captarheel

Honorary Members
  • Posts

    92
Everything posted by captarheel

  1. Reading other post now. In the meantime, I ran OTL. I have attached the txt file. I could not find a file called "extra". Can you please tell me where to look?
  2. I uninstalled FF and logged on using IE. Still getting MBAM blocking messages.
  3. I may have deleted the MVPS hosts by telling Rogue Killer to reset the hosts file. My mistake. I did that yesterday. Here is the MiniToolbox report:

     MiniToolBox by Farbar Version: 25-06-2012
     Ran by Craig Parker (administrator) on 05-07-2012 at 15:24:06
     Microsoft Windows 7 Home Premium (X64)
     Boot Mode: Normal
     ***************************************************************************
     ========================= Hosts content: =================================
     127.0.0.1 localhost
     **** End of log ****
  4. Also, just starting yesterday, I am getting strange spam emails with addresses like the following: 7069823922@vtext.com
  5. Okay. I reset IE again and deleted all personal data. I normally use Firefox, so don't know if resetting IE will do anything. I am still getting the MBAM blocking access message even after resetting IE. I never changed the hosts file after you gave me the MVPS link. I liked how that blocked even the sponsored ads on Google. Last time we uninstalled Firefox and reinstalled it and that didn't seem to make any difference. That's a huge pain since I lose all bookmarks (I don't have many that I have created this time), but still . . . . Will follow your directions -- what's next?
  6. Made System Restore point. Ran TDSSKiller. Only saw three items of medium risk. "Cure" was not an option, so I selected "skip" and continue. Report zipped and attached
  7. Hi Mr. C., I have absolutely no idea where this came from again, but I would appreciate your help. Here are the logs you requested: DDS.txt, Attach.zip, RKreport1.txt
  8. Very patient, very helpful, very clear and thorough. In sum, a lifesaver!

  9. I was traveling yesterday and did not use the computer. However, I did not see any pop-ups on Tues or Wed after we changed the hosts file, and have not seen any today. I have also checked the MBAM logs and don't see any blocked IP addresses since the Tues morning incident, again, before we changed the hosts file. Thank you very much for your help. Can you give me a suggestion for Paypal?
  10. Will I get a notification from MVPS, or will it be silent, in the background? Should I expect any negative impact from MVPS -- anything to be on the lookout for?
  11. I suspect they all got cleared out from FF when I uninstalled it. I don't know that I have ever otherwise emptied them all.
  12. A little skittish here -- I assume the links you gave above are informational but not to the bad guys themselves?
  13. Hey MrC, A friend asked if I knew the name of the virus I got infected with. Does this thing have a name?
  14. Sorry again. Based on yesterday's experience (I did not get the pop ups at all during the day), it may be tomorrow morning before I see anything again. I will go radio silent unless I hear from you until tomorrow morning. I will let you know what happens after 6:09. Thanks again for hanging in there with me.
  15. Well . . . I screwed up, then. I re-read your post and thought at the end your instructions were to run the MVPS change. I just did that before I saw your post. Is there a way to undo that?
  16. I ran SilentRunner and have attached the results. I did not fully understand the second part of your last post. Is there something more you would like me to install/run relating to MVPS Host?
  17. When I turned off McAfee automatic updates and manually updated, I could see the update progress but got no pop-up box from MBAM. I do not know how to see what address McAfee uses when it updates. The pop up box does not seem to be particular to any given website. Over the past few days, the only websites I have been to are extremely limited -- and only news or very large commerce sites. I have been running FF. Interestingly (perhaps), I have not seen the 208 address since Sunday night, but I did see the 173 .. 195 address yesterday morning at 6:09 and again this morning also at 6:09. I saw the 173 ... 196 address at 5:59 this morning, but not at all yesterday. For all attempts the service listed was mcsvhost.exe. According to the MBAM log, in each of the three instances - yesterday morning at 6:09, this morning at 5:59 and this morning at 6:09, there were 6 blocks each time. One more comment -- when I look at the Task Manager, show processes from all users, the svchost.exe under System name (not my individual user) is using (comparatively) a lot of ram, usually well over 160,000k. I have no idea if that is meaningful or not, but it was that utilization that really started getting me suspicious. Here is the log from CKScanner:

      CKScanner - Additional Security Risks - These are not necessarily bad
      scanner sequence 3.MN.11.TTAPTW
      ----- EOF -----
  18. Thank you. This morning I am getting a pop up box from MBAM blocking access to 173.192.183.196 (one time so far) and to .195 (also one time so far). I think you said that is from McAfee. Should I allow those sites? I have not seen the 208.73.210.29 since Sunday night at 20:32. What sort of malware did I have? Was it the kind that logs keystrokes, or something else? Are you able to tell?