Honorary Members
JeanInMontana

  1. Hi skins and welcome to Malwarebytes. We need to have the HJT log after the removal scan. Would you please update MBAM and run a quick scan again, making sure you have the option to remove checked beforehand. Then post a new HJT log.
  2. I got the service to start manually today and then did an update. I'm wondering if Online Armor is in any way blocking the service? I have clicked to allow several times for OA, but lately it seems to not "listen" for several programs. Let me know if this is something you want me to address with Mike Nash rather than here.
  3. Seems to be a game site or software. I don't have time to read all the hits. Try using Xanthic + malware in a Google search and you get all sorts of interesting stuff.
  4. Great, thought maybe that was what this update fixed.
  5. Firefox, because I can pimp it out. There isn't anything I don't like about it.
  6. Update through the program went fine, although it didn't start with boot and in the new version the protection won't start. I closed and reopened the program and it still won't start. Error code 997 MBAMService. Should I have done a clean install?
     Malwarebytes' Anti-Malware 1.14
     Database version: 807
     6:47:02 PM 5/30/2008
     mbam-log-5-30-2008 (18-47-02).txt
     Scan type: Quick Scan
     Objects scanned: 35065
     Time elapsed: 5 minute(s), 18 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  7. Fin, please follow the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 .
  8. Hi nwarp and welcome to Malwarebytes. From Marcin: he says you need to run as an administrator to do the updates.
  9. Phil, M$ does not blacklist for freeware. Yes, you would get the .Net update with regular updates, and you really should update for security reasons. There are lots of worse things that can happen than the information M$ will gather.
  10. Ok, let's call your account clean. Now please start threads for the other accounts: two threads, one for each account, with updated MBAM scans for each and a HJT log. Also scan with ESET and post all logs for each account in the relevant thread.
  11. Why do you want to reinstall? Ethical hacking: this site doesn't do any hacking, period. Your problem won't be fixed by uninstalling IE. What do you mean by Vista angle? If you're infected, still follow the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 . Does the PC boot?
  12. MBAM needs updating every time you scan. The man behind the definitions for the program never stops. The program updates several times a day. You didn't take screenshots, or you saved them wrong. They have a .doc extension and I can't see what they say. I can open them in OpenOffice but I can't zoom the size to read them. MBAM did find more stuff; are you running better? Have you been posting logs from other accounts all along into this thread? Please keep to one account at a time. We can clean them all, but not en masse. Each will get a thread of its own. I'm only human. Update MBAM, scan again and please post the log. Tell me how things are running.
  13. I had a first time ever with MBAM shutting it down. I did the normal right click, exit program, clicked the OK to the box asking if I meant it and went to BSOD. "Driver unloaded without cancelling pending operations MBAM.sys" is what the screen said: 0X 00CE(0XEB41A518,0X08,0XEB41A518,0X0). It was so hard a crash it made Firefox reinstall all Add-Ons and even changed my homepage. Yet all settings were there, even the history.
  14. You can't use AOL at all without opening the program. Time Warner owns AOL. If AOL wasn't your ISP there would be no reason to have it on your PC, period. It is a shell over IE, but cobbled together so poorly it slows the performance of everything. Firefox is all I use. I bet your son would just love pimping it out with all the extensions etc. LOL Sandi, I need logs; when you run scans and something is found I need the log. That is how we will find this. I should have told you, I wanted to see the Virus Total report. I did want mirc.exe sent? The blue folders are due to the drive being formatted originally to allow compressed files and folders. Kazaa is a file sharing program. You can make sure your son doesn't download anything by taking away his privileges. If he has no administrative privileges he can't download or install. I would do that for him and your husband. Please post me the Yahoo log if you have it. Update MBAM, do a quick scan, post that log and a new HJT log please.
  15. I deleted one after I had replied to one. I didn't see there were 3. Now extras are deleted, topics merged. We carry on. Thanks guys. B)
  16. Hi Silverwolf and welcome to Malwarebytes. First, I strongly recommend you get rid of Emule and whatever you downloaded to supplement it. Second, follow the instructions here: http://www.malwarebytes.org/forums/index.php?showtopic=2936 and someone will be happy to help you.
  17. The exe part of the Mirc is what Bruce needs. Your infection is why the browsers keep closing. Finding it is what we are doing. Getting this file to the MBAM team will help all of us. You have something new or MBAM would have got it. I wanted it to find something too. LOL AOL is as bad or worse than any malware to control as you wish. Forcing anything with it will either stop logons or break it. It is your ISP, right? C:\WINDOWS\system32\tcerjhvx.exe zip that up and upload it to the MBAM team also please, and submit it to http://www.virustotal.com/ to see what they say about it.
  18. You can use WinPatrol to remove it from startup or put it into delayed start, but since it's your ISP you're probably going to want it to start. I don't know how happy you are with AOL, but there are other options. None of these are needed at boot up:
     O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
     O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
     O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
     O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
     O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
     SiteHound and SiteAdvisor do basically the same thing; Internet Explorer is hampered by the two together if I remember right. You should get rid of one and use a hosts file and the immunization from Spybot Search and Destroy. I like SiteHound the best, just because they actually listen to the users when a bad site is reported. I send my apologies and sympathies; I see you're fighting a huge battle, teenage son and husband. Shame on them both. When was the last time you did a disk error check and defragment of the hard drive? Always do it in that order also. A fragmented drive can cause performance loss too. I don't know why Kaspersky is saying everything is locked. Please set your system to show all files:
     Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders. Uncheck the Hide protected operating system files (recommended) option. Click Yes to confirm. Click OK.
     These items are flagged as infected:
     C:\Documents and Settings\Sandi\Desktop\Misc\mirc631.exe/stream/data0001/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
     C:\Documents and Settings\Sandi\Desktop\Misc\mirc631.exe/stream/data0001/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
     C:\Documents and Settings\Sandi\Desktop\Misc\mirc631.exe/stream/data0001 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
     C:\Documents and Settings\Sandi\Desktop\Misc\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
     C:\Documents and Settings\Sandi\Desktop\Misc\mirc631.exe NSIS: infected - 4 skipped
     Would you put the mirc631.exe files in a zipped folder and upload them here: http://uploads.malwarebytes.org/ Make sure you're running as an administrator and that the system is set to show all files and folders. Then update MBAM and run a quick scan of just the main drive, usually C, again please, and a new HJT log. I'm going to point your thread out to the lead researcher for MBAM so he is aware you're sending samples.
  19. Well, CF removed several things. So it was good we ran it. You have a massive amount of crap running at startup that is not needed, on top of using AOL [a huge waste of resources]. All of these things can also be part of the problem. You have installed new stuff and run programs I never requested. I just don't think I can help you at this rate. You're hell-bent on doing things your way and that just isn't how this process works. My time is being wasted deciphering all the new crap again; you're adding stuff that will in fact get you reinfected. Limewire is a P2P program known for risky behavior. Did you get a log from the Kaspersky scan? You can remove these two lines with HJT:
     O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
     O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
     Something has gone wrong with your Java since the files are missing. Malwarebytes makes a program that will shut down some of your unnecessary startup programs. You can get it free here: StartUpLite. I'm getting a second opinion on this also.
  20. Hi sandi, Yes I agree, there can be confusion with written instructions. HJT can ruin your computer too if it's used wrong. Malware can ruin your life if your personal information is mined and your identity stolen. Combofix notifies whether or not the Recovery Console has been installed; that's a good thing. Backing up is something that should be done regularly. Very simple. We are going to have to use Combofix to see what's hiding. Please just do what the instructions say. The scan takes about 30 seconds if I remember correctly.
     1. Download this file: http://download.bleepingcomputer.com/sUBs/ComboFix.exe
     2. Double click combofix.exe. It will be a red icon with a white X on your desktop. Follow the prompts; you will get a blue cmd prompt screen and a choice to choose Y or N. Choose Y and hit enter.
     3. When finished, it shall produce a log for you. This logfile is located at C:\ComboFix.txt. Post that log and a HiJack log in your next reply.
     Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
  21. OK, sandi, I asked you to run MBAM updated and post the log, then run ESET. However, finish the ESET scan since you have started it. I see a pattern here of you not doing what is asked. That isn't going to work, and it is why you're back looking for help. I don't mean to sound harsh. I'm just telling it like it is. ComboFix is a well known tool used by all of us that do work on forums. Most likely it will be the next step we do, and you should have done it when Rosty asked. You do nothing but run the program; it does the work. It shows areas we can't see any other way and it does the removal as part of the scan; in most cases that's all it takes. Once in a while a batch file is needed to get really stubborn stuff. When you don't do things the way the helper tells you, the malware gets the upper hand, and mutates to a new form, and is harder to find and remove. We don't ask users to use tools without good reason.
  22. Ahh, I would like to see what went on at the other site; please give a link. Most likely you still have Vundo. If you have run the updated MBAM, post the log now please.
  23. Hi sandi149 and welcome to Malwarebytes. Run HJT again in scan only and remove these two lines by putting a check next to them and clicking fix:
     O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
     O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
     Please update MBAM and run another quick scan and post the log. Did you happen to see the names of any of the files in Panda? They could have been just tracking cookies. Let's see if you can get this scan to run: ESET. You must allow the ActiveX install and run IE. Post the MBAM log after you update, and then the ESET and a new HJT.
  24. Not hearing Scotty bark is good; seeing him down in the tray is comforting. B) I am not aware of a conflict in the real time monitor in RRP and AVG. The free version of RR doesn't have the real time monitor but blocks against bad sites much like SpyWareBlaster and a hosts file do. In other words, it can add a layer of protection but doesn't actually need to be running to be helping keep you safer. You can update, immunize, run the scan and exit the program with either version. That's what I do. The hpHosts is not a running process or service either. It is a hosts file, which adds a list of known nasty websites to be blocked.
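
As an added example (not part of these forum posts, and not a Malwarebytes tool), the following Python script parses HijackThis entries of the kinds quoted in posts 18, 19 and 23: it flags orphaned O2/O3/O9 entries marked "(file missing)" or "(no file)", which the helper told the user to remove, and lists the O4 Run-key startup items by name, executable and arguments. The sample log is constructed from the lines quoted in those posts.

```python
import re

# Constructed sample log: HijackThis lines of the kinds quoted in the posts above.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll (file missing)
O3 - Toolbar: (no name) - {C17590D2-ECB4-4b15-8820-F58798DCC118} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# O4 body: <hive>\..\<key>: [<name>] <command line>
RUN_RE = re.compile(r"^(HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def split_command(cmd):
    """Split a Run-key command line into (executable, arguments), honouring quotes."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def parse_hjt(text):
    """Return one dict per HJT entry; O4 entries also get hive/key/name/path/args."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        entry = {"kind": kind, "body": body,
                 "orphan": body.endswith(ORPHAN_MARKERS)}
        run = RUN_RE.match(body) if kind == "O4" else None
        if run:
            path, args = split_command(run.group(4))
            entry.update(hive=run.group(1), key=run.group(2),
                         name=run.group(3), path=path, args=args)
        entries.append(entry)
    return entries


def orphaned_entries(entries):
    """Entries whose target file no longer exists: safe candidates for an HJT fix."""
    return [e["body"] for e in entries if e["orphan"]]


def startup_items(entries):
    """(name, executable, arguments) for every parsed O4 Run-key item."""
    return [(e["name"], e["path"], e["args"]) for e in entries if "name" in e]
```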
