Hi,
This is my first post here and I’ve tried searching, but I haven’t found an answer.
I’ve had Avast (Free version) for the home on my laptop for a couple of years now with no problems. I just yesterday downloaded onto my parents’ desktop (they had McAfee but it expired and I didn’t want them to pay for it) and I’m having trouble with it.
It’s constantly popping up with 2 warning messages - indicating that ossproxy.exe and AppInit.dll are problems. I keep telling it to move to the chest. However, this message keeps popping up (not immediately, but with enough frequency that it’s annoying and making me want to uninstall Avast).
The file path for both are in the TEMP folder, so I emptied the folder, but that doesn’t seem to help. And there doesn’t seem to be a correlation between when the warning pops up and what site I’m on (sometimes I’m not even on the internet and it pops up). I’ve also tried restarting the computer but that hasn’t helped.
I don’t have very advanced computer skills, so please be aware of this if you reply back with suggestions. I’d REALLY appreciate some help! And as quickly as possible!
THANK YOU!
If it keeps coming back, there is likely to be an undetected or hidden element to the infection that restores or downloads the file again. What is your firewall?
If you haven’t already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
- SUPERantispyware On-Demand only in free version.
- MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.
Ensure that you have all remnants of McAfee removed.
McAfee has an uninstall tool that you could run to ensure any possible remnants are removed.
http://download.mcafee.com/products/licensed/cust_support_patches/VSCleanupTool.exe
2007 version - http://download.mcafee.com/products/licensed/cust_support_patches/MCPR.exe
See http://www.liutilities.com/products/wintaskspro/processlibrary/ossproxy/ as this could be part of an internet acceleration program, do you happen to have this (?) though it is strange that it is found in a temp folder and not a program files folder if you had the program.
ossproxy.exe is an executable belonging to Marketscore ossproxy, an application which provides Internet acceleration.
Hi DPFW16 & DavidR,
If DPFW16 has the accelerator trackware there, it can be cleansed manually in the following way:
MarketScore Removal Instructions
Kill the following processes
nsosscfg.exe, nscheck.exe, mksc.exe, ossproxy.exe
Unregister the following DLLs and reboot
csloa.dll, okshook.dll, osconfig.dll, osmim.dll, osrouter.dll in Windows\system32
Delete these registry entries
HKEY_CLASSES_ROOT\clsid{b2c03e2e-2219-4ff9-810a-540aca63f8d9}
HKEY_CLASSES_ROOT\interface{f88527e2-a8a7-4227-8683-05cfa4eec511}
HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\nscheck
HKEY_CURRENT_USER\software\netsetter
HKEY_CURRENT_USER\software\netsetter\ossproxy\settings
HKEY_LOCAL_MACHINE\software\classes\clsid{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\classes\interface{f88527e2-a8a7-4227-8683-05cfa4eec511}
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig.2
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig\clsid
HKEY_LOCAL_MACHINE\software\classes\nsconfig.nsbrowserconfig\curver
HKEY_LOCAL_MACHINE\software\classes\typelib{169c7855-c096-4d45-803b-6441552a7e92}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}\installer
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}\systemcomponent
HKEY_LOCAL_MACHINE\software\microsoft\code store database\distribution units{35b7e48b-9d81-4c6c-9578-5fd4f620d886}
HKEY_LOCAL_MACHINE\software\microsoft\systemcