WE'RE SURE THAT YOU'LL LOVE US!

Hey there! :wub: Looks like you're enjoying the discussion, but you're not signed up for an account. When you create an account, we remember exactly what you've read, so you always come right back where you left off. You also get notifications, here and via email, whenever new posts are made. You can like posts to share the love. Join 93125 other members! Anybody can ask, anybody can answer. Consistently helpful members may be invited to become staff. Here's how it works. Virus cleanup? Start here -> Malware Removal Forum.

Try What the Tech -- It's free!

Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

[Resolved] Malwarebytes not working Plus More

Started by topband , Mar 01 2009 08:59 PM

Page 4 of 11
2
3
4
5
6

This topic is locked

152 replies to this topic

#46 topband

Authentic Member

Authentic Member
83 posts

Posted 07 April 2009 - 12:35 PM

Hi OM After I got that WIKI file removed/reparied? with HJT ----COMputer B started working real well ...fast enufff...start up time normalized ...and did not seem to be any underlying stuff ...so ...I will perform the procedure you sent and also begin to dissect Computer A which will have to be transmitted (at this point) from Computer B and to process any work on Computer A I will have to download and burn and install the program to move it to A ...which is my main computer and has most of my Entertianment Biz stuff Thanks Om ...stand by and I'll transmit the data from current procedure within 24 hrs or so John Hancock

Advertisements

Register to Remove

#47 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 07 April 2009 - 02:39 PM

Hi Topband, I shall be waiting. A couple of things to be careful of when transfering files/programs between the computers. Do not let the CD autoplay/autorun. Make certain there aren't any hidden files on the CD At the top of windows explorer, click tools, folder options, click the view tab check Display the contents of system folders check Show hidden files and folders uncheck "Hide extensions for known file types" box uncheck "Hide protecting operating system files" box have a look for any files like autorun.inf or files you did not copy to the CD. We do not want whatever is on Computer A to jump to Computer B

Proud Graduate of the WTT Classroon
If you are happy with the help you recieved, please consider making a Donation
Curiosity didn't kill the cat. Ignorance did, curiosity was framed.
Learn how to protect Yourself

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#48 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 10 April 2009 - 09:37 AM

Hi Topband, How are you making out? Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#49 topband

Authentic Member

Authentic Member
83 posts

Posted 10 April 2009 - 10:20 AM

hi om doing fine ... haven't got it scanned yet ...i will pursue that course today and post back the latest ...seems to be running OK ..i'll send diagnostic symptoms as i use it today and scan it thank you jh

#50 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 10 April 2009 - 10:22 AM

Hi TopBand, Ok, :thumbup:

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#51 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 14 April 2009 - 02:08 AM

Hi Topband, You still with us? :unsure:

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#52 topband

Authentic Member

Authentic Member
83 posts

Posted 14 April 2009 - 11:37 AM

Yes Sir ... I am going to enact those procedures within the next 24 hrs ... been delayed ...but observing computer functions which I will post pls keep this ticket open cuz we will get to Comp A ---i have to switch up the screen and stuff ...thnx om jh

#53 topband

Authentic Member

Authentic Member
83 posts

Posted 20 April 2009 - 07:52 PM

Was not able to get the scan to open it looked like a java error in that only the empty screen showed up where the scanner should be

here is the latest HIJACK file cuz COMP B is getting funny .... so back to sq 1 to figure the comp b puzzle maybe

thnx om ...sorry for the delays....trying to do to many things

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:37 PM, on 4/20/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Piolet\Piolet.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\Program Files\Flock\flock.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181019296906
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c9b72abb9fd676) (gupdate1c9b72abb9fd676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 8813 bytes

#54 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 21 April 2009 - 03:03 AM

Hi Topband,

What symptoms are you having?

