GT500

Emsisoft Employee
  • Content Count

    11163
  • Joined

  • Days Won

    322

Everything posted by GT500

  1. I'm going over the possible causes of this issue with the developer of OTL. For now, I'll just attach the script to this message, and you can try again. Download the following file, and save it on your desktop: Now open OTL, then open the OTL_Script file, and then copy and paste the contents into OTL's Custom Scans/Fixes box. After that, click the Run Fix button to start the fix, and attach the logs just like last time.
  2. Speaking of Steven, apparently he's going to do a presentation about these scam artists at VB2012. It should be worth listening to, since he's been collecting information on them since some time in 2008.
  3. Reminds me of some of the scams that Steven Burn used to have fun researching and reporting to the authorities.
  4. Could you add C:\Windows\System32\rundll32.exe and C:\Windows\SysWOW64\rundll32.exe to the Firewall list as Allowed and to the Programs list as Trusted in Online Armor, and let me know if that helps with some of the issues. You may also want to consider uninstalling the Windows Update that caused the problems (it was not a required security update), and see if that resolves the issue.
  5. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  6. OK, based on that log I would believe it is safe to run ComboFix. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  7. From what I can see in your logs, when you copied and pasted the script into OTL it all ran together on a single line (which means that OTL was not able to read the script). May I ask what web browser you were using when you followed my instructions for the OTL script? I tested this in Internet Explorer 8 and Opera 11.62, and the script copied properly, so I'm curious as to why it didn't copy properly when you tried it.
  8. I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box: :OTL IE - HKCU\..\URLSearchHook: - No CLSID value found IE - HKCU\..\URLSearchHook: {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) IE - HKCU\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) IE - HKCU\..\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}: "URL" = http://search.babylon.com/?q={searchTerms}&AF=108714&babsrc=SP_ss&mntrId=3ad6c62d000000000000701a04a7fc5a IE - HKCU\..\SearchScopes\{35F13640-21F5-4C96-AC97-0C05689AA9C2}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=ARCD&o=102810&src=kw&q={searchTerms}&locale=en_US&apn_ptnrs=8W&apn_dtid=YYYYYYSVUS&apn_uid=05512adf-0d62-4ca3-8be5-af722c7acdc9&apn_sauid=119F5D15-4550-417B-9CC4-14BFB6A0AA59 IE - HKCU\..\SearchScopes,DefaultScope = {0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9} IE - HKCU\..\SearchScopes\{90E2EC71-0346-4D81-9690-11A368762396}: "URL" = http://ws.infospace.com/playsushi_tbar/ws/redir?_iceUrl=true& user_id=%userid&tool_id=60231&qkw={searchTerms} O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) O2 - BHO: (Babylon toolbar helper) - {2EECD738-5844-4a99-B4B6-146BF802613B} - C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.5.3.17\bh\BabylonToolbar.dll File not found O2 - BHO: (no name) - {5C255C8A-E604-49b4-9D64-90988571CECB} - No CLSID value found. O2 - BHO: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) O2 - BHO: (SingleInstance Class) - {FDAD4DA1-61A2-4FD8-9C17-86F7AC245081} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\YTSingleInstance.dll (Yahoo! Inc) O3:[b]64bit:[/b] - HKLM\..\Toolbar: (no name) - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - !{98889811-442D-49dd-99D7-DC866BE87DBC} - No CLSID value found. O3 - HKLM\..\Toolbar: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files (x86)\Yahoo!\Companion\Installs\cpn\yt.dll (Yahoo! Inc.) O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found. O3 - HKLM\..\Toolbar: (no name) - Locked - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (Ask Toolbar) - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files (x86)\Ask.com\GenericAskToolbar.dll (Ask) :Commands [EMPTYTEMP] Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
  9. I've been testing this for more than 3 hours now, and I do not see any logs showing Emsisoft Anti-Malware trying to update after 10:00PM. Please let me know if I got the settings exactly the same as yours.
  10. Could you reinstall Online Armor and then enable Beta Updates? There's a possibility that that might fix it.
