Avast WEBforum

Other => Viruses and worms => Topic started by: thekochs on April 03, 2012, 11:34:43 PM

Title: [SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 03, 2012, 11:34:43 PM
I didn't want to repost this entire thread so here is the link: http://forum.avast.com/index.php?topic=95962.0
At this point I'm trying to figure out if there is malware or a virus generating this request and, if not, how to suppress the message ?
You can see from referenced thread the system appears clean and this pops up as soon as I open IE8.

Thx.
Title: Re: URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: Pondus on April 03, 2012, 11:43:34 PM
Follow this guide and attach the logs from malwarebytes quick scan / OTL / aswMBR
http://forum.avast.com/index.php?topic=53253.0


When done, one of the malware removal specialists will help you.....you may have to wait until tomorrow night
Title: Re: URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 04, 2012, 11:58:45 AM
Thx.....I will have to set aside some time and download and run all scans to post.

I'll repost details in few days.

Regards.
Title: Re: URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 05, 2012, 03:16:56 PM
Here are the MBAM & OTL logs.
I have the Avast log (which shows no threats) but it is 2MB....guess I can't upload that file ?
Title: Re: URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 05, 2012, 06:49:25 PM
Here are the RK logs......

The popup still happens after I followed the instructions per the link and rebooted PC.
Title: Re: URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 05, 2012, 06:56:46 PM
Here is aswMBR log.

I do have RollBack RX installed on this computer and I know it changes the MBR so I did not try to "fix" by this replacing a new MBR.
I would need to uninstall RX first then proceed with fix.

Please help on any suggestions............I'm at my wits end.....frustrating. :(

Thx !
Title: Re: VIRUS HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 06, 2012, 01:53:03 AM
Essexboy,

I have not done anything else but have been reading on ComboFix, TDSSKiller & Kaspersky Rescue Disc 10.
I'll wait for instructions from you first.

Also, key to note...........

* I do have Macrium Reflect on the machine so will take full image prior.
* I also have Horizon DataSys RollBack RX(http://www.horizondatasys.com/169614.ihtml) installed which is great program but machine was infected past and past snapshot point.  This program does alter the MBR and the state of the physical HDD is the baseline....not all the new edits/changes.  Also, they warn of software A/V programs that load prior to their POST console driver load or very low level stuff.....guess can cause issues.  Thus, I'd probably need to uninstall this first and have the XP Pro SP3 machine in a normal Windows O/S state....no RollBackRX in MBR.

Thx.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 06, 2012, 02:33:43 AM
Hi,

The aswMBR log looks ok...let me look over the other logs and I will return as quickly as I can.  For the time being could you let me know exactly what symptoms you are experiencing that makes you think it might be malware.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 06, 2012, 03:05:47 AM
Hi,

It seems you had Norton/Symantec on your system at one time and some of the files are still hanging around.  Download and run the tool here >> ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe to remove all of Symantec.
----------

Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-dlink-chromesbox-en-us
O1 - Hosts: 192.168.1.103 NPI99CF7E
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O15 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..Trusted Domains: shift.co.kr ([www] http in Trusted sites)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2007/02/18 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

:Files
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=
"445:TCP"=
"137:UDP"=
"138:UDP"=
"10243:TCP"=-
"10280:UDP"=-
"10281:UDP"=-
"10282:UDP"=-
"10283:UDP"=-
"10284:UDP"=-
"3389:TCP"=-
"5985:TCP"=-
"80:TCP"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )
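
The :Reg section of the fix above deletes values under GloballyOpenPorts\List, the key where the Windows XP firewall stores its port exceptions. Each value there is named port:proto and holds port:proto:scope:Enabled|Disabled:name, where scope is * (any remote address), LocalSubNet, or an address list; in OTL's :Reg syntax, as in a .reg file, a value line ending in =- deletes that value. The Python below is an added example, not code from the thread or from OTL: it parses a constructed export of that key (the machine's real values are not shown on the page, so the ports mirror the script but the names and scopes are made up), applies the deletion lines from the posted script, and reports which exceptions remain and which of the originals were open to any address.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# XP firewall: one string value per exception under
# HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
#   StandardProfile\GloballyOpenPorts\List, named "port:proto",
# with data "port:proto:scope:Enabled|Disabled:name".
VALUE_RE = re.compile(r'^"(\d+):(TCP|UDP)"="(\d+):(TCP|UDP):([^:]+):(Enabled|Disabled):(.*)"$')
# OTL's :Reg section uses .reg syntax: a value line ending in =- deletes that value.
DELETE_RE = re.compile(r'^"(\d+):(TCP|UDP)"=-$')


class FirewallException(NamedTuple):
    port: int
    proto: str
    scope: str        # "*" = any remote address, "LocalSubNet", or an address list
    enabled: bool
    name: str
    @property
    def key(self) -> str:
        return f"{self.port}:{self.proto}"


# Constructed stand-in for a reg.exe export of the List key.  The ports mirror the
# posted script; the machine's real names and scopes are not on the page.
SAMPLE_LIST_EXPORT = '''
"1900:UDP"="1900:UDP:LocalSubNet:Enabled:SSDP (UPnP discovery)"
"2869:TCP"="2869:TCP:LocalSubNet:Enabled:UPnP Framework"
"139:TCP"="139:TCP:LocalSubNet:Enabled:NetBIOS Session Service"
"445:TCP"="445:TCP:LocalSubNet:Enabled:SMB over TCP"
"137:UDP"="137:UDP:LocalSubNet:Enabled:NetBIOS Name Service"
"138:UDP"="138:UDP:LocalSubNet:Enabled:NetBIOS Datagram Service"
"10243:TCP"="10243:TCP:LocalSubNet:Enabled:Media sharing"
"3389:TCP"="3389:TCP:*:Enabled:Remote Desktop"
"5985:TCP"="5985:TCP:*:Enabled:Windows Remote Management"
"80:TCP"="80:TCP:*:Enabled:Web Server (TCP)"
'''

# The :Reg lines exactly as they appear in the OTL fix above.
OTL_REG_SECTION = '''
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=
"445:TCP"=
"137:UDP"=
"138:UDP"=
"10243:TCP"=-
"10280:UDP"=-
"10281:UDP"=-
"10282:UDP"=-
"10283:UDP"=-
"10284:UDP"=-
"3389:TCP"=-
"5985:TCP"=-
"80:TCP"=-
'''


def parse_list_export(text: str) -> Dict[str, FirewallException]:
    """Parse exported List values into a dict keyed by "port:proto"."""
    exceptions: Dict[str, FirewallException] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        name_port, name_proto, port, proto, scope, status, desc = m.groups()
        if (name_port, name_proto) != (port, proto):
            raise ValueError(f"value name {name_port}:{name_proto} disagrees with its data")
        exc = FirewallException(int(port), proto, scope, status == "Enabled", desc)
        exceptions[exc.key] = exc
    return exceptions


def parse_otl_deletions(text: str) -> Set[str]:
    """Keys deleted by the :Reg section.  Lines ending in a bare '=' (the four
    NetBIOS/SMB lines in the posted script) are not deletions and are ignored."""
    deleted: Set[str] = set()
    for line in text.splitlines():
        m = DELETE_RE.match(line.strip())
        if m:
            deleted.add(f"{m.group(1)}:{m.group(2)}")
    return deleted


def apply_fix(export_text: str, otl_reg_text: str) -> Tuple[List[FirewallException], List[FirewallException]]:
    """Return (removed, remaining) exceptions after applying the OTL deletions."""
    before = parse_list_export(export_text)
    deleted = parse_otl_deletions(otl_reg_text)
    removed = [e for k, e in before.items() if k in deleted]
    remaining = [e for k, e in before.items() if k not in deleted]
    return removed, remaining


def any_address_exposures(exceptions: List[FirewallException]) -> List[str]:
    """Keys of enabled exceptions whose scope is '*', i.e. reachable from any remote address."""
    return sorted(e.key for e in exceptions if e.enabled and e.scope == "*")


if __name__ == "__main__":
    before = list(parse_list_export(SAMPLE_LIST_EXPORT).values())
    removed, remaining = apply_fix(SAMPLE_LIST_EXPORT, OTL_REG_SECTION)
    print("open to any address before fix:", any_address_exposures(before))
    print("removed by fix:", sorted(e.key for e in removed), "remaining:", sorted(e.key for e in remaining))
```

On the constructed sample, the fix removes the UPnP, media-sharing, Remote Desktop, WinRM and HTTP exceptions and leaves only the LocalSubNet-scoped NetBIOS/SMB ones; the same two functions run over a real `reg export` of the key tell you what a given script will actually change before you paste it into OTL.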
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 06, 2012, 05:31:53 AM
Quote
The aswMBR log looks ok...let me look over the other logs and I will return as quickly as I can.  For the time being could you let me know exactly what symptoms you are experiencing that makes you think it might be malware.  :)

What happens is every time I open IE8 the Avast Web Shield pops-up that URL Blocked http://rk400.com/?sov=rook-s1ysoft.com, THREAT Detected and Blocked.  Looking on the web this appears to be a bad site...known.  This Avast popup happens two-three times then stops.  The thing is I've done nothing but open IE8.....Google or Yahoo home page....nothing typed in.  I'm glad Avast blocks it but something in the PC is seeing explorer come up and is trying to access the site.....thus, I assume a Malware or Rootkit type thing.  Does that make sense ?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 06, 2012, 05:36:17 AM
Quote
It seems you had Norton/Symantec on your system at one time and some of the files are still hanging around.  Download and run the tool here >> ftp://ftp.symantec.com/public/english_us_canada/removal_tools/Norton_Removal_Tool.exe to remove all of Symantec.
----------

Please download and run ERUNT (http://www.snapfiles.com/get/erunt.html) (Emergency Recovery Utility NT).  This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed.  **Remember if you are using Windows Vista as your operating system right-click the executable and Run as Administrator.
----------

Run OTL.exe
  • Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL

Code: [Select]
:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKLM\..\SearchScopes\{443789B7-F39C-4b5c-9287-DA72D38F4FE6}: "URL" = http://slirsredirect.search.aol.com/slirs_http/sredir?sredir=843&query={SearchTerms}&invocationType=tb50-ie-dlink-chromesbox-en-us
O1 - Hosts: 192.168.1.103 NPI99CF7E
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\ShellBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {A057A204-BACC-4D26-9990-79A187E2698E} - No CLSID value found.
O3 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..\Toolbar\WebBrowser: (no name) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - No CLSID value found.
O15 - HKU\S-1-5-21-1960408961-823518204-682003330-1003\..Trusted Domains: shift.co.kr ([www] http in Trusted sites)
O16 - DPF: DirectAnimation Java Classes file://C:\WINDOWS\Java\classes\dajava.cab (Reg Error: Key error.)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
[5 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[10 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2007/02/18 14:42:57 | 000,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint

:Files
ipconfig /flushdns /c

:Reg
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"1900:UDP"=-
"2869:TCP"=-
"139:TCP"=
"445:TCP"=
"137:UDP"=
"138:UDP"=
"10243:TCP"=-
"10280:UDP"=-
"10281:UDP"=-
"10282:UDP"=-
"10283:UDP"=-
"10284:UDP"=-
"3389:TCP"=-
"5985:TCP"=-
"80:TCP"=-

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
  • Then click the Run Fix button at the top
  • Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.  Reboot when it is done.
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Thx....I'll try this tomorrow....late here on East Coast and I have an early morning appt !

I've used ERUNT for years.....like it a lot......think when I cleaned this PC originally I forgot to put it back on......I'll do that.
Also, thx for the cleaner link on Norton.....I used to have it then AVG, now Avast.  Not to be negative to Norton or AVG but they went from great products to total bloatware on my PCs......I love Avast.....wow !
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 06, 2012, 02:32:40 PM
Hi,

Take your time with running the fix. 

Quote
Not to be negative to Norton or AVG but they went from great products to total bloatware on my PCs......I love Avast.....wow !
Let's make sure all of AVG is removed as well.  Download and run the removal tool found here >> http://download.avg.com/filedir/util/support/avg_remover_stf_x86_2011_1322.exe
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 06, 2012, 04:30:21 PM
OK.....AVG & Norton cleaners run.....thx !!!!

Also attached is the log file after running the custom scan with your pasted code.  Note, I DID check LOP Check & Purity for this run since you said not to for the next one....so my assumption was you wanted me to on the first run with the code.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 06, 2012, 04:41:14 PM
Quote
  • Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )

Here is the scan log after.......LOP Check & Purity not checked.

Thx in advance for the help !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 06, 2012, 07:51:07 PM
Hi,

Quote
Thx in advance for the help !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
You are more than welcome.  :)
--------------

Malwarebytes

I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.
----------

ESET Online Scanner:

Note: You can use either Internet Explorer or Mozilla FireFox for this scan. You will however need to disable your currently installed Anti-Virus; how to do so can be read here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.htmll).

Vista users: You will need to right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.

All of the below instructions are compatible with either Internet Explorer or Mozilla FireFox.

Note: Do not forget to re-enable your Anti-Virus application after running the above scan!
----------

In your next reply let me know how your system is running and attach the logs made by Malwarebytes and ESET online scanner. 
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 06, 2012, 10:18:38 PM
Quote
I see that you have Malwarebytes already on your computer.  Please open Malwarebytes, update it and then run a Quick Scan.  Save the log that is created for your next reply.

Jeff, thx.

I have MBAM installed but not enabled as realtime so it won't conflict with Avast which is always on.
I'll run a Quick Scan and post but you saw above in the thread I ran a FULL scan in MBAM prior ?...nothing found.

Also, how were the new OTL scan logs after your script you had me run with FIX ?
As FYI, I no longer have this popping up but to be honest this happened a little while back.....was gone for day or so then back again.

Lastly, did you see my aswMBR log above ?....it had this item.....problem ?
12:50:18.812    Disk 0 MBR [possible unknown bootkit@MBR]  **ROOTKIT**
I am taking the family on Easter weekend to relatives so may be Monday before I can run the ESET Online scanner.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 06, 2012, 10:24:36 PM
Hi,

Have a great time with your family over Easter.  It is no problem to leave this open.  :)
---------

I like to have Malwarebytes run again towards the end in case we shook anything else loose. 
---------

The OTL logs were looking pretty good.  With Malwarebytes and ESET we are checking for anything left lurking. 
--------

The entry that you saw in the aswMBR log is directly related to the RollBack RX on your system.  The program itself uses some technology that is seen as a rootkit but it is not actually.  :)
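
aswMBR's verdict rests on the first sector of the disk: boot code other than what it expects is flagged as a possible bootkit, and a boot-time snapshot product such as RollBack RX rewrites exactly that code, so the flag by itself does not tell a vendor boot manager from malware. The Python below is an added example, not code from the thread or from aswMBR: it parses a 512-byte MBR (boot code, NT disk signature, the four partition entries and the 0x55AA marker), hashes the boot code against a caller-supplied table of known hashes, and sanity-checks the partition table. The MBR bytes it runs on are constructed inside the script; the "reference" hash is derived from that constructed sample and is not a real Windows XP MBR hash. In practice you would capture known-good hashes from a clean machine and read the sector from boot media rather than from the suspect OS, because a kernel-mode bootkit can filter raw disk reads.

```python
import hashlib
import struct
from typing import Dict, List, NamedTuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: x86 boot code executed by the BIOS
DISK_SIG_OFF = 440             # bytes 440..443: NT disk signature
PART_TABLE_OFF = 446           # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


class Partition(NamedTuple):
    index: int
    bootable: bool     # status byte 0x80
    type_id: int       # 0x07 = NTFS/IFS, 0x0c = FAT32 LBA, ...
    lba_start: int
    sectors: int


class MbrReport(NamedTuple):
    valid_signature: bool
    disk_signature: str
    boot_code_sha256: str
    boot_code_label: str      # label from the known-hash table, or "unknown"
    partitions: List[Partition]
    warnings: List[str]


def read_mbr(path: str) -> bytes:
    """Read sector 0 from a raw device or a disk image (first 512 bytes)."""
    # Windows: r"\\.\PhysicalDrive0" (needs administrator rights); Linux: /dev/sda.
    # A bootkit running inside the OS can hand back a clean-looking sector here,
    # so read from boot media when the machine itself is the suspect.
    with open(path, "rb") as f:
        return f.read(MBR_SIZE)


def parse_partitions(mbr: bytes) -> List[Partition]:
    parts: List[Partition] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, type_id, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if type_id == 0:
            continue      # empty slot
        parts.append(Partition(i, status == 0x80, type_id, lba_start, sectors))
    return parts


def analyze_mbr(mbr: bytes, known_boot_code: Dict[str, str]) -> MbrReport:
    if len(mbr) != MBR_SIZE:
        raise ValueError("expected exactly 512 bytes")
    warnings: List[str] = []
    valid_sig = mbr[510:512] == BOOT_SIGNATURE
    if not valid_sig:
        warnings.append("0x55AA boot signature missing")
    digest = hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()
    label = known_boot_code.get(digest, "unknown")
    if label == "unknown":
        warnings.append("boot code matches no known hash (vendor boot manager or bootkit); "
                        "identify its owner before overwriting the MBR")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p.bootable]
    if len(active) != 1:
        warnings.append(f"{len(active)} active partitions, expected 1")
    for p in parts:
        if p.lba_start == 0 or p.sectors == 0:
            warnings.append(f"partition {p.index} has a zero LBA start or length")
    return MbrReport(valid_sig, mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4].hex(), digest, label, parts, warnings)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR with one active NTFS partition starting at LBA 63."""
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    mbr[DISK_SIG_OFF:DISK_SIG_OFF + 4] = b"\x78\x56\x34\x12"
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 2_097_152)
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


# Constructed stand-ins: neither is real Windows or RollBack RX boot code.
REFERENCE_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100).ljust(BOOT_CODE_LEN, b"\x00")
VENDOR_BOOT_CODE = (b"\xea\x00\x7c\x00\x00VENDOR-BOOTMGR" + b"\x90" * 100).ljust(BOOT_CODE_LEN, b"\x00")


def known_hashes() -> Dict[str, str]:
    """Stand-in for hashes captured from a clean install and from machines with a known boot manager."""
    return {hashlib.sha256(REFERENCE_BOOT_CODE).hexdigest(): "known-good (constructed reference)"}


def demo() -> Dict[str, MbrReport]:
    table = known_hashes()
    return {"clean": analyze_mbr(build_sample_mbr(REFERENCE_BOOT_CODE), table),
            "vendor": analyze_mbr(build_sample_mbr(VENDOR_BOOT_CODE), table)}


if __name__ == "__main__":
    for name, report in demo().items():
        print(name, report.boot_code_label, report.partitions, report.warnings)
```

The "vendor" sample reproduces the situation in the thread: a well-formed partition table and boot signature, but boot code that matches nothing in the table. That is a reason to identify the boot manager (here RollBack RX) and capture its hash, not to run an MBR "fix", which would also break the snapshot product that installed it.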
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: Pondus on April 06, 2012, 10:26:40 PM
Quote
I have MBAM installed but not enabled as realtime so it won't conflict with Avast which is always on.
it usually doesn't.......never happened to me

if it does....this is how to avoid it - section K

http://forums.malwarebytes.org/index.php?s=54147ebdfdd762abba4d26e1e564e442&showtopic=10138&view=findpost&p=417798
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 06, 2012, 11:05:02 PM
Here is the MBAM Quick Scan.....nothing found.
I'm calling it quits and will run the ESET Online Scanner Monday......have a great weekend !!!
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 06, 2012, 11:07:40 PM
Quote
I'm calling it quits and will run the ESET Online Scanner Monday......have a great weekend !!!
You have a great weekend too.  If I happen to overlook the log on Monday please send me a PM.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 09, 2012, 03:26:56 PM
Well, left the machine alone for the weekend and Avast did its regular scans with no issues found.
Also, as stated above the popup went away for day or so....has done this in the past too but came back.
This morning I opened IE8 and as soon as Google Home page came up the popup did....three times in roughly one minute.
It seems it does 3 attempts each time I go into IE8 so I waited for the 3rd then went to ESET and followed your instructions.
I disabled Avast Shields prior to running but after the three popups.
The online scanner ran for roughly one hour and found a Win32\OpenCandy application threat.
I did not select remove found threats, as told.
I also exited without uninstalling the app in case I need to go back.
Attached is log in ANSI.

Also, I know there are other programs like ComboFix, Kaspersky Rescue CD10, TDSSKiller but I'll await your guidance.

Please let me know next steps ?

Thx again.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 09, 2012, 03:36:46 PM
Hi,

I trust you had a nice weekend?  :)

What is the popup saying?
----------

Run OTL.exe
Code: [Select]
:Services

:Files
C:\Program Files\MediaInfo\OpenCandy\OCSetupHlp.dll

:Commands
[purity]
[emptytemp]
[resethosts]
[clearallrestorepoints]
[start explorer]
[Reboot]
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 09, 2012, 05:38:25 PM
Quote
What is the popup saying?

I've attached a PDF of the screen capture (pic) of the Avast message box.

I'll wait to run OTL until you can review.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 09, 2012, 05:40:26 PM
Hi,

After looking at that it seems that avast was protecting you from a bad website or possibly something was on the website itself.  I don't think that is coming from within your system.  Go ahead with OTL.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 09, 2012, 07:09:01 PM
Quote
After looking at that it seems that avast was protecting you from a bad website or possibly something was on the website itself.  I don't think that is coming from within your system.  Go ahead with OTL.  :)

Attached is the OTL log from the custom scan.
The popup still comes up as I rebooted and posted to this thread.
Also, I know Avast is blocking the site but I only open Internet Explorer and it comes up...I do not navigate or even touch anything.
Thus, something seems to be in the system: as soon as IE8 comes up it tries to access the site.
I've tried to suppress the message in Avast's Site Blocking via http://rk400*.* but it does not stop the message.
However, I know this would be a band aid.....not resolving the baseline issue/virus.

Question....ESET Online scanner found a Win32\OpenCandy application threat.
Should I run this scanner with the remove threat option ?

Let me know your thoughts and next-steps ?

Thank you again for all the help and patience.

Regards.



Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 09, 2012, 08:08:33 PM
Hi,

Let's see what this may reveal...

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 09, 2012, 10:11:10 PM
Quote
Let's see what this may reveal...

Please download TDSSKiller.zip (http://support.kaspersky.com/downloads/utils/tdsskiller.zip)
  • Extract it to your desktop
  • Double click TDSSKiller.exe
  • when the window opens, click on Change Parameters
  • under ”Additional options”, put a check mark in the box next to “Detect TDLFS File System”
  • click OK
  • Press Start Scan
    • Only if Malicious objects are found then ensure Cure is selected
    • Then click Continue > Reboot now
  • Copy and paste the log in your next reply
    • A copy of the log will be saved automatically to the root of the drive (typically C:\)

Attached is picture & log of what TDSSKiller found.....I recognize both of these.....they are part of Macrium Reflect's imaging software.  The pssnap is an alternative to the Microsoft VSS service, the other is the Reflect service......thus, I did SKIP (note there was no "cure" option......only quarantine or delete...or skip)

Question, is there a reason you did not want me to run the ESET Online scanner that found the Win32\OpenCandy application threat with the remove threat option ?

Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 09, 2012, 11:18:59 PM
Hi,

Quote
is there a reason you did not want me to run the ESET Online scanner that found the Win32\OpenCandy application threat with the remove threat option ?
Sometimes ESET will remove an entry that does not actually need to go and that is why we ask that you don't remove them.  I removed it with OTL.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 09, 2012, 11:32:07 PM
Quote
Sometimes ESET will remove an entry that does not actually need to go and that is why we ask that you don't remove them.  I removed it with OTL.  :)

Oh....OK.

So, not sure where we are..........  :-\
I'm no expert but seems the computer has a virus that every time you open Internet Explorer tries to access the http://rk400.com/?sov=rook-s1ysoft.com site.....which Avast promptly blocks.  It seems to do this three times in succession then no more until you close out of IE and re-open.  I have no idea the virus but I'm also puzzled I cannot block this attempt via Avast Site Blocker by putting in the string  http://rk400*.* into Avast's site blocker.....perhaps I am doing this wrong ?  I would assume this Avast site blocking option/feature would block the attempt so I did not even see the popup.  As stated, this would be a band-aid and not solve the underlying issue.....even mask it.....but if this is a non-lethal virus we cannot find perhaps the solution if we can get it to work ?

I don't want to give up but I've had two instances where the popup did not come up for a couple days.....one was after the first OTL custom scan you asked me to do....one prior but cannot remember what I had done.  Not sure if there is a link here anyway....but it did stop for a couple days....seems odd.

Do you want me to re-run ESET as before to see what comes up ?
Any others to try ?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 10, 2012, 01:58:59 AM
I tried to access the same site and got the same results as you.  Do you receive the same results when opening Firefox or Google Chrome?

Let's take a look and see what we have

In the run box type the following

diskmgmt.msc

When disc management opens expand it so that all drives are visible
Take a screenshot and post it here

Are you able to burn a CD on another computer ?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 10, 2012, 02:35:41 PM
I ran ESET again this morning.....see new log.
Also, attached is JPEG of diskmgmt.msc screen shot.
I can burn CD on other machine.....let me know what you want to do.
Also, remember I have RollBackRX installed.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 10, 2012, 04:39:16 PM
Hi,

Both of those look good.  ESET is picking up the old OpenCandy entry but it is in the OTL quarantine so it is fine.

Do the popups occur in other browsers than Internet Explorer? 

Run a new scan with OTL and attach the new logs.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 10, 2012, 06:33:54 PM
Is there anything custom on the OTL scan you want me to do ?

I do not have any other browsers installed (never wanted to go down that path.....too many things IE makes simple for me and not big enough power user to need other browsers).
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 10, 2012, 07:09:37 PM
Hi,

Quote
Is there anything custom on the OTL scan you want me to do ?
You know what...put the following into Custom Scans/Fixes

netsvcs
/md5start
consrv.dll
/md5stop
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 10, 2012, 07:27:16 PM
I did not get a chance to do this "customized" scan......will do/re-run soon and post. However, here is OTL scan with just using "SCAN" button as-is.

To be clear using your previous OTL instructions.........
Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL using...........
netsvcs
/md5start
consrv.dll
/md5stop

Then click the Run Fix  button at the top.
Let the program run unhindered.  There will be a log created when it completes that I will need in your next reply.
Reboot when it is done.
Then run a new scan and post a new OTL log ( don't check the boxes beside LOP Check or Purity this time )


You also mentioned above a CD.....something you want me to burn and try ?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 11, 2012, 01:28:57 AM
Hi,

Sorry if my instructions weren't clear enough.  :(

Place the following text in the code box into the Custom Scans/Fix section of OTL
Code: [Select]
netsvcs
/md5start
consrv.dll
/md5stop

Once pasted into the Custom Scans/Fix section press Run Scan.  This will produce a log that I will need in your next reply. 

Don't worry about the burning CD right now.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 11, 2012, 02:01:51 PM
Your instructions were clear but I wanted to make 100% sure how you wanted me to run it.....since I know one wrong step in these things can cause more issues.

Attached is OTL Log with custom items added.

Also, had idea.......
Since the Avast Blocker message says the source is C:\Program Files\Internet Explorer\ws2help.dll my thought was to view all O/S files and take a copy from other XP SP3 machine and replace.....basically deleting/replacing this help file/DLL.  I went to the folder and even when I set to view O/S files I could not find this DLL.  Do you think that would work if we could replace it somehow ?
Additionally, I see IE8 in my ADD/Remove....how about uninstalling and re-installing IE8 ?
FYI....I do have RollBackRX on this machine so I can easily save a snapshot of a current point prior to any of these and roll back to that point, even pre-O/S load.  Unlike SystemRestore it rolls back everything.....all/any changes....even O/S.

Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 11, 2012, 02:11:17 PM
Hi,

I like the idea of reinstalling IE but let me look over the logs really quick.  It may be a bit because I have to travel for work today.  I hope that isn't a problem. 
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 11, 2012, 03:57:02 PM
Hi,

I like the idea of reinstalling IE but let me look over the logs really quick.  It may be a bit because I have to travel for work today.  I hope that isn't a problem.

Take your time......the machine is used some but not main one....thank goodness.
FYI, just downloaded and installed the new Microsoft XP Updates.....went fine....their Malicious Software update ran....guess it did not find anything. :(

If we decide to uninstall IE8 let me know steps.....I assume just to go into Add/Remove and hit the IE8 and select uninstall.
Assuming this goes well I'm not sure what it will leave me with ?...perhaps no Web Browser or will it leave earlier version ?
Assuming I have no web browser how/where do I download IE8 (I assume IE9+ is only for W7 ?).
I found this but only 16MB.....seems small and wondering if will work with no browser...perhaps it is an upgrade only EXE ?
http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-8
Should I try IE7 then upgrade ?: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=2

As always, thx for the help.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 11, 2012, 09:05:26 PM
Hi,

Do you recognize the following >> C:\Program Files\DriveSitter\DriveSitter.exe
----------

Run OTL.exe
Code:
:Services

:OTL
O16 - DPF: {1455BE02-C41B-4115-B21C-32380507DC8F} file:///C:/WINDOWS/Temp/MxTextAreaU.cab (MxTextAreaU Class)
O16 - DPF: {1C18220D-EC23-48C8-B35E-857ADE9D1465} file:///C:/WINDOWS/Temp/Potential.cab (Potential Class)
O16 - DPF: {223216F6-B9FE-406D-9ED6-143FCE3A07B8} file:///C:/WINDOWS/Temp/MxLogicalTRU.cab (MxLogicalTRU Class)
O16 - DPF: {2F98EA90-EAE1-4AB5-AE89-DA073D824589} file:///C:/WINDOWS/Temp/MxBinderU.cab (MxBinderU Class)
O16 - DPF: {31538FAB-8051-4CFA-ACA4-B2668718B6F8} file:///C:/WINDOWS/Temp/MxMenuU.cab (MxMenuU Class)
O16 - DPF: {4F57AF1B-5470-47EE-A5AA-D1EA4B3C42A6} file:///C:/WINDOWS/Temp/XChartU.cab (XChartU Class)
O16 - DPF: {5C32688E-CEBE-419D-9C63-0704A2331EEC} file:///C:/WINDOWS/Temp/MxFileControlU.cab (MxFileControlU Class)
O16 - DPF: {71E7ACA0-EF63-4055-9894-229B056E9C31} file:///C:/WINDOWS/Temp/MxGridU.cab (MxGridU Class)
O16 - DPF: {84168FE7-B960-402B-BC0E-E7214D2CFC10} file:///C:/WINDOWS/Temp/MxResourceMngU.cab (MxResourceMngU Class)
O16 - DPF: {90CAA259-71ED-42CB-BEB8-95281CCF9E58} file:///C:/WINDOWS/Temp/MxTabU.cab (MxTabU Class)
O16 - DPF: {9683681E-FAD6-45F1-86B3-FD60C7101BC9} file:///C:/WINDOWS/Temp/MxReportU.cab (MxReportU Class)
O16 - DPF: {9F0AA341-1D10-4B18-B70B-6AA49CE7F5D6} file:///C:/WINDOWS/Temp/MxImageSetU.cab (MxImageSetU Class)
O16 - DPF: {AF989B7C-8AC3-40BC-B749-EB335BDFD190} file:///C:/WINDOWS/Temp/MxDataSetU.cab (MxDataSetU Class)
O16 - DPF: {B1405FE9-DEF8-4679-A3BC-C05F1330CDDD} file:///C:/WINDOWS/Temp/MxMGridU.cab (MGridU Class)
O16 - DPF: {BB4533A0-85E0-4657-9BF2-E8E7B100D47E} file:///C:/WINDOWS/Temp/MxComboU.cab (MxComboU Class)
O16 - DPF: {BDEB0088-66F9-4A55-ABD2-0BF8DEEC1196} file:///C:/WINDOWS/Temp/teechart8.cab (TeeChart Pro Activex control v8)
O16 - DPF: {C1781C5C-0C32-40F2-8927-46FE4BCB5B87} file:///C:/WINDOWS/Temp/MxTreeU.cab (MxTreeU Class)
O16 - DPF: {D7779973-9954-464E-9708-DA774CA50E13} file:///C:/WINDOWS/Temp/MxMaskEditU.cab (MxMaskEditU Class)
O16 - DPF: {F73C0958-D8FE-43A5-9BB0-0F651C5A2BCC} file:///C:/WINDOWS/Temp/MxRadioU.cab (MxRadioU Class)

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[start explorer]
[Reboot]
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 12, 2012, 12:03:53 AM
Do you recognize the following >> C:\Program Files\DriveSitter\DriveSitter.exe

It is the SMART HDD monitoring software.....works great.....tried a lot of these type programs and have used this for years.
http://www.otwesten.de/drivesitter/
Is this an issue or just a FYI question to me ?
Still want me to run OTL with above custom list ?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 12, 2012, 12:05:50 AM
Yes please run OTL with the fix that I provided.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 12, 2012, 12:41:15 AM
Yes please run OTL with the fix that I provided.  :)

Here are both the logs.......after custom/fix....and after reboot then general scan.
Popup still happens. :(
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 12, 2012, 01:42:49 PM
Hi,

This is a sneaky one.  I appreciate your patience.  :)

Run OTL.exe
Code:
:Services

:OTL
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
IE - HKLM\..\SearchScopes,DefaultScope =
IE - HKLM\..\SearchScopes\{530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}&sourceid=ie7&rls=com.microsoft:en-US&ie=utf8&oe=utf8
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
IE - HKCU\..\SearchScopes,DefaultScope = {530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}
IE - HKCU\..\SearchScopes\{530BA5C2-9B7B-45A3-A57E-52197F6C7ABC}: "URL" = http://www.google.com/search?q={searchTerms}&rls=com.microsoft:{language}:{referrer:source?}&ie={inputEncoding}&oe={outputEncoding}&sourceid=ie7&rlz=1I7ADRA_enUS471
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = <local>

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
----------

I see that you have Firefox on your system...do you receive the same problem when opening Firefox?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 12, 2012, 03:16:10 PM
I see that you have Firefox on your system...do you receive the same problem when opening Firefox?

I don't have Firefox that I know of ???   .....never used it or any other web browser except IE.
Since I'm not a power user like that.....thus IMHO the trade-offs of not using IE is not worth it.....for me.  :)
Should I somehow take this off ?

I'll run the new scan soon.....thx !
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 12, 2012, 06:45:49 PM
No joy in Muddville.......still pops up.  :'(

Attached is fixed/custom scan log and after reboot scan.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 12, 2012, 07:30:02 PM
Hi,

Let's try something a little bit different...

Are you able to download the Smart HDD program again if we removed it?  If so, please uninstall the program and see if you are still receiving the popups.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 12, 2012, 10:43:36 PM
Hi,

Let's try something a little bit different...

Are you able to download the Smart HDD program again if we removed it?  If so, please uninstall the program and see if you are still receiving the popups.  :)

You mean DriveSitter ? 
http://www.otwesten.de/drivesitter/index.htm
Sure.....I can uninstall it no problem.
I have the installer and license key to re-install if needed.
Plus,  I have RollBack RX so I can easily roll back the system to point prior to uninstall.
FYI, I have five other PCs......two XP SP3, three W7 64bit, that use this program now....no pop-up.

Also, should I go ahead and try to uninstall IE8, clean PC, then re-install IE8 ?
I should probably CCleaner (use it a lot) to clean reg, delete the C:\Program Files IE directory, etc.
I can download the installer prior but only red flag there is it is only 16MB exe file. 
If I have no browser is this the full installer or will I be stuck in that this EXE is expecting an existing IE install to "upgrade" or use as web access ?
http://windows.microsoft.com/en-US/internet-explorer/downloads/ie-8
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 12, 2012, 11:58:04 PM
Hi,

Yeah go ahead and remove it for now and let's just see what happens.  Don't worry about removing IE8 though.  :)

As for CCleaner...DO NOT use it as a registry cleaner and I don't recommend any software as a registry cleaner.  More often than not they cause much more harm than they are worth.  Sometimes they can even ruin the registry.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 13, 2012, 06:00:18 PM
Yeah go ahead and remove it for now and let's just see what happens. 

I did the uninstall and what is weird is on reboot I got the attached Windows error message on DriveSitter on screen at boot..
Also still getting the threat popups.
Something weird going on with this....ideas ?...perhaps some way to remove this now in OTL custom ?
I ran a generic OTL scan and attached.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 13, 2012, 10:02:43 PM
Hi,

Could you attach a screen shot of the Avast warning that you are receiving please?  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 13, 2012, 10:27:11 PM
Hi, Could you attach a screen shot of the Avast warning that you are receiving please?  :)

See attached.

Wondering if DriveSitter is really un-installed but the "virus/malware" is still there hiding as DriveSitter and hence the Windows message ?
Any way to use OTL to blow away the rest of DriveSitter (or what is representing itself as DriveSitter) for good and see ?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 14, 2012, 03:41:19 PM
Hi,

Sorry for my delay.  I have been speaking with a colleague about your logs.  Let's try this...

You have both IE7 and IE8 on your system still.  Completely uninstall IE8 then check to see if the problem still occurs with Internet Explorer 7.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 14, 2012, 05:01:55 PM
Hi,

Sorry for my delay.  I have been speaking with a colleague about your logs.  Let's try this...

You have both IE7 and IE8 on your system still.  Completely uninstall IE8 then check to see if the problem still occurs with Internet Explorer 7.  :)

Will do on Monday......not at home this weekend.

Also, how do I get rid of the remnants of DriveSitter ?
Is there a custom script in OTL you can provide that will remove whatever is giving me the Windows error ?

Thx.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 15, 2012, 04:10:17 AM
Hi,

Let's remove what we can see of DriveSitter with OTL.

Run OTL.exe
Code:
:Services

:OTL
O4 - HKLM..\Run: [DriveSitter Pro] C:\Program Files\DriveSitter\DriveSitter.exe (Oliver Marr)

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]
----------

Download Revo Uninstaller (http://www.revouninstaller.com/revo_uninstaller_free_download.html)
You will now see a list of installed programs that Revo Uninstaller can remove.
----------

In your next reply please attach the new OTL log and let me know whether, after uninstalling Internet Explorer 8, the pop-ups still occur.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 16, 2012, 10:23:45 PM
OK......I did the custom OTL scan/fix and attached is log.
After reboot I did not get the DriveSitter Windows error popup.
I then did regular OTL scan....attached is log.

I then downloaded, installed and tried REVO.....but guess DriveSitter was really gone.....it found nothing to uninstall.

I then opened IE8 and bang.....got the old threat popup. :(

I then went into ADD/REMOVE and first uninstalled a zillion IE8 updates.
I then uninstalled IE8.
I am now running IE7 and NO threat popups !!!!!.....so far.  :-\

I'm going to wait a day or two with IE7 to see if this is just a fluke or not.....recall that this "virus" did go away awhile back for day or so.
Assuming it is solid with no issues for 3+ days......should I install IE8 again ?...I downloaded the install from MS for XP.

Regards.


Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 17, 2012, 12:27:41 AM
Hi,

Yeah let it run for a couple of days or until a popup happens again (hopefully it won't) and then let me know how things are going.  You could probably install IE8 again and not have any problems.  If I miss a response please be sure to PM me.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 22, 2012, 02:38:31 AM
Hi,

Yeah let it run for a couple of days or until a popup happens again (hopefully it won't) and then let me know how things are going.  You could probably install IE8 again and not have any problems.  If I miss a response please be sure to PM me.  :)

OK....PC/IE7 has run all last week and no popups........ :)
I'll let it run thru Monday and in afternoon I'll install IE8 again.
I will use CCleaner for any items but for IE8 in Windows XP is there any folders or things I should delete out manually prior to install ?
I guess my fear is even though I'm installing new IE8 there is old DLL or something hanging around that is re-used.
With RollBackRX I can set a restore point prior to this so I can easily/quickly roll back prior to the effort.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 22, 2012, 04:03:42 AM
Hi,

Glad that your system is running well. 

When you download IE8 just go ahead and install it.  I don't think that there will be any problems and there is nothing you need to remove prior.  Like you said though...set a restore point just in case.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 23, 2012, 07:07:49 PM
Hi,

Glad that your system is running well. 

When you download IE8 just go ahead and install it.  I don't think that there will be any problems and there is nothing you need to remove prior.  Like you said though...set a restore point just in case.  :)

Well......I thought this would be a no-brainer.......installed IE8....it even ran a scan of its own on install for Malicious software.
Re-boot.....open IE8.....bang.....same old Threat Detected popup.  :(
So, I rolled back machine to IE7 and I'm done trying.
Somehow this thing is embedded in IE8 and even an uninstall/re-install (I CCleaned directories, registry, etc.) does not work.
Is there something you think I should have tried on IE8 install ?
If not....I'm done.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 23, 2012, 10:01:01 PM
Hi,

Get me a screen shot of the popup. 
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 24, 2012, 03:17:30 AM
Hi,

Get me a screen shot of the popup.

Here you go............
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 24, 2012, 03:32:01 AM
Hi,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click VirusTotal (http://www.virustotal.com)

Copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Program Files\Internet Explorer\ws2help.dll

scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 24, 2012, 01:05:49 PM
Hi,

I need some information on some unidentified files. We will use VirusTotal. Please submit these files for analysis.

To submit a file to VirusTotal, please click VirusTotal (http://www.virustotal.com)

Copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\Program Files\Internet Explorer\ws2help.dll

scroll down a bit and click "send file", wait for the results and post them in your next reply.

Please note that sometimes the scans take a few minutes. Please ensure that the scan has completed and the results are complete before submitting the next sample. Also please make sure each result is clearly identified as to which sample they belong to.
----------

I assume I'll need to re-install IE8 ?.....I only ask since not sure if this file is lurking on the computer but only used with IE8 and not IE7 ?
I guess I can check the prog-files\ie\ directory for system and/or hidden files too.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 24, 2012, 01:24:40 PM
No, I am not thinking that yet.  Let's just see what VirusTotal says.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 24, 2012, 01:30:01 PM
No, I am not thinking that yet.  Let's just see what VirusTotal says.  :)

I only have IE7 installed......you think this ws2help.dll file is there on the PC ?
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 24, 2012, 01:30:31 PM
No, I am not thinking that yet.  Let's just see what VirusTotal says.  :)

I only have IE7 installed......you think this ws2help.dll file is there on the PC ?

Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 24, 2012, 01:31:37 PM
It could be....but the problem is that sometimes malware will disguise itself as legit programs and we need to see what VirusTotal is saying about the entry. 
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 24, 2012, 06:52:52 PM
It could be....but the problem is that sometimes malware will disguise itself as legit programs and we need to see what VirusTotal is saying about the entry.

I see the ws2help.dll file under IE7 install.
I try to copy & paste and also try to browse to the file.....does not "enter" into the VirusTotal file to scan field.
Is there a trick to this since a DLL file ?
I also just tried some other PDF file....no load there either....strange.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 24, 2012, 07:20:27 PM
Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:file
C:\Program Files\Internet Explorer\ws2help.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 24, 2012, 10:58:49 PM
Hi,

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1 (http://jpshortstuff.247fixes.com/SystemLook.exe)
Download Mirror #2 (http://images.malwareremoval.com/jpshortstuff/SystemLook.exe)

  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
Code:
:file
C:\Program Files\Internet Explorer\ws2help.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop entitled SystemLook.txt

Here you go............thx.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 25, 2012, 12:09:56 AM
Hi,

Go ahead and delete that file and see if that helps. 
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on April 25, 2012, 02:28:54 AM
Hi,

Go ahead and delete that file and see if that helps.

Right now I have IE7......I can delete this DLL ?
I'll then need to re-install IE8 to see if it works......IE7 there is no popup as you know.
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on April 25, 2012, 02:32:33 AM
If you update to IE8 and receive the popups just delete that file.  It is bad from what I am seeing of it.  :)
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on May 02, 2012, 12:10:02 PM
I set restore point.
Deleted C:\Program Files\Internet Explorer\ws2help.dll file which was one showing in threat pop-up.
Installed IE8.
No popups !!!!

I'll run machine for a week and post back to make sure then we can change thread to [SOLVED].
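The resolution above (a ws2help.dll sitting next to iexplore.exe that only IE8 picked up, and pop-ups gone once that file was deleted) fits the pattern of a look-alike DLL placed in an application folder, where the program finds it before the genuine copy in %SystemRoot%\system32. As an added example that is not part of the thread and not OTL or SystemLook code, this Python script does the defender's check from the thread in one pass: walk application folders for files named like core system DLLs and compare their MD5 (the same check the /md5start block asks OTL for) against the system32 copy. The DLL names other than ws2help.dll, the folder layout and the file contents are constructed assumptions so the script runs offline.

```python
"""Find copies of core Windows DLL names planted beside an application.

Added example (not from the thread, OTL or SystemLook). A program loads a
DLL from its own directory before %SystemRoot%\\system32, so a file named
like a system DLL inside C:\\Program Files\\<app> deserves a look: compare
its hash with the system32 copy instead of trusting the file name.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# ws2help.dll is the name from the thread; the other names are well-known
# system DLLs added here as an assumption to make the watch list realistic.
WATCHED_DLLS = {"ws2help.dll", "ws2_32.dll", "wininet.dll", "urlmon.dll"}


def md5_of(path):
    """MD5 hex digest of a file, the same value OTL's /md5start block reports."""
    h = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_dlls(system32, app_dirs):
    """Return (path, md5, verdict) for every watched DLL name under app_dirs.

    verdict is 'matches-system32' (byte-identical redundant copy, still odd),
    'differs' (same name, different content: quarantine and submit for
    analysis) or 'no-system32-copy' (name has no genuine twin: investigate).
    """
    # Index system32 by lower-cased name so WS2_32.DLL and ws2_32.dll compare.
    reference = {p.name.lower(): p for p in Path(system32).iterdir() if p.is_file()}
    findings = []
    for app_dir in app_dirs:
        for root, _dirs, files in os.walk(app_dir):
            for name in files:
                key = name.lower()
                if key not in WATCHED_DLLS:
                    continue
                found = Path(root) / name
                ref = reference.get(key)
                if ref is None:
                    verdict = "no-system32-copy"
                elif md5_of(found) == md5_of(ref):
                    verdict = "matches-system32"
                else:
                    verdict = "differs"
                findings.append((str(found), md5_of(found), verdict))
    return findings


def build_demo_tree(base):
    """Constructed stand-in for the XP layout; the byte strings are not real DLLs."""
    base = Path(base)
    system32 = base / "WINDOWS" / "system32"
    ie_dir = base / "Program Files" / "Internet Explorer"
    other = base / "Program Files" / "SomeApp"
    for d in (system32, ie_dir, other):
        d.mkdir(parents=True, exist_ok=True)
    (system32 / "ws2help.dll").write_bytes(b"constructed: genuine ws2help")
    (system32 / "ws2_32.dll").write_bytes(b"constructed: genuine ws2_32")
    (ie_dir / "ws2help.dll").write_bytes(b"constructed: planted look-alike")  # the thread's case
    (ie_dir / "urlmon.dll").write_bytes(b"constructed: no system32 twin")
    (other / "WS2_32.DLL").write_bytes(b"constructed: genuine ws2_32")  # identical copy
    return system32, [base / "Program Files"]


def demo():
    """Run the check over the constructed tree; returns {relative path: verdict}."""
    with tempfile.TemporaryDirectory() as tmp:
        system32, app_dirs = build_demo_tree(tmp)
        results = find_shadowed_dlls(system32, app_dirs)
        return {os.path.relpath(p, tmp).replace(os.sep, "/"): v for p, _h, v in results}


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:18} {path}")
```

On a real machine, point find_shadowed_dlls at C:\WINDOWS\system32 and the Program Files tree; a 'differs' hit is what to submit to VirusTotal, as the thread does, rather than deleting on file name alone.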
 
Title: Re: VIRUS/Rootkit HELP Needed => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on May 02, 2012, 01:30:37 PM
Good Job!!  :)
Title: Re: [SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: thekochs on May 03, 2012, 06:51:59 PM
I changed title of thread to help out any searchers.
I don't know if the Moderators have special tag for solved threads ?...........but looks like the PC is solid.

Thx for all the help !!!!!
Title: Re: [SOLVED] VIRUS/Rootkit => URL Blocked http://rk400.com/?sov=rook-s1ysoft.com
Post by: jeffce on May 03, 2012, 07:13:03 PM
You are more than welcome!!  Glad that I could help.  :)