Use this version of ESET instead

http://forums.whatth...-online-scanner

Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#55 topband

Authentic Member

Authentic Member
83 posts

Posted 21 April 2009 - 12:51 PM

Hi OM

Symptoms are an unusually long time to get my 'FLOCK' browser starting and some programs like HJT starting ...eventually they start up and work reasonably well but it feels like a lag somewhere ....this COMP B is older technology than COMP A ...so that may be it ...it's a VAIO circa 2003? or 04? ...anyway thats the latest i'll update you soon on the speed/ functionality and other issues as I use it thru the next few sessions and then hopefully we can get COMPUTER A (which is my main tool) working again ...Thank You OM

JH

Did the Scan you most recently suggested with EXPLORER and got this :

C:\Documents and Settings\John Hancock\Desktop\john hancock\John Hancock12-24\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP248\A0082701.rbf probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined
C:\Documents and Settings\John Hancock\Desktop\john hancock\John Hancock12-24\System Volume Information\_restore{549DE6A1-CCD3-45E9-A3FB-BD70F79FB4CC}\RP248\A0082737.rbf probably a variant of Win32/Adware.Agent application cleaned by deleting - quarantined

THEN I did the HJT and got this:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:43 AM, on 4/21/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Flock\flock.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_219B3E1547538286.dll
O3 - Toolbar: &Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181019296906
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} (OnlineScanner Control) - http://download.eset...lineScanner.cab
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c9b72abb9fd676) (gupdate1c9b72abb9fd676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 8863 bytes

Advertisements

Register to Remove

#56 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 21 April 2009 - 06:44 PM

We need some file informantion
Hi Topband,

Make sure to use Internet Explorer for this
Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path, into the "Suspicious files to scan" box on the top of the page:

C:\WINDOWS\system32\NeroCheck.exe
Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#57 topband

Authentic Member

Authentic Member
83 posts

Posted 21 April 2009 - 07:17 PM

Hi OM ...here is the scan ....NERO is an installed CD Editing and burning software I have ...it looks not to be updated however ......

VirSCAN.org Scanned Report :
Scanned time : 2009/04/21 18:12:41 (PDT)
Scanner results: All Scanners reported not find malware!
File Name : NeroCheck.exe
File Size : 155648 byte
File Type : PE32 executable for MS Windows (GUI) Intel 80386 32-bit
MD5 : 3e4c03cefad8de135263236b61a49c90
SHA1 : 02ff27df6bdaec02b455dc611ef2d090fb8271d4
Online report : http://virscan.org/r...6b61a49c90.html

Scanner Engine Ver Sig Ver Sig Date Time Scan result
a-squared 4.0.0.32 20090422050124 2009-04-22 4.35 -
AhnLab V3 2009.04.22.00 2009.04.22 2009-04-22 0.76 -
AntiVir 7.9.0.148 7.1.3.86 2009-04-21 2.00 -
Antiy 2.0.18 20090421.2315191 2009-04-21 0.12 -
Arcavir 2009 200904211745 2009-04-21 0.07 -
Authentium 5.1.1 200904211722 2009-04-21 1.12 -
AVAST! 3.0.1 090421-0 2009-04-21 0.93 -
AVG 7.5.52.442 270.12.2/2072 2009-04-21 2.02 -
BitDefender 7.81008.2849584 7.24929 2009-04-22 2.62 -
CA (VET) 9.0.0.143 31.6.6468 2009-04-22 10.41 -
ClamAV 0.95 9267 2009-04-21 0.04 -
Comodo 3.8 1124 2009-04-21 0.57 -
CP Secure 1.1.0.715 2009.04.22 2009-04-22 8.49 -
Dr.Web 4.44.0.9170 2009.04.22 2009-04-22 4.48 -
F-Prot 4.4.4.56 20090421 2009-04-21 1.09 -
F-Secure 5.51.6100 2009.04.22.01 2009-04-22 0.08 -
Fortinet 2.81-3.117 10.307 2009-04-21 0.21 -
GData 19.4786/19.306 20090422 2009-04-22 4.20 -
ViRobot 20090421 2009.04.21 2009-04-21 0.81 -
Ikarus T3.1.01.49 2009.04.21.72613 2009-04-21 2.68 -
JiangMin 11.0.706 2009.04.20 2009-04-20 3.44 -
Kaspersky 5.5.10 2009.04.22 2009-04-22 0.08 -
KingSoft 2009.2.5.15 2009.4.21.21 2009-04-21 1.41 -
McAfee 5.3.00 5591 2009-04-21 2.81 -
Microsoft 1.4602 2009.04.22 2009-04-22 6.84 -
mks_vir 2.01 2009.04.21 2009-04-21 2.78 -
Norman 6.00.06 6.00.00 2009-04-21 10.01 -
Panda 9.05.01 2009.04.21 2009-04-21 2.21 -
Trend Micro 8.700-1004 5.980.01 2009-04-21 0.04 -
Quick Heal 10.00 2009.04.21 2009-04-21 4.68 -
Rising 20.0 21.26.14.00 2009-04-21 2.95 -
Sophos 2.85.0 4.40 2009-04-22 2.24 -
Sunbelt 5105 5105 2009-04-21 0.67 -
Symantec 1.3.0.24 20090421.006 2009-04-21 0.25 -
nProtect 20090420.03 3484263 2009-04-20 15.56 -
The Hacker 6.3.4.0 v00312 2009-04-21 0.56 -
VBA32 3.12.10.2 20090421.1001 2009-04-21 1.92 -
VirusBuster 4.5.11.10 10.105.2/1261525 2009-04-21 1.60 -

