Copied over from the following thread http://www.malwareby...showtopic=30004 per AdvancedSetup (Admin)....
This post/thread is not about malware removal. It's about a fresh install of Windows 7 Ultimate and the subsequent loading of Malwarebytes and it not apparently running correctly (slowing, then stopping around the 17,000 +/- count, which ultimately results in a "not responding" error and a Ctrl-Alt-Del into Task Manager to kill MBAM). The advice provided so far alluded to a possible AVG anti-virus issue/conflict... I tried the suggested remedy, which did not solve the issue. I then removed AVG altogether and reinstalled Malwarebytes, which did not resolve the issue. So I would have to assume the issue does not lie with AVG anti-virus... In that this is a new install of Windows 7, I doubt that it has anything to do with an infection of malware...
Additionally... I can't complete the request of "Please print out, read and follow the directions here...." because MBAM won't complete to generate a report to post. As mentioned in my first post, on other machines in the family (running XP), Quick Scan takes about 5 minutes.... I've had to kill MBAM after more than 60 minutes of run time / not responding, which did not result in an MBAM report...
Jim
Tucson, AZ
ADDITIONAL Information to add: Following suggestions on a few other Admin Solution posts, I tried the following: Again, this is on a clean install of Windows 7 Ultimate with Office 2007 Student Ed. loaded as well... AVG anti-virus has been removed completely...
Changed the file name of MBAM.exe to winlogon.exe, executed the renamed file and ran Quick Scan. Shocking in that this ran and completed right at 5 minutes... No errors, exceptions, etc. found. Changed the name back to MBAM.exe and re-ran... Slows and hangs at around the 17,000 +/- count. At the time this happens, the scan is in the Registry scanning Windows / IE records and CPU usage is pegged at 100%... Changed back to winlogon.exe - runs without issue.... But instead of the CPU being pegged at 100% usage, it's running around 35-40% usage....
Having "success" with that, I re-installed AVG anti-virus... Running MBAM.exe, same results - slows and hangs. Changed the file name to winlogon.exe and it runs without issue... 5 minutes, no issues or errors found...
Summary: MBAM.exe, Quick Scan, slows and locks at 17,000 +/- counts, CPU pegged at 100%, Ctrl-Alt-Del required to terminate... MBAM.exe file renamed to winlogon.exe, AVG anti-virus loaded, completes Quick Scan in 5 minutes, CPU usage 35-40%, no errors found...
What can be done in order to get MBAM to run under its proper file name? Stumped!
Thanks in advance for any help and/or insight that can be provided.
Regards,
Jim
Tucson, AZ
#1
Posted 07 November 2009 - 04:46 PM
#2
Posted 08 November 2009 - 05:48 AM
Hi and welcome to Malwarebytes,
Please give more information about your Windows installation. Did you format before installing Windows 7, or is it an upgrade from Vista, or an over-the-top installation? Is it 32- or 64-bit?
Download DDS by sUBs and save it to your Desktop.
Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.
-screen317
#3
Posted 08 November 2009 - 07:14 AM
screen317, on Nov 7 2009, 10:48 PM, said:
Hi and welcome to Malwarebytes,
Please give more information about your Windows installation. Did you format before installing Windows 7, or is it an upgrade from Vista, or an over-the-top installation? Is it 32- or 64-bit?
Download DDS by sUBs and save it to your Desktop.
Double-click on the DDS icon and let the scan run. When it has run, two logs will be produced; please post the one that is not minimized.
-screen317
Thank you for your reply... Very much appreciated.
I had XP Pro installed, booted from the Windows 7 CD and installed over the existing XP installation after performing a "delete existing partition", "create partition for new install" and a "quick format"... 32-bit
I had trouble with the link you provided for the DDS download. When I clicked it, I received a screen full of gibberish. Did a Google search and found a DDS.scr file vs. the DSS.pif you had linked to. The DDS.scr file created two files as you mentioned and I believe I pasted the correct one below... Let me know what additional information, etc. you need.
Thanks again.... Jim
LOG File
DDS (Ver_09-10-26.01) - NTFSx86
Run by Jim at 23:56:28.36 on Sat 11/07/2009
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.1.1033.18.2047.1018 [GMT -7:00]
SP: Spybot - Search and Destroy *enabled* (Updated) {ED588FAF-1B8F-43B4-ACA8-8E3C85DADBE9}
============== Running Processes ===============
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\wltrysvc.exe
C:\Windows\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Windows\system32\taskhost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Windows\System32\wltray.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\Acronis\TrueImageHome\TrueImageMonitor.exe
C:\Program Files\Acronis\TrueImageHome\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Windows\system32\SearchIndexer.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Windows\System32\svchost.exe -k LocalServicePeerNet
C:\Windows\System32\svchost.exe -k secsvcs
C:\Windows\system32\taskhost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Jim\Desktop\dds.scr
C:\Windows\system32\conhost.exe
C:\Windows\system32\wbem\wmiprvse.exe
============== Pseudo HJT Report ===============
uStart Page = hxxp://www.msnbc.com/
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: Spybot-S&D IE Protection: {53707962-6f74-2d53-2644-206d7942484f} - c:\progra~1\spybot~1\SDHelper.dll
BHO: Adobe PDF Conversion Toolbar Helper: {ae7cd045-e861-484f-8273-0445ee161910} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
TB: Adobe PDF: {47833539-d0c5-4125-9fa8-0819e2eaac93} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
EB: Adobe PDF: {182ec0be-5110-49c8-a062-beb1d02a220b} - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll
uRun: [Sidebar] c:\program files\windows sidebar\sidebar.exe /autoRun
uRun: [SpybotSD TeaTimer] c:\program files\spybot - search & destroy\TeaTimer.exe
mRun: [Broadcom Wireless Manager UI] c:\windows\system32\wltray
mRun: [Malwarebytes' Anti-Malware] "c:\program files\malwarebytes' anti-malware\mbamgui.exe" /starttray
mRun: [SynTPStart] c:\program files\synaptics\syntp\SynTPStart.exe
mRun: [TrueImageMonitor.exe] c:\program files\acronis\trueimagehome\TrueImageMonitor.exe
mRun: [AcronisTimounterMonitor] c:\program files\acronis\trueimagehome\TimounterMonitor.exe
mRun: [Acronis Scheduler2 Service] "c:\program files\common files\acronis\schedule2\schedhlp.exe"
mRun: [Acrobat Assistant 8.0] "c:\program files\adobe\acrobat 8.0\acrobat\Acrotray.exe"
mRun: [<NO NAME>]
mRun: [Adobe ARM] "c:\program files\common files\adobe\arm\1.0\AdobeARM.exe"
mRun: [avast!] "c:\program files\alwil software\avast4\ashDisp.exe"
mPolicies-system: ConsentPromptBehaviorAdmin = 5 (0x5)
mPolicies-system: ConsentPromptBehaviorUser = 3 (0x3)
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: Append to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - c:\program files\adobe\acrobat 8.0\acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
IE: {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - {53707962-6F74-2D53-2644-206D7942484F} - c:\progra~1\spybot~1\SDHelper.dll
LSA: Authentication Packages = msv1_0 relog_ap
================= FIREFOX ===================
FF - ProfilePath - c:\users\jim\appdata\roaming\mozilla\firefox\profiles\sbv5b0yz.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.com/
---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);
============= SERVICES / DRIVERS ===============
R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-11-7 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-11-7 20560]
R2 aswMonFlt;aswMonFlt;c:\windows\system32\drivers\aswMonFlt.sys [2009-11-7 53328]
R2 MBAMService;MBAMService;c:\program files\malwarebytes' anti-malware\mbamservice.exe [2009-11-4 269648]
R2 SBSDWSCService;SBSD Security Center Service;c:\program files\spybot - search & destroy\SDWinSec.exe [2009-11-4 1153368]
R3 GTIPCI21;GTIPCI21;c:\windows\system32\drivers\gtipci21.sys [2006-4-6 88192]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [2009-11-4 19160]
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-11-4 38224]
R3 NETw2v32;Intel® PRO/Wireless 2915ABG Network Connection Driver for Windows Vista;c:\windows\system32\drivers\NETw2v32.sys [2007-3-6 2595840]
R3 SMSCIRDA;SMSC Infrared Device Driver;c:\windows\system32\drivers\smscirda.sys [2007-4-25 31232]
S3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\drivers\b57nd60x.sys [2009-7-13 229888]
=============== Created Last 30 ================
2009-11-08 00:44:47 53328 ----a-w- c:\windows\system32\drivers\aswMonFlt.sys
2009-11-05 20:35:44 29272 ----a-r- c:\windows\system32\AdobePDF.dll
2009-11-05 19:06:27 0 d-----w- c:\programdata\FLEXnet
2009-11-05 19:06:25 0 d-----w- c:\program files\common files\Macrovision Shared
2009-11-05 19:00:49 0 d-----w- c:\programdata\Adobe
2009-11-05 05:23:27 0 d-sh--w- c:\windows\system32\%APPDATA%
2009-11-05 04:22:31 32656 ----a-w- c:\windows\system32\msonpmon.dll
2009-11-05 04:21:22 0 d-----w- c:\windows\PCHEALTH
2009-11-05 04:19:53 0 d-----w- c:\programdata\Microsoft Help
2009-11-05 03:19:49 0 d-----w- c:\program files\VS Revo Group
2009-11-05 03:07:47 23 --sha-w- c:\windows\system32\edacded0.dat
2009-11-05 03:07:47 23 ----a-w- c:\windows\system32\bcdadac7.xml
2009-11-05 03:07:28 0 d-----w- c:\program files\jv16 PowerTools 2009
2009-11-05 02:58:23 0 d-----w- c:\programdata\Acronis
2009-11-05 02:58:10 44384 ----a-w- c:\windows\system32\drivers\tifsfilt.sys
2009-11-05 02:58:10 441760 ----a-w- c:\windows\system32\drivers\timntr.sys
2009-11-05 02:58:07 129248 ----a-w- c:\windows\system32\drivers\snapman.sys
2009-11-05 02:58:02 368544 ----a-w- c:\windows\system32\drivers\tdrpman.sys
2009-11-05 02:33:51 0 d-----w- c:\program files\Atomic Clock Sync
2009-11-04 17:01:07 0 d-----w- c:\program files\CCleaner
2009-11-04 13:45:29 0 d-----w- c:\programdata\Spybot - Search & Destroy
2009-11-04 13:45:29 0 d-----w- c:\program files\Spybot - Search & Destroy
2009-11-04 13:37:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-11-04 13:37:36 0 d-----w- c:\program files\Synaptics
2009-11-04 13:16:13 0 d---a-w- c:\programdata\TEMP
2009-11-04 13:16:03 118784 ----a-w- c:\windows\system32\MSSTDFMT.DLL
2009-11-04 13:16:03 1071088 ----a-w- c:\windows\system32\MSCOMCTL.OCX
2009-11-04 13:16:02 0 d-----w- c:\program files\SpywareBlaster
2009-11-04 13:08:51 0 d-----w- c:\programdata\WinZip
2009-11-04 12:45:20 0 d-----w- c:\users\jim\appdata\roaming\Malwarebytes
2009-11-04 12:45:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 12:45:16 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-11-04 12:45:14 0 d-----w- c:\programdata\Malwarebytes
2009-11-04 12:45:14 0 d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-11-04 06:45:40 0 ----a-w- c:\windows\ativpsrm.bin
2009-11-04 06:43:52 257024 ----a-w- c:\windows\system32\msv1_0.dll
2009-11-04 06:40:59 728648 ----a-w- c:\windows\system32\drivers\dxgkrnl.sys
2009-11-04 06:40:59 71168 ----a-w- c:\windows\system32\fontsub.dll
2009-11-04 06:40:59 507568 ----a-w- c:\windows\system32\winload.exe
2009-11-04 06:40:59 442920 ----a-w- c:\windows\system32\winresume.exe
2009-11-04 06:40:59 293888 ----a-w- c:\windows\system32\atmfd.dll
2009-11-04 06:40:59 2613248 ----a-w- c:\windows\explorer.exe
2009-11-04 06:40:59 1320960 ----a-w- c:\windows\system32\CertEnroll.dll
2009-11-04 06:40:59 108544 ----a-w- c:\windows\system32\t2embed.dll
2009-11-04 06:40:58 12625408 ----a-w- c:\windows\system32\wmploc.DLL
2009-11-04 06:40:06 34816 ----a-w- c:\windows\system32\msasn1.dll
2009-11-04 06:32:08 0 d-----w- c:\programdata\Hewlett-Packard
2009-11-04 06:16:47 0 d-----w- c:\program files\AVG
2009-11-04 05:57:14 195456 ------w- c:\windows\system32\MpSigStub.exe
2009-11-04 05:32:45 86016 ------w- c:\windows\system32\wltrynt.dll
2009-11-04 05:32:45 65536 ------w- c:\windows\system32\WLTRYSVC.EXE
2009-11-04 05:32:45 294912 ------w- c:\windows\system32\BCMLogon.dll
2009-11-04 05:32:45 192512 ------w- c:\windows\system32\AegisI5.exe
2009-11-04 05:32:45 17801 ----a-w- c:\windows\system32\drivers\AegisP.sys
2009-11-04 05:32:44 819303 ------w- c:\windows\system32\wltray.EXE
2009-11-04 05:32:43 954474 ------w- c:\windows\system32\BCMWLTRY.EXE
2009-11-04 05:32:43 1953900 ------w- c:\windows\system32\bcmcfg.cpl
2009-11-04 05:32:43 1396831 ------w- c:\windows\system32\AegisE5.dll
2009-11-04 05:32:43 122981 ------w- c:\windows\system32\preflib.dll
2009-11-04 05:25:06 69632 ------w- c:\windows\system32\bcmwlD2K.EXE
2009-11-04 05:25:06 376320 ------w- c:\windows\system32\drivers\BCMWL5.SYS
2009-11-04 05:25:06 176128 ------w- c:\windows\system32\bcmwlu00.exe
2009-11-04 05:17:31 0 d-----w- c:\program files\Analog Devices
2009-11-04 05:14:13 0 d-----w- c:\program files\Broadcom
2009-11-04 05:13:31 0 d-----w- c:\windows\Panther
2009-11-04 05:13:24 8192 --sha-r- C:\BOOTSECT.BAK
2009-11-04 05:13:22 383562 --sha-r- C:\bootmgr
2009-11-04 05:13:21 0 d-sh--w- C:\Boot
2009-11-04 05:12:54 0 d-----w- c:\windows\tiinst
2009-11-04 05:12:27 0 d-sh--w- c:\windows\Installer
2009-11-04 05:12:22 0 d-----w- C:\SWSetup
2009-11-04 05:11:01 0 d-----w- c:\program files\ATI Technologies
2009-11-04 05:10:58 0 d-----w- c:\program files\ATI
2009-11-04 04:31:22 0 --sh--r- C:\winx.ld
2009-11-04 04:31:21 203836 --sh--r- C:\grldr
2009-11-04 04:30:19 0 ---ha-w- c:\windows\system32\drivers\Msft_User_WpdFs_01_09_00.Wdf
2009-11-04 04:27:11 713888 ----a-w- c:\windows\system32\PerfStringBackup.INI
2009-11-04 04:26:55 0 d-----w- c:\windows\system32\wbem\Performance
==================== Find3M ====================
2009-08-18 06:33:52 1193832 ----a-w- c:\windows\system32\FM20.DLL
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfd.dat
2009-07-14 04:56:42 31548 ----a-w- c:\windows\inf\perflib\0409\perfc.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfi.dat
2009-07-14 04:56:42 291294 ----a-w- c:\windows\inf\perflib\0409\perfh.dat
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfi.dat
2009-07-14 00:34:40 291294 ----a-w- c:\windows\inf\perflib\0000\perfh.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfd.dat
2009-07-14 00:34:38 31548 ----a-w- c:\windows\inf\perflib\0000\perfc.dat
2009-06-10 21:26:35 9633792 --sha-r- c:\windows\fonts\StaticCache.dat
2009-07-14 01:14:45 396800 --sha-w- c:\windows\winsxs\x86_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7600.16385_none_f12e83abb108c86c\WinMail.exe
============= FINISH: 23:57:11.79 ===============
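The DDS log above is what the helper reads by hand. As an added example (not part of the thread, and not a Malwarebytes or DDS tool), here is a small Python triage script that parses the "Created Last 30" / "Find3M" entry format and flags hidden/system objects outside a baseline, loose files in the drive root, and unexpanded environment variables in paths. The attribute-flag positions and the allowlist are assumptions inferred from the log, the sample lines are excerpted from it, and a flag means "look at this", not "infected".

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# One "Created Last 30" / "Find3M" line in a DDS log:
#   <YYYY-MM-DD> <HH:MM:SS> <size> <8 attribute flags> <path>
# Flag positions are inferred from the log in this thread (assumption):
# index 0 'd' = directory, index 2 's' = system, index 3 'h' = hidden,
# index 4 'a' = archive, index 6 'w'/'r' = writable/read-only.
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<size>\d+) (?P<attrs>[-a-z]{8}) (?P<path>\S.*)$"
)

# Hidden/system objects a stock Windows 7 install legitimately creates.
# This allowlist is an assumption chosen for the example; build your own
# baseline from a known-clean machine before relying on it.
KNOWN_BENIGN = {
    r"c:\bootmgr", r"c:\bootsect.bak", r"c:\boot",
    r"c:\windows\installer", r"c:\program files\desktop.ini",
    r"c:\windows\fonts\staticcache.dat",
}

# Sample input excerpted from the DDS log posted above (section headers
# included so the parser is exercised on them).
SAMPLE_LOG = r"""
=============== Created Last 30 ================
2009-11-05 05:23:27 0 d-sh--w- c:\windows\system32\%APPDATA%
2009-11-05 03:07:47 23 --sha-w- c:\windows\system32\edacded0.dat
2009-11-04 13:37:41 0 ---ha-w- c:\windows\system32\drivers\Msft_Kernel_SynTP_01000.Wdf
2009-11-04 12:45:18 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-11-04 05:13:24 8192 --sha-r- C:\BOOTSECT.BAK
2009-11-04 05:13:22 383562 --sha-r- C:\bootmgr
2009-11-04 04:31:22 0 --sh--r- C:\winx.ld
2009-11-04 04:31:21 203836 --sh--r- C:\grldr
==================== Find3M ====================
2009-07-14 04:41:57 174 --sha-w- c:\program files\desktop.ini
"""


@dataclass
class Entry:
    date: str
    time: str
    size: int
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return self.attrs[3] == "h"

    @property
    def system(self) -> bool:
        return self.attrs[2] == "s"

    @property
    def in_drive_root(self) -> bool:
        # "C:\grldr" has exactly one backslash; anything deeper has more.
        return self.path.count("\\") == 1


def parse_dds_entries(text: str) -> List[Entry]:
    """Parse every entry line; headers and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["date"], m["time"], int(m["size"]),
                                 m["attrs"], m["path"]))
    return entries


def triage(entries: List[Entry]) -> Dict[str, List[str]]:
    """Map each path worth a second look to the reasons it was flagged.

    Heuristics are constructed for this example and are review prompts,
    not a verdict: (1) hidden or system objects outside the baseline,
    (2) loose files dropped directly in the drive root, (3) a literal '%'
    in the path, i.e. an environment variable that was never expanded.
    """
    findings: Dict[str, List[str]] = {}
    for e in entries:
        key = e.path.lower()
        reasons = []
        if (e.hidden or e.system) and key not in KNOWN_BENIGN \
                and "\\winsxs\\" not in key:
            reasons.append("hidden/system outside baseline")
        if e.in_drive_root and not e.is_dir and key not in KNOWN_BENIGN:
            reasons.append("loose file in drive root")
        if "%" in e.path:
            reasons.append("unexpanded environment variable in path")
        if reasons:
            findings[e.path] = reasons
    return findings


if __name__ == "__main__":
    for path, why in triage(parse_dds_entries(SAMPLE_LOG)).items():
        print(f"{path}: {', '.join(why)}")
```

The Synaptics `.Wdf` marker file is a deliberate benign hit: it shows why the baseline, not the heuristic alone, decides what gets escalated.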
#4
Posted 09 November 2009 - 10:06 PM
Hi,
Usually the symptoms you are describing are indicative of an infection. Theoretically it's possible for malware to survive a "Quick Format" into a new installation, and since you installed a 32bit version of Windows 7, the infection could still be alive. Trouble is, many of the tools we use are not yet compatible with Windows 7. There are a few things I would like to try.
First, please download ATF Cleaner by Atribune from here, and save it to your Desktop.
Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:
Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Java Cache
The rest are optional - if you want to remove the whole lot, check Select All.
Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.
Next, do the following in this order:
1. Uninstall Malwarebytes' Anti-Malware using Add or Remove programs in the Control Panel.
2. Restart your computer (very important).
3. Download and run this utility.
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here.
Note: You will need to reactivate the program using the license you were sent via e-mail if you purchased it.
See if it will run now, named as mbam.exe.
If no joy, please use the Internet Explorer browser and click here to use the F-Secure Online Scanner.
- Click Start Scanning.
- You should get a notification bar (on top) to install the ActiveX control.
- Click on it and select to install the ActiveX.
- Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
- In case you are having problems with installing the ActiveX/starting the scan, please read here.
- Click the Full System Scan button.
- It will start to download scanner components and databases. This can take a while.
- The main scan will start.
- Once the scan has finished scanning, click the Automatic cleaning (recommended) button
- It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
- The cleaning can take a while, so please be patient.
- Then click the Show report button and Copy/Paste what is present under results in your next reply.
Next, download my Security Check from here or here.
- Save it to your Desktop.
- Double click SecurityCheck.exe and follow the onscreen instructions inside of the black box.
- A Notepad document should open automatically called checkup.txt; please post the contents of that document.
-screen317
#5
Posted 10 November 2009 - 03:32 AM
Thank you, Chris, for the guidance... Followed the steps to a tee. Results as follows:
Phase I
Ran ATF-Cleaner and cleaned everything... Roughly 86 MB of files.
Uninstalled MBAM and ran the MBAM Cleaner...
Reinstalled MBAM and updated....
Same results... Runs fine until around 16,000, slows down and hangs around 17,000 +/-
Phase II
Ran on-line F-Secure via Firefox...
Found (1) malware... TrackingCookie.2o7 (spyware)... Partial file pasted below, whole file attached. Too large and doesn't look "right"...
Removed with F-Secure Scanner
Ran SecurityCheck... Results posted below....
Attempted a Quick Scan with MBAM again.... Same results
F-Secure Scan Partial:
Scanning Report
Monday, November 9, 2009 18:55:33 - 19:30:19
Computer name: NC8230-JIM-WIN7
Scanning type: Scan system for malware, spyware and rootkits
Target: C:\
1 malware found
TrackingCookie.2o7 (spyware)
* System (Disinfected)
Statistics
Scanned:
* Files: 111729
* System: 3538
* Not scanned: 1894
Actions:
* Disinfected: 1
* Renamed: 0
* Deleted: 0
* Not cleaned: 0
* Submitted: 0
SecurityCheck Results
Results of screen317's Security Check version 0.99.0
Windows 7 (UAC is enabled)
``````````````````````````````
Antivirus/Firewall Check:
Windows Firewall Enabled!
avast! Antivirus
WMIC entry does not exist for antivirus; attempting automatic update.
avast! updated!
``````````````````````````````
Anti-malware/Other Utilities Check:
SpywareBlaster 4.2
Spybot - Search & Destroy
CCleaner
Adobe Flash Player 10
``````````````````````````````
Process Check:
objlist.exe by Laurent
Alwil Software Avast4 aswUpdSv.exe
Alwil Software Avast4 ashServ.exe
Alwil Software Avast4 ashDisp.exe
Alwil Software Avast4 ashMaiSv.exe
Alwil Software Avast4 ashWebSv.exe
``````````````````````````````
DNS Vulnerability Check:
GREAT! (Not vulnerable to DNS cache poisoning)
`````````End of Log```````````
What do you think? A reinstall of Windows 7 after a complete hard drive format?
Jim
Tucson, AZ
#6
Posted 14 November 2009 - 03:28 AM
Hi,
My apologies for the delay.
Let's investigate further.
Please run a GMER Rootkit scan:
Download GMER's application from here:
http://www.gmer.net/gmer.zip
Unzip it and start the GMER.exe
Click the Rootkit tab and click the Scan button.
Once done, click the Copy button.
This will copy the results to your clipboard.
Paste the results in your next reply.
Warning! Please do not select the "Show all" checkbox during the scan.
-screen317
#7
Posted 14 November 2009 - 04:05 AM
Hi Chris -
Not a problem... Figured something came up.... Had read a few things in the last couple of days and saw something about installing Windows 7 on a system that had run XP.... It mentioned a full format vs. a quick format, and added to your concern mentioned earlier, I bit the bullet today and did just that.... Back up and running... Have loaded MBAM, updated and tried Quick Scan.
Lo and behold... It works!
#8
Posted 14 November 2009 - 08:52 AM
Glad to hear it. 
Anything else I can help you with?
#9
Posted 14 November 2009 - 02:10 PM
That's it for now Chris...
I greatly appreciate your help in helping resolve this perplexing issue... If anything, I learned a few things about Windows 7... I'm thinking the file I uploaded says it all. Left-behind remnants of XP from a quick format of the hard drive can still be recognized... MBAM must have been getting "lost" in the run-on "file paths" it found.... Thanks again for the help... Malwarebytes and its volunteer supporters are the best!
Jim
Tucson, AZ
#10
Posted 15 November 2009 - 11:35 PM
Glad we could help. 
Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.