it came back!!! :O(

[JesseXXX]

Old Thread:

http://www.malwarebytes.org/forums/index.php?showtopic=6276

Confused....Malwarebytes fixed the issue, but its back....huh? ... attached is my norton 2009 detection screen image .... I'm running another malwarebytes scan as I type this.....

Update:

Okay, scan finished, it was removed....again..how can I stop this from happening again...? Below is the scan report:

Malwarebytes' Anti-Malware 1.28

Database version: 1270

Windows 5.1.2600 Service Pack 3

10/14/2008 8:38:36 PM

mbam-log-2008-10-14 (20-38-36).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)

Objects scanned: 150535

Time elapsed: 2 hour(s), 1 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Jesse!\Desktop\AntiVirus2008.JPG (Rogue.Antivirus) -> Quarantined and deleted successfully.

[JeanInMontana]

That is an image file. Scan again with MBAM post that log and a HJT log please.

[JesseXXX]

Thanks for helping Jean

MBAM (what/where is this..?) also a HJT log (same, help...not computer literate)

oooo, talking about this:

Malwarebytes' Anti-Malware 1.28

Database version: 1270

Windows 5.1.2600 Service Pack 3

10/14/2008 8:38:36 PM

mbam-log-2008-10-14 (20-38-36).txt

Scan type: Full Scan (A:\|C:\|D:\|E:\|)

Objects scanned: 150535

Time elapsed: 2 hour(s), 1 minute(s), 13 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 1

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\Documents and Settings\Jesse!\Desktop\AntiVirus2008.JPG (Rogue.Antivirus) -> Quarantined and deleted successfully

[JeanInMontana]

Your scanning with MBAM. You have been here before and posted a HiJack This! log. http://www.malwarebytes.org/forums/index.php?showtopic=2936 follow those instructions, please.

[JesseXXX]

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:46:22 PM, on 10/16/2008

Platform: Windows XP SP3 (WinNT 5.01.2600)

MSIE: Internet Explorer v7.00 (7.00.6000.16735)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\csrss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\Ati2evxx.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Tall Emu\Online Armor\oasrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe

C:\WINDOWS\System32\svchost.exe

C:\PROGRA~1\Iomega\System32\AppServices.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE

C:\Program Files\Tall Emu\Online Armor\oacat.exe

C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Windows Media Player\WMPNetwk.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Norton Internet Security\Norton Internet Security\Engine\16.0.0.125\ccSvcHst.exe

C:\WINDOWS\System32\alg.exe

C:\Program Files\SanDisk\Sansa Updater\SansaDispatch.exe

C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe

C:\Program Files\iTunes\iTunesHelper.exe

C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe

C:\Program Files\Tall Emu\Online Armor\oaui.exe

C:\Program Files\ATI Multimedia\main\ATIDtct.EXE

C:\WINDOWS\system32\ctfmon.exe

C:\Program Files\Microsoft ActiveSync\wcescomm.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\PROGRA~1\MI3AA1~1\rapimgr.exe

C:\Program Files\Windows Media Player\WMPNSCFG.exe

C:\Program Files\Tall Emu\Online Armor\oahlp.exe

C:\Program Files\iPod\bin\iPodService.exe

C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe

C:\Program Files\Internet Explorer\IEXPLORE.EXE

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Road Runner High Speed Online

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1

O1 - Hosts: GIF89a

[Raid]

Hi There.

Important!

All of the following instructions must be run on the affected computer. Logs from a different computer will not help me help you. So, if you need to download all of this and then copy it to cd or memory stick and take it to the other computer, please do so. Either way, it's important; The logs have to be made by the computer with the problem.

I need you to follow the instructions provided here http://www.malwarebytes.org/forums/index.php?showtopic=2936 first.

I also need for you to download this program http://oldtimer.geekstogo.com/OTListIt.exe to your desktop.

* Close all applications and windows so that you have nothing open and are at your Desktop

* Double-click on the OTListIt.exe file to start OTListIt. OK any warning about running OTListIt.

* Place a checkmark in the "Scan All Users" checkbox (Leave the 'Use Whitelist' checked' and the 'File Age:' at 30 days)

* Click the Run Scan button

Note: Please be patient and let the scan run without using the computer

* When the scan is complete, a text file (OTListIt.Txt) will open in Notepad (if not, it can be found on your Desktop)

* In Notepad, click Edit > Select all then Edit > Copy

* Reply to this topic, click in the topic reply window, and press Ctrl+V to paste the log

* Submit your reply and close the Notepad window with OTList.txt

* Also OTListIt's Extras.txt log file will be minimised in the Taskbar (and located on your Desktop) - click on this and maximise the window

* In Notepad, click Edit > Select all then Edit > Copy

* Reply to this topic again, click in the topic reply window, and press Ctrl+V to paste the extras log

If the files (OTListIt.txt, Extras.txt) do not appear in your taskbar, just open the files in notepad; they will be on your desktop.

Please allow me time to analyze your post. If you don't see a reply from me after 24 hours, feel free to PM me.

[Raid]

I am going to give you the rest of today to respond, or I will be closing the thread with the assumption that you are ok.

[JeanInMontana]

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine. Please start a thread of your own and someone will be happy to help you.