Author Topic: ossproxy.exe & AppInit.dll- HELP!  (Read 12162 times)


DPFW16

  • Guest
ossproxy.exe & AppInit.dll- HELP!
« on: December 28, 2008, 05:03:39 PM »
Hi,
  This is my first post here and I've tried searching, but I haven't found an answer.
  I've had Avast (Free version) for the home on my laptop for a couple of years now with no problems.  I just yesterday downloaded it onto my parents' desktop (they had McAfee but it expired and I didn't want them to pay for it) and I'm having trouble with it.
  It's constantly popping up with 2 warning messages, indicating that ossproxy.exe and AppInit.dll are problems.  I keep telling it to move to the chest.  However, this message keeps popping up (not immediately, but with enough frequency that it's annoying and making me want to uninstall Avast).
  The file path for both are in the TEMP folder, so I emptied the folder, but that doesn't seem to help.  And there doesn't seem to be a correlation between when the warning pops up and what site I'm on (sometimes I'm not even on the internet and it pops up).  I've also tried restarting the computer but that hasn't helped.
  I don't have very advanced computer skills, so please be aware of this if you reply back with suggestions.  I'd REALLY appreciate some help!  And as quickly as possible! 
  THANK YOU!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89335
  • No support PMs thanks
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #1 on: December 28, 2008, 06:29:29 PM »
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode, and report the findings (it should produce a log file).
1. SUPERantispyware, On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File As (depending on your browser), save it to a location where you can find it easily later.


Ensure that you have all remnants of McAfee removed.
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe

####
See http://www.liutilities.com/products/wintaskspro/processlibrary/ossproxy/ as this could be part of an internet acceleration program. Do you happen to have this? Though it is strange that it is found in a temp folder and not a program files folder if you had the program.

Quote
ossproxy.exe is an executable belonging to Marketscore ossproxy, an application which provides Internet acceleration.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.5.6116 (build 24.5.9153.762) UI 1.0.808/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33931
  • malware fighter
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #2 on: December 28, 2008, 07:07:44 PM »
Hi DPFW16 & DavidR,

If DPFW16 has the accelerator trackware there, it can be cleansed manually in the following way:

MarketScore Removal Instructions
Kill the following processes
nsosscfg.exe, nscheck.exe, mksc.exe, ossproxy.exe
Unregister the following DLLs and reboot
csloa.dll, okshook.dll, osconfig.dll, osmim.dll, osrouter.dll in Windows\system32\
Delete these registry entries
HKEY_CLASSES_ROOT\clsid\{b2c03e2e-2219-4ff9-810a-540aca63f8d9}
HKEY_CLASSES_ROOT\interface\{f88527e2-a8a7-4227-8683-05cfa4eec511}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\nscheck
HKEY_CURRENT_USER\software\netsetter
HKEY_CURRENT_USER\software\netsetter\ossproxy\settings
HKEY_LOCAL_MACHINE\software\classes\clsid\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\classes\interface\{f88527e2-a8a7-4227-8683-05cfa4eec511}
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig.2
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig\clsid
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig\curver
HKEY_LOCAL_MACHINE\software\classes\typelib\{169c7855-c096-4d45-803b-6441552a7e92}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}\installer
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}\systemcomponent
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units\{35b7e48b-9d81-4c6c-9578-5fd4f620d886}
HKEY_LOCAL_MACHINE\software\microsoft\systemcertificates\root\certificates\a32c2b8361ca79fb7dcd14cbda793d0df855991c\blob
HKEY_LOCAL_MACHINE\software\microsoft\systemcertificates\root\certificates\f8d953700e84f3945390c81a1a3bf929c8a29eb7\blob
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/nsconfig.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/nsconfig.dll\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/csloa.d__\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/csloa.d__\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/okshook.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/okshook.dll\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osconfig.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osconfig.dll\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osmim.dll\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osmim.dll\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/ossproxy.ex_\.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/ossproxy.ex_\{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\netsetter\osmim
Remove the following files
marketscore.txt, nsosscfg.exe.
csloa.dll, mksc.exe, okshook.dll, osconfig.dll, osmim.dll, osrouter.dll, ossproxy.exe in Windows\system32\
nscheck.exe, nscheck.lgc in Windows\system\
///////////////////////////////
If it is just the file, consider this removal procedure:
 ossproxy.exe Manual Detection

Below are manual removal instructions for ossproxy.exe so you can remove the unwanted file from your PC. Always be sure to back up your PC before you modify anything.

Note: This manual removal process may be difficult and you run the risk of destroying your computer. We recommend that you use the SAS tool to check for ossproxy.exe from here: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
else:
Step 1: Use Windows File Search Tool to Find ossproxy.exe Path

   1. Go to Start > Search > All Files or Folders.
   2. In the "All or part of the file name" section, type in the "ossproxy.exe" file name(s).
   3. To get better results, select "Look in: Local Hard Drives" or "Look in: My Computer" and then click the "Search" button.
   4. When Windows finishes your search, hover over the "In Folder" of "ossproxy.exe", highlight the file and copy/paste the path into the address bar. Save the file's path on your clipboard because you'll need the file path to delete ossproxy.exe in the following manual removal steps.


Step 2: Use Windows Task Manager to Remove ossproxy.exe Processes

   1. To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
   2. Click on the "Image Name" button to search for the "ossproxy.exe" process by name.
   3. Select the "ossproxy.exe" process and click on the "End Process" button to kill it.

   
Step 3: Detect and Delete Other ossproxy.exe Files

   1. To open the Windows Command Prompt, go to Start > Run > cmd and then press the "OK" button.
   2. Type in "dir /A name_of_the_folder" (for example, C:\Spyware-folder), which will display the folder's content, including the hidden files.
   3. To change directory, type in "cd name_of_the_folder".
   4. Once you have the file you're looking for type in del "name_of_the_file".
   5. To delete a file in folder, type in "del name_of_the_file".
   6. To delete the entire folder, type in "rmdir /S name_of_the_folder".
   7. Select the "ossproxy.exe" process and click on the "End Process" button to kill it,

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

DPFW16

  • Guest
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #3 on: December 28, 2008, 10:30:20 PM »
Hi,
  Thanks to both of you for your responses.
  I made sure all of the McAfee components were removed.  I also tried the SuperAntiSpyware and it didn't do anything.  I also used Malwarebytes Anti-malware, but that didn't help, either. 
  I'm going to try a few more of your suggestions, but some of what you two wrote I have NO idea how to do. 
  I'm curious why it keeps identifying the path as the temp folder.  I'm also curious why none of this occurred with McAfee.
  If anyone else has any further suggestions, please feel free!  Otherwise, I'll touch base again once I've done some other things.
  Thanks again!

 

Offline DavidR

Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #4 on: December 28, 2008, 11:40:13 PM »
Both SAS and MBAM are best run from safe mode if there is a suspicion of an active piece of malware.

You never said if you used said MarketScore internet accelerator as there is some possibility as polonus mentions of it being more spyware than a useful tool. If so (or not) then you need to investigate if any of these associated files are also on your system:

marketscore.txt, nsosscfg.exe, csloa.dll, mksc.exe, okshook.dll, osconfig.dll, osmim.dll, osrouter.dll, ossproxy.exe in Windows\system32\

nscheck.exe, nscheck.lgc in Windows\system\

db60

  • Guest
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #5 on: December 30, 2008, 11:39:23 AM »
Hi DavidR and Polonus,
I face the same problem for two days now, and there is any of the dll indicated in system32 or system.
Even if it is requested to Avast to destroy that warning, the files reappear after a few minutes and the warning comes back.
A full scan at boot sequence has been requested and no warning appears...
The two files appear in
c:\windows\Temp\~os6.tmp\
and are named AppInit.dll and ossproxy.exe
Warning is ADWARE for AppInit.dll and VIRUS for ossproxy.exe

This appeared yesterday at 13H32.
Please, does someone have an idea on this issue?
Best regards
Domi
« Last Edit: December 30, 2008, 11:46:05 AM by db60 »
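
A read-only check for the artifacts named in Replies #2, #4 and #5, as an added example that is not part of any post in this thread: it lists matching processes, files, the nscheck Run value, two of the netsetter keys, and any AppInit.dll or ossproxy.exe under the Temp folders. The function name Get-MarketScoreArtifact is hypothetical and PowerShell 3.0 or later is assumed; the process, file and key names are the ones posted above.

```powershell
# Added example, not from the thread. Read-only: reports findings, deletes nothing.
# Get-MarketScoreArtifact is a hypothetical name; artifact names come from the posts.
function Get-MarketScoreArtifact {
    # Processes listed in Reply #2 (Get-Process takes names without ".exe").
    $procs = Get-Process -Name nsosscfg, nscheck, mksc, ossproxy -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        [pscustomobject]@{ Kind = 'Process'; Item = $p.Name; Detail = "PID $($p.Id)" }
    }

    # File names grouped by the Windows subfolder given in Reply #4.
    $files = @{
        system32 = 'marketscore.txt', 'nsosscfg.exe', 'csloa.dll', 'mksc.exe', 'okshook.dll',
                   'osconfig.dll', 'osmim.dll', 'osrouter.dll', 'ossproxy.exe'
        system   = 'nscheck.exe', 'nscheck.lgc'
    }
    foreach ($folder in $files.Keys) {
        foreach ($name in $files[$folder]) {
            $path = Join-Path (Join-Path $env:windir $folder) $name
            if (Test-Path -LiteralPath $path) {
                $item = Get-Item -LiteralPath $path -Force
                [pscustomobject]@{ Kind = 'File'; Item = $path; Detail = "modified $($item.LastWriteTime)" }
            }
        }
    }

    # Temp copies that the first post and Reply #5 report being recreated.
    # The creation time shows when the restoring component last wrote them.
    $tempDirs = @((Join-Path $env:windir 'Temp'), $env:TEMP) | Select-Object -Unique
    foreach ($dir in $tempDirs) {
        $hits = Get-ChildItem -Path $dir -Recurse -Force -Include 'AppInit.dll', 'ossproxy.exe' `
                    -ErrorAction SilentlyContinue
        foreach ($f in $hits) {
            [pscustomobject]@{ Kind = 'TempFile'; Item = $f.FullName; Detail = "created $($f.CreationTime)" }
        }
    }

    # Autostart value from the registry list in Reply #2.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $val = Get-ItemProperty -Path $run -Name nscheck -ErrorAction SilentlyContinue
    if ($val) {
        [pscustomobject]@{ Kind = 'RunValue'; Item = "$run\nscheck"; Detail = $val.nscheck }
    }

    # Two of the vendor keys from the same list.
    foreach ($key in 'HKCU:\Software\netsetter', 'HKLM:\Software\netsetter\osmim') {
        if (Test-Path -Path $key) {
            [pscustomobject]@{ Kind = 'RegistryKey'; Item = $key; Detail = '' }
        }
    }
}

Get-MarketScoreArtifact | Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt so that Windows\Temp can be read. An empty result means none of these names were found, not that the machine is clean.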

Offline DavidR

Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #6 on: December 30, 2008, 03:04:09 PM »
Well as my first reply states if it constantly comes back something hidden or undetected is restoring it and that has to be found, I gave links to two anti-spyware/malware programs to be run from safe mode.

So you should start with these tools, run one and post the report of the scan findings, then run the second.

DPFW16

  • Guest
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #7 on: December 30, 2008, 07:50:33 PM »
Hi,
  Just wanted to touch base with people.  I gave up and just deleted Avast.  I'm using AVG now and this warning hasn't popped up.  It might still be a problem, but, honestly, this is my parents' computer and they don't do anything sensitive on here, so even if this problem still exists, it's unlikely to do harm.  I'm going with "out of sight, out of mind" on this one.
  Thanks to everyone who helped!

Offline DavidR

Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #8 on: December 30, 2008, 08:00:22 PM »
You're welcome, though turning a blind eye isn't the best option.

Offline polonus

Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #9 on: December 30, 2008, 08:47:23 PM »
Hi DavidR,

Even if this comes OEM installed, it is unwanted from a user's viewpoint and if avast flags it, better get rid of it. If you like to live "in the accepted consensus world", that is what you'd rather do - change your av-solution and, yes, turn a blind eye,

pol
« Last Edit: December 30, 2008, 09:03:20 PM by polonus »

db60

  • Guest
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #10 on: December 31, 2008, 01:31:41 PM »
Hi all,
I think that the idea of DFP is the best... I don't understand why you are promoting in this forum some tools from other suppliers to check the mentioned problem?
When I made the choice of avast, I was looking for an anti-virus software. In any case it seems that this tool is not updated enough to solve an attack.
Then it is maybe better to move to another solution.
I don't understand that there is no automatic upload of the problem to avast and there is no real support for the user!
Best regards
Domi


micky77

  • Guest
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #11 on: December 31, 2008, 02:16:00 PM »
Quote
Hi all,
I think that the idea of DFP is the best... I don't understand why you are promoting in this forum some tools from other suppliers to check the mentioned problem?
When I made the choice of avast, I was looking for an anti-virus software. In any case it seems that this tool is not updated enough to solve an attack.
Then it is maybe better to move to another solution.
I don't understand that there is no automatic upload of the problem to avast and there is no real support for the user!
Best regards
Domi

Why don't you download and run HijackThis, a scan will take seconds. You can then copy/paste the log results here. Or bury your head in the sand.
http://filehippo.com/download_hijackthis/

Offline polonus

Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #12 on: December 31, 2008, 03:05:42 PM »
To DB60 & DPFW16,

What DB60 is saying here can almost be taken as slanderous. What if we propose a hjt scan log txt to get a better understanding of the initial infection, are we then accused of additionally using third party software (because avast cannot do its homework?) This was an independent tool that was acquired by TrendMicro that has attributed nothing to its further development and is running it into the ground actually (while it has had its best days because of the development in malicious technologies), same as with McAfee's acquiring SiteAdvisor, same story. What about Trend Micro promoting their online scanner via RUBotted? And I can go on here for a while. I do not hear you about these things.
The avast virus and worm section has a couple of normal users, volunteers like essexboy, oldman, and some others that are fully trained malware fighters: the tools they propose are being used at the major Anti Malware Forum Sites and are taught at Anti Malware Boot Camps or University as you like.
While no av solution can catch all malware, and that goes for ALL anti-malware solutions, we sometimes use a cocktail of programs additional to avast's like DrWeb's CureIt, comboscript, DDS scanner, analyzers, killtools, StartDreck etc. etc. according to the infection at hand.
Just stating that avast is not able to compete with other solitary av scanners and therefore .... it is just absurdity of the highest order, and shows that you do not know what you are talking about - period.
All those that give advice here are normal avast users (while the mods may seldom put a word in here, but only when appropriate).

I think that a lot of other av webforums cannot give the extensive support we give here, so I am waiting for an apology, because you have accused us falsely,

polonus (malware fighter and avast user)

DPFW16

  • Guest
Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #13 on: January 01, 2009, 01:58:58 AM »
Quote
To DB60 & DPFW16,

What DB60 is saying here can almost be taken as slanderous. What if we propose a hjt scan log txt to get a better understanding of the initial infection, are we then accused of additionally using third party software (because avast cannot do its homework?) This was an independent tool that was acquired by TrendMicro that has attributed nothing to its further development and is running it into the ground actually (while it has had its best days because of the development in malicious technologies), same as with McAfee's acquiring SiteAdvisor, same story. What about Trend Micro promoting their online scanner via RUBotted? And I can go on here for a while. I do not hear you about these things.
The avast virus and worm section has a couple of normal users, volunteers like essexboy, oldman, and some others that are fully trained malware fighters: the tools they propose are being used at the major Anti Malware Forum Sites and are taught at Anti Malware Boot Camps or University as you like.
While no av solution can catch all malware, and that goes for ALL anti-malware solutions, we sometimes use a cocktail of programs additional to avast's like DrWeb's CureIt, comboscript, DDS scanner, analyzers, killtools, StartDreck etc. etc. according to the infection at hand.
Just stating that avast is not able to compete with other solitary av scanners and therefore .... it is just absurdity of the highest order, and shows that you do not know what you are talking about - period.
All those that give advice here are normal avast users (while the mods may seldom put a word in here, but only when appropriate).

I think that a lot of other av webforums cannot give the extensive support we give here, so I am waiting for an apology, because you have accused us falsely,

polonus (malware fighter and avast user)

Hi,
  What did I do? 
  I didn't bash the program.  I didn't express dissatisfaction with ANY help ANYONE gave.  I even thanked people for their help! 
  All I said was that I tried a few suggestions and they didn't help and I, personally, don't have the time or computer skill to rule out every possible cause.  Given my skills and limited time, it is best for me to just try a different program.
  So, why do I owe YOU an apology?  NOW I'M insulted by YOU.


-DPFW16     

Offline polonus

Re: ossproxy.exe & AppInit.dll- HELP!
« Reply #14 on: January 01, 2009, 02:37:58 AM »
Hi DPFW16,

This was not personal, so you cannot feel like that. I just like to have pointed out to you that the easy solution you are looking for, just with some of these malware infestations, sometimes does not exist, whatever special av program you may seek out or not. One av solution covers this, another one covers another scala. And my motto is: "Security is more of an attitude", and everybody can learn that. First thing to consider is - "How did I get infected in the first place". A lot of users have their computer(s) and third party programs not updated and fully patched, for instance older vulnerable Java versions. Malcreants are just waiting for that, and bingo. Then again a lot of users use full admin rights on their systems, malware can do far more havoc on these systems than with normal user rights. Sometimes malware cannot be cleansed by just av-software alone, and a recovery CD is needed or a specially crafted tool or program or script, that is where we people (the malware fighters) come in and we put a lot of spare time into this just because we like to do this. Switching to another av program because that means an easy way out does not seem to appeal very much to me, but maybe I am of the old school and that is not the general attitude of the user of this day and age that wants a quick solution and cannot be bothered much. If you feel insulted about this last sentence then that is your problem, not mine,

polonus