sunnie
Members
Posts: 14
Reputation: 0 Neutral
  1. The ActiveX full scan made suggestions which weren't the best, in my opinion, but since you offered to walk me through them, this seems like a non-issue as long as the people you send to use the scan don't act on the results, but rather allow you to walk them through it. Reasons I posted about the download: 1. If the current site setup confused me, it will confuse others you counsel. So the new download should be avoided / suggested with care, & when you send people to the website, warn them not to allow the download. 2. The download auto-removes or disables (by partly removing, as the case may be) legit software (Sandboxie, Kaspersky TDSS remover) without stating specifically what it's doing. Even backing out once the scan completes, without choosing to let it execute the "system clean", doesn't stop it doing what it does. At minimum, you owe it to your paying customers to communicate with PC Pitstop & verify that the download won't disable MBAM's real-time protection. Besides that, I thought it reasonable to let you know that it will compound the problems of others who can't figure out why their "fixed" computer isn't working any more, & it doesn't seem to offer (on the free download, anyhow) any means of undoing. I thought it would be courteous to give you a heads-up about my experience. Now you know, and it's up to you whether to warn people to stick with ActiveX / do not download, OR send people elsewhere, OR walk people through the further chaos it will create on their systems. Thank you again for your help.
  2. Several options for managing hosts files until MBAM starts doing so, below. Try 1 or more & see what works for you:
     1. HostsMan - I find this a wonderful interface to use to manage my hosts file. Makes it easy to back up, update, scan for issues. http://www.abelhadigital.com/
     2. WinPatrol (free or Pro). Pro will monitor in real time if you set it to do so; free monitors periodically. Can't rave enough about WinPatrol. It's not an anti-infection scanner; what it monitors is computer settings & changes to them - not just hosts, but file associations, new items wanting to run at startup - & provides an easy interface to view and change these things on the fly, stop/start services, information about processes. I am using an older (non-cloud-based) version which doesn't monitor the registry; the newer versions do. http://www.winpatrol.com/
     3. I don't use this because I use HostsMan/WinPatrol, but it may be an option for you. In Online Armor there is an option to prompt if an untrusted program tries to change the hosts file. I am sure other HIPS/firewall combos also offer this feature. Since I use the OA paid version, if you plan to download it, first verify that the free version does what you want.
     4. Spybot S&D - don't enable TeaTimer (real-time protection - it will compete with the rest of what you have running), but do update and immunize - a passive list of things it blocks silently, including the hosts file. In the IE tweaks section, it will "lock hosts file". Note that if you use this together with HostsMan, you will need to open Spybot S&D and uncheck "lock hosts file" before it will allow HostsMan to update. When done, you would go back into Spybot S&D to re-check this. (I don't use this, switched to HostsMan, but the software is there & the lock does the job.) http://www.safer-networking.org/index2.html
  3. From the PC Pitstop site: "To get control over your running programs we suggest WinPatrol Plus". FYI: PC Pitstop is switching from the older scan you recommended (Full) to a new scan, PC Matic. When I got to the site, no matter where I went, every "scan now" linked to the PC Matic download. I clicked, expecting ActiveX; instead this downloaded. After a while, I decided to run it - big mistake - & I want to share my experience with you so you are aware as you advise others; this is new software for them.
     1. One button cleans all its findings. No choices. Closing it without clicking on the "clean all" button resulted in it cleaning all anyway. Unfortunately, it chose to clean a Win32 trojan and delete a scareware program. It didn't identify either of them by name, but when I realized that it was executing without allowing me any control, I went hunting for info on what it had done. You just told me my GMER etc. logs are clean!! Re-ran MBAM, clean. So went hunting. Found the scan XML file in C:\Documents and Settings\All Users\Application Data\PCPitstop and figured out from there what it had done. Had to fully delete Sandboxie and reinstall (the "scareware"). TDSS remover by Kaspersky was the alleged Win32 trojan, and I'll wait to see if I need it again before reinstalling. (Still think I'm an "inexperienced user"? A real inexperienced user would have needed a ton of hand-holding, & wouldn't have a running system right now.)
     2. After uninstalling PC Pitstop's PC Matic crapware, I went back to the PC Pitstop site and didn't allow another download. Eventually found the way in to the online scan; it took me over 10 minutes of refusing to download till I found the ActiveX scanner tucked away in a corner. Got the newer scan, not the old Full one. No reason to send you over there to interpret it to me: no malware found. Highlights: it lists as "unknown software" signed-by-Microsoft components of MSE (I googled msseces.exe; it's the alert notification. Turn it off & you won't know what MSE finds) as well as Online Armor, Sandboxie, and KeePass. (It does recognize - & list as "must run", rather than "optional" - WinPatrol Plus.) Not impressive. The fixes suggested are: free up space on my hard drive, update a display adapter, & delete 2 "craplets". I used WinPatrol to research the so-called craplets. (1 was truly optional, but I find it convenient to utilize, so won't be disabling it. The other is my integrated graphics controller - & I don't have a discrete graphics card. According to Bill P., it runs as a Winlogon Notify service when the computer starts & should be left in place.) Thank you for letting me know that the scan logs are clean. I hope freeing up space on the hard drive is enough to get rid of the remaining sluggish symptoms.
  4. Thank you very much for your reply. Please clarify whether these new symptoms are of concern. If not, should I remove sptd from quarantine in TDSS? And re-enable the emulation drivers? (Sorry for the notepad.) Yesterday in the AM, in the user acct, the PUP hijack registry entry (which was clean via MBAM) reappeared: no My Documents in Start. Ran MBAM, found the hijack again. Chose to clean it & rebooted. Docs appear (for now?) on the Start button. Re-ran MBAM, clean (for now?). My Docs appears today as well. Also WinPatrol Plus alerted me to several new hidden files, which I allowed, & which seem to be tmp/log files operating from sys32. A quick look at the WinPatrol online listing indicates they may be reg hive related and need to run, but the names and suffixes aren't identical to WinPatrol's listing, & if they need to run, where have they been all the years I've had my computer till today? On the other hand, I left the disabled items disabled till told to re-enable, & that may play a part in this, so will wait for advice. Periodically, the keypad is resistant to my typing on certain keys while the hard drive is noisy. This has been happening over several weeks.
  5. I posted yesterday in the help area including a link to here, so am utilizing this post in case whoever is helping me comes here to read, since instructions are not to post again for 48 hours, & I've got new symptoms. This AM, in the user acct, the PUP hijack registry entry (which was clean via MBAM) reappeared: no My Documents in Start. Ran MBAM, found the hijack again. Chose to clean it & rebooted. Docs appear (for now?) on the Start button. Re-ran MBAM, clean (for now). Also WinPatrol Plus alerted me to several new hidden files, which I allowed, & which seem to be tmp/log files operating from sys32. A quick look at the WinPatrol online listing indicates they may be reg hive related and need to run, but the names and suffixes aren't identical to WinPatrol's listing, & if they need to run, where have they been all the years I've had my computer till today? On the other hand, I left the disabled items disabled till told to re-enable, & that may play a part in this, so will wait for advice. Periodically, the keypad is resistant to my typing on certain keys while the hard drive is noisy.
  6. I. Got another registry value showing up: hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced|start_showmydocs. The result first appeared Jan 28. I was told in a previous discussion in the general forums that MBAM has been finding this for a long time, so it may be a malware change. http://forums.malwarebytes.org/index.php?showtopic=73724. A full scan by MSE found nothing before I posted to MBAM (both issues). While waiting for a response on the message board (73724) for this item, in safe mode I ran TDSS & allowed it to quarantine what the notes tell me is probably a false positive, though I'm not aware which of my software installed/uses it: Alert Type: No Access; Object Type: File; Original Name: C:\WINDOWS\system32\drivers\sptd.sys. AND also in safe mode, ran the latest definitions of SUPERAntiSpyware; found nothing.
     II. Per instructions on the MBAM main board, I removed the registry item using MBAM (in safe mode), then re-ran MBAM in safe mode and it shows clean.
     III. Couldn't get Avira to complete downloading, so instead ran the latest Dr.Web scanner in full (admin; OA program guard & firewall disabled; WinPatrol off; MSE real-time protection off & service disabled). Dr.Web "found & quarantined" something mid-scan and seemed to be continuing the scan, but less than a minute later a Windows stop error message appeared on screen: "A problem has been detected and Windows has shut down to prevent damage to your computer. If this is the first time you've seen this stop error screen, restart your computer... Technical information: STOP: 0x0000007F (0x0000000D, 0x00000000, 0x00000000, 0x00000000)"
     IV. Rebooted & seemed OK, so continued, same items disabled. The Dr.Web full scan began again from the beginning. Upon completion the only log it shows is clean; no earlier log. ("Quarantine" is empty.) No idea whether it found a false positive or real malware, nor whether it really quarantined what it found or not. The full 2nd Dr.Web scan took over 30 hours to complete. (Haven't extensively used the computer to find out whether anything has been crippled or removed yet, just scanned & posted.) Seemed wise to complete the other scans suggested to find out whether any reason for concern exists.
     V. DDS appears to have run & completed. Only after saving attach.txt and dds.txt did I notice a popup stating Windows scripting is disabled. (I disabled Windows scripting myself & use Script Sentry as backup, though I disabled Script Sentry before running this.) Does Windows scripting need to be enabled to complete the DDS scan? If so, what should I do: disable Script Sentry again, also enable Windows scripting (also reboot?), then re-run the DDS scan? Or is the popup just to advise in case I don't know it's disabled? Thank you for your help.
     VI. DDS.txt:
     DDS (Ver_10-12-12.02) - NTFSx86
     Run by Administrator at 15:41:36.39 on Fri 02/04/2011
     Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_23
     ============== Running Processes ===============
     C:\Program Files\USB Safely Remove\USBSRService.exe
     C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
     C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
     C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
     C:\Program Files\Tall Emu\Online Armor\OAcat.exe
     C:\Program Files\Tall Emu\Online Armor\oasrv.exe
     C:\WINDOWS\Explorer.EXE
     C:\WINDOWS\system32\ctfmon.exe
     C:\WINDOWS\system32\spoolsv.exe
     C:\WINDOWS\system32\msiexec.exe
     C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
     C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
     C:\Program Files\Sandboxie\SbieSvc.exe
     C:\WINDOWS\system32\wbem\wmiprvse.exe
     C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
     C:\WINDOWS\system32\igfxpers.exe
     C:\WINDOWS\system32\dla\tfswctrl.exe
     C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
     C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
     C:\WINDOWS\system32\igfxsrvc.exe
     C:\WINDOWS\stsystra.exe
     C:\Program Files\Tall Emu\Online Armor\oaui.exe
     C:\Program Files\Microsoft Security Client\msseces.exe
     C:\Program Files\Sandboxie\SbieCtrl.exe
     C:\Program Files\Tall Emu\Online Armor\OAhlp.exe
     C:\Program Files\Digital Line Detect\DLG.exe
     C:\Program Files\FileBX\FileBX.exe
     C:\Program Files\FastStone Capture\FSCapture.exe
     C:\Program Files\Foxit Software\Foxit Reader\Foxit Reader.exe
     C:\Program Files\Sandboxie\SandboxieRpcSs.exe
     C:\Program Files\Sandboxie\SandboxieDcomLaunch.exe
     C:\Documents and Settings\User Account Name\Desktop\tdss_remover_latest\dds.scr
     C:\WINDOWS\System32\svchost.exe -k netsvcs
     C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
     C:\WINDOWS\system32\svchost.exe -k LocalService
     C:\WINDOWS\system32\svchost.exe -k LocalService
     ============== Pseudo HJT Report ===============
     uStart Page = about:blank
     uSearch Page = hxxp://www.google.com
     uSearch Bar = hxxp://start.earthlink.net/AL/Search
     uDefault_Page_URL = about:blank
     uDefault_Search_URL = hxxp://www.google.com/ie
     uWindow Title =
     mSearch Bar = hxxp://www.google.com/
     mWindow Title =
     uInternet Settings,ProxyOverride = *.local
     uSearchAssistant = hxxp://www.google.com/ie
     uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
     mSearchAssistant = hxxp://start.earthlink.net/AL/Search
     mCustomizeSearch = hxxp://www.google.com/
     uURLSearchHooks: SrchHook Class: {44f9b173-041c-4825-a9b9-d914bd9dcbb3} - c:\program files\earthlink totalaccess\ElnIE.dll
     uURLSearchHooks: H - No File
     uURLSearchHooks: H - No File
     BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
     BHO: DriveLetterAccess: {5ca3d70e-1895-11cf-8e15-001234567890} - c:\windows\system32\dla\tfswshx.dll
     BHO: RoboForm: {724d43a9-0d85-11d4-9908-00400523e39a} - c:\program files\roboform\ai roboform\roboform.dll
     BHO: Java Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
     BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
     TB: {0BF43445-2F28-4351-9252-17FE6E806AA0} - No File
     TB: &RoboForm: {724d43a0-0d85-11d4-9908-00400523e39a} - c:\program files\roboform\ai roboform\roboform.dll
     TB: {C7768536-96F8-4001-B1A2-90EE21279187} - No File
     TB: {D554D8FC-B36D-4BB4-93DB-4A3394D505E3} - No File
     TB: {4E7BD74F-2B8D-469E-88A9-EB6DA381A928} - No File
     TB: {4D46ED77-1429-4CF6-8F63-C84B5D710BAF} - No File
     TB: {7792546F-70AE-4ABC-B2B6-BE68E9410002} - No File
     EB: Copernic Desktop Search 2: {968631b6-4729-440d-9bf4-251f5593ec9a} - c:\program files\copernic desktop search 2\DesktopSearchBand202000032.dll
     EB: Copernic Desktop Search 2: {9c3fca1f-99e3-48f2-a7f4-dd3931b2f99a} - c:\program files\copernic desktop search 2\DesktopSearchBand202000032.dll
     uRun: [HostsMan] "c:\program files\hostsman\hm.exe" -s
     uRun: [HostsServer] "c:\program files\hostsman\hostssrv.exe" --start
     uRun: [KeePass Password Safe] "c:\program files\keepass password safe\KeePass.exe"
     uRun: [uSB Safely Remove] c:\program files\usb safely remove\USBSafelyRemove.exe /startup
     uRun: [sandboxieControl] c:\program files\sandboxie\SbieCtrl.exe
     uRun: [RoboForm] "c:\program files\roboform\ai roboform\RoboTaskBarIcon.exe"
     uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
     mRun: [synTPEnh] "c:\program files\synaptics\syntp\SynTPEnh.exe"
     mRun: [igfxpers] c:\windows\system32\igfxpers.exe
     mRun: [dla] c:\windows\system32\dla\tfswctrl.exe
     mRun: [intelWireless] "c:\program files\intel\wireless\bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
     mRun: [intelZeroConfig] "c:\program files\intel\wireless\bin\ZCfgSvc.exe"
     mRun: [sigmatelSysTrayApp] stsystra.exe
     mRun: [WinPatrol] c:\program files\billp studios\winpatrol\winpatrol.exe -expressboot
     mRun: [@OnlineArmor GUI] "c:\program files\tall emu\online armor\oaui.exe"
     mRun: [MSC] "c:\program files\microsoft security client\msseces.exe" -hide -runkey
     dRun: [DWQueuedReporting] "c:\progra~1\common~1\micros~1\dw\dwtrig20.exe" -t
     IE: Add to EverNote - c:\program files\evernote\evernote\enbar.dll/2000
     IE: Clear Fields - file://c:\program files\roboform\ai roboform\RoboFormComClearFields.html
     IE: Customize Menu - file://c:\program files\roboform\ai roboform\RoboFormComCustomizeIEMenu.html
     IE: Fill Forms - file://c:\program files\roboform\ai roboform\RoboFormComFillForms.html
     IE: Identities Editor - file://c:\program files\roboform\ai roboform\RoboFormComEditIdent.html
     IE: Logoff - file://c:\program files\roboform\ai roboform\RoboFormComLogoff.html
     IE: Passcards Editor - file://c:\program files\roboform\ai roboform\RoboFormComEditPass.html
     IE: Password Generator - file://c:\program files\roboform\ai roboform\RoboFormComPasswordGenerator.html
     IE: Reset Fields - file://c:\program files\roboform\ai roboform\RoboFormComResetFields.html
     IE: RoboForm Options - file://c:\program files\roboform\ai roboform\RoboFormComOptions.html
     IE: RoboForm TaskBar Icon - file://c:\program files\roboform\ai roboform\RoboFormComTaskBarIcon.html
     IE: RoboForm Toolbar - file://c:\program files\roboform\ai roboform\RoboFormComShowToolbar.html
     IE: Safenotes Editor - file://c:\program files\roboform\ai roboform\RoboFormComEditNote.html
     IE: Save Forms - file://c:\program files\roboform\ai roboform\RoboFormComSavePass.html
     IE: Scan link by Dr.Web - http://www.drweb.com/online/drweb-online-en.html
     IE: Set Fields - file://c:\program files\roboform\ai roboform\RoboFormComSetFields.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F46} - c:\program files\roboform\ai roboform\RoboFormComFillForms.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F49} - c:\program files\roboform\ai roboform\RoboFormComSavePass.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4C} - c:\program files\roboform\ai roboform\RoboFormComOptions.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F4E} - c:\program files\roboform\ai roboform\RoboFormComCustomizeIEMenu.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F50} - c:\program files\roboform\ai roboform\RoboFormComPasswordGenerator.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F51} - c:\program files\roboform\ai roboform\RoboFormComTaskBarIcon.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F52} - c:\program files\roboform\ai roboform\RoboFormComSetFields.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F53} - c:\program files\roboform\ai roboform\RoboFormComResetFields.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F54} - c:\program files\roboform\ai roboform\RoboFormComClearFields.html
     IE: {320AF880-6646-11D3-ABEE-C5DBF3571F55} - c:\program files\roboform\ai roboform\RoboFormComLogoff.html
     IE: {45DB34C3-955C-11D3-ABEF-444553540000} - c:\program files\roboform\ai roboform\RoboFormComEditIdent.html
     IE: {45DB34C3-955C-11D3-ABEF-444553540001} - c:\program files\roboform\ai roboform\RoboFormComEditPass.html
     IE: {45DB34C3-955C-11D3-ABEF-444553540002} - c:\program files\roboform\ai roboform\RoboFormComEditNote.html
     IE: {4C730913-3961-439b-83D5-F4E445520422} - c:\program files\citi virtual account numbers\CitiVAN.exe
     IE: {724d43aa-0d85-11d4-9908-00400523e39a} - c:\program files\roboform\ai roboform\RoboFormComShowToolbar.html
     IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
     IE: {A5ABA0BB-F195-40d8-A5E9-0801153E6597} - {2151DA8C-C5B6-4B4F-86AB-BDA449BF8747} - c:\program files\evernote\evernote\enbar.dll
     IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
     Trusted Zone: live.com\safety
     Trusted Zone: microsoft.com\*.update
     Trusted Zone: microsoft.com\*.windowsupdate
     Trusted Zone: microsoft.com\go
     Trusted Zone: microsoft.com\support
     Trusted Zone: microsoft.com\technet
     Trusted Zone: microsoft.com\update
     Trusted Zone: microsoft.com\windowsupdate
     Trusted Zone: microsoft.com\www
     Trusted Zone: microsoft.com\www.update
     Trusted Zone: microsoft.com\*.windowsupdate
     Trusted Zone: microsoft.net\*.update
     Trusted Zone: secunia.com\psi
     Trusted Zone: windowsupdate.com
     Trusted Zone: windowsupdate.com\au.download
     Trusted Zone: windowsupdate.com\download
     DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} - hxxps://support.dell.com/systemprofiler/SysPro.CAB
     DPF: {10ABC6DB-E091-4EAE-98DD-21B5A2460714} - hxxp://www.pandasoftware.es/avchecker/controles/AvDetInst.cab
     DPF: {166B1BCA-3F9C-11CF-8075-444553540000} - hxxp://fpdownload.macromedia.com/get/shockwave/cabs/director/sw.cab
     DPF: {17492023-C23A-453E-A040-C7C580BBF700} - hxxp://download.microsoft.com/download/C/0/C/C0CBBA88-A6F2-48D9-9B0E-1719D1177202/LegitCheckControl.cab
     DPF: {1842B0EE-B597-11D4-8997-00104BD12D94}
     DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} - hxxp://download.ewido.net/ewidoOnlineScan.cab
     DPF: {1EF9F042-C2EB-4293-8213-474CAEEF531D} - hxxp://www.trendsecure.com/framework/control/en-US/activex/TmHcmsX.CAB
     DPF: {22492231-AEF0-49FC-9180-CE8969AB1273} - hxxp://download.sp.f-secure.com/ols/f-secure-rtm/resources/fslauncher.cab
     DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} - hxxp://download.zonelabs.com/bin/free/cm/ICSCM_ca.cab
     DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} - hxxp://a516.g.akamai.net/f/516/25175/7d/runaware.download.akamai.com/25175/citrix/wficat-no-eula.cab
     DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} - hxxps://support.microsoft.com/OAS/ActiveX/odc.cab
     DPF: {4B48D5DF-9021-45F7-A240-60304302A215} - hxxp://download.microsoft.com/download/5/c/2/5c2fc4b7-3875-4eec-946b-ffe15472cabc/WebCleaner.cab
     DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21}
     DPF: {56393399-041A-4650-94C7-13DFCB1F4665}
     DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} - hxxp://catalog.update.microsoft.com/v7/site/ClientControl/en/x86/MuCatalogWebControl.cab?1188991895871
     DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
     DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} - hxxp://www.amiuptodate.com/vsc/bin/1,0,0,9/McUpdatePortal.cab
     DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} - hxxp://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1255721425250
     DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
     DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
     DPF: {9732FB42-C321-11D1-836F-00A0C993F125}
     DPF: {99FE5072-78AA-4FEE-89BA-69A5FA55343F} - hxxp://download.microsoft.com/download/B/3/A/B3A2EA73-793D-4ABE-992D-C81140384044/igdtoolx.cab
     DPF: {9C024426-7859-4B2D-AB4C-B1E370AE7549} - hxxp://us.mcafee.com/Apps/WSC/en-us/WscWlanScannerCtrl.cab
     DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - hxxp://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?39295.4206481481
     DPF: {A5A76EA0-7B92-4707-9DBF-6F6FE56A6800} - hxxp://scan.networkmagic.com/nmscan/download/WebDiag.4.5.8056.1-ship-WD.V1.cab
     DPF: {B1E2B96C-12FE-45E2-BEF1-44A219113CDD} - hxxp://www.superadblocker.com/activex/sabspx.cab
     DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70}
     DPF: {CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_13-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0022-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_22-windows-i586.cab
     DPF: {CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_23-windows-i586.cab
     Handler: belarc - {6318E0AB-2E93-11D1-B8ED-00608CC9A71F} - c:\program files\belarc\advisor\system\BAVoilaX.dll
     Handler: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - c:\program files\common files\pure networks shared\platform\puresp4.dll
     Notify: !SASWinLogon - c:\program files\superantispyware\SASWINLO.DLL
     Notify: igfxcui - igfxdev.dll
     SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
     SEH: Eudora's Shell Extension: {edb0e980-90bd-11d4-8599-0008c7d3b6f8} - Eudora's Shell Extension
     SEH: OA Shell Helper: {4f07da45-8170-4859-9b5f-037ef2970034} - c:\progra~1\tallem~1\online~1\oaevent.dll
     SEH: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - No File
     ============= SERVICES / DRIVERS ===============
     R? BW2NDIS5;BW2NDIS5
     R? clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86
     R? fsbl-standalone;F-Secure BlackLight Beta Engine Driver
     R? IKFileFlt;File Filter Driver
     R? IKFileSec;File Security Driver
     R? IkSysFlt;System Filter Driver
     R? IKSysSec;System Security Driver
     R? McrdSvc;Media Center Extender Service
     R? NetBurnerService;Net Burner iSCSI Service
     R? NPF;NetGroup Packet Filter Driver
     R? PC FineTune Task Manager;PC FineTune Task Manager
     R? PermissionTVDownloadManager;PermissionTV Download Manager Service
     R? PSI;PSI
     R? SASDIFSV;SASDIFSV
     R? SASKUTIL;SASKUTIL
     R? Snaptune Recording Service;Snaptune Recording Service
     R? WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0
     R? WsAudioDevice_383;WsAudioDevice_383
     S? hotcore3;Hotcore helper
     S? MpFilter;Microsoft Malware Protection Driver
     S? NetBurn;Paragon NetBurning Driver
     S? OAcat;Online Armor Helper Service
     S? OADevice;OADriver
     S? OAmon;OAmon
     S? OAnet;OAnet
     S? pctfw1;pctfw1
     S? SbieDrv;SbieDrv
     S? StarPortLite;StarPort Storage Controller (Lite)
     S? SvcOnlineArmor;Online Armor
     S? USBSafelyRemoveService;USB Safely Remove Assistant
     =============== File Associations ===============
     JSEFile=c:\program files\script sentry\ScriptSentry.exe "%1" %*
     regfile=c:\program files\script sentry\ScriptSentry.exe "%1" %*
     scrfile="%1" %*
     VBEFile=c:\program files\script sentry\ScriptSentry.exe "%1" %*
     VBSFile=c:\program files\script sentry\ScriptSentry.exe "%1" %*
     =============== Created Last 30 ================
     2011-02-03 13:42:23 5890896 ----a-w- c:\docume~1\alluse~1\applic~1\microsoft\microsoft antimalware\definition updates\{ff6156c4-3e24-475d-a1d2-572041a8c1a4}\mpengine.dll
     2011-02-03 03:22:44 14143488 ----a-w- c:\documents and settings\administrator\ntuser.tmp
     2011-02-02 18:18:31 -------- d-----w- C:\TDSSKiller_Quarantine
     2011-02-02 03:03:29 -------- d-----w- c:\program files\Hitman Pro 3.5
     2011-02-02 03:02:41 -------- d-----w- c:\docume~1\alluse~1\applic~1\Hitman Pro
     2011-01-26 16:16:13 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
     2011-01-26 16:16:05 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
     2011-01-25 21:38:12 -------- d-----w- c:\windows\Temp46C98DD5-5E16-94ED-8BB5-6DC527781562-Signatures
     2011-01-25 21:38:06 -------- d-----w- c:\program files\Microsoft Security Client
     ==================== Find3M ====================
     2010-12-13 15:13:18 73728 ----a-w- c:\windows\system32\javacpl.cpl
     2010-12-13 15:13:17 472808 ----a-w- c:\windows\system32\deployJava1.dll
     2010-12-13 15:12:28 0 ----a-w- c:\windows\system32\REN21.tmp
     2010-12-13 15:12:28 0 ----a-w- c:\windows\system32\REN20.tmp
     2010-12-13 15:12:28 0 ----a-w- c:\windows\system32\REN1F.tmp
     2010-11-18 18:12:44 81920 ----a-w- c:\windows\system32\isign32.dll
     2010-11-09 14:52:35 249856 ----a-w- c:\windows\system32\odbc32.dll
     ============= FINISH: 15:46:07.00 ===============
     Attach.zip
  7. Current user accounts? Should I be in the user acct, right-click & choose "run as current user" (assuming it's possible)? Do this for all the scans asked for, or just AV?
     3. Preferably until the helper tells you otherwise.
     4. Any script blocker only needs to be disabled for the few short minutes it takes DDS to run. The NoScript addon will not affect DDS.
     5. Your choice. From the MBAM log alone, it seems there's not much to be concerned about, but that's why we ask for the other logs.
     6. "What won't work while the CD emulation drivers are disabled?" Your CD emulation software, if you have any.
     What is CD emulation software? Backup drivers? Music players?
  8. Is this software needed with Online Armor and other HIPS software? Or redundant?
  9. Thank you. Since I'm using the free version, it will be the forums. Some quick clarifications please:
     1. Advice is to run MBAM & remove all? Will it impede things if I don't remove the registry setting unless it is determined that it was set by malware? Since on consideration I think I remember disabling recent documents from appearing a long time ago as a security tweak. The question is why only now this setting is showing up on MBAM? Is this "My Documents" in fact the "show recent documents" setting?
     2. MBAM only finds the questionable setting in the user acct. Therefore, should I be running the full MSE scan in the user acct or in the admin acct? Same question for the other scans: will they work in the user acct or do they need to run as admin?
     3. Defogger / disable CD emulation drivers: are these to remain disabled until malware is removed (perhaps 48-72 hours from now)? Or only until all the scans are completed & logs are saved & sent?
     4. It says to disable anything which catches scripts. Does it refer to NoScript or Script Sentry? & is there any reason not to just allow DDS in Script Sentry, which will ensure I don't forget to re-enable Script Sentry later?
     5. Is there any reason not to continue using the machine while awaiting a response? What won't work while the CD emulation drivers are disabled? Thank you again for your guidance.
  10. Thanks for your prompt reply. 1. If malware set it, is it reasonable to assume said malware also would appear in the log? Or would a full scan be needed? 2. The result first appeared Jan 28, so if MBAM has been flagging it a long time, then yes! Something has changed my settings without my knowing. If it's a recent addition to the MBAM database, then it's been set that way a while. Do you know how to find out when it became a flagged item?
  11. Malwarebytes' Anti-Malware 1.50.1.1100
      www.malwarebytes.org
      Database version: 5640
      Windows 5.1.2600 Service Pack 3
      Internet Explorer 8.0.6001.18702
      1/30/2011 3:18:02 PM
      mbam-log-HIJACKstartmenu2011-01-30 (15-17-35).txt
      Scan type: Quick scan
      Objects scanned: 166870
      Time elapsed: 5 minute(s), 19 second(s)
      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 2
      Folders Infected: 0
      Files Infected: 0
      Memory Processes Infected:
      (No malicious items detected)
      Memory Modules Infected:
      (No malicious items detected)
      Registry Keys Infected:
      (No malicious items detected)
      Registry Values Infected:
      (No malicious items detected)
      Registry Data Items Infected:
      HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
      HKEY_CLASSES_ROOT\regfile\shell\open\command\(default) (Broken.OpenCommand) -> Bad: (C:\Program Files\Script Sentry\ScriptSentry.exe "%1" %*) Good: (regedit.exe "%1") -> No action taken.
      Folders Infected:
      (No malicious items detected)
      Files Infected:
      (No malicious items detected)
  12. Got another registry value showing up: hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced|start_showmydocs. I have not made any system changes (that I'm aware of) to my system settings, except updating to the newest version of MSE earlier this week. When my system settings do change, WinPatrol asks for permission before allowing the changes to go through, and it hasn't alerted me to any recent changes except (allowed) the most recent iteration of MSE to run at startup. So either something has slipped through & infected me (unlikely, I hope), OR the latest Malwarebytes ruleset is now detecting a setting that "may not be optimal". Can you tell me whether this detection is in fact a "not optimal setting" or malware? What exactly does this Start_ShowMyDocs setting allow? And if less than optimal, why, and what would be a more advisable setting? Thank you.
  13. Thank you, OP. Had the same issue this AM (may be the snow affecting the connection?). Anyhow, followed your "uninstall / clean up / reboot / download / install new MBAM" & it seems to be OK now. Came here after following the error advice to email support. If they find issues other than a corrupted file I'll post back here.
  14. Been getting this result for a while, I think since the latest version of MBAM, and each time choosing ignore doesn't prevent MBAM from finding the same thing again next time it scans. It is detecting my setting for Script Sentry as the default "open with" for scripts. Script Sentry is really old software, but I have no desire not to keep it active. It uses no resources unless activated by a script, in which case everything else has failed me. What it then does is pop up a box alerting me that script xyz wants to execute, & Script Sentry will allow or deny it.
     1. I keep choosing ignore & adding it to the ignore list after each scan. The ignore list is populated entirely by the day-by-day addition of the exact same value. Is there a way to set it to ignore so it stays ignored for future scans? Or should I forget about adding it to the ignore list & just choose to do nothing after each scan?
     2. The actual ignore command as it appears in the ignore list shows as category: registry value, item: hkey_classes_root/regfile/shell/open/command|default. It doesn't appear to drill down to the Script Sentry setting. I'm not looking to have the scanner ignore every unusual registry shell detection, just this specific one for Script Sentry. Does the ignore command above do this? Or: how can it be done? Thank you for the great protection!! Using it on demand for years, never actually found anything, but glad to have one of the best!
     WinXP SP3
     Online Armor Premium (firewall & HIPS)
     MSE
     Sandboxie (paid)
     WinPatrol Plus
     On demand: MBAM, Spybot S&D
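The two items in the MBAM log (post 11) and the regfile detection in post 14 are registry settings that a practitioner would want to read back on the machine before deciding whether a detection is their own tweak or a real change; post 2 makes the same point for the hosts file. The PowerShell below is an added example for this page, not code from the thread, from Malwarebytes or from any tool named here. It only reads: it compares the two registry values with the "Good" values MBAM listed, then reports the hosts file's read-only attribute (what the "lock hosts file" options set) and its SHA-256 for comparison with a baseline. Assumptions: Windows with PowerShell 2.0 or later, run in the user account whose Start menu is in question (the Start_ShowMyDocs value lives under HKCU and is per-user), and the `$knownGoodHostsSha256` baseline is a hypothetical value you record yourself on a known-good system.

```powershell
# Added example, not from the forum thread or from Malwarebytes. Read-only audit of
# the items MBAM flagged on this page, plus the hosts file. Runs on PowerShell 2.0+.

$checks = @(
    @{
        Name     = 'Explorer\Advanced\Start_ShowMyDocs  (MBAM: PUM.Hijack.StartMenu)'
        Path     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
        Value    = 'Start_ShowMyDocs'
        Expected = 1                      # MBAM "Good: (1)"; 0 hides My Documents from Start
    },
    @{
        Name     = 'regfile\shell\open\command  (MBAM: Broken.OpenCommand)'
        Path     = 'Registry::HKEY_CLASSES_ROOT\regfile\shell\open\command'
        Value    = '(default)'
        Expected = 'regedit.exe "%1"'     # MBAM "Good" value for opening .reg files
    }
)

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $props = Get-ItemProperty -LiteralPath $Path -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    # Get-ItemProperty exposes a key's default value under the property name '(default)'
    return $props.$Name
}

foreach ($c in $checks) {
    $actual = Get-RegValueOrNull -Path $c.Path -Name $c.Value
    if ($null -eq $actual) {
        $state = 'ABSENT (value not set; the Windows default applies)'
    } elseif ("$actual" -eq "$($c.Expected)") {
        $state = 'OK (matches the value MBAM calls Good)'
    } else {
        $state = "DIFFERS: actual=[$actual] expected=[$($c.Expected)]"
    }
    Write-Output ("{0}`n  {1}`n  {2}`n" -f $c.Name, ($c.Path + '\' + $c.Value), $state)
}

# Hosts file: the read-only attribute is what the "lock hosts file" options set; the
# hash lets you spot a silent rewrite by comparing against a baseline you recorded
# when the file was known good.
$hostsPath            = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$knownGoodHostsSha256 = ''   # hypothetical: paste your own baseline hash here

if (Test-Path -LiteralPath $hostsPath) {
    $file     = Get-Item -LiteralPath $hostsPath -Force
    $readOnly = $file.IsReadOnly
    $sha      = New-Object System.Security.Cryptography.SHA256Managed
    $stream   = [System.IO.File]::OpenRead($hostsPath)
    try     { $hash = ([BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Close() }

    $hostsState = 'no baseline recorded'
    if ($knownGoodHostsSha256 -ne '') {
        if ($hash -eq $knownGoodHostsSha256) { $hostsState = 'matches baseline' }
        else                                 { $hostsState = 'CHANGED since baseline' }
    }
    Write-Output ("hosts: {0}`n  read-only={1}`n  sha256={2} ({3})" -f $hostsPath, $readOnly, $hash, $hostsState)
}
```

On the poster's machine the second check would report DIFFERS, because (per post 14) the .reg association was deliberately pointed at ScriptSentry.exe; that is exactly the case where a DIFFERS line is a known tweak rather than a hijack, and the script makes no change either way. A Start_ShowMyDocs reading of 0 in the user account, with 1 or ABSENT in the admin account, reproduces the per-user result described in post 9.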