#58 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 22 April 2009 - 12:18 AM

Hi Topband,

I know Nero is installed but that file running from that location can be good or bad. In this case it's good. :thumbup:

The Kaspersky log would indicate that there was some infection on this machine at one time. We'll give it a shot with combofix and see if anything shows in the log.

Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link : How to Disable your Security Programs
Double click on ComboFix.exe & follow the prompts.
As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

Posted Image

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Posted Image

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1.Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log and a new HJT log.

Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

#59 topband

Authentic Member

Authentic Member
83 posts

Posted 28 April 2009 - 12:06 AM

Hi OM ...here I is at a later time ...got the COMBOFIX done log right below ...followed by the HJT log ... i'll update you on speed or other issues ...comp b has been running slow and freezy ...we'll try it this way for a short time and await your responses ...thnx

john hancock

ComboFix 09-04-27.03 - John Hancock 04/27/2009 22:51.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.446.164 [GMT -7:00]
Running from: c:\documents and settings\John Hancock\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090427-0] *On-access scanning disabled* (Updated)
FW: NVIDIA Firewall *disabled*
FW: Online Armor Firewall *disabled*
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\ss.sys

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-4-28 )))))))))))))))))))))))))))))))
.

2009-04-22 01:55 . 2009-04-22 01:55 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Apple
2009-04-17 07:04 . 2009-04-17 23:52 -------- d-----w c:\documents and settings\All Users\Application Data\Apple Computer
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Apple
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\program files\Apple Software Update
2009-04-17 07:03 . 2009-04-17 07:03 -------- d-----w c:\documents and settings\All Users\Application Data\Apple
2009-04-17 06:58 . 2009-04-17 23:54 -------- dc----w c:\windows\system32\DRVSTORE
2009-04-17 06:53 . 2009-04-17 07:21 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Apple Computer
2009-04-12 02:41 . 2009-04-12 02:41 62984 ----a-w c:\documents and settings\John Hancock\Application Data\GDIPFONTCACHEV1.DAT
2009-04-10 20:32 . 2009-04-10 20:32 -------- d-sh--w c:\windows\ftpcache
2009-04-07 15:46 . 2009-04-07 15:46 -------- d-----w c:\documents and settings\NetworkService\Local Settings\Application Data\Google
2009-04-07 02:52 . 2009-04-07 18:42 -------- d-----w c:\documents and settings\John Hancock\Application Data\DivX
2009-04-07 02:45 . 2009-04-07 02:45 -------- d-----w c:\documents and settings\LocalService\Local Settings\Application Data\Google
2009-04-07 02:42 . 2009-04-07 02:43 -------- d-----w c:\program files\Common Files\DivX Shared
2009-04-04 03:18 . 2009-04-04 03:18 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\WMTools Downloaded Files
2009-04-04 02:31 . 2009-04-04 02:31 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Identities
2009-04-03 19:53 . 2009-04-03 19:53 -------- d-----w c:\program files\Trend Micro
2009-04-03 19:37 . 2009-04-03 19:37 -------- d-----w c:\program files\Common Files\Hewlett-Packard
2009-04-03 19:35 . 2004-09-29 19:08 61440 ----a-w c:\windows\system32\HPZinw12.exe
2009-04-03 19:35 . 2004-09-29 19:14 69632 ----a-w c:\windows\system32\HPZipm12.exe
2009-04-03 19:35 . 2004-09-29 19:09 57344 ----a-w c:\windows\system32\HPZisn12.dll
2009-04-03 19:35 . 2004-09-29 19:09 94208 ----a-w c:\windows\system32\HPZipt12.dll
2009-04-03 19:35 . 2004-09-29 19:15 204800 ----a-w c:\windows\system32\HPZipr12.dll
2009-04-03 19:35 . 2004-09-29 19:12 278584 ----a-w c:\windows\system32\HPZidr12.dll
2009-04-03 19:34 . 2009-04-03 19:35 -------- d-----w c:\program files\HP
2009-04-03 19:31 . 2009-04-03 19:38 68300 ----a-w c:\windows\hpoins05.dat
2009-04-03 19:31 . 2005-07-29 01:28 19696 ------w c:\windows\hpomdl05.dat
2009-04-03 19:30 . 2005-07-29 01:28 51120 ----a-w c:\windows\system32\drivers\HPZid412.sys
2009-04-03 19:30 . 2005-07-29 01:28 21744 ----a-w c:\windows\system32\drivers\HPZius12.sys
2009-04-03 19:30 . 2005-07-29 01:28 16496 ----a-w c:\windows\system32\drivers\HPZipr12.sys
2009-04-03 19:29 . 2005-07-29 01:28 708608 ----a-w c:\windows\system32\hpotiop.dll
2009-04-03 19:29 . 2005-07-29 01:28 278528 ----a-w c:\windows\system32\hpgwiamd.dll
2009-04-03 19:29 . 2005-07-29 01:28 274432 ----a-w c:\windows\system32\HPZc3212.dll
2009-04-03 19:29 . 2005-07-29 01:28 229376 ----a-w c:\windows\system32\hpovst08.dll
2009-04-03 19:29 . 2005-07-29 01:28 393216 ----a-w c:\windows\system32\hpzcon12.dll
2009-04-03 19:29 . 2005-07-29 01:28 196608 ----a-w c:\windows\system32\hpzcoi12.dll
2009-04-03 19:29 . 2005-07-29 01:28 139345 ----a-w c:\windows\system32\hpzlnt12.dll
2009-04-03 19:29 . 2009-04-18 00:03 -------- d-----w C:\Temp
2009-04-03 19:29 . 2009-04-03 19:30 -------- d-----w c:\temp\HP_WebRelease
2009-04-03 17:27 . 2009-04-03 17:27 0 ----a-w c:\windows\nsreg.dat
2009-04-03 17:27 . 2009-04-03 17:27 -------- d-----w c:\documents and settings\John Hancock\Application Data\Flock
2009-04-03 17:27 . 2009-04-03 17:27 -------- d-----w c:\documents and settings\John Hancock\Local Settings\Application Data\Flock
2009-04-03 17:26 . 2009-04-27 15:42 -------- d-----w c:\program files\Flock
2009-04-03 02:49 . 2008-06-13 13:10 272128 -c----w c:\windows\system32\dllcache\bthport.sys
2009-04-03 02:49 . 2008-06-13 13:10 272128 ------w c:\windows\system32\drivers\bthport.sys
2009-04-03 02:48 . 2009-04-27 15:30 -------- d-----w c:\documents and settings\John Hancock\Application Data\OnlineArmor
2009-04-03 02:48 . 2009-04-03 02:48 -------- d-----w c:\documents and settings\All Users\Application Data\OnlineArmor
2009-04-03 02:47 . 2008-12-13 09:26 30920 ----a-w c:\windows\system32\drivers\OAmon.sys
2009-04-03 02:47 . 2008-12-13 09:26 28872 ----a-w c:\windows\system32\drivers\OAnet.sys
2009-04-03 02:47 . 2008-12-13 09:26 178376 ----a-w c:\windows\system32\drivers\OADriver.sys
2009-04-03 02:47 . 2009-04-03 02:47 -------- d-----w c:\program files\Tall Emu
2009-04-03 02:44 . 2009-02-20 18:09 63488 -c----w c:\windows\system32\dllcache\icardie.dll
2009-04-03 02:40 . 2009-04-03 02:40 1172 ----a-w c:\windows\mozver.dat
2009-04-03 02:27 . 2001-08-17 20:48 12160 -c--a-w c:\windows\system32\dllcache\mouhid.sys
2009-04-03 02:27 . 2001-08-17 20:48 12160 ----a-w c:\windows\system32\drivers\mouhid.sys
2009-04-03 02:27 . 2001-08-17 21:02 9600 -c--a-w c:\windows\system32\dllcache\hidusb.sys
2009-04-03 02:27 . 2001-08-17 21:02 9600 ----a-w c:\windows\system32\drivers\hidusb.sys
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\documents and settings\John Hancock\Application Data\Malwarebytes
2009-04-03 01:37 . 2009-03-26 23:49 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-03 01:37 . 2009-03-26 23:49 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-03 01:37 . 2009-04-03 01:37 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-03 01:34 . 2003-03-18 20:20 1060864 ----a-w c:\windows\system32\MFC71.dll
2009-04-03 01:34 . 2009-04-03 01:34 -------- d-----w c:\program files\Alwil Software
2009-04-03 01:30 . 2009-04-03 02:01 -------- d-----w c:\windows\system32\CatRoot_bak

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-04-28 03:39 . 2007-06-07 17:49 -------- d-----w c:\program files\Piolet
2009-04-17 23:54 . 2009-04-17 07:14 -------- d-----w c:\program files\iTunes
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\iPod
2009-04-17 23:53 . 2009-04-17 23:51 -------- d-----w c:\program files\Common Files\Apple
2009-04-17 23:53 . 2009-04-17 23:53 -------- d-----w c:\program files\Bonjour
2009-04-17 23:53 . 2009-04-17 23:52 -------- d-----w c:\program files\QuickTime
2009-04-07 18:45 . 2007-03-09 21:33 -------- d-----w c:\program files\Party Expert File
2009-04-07 02:49 . 2007-06-05 03:49 -------- d-----w c:\program files\Google
2009-04-07 02:48 . 2007-09-15 19:06 -------- d-----w c:\program files\DivX
2009-03-19 23:32 . 2009-04-17 23:54 23400 ----a-w c:\windows\system32\drivers\GEARAspiWDM.sys
2009-03-06 14:44 . 2004-08-04 12:00 283648 ----a-w c:\windows\system32\pdh.dll
2009-03-03 00:18 . 2004-08-04 12:00 826368 ----a-w c:\windows\system32\wininet.dll
2009-02-24 19:35 . 2009-04-07 02:46 9464 ------w c:\windows\system32\drivers\cdralw2k.sys
2009-02-24 19:35 . 2009-04-07 02:46 9336 ------w c:\windows\system32\drivers\cdr4_xp.sys
2009-02-24 19:35 . 2009-04-07 02:46 43528 ------w c:\windows\system32\drivers\PxHelp20.sys
2009-02-24 19:35 . 2009-04-07 02:46 129784 ------w c:\windows\system32\pxafs.dll
2009-02-24 19:35 . 2009-04-07 02:46 120056 ------w c:\windows\system32\pxcpyi64.exe
2009-02-24 19:35 . 2009-04-07 02:46 118520 ------w c:\windows\system32\pxinsi64.exe
2009-02-24 19:34 . 2009-02-24 19:34 90112 ----a-w c:\windows\system32\dpl100.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx0c.dll
2009-02-24 19:34 . 2009-02-24 19:34 823296 ----a-w c:\windows\system32\divx_xx07.dll
2009-02-24 19:34 . 2009-02-24 19:34 815104 ----a-w c:\windows\system32\divx_xx0a.dll
2009-02-24 19:34 . 2009-02-24 19:34 802816 ----a-w c:\windows\system32\divx_xx11.dll
2009-02-24 19:34 . 2009-02-24 19:34 684032 ----a-w c:\windows\system32\DivX.dll
2009-02-20 18:09 . 2004-08-04 12:00 78336 ----a-w c:\windows\system32\ieencode.dll
2009-02-09 10:20 . 2004-08-04 12:00 723456 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 10:20 . 2004-08-04 12:00 399360 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 10:20 . 2004-08-04 12:00 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 10:20 . 2004-08-04 12:00 616960 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 10:19 . 2004-08-04 12:00 1846272 ----a-w c:\windows\system32\win32k.sys
2009-02-06 17:24 . 2004-08-04 12:00 2180480 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 17:14 . 2004-08-04 12:00 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 16:54 . 2004-08-04 12:00 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 16:49 . 2004-08-03 22:59 2057728 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 20:08 . 2004-08-04 12:00 55808 ----a-w c:\windows\system32\secur32.dll
