| Thread ID: 99707 | 2009-05-11 21:52:00 | I seem to have a problem, after using ccleaner or comodo | iammcb (14488) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 773218 | 2009-05-11 21:52:00 | Every time I run CCleaner or Comodo registry cleaner this windows destination installer thingee pops up. And starts to install something. Then my firewall starts sending me alerts that the program MSI6E.tmp wants to run. As I'm not sure what these .tmp files are trying to install I end up selecting block. So then another one will have a go. So far this morning I have blocked the following: MSI12.tmp, MSI18.tmp, MSI1B.tmp, MSI1D.tmp, MSI29.tmp, MSI2E.tmp, MSI3.tmp, MSI35.tmp, MSI3A.tmp, MSI3F.tmp, MSI44.tmp, MSI4D.tmp, MSI5E.tmp, MSI8.tmp, MSI76.tmp, MSI87.tmp, MSI90.tmp, MSI95.tmp, MSID.tmp. (They all have 0.0.0.0, product version (0.0.0.0) file version, beside them in my firewall programs page.) If I click on more information I always go to the same page www.tallemu.com which really isn't helpful at all. Otherwise things seem to be working fine. But it is very persistent. Appears to be something about Inproc server32???? (Have no idea what that is about). Any information would be appreciated. :thanks |
iammcb (14488) | ||
| 773219 | 2009-05-11 22:02:00 | Looks like some of those tmp files can belong to Norton AV, Nero, Google toolbar, and other programs. BTW, Trojan Remover in your sig is up to 6.7.8, not 1.3.5. And I think your Malwarebytes is out of date. |
Speedy Gonzales (78) | ||
| 773220 | 2009-05-11 22:09:00 | What firewall do you have? A few of those files could be malware - download HijackThis and post a log here: www.trendsecure.com Disable System Restore to avoid reinfection: right-click My Computer > Properties > System Restore tab > tick "disable system restore on all drives". Then download MBAM, update and perform a full scan: www.malwarebytes.org Just saw you already had those programs... :p Blam |
Blam (54) | ||
| 773221 | 2009-05-11 22:15:00 | Hi Speedy. Oh okay. So I don't have any of those programs installed. However Norton's was on here when first purchased. After a recovery I always uninstall it. I am updating Malwarebytes now. Just checked Trojan Remover (sorry), it is 6.7.8; it seems the updater is 1.3.5 though. So I've just blocked another, MSI99.tmp, from installing. How do I disable this Windows Installer permanently from installing programs I don't want? Thanks |
iammcb (14488) | ||
| 773222 | 2009-05-11 22:17:00 | Windows Installer is needed - the problem lies within the root cause, which I suspect is malware. Post a log here - I have suspicions. Blam |
Blam (54) | ||
| 773223 | 2009-05-11 22:21:00 | Hi Blam, I have Online Armor 3.5.0.9. I have HijackThis 2.0.2 and Malwarebytes 1.36. I have just updated it and now I'm running a scan. (see my signature:) I disabled System Restore last time I was here (on both drives). I didn't turn them back on either. I wasn't sure if I was supposed to? Here's my HijackThis log: Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 9:21:59 a.m., on 12/05/2009 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v8.00 (8.00.6001.18372) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\Program Files\Tall Emu\Online Armor\OAcat.exe C:\Program Files\Tall Emu\Online Armor\oasrv.exe C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe C:\Program Files\Alwil Software\Avast4\ashServ.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Common Files\LightScribe\LSSrvc.exe C:\Program Files\Alwil Software\Avast4\ashWebSv.exe C:\WINDOWS\Explorer.EXE C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe C:\Program Files\Tall Emu\Online Armor\oaui.exe C:\Program Files\Tall Emu\Online Armor\OAhlp.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Program Files\Trend Micro\HijackThis\HijackThis.exe R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.trademe.co.nz R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.trademe.co.nz R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.trademe.co.nz R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = R1 - HKCU\Software\Microsoft\Internet
Connection Wizard,ShellNext = www.dvdvideosoft.com O2 - BHO: Ad Annihilator Kernel - {15BB258F-B477-4DF6-A4E7-65EA4B016CB0} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O2 - BHO: Kutano Add-on - {18D81A5F-F8A5-4B78-A6CC-7E37DCAFC0BB} - C:\Program Files\Kutano\Kutano\kutano_ie_client.dll O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll O3 - Toolbar: &Ad Annihilator - {A1C18A7B-55E9-4DA3-A880-D112C791A9D8} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O4 - HKLM\..\Run: [ avast! ] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe O4 - HKLM\..\Run: [@OnlineArmor GUI] "C:\Program Files\Tall Emu\Online Armor\oaui.exe" O8 - Extra context menu item: [Add to organizer] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3250 O8 - Extra context menu item: [Block this banner] Ctrl+Alt+B - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3245 O8 - Extra context menu item: [Block this popup] Ctrl+Alt+K - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3256 O8 - Extra context menu item: [Find blocking filter] Ctrl+Alt+F - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3254 O8 - Extra context menu item: [Find this resource in resource list] Ctrl+Alt+L - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3253 O8 - Extra context menu item: [Locate target document] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3255 O8 - Extra context menu item: [Open all links] - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3247 O8 - Extra context menu item: [Resume resource loading] Ctrl+Alt+R - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3251 O8 - Extra context menu item: [Show/hide menu and toolbars] 
Ctrl+Alt+M - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3252 O8 - Extra context menu item: [Unblock this banner] Ctrl+Alt+U - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3246 O8 - Extra context menu item: [Unblock this popup] Ctrl+Alt+A - res://C:\Program Files\Ad Annihilator\AdAnnihilator.dll/3257 O9 - Extra button: Show or Hide Kutano - {00052796-FEAB-42e6-9D54-F7EEA8C37470} - C:\Program Files\Kutano\Kutano\kutano_ie_client.dll O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll O9 - Extra button: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Options - {6715FB17-6DC8-4ff8-8CED-9BEFC28E2704} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: (no name) - {80D24BA0-53C8-4bfa-BE1D-450474F0E738} - C:\Program Files\Kutano\Kutano\kutano_ie_client.dll O9 - Extra 'Tools' menuitem: Kutano - {80D24BA0-53C8-4bfa-BE1D-450474F0E738} - C:\Program Files\Kutano\Kutano\kutano_ie_client.dll O9 - Extra button: (no name) - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra 'Tools' menuitem: Ad Annihilator Toolbar - {BB15D76F-6189-4c89-A9F8-CED4F9D01328} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=64&bd=presario&pf=laptop O16 - DPF: {0742B9EF-8C83-41CA-BFBA-830A59E23533} (Microsoft Data Collection Control) - support.microsoft.com O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} 
(WUWebControl Class) - update.microsoft.com O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - fpdownload2.macromedia.com O17 - HKLM\System\CCS\Services\Tcpip\..\{6A049996-C61E-4441-8E9D-C0B09A292F64}: NameServer = 203.97.78.43 203.97.78.44 O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll O23 - Service: AddFiltr - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\AddFiltr.exe O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - c:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. 
- C:\Program Files\iPod\bin\iPodService.exe O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe O23 - Service: Online Armor Helper Service (OAcat) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\OAcat.exe O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe -- End of file - 7973 bytes |
iammcb (14488) | ||
| 773224 | 2009-05-11 22:36:00 | I would get rid of Ad Annihilator and use Privoxy instead (sourceforge.net) if you use IE. Click on the Win32 download. Install it, then go to Tools / Internet Options / Connections / LAN settings, then click on Proxy server / Advanced. Type 127.0.0.1 to the right of HTTP and 8118 in for the port. Uninstall all versions of Java, it's out of date, then update it. One of those files may belong to that HP program. I have no idea what WOT is or does. |
Speedy Gonzales (78) | ||
| 773225 | 2009-05-11 22:42:00 | WOT is the Web of Trust Addon. From the HJT log it seems there is nothing nasty...unsure of what those temporary files are. What happens when you allow removal of them? Blam |
Blam (54) | ||
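The HijackThis log posted above lost its line breaks when it was pasted, which makes it hard to review entry by entry. The following is an added example, not part of the original thread and not HijackThis code: it re-splits a flattened log on the section codes and lists each referenced .exe/.dll with the codes that reference it. The function names are this example's own, and the sample is an excerpt of the log in this thread.

```python
import re
from collections import defaultdict

# An entry begins with a section code followed by " - " (for example "O23 - ").
# Splitting in front of that marker restores one entry per item.
ENTRY_START = re.compile(r"(?<!\S)(?=(?:[RFN]\d|O\d{1,2}) - )")
ENTRY = re.compile(r"(?P<code>[RFN]\d|O\d{1,2}) - (?P<body>.*)", re.S)
# Windows path ending in .exe or .dll (8.3 short names included).
MODULE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)\b", re.I)


def split_entries(flat_log):
    """Return (code, body) pairs from a log that lost its line breaks."""
    flat_log = flat_log.split("-- End of file")[0]
    pairs = []
    for chunk in ENTRY_START.split(flat_log):
        m = ENTRY.match(chunk.strip())
        if m:  # header and process list before the first entry are skipped
            pairs.append((m["code"], " ".join(m["body"].split())))
    return pairs


def modules_by_hook(flat_log):
    """Map each referenced .exe/.dll (lower-cased) to the codes that load it."""
    hooks = defaultdict(set)
    for code, body in split_entries(flat_log):
        m = MODULE.search(body)
        if m:
            hooks[m.group(0).lower()].add(code)
    order = lambda c: (c[0], int(c[1:]))  # O2 before O18
    return {path: sorted(codes, key=order) for path, codes in hooks.items()}


# Excerpt of the log posted in this thread, flattened as it appears there.
SAMPLE = (
    r"Running processes: C:\WINDOWS\Explorer.EXE "
    r"O2 - BHO: Ad Annihilator Kernel - {15BB258F-B477-4DF6-A4E7-65EA4B016CB0} - C:\PROGRA~1\ADANNI~1\ADANNI~1.DLL "
    r"O2 - BHO: WOT Helper - {C920E44A-7F78-4E64-BDD7-A57026E7FEB7} - C:\Program Files\WOT\WOT.dll "
    r"O3 - Toolbar: WOT - {71576546-354D-41c9-AAE8-31F2EC22BF0D} - C:\Program Files\WOT\WOT.dll "
    r"O18 - Protocol: wot - {C2A44D6B-CB9F-4663-88A6-DF2F26E4D952} - C:\Program Files\WOT\WOT.dll "
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{6A049996-C61E-4441-8E9D-C0B09A292F64}: NameServer = 203.97.78.43 203.97.78.44 "
    r"O23 - Service: Online Armor (SvcOnlineArmor) - Tall Emu - C:\Program Files\Tall Emu\Online Armor\oasrv.exe "
    r"-- End of file - 7973 bytes"
)

if __name__ == "__main__":
    for path, codes in modules_by_hook(SAMPLE).items():
        print(", ".join(codes), path)
```

Grouping by module shows at a glance which binaries occupy several browser or system hooks, so each one only has to be identified once.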
| 773226 | 2009-05-11 22:48:00 | Hi Speedy, yeah I was thinking about that IE8 add-on too :) as when I installed it it said not verified. So I disabled all add-ons that weren't verified, to be safe. However this problem started to occur after I installed CCleaner and ran it, so that was about a week ago now. Java came with OpenOffice, so I may not be able to uninstall it? It was on the PC World CD. I will try to update it though. (Much more recent than the preinstalled version I had.) Maybe it has something to do with HP Software Update? Who knows. Here's my Malwarebytes log: Malwarebytes' Anti-Malware 1.36 Database version: 2110 Windows 5.1.2600 Service Pack 2 12/05/2009 9:41:47 a.m. mbam-log-2009-05-12 (09-41-47).txt Scan type: Full Scan (C:\|D:\|E:\|) Objects scanned: 123737 Time elapsed: 20 minute(s), 17 second(s) Memory Processes Infected: 0 Memory Modules Infected: 0 Registry Keys Infected: 0 Registry Values Infected: 0 Registry Data Items Infected: 0 Folders Infected: 0 Files Infected: 0 Memory Processes Infected: (No malicious items detected) Memory Modules Infected: (No malicious items detected) Registry Keys Infected: (No malicious items detected) Registry Values Infected: (No malicious items detected) Registry Data Items Infected: (No malicious items detected) Folders Infected: (No malicious items detected) Files Infected: (No malicious items detected) |
iammcb (14488) | ||
| 773227 | 2009-05-11 22:53:00 | Blam, what do you mean by that: "What happens when you allow removal of them"? If you mean what happens when I tell my firewall to block them: the Windows Installer just sits there until I click the cancel button. Then it will say are you sure? I click on "course I'm sure, I'm not installing a program at the moment...lol..." Then it says unable to write blah blah blah to the registry error blah blah blah (I think something like that). I don't really know what the HP files are either??? |
iammcb (14488) | ||