captarheel

Honorary Members
  • Posts: 92
Everything posted by captarheel

  1. Thanks. So do you think we have gotten as far as we are going to get? I haven't seen any popup windows at all since 6:09 this am. Doesn't seem like we ever found something specific. Or did you see something along the way that we finally nailed? I am grateful for your assistance and patience -- thank you so much!
  2. Here you go:
     SystemLook 30.07.11 by jpshortstuff
     Log created at 16:55 on 30/04/2012 by Administrator - Elevation successful
     ========== filefind ==========
     Searching for "mcsvhost.exe"
     C:\Program Files\Common Files\McAfee\McSvcHost\McSvHost.exe --a---- 249936 bytes [18:49 29/07/2011] [23:28 27/01/2011] ACB01BF1A905356AB7F978C7FE852209
     -= EOF =-
  3. Here is the log output from the SysLook scan:
     SystemLook 30.07.11 by jpshortstuff
     Log created at 15:50 on 30/04/2012 by Administrator - Elevation successful
     ========== filefind ==========
     Searching for "208.73.210.29"
     No files found.
     Searching for "13376694984709702142491016734454"
     No files found.
     ========== regfind ==========
     Searching for "208.73.210.29"
     No data found.
     Searching for "13376694984709702142491016734454"
     No data found.
  4. As I wrote a little earlier today, I haven't seen the popups for several hours. The last indication in the MBAM log of a blocked IP address is from 6:09 AM:
     2012/04/30 05:46:05 -0500 MESSAGE IP Protection stopped
     2012/04/30 05:46:07 -0500 MESSAGE Database refreshed successfully
     2012/04/30 05:46:07 -0500 MESSAGE Starting IP protection
     2012/04/30 05:46:09 -0500 MESSAGE IP Protection started successfully
     2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51064, Process: mcsvhost.exe)
     2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51071, Process: mcsvhost.exe)
     2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51087, Process: mcsvhost.exe)
     2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51094, Process: mcsvhost.exe)
     2012/04/30 06:09:38 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51098, Process: mcsvhost.exe)
     2012/04/30 06:09:47 -0500 IP-BLOCK 173.192.183.195 (Type: outgoing, Port: 51109, Process: mcsvhost.exe)
     2012/04/30 08:26:02 -0500 MESSAGE Starting protection
     2012/04/30 08:26:05 -0500 MESSAGE Protection started successfully
     2012/04/30 08:26:09 -0500 MESSAGE Starting IP protection
     2012/04/30 08:26:10 -0500 MESSAGE IP Protection started successfully
     2012/04/30 08:36:40 -0500 MESSAGE Stopping IP protection
     2012/04/30 08:38:37 -0500 MESSAGE IP Protection stopped
     2012/04/30 08:53:25 -0500 MESSAGE Starting protection
     2012/04/30 08:53:28 -0500 MESSAGE Protection started successfully
     2012/04/30 11:44:53 -0500 MESSAGE Starting database refresh
     2012/04/30 11:44:55 -0500 MESSAGE Database refreshed successfully
  5. Stinger did not give me a report, at least not one that popped up. Is there somewhere I should look on the system?
  6. Nothing detected. Here is the report:
     Malwarebytes Anti-Malware (Trial) 1.61.0.1400
     www.malwarebytes.org
     Database version: v2012.04.30.06
     Windows 7 x64 NTFS
     Internet Explorer 9.0.8112.16421
     Protection: Enabled
     4/30/2012 11:45:25 AM
     mbam-log-2012-04-30 (11-45-25).txt
     Scan type: Full scan
     Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
     Scan options disabled: P2P
     Objects scanned: 300865
     Time elapsed: 43 minute(s), 57 second(s)
     Memory Processes Detected: 0 (No malicious items detected)
     Memory Modules Detected: 0 (No malicious items detected)
     Registry Keys Detected: 0 (No malicious items detected)
     Registry Values Detected: 0 (No malicious items detected)
     Registry Data Items Detected: 0 (No malicious items detected)
     Folders Detected: 0 (No malicious items detected)
     Files Detected: 0 (No malicious items detected)
     (end)
  7. Turned off all antivirus and firewall. Re-ran CF. It rebooted, and then I had to reboot again as I was getting the "illegal ... marked for deletion" error. Here is the new CF log:
  8. Actually, I noticed that the last pop up was for a different IP address. Unfortunately, I didn't get it before it disappeared. It started with 173.something. And, I haven't seen another popup in nearly an hour.
  9. I just reinstalled Firefox, but there are absolutely no bookmarks or anything else left after I uninstalled everything yesterday.
  10. MBAM pop up box still appearing -- man, you weren't kidding when you said this was hard to get rid of!
  11. Oops. OK. Re-ran. Here is the log:
      All processes killed
      ========== OTL ==========
      Registry value HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Toolbar\\Locked deleted successfully.
      File PTYJAVA] not found.
      File ptytemp] not found.
      OTL by OldTimer - Version 3.2.42.1 log created on 04292012_135937
      Files\Folders moved on Reboot...
      Registry entries deleted on Reboot...
  12. I was asked to reboot and did so. The MBAM pop up box is still occasionally appearing saying MBAM blocked access to a potentially malicious site with the same IP address -- 208.73.210.29. Sorry to hear about your main machine -- hopefully it can be resurrected!
  13. Thanks. I have completely uninstalled FF and all personal settings. There is no application to open or bookmarks to check. I opened OTL and pasted the fix you asked me to run. Here are the results:
      OTL by OldTimer - Version 3.2.42.1 log created on 04292012_134702
      Files\Folders moved on Reboot...
      Registry entries deleted on Reboot...
  14. I reinstalled Chrome then uninstalled it again. After the second uninstall, I ran OTL and was able to get a full scan. Txt file attached.
  15. OK. Reinstalled FF, then did a complete uninstall. Problem remains. Also, tried to re-run OTL, and it still got stuck at scanning Chrome settings and gave the List index out of bounds message.