Honorary Members
Everything posted by JeanInMontana

  1. JeanInMontana


    http://uploads.malwarebytes.org/ This is the Malwarebytes upload link for suspect files.
  2. Hope you're having a great day Tarun. You're a great person here at MWB and such an asset to us all.
  3. The registry section is under the cube icon, click it and you will see a list of things all checked, if you just uncheck the very first one all of them will be unchecked. You will turn off the Windows firewall and no it is not too much security. You can set the updates to only install after you approve them, so you can choose not to get the ones that you don't need. I do this also, no need to get a bunch of stuff you never use. Now SP3 is out and you can get it. Yes run CCleaner and then set the restore point.
  4. Step 1

     You will need to get your XP CD and locate the folder called: I386, or find it in SP2. This is a major folder and should be one of the first you see. Now copy this onto your hard drive into the system root. For most of you that is going to be C:\ so you should end up with a folder that looks like: C:\I386

     -----------------------------

     Step 2

     Now you will need to tell your computer you now have the files on your PC. We do this in the registry (type regedit in the Run box on the start menu) by navigating to:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup

     You will see various entries here on the right hand side. The one we want is called: SourcePath

     It probably has an entry pointing to your CD-ROM drive, and that is why it is asking for the XP CD. All we need to do is change it to: C:\

     Simply double click the SourcePath setting and a new box will pop up allowing you to make the change. Now restart your computer and try scannow sfc again!

     ------------------------------

     Other Problems with scannow sfc...

     #1 Has the CD Drive's drive letter changed (perhaps by the addition of another hard drive, partition, or removable drive) since Windows XP was first installed? If so, simply edit the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath to reflect the changed drive letter. After you restart the computer, WFP and sfc /scannow use the new source path instead of prompting for the Windows XP installation CD-ROM.

     #2 Has the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\SourcePath got an incorrect entry? The SourcePath entry does NOT include the path location till the I386 folder. It completes one folder ahead to reach the I386 folder. Example: If the I386 directory is at C:\I386, the SourcePath value would be C:\

     #3 If the problem persists and you have the correct path for your I386 folder then the I386 folder is corrupted. To solve this problem copy the I386 folder from the CD-ROM to your system, restart the system and then perform sfc /scannow again.

     #4 You do not have an XP retail CD with an I386 folder on it. If you have a restore CD from your PC manufacturer then you may have to explore the CD to find the folder.

     #5 You still keep being prompted for the XP CD yet you have done all in this article! There is another setting in the registry that may be causing the problem. Navigate to:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SourcePath

     Make sure the entry here is the same path to the I386 folder as used above.

     #6 Systems administrators can enforce security policies that may include changes to the Windows File Protection settings. You will need to speak with your network administrator about this, but it is important to bear in mind that when Windows starts up, the Windows File Protection service synchronizes (copies) the WFP settings from the following registry key:

     HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection

     to the following registry key:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

     Therefore, if any of the following values are present in the HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Windows File Protection key, they will take precedence over the same values under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key. This will not affect scannow sfc so much, but WILL make an impact if any of the other sfc.exe "switches" have been used! (More about these at the end of this article.)

     #7 When you run scannow at logon you do not get a progress bar... This can easily be remedied by adding a new DWORD: SFCShowProgress to the registry key:

     HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

     The values available are: 0 = disabled, 1 = enabled

     ------------------------------------

     What about Windows Updates.....

     You may be asking yourself how does sfc.exe know how to check for updated Windows system files? Well, during OS upgrades, service pack installations etc., the dllcache folder should be updated with these new files. As an example, the recent Windows XP Hotfix - KB828035 updated the system file wkssvc.dll. A new version of the file was placed in C:\WINDOWS\system32 and a copy in the cache: C:\WINDOWS\system32\dllcache. A copy of the old system file is archived in: C:\WINDOWS\$NtUninstallKB828035$

     There is another location the Windows File Protection service uses and that is the I386 folder in C:\WINDOWS\ServicePackFiles. When you install a service pack, like SP1, any new system drivers are cached in this location too. If you have odd problems with running scannow sfc and nothing else in the article has resolved it, then take a look at the entry in:

     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ServicePackSourcePath

     This should be pointing to the location C:\WINDOWS\ServicePackFiles (assuming C:\ is the boot drive.)

     To check if sfc /scannow ran right go to start > run and type in EVENTVWR > Enter > Click on Systems > Scroll Down to the category Windows File Protection. Click it and it'll say "ran successfully" if it did. Some entries will tell you what has been repaired.

     I have run this a few times and it has always worked when I needed to actually repair files. It is rare these days that you will get an original CD for the OS, this can save you.
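Added example, not part of JeanInMontana's post: a read-only PowerShell check of the source-path values the post walks through, flagging the mistake described in #2 (SourcePath pointing at I386 itself) and the mismatch described in #5. It assumes PowerShell is installed on the machine; `Get-RegValue` and `Test-SourceRoot` are hypothetical helper names.

```powershell
# Added example: reads the values named in the post and reports problems.
# Nothing is written to the registry.
$setupKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup'
$ntKey    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-RegValue($Key, $Name) {
    # Returns the value data, or $null when the key or value does not exist.
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item) { $item.$Name } else { $null }
}

function Test-SourceRoot($Label, $Root) {
    if (-not $Root) { return "${Label}: value is missing" }
    # Case from #2: the value must be the parent of I386, not I386 itself.
    if ([System.IO.Path]::GetFileName($Root.TrimEnd('\')) -eq 'I386') {
        return "${Label}: '$Root' points at I386 itself; it should be the parent folder"
    }
    # String-only path join, so a missing drive (e.g. an empty CD-ROM letter) does not throw.
    $i386 = [System.IO.Path]::Combine($Root, 'I386')
    if (-not (Test-Path -Path $i386 -PathType Container)) {
        return "${Label}: no I386 folder under '$Root'"
    }
}

$setupSrc = Get-RegValue $setupKey 'SourcePath'
$ntSrc    = Get-RegValue $ntKey 'SourcePath'
$spSrc    = Get-RegValue $setupKey 'ServicePackSourcePath'

$findings = @(
    Test-SourceRoot 'Setup\SourcePath' $setupSrc
    Test-SourceRoot 'Windows NT\CurrentVersion\SourcePath' $ntSrc
    # ServicePackSourcePath is only checked when the value is present.
    if ($spSrc) { Test-SourceRoot 'Setup\ServicePackSourcePath' $spSrc }
) | Where-Object { $_ }
$findings = @($findings)

# Case from #5: both SourcePath values should name the same location.
if ($setupSrc -and $ntSrc -and ($setupSrc.TrimEnd('\') -ne $ntSrc.TrimEnd('\'))) {
    $findings += "The two SourcePath values differ: '$setupSrc' vs '$ntSrc'"
}

if ($findings.Count -eq 0) { 'Source paths match the layout described in the post.' }
else { $findings }
```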
  5. Oh the mod Angnoid makes with the fruits is very good. Totally put a stop to daily policing of my site while using phpBB 2x
  6. Today and yesterday auto update and scan ran fine as scheduled, but no log is saved. Also I deleted the registry folder both times and still got the key in the program. So I don't know where it's hiding. Screen shots of event log and properties related to error and MBAM.
  7. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  8. Geez sorry about the delay here, I didn't see a reply notice for this, and I've been uber busy. What is the last part of the post from VT? Let's see a new HJT log and tell me what's going on with the system please.
  9. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  10. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  11. Since this topic has had no reply for over 5 days it will be closed to prevent others from posting into it. Should you decide to resume with your assistance PM any staff member and we will be happy to reopen the topic. Note: the fixes in this topic are for this system only. Applying them to your system can cause severe damage and result in utter system failure. If you need help start your own topic and someone will be happy to assist you.
  12. It depends on how one defines reputable. The company behind the product has had a very shady past and was at one time considered rogue, since the delisting of the program by Erick Howes, they have staggered back and forth across the line of rogue [iMO]. Their affiliates have spamvertised the product on Digg and other forums, they threatened well respected members of the anti spyware community with a legal suit because we protested the spam. They have been prosecuted in some countries for fraud. I certainly would never recommend the product. All statements in this post are my opinions, and my opinions only.
  13. Without a doubt MBAM is better and your spam just got you banned. B)
  14. Anyone can use an avatar, it must be within the size and file restrictions.
  15. Hope you have a great day Kevin!!!
  16. I don't think there is any need to worry about MBAM getting gobbled up by the corporate machine anytime soon.
  17. It's not status or length of membership, it must be the file type or size. There is a great free program that will resize and change the format. http://bluefive.pair.com/
  18. I can't read this and not chuckle. Most large networks do not allow employees administrative rights. The fact that this joker is using them to get himself in trouble and put the entire network at risk is certainly grounds for taking them away and in many companies being a repeat offender would send him packing. He must be downloading stuff that is 1. not part of the job, 2. maybe even illegal. Nothing is foolproof and like nosirrah says Trend ranks low IMO too. This person will probably get themselves in a mess no matter what you do unless you stop them from installing stuff. Why let him get away with it?
  19. Marcin is good. It wasn't there either, I uninstalled again, deleted reg keys, and application data, still registered when I reinstalled. One thing that was different this time is the program folder was gone after uninstall in Program files folder.
  20. Well, I thought I did a clean install, but the registration was there and also scan logs for 2 other dates prior to today. I deleted the program folder and all regkeys, where did I miss? Scheduled update check and quick scan failed to initiate. Below is the post installation scan.

      Malwarebytes' Anti-Malware 1.12
      Database version: 728
      Scan type: Quick Scan
      Objects scanned: 34164
      Time elapsed: 12 minute(s), 56 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected: (No malicious items detected)
  21. Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you. The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you. Many thanks to AdvancedSetup for the excellent help.
  22. It's OK to have no homepage, but when you do have one and it changes you have an immediate notice something is wrong. The whole idea is to prevent this stuff from happening again. You don't have to be infected ever if you follow good surfing habits and use proper prevention and protection methods.

      The reason I would like you to upload those files is to help MBAM protect and remove them in the future. It is really not that hard to do. Just go to the file location, right click on the file and choose send to zipped folder. Then upload the zipped folder to the location http://uploads.malwarebytes.org/ . If you can't do that, then you should run CCleaner and get rid of them. They are malware.

      Shareaza and all P2P programs are a huge security risk and often engaged in illegal activities. My advice is to uninstall it. I'm sure it's why your performance is not good and most likely why you got infected. Are you using the Windows firewall only? This is not sufficient.

      We need to now reset a clean System Restore point. If you don't and you need to use System Restore you will reinfect yourself. Go to Start>Control Panel>System. Click on the System Restore tab and put a check in Turn off System Restore. Then click OK. Now go to Start>Help and Support > Undo Changes to Your System or System Restore depending on the make of your PC. Click on whatever will open the System Restore box. You will see two options. Choose Create a System Restore Point. Give it a name like Clean Restore Point and today's date. Now if you need to use it you have it.

      Many of these infections can be avoided with an added layer of prevention. All recommended programs are free and easy on system resources. You should install them as part of your protection arsenal. Keep Spybot Search & Destroy and always immunize when you update. You will also need at least one other scanning program. AVG is good and there are several other excellent programs with free and paid versions. Read the overviews of what each program below does so you have an understanding of their importance and how to use them. A firewall and antivirus are also essential. The Windows firewall in XP is not sufficient. Perform Windows Updates monthly on the second Tuesday or use automatic updates, and use your scanners weekly at the least. Always update before you scan.

      SpywareBlaster from Javacool Software
      WinPatrol by BillPStudios
      SiteHound by FireTrust
      RogueRemover
      hpHosts

      The Windows firewall is not sufficient to protect. It doesn't monitor outgoing traffic and this is a must. I use and recommend Online Armor Free. Also the full protection of MBAM is offered at a very low price.
  23. Have your cake and eat it too!! Happy birthday Gerard!
  24. Hi Yesitis and welcome to Malwarebytes. I don't think you can call anyone involved with the MBAM project an employee. It's hard to pin the team down to a set number too. Five main people are listed on the program credits. Two of those joined the development team after MBAM had been released to the public. There are also all the people that have helped to test the program and who continue to do so, and those that contribute to the malware data base daily. There are the people who help here at the website as moderators in varying capacities and the people that do the site maintenance. Making a rough guess at a number of people involved heavily in MBAM I would say there are at least 20 that are very active either as part of the website or in submitting files and test information. But, that is by no means all inclusive because everyone that has helped testing and reported a bug or a false positive, a missed malware item are just as valuable and appreciated. That probably puts the numbers into the 100's. As for paid employees, I'm fairly sure there are none. Mind you I'm certainly not all knowing, I try to stay in tune and do all I can to help out, but I may very well be totally wrong.
  25. How are you running now? Run HJT again and put a check next to this item and then click fix.

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

      Please upload all of these files to here http://uploads.malwarebytes.org/ put them in a zip file, no larger than 2MB each.

      C:\Local Disk (D)\From Disc C\My Downloads\AGSetup0608.exe
      C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\bann.exe[■%%\gzmrt.dll]
      C:\Documents and Settings\tata\Local Settings\Temp\tmp40A.tmp.exe[■%%\iebrowserc.dll]
      C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\bann.exe
      C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe
      C:\Documents and Settings\tata\Local Settings\Temp\nsu376.tmp\adw.exe[