  11. I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please copy the contents of the following CODE box, and in OTL under the Custom Scans/Fixes box at the bottom, paste in what you just copied from the following CODE box: :OTL DRV - (SASKUTIL) -- C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\SAS_SelfExtract\SASKUTIL.SYS File not found DRV - (SASDIFSV) -- C:\DOKUME~1\ADMINI~1\LOKALE~1\Temp\SAS_SelfExtract\SASDIFSV.SYS File not found DRV - (kqa2h_9.sys) -- C:\WINDOWS\system32\drivers\kqa2h_9.sys File not found IE - HKCU\..\SearchScopes\{c99fdc39-a1ae-4b24-8d71-e5274f8d7c54}: "URL" = http://search.hotspotshield.com/g/results.php?c=s&q={searchTerms} IE - HKCU\..\SearchScopes\{E2BF90E1-4046-446E-BF6B-6830EA7CE4BC}: "URL" = http://websearch.ask.com/redirect?client=ie&tb=AVR-W1&o=100000080&src=crm&q={searchTerms}&locale=de_DE&apn_ptnrs=JM&apn_dtid=YYYYYYYYDE&apn_uid=5531b998-94ca-4145-9340-aedf1c9c1afc&apn_sauid=54FBF6EA-E52C-403F-9D8B-A21E4DA2F227 FF - prefs.js..browser.search.defaultengine: "Ask.com" FF - prefs.js..browser.search.defaultenginename: "Ask.com" FF - prefs.js..browser.search.order.1: "Ask.com" FF - prefs.js..keyword.URL: "http://websearch.ask.com/redirect?client=ff&src=kw&tb=AVR-W1&o=100000080&locale=de_DE&apn_uid=5531b998-94ca-4145-9340-aedf1c9c1afc&apn_ptnrs=JM&apn_sauid=54FBF6EA-E52C-403F-9D8B-A21E4DA2F227&apn_dtid=YYYYYYYYDE&&q=" [2012.03.14 16:21:16 | 000,000,000 | ---D | M] ("Avira SearchFree Toolbar plus Web Protection") -- C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Mozilla\Firefox\Profiles\74ci6ob0.default\extensions\[email protected] O3 - HKCU\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {7AC3E13B-3BCA-4158-B330-F66DBB03C1B5} - No CLSID value found. O3 - HKCU\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found. O4 - HKLM..\Run: [] File not found O4 - HKCU..\Run: [{FD166C99-1D99-4B1C-E8AD-CE221495990D}] "C:\Dokumente und Einstellungen\Administrator\Anwendungsdaten\Ciryamx\abybwav.exe" File not found O24 - Desktop Components:0 (Die derzeitige Homepage) - About:Home @Alternate Data Stream - 130 bytes -> C:\Dokumente und Einstellungen\All Users\Anwendungsdaten\TEMP:0FF263E8 :Commands [EMPTYTEMP] Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
  12. I'm not seeing anything in your ComboFix log that would explain the error messages. Lets get a fresh OTL log and see if it can tell us what happened. Please run OTL by following the instructions below: Click this link to save OTL onto your desktop (please make sure to click 'Save' instead of 'Run'). Double click on the OTL icon on your desktop to run it. Make sure all other windows are closed and to let it run uninterrupted. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan will take a few minutes. When the scan completes, it will open two Notepad windows. OTL.Txt and Extras.Txt. The first one (OTL.txt) will be automatically saved on your desktop next to OTL, and the second one will need to be saved manually. Please make sure that both OTL.txt and Extras.txt are saved on your desktop, and then attach both of them to a reply so that we can take a look at them.
  13. Please follow the instructions at this link to start your computer in Safe Mode With Networking, and let me know if that helps. I'll take a look at your ComboFix log.
  14. I've asked for some input from our developers on this. I'll let you know what they tell me.
  15. There is a know issue where, after "Update for Windows 7 (KB2640148)" is installed, Online Armor has some trouble verifying certificates for Windows files, although your issue sounds like it may be a little different from the one that was reported by our testers. If it is the same issue, then the best workaround for now is to switch Online Armor into Learning Mode when installing Windows Updates.
  16. I assume that these are the exact update settings you are using (click on the picture if it is too small to read)? I will do some testing to see if I can reproduce this.
  17. Please post a RogueKiller log by following the instructions below: Download RogueKiller from this link, and save it on your desktop. Run RogueKiller (please note that if it doesn't work the first time, you can try it again several times and it may start to work): On Windows XP make sure you are logged in as an administrator and double-click on the RogueKiller icon. On Windows 7 and Vista simply right-click on the RogueKiller icon, and select to Run as administrator. [*] Click the Scan button in the upper-right corner (don't worry about the rest of the options for now). [*] In the middle, on the left, it will tell you the status. When it says Scan Finished, then please close RogueKiller. It will warn you that nothing has been deleted and ask you if you want to quit, so be sure to click the Yes button. [*] There will be a new file and folder saved on your desktop. The folder (usually named RK_Quarantine) can be deleted. The file (usually named RKreport or RKreport[1]) contains the log. [*] Please attach the RKreport file to a reply by using the More Reply options button to the lower-right of where you type in your reply.
  18. OK, lets go ahead and move on to ComboFix. I just wanted the RogueKiller log to make sure that there wasn't a ZeroAccess infection, and that TDSSKiller has verified that ZeroAccess is not present. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop Link 1 Link 2 * IMPORTANT !!! Save Combo-Fix to your Desktop Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools See HERE for help Double click on ComboFix.exe & follow the prompts. As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not mouseclick combofix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt) Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  19. That would depend on what is wrong with the flash drive. If it is just a partition/filesystem issue, then that should be fixable. Also, many retailers can look up your receipt if you paid with a credit or debit card. If you paid with cash then it wouldn't be possible (unless you purchased from Fry's Electronics and one of the sales guys printed out a 'quote' for you).
  20. I assume this was happening on Windows 7? Do you know if you installed the optional update "Update for Windows 7 (KB2640148)"?
  21. OK, according to our developers Emsisoft Anti-Malware 6.5 will scan files as fast as it can pull data off of your hard drives, so if you have fast hard drives then the scan speeds will eat up more CPU time. In the next major version, we intend to add a mechanism where you can control CPU usage (I would believe it involves limiting the number of threads that EAM will create or CPU cores that EAM will attempt to use, so you can prevent it from completely using your entire processor).
  22. From what I'm seeing, this laptop probably isn't more than one or two years old, so the fan shouldn't have died even with 100% CPU usage. Let me ask the developers if there's a way to reduce CPU usage while scanning.
  23. Please post a RogueKiller log by following the instructions below: Download RogueKiller from this link, and save it on your desktop. Run RogueKiller (please note that if it doesn't work the first time, you can try it again several times and it may start to work): On Windows XP make sure you are logged in as an administrator and double-click on the RogueKiller icon. On Windows 7 and Vista simply right-click on the RogueKiller icon, and select to Run as administrator. [*] Click the Scan button in the upper-right corner (don't worry about the rest of the options for now). [*] In the middle, on the left, it will tell you the status. When it says Scan Finished, then please close RogueKiller. It will warn you that nothing has been deleted and ask you if you want to quit, so be sure to click the Yes button. [*] There will be a new file and folder saved on your desktop. The folder (usually named RK_Quarantine) can be deleted. The file (usually named RKreport or RKreport[1]) contains the log. [*] Please attach the RKreport file to a reply by using the More Reply options button to the lower-right of where you type in your reply.
  24. Please uninstall Online Armor, restart your computer, then click on the Start button, type network connections into the search field at the bottom of the Start Menu, click on View network connections in the search results (should be at the top of the list), and right-click on your network interface and select Properties. There should be a list in the middle of the window of components that your network connection is using. Look through that list for anything related to Online Armor, and if you find one then click on it to select it and then click on the Uninstall button. If you have more than network interface, then you should repeat that for each one. After that, check and see if you can delete those phantom devices in the Device Manager.