GT500
Emsisoft Employee
  • Content Count: 10989
  • Days Won: 315

Everything posted by GT500

  1. We are capable of merging and extending licenses. Just make sure that if you currently have a 3-PC license that you purchase a new 3-PC license during the promo, otherwise we may only extend your current 3-PC license by a third of a year.
  2. Well, let's try deleting it, and see if anything complains. Here's another ComboFix script with instructions:
     • Download an updated version of ComboFix from one of the following links: BleepingComputer, InfoSpyware
     • Turn off your Anti-Virus software.
     • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7453-pc-infected-by-trojans/
         KillAll::
         FileLook::
         C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll
         File::
         C:\Program Files\Common Files\Microsoft Shared\ink\lpsPlugin.dll
     • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     • Close Notepad and verify that the CFScript file is saved on your desktop.
     • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon.
     When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  3. My apologies for the slow response. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop: Link 1, Link 2
     * IMPORTANT !!! Save Combo-Fix to your Desktop
     • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
     • Double click on ComboFix.exe & follow the prompts.
     • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
       **Please note: (This applies to Windows XP systems only.) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
     • When finished, ComboFix will produce a log.
     Note:
     1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
     2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     Attach logs for (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS):
     • ComboFix (C:\combofix.txt)
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  4. You could try something such as System Repair Engineer (you can get it from the download page at this link) to perform a check on your system and repair common problems. I doubt it can fix everything, however it may help make your life a bit easier. When you run System Repair Engineer, go to System Repair on the left, and then go to the Advanced Repair tab. Make sure that it is set to Recommended Fix Level and click the Auto Repair button.
  5. You're quite welcome. Here are some final instructions for you:
     1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster).
     2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash.
     3. Make Sure Adobe Acrobat Reader is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it). Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader. (Please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader, which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader.)
     4. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs. Click on Windows Update. Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. If your computer wants to restart after the updates are done, make sure that you allow it to do so.
     5. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc., as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.
     6. Empty The System Restore: Click on the Start button. Right-click on Computer and select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings.
  6. Please start with the instructions at this link, and attach your logs to a reply by using the More Reply Options button to the lower-right of where you type in your reply to this topic.
  7. Yes, that is a Realtek file. I do not believe it is necessary in order for your audio to work, and just gives you extra configuration options. You can read more at SystemLookup.
  8. It is possible that something was preventing it from being deleted. Assuming that the file was created by the Java interpreter, it could have still had a lock on the file. I can't say for certain, however, as I am not a researcher and do not have the technical details of the infection.
  9. Are you able to start Windows normally?
  10. OK, from your logs it looks like your system is clean now. Here are some final instructions for you:
     1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster).
     2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash.
     3. Make Sure Adobe Acrobat Reader is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it). Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader. (Please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader, which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader.)
     4. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs. Click on Windows Update. Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. If your computer wants to restart after the updates are done, make sure that you allow it to do so.
     5. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc., as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.
     6. Empty The System Restore: Click on the Start button. Right-click on Computer and select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings.
  11. Quoting from the Java.com FAQ for Java 7: "The new release of Java is first made available to the developers to ensure no major problems are found before we make it available on the java.com website for end users to download the latest version. If you are interested in trying Java SE 7 it can be downloaded from Oracle.com" Feel free to use Java 7 if you want, however please make sure to keep it updated as a lot of exploits love to use Java these days (although from what I am hearing from researchers it sounds like the latest versions of the Blackhole exploit try to hit you with Java, Flash, and Adobe Acrobat vulnerabilities all at the same time in the hopes of finding something exploitable). That reminds me that I need to add Adobe Acrobat to my update instructions. If you haven't already done so, you may wish to uninstall any old versions of Adobe Acrobat Reader that you have installed, and download and install the latest version from Adobe at this link. You may also wish to use a third-party PDF viewer such as PDF-XChange Viewer (free and premium versions) and Foxit Reader (free).
  12. OK, here are some final instructions for you:
     1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel. Click Add or Remove Programs. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster).
     2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash.
     3. Make Sure Adobe Acrobat Reader is Updated: Click on the Start button. Click on Control Panel. Click Add or Remove Programs. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it). Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader. (Please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader, which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader.)
     4. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs. Click on Windows Update. If you have never run Windows Update, then it will probably need to install an ActiveX control and update the Windows Update software before it can continue, so make sure you keep an eye out for that pale-yellow bar that pops up at the top of the page when Windows Update needs to install a new component, and click on the yellow bar and select to allow it. Once it is loaded, click on the Express button. It will check for available updates, and once it is done you can click the Install Updates button. It may ask you to accept a license agreement before it installs, so make sure you say Yes. When it is done installing updates, it may ask you to restart your computer, so close anything you are working on and allow it to restart. Note that the update process can take a while, and you may need to run it several times before all of the updates get installed.
     5. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc., as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database.
     6. Empty The System Restore: Click on the Start button. Right-click on My Computer and select Properties from the list. In the window that pops up, click on the System Restore tab. Click the check box to Turn off System Restore. Click the Apply button at the bottom-right, and answer Yes to the question. Depending on how much data is saved in the System Restore, it could take more than a few minutes to empty it. Click the check box to Turn off System Restore again and click OK to turn the System Restore back on. Click on the Start button again. Go to All Programs. Go to Accessories. Go to System Tools. Click on System Restore. Select Create a restore point on the right, and click Next at the bottom. Enter a description for the restore point, and click Create. Click Close to finish the process.
  13. You're quite welcome. Please let us know if you continue to have trouble.
  14. OK, that log looks better. I take it that you are no longer having trouble with SafeSurf and that everything looks OK on your end?
  15. OK, that log is looking much better. Let me know if your computer is still showing any signs of an infection, and if you are still seeing that weird installer thing on startup then get me a fresh OTL log.
  16. OK, I have written a script that will tell ComboFix how to delete some stuff I saw in your log. Here are instructions on what to do with the script:
     • Download an updated version of ComboFix from one of the following links: BleepingComputer, InfoSpyware
     • Turn off your Anti-Virus software.
     • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7588-is-this-malware-safesurf-surfguard/
         KillAll::
         FCopy::
         c:\windows\$hf_mig$\KB2509553\SP3QFE\tcpip.sys | c:\windows\system32\drivers\tcpip.sys
         File::
         c:\windows\$NtUninstallKB951748_0$\tcpip.sys
         c:\windows\ERDNT\cache\tcpip.sys
         c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
     • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     • Close Notepad and verify that the CFScript file is saved on your desktop.
     • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon.
     When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  17. Have you made any modifications to your Windows System Files? There are certain files that people like to patch with third-party fixes for certain issues, and I just want to make sure that you haven't done something like that before I write a fix script.
  18. I'm sorry, that's my fault. I exported the NetSvcs from Windows XP, and you're using Windows 7. Here's the proper script and instructions for Windows 7:
     • Download an updated version of ComboFix from one of the following links: BleepingComputer, InfoSpyware
     • Turn off your Anti-Virus software.
     • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/
         KillAll::
         Registry::
         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
         "netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,43,65,72,74,50,72,6f,70,\
         53,76,63,00,53,43,50,6f,6c,69,63,79,53,76,63,00,6c,61,6e,6d,61,6e,73,65,72,\
         76,65,72,00,67,70,73,76,63,00,49,4b,45,45,58,54,00,41,75,64,69,6f,53,72,76,\
         00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
         62,69,6c,69,74,79,00,49,61,73,00,49,72,6d,6f,6e,00,4e,6c,61,00,4e,74,6d,73,\
         73,76,63,00,4e,57,43,57,6f,72,6b,73,74,61,74,69,6f,6e,00,4e,77,73,61,70,61,\
         67,65,6e,74,00,52,61,73,61,75,74,6f,00,52,61,73,6d,61,6e,00,52,65,6d,6f,74,\
         65,61,63,63,65,73,73,00,53,45,4e,53,00,53,68,61,72,65,64,61,63,63,65,73,73,\
         00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,57,6d,69,00,57,6d,\
         64,6d,50,6d,53,70,00,54,65,72,6d,53,65,72,76,69,63,65,00,77,75,61,75,73,65,\
         72,76,00,42,49,54,53,00,53,68,65,6c,6c,48,57,44,65,74,65,63,74,69,6f,6e,00,\
         4c,6f,67,6f,6e,48,6f,75,72,73,00,50,43,41,75,64,69,74,00,68,65,6c,70,73,76,\
         63,00,75,70,6c,6f,61,64,6d,67,72,00,69,70,68,6c,70,73,76,63,00,73,65,63,6c,\
         6f,67,6f,6e,00,41,70,70,49,6e,66,6f,00,6d,73,69,73,63,73,69,00,4d,4d,43,53,\
         53,00,77,65,72,63,70,6c,73,75,70,70,6f,72,74,00,45,61,70,48,6f,73,74,00,50,\
         72,6f,66,53,76,63,00,73,63,68,65,64,75,6c,65,00,68,6b,6d,73,76,63,00,53,65,\
         73,73,69,6f,6e,45,6e,76,00,77,69,6e,6d,67,6d,74,00,62,72,6f,77,73,65,72,00,\
         54,68,65,6d,65,73,00,42,44,45,53,56,43,00,41,70,70,4d,67,6d,74,00,00
     • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     • Close Notepad and verify that the CFScript file is saved on your desktop.
     • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon.
     When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
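The netsvcs values in the scripts above are REG_MULTI_SZ data written as hex(7) bytes, so a reader cannot see at a glance which services a fix installs, or whether an export came from the wrong Windows version (the mix-up the post apologises for). The decoder below is an added example, not code from the thread or from ComboFix. It assumes the byte layout visible in the posted scripts (one byte per character, strings separated by 00 and the list closed by a double 00, which is the REGEDIT4 export form) and also handles the two-bytes-per-character form that "Windows Registry Editor Version 5.00" exports use. The two registry snippets embedded in it are constructed, shortened samples, not the values from the posts.

```python
"""Decode a "netsvcs"=hex(7):... value from a .reg or ComboFix Registry:: script.

Added example (not from the forum thread). REGEDIT4-style exports, which is the
layout the posted scripts use, store REG_MULTI_SZ as one ANSI byte per character;
"Windows Registry Editor Version 5.00" exports store it as UTF-16LE. Either way
the strings are NUL-separated and the list ends with an empty string (double NUL).
"""
import re
from typing import List, Tuple

# Constructed sample in the layout of the thread's Windows 7 script (shortened;
# the real value runs to several hundred bytes).
SAMPLE_REG_WIN7 = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost]
"netsvcs"=hex(7):41,65,4c,6f,6f,6b,75,70,53,76,63,00,43,65,72,74,50,72,6f,70,\
  53,76,63,00,42,49,54,53,00,00
'''

# Constructed sample standing in for an XP-style export.
SAMPLE_REG_XP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"=hex(7):36,74,6f,34,00,42,49,54,53,00,00
'''


def extract_value(reg_text: str, name: str) -> str:
    """Return the right-hand side of "name"=... with backslash-continued lines joined."""
    parts: List[str] = []
    grabbing = False
    for line in reg_text.splitlines():
        stripped = line.strip()
        if not grabbing:
            if not stripped.startswith(f'"{name}"='):
                continue
            grabbing = True
            stripped = stripped.split("=", 1)[1]
        # A trailing backslash means the value continues on the next line.
        continued = stripped.endswith("\\")
        parts.append(stripped.rstrip("\\"))
        if not continued:
            break
    if not parts:
        raise ValueError(f"value {name!r} not found")
    return "".join(parts)


def hex7_to_bytes(value: str) -> bytes:
    """Turn 'hex(7):41,65,...' into the raw REG_MULTI_SZ bytes."""
    prefix = "hex(7):"
    if not value.startswith(prefix):
        raise ValueError("not a REG_MULTI_SZ (hex(7)) value")
    pairs = re.findall(r"[0-9a-fA-F]{2}", value[len(prefix):])
    return bytes(int(p, 16) for p in pairs)


def decode_multi_sz(raw: bytes) -> List[str]:
    """Split REG_MULTI_SZ bytes into strings.

    Every ASCII character in UTF-16LE carries a 00 high byte, so an all-zero
    odd-position byte stream marks a v5.00 export; anything else is treated as ANSI.
    """
    utf16 = len(raw) >= 2 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le") if utf16 else raw.decode("latin-1")
    # Drop the empty terminator string(s) produced by the closing double NUL.
    return [s for s in text.split("\0") if s]


def netsvcs_from_reg(reg_text: str) -> List[str]:
    """Service names the script's "netsvcs" value would install."""
    return decode_multi_sz(hex7_to_bytes(extract_value(reg_text, "netsvcs")))


def diff_service_lists(a: List[str], b: List[str]) -> Tuple[List[str], List[str]]:
    """Names only in a and names only in b; registry names are case-insensitive."""
    la = {s.lower(): s for s in a}
    lb = {s.lower(): s for s in b}
    only_a = sorted(la[k] for k in la.keys() - lb.keys())
    only_b = sorted(lb[k] for k in lb.keys() - la.keys())
    return only_a, only_b


if __name__ == "__main__":
    win7 = netsvcs_from_reg(SAMPLE_REG_WIN7)
    xp = netsvcs_from_reg(SAMPLE_REG_XP)
    print("Windows 7 sample:", win7)
    print("XP sample:", xp)
    print("Only in Win7 / only in XP:", diff_service_lists(win7, xp))
```

Running the decoder over a script before applying it, and diffing the result against the netsvcs list of a known-good machine of the same Windows version, catches a wrong-platform export before it is written into the registry.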
  19. Are you sure there isn't already an OTL log saved on your desktop? The only way to save an OTL log with the same name as one that already exists would be to overwrite the old one. I am seeing some services in that log that are missing files. It may not be related to an infection, however it is best to repair them anyway. Please download ComboFix from one of the following links, and follow the instructions below to run it. Save as Combo-Fix.exe during the download. ComboFix must be renamed before you download to your Desktop: Link 1, Link 2
     * IMPORTANT !!! Save Combo-Fix to your Desktop
     • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help.
     • Double click on ComboFix.exe & follow the prompts.
     • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
     • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
       **Please note: (This applies to Windows XP systems only.) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.
     • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware.
     • When finished, ComboFix will produce a log.
     Note:
     1. Do not mouseclick ComboFix's window while it's running. That may cause it to stall!
     2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet.
     Attach logs for (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS):
     • ComboFix (C:\combofix.txt)
     Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  20. OK, it looks like we still need to fix some services, so here's another script. Here is another script with instructions on what to do again:
     • Download an updated version of ComboFix from one of the following links: BleepingComputer, InfoSpyware
     • Turn off your Anti-Virus software.
     • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/
         KillAll::
         Registry::
         [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
         "netsvcs"=hex(7):36,74,6f,34,00,41,70,70,4d,67,6d,74,00,41,75,64,69,6f,53,72,\
         76,00,42,72,6f,77,73,65,72,00,43,72,79,70,74,53,76,63,00,44,4d,53,65,72,76,\
         65,72,00,44,48,43,50,00,45,52,53,76,63,00,45,76,65,6e,74,53,79,73,74,65,6d,\
         00,46,61,73,74,55,73,65,72,53,77,69,74,63,68,69,6e,67,43,6f,6d,70,61,74,69,\
         62,69,6c,69,74,79,00,48,69,64,53,65,72,76,00,49,61,73,00,49,70,72,69,70,00,\
         49,72,6d,6f,6e,00,4c,61,6e,6d,61,6e,53,65,72,76,65,72,00,4c,61,6e,6d,61,6e,\
         57,6f,72,6b,73,74,61,74,69,6f,6e,00,4d,65,73,73,65,6e,67,65,72,00,4e,65,74,\
         6d,61,6e,00,4e,6c,61,00,4e,74,6d,73,73,76,63,00,4e,57,43,57,6f,72,6b,73,74,\
         61,74,69,6f,6e,00,4e,77,73,61,70,61,67,65,6e,74,00,52,61,73,61,75,74,6f,00,\
         52,61,73,6d,61,6e,00,52,65,6d,6f,74,65,61,63,63,65,73,73,00,53,63,68,65,64,\
         75,6c,65,00,53,65,63,6c,6f,67,6f,6e,00,53,45,4e,53,00,53,68,61,72,65,64,61,\
         63,63,65,73,73,00,53,52,53,65,72,76,69,63,65,00,54,61,70,69,73,72,76,00,54,\
         68,65,6d,65,73,00,54,72,6b,57,6b,73,00,57,33,32,54,69,6d,65,00,57,5a,43,53,\
         56,43,00,57,6d,69,00,57,6d,64,6d,50,6d,53,70,00,77,69,6e,6d,67,6d,74,00,77,\
         73,63,73,76,63,00,78,6d,6c,70,72,6f,76,00,6e,61,70,61,67,65,6e,74,00,68,6b,\
         6d,73,76,63,00,42,49,54,53,00,77,75,61,75,73,65,72,76,00,53,68,65,6c,6c,48,\
         57,44,65,74,65,63,74,69,6f,6e,00,68,65,6c,70,73,76,63,00,57,6d,64,6d,50,6d,\
         53,4e,00,00
     • Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
     • Close Notepad and verify that the CFScript file is saved on your desktop.
     • Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then, holding the mouse button down, drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon.
     When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  21. Well, that shows that all of the files and folders (as well as the startup entry) related to SafeSurf have been deleted. It shouldn't be bothering you anymore. If you are satisfied with that, then I can leave my final recommendations and close the topic.
  22. OK, we should be able to use ComboFix to get rid of some of those broken services. I have written a script that will tell ComboFix how to delete some broken services from your logs. Here are instructions on what to do with the script:
     • Download an updated version of ComboFix from one of the following links: BleepingComputer, InfoSpyware
     • Turn off your Anti-Virus software.
     • Click your Start button, go to All Programs (or just Programs on Vista and Windows 7), go to Accessories, and then open Notepad.
     • Please copy and paste the contents of the box below into Notepad (here is a link to instructions if you do not know how to copy and paste): http://support.emsisoft.com/topic/7520-please-help-with-trojancrypte2/
KillAll::
Driver::
zppinger zpjava zpaction zdeviceservice ZDCNDIS5 zBackupAssistService z800obex yediex yats32 XilinxPC4Driver XFX_program XDva004 xaudioservice wzcsvc Wuser32 WUSB54GPV4SRV WUSB54GCSVC WPFFontCache_v0400 wpdusb wmp54gv4svc WmFilter WmBEnum WLAN_USB wkscfgsrv WISTechVIDCAP winvnc4 winpowerrmi winpower windowblinds winachcf WimFltr WGX websenselogserver websensecommunicationagent webrootenterpriseclientservice w810obex w800obex w550bus w39n51 w300bus vzupsvc vzfw vtserver vserial vsapint vrfwsvc VRcore VrAcFil vpn5000service vncdrv vmparport vmodem vmnetuserif vmkbd2 vmauthdservice videX32 Video3D viaudio vet-rec vetmsgnt vetmonnt vetfddnt VCIDRV VCAM VAIOMediaPlatform-PhotoServer-HTTP VAIOMediaPlatform-MusicServer-HTTP vaiomediaplatform-integratedserver-upnp USBModem usbio USBCamera usb_rndisx USB_NDIS_51 UCTblHid U81xmdfl U81xbus U2SP tvtpktfilter TUWinStylerThemeSvc tunnelguardservice trufos truecrypt trioservice trayman traprcvr transarcafsdaemon tosrfcom tosporte tomcatcws3 tng-dtmg tnbrlds tmesrv3 tifm TIEHDUSB thpsrv teefer tdsmapi tdimsys TClass2k tbhsd syslogd sysenforce symsecureport symlcbrd SymIMMP symids symevent symc8xx symappcore symantecantibotagent sym_u3 swwd SWUMX51 SWUMX20 SWNC8U20 SWNC5E00 SWMX00 svv
[*] Save this as a Text Document named CFScript in the same location as ComboFix (which should be on your desktop).
[*] Close Notepad and verify that the CFScript file is saved on your desktop.
[*] Referring to the animated picture below, click the left mouse button on top of the CFScript icon on your desktop, then holding the mouse button down drag the CFScript icon on your desktop onto the ComboFix icon, and then drop it (let go of the mouse button) on top of the ComboFix icon:
When finished, it will display a new log in Notepad. Please attach that log to a reply the same way you did before. If you prefer, you can save the log on your desktop to make it easier to find.
  23. My apologies, I may have made an incorrect assumption when I read your post. What version of Online Armor do you have installed? I assume that this is happening on Windows XP?
  24. There are still some strange services in that log. Please download Farbar Service Scanner, save it on your desktop, and follow the instructions below to get me a log.
  Make sure the following options are checked:
  Internet Services
  Windows Firewall
  System Restore
  Security Center
  Windows Update
  [*] Press "Scan".
  [*] It will create a log (FSS.txt) in the same directory the tool is run.
  [*] Please attach the log to a reply by clicking on the More Reply Options button to the lower-right of where you type your reply.
  25. Please follow the instructions at this link to start your computer in Safe Mode With Networking and then try ComboFix again.