JeanInMontana

Honorary Members
  • Posts

    3,859
Everything posted by JeanInMontana

  1. MBAM removes it as soon as we find it, put it that way. nosirrah searches for what will be next; anything not removed in the HJT forum is submitted, so whatever you're going to see, MBAM is likely to be able to get it or will with the next update. I have seen the program update 4 times in a day. Very likely there have been more.
  2. Malware is known to cause the best of apps to stop functioning. I'm fairly sure the system is infected, and IMO and nearly anyone else in the malware community you're going to run into, cleaning the infection is priority. In the past when MBAM has failed, once a new variant of usually Vundo is removed MBAM works fine. It's one of the nastiest things out there and constantly mutates.
  3. Well after nosirrah has had a look reformat probably isn't necessary. I'm going to attach a zip file that will get all your files we want in the download program files. Just unzip it and double click. It will make a folder on your desktop called malware. Zip that and upload. capture.zip
  4. GT500 my point is too many cooks spoil the broth. If you want to take over the entire process then I really think that's best. In my experience when one part of the machine is getting tweaked it messes with all of it. The goal is a clean functioning machine.
  5. Arg, I thought the protection service issue was fixed with the clean install but it doesn't start now at all. Error 997.
  6. Two CD's should be all it takes to reformat. The MBAM team would really appreciate if you can submit the files requested, it will help the program and others a great deal. Do you wish to continue with the fixes?
  7. Also please upload these files:
     2008-06-12 18:22 . 2008-06-12 18:12 52,736 --a------ C:\WINDOWS\system32\2F.tmp
     2008-06-12 17:11 . 2008-06-12 19:20 52,736 --a------ C:\WINDOWS\system32\blphc5skj0ee89.scr
     2008-06-12 17:05 . 2008-06-12 16:55 52,736 --a------ C:\WINDOWS\system32\1D4.tmp
     2008-06-12 16:55 . 2008-06-12 16:45 52,736 --a------ C:\WINDOWS\system32\1D1.tmp
     2008-06-12 16:45 . 2008-06-12 16:35 52,736 --a------ C:\WINDOWS\system32\1CE.tmp
     2008-06-12 16:35 . 2008-06-12 16:25 52,736 --a------ C:\WINDOWS\system32\1CB.tmp
     2008-06-12 16:25 . 2008-06-12 16:15 52,736 --a------ C:\WINDOWS\system32\1C8.tmp
     2008-06-12 16:15 . 2008-06-12 16:05 52,736 --a------ C:\WINDOWS\system32\1C5.tmp
     2008-06-12 16:05 . 2008-06-12 15:55 52,736 --a------ C:\WINDOWS\system32\1C2.tmp
     2008-06-12 15:55 . 2008-06-12 15:40 52,736 --a------ C:\WINDOWS\system32\1BF.tmp
     2008-06-12 15:40 . 2008-06-12 15:30 52,736 --a------ C:\WINDOWS\system32\1BC.tmp
     2008-06-12 15:30 . 2008-06-12 15:19 52,736 --a------ C:\WINDOWS\system32\1B9.tmp
     2008-06-12 15:19 . 2008-06-12 15:09 52,736 --a------ C:\WINDOWS\system32\1B6.tmp
     2008-06-12 15:09 . 2008-06-12 14:59 52,736 --a------ C:\WINDOWS\system32\1B3.tmp
     2008-06-12 14:59 . 2008-06-12 14:49 52,736 --a------ C:\WINDOWS\system32\1B0.tmp
     2008-06-12 14:24 . 2008-06-12 14:14 52,736 --a------ C:\WINDOWS\system32\1A9.tmp
     2008-06-12 14:14 . 2008-06-12 14:04 52,736 --a------ C:\WINDOWS\system32\1A6.tmp
     2008-06-12 14:04 . 2008-06-12 13:54 52,736 --a------ C:\WINDOWS\system32\1A3.tmp
     2008-06-12 13:54 . 2008-06-12 13:44 52,736 --a------ C:\WINDOWS\system32\1A0.tmp
     2008-06-12 13:03 . 2008-06-12 12:53 52,736 --a------ C:\WINDOWS\system32\195.tmp
     2008-06-12 08:19 . 2008-06-12 08:09 52,736 --a------ C:\WINDOWS\system32\172.tmp
     2008-06-12 08:09 . 2008-06-12 07:59 52,736 --a------ C:\WINDOWS\system32\16F.tmp
     2008-06-12 07:59 . 2008-06-12 07:49 52,736 --a------ C:\WINDOWS\system32\16C.tmp
     2008-06-12 07:49 . 2008-06-12 07:39 52,736 --a------ C:\WINDOWS\system32\169.tmp
     2008-06-12 07:39 . 2008-06-12 07:29 52,736 --a------ C:\WINDOWS\system32\166.tmp
     2008-06-12 07:29 . 2008-06-12 07:19 52,736 --a------ C:\WINDOWS\system32\163.tmp
     2008-06-12 07:19 . 2008-06-12 07:08 52,736 --a------ C:\WINDOWS\system32\160.tmp
     2008-06-12 07:08 . 2008-06-12 06:58 52,736 --a------ C:\WINDOWS\system32\15D.tmp
     2008-06-12 06:58 . 2008-06-12 06:48 52,736 --a------ C:\WINDOWS\system32\15A.tmp
     2008-06-12 06:48 . 2008-06-12 06:38 52,736 --a------ C:\WINDOWS\system32\157.tmp
     2008-06-12 06:38 . 2008-06-12 06:28 52,736 --a------ C:\WINDOWS\system32\154.tmp
     2008-06-12 06:28 . 2008-06-12 06:18 52,736 --a------ C:\WINDOWS\system32\151.tmp
     2008-06-12 06:18 . 2008-06-12 06:08 52,736 --a------ C:\WINDOWS\system32\14E.tmp
     2008-06-12 06:08 . 2008-06-12 05:58 52,736 --a------ C:\WINDOWS\system32\14B.tmp
     2008-06-12 05:58 . 2008-06-12 05:48 52,736 --a------ C:\WINDOWS\system32\148.tmp
     2008-06-12 05:48 . 2008-06-12 05:38 52,736 --a------ C:\WINDOWS\system32\145.tmp
     2008-06-12 05:38 . 2008-06-12 05:28 52,736 --a------ C:\WINDOWS\system32\142.tmp
     2008-06-12 05:28 . 2008-06-12 05:18 52,736 --a------ C:\WINDOWS\system32\13F.tmp
     2008-06-12 05:18 . 2008-06-12 05:08 52,736 --a------ C:\WINDOWS\system32\13C.tmp
     2008-06-12 05:08 . 2008-06-12 04:58 52,736 --a------ C:\WINDOWS\system32\139.tmp
     2008-06-12 04:58 . 2008-06-12 04:48 52,736 --a------ C:\WINDOWS\system32\136.tmp
     2008-06-12 04:48 . 2008-06-12 04:38 52,736 --a------ C:\WINDOWS\system32\133.tmp
     2008-06-12 04:38 . 2008-06-12 04:28 52,736 --a------ C:\WINDOWS\system32\130.tmp
     2008-06-12 04:28 . 2008-06-12 04:18 52,736 --a------ C:\WINDOWS\system32\12D.tmp
     2008-06-12 04:18 . 2008-06-12 04:08 52,736 --a------ C:\WINDOWS\system32\12A.tmp
     2008-06-12 04:08 . 2008-06-12 03:57 52,736 --a------ C:\WINDOWS\system32\127.tmp
     2008-06-12 03:57 . 2008-06-12 03:47 52,736 --a------ C:\WINDOWS\system32\124.tmp
     2008-06-12 03:47 . 2008-06-12 03:37 52,736 --a------ C:\WINDOWS\system32\121.tmp
     2008-06-12 03:37 . 2008-06-12 03:27 52,736 --a------ C:\WINDOWS\system32\11E.tmp
     2008-06-12 03:27 . 2008-06-12 03:17 52,736 --a------ C:\WINDOWS\system32\11B.tmp
     2008-06-12 03:17 . 2008-06-12 03:07 52,736 --a------ C:\WINDOWS\system32\118.tmp
     2008-06-12 03:07 . 2008-06-12 02:57 52,736 --a------ C:\WINDOWS\system32\115.tmp
     2008-06-12 02:57 . 2008-06-12 02:47 52,736 --a------ C:\WINDOWS\system32\112.tmp
     2008-06-12 02:47 . 2008-06-12 02:36 52,736 --a------ C:\WINDOWS\system32\10F.tmp
     2008-06-12 02:36 . 2008-06-12 02:26 52,736 --a------ C:\WINDOWS\system32\10C.tmp
     2008-06-12 02:26 . 2008-06-12 02:16 52,736 --a------ C:\WINDOWS\system32\109.tmp
     2008-06-12 02:16 . 2008-06-12 02:06 52,736 --a------ C:\WINDOWS\system32\106.tmp
     2008-06-12 02:06 . 2008-06-12 01:56 52,736 --a------ C:\WINDOWS\system32\103.tmp
     2008-06-12 01:56 . 2008-06-12 01:46 52,736 --a------ C:\WINDOWS\system32\100.tmp
     2008-06-12 01:46 . 2008-06-12 01:36 52,736 --a------ C:\WINDOWS\system32\FD.tmp
     2008-06-12 01:36 . 2008-06-12 01:26 52,736 --a------ C:\WINDOWS\system32\FA.tmp
     2008-06-12 01:26 . 2008-06-12 01:16 52,736 --a------ C:\WINDOWS\system32\F7.tmp
     2008-06-12 01:16 . 2008-06-12 01:06 52,736 --a------ C:\WINDOWS\system32\F4.tmp
     2008-06-12 00:55 . 2008-06-12 00:45 52,736 --a------ C:\WINDOWS\system32\EF.tmp
     2008-06-12 00:45 . 2008-06-12 00:35 52,736 --a------ C:\WINDOWS\system32\EC.tmp
     Ignore the date portion, just navigate to the C:\Windows\System32 folder and find the rest of the file name.
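The listing in the post above has a shape worth recognising during triage on any compromised host: dozens of files of identical size (52,736 bytes) dropped into system32 at roughly ten-minute intervals, with one oddly named .scr sitting among the .tmp files. The following Python script is an added example, not code from the post or from Malwarebytes: it parses lines in the ComboFix listing format quoted above, groups files by directory and size, and flags any group whose timestamps fall at a steady interval, reporting the files whose extension differs from the rest of the group. Seven sample lines are copied from the post; the two C:\WINDOWS\Temp lines are constructed so the filter has benign input to ignore. The meaning of the two timestamp columns is an assumption (the first is treated as the file's first-seen time); the thresholds are illustrative.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Shape of one line in the ComboFix file listing quoted in the post above:
#   "<timestamp> . <timestamp> <size> <attrs> <path>"
# Which timestamp is creation vs. modification is assumed; the first is used.
LINE_RE = re.compile(
    r"^(?P<t1>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<t2>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+) (?P<attrs>\S+) (?P<path>.+)$"
)

# Sample input: seven lines copied from the post, plus two constructed
# benign lines under C:\WINDOWS\Temp that must not be flagged.
SAMPLE_LISTING = r"""
2008-06-12 16:45 . 2008-06-12 16:35 52,736 --a------ C:\WINDOWS\system32\1CE.tmp
2008-06-12 16:35 . 2008-06-12 16:25 52,736 --a------ C:\WINDOWS\system32\1CB.tmp
2008-06-12 16:25 . 2008-06-12 16:15 52,736 --a------ C:\WINDOWS\system32\1C8.tmp
2008-06-12 16:15 . 2008-06-12 16:05 52,736 --a------ C:\WINDOWS\system32\1C5.tmp
2008-06-12 16:05 . 2008-06-12 15:55 52,736 --a------ C:\WINDOWS\system32\1C2.tmp
2008-06-12 15:55 . 2008-06-12 15:40 52,736 --a------ C:\WINDOWS\system32\1BF.tmp
2008-06-12 17:11 . 2008-06-12 19:20 52,736 --a------ C:\WINDOWS\system32\blphc5skj0ee89.scr
2008-06-12 09:00 . 2008-06-12 09:00 1,024 --a------ C:\WINDOWS\Temp\setup1.log
2008-06-12 10:30 . 2008-06-12 10:30 1,024 --a------ C:\WINDOWS\Temp\setup2.log
"""


def parse_listing(text):
    """Turn listing lines into dicts; lines that do not match the shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path = m.group("path")
        name = path.rsplit("\\", 1)[-1]
        entries.append({
            "first_seen": datetime.strptime(m.group("t1"), "%Y-%m-%d %H:%M"),
            "size": int(m.group("size").replace(",", "")),
            "attrs": m.group("attrs"),
            "path": path,
            "dir": path.rsplit("\\", 1)[0].lower(),
            "ext": name.rsplit(".", 1)[-1].lower() if "." in name else "",
        })
    return entries


def find_periodic_clusters(entries, min_files=4, jitter_minutes=2,
                           min_regular_fraction=0.75):
    """Group entries by (directory, size) and flag groups whose first-seen
    times are spaced at a steady interval. Returns one finding per group."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["dir"], e["size"])].append(e)

    findings = []
    for (directory, size), items in groups.items():
        if len(items) < min_files:
            continue
        items.sort(key=lambda e: e["first_seen"])
        gaps = [(b["first_seen"] - a["first_seen"]).total_seconds() / 60
                for a, b in zip(items, items[1:])]
        median_gap = sorted(gaps)[len(gaps) // 2]
        regular = sum(1 for g in gaps if abs(g - median_gap) <= jitter_minutes)
        if regular < min_regular_fraction * len(gaps):
            continue
        # The file whose extension differs from the rest of a same-size run
        # is usually the one worth looking at first.
        dominant_ext = Counter(e["ext"] for e in items).most_common(1)[0][0]
        findings.append({
            "dir": directory,
            "size": size,
            "count": len(items),
            "interval_minutes": median_gap,
            "paths": [e["path"] for e in items],
            "outliers": [e["path"] for e in items if e["ext"] != dominant_ext],
        })
    return findings


def triage(text):
    """Convenience wrapper: parse a listing and return the flagged clusters."""
    return find_periodic_clusters(parse_listing(text))


if __name__ == "__main__":
    for f in triage(SAMPLE_LISTING):
        print(f"{f['count']} files of {f['size']} bytes in {f['dir']} "
              f"every ~{f['interval_minutes']:.0f} min; outliers: {f['outliers']}")
```

Run against a full ComboFix listing the same way (read the file, pass its text to triage). Grouping by size alone is deliberately crude; it is a first pass to surface a dropper's output for collection and submission, which is exactly what the post asks the user to do with these files.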
  8. Did you at one time run SmitfraudFix? This system is seriously compromised. You have had a key logger for nearly a month from the ComboFix log and have been infected with a rootkit that can only be guaranteed removal by reformatting the machine. You should contact any banks and credit card companies that have information on the machine. Change all passwords and keep it off line as much as possible. If it's networked the entire network is at risk. You have P2P software installed (LimeWire) and this is a huge risk for what has happened to the machine. Possibly why you're here. I recommend you uninstall it. Please place the following files in a folder and zip it. Then upload here http://uploads.malwarebytes.org/
     C:\WINDOWS\system32\lsdelete.exe
     C:\WINDOWS\system32\VCCLSID.exe
     C:\WINDOWS\system32\SrchSTS.exe
     C:\WINDOWS\system32\VACFix.exe
     C:\WINDOWS\system32\IEDFix.exe
     C:\WINDOWS\system32\404Fix.exe
     C:\WINDOWS\system32\Process.exe
     C:\WINDOWS\system32\dumphive.exe
     C:\WINDOWS\system32\WS2Fix.exe
     C:\WINDOWS\system32\phc5skj0ee89.bmp
     C:\WINDOWS\system32\lphc5skj0ee89.exe
     C:\WINDOWS\system32\V0330Cvw.dll
     O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
     O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
     O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
     O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
     O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
     O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
     O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
     O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
     All the above beginning with O16 will be found on your main drive, usually C, in the Windows folder and then in a folder called Downloaded Program Files. Run HJT in scan only mode and place a check next to the following items and then click fix.
     O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
     O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
     O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
     O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
     O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
     O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://www.worldwinner.com/games/v47/share...GamesLoader.cab
     O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.6.108.cab
     O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
     O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
     O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://download.divx.com/player/DivXBrowserPlugin.cab
     O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
     O16 - DPF: {C49134CC-B5EF-458C-A442-E8DFE7B4645F} (YYGInstantPlay Control) - http://www.yoyogames.com/downloads/activex/YoYo.cab
     O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
     O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Unknown owner - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe (file missing)
     Reboot, update MBAM and scan again. Post that log and a new HJT log. Decide if you wish to continue trying to clean the system or do a reformat. Let me know what you decide, and how things are looking now.
  9. Sorry I didn't get a notice of reply. I need you to either stay in this topic and only do what I instruct or you stick with what's going on in the other forum. Please put HJT in a folder of its own on your hard drive.
     O4 - Startup: EruntRegistrySave.bat <======== What do you know about this? I can't find it in Google except here.
     Uninstall this program C:\Program Files\Tor\tor.exe and delete any files associated. Run HJT again in scan only and put a check next to the following and then click fix.
     O4 - HKCU\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat"
     O4 - HKCU\..\RunOnce: [spybotDeletingD8674] cmd /c del "c:\smp.bat"
     O4 - HKCU\..\RunOnce: [spybotDeletingB623] command /c del "c:\smp.bat"
     O4 - HKCU\..\RunOnce: [spybotDeletingD8674] cmd /c del "c:\smp.bat"
     O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User '?')
     O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
     O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
     O20 - Winlogon Notify: efcDSLbA - efcDSLbA.dll (file missing)
     Now reboot and please get this.
     1. Download this file: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
     2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
     3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.
     Post that log and a HiJack log in your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  10. OK let's pick a thread here and stay in it. Docfxit has a thread in the HJT forum also. I can't work with him if he's going to be doing stuff in this one too. So what is best?
  11. You can add that entry to the ignore list. There should have been many other cookies also. But please move on to the next step in the instructions.
  12. Have I got this right, AVG is saying MBAM is adware? To be exact eshopper?
  13. Sorry, put the check and click fix. Follow all the instructions I gave you. Disable Tea Timer for now. Immunize and run a removal scan with Spybot S&D; remove what it finds. Immunization is not a scan. It just adds a list of bad sites. I do not want a log from that program, I want you to have the prevention it provides and remove the junk from the tracking cookies etc. that show in your Panda scan. Please follow all instructions.
  14. So do we not use it? I have just given instructions to install and scan with it.
  15. There is no version 2.0.0.04 of MBAM, so I don't know what you may have done. Please follow the instructions below. MBAM is on version 1.17. Make sure you're running as an administrator on the machine. Allow email from Malwarebytes.org and set your preferences in the User Control Panel to email notifications for replies to your topics. This ensures you make prompt replies back and we get you cleaned in the fastest way possible.
     Please set your system to show all files: Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
     If you haven't already, please get these programs, update and run a complete scan removing all items found.
     Spybot Search & Destroy. Be sure to use the immunize feature. But do not enable TeaTimer at this time. Open SB S&D. Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode. Click on the Tools section and then Resident. You will see two items. 1. Resident "SD helper" (Internet Explorer bad download blocker.) active 2. Resident "Tea Timer" (Protection of over-all system settings.) active. Uncheck number 2. Leave number 1 checked always. You can enable Tea Timer again if you wish once all special fixes have been done.
     Please run a quick scan of your main drive, usually C, with MBAM making sure you check all items found for removal. Please post that log in your next reply. Then go here and run a scan: Panda ActiveScan. There is a full tutorial on how to do this at the top of this forum. Post the logs from the Panda and MBAM scans please, along with a log from this program: HiJack This! You will post three logs. 1. MBAM scan. 2. Panda Active Scan. 3. HiJack This scan. Please run and post the scans in this order.
     You will finish the MBAM first so go ahead and post that log, then move on to Panda and so forth. I will analyze the logs and give you further instructions. Be sure to set your email to allow mail from Malwarebytes.org and your personal settings to send an email on reply to your topic. This will let you know when there has been an update to your topic and you can come and see what has been said. Be patient and persistent. These things can take time and many procedures.
  16. Hi Legacy and welcome to Malwarebytes. You have done well so far, still work to do. Did you run a removal scan with Spybot Search and Destroy? If not please do so, the Panda scan looks like you might not have. You also still have Tea Timer running and that can interfere with removal processes. Please turn it off. Open SB S&D. Make sure you are in Advanced Mode. Click on the Mode link at the top of the program and then Advanced Mode. Click on the Tools section and then Resident. You will see two items. 1. Resident "SD helper" (Internet Explorer bad download blocker.) active 2. Resident "Tea Timer" (Protection of over-all system settings.) active. Uncheck number 2. Leave number 1 checked always. You can enable Tea Timer again if you wish once all special fixes have been done.
     Run HJT in scan only and put a check next to these items:
     R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
     O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
     O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
     O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
     O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE
     O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
     Next please go to Start > My Computer > Right Click on C if that is your main drive and choose Properties. You will see a pie chart and a button *Disk Clean-up*; click this. Clean up all the temp files etc. Reboot the computer.
     Now please get this:
     1. Download this file: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
     2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
     3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt.
     Post that log and a HiJack log in your next reply. Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  17. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  18. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  19. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  20. Hi hixus and welcome to Malwarebytes. Please follow the instructions here and post the requested logs. Your PC is way overdue for updates, but we need to see if you're infected first. The current service pack is 3. Is there any reason you haven't done the updates for over 4 years? When did you lose the ability to connect to the internet? What other symptoms do you have?
  21. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  22. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance, PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  23. Hello Naked Truth and welcome to Malwarebytes. The first step should be to follow these instructions here and start a thread in that forum. That is the forum where malware is removed. Getting rid of remnants of Symantec is secondary to malware.
  24. Those of us with issues should do a clean install? I have several things wrong with this version that came along after one update or another, not sure when.