[kelkay]

I decided to run this to see if it would help. It may be a false positive of the Cleanup program I did earlier at your request. I thought I would show it to you anyway. If it is a false positive, please let me know so I can inform the Malwarebytes people.

Malwarebytes' Anti-Malware 1.23
Database version: 989
Windows 5.1.2600 Service Pack 3

8:47:28 PM 7/24/2008
mbam-log-7-24-2008 (20-47-22).txt

Scan type: Full Scan (C:\|D:\|)
Objects scanned: 179694
Time elapsed: 44 minute(s), 10 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\cleanup.bat (Trojan.Agent) -> No action taken.
C:\install.bat (Trojan.Agent) -> No action taken.

[Advertisements]

How do I disable Spyware Blaster?

It doesn't have an uninstaller in the Add\Remove Programs?

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as CFScript.txt
• Change the Save as Type to All Files
• and Save it on the desktop

File::C:\avexport.batC:\cleanup.exeC:\cleanup.batC:\WINDOWS\system32\20.tmpC:\WINDOWS\TEMP\mc21.tmpC:\DOCUME~1\Kelly\LOCALS~1\Temp\OYKNVASYNG.exeC:\Program Files\wt3d.iniC:\install.batDriver::MEMSWEEP2OYKNVASYNGmchInjDrvRegistry::[-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv][-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

How is the computer doing?

[JSntgRvr]

How do I disable Spyware Blaster?

It doesn't have an uninstaller in the Add\Remove Programs?

• Copy the entire contents of the Quote Box below to Notepad.
• Name the file as CFScript.txt
• Change the Save as Type to All Files
• and Save it on the desktop

File::C:\avexport.batC:\cleanup.exeC:\cleanup.batC:\WINDOWS\system32\20.tmpC:\WINDOWS\TEMP\mc21.tmpC:\DOCUME~1\Kelly\LOCALS~1\Temp\OYKNVASYNG.exeC:\Program Files\wt3d.iniC:\install.batDriver::MEMSWEEP2OYKNVASYNGmchInjDrvRegistry::[-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\mchInjDrv][-HKEY_LOCAL_MACHINE\system\ControlSet002\Services\MEMSWEEP2]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report along with a Hijackthis log..

How is the computer doing?

[kelkay]

The computer seems to be doing better, faster. I found out how to disable Spyware Blaster. I will do the next steps now.

[kelkay]

PM Sent about this last step you mentioned.

[JSntgRvr]

Go!

[JSntgRvr]

This weekend will be hard for me to be here. Hopefully at least once a day only. Make sure you have one antivirus (Not two) active. Same thing applies to a firewall. I 'll be reading your post tomorrow in the evening.

[kelkay]

I understand, and I really want to thank you very much. I hope you have time to see this to know whether or not I messed this up. I still had stuff active, as I didn't realize this was going to run the program when I dragged and dropped that file. I got things shut off, but then it restarted, and the firewall came on...not sure if the program did right or not.

ComboFix 08-07-24.1 - Kelly 2008-07-24 21:13:16.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.604 [GMT -5:00]
Running from: C:\Documents and Settings\Kelly\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Kelly\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\avexport.bat
C:\cleanup.bat
C:\cleanup.exe
C:\DOCUME~1\Kelly\LOCALS~1\Temp\OYKNVASYNG.exe
C:\Program Files\wt3d.ini
C:\WINDOWS\system32\20.tmp
C:\WINDOWS\TEMP\mc21.tmp
.

[kelkay]

softwareupdate.exe wants to control C:\WINDOWS\system32\DllHost.exe (Process ID =3984) I hit deny since I don't know what this is. This is from my Online Armor firewall. It won't stop even though I hit block, it just keeps asking me. So I am going to hit block, remember my decision, until I hear from you about this. I am afraid it is not a trusted program. Now under that notification Apple Software Update is asking for permission, maybe it belongs to that. I granted that one permission.

[JSntgRvr]

softwareupdate.exe wants to control C:\WINDOWS\system32\DllHost.exe (Process ID =3984) I hit deny since I don't know what this is. This is from my Online Armor firewall. It won't stop even though I hit block, it just keeps asking me. So I am going to hit block, remember my decision, until I hear from you about this. I am afraid it is not a trusted program. Now under that notification Apple Software Update is asking for permission, maybe it belongs to that. I granted that one permission.

That' s part of Quick Time. No problems in allowing it.

Go OFF-line. Disconnect the Network cable if needed, then disable all your security. Attempt CFScript once again, once done, re-activate your security, go online and post the resulting report.

[kelkay]

Is there a way to stop Online Armor from going active after I pause it, if COMBOFIx wants to restart like it did last time?

[kelkay]

If I exit the program, it still comes back and on with full enabling.

[JSntgRvr]

http://www.tallemu.c...essSettings.htm

Turn off major Online Armor features: Mail Shield, Web Shield and Program Guard and Firewall.

[kelkay]

I think I had better delete the ComboFix.exe and the other file, and do it all over again, because I think my firewall blocked it partially last night. Then to top it off Kaspserky saw it as an invader today.

[kelkay]

Oh okay, that sounds good. Thanks.

[kelkay]

Can I drag ComboFix to the recycle bin? I could not find it on add/remove programs. When I try to delete it it says it is a program. I was afraid I was messing it up if I did.