My behavior shield is going nuts,

My behavior shield is going nuts, so I did the necessary steps and the MBAM/OTL are attached at the bottom.

Thanks in advance, for any help forthcoming.

This is what the behavior shield looks like for the past week:

http://i1193.photobucket.com/albums/aa356/ptknight454/9Total.jpg

This is what the behavior shield has looked like for the past month:

http://i1193.photobucket.com/albums/aa356/ptknight454/15Total.jpg

This is what Spybot S&D found and killed as a process:
Apparently rcimlby.exe is part of the MS OS for ‘Remote Assistance’ and may have been a false positive.
I have not tried another Remote Connection with my friend.
I have DL’d the program from MS and will reinstall it after this puter is cleaned.
Spybot S&D may have to go; too many problems with it.

http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-04_002058.jpg

Thank you
Pat K

Essexboy has been notified; he is usually in here 8:00pm - 11:59pm UK time.

If you want to make sure your system is clean, please follow the instructions in the malware removal section on the site in my signature.

Spybot killed rcimlby.exe as a process.
That is correct, it should not load when booting Windows.

I’m -700 hrs Mountain Standard Time, sooo I’m not too sure what time it will be for Essexboy.

UK time now 18.00 (6pm) local.

Nothing is apparent in that log - are you still getting the alerts?

If so I will use a stronger tool

No changes today, mind the fact that I’ve been using the laptop and not the desktop.
As it is, the desktop is so painfully slow that I don’t want to use it.
My laptop is just fine, and I have no problems with it, as I do not let my son use it EVER.
I’ve been trying to set up 3 accounts on the desktop, ADMIN(me), User(me), and GUEST(my son), as my son just clicks on and inadvertently DL’s everything, without knowing it.
My son recently clicked on PCPitStop, as well as UniBlue, causing OnLine Armor to stop the pc in its tracks.
I don’t know what else is in here.

And YES, please use a stronger tool and go deeper, :wink: :wink: :wink:

I’m slowly starting to learn some new things about PCs, and was wondering if these 2 entries in the OTL log are of any concern.
I only use Google with FF and seldom if ever use IE, and only have it because of MS.

http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-09_222042.jpg

http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-09_223312.jpg

OK, so I just ran a full scan and found a lot of stuff in QUARANTINE, and don’t know how to get rid of it, nothing shows up in the CHEST.
I think avast! may have a bug, part of the word DOCuments is missing.

http://i1193.photobucket.com/albums/aa356/ptknight454/2011-02-10_045817avast.jpg

What is your avast version? Did any alerts from BS appear?

thx

Hi Patricia - let's get the big boy up and running. It looks like my websearch is under another user; the initial OTL scan was just for the main user. If we need to run it again, select all users.

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT!!! Save ComboFix.exe to your Desktop

  1. Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.

  2. Double click on ComboFix.exe & follow the prompts.

  3. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it’s strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  4. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

essexboy, thank you for your patience with me, I will do the COMBOFIX scan 1st thing Sat morning.
FYI, I was in the process of setting up 3 accounts on the desktop, ADMIN (me), USER (me) and a GUEST account for my kid and his friends. Hopefully this stops some of the clicking on and inadvertently DLing stuff to the PC.

(((UPDATE)))…
So I’m on the desktop and am at the ComboFix site, click on the DL button, and the PC freezes up, actually stops dead in its tracks. Ctrl+Alt+Del took 30 min to bring up the desktop page, and another 30 min for some of the shortcuts to appear.
Some malware has this ability, from what I read in this forum.
SO, (not wanting to infect a 4GB USB stick) when the desktop shows up (it’s been close to 2 hrs now), should I try to do the DL in SAFE MODE with NETWORKING, or do the USB thing…
Please Advise
PK

Use safe mode with networking, and also try this different site for the download: http://www.majorgeeks.com/Combofix_d6402.html

Got ComboFix to the desktop using the majorgeeks site after shutting down and restarting 2x.
Was reading here: http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums.
Should I…
#1) Run ComboFix in Safe Mode?
#2) DL a copy of the Windows XP Recovery Console on the desktop in case it should fail to install?

Yes and yes - although if you can access safe mode with networking, ComboFix should be able to do it.

OK, finally got back into safe mode with networking through the command prompt.

  1. Disabled Spybot
  2. Online Armor was not available in safe mode
  3. All of avast's shields were disabled.
  4. Started ComboFix
  5. ComboFix gives me a WARNING!!! that avast real time scanners are still active.
  6. I try to “Disable Permanently”. My password for avast is not accepted (same pw as the admin account).
  7. I close the ComboFix box to disable avast from outside of safe mode and I get a 2nd WARNING!!! from ComboFix: “The above realtime scanner(s) are still active but Combofix shall continue to run. Kindly note that this is at your own risk.”

What do I do…
A) Continue to run ComboFix
B) Leave ComboFix as it is and close safe mode and disable avast from admin mode.
C) ???

Run ComboFix even with the warning - but do not allow avast to quarantine or delete anything whilst ComboFix is running. This is because some of ComboFix's behaviour would appear the same as malware.

ComboFix ran fine with no problems from avast!
ComboFix.txt is attached at the bottom.

PK

Again, not a lot showing there - is the behaviour shield still going nuts? Are they related to OA, I wonder?

I have excluded OA/Spybot/Mbam/avast! from each other. avast! has 3 places I exclude from: the ‘On Demand Scans’, the ‘File system shield settings/Exclusions’ and ‘Behaviour Shield/Trusted Processes’.

Crap, just got a BSOD on the desktop,
“IRQL_NOT_LESS_OR_EQUAL”, Hmmmmm

OK, so no biggie on the BSOD.
Remove OTL and ComboFix? Try something else? GMER, TDSSKiller?

Nothing new on the Behaviour Shield.

If you are happy to play I have lots of toys ;D

Could you upload the zip file to Mediafire and post the sharing link?

Download AVPTool from Here to your desktop

Run the programme you have just downloaded to your desktop (it will be randomly named).

First we will run a virus scan.

On the first tab select all elements down to Computer and then select start scan.
Once it has finished, select report and post that.

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpfront.jpg

Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan.

Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\<your name>\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

http://i1224.photobucket.com/albums/ee362/Essexboy3/avpmanual.jpg