2009-02-24 19:34 . 2009-02-24 19:34 1044480 ----a-w c:\program files\mozilla firefox\plugins\libdivx.dll
2009-02-24 19:34 . 2009-02-24 19:34 200704 ----a-w c:\program files\mozilla firefox\plugins\ssldivx.dll
2009-04-03 17:13 . 2007-09-15 19:10 67688 ----a-w c:\program files\mozilla firefox\components\jar50.dll
2009-04-03 17:13 . 2007-09-15 19:10 54368 ----a-w c:\program files\mozilla firefox\components\jsd3250.dll
2009-04-03 17:13 . 2007-09-15 19:10 34944 ----a-w c:\program files\mozilla firefox\components\myspell.dll
2009-04-03 17:13 . 2007-09-15 19:10 46712 ----a-w c:\program files\mozilla firefox\components\spellchk.dll
2009-04-03 17:13 . 2007-09-15 19:10 172136 ----a-w c:\program files\mozilla firefox\components\xpinstal.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhotoShow Deluxe Media Manager"="c:\progra~1\Ahead\Ahead\data\Xtras\mssysmgr.exe" [2004-05-12 196608]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-07 68856]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="c:\windows\IME\imjp8_1\IMJPMIG.EXE" [2004-08-04 208952]
"PHIME2002ASync"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"PHIME2002A"="c:\windows\system32\IME\TINTLGNT\TINTSETP.EXE" [2004-08-04 455168]
"nTrayFw"="c:\program files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe" [2005-07-30 270336]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2005-10-10 7286784]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2005-10-10 86016]
"NeroFilterCheck"="c:\windows\system32\NeroCheck.exe" [2001-07-09 155648]
"F5D9050"="c:\program files\Belkin\F5D9050\Belkinwcui.exe" [2006-03-14 1585152]
"Piolet"="c:\program files\Piolet\Piolet.exe" [2007-04-13 5988352]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"@OnlineArmor GUI"="c:\program files\Tall Emu\Online Armor\oaui.exe" [2008-12-13 6223048]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2009-01-05 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-04-02 342312]
"SoundMan"="SOUNDMAN.EXE" - c:\windows\soundman.exe [2005-09-22 90112]
"nwiz"="nwiz.exe" - c:\windows\system32\nwiz.exe [2005-10-10 1519616]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="c:\progra~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 39264]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.exe.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Gamma Loader.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-3-9 98304]
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 29696]
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"EnableProfileQuota"= 1 (0x1)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{4F07DA45-8170-4859-9B5F-037EF2970034}"= "c:\progra~1\TALLEM~1\ONLINE~1\oaevent.dll" [2008-12-13 886984]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\NVIDIA Corporation\\NetworkAccessManager\\Apache Group\\Apache2\\bin\\Apache.exe"=
"c:\\Program Files\\Piolet\\Piolet.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

