GT500

Emsisoft Employee
Everything posted by GT500

  1. Let's try this: Hold down the Windows key on your keyboard (the one with the little Windows logo on it, usually between the Ctrl and Alt keys) and tap the R key. Type control netconnections into the field and click OK. Right-click on your network connection (usually "Local Area Connection", unless it's wireless) and select Properties from the list. Make sure that OA Helper Driver is in the list. It will look like this (click on the picture to make it bigger): Let me know if that's there.
  2. May I ask if you use your computer for software development? Andrey let me know that you appear to have something called "madCodeHook library" installed, which he thinks may be responsible for the issue.
  3. OK, I have confirmation that the Trace.File.Agent (A) detection was a false positive, and that it has been fixed. Those logs you posted show that AdwCleaner and Junkware Removal Tool removed a lot of stuff, so hopefully your web browser performance is better after that. Please let me know if everything seems OK now.
  4. OK, I've sent an e-mail to our developers to let them know that you posted the logs. I'll let you know what they tell me.
  5. Right now my recommendation is to uninstall Emsisoft Anti-Malware, restart your computer, and then download and install the latest version from this link.
  6. Please try to follow the instructions at this link. If you are not able to follow those instructions, then please let us know what happens when you try to follow them.
  7. Personally, I think that's a false positive, however I will verify that with our research team. While we wait for that, I do recommend running the following utilities: Please download AdwCleaner and save it on your desktop. Close all open programs and internet browsers (you may want to print out or write down these instructions first). Double click on adwcleaner.exe to run the tool. Click on Delete. Confirm each time with Ok. You will be prompted to restart your computer. A text file will open in Notepad after the restart (this is the log of what was removed), which you can save on your desktop. Please attach that log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply. If you lose that log file for any reason, you can find it at C:\AdwCleaner[s1] on your computer. Please download Junkware Removal Tool and save it on your desktop. Shut down your anti-virus, anti-spyware, and firewall software now to avoid potential conflicts. Run the tool by double-clicking it. If you are using Windows Vista or Windows 7, right-click it and select Run as administrator. The tool will open and start scanning your system. Please be patient as this can take a while to complete depending on your system's specifications. On completion, a log is saved to your desktop and will automatically open. Please attach the JRT log file to a reply by clicking the More Reply Options button to the lower-right of where you type in your reply.
  8. Now that I think about it, Kevin had you run ComboFix, so let's uninstall that as well. Here are the instructions: Hold down the Windows key on your keyboard (it has the little Windows logo on it, next to the Ctrl key) and press R to open the Run dialog. Type ComboFix /Uninstall in the field (make sure to leave a space just before the /) and then click OK. ComboFix should take care of the rest. Feel free to create a new System Restore Point after doing that.
  9. OK, ComboFix may have deleted everything that needed to be deleted (although it also deleted something called technic-launcher.jar, which sounds like the Technic Pack for Minecraft). Go ahead and delete all of the logs that are on your desktop, and then run OTL again and get me a fresh OTL log.
  10. With no Windows XP disk, it will not be possible to use the System File Checker to verify if System Files have been modified or corrupted. It is still possible to replace those System Files (or at least most of them) by reinstalling Service Pack 3 for Windows XP. Please try the following: Download the Service Pack 3 for Windows XP installer from Microsoft at this link. Once that's done, restart your computer in Safe Mode by following the instructions at this link. Run the installer for Service Pack 3. Once it is done, restart your computer normally. Let me know if that helps at all.
  11. Let's try the following to get some Debug Logs: Uninstall Online Armor. Restart your computer twice. Follow the instructions at this link to install Online Armor with Debug Mode enabled (skip the first part, and scroll down to the part that is below the line). After installing with Debug Mode enabled, and seeing the error message, ZIP the entire Logs folder (normally C:\Program Files\Online Armor\Logs) and attach it to a reply by using the More Reply Options button to the lower-right of where you type in your reply. Note that if you don't have a utility such as 7-Zip, WinZip, or WinRar, you can ZIP files and folders by right-clicking on them, going to Send To, and clicking on Compressed (zipped) Folder.
  12. It is when Online Armor is in Advanced Mode. In Normal Mode it should work fine just by allowing the program through the firewall.
  13. I am not personally aware of any. The last time I did a search I was only able to find one that was in the format that Online Armor uses, however I imagine that there are more than one out there. Yes, we maintain our own Host Rules for EAM so that the Surf Protection offers protection against malicious websites without needing to import your own rules. We actually used to use the database from hpHosts to supplement our host rules, however we are currently maintaining the database on our own. The databases in MVPS HOSTS and hpHosts will contain things that we do not include in our Host Rules. For instance, Steven Burn will add things to hpHosts that we wouldn't normally add to our own Host Rules. I remember this question, but I thought I had already answered it. The Host Rules are the rules for the Surf Protection. No other component in EAM uses them, so if you turn off Surf Protection then the Host Rules are not being used. Technically that's not 'excluded', that's just set to "Always Allow". The program would still be monitored, it would just always be allowed rather than asking you what to do. If you want to completely exclude something from protection, then follow these instructions: Open Emsisoft Anti-Malware from the icon on the desktop. Click Guard in the menu on the left. Go to the File Guard tab. In the lower-left corner, just above Alerts, click on the Manage whitelist link. In the box under Type click the little down arrow and change it from File to Process (you may need to click in the box for the arrow to appear). Click in the white box below Item to make a button with three dots (...) appear, and then click the ... button. Navigate to the directory where the files you wish to exclude are located, and double-click on one of them to add it. Repeat the last 3 steps as needed to add each file to the exclusions list. Click the OK button at the bottom when done, and close Emsisoft Anti-Malware.
The Behavior Blocker in EAM/Mamutu and the HIPS in Online Armor work differently. The Behavior Blocker actually tries to determine if a program is safe, whereas anything not 'Trusted' in OA will generate a warning about behavior monitored by the HIPS. The process is similar to adding a Process exclusion to the Whitelist, however you would add it as a File exclusion rather than a Process exclusion.
  14. Well, that does not appear to have removed anything I put in the script. The script looks OK to me, so let's get a log from ComboFix. Please download ComboFix from this link and follow the instructions below to run it. Note that some infections will block it from running if you save it as ComboFix, so you may wish to rename it in order to prevent this. Make sure you remember what you changed the name to. * IMPORTANT !!! Save ComboFix to your Desktop. Disable your AntiVirus, AntiSpyware, and Firewall applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. See HERE for help. Double click on the ComboFix icon on your desktop (it has a red and white icon that looks like a white cat's head in a red circle) and follow the prompts. As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware. Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console. **Please note: (This applies to Windows XP systems only) If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures. Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message: Click on Yes, to continue scanning for malware. When finished, ComboFix will produce a log. Note: 1. Do not click in ComboFix's window while it's running. That may cause it to stall! 2. Remember to re-enable your anti-virus and anti-spyware before reconnecting to the Internet. Attach logs for: (USE THE "MORE REPLY OPTIONS" BUTTON TO BE ABLE TO DO THIS) ComboFix (C:\combofix.txt). Let me know of any problems you may have encountered with the above instructions and also let me know how things are running now!
  15. That looks good to me. Here are some final instructions for you: 1. Make Sure Java is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for Java in the list (should be alphabetical), and uninstall all versions of Java that you find listed. Click on this link and download and install the latest Java (the Windows Online download will be faster). 2. Make Sure Adobe Flash is Updated: Click on this link and download the latest version of Adobe Flash Player for your web browser. You will need to close your web browser when installing Flash. 3. Make Sure Adobe Acrobat Reader is Updated: Click on the Start button. Click on Control Panel. Click Uninstall a program. Look for any versions of Adobe Reader or Adobe Acrobat Reader in the list (should be alphabetical), and uninstall all of them (if you have Adobe Acrobat, which is the premium software from Adobe, then you do not need to uninstall it). Click on this link to go to the Adobe Reader download page, make sure to unselect any offers for toolbars or other free software, and download and install the latest version of Adobe Reader. (Please note that some people do prefer to use third-party PDF viewers such as PDF X-Change Viewer and Foxit Reader, which are not as commonly exploited as Adobe Reader, so if you would prefer to use one of those then you do not need to download and install Adobe Reader.) 4. Make Sure Your Computer Has The Latest Windows Updates: Click on the Start button. Go to All Programs. Click on Windows Update. Click Check for updates in the menu on the left (should be near the top). Once it is done checking for updates, click the Install updates button on the right. If your computer wants to restart after the updates are done, make sure that you allow it to do so. 5. Web Of Trust Extension: While this is not a requirement, I highly recommend that you click this link and check out the Web Of Trust extension for your web browser. It will add an extra layer of protection to your web browsing for free, and it is especially helpful when doing searches on Google, Yahoo!, Bing, etc. as it will point out what sites are considered trustworthy and what sites are not by drawing a colored circle to the right of each search result. Green means trusted, red means not trusted, yellow is in between, and white means it is not in Web Of Trust's database. 6. Empty The System Restore: Click on the Start button. Right-click on Computer and select Properties from the list. In the window that pops up, click on the System protection link in the menu on the left. The buttons may not be clickable for a few moments, but once you can click on them, select the drive in the list near the bottom that shows protection is on (this will usually be your C: drive) and click the Configure... button. Click the button near the bottom-right that says Delete to clear all System Restore data. Once finished, click OK to close that window. Now you will want to make sure that the correct drive is selected again (usually your C: drive) and click on the Create button to create a new restore point. Fill in a name for the restore point, and click the Create button. Once it is done, you can close the windows that were opened to get to the System Restore settings.
  16. OK, that looks good. I just want to do one last check, to see if there are some modified registry entries that will need to be repaired. We'll use OTL for this scan, but we're going to paste something into the Custom Scans/Fixes box before we run the scan. Go ahead and launch OTL, and then copy and paste the contents of the following box into the Custom Scans/Fixes box at the bottom of the OTL window:
      HKEY_CLASSES_ROOT\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
      HKEY_CURRENT_USER\Software\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} /s
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} /s
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8} /s
      HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{7C857801-7381-11CF-884D-00AA004B2E24} /s
      Note: If all of that appears on one line after you paste it into OTL, then let me know. Each line in the box should be on its own line in OTL. After pasting that into the Custom Scans/Fixes box in OTL, go ahead and click the Run Scan button and let it run its scan. When it's done, it will open the OTL log in Notepad, and save it on your desktop for you. Please attach that log to a reply for me to review.
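The OTL custom scan in post 16 dumps a handful of CLSID keys recursively. As an added, read-only PowerShell example (not GT500's code, and not part of OTL), the script below resolves the same CLSIDs from the post in each hive the post names and reports which COM server file each one loads, whether that file exists, and its Authenticode status, which is the information a reviewer is looking for in such a dump. It assumes a Windows host with PowerShell and makes no changes.

```powershell
# Added example, not from the original post: triage the CLSID keys that the
# OTL custom scan above lists. Read-only: nothing is written to the registry.
$clsids = @(
    '{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}',
    '{42aedc87-2188-41fd-b9a3-0c966feabec1}',
    '{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}',
    '{7C857801-7381-11CF-884D-00AA004B2E24}'
)
# HKCU\Software\Classes is consulted before HKLM when COM resolves a CLSID,
# so a per-user entry that shadows a machine-wide one deserves a close look.
$hives = @(
    'Registry::HKEY_CURRENT_USER\Software\Classes\CLSID',
    'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID',
    'Registry::HKEY_CLASSES_ROOT\CLSID'
)
foreach ($id in $clsids) {
    foreach ($hive in $hives) {
        $key = "$hive\$id"
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $name = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'(default)'
        # A COM server is registered under InprocServer32 (DLL) or LocalServer32 (EXE).
        foreach ($sub in 'InprocServer32', 'LocalServer32') {
            $srvKey = "$key\$sub"
            if (-not (Test-Path -LiteralPath $srvKey)) { continue }
            $raw = (Get-ItemProperty -LiteralPath $srvKey -ErrorAction SilentlyContinue).'(default)'
            if (-not $raw) { continue }
            # LocalServer32 values may be quoted and carry arguments; keep the path part.
            $path = [Environment]::ExpandEnvironmentVariables($raw.Trim('"').Split('"')[0])
            $exists = Test-Path -LiteralPath $path
            $sig = 'n/a'
            if ($exists) { $sig = (Get-AuthenticodeSignature -FilePath $path).Status }
            "{0}`n  hive: {1}`n  name: {2}`n  {3}: {4}`n  file exists: {5}`n  signature: {6}" -f `
                $id, $hive, $name, $sub, $path, $exists, $sig
        }
    }
}
```

A CLSID that resolves to a missing file, an unsigned file outside the Windows directory, or a per-user entry that shadows the machine-wide one is the kind of finding that the OTL dump would surface and that merits follow-up.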
  17. ICMP isn't a major security risk. People will be able to ping your IP address over the Internet, but you will still be protected by Online Armor. As for iReboot specifically, it appears to be from NeoSmart Technologies, which is supposed to be a reputable software company (I've used their EasyBCD in the past). bcdedit.exe is a Microsoft program called "Boot Configuration Data Editor", and it is safe (as long as you don't accidentally break your boot configuration with it). You can read a little more about it here.
  18. We'll need a full memory dump for our developers to take a look at in order to determine the cause of the issue. Please follow the instructions at this link, and then the next time it happens there will be a file named MEMORY.DMP in the root of your C: drive. If you could ZIP this file and upload it to a file sharing service so that you can send us a link, then that would be great. File sharing websites can include sites such as RapidShare/DepositFiles/BayFiles/etc. If you have DropBox, Google Cloud Storage, or Microsoft SkyDrive then those services are usually more reliable. Note that if you don't have a utility such as 7-Zip, WinZip, or WinRar, you can ZIP files and folders by right-clicking on them, going to Send To, and clicking on Compressed (zipped) Folder. If you need to reduce the file size more than ZIP is capable of, note that the 7z format from 7-Zip and the RAR format from WinRar will reduce the size of files better than ZIP will.
  19. I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window: Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
  20. OK, that just had three things that could be removed (one of them wasn't actually malicious and another was already in the ComboFix quarantine). I have written a cleanup script for OTL (if you need to, you may download OTL from this link). Please download the following OTL_Script file, and save it on your desktop. After saving it, open it, run OTL, and copy and paste the contents of the OTL_Script file into the Custom Scans/Fixes box at the bottom of the OTL window: Then click the Run Fix button at the top. Let the program run unhindered, restart your computer when it is done (it may automatically restart your computer on its own). After your computer has restarted, please open OTL again and click the Quick Scan button. Attach the log it produces in your next reply (just the OTL log, as I don't need to see the Extras log again). You will need to click the button that says More Reply Options to the lower-right of where you type your reply to be presented with the attachment controls.
  21. According to that ComboFix log, there are more than 500 system files (that includes backups of those files) that are failing a signature check. It is also not showing any backups of those files that are passing the signature check, which means that you will need your Windows XP disk to restore the files. Do you have a Windows XP disk (note that it should be the same edition that you have installed, which OTL says is Professional Edition)?
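Post 21 relies on ComboFix's report of system files failing a signature check. As an added PowerShell example (not GT500's code and not what ComboFix itself runs), the function below performs the same kind of check with Get-AuthenticodeSignature over the binaries in System32 and tallies them by status; the directory and extension list are assumptions you can change. One caveat a practitioner needs: most Windows system files are catalog-signed rather than carrying an embedded signature, and on older Windows versions such as XP and 7 Get-AuthenticodeSignature does not consult catalogs, so those files show up as NotSigned; HashMismatch (an embedded signature that no longer matches the file) is the status that indicates a modified file.

```powershell
# Added example, not from the original post: tally Windows system binaries by
# Authenticode signature status, similar in spirit to the ComboFix check above.
function Get-SystemSignatureReport {
    param(
        # Assumed defaults; adjust for the directory and file types of interest.
        [string]$Directory = (Join-Path $env:SystemRoot 'System32'),
        [string[]]$Extensions = @('.exe', '.dll', '.sys')
    )
    $files = Get-ChildItem -LiteralPath $Directory -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $Extensions -contains $_.Extension.ToLower() }
    $counts = @{}
    $suspect = @()
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature -FilePath $f.FullName -ErrorAction SilentlyContinue
        $status = if ($sig) { [string]$sig.Status } else { 'Error' }
        if ($counts.ContainsKey($status)) { $counts[$status]++ } else { $counts[$status] = 1 }
        # HashMismatch means the embedded signature no longer matches the file's contents.
        if ($status -eq 'HashMismatch') { $suspect += $f.FullName }
    }
    New-Object PSObject -Property @{
        Directory    = $Directory
        Counts       = $counts
        HashMismatch = $suspect
    }
}

$report = Get-SystemSignatureReport
"Directory: {0}" -f $report.Directory
$report.Counts.GetEnumerator() | Sort-Object Name |
    ForEach-Object { "  {0,-14} {1}" -f $_.Name, $_.Value }
if ($report.HashMismatch.Count -gt 0) {
    "Files whose embedded signature does not match their contents:"
    $report.HashMismatch | ForEach-Object { "  $_" }
}
```

On Windows 8 and later, where catalog signatures are checked, a large NotSigned count in System32 is itself worth investigating; on older systems it is expected and only HashMismatch entries are conclusive.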
  22. According to Andrey, the memory dump showed that Online Armor wasn't blocking anything. That's why he wanted to see Debug Logs, as he's fairly certain that they will contain more information than the memory dump. Windows sends a signal to each process asking them to terminate. This allows for each process to terminate on its own, so that they can save any data they need to and close any open file or registry handles.
  23. What happens if you switch it to Normal Mode?
  24. You're quite welcome. Please let us know if you have any further issues.