Author Topic: My behavior shield is going nuts,  (Read 16971 times)

Patricia.K

  • Guest
My behavior shield is going nuts,
« on: February 09, 2011, 02:12:58 AM »
My behavior shield is going nuts, so I did the necessary steps and the MBAM/OTL are attached at the bottom.

Thanks in advance, for any help forthcoming.

This is what the behavior shield looks like for the past week:


This is what the behavior shield has looked like for the past month:


This is what Spybot S&D found and killed as a process:
Apparently (rcimlby.exe), is part of MS OS for the 'Remote Assistance' and may have been a false positive.
I have not tried another Remote Connection with my friend.
I have DL'd the program for MS and will reinstall it after this puter is cleaned.
Spybot S&D may have to go, too many problems with it.


Thank you
Pat K

Offline Pondus

  • Probably Bot
  • ****
  • Posts: 37534
  • Not a avast user
Re: My behavior shield is going nuts,
« Reply #1 on: February 09, 2011, 07:58:28 AM »
Essexboy is notified, he is usually in here 8:00pm - 11:59pm uk time

Offline Eddy

  • Avast Evangelist
  • Maybe Bot
  • ***
  • Posts: 31079
  • Watching (over?) you
    • Malware removal, Biljart and other things.
Re: My behavior shield is going nuts,
« Reply #2 on: February 09, 2011, 09:03:21 AM »
If you want to make sure your system is clean, please follow the instructions in the malware removal section on the site in my signature.

Spybot killed rcimlby.exe as a process.
That is correct, it should not load when booting Windows.

Patricia.K

  • Guest
Re: My behavior shield is going nuts,
« Reply #3 on: February 09, 2011, 06:47:44 PM »
> Essexboy is notified, he is usually in here 8:00pm - 11:59pm uk time

I'm -700Hrs Mountain Standard Time,,,,Sooo I'm not too sure what time it will be for Essexboy.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89062
  • No support PMs thanks
Re: My behavior shield is going nuts,
« Reply #4 on: February 09, 2011, 07:01:13 PM »
UK time now 18.00 (6pm) local.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My behavior shield is going nuts,
« Reply #5 on: February 09, 2011, 09:09:00 PM »
Nothing is apparent in that log - are you still getting the alerts ?

If so I will use a stronger tool

Patricia.K

  • Guest
Re: My behavior shield is going nuts,
« Reply #6 on: February 10, 2011, 12:51:16 AM »
> Nothing is apparent in that log - are you still getting the alerts ?
>
> If so I will use a stronger tool

No changes today,,,mind the fact that I've been using the laptop and not the desktop.
As it is, the desktop is so painfully slow that I don't want to use it.
My laptop is just fine, and have no problems with it, as I do not let my son use it EVER.
I've been trying to set up 3 accounts on the desktop, ADMIN(me), User(me), and GUEST(my son), as my son just clicks on and inadvertently DL's everything, without knowing it.
My son recently clicked on PCPitStop, as well as UniBlue, causing OnLine Armor to stop the pc in its tracks.
I don't know what else is in here.

And YES, please use a stronger tool and go deeper,,,, ;) ;) ;)

I'm starting to learn some new things about pc's slowly, and was wondering if these 2 entries in the OTL log are of any concern.
I only use Google with FF and seldom if ever use IE, and only have it because of MS.

« Last Edit: February 10, 2011, 06:54:48 AM by Patricia.K »

Patricia.K

  • Guest
Re: My behavior shield is going nuts,
« Reply #7 on: February 10, 2011, 01:20:16 PM »
OK, so I just ran a full scan and found a lot of stuff in QUARANTINE, and don't know how to get rid of it, nothing shows up in the CHEST.
I think avast! may have a bug, part of the word DOCuments is missing.

Offline lukas.hasik

  • Avast team
  • Advanced Poster
  • *
  • Posts: 931
  • Product manager of Avast Security for Windows
Re: My behavior shield is going nuts,
« Reply #8 on: February 10, 2011, 02:50:49 PM »
What is your avast version? Did any alerts from BS appear?

thx
Quality is also a feature.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My behavior shield is going nuts,
« Reply #9 on: February 10, 2011, 08:50:40 PM »
Hi Patricia - let's get the big boy up and running.  It looks like my websearch is under another user, the initial OTL scan was just for the main user.  If we need to run it again select all users

Download ComboFix from one of these locations:


Link 1
Link 2


* IMPORTANT !!! Save ComboFix.exe to your Desktop


  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal.  It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.




Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:




Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.  Please include the C:\ComboFix.txt in your next reply.

Patricia.K

  • Guest
Re: My behavior shield is going nuts,
« Reply #10 on: February 11, 2011, 11:14:57 AM »
essexboy,,,thank you for your patience with me, I will do the COMBOFIX scan 1st thing Sat morning.
FYI,,,I was in the process of setting up 3 accounts on the desktop, ADMIN(me), USER(me) and a GUEST account for my kid and his friends. Hopefully this stops some of the clicking on and inadvertently DLing stuff to the PC.

(((UPDATE)))..............
So I'm on the desktop and am at the ComboFix site, click on the DL button, and the pc freezes up, actually stops dead in its tracks. Ctrl+Alt+Del took 30 min to bring up the desktop page, and another 30 min for some of the shortcuts to appear.
Some malware has this ability, from what I read in this forum.
SO,,,(not wanting to infect a 4GB USB stick) when (it's been close to 2Hrs now) the desktop shows up, I should try to do the DL in SAFE MODE with NETWORKING,,,or do the USB thing.......
Please Advise
PK
« Last Edit: February 11, 2011, 03:22:05 PM by Patricia.K »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My behavior shield is going nuts,
« Reply #11 on: February 11, 2011, 07:10:05 PM »
Use safe mode with networking and also try this different site for the download http://www.majorgeeks.com/Combofix_d6402.html

Patricia.K

  • Guest
Re: My behavior shield is going nuts,
« Reply #12 on: February 11, 2011, 10:06:00 PM »
> Use safe mode with networking and also try this different site for the download http://www.majorgeeks.com/Combofix_d6402.html

Got ComboFix to the desktop using the majorgeeks site after shutting down and restarting 2x.
Was reading HERE:http://www.bleepingcomputer.com/combofix/how-to-use-combofix#forums.
Should I......
#1) Run Combo Fix in Safe Mode?
#2) DL a copy of the Windows XP Recovery Console on the desktop if it should fail to install?

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: My behavior shield is going nuts,
« Reply #13 on: February 11, 2011, 11:24:01 PM »
Yes and yes - although if you can access safe mode with networking combofix should be able to do it

Patricia.K

  • Guest
Re: My behavior shield is going nuts,
« Reply #14 on: February 12, 2011, 12:26:22 PM »
> Yes and yes - although if you can access safe mode with networking combofix should be able to do it

OK, finally got back into safe mode with networking thru the command prompt.
1) Disabled Spybot
2) Online Armor was not available in safe mode
3) All of avast's shields were disabled.
4) Started ComboFix
5) Combofix gives me a WARNING!!! that avast real time scanners are still active.
6) I try to "Disable Permanently". My password for avast is not accepted(same pw as the admin account).
7) I close the combofix box to disable avast from outside of safe mode and I get 2nd WARNING!!! from combofix "The above realtime scanner(s) are still active but Combofix shall continue to run. Kindly note that this is at your own risk."

What do I do.....
A) Continue to run ComboFix
B) Leave ComboFix as it is and close safe mode and disable avast from admin mode.
C) ?????
« Last Edit: February 12, 2011, 12:38:15 PM by Patricia.K »