R2 gupdate1c9b72abb9fd676;Google Update Service (gupdate1c9b72abb9fd676);c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 133104]
R3 FXDRV;FXDRV; [x]
S1 aswSP;avast! Self Protection; [x]
S1 OADevice;OADriver;c:\windows\system32\drivers\OADriver.sys [2008-12-13 178376]
S1 OAmon;OAmon;c:\windows\system32\drivers\OAmon.sys [2008-12-13 30920]
S1 OAnet;OAnet;c:\windows\system32\drivers\OAnet.sys [2008-12-13 28872]
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 OAcat;Online Armor Helper Service;c:\program files\Tall Emu\Online Armor\oacat.exe [2008-12-13 1402568]
S2 SvcOnlineArmor;Online Armor;c:\program files\Tall Emu\Online Armor\oasrv.exe [2008-12-13 3321032]
S2 WinDefend;Windows Defender;c:\program files\Windows Defender\MsMpEng.exe [2006-11-04 13592]
S3 StreamSurge;StreamSurge Driver (miniport); [x]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ab469fbb-260d-11de-85ba-0015582346bb}]
\Shell\AutoRun\command - .\Encryption Tool\MaxtorEncryption.exe
.
Contents of the 'Scheduled Tasks' folder

2009-04-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 19:34]

2009-04-27 c:\windows\Tasks\GoogleUpdateTaskMachine.job
- c:\program files\Google\Update\GoogleUpdate.exe [2009-04-07 02:42]

2009-04-27 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Windows Defender\MpCmdRun.exe [2006-11-04 02:20]
.
.
------- Supplementary Scan -------
.
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
uInternet Settings,ProxyOverride = *.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office10\EXCEL.EXE/3000
Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - c:\program files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - hxxp://download.eset.com/special/eos-beta/OnlineScanner.cab
FF - ProfilePath - c:\documents and settings\John Hancock\Application Data\Mozilla\Firefox\Profiles\n4xju13y.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - component: c:\program files\Mozilla Firefox\components\xpinstal.dll
FF - component: c:\program files\Mozilla Firefox\extensions\talkback@mozilla.org\components\qfaservices.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-04-27 22:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2009-04-28 22:59
ComboFix-quarantined-files.txt 2009-04-28 05:59

Pre-Run: 2,082,111,488 bytes free
Post-Run: 4,126,105,600 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

228 --- E O F --- 2009-04-27 15:43

HERE IS THE HJT LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:18 PM, on 4/27/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16827)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Tall Emu\Online Armor\oasrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\Update\GoogleUpdate.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Tall Emu\Online Armor\oaui.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Tall Emu\Online Armor\oahlp.exe
C:\Program Files\Tall Emu\Online Armor\oacat.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Flock\flock.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: ::1 localhost
O1 - Hosts: 91.212.65.122 www.antiwareprotect.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [F5D9050] C:\Program Files\Belkin\F5D9050\Belkinwcui.exe
O4 - HKLM\..\Run: [Piolet] C:\Program Files\Piolet\Piolet.exe SILENT
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\Ahead\data\Xtras\mssysmgr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx...owserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181019296906
O16 - DPF: {7530BFB8-7293-4D34-9923-61A11451AFC5} - http://download.eset...lineScanner.cab
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Update Service (gupdate1c9b72abb9fd676) (gupdate1c9b72abb9fd676) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oacat.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe

--
End of file - 8950 bytes

#60 oldman960

Forum God

Retired Classroom Teacher
14,770 posts

Posted 28 April 2009 - 12:34 AM

Hi Topband.

You did pick up something in your Hosts file . You have a hardware firewall and a software firewall installed, which usually is Ok. How was this computer before you installed Online Armor?

We will fix up your Hosts file.

Download the HostsXpert 4.3 - Hosts File Manager.

Unzip HostsXpert 4.3 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.3 - Hosts File Manager
Run HostsXpert 4.3 - Hosts File Manager from the folder you extracted it to
Click on "File Handling".
Click on "Restore MS Hosts File".
Click OK on the Confirmation box.
Click on "Make Read Only?"
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.

Combofix may have flagged a clean file

Please follow all previous instructions regarding security programs.

Open a new Notepad session

Click the Start button, click run
in the run box type notepad
click ok
In the notepad, Click "Format" and be certain that Word Wrap is not checked.
Copy and paste all the text in the code box below into the Notepad. Do Not copy the word CODE

Do Not copy the word CODE

DEQUARANTINE::
C:\Qoobox\Quarantine\c\windows\system32\drivers\ss.sys

Quit::

Registry::

In the notepad

Click File, Save as..., and set the Save in to your Desktop
In the filename box, type (including quotation marks) as the filename: "CFScript.txt"
Click save

Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown below.

This will start ComboFix again.Close all browser/windows first.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Posted Image

We need some file informantion

Make sure to use Internet Explorer for this
Please go to VirSCAN.org FREE on-line scan service
Copy and paste the following file path, into the "Suspicious files to scan" box on the top of the page:

c:\windows\system32\drivers\ss.sys
Click on the Upload button
If a pop-up appears saying the file has been scanned already, please select the ReScan button.
Once the Scan is completed, click on the "Copy to Clipboard" button. This will copy the link of the report into the Clipboard.
Paste the contents of the Clipboard in your next reply.

Post back with the combofix log, the VirScan results and a new HJT log.

Any better?

Thanks

Microsoft MVP 2011-2015

Threads will be closed if no response after 5 days.

Body Background

skin color theme