete its run after the restart.

The tool will make a log on the Desktop (Fixlog.txt). Please attach it to your reply.
Note: If the tool warns you about an outdated version, please download and run the updated version.


ComboFix


  1. Please download ComboFix by sUBs from here and save it to your Desktop.
    If you are unsure how ComboFix works please read this guide carefully.
    Note: ComboFix must be downloaded to your Desktop.

  2. Temporarily disable your AntiVirus program, usually via a right click on the System Tray icon. It may interfere with ComboFix.
    If you are unsure how to do this please read this or this Instruction.

Instructions how to disable avast:

[*]Right click on the avast! system tray icon (http://www.mcshield.net/pg/images/avast5.png) in the lower right corner of the screen and scroll up to avast! shield controls;
[*]In the menu that appears, choose Disable Permanently. When you are prompted to turn off security, click Yes.

Note: Do not forget to turn back on this option after the cleaning by choosing avast! shield controls > Enable all shield options.


  3. Run ComboFix. Click on I Agree!

- ComboFix will display the DISCLAIMER of warranty on software.
By clicking I Agree ComboFix shall continue.

  • ComboFix will check if there is a newer version of ComboFix available.
    Click Yes if prompted to download.
  • If Recovery Console is not installed, ComboFix will offer download & installation.
    Click Yes to allow ComboFix to install Recovery Console.
  • ComboFix will scan your computer in stages, total of 50 stages.
    Do not mouse-click around while ComboFix is running.
    Note: If you see a message like “Illegal operation attempted on a registry key that has been marked for deletion” just restart your computer.

  4. When the tool is finished, it will produce a log report for you. (typical location: C:\ComboFix.txt)
    Attach the log report (ComboFix.txt) back to the topic.

FRST and ComboFix logs attached

Hi,

Logs show some leftovers from Baidu antivirus. I suggest you download and run AppRemover (to scan and remove any detected leftovers). I don’t have a canned instruction prepared for AppRemover but the tool is user-friendly so …

http://www.appremover.com/


Posted logs don’t show malware activity. Now I would like to scan all your USB devices for malware. We shall use MCShield for that …

Please download MCShield from one of the following links:

MCShield - Official download link

[*]Double click on MCShield-Setup to install the application.
Next => I Agree => Next => Install … after installation click on the Run! button.
[*]Wait a few seconds for MCShield to finish the initial HDD scan…
[*]Connect all your USB storage devices to the computer one at a time. Scanning will be done automatically.
[*]When all scanning is done, you need to post the log report that MCShield has created.

Under the Logs tab (in Control Center), in the AllScans.txt log section, click on the Save button. The AllScans.txt report shall be located on your Desktop.

=> Post AllScans.txt here

Explanation: USB storage devices are all the USB devices that get their own partition letter at connecting to the PC,
e.g. flash drives (thumb/pen drives, USB sticks), external HDDs, MP3/MP4 players, digital cameras,
memory cards (SD cards, Sony Memory Stick, MultiMedia Cards etc.), some mobile phones, some GPS navigation devices etc.

Downloaded AppRemover. Started it, got the “permission to run” dialog, clicked ok. Nothing else happened. Double clicked again and got a box saying it was already running.
Rebooted into Safe Mode, ran AppRemover and it only lists Malwarebytes Anti-Malware, avast! Free Antivirus and Dropbox. No baidu!

We may need to delete that manually.

But as you see, apps are still not loading properly in Normal Mode.

:frowning:

MCShield installed and ran clean (in Safe Mode). Tested all my Flash Drives (a couple were Mac formatted) and all reported clean.

Hi macguru_42,

But as you see, apps are still not loading properly in Normal Mode.
Hm ... let's first remove the Baidu leftovers and see whether that helps.
We may need to delete that manually.
You have two options. Pick one. :)

- The proper way is:

I’ve been looking for some Baidu uninstall tool but I could not find one. Looks like the only way to remove this AntiVirus is via Uninstall process from Control Panel. As you don’t have this installed on your PC you will need to install it again. Baidu can be downloaded from official site:

http://antivirus.baidu.com/en/

Install Baidu, reboot your system and then attempt to perform the regular Uninstallation from Control Panel.
http://forum.antivirus.baidu.com/bbs/topic/101196/1/
Note: Shields for avast! AntiVirus should be down, or, best of all, temporarily uninstall avast! AntiVirus while you perform this action, as we do not want a driver conflict.

- The alternative way:

…to use Force.
As these drivers are loaded in the kernel, and probably signed, we will need to remove them from outside the active Windows.

Please download fresh Farbar Recovery Scan Tool x86 and save it to a flash drive.
…or you may run FRST from desktop and allow the tool to update itself. Then, copy-paste the FRST.exe tool on USB device.

[*]Plug the flashdrive into the infected PC.
[*]Restart your computer and tap F8 to bring up the Advanced Menu, then click Repair your computer
[*]Follow the prompt to enter keyboard input method, and then the prompt to enter a password. If the machine does not have a password, simply click Enter.

In the next menu, use the arrow keys on the keyboard to highlight Command Prompt and press Enter.

[*] In the command window type in notepad and press Enter.
[*] When notepad opens, click File and select Open.
[*]Select “Computer” and find your flash drive letter and close the notepad.
[*]In the command window type e:\frst.exe and press Enter.

Note: Replace letter e with the drive letter of your flash drive.

[*]The tool will start to run. When the tool opens click Yes to disclaimer.
[*]Press Scan button.

It will make a log (FRST.txt) on the flash drive. Please attach it to your reply.

What the heck…

File attached…

Hi macguru_42,

This shall tell FRST to remove all Baidu related drivers and related folders and files in %ProgramFiles%.


FRST’s RE_FixList


Open notepad.

[*] Click Start
[*] Type notepad.exe in the search programs and files box and click Enter.
[*] A blank Notepad page should open.
[*] Copy/Paste the contents of the code box below into Notepad.


Start
C:\Windows\System32\drivers\Bhbase.sys
C:\Windows\System32\drivers\BprotectEx.sys
C:\Program Files\Baidu Security
S0 Bhbase; C:\Windows\System32\drivers\Bhbase.sys [47456 2013-12-18] (Baidu, Inc.)
S3 BprotectEx; \??\C:\Windows\System32\drivers\BprotectEx.sys [X]
S3 PCFApiUtil; \??\C:\Program Files\Baidu Security\PC Faster\4.0.0.0\PCFApiUtil.sys [X]
End

[*] Save it to your USB flashdrive as fixlist.txt

Boot into Recovery Environment

Start FRST in a similar manner to when you ran a scan earlier (via flash drive and from Recovery Environment), but this time when it opens …

[*] Press the Fix button once and wait.
[*] FRST will process fixlist.txt
[*] When finished, it will produce a log fixlog.txt on your USB flashdrive.

Exit out of Recovery Environment and post me the log please.


Re-scan with ComboFix


Now I would like you to run ComboFix from Normal Mode one more time and post me a fresh ComboFix.txt log report.
Instructions for running CF you have in my post above.

And tell me, are there any improvements?
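The two FRST fixlists in this thread target two kinds of leftover: MountPoints2 entries that still point at an autorun.exe or LaunchU3.exe on a removable drive letter, and driver/service entries whose binary no longer exists on disk (the lines FRST marks with [X], such as Bhbase and BprotectEx above). The following read-only audit script is an added example written for this page, not a tool from the thread or from the FRST/ComboFix authors; it reports those same artefacts from an elevated PowerShell on Windows 7 or later so the output can be compared against what a helper asks to remove. The function names and the path-normalisation rules are assumptions of this example.

```powershell
# Added example (not from the forum thread): read-only audit of the artefact
# classes the FRST fixlists above target. Run from an elevated PowerShell.
# Nothing here deletes or modifies anything; it only reports.

function Get-SuspiciousMountPoints {
    # MountPoints2 lives per user at
    #   HKU\<SID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\<entry>\Shell\AutoRun\command
    # FRST condenses that to "MountPoints2: H - H:\autorun.exe". Elevation is
    # needed to see hives of users other than the current one.
    $results = @()
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
      Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' } |
      ForEach-Object {
        $sid = $_.PSChildName
        $mp  = Join-Path $_.PSPath 'Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'
        if (-not (Test-Path -LiteralPath $mp)) { return }
        Get-ChildItem -Path $mp -ErrorAction SilentlyContinue | ForEach-Object {
            $cmdKey = Join-Path $_.PSPath 'Shell\AutoRun\command'
            if (Test-Path -LiteralPath $cmdKey) {
                $cmd = (Get-ItemProperty -LiteralPath $cmdKey -ErrorAction SilentlyContinue).'(default)'
                # Flag any command that launches an executable from a drive letter
                # other than the system drive (typical for USB autorun residue).
                if ($cmd -and $cmd -match '(?i)\b[d-z]:\\[^"]*\.exe') {
                    $results += [pscustomobject]@{
                        User    = $sid
                        Entry   = $_.PSChildName
                        Command = $cmd
                    }
                }
            }
        }
      }
    return $results
}

function Get-OrphanedDrivers {
    # Enumerate every service/driver under CurrentControlSet and report those
    # whose ImagePath does not resolve to a file on disk, which is what FRST
    # prints as "[X]" (e.g. BprotectEx and PCFApiUtil in the fixlist above).
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -LiteralPath $_.PSPath -ErrorAction SilentlyContinue
        if (-not $p.ImagePath) { return }
        # Normalise the forms seen in the registry (assumed set, crude but
        # sufficient here):
        #   \??\C:\path\x.sys      "C:\path\x.exe" -args
        #   system32\drivers\x.sys \SystemRoot\system32\drivers\x.sys
        $path = $p.ImagePath -replace '^\\\?\?\\', '' -replace '^"([^"]+)".*$', '$1'
        $path = ($path -split '\s+-')[0]          # drop trailing " -k netsvcs" style args
        if ($path -notmatch '^[A-Za-z]:\\') {
            $rel  = $path -replace '^\\SystemRoot\\', '' -replace '^\\', ''
            $path = Join-Path $env:SystemRoot $rel
        }
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Service   = $_.PSChildName
                Start     = $p.Start   # 0=boot 1=system 2=auto 3=manual 4=disabled (FRST's S0/S3)
                Type      = $p.Type    # 1=kernel driver 2=file system driver 16/32=Win32 service
                ImagePath = $p.ImagePath
                Resolved  = $path
            }
        }
    }
}

# Usage from an elevated prompt (dot-source the file first):
#   . .\Audit-Leftovers.ps1
#   Get-SuspiciousMountPoints | Format-Table -AutoSize
#   Get-OrphanedDrivers | Where-Object { $_.Type -le 2 } | Format-Table -AutoSize
```

Filtering Get-OrphanedDrivers on Type 1 or 2 narrows the list to kernel and file-system drivers, which is the class of leftover the recovery-environment fixlist above deals with; a Start value of 0 matches FRST's S0 (boot-start), which is why such a driver is removed from outside the running Windows rather than from Normal Mode.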

Here is the FRST log.

ComboFix did open and run in Normal Mode, scanning now. I have to run an errand and will post the log once I return.

Ok-et.

ComboFix Log attached.

Things are looking good

Hi macguru_42,

So this does not apply any more? All works well?

...apps are still not loading properly in Normal Mode.

Everything is back to GOOD! Thank you so much for your assistance.

(Wish I knew how to interpret all those logs!)

randall

The following will implement some post-cleanup procedures:

It is necessary to uninstall ComboFix :

[*] Click Start (or http://amf.mycity.rs/pg/images/VistaStartButton.png) then Run.

On Windows7 or Vista you may use Start Search field if Run is not available.

[*] In the line of text type in (Copy) the following:

ComboFix /Uninstall

Note that there is a space between " ComboFix " and " /Uninstall " .

[*] then click OK (or press Enter ).

Wait for the uninstall process to complete.

=> Please download DelFix by Xplode to your Desktop.

Run the tool and check the following boxes below:
[*] Remove disinfection tools
[*] Create registry backup
[*] Purge System Restore
Click the Run button and wait a few seconds for the programme to complete its work.
At this point all the tools we used here should be gone. The tool will create a report for you (C:\DelFix.txt).

The tool will also record the healthy state of the registry and make a backup using the ERUNT program in %windir%\ERUNT\DelFix.
The tool deletes old system restore points and creates a fresh system restore point after cleaning.