sosimple

Your Pre- HJT Post Instructions say to run Spybot S/D and remove all items found. It does not say to run the scan in Default Mode, or Advanced mode. Later in the instructions it talks about Spybot-Advanced Mode and Tea-Timer. When I clicked to set Spybot-Advanced Mode, it shows a warning that some of the options for Advanced Mode can do harm to your computer. I assume that means that if running Spybot-Advanced Mode, you should not just blindly select and remove all items found. So, I am running Spybot in Default mode. Please let me know if I should run it again in Advanced Mode. Also please consider clarifying this in your instructions. Thanks for your help. Kevin

After I ran MBAM, I then ran HJT2.02 and found the registry entry: O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM') But the file C:\Documents and Settings\LocalService\svchost.exe was already gone. I looked through the logs and found that ComboFix had removed the file before I ran MBAM. When I ran MBAM, the file was gone but the registry entry was still there. So the issue is only that MBAM did not flag/remove the registry entry that was pointing to a non-existant file. Perhaps this is by design. I still have the file svchost.exe MD5: 0326a3e66838dc2b4b99fee588cef724, but it is likely that MBAM would have removed the file and the registry entry, if the file was present when I ran MBAM.

First, I have to say MBAM is the GREATEST! Some details are below, but the reason for my post is to let you know of a VERY-MINOR issue with MBAM during the cleanup of a recent infection ... the Registry entry: O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM')was not cleaned by MBAM. (I removed the registry entry with HJT-2.02) I was using: Malwarebytes' Anti-Malware 1.17 Database version: 849 ... 8:56:15 AM 6/12/2008 ----------- I recently had an infection (several at once) ComboFix and SDFix removed the first 4 files, with no re-infections: C:\Windows\System32\sockins32.dll C:\Windows\System32\sft.res C:\Windows\System32\sockots64.dll C:\Windows\System32\adsn.dll But these files were only partly handled by each of those tools, so these files re-infected after reboot: C:\Documents and Settings\(USER)\ftp34.dll C:\Windows\System32\ftp34.dll C:\Documents and Settings\(USER)\svchost.exe C:\Windows\System32\drivers\services.exe C:\Documents and Settings\(USER)\Start Menu\Programs\Startup\userinit.exe C:\userinit.exe Malwarebytes Anti-Malware to the rescue! It cleaned this all up, and no re-infections. One VERY-MINOR point though ... the Registry entry: O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM') was not cleaned by MBAM. (I removed the registry entry with HJT-2.02) The file: C:\Documents and Settings\LocalService\svchost.exe Was removed by one of the tools ... so the registry entry did not cause further problems. I don't know which tool removed the file, it could have been MBAM ... Anyways, thanks to Malwarebytes, I am glad to be able to use my PC again. On the reecommendation of one of your Moderators, I will post in the HJT forum to make sure that anything that might remain is looked at. Thanks Kevin

Hello Jean, Thanks for your quick reply, and for your concern. I will post in the HJT forum as you recommend. I just want to make sure that the original reason for my post doesn't get lost. Edit: Sorry ... I just realized that should have been posted in the support forum ... General Malwarebytes' Anti-Malware Forum I'll repost this MBAM issue there. Thanks again, Kevin

First, I have to say MBAM is the GREATEST! I recently had an infection (several at once) ComboFix and SDFix removed the first 4 files, with no re-infections: C:\Windows\System32\sockins32.dll C:\Windows\System32\sft.res C:\Windows\System32\sockots64.dll C:\Windows\System32\adsn.dll But these files were only partly handled by each of those tools, so these files re-infected after reboot: C:\Documents and Settings\(USER)\ftp34.dll C:\Windows\System32\ftp34.dll C:\Documents and Settings\(USER)\svchost.exe C:\Windows\System32\drivers\services.exe C:\Documents and Settings\(USER)\Start Menu\Programs\Startup\userinit.exe C:\userinit.exe Malwarebytes Anti-Malware to the rescue! It cleaned this all up and more, and no re-infections. One VERY-MINOR point though ... the Registry entry: O4 - HKUS\S-1-5-18\..\Run: [winlogon] C:\Documents and Settings\LocalService\svchost.exe (User 'SYSTEM') was not cleaned by MBAM. (I removed the registry entry with HJT-2.02) The file: C:\Documents and Settings\LocalService\svchost.exe Was removed by one of the tools ... so the registry entry did not cause further problems. I don't know which tool removed the file, it could have been MBAM ... Anyways, thanks to Malwarebytes, I am glad to be able to use my PC again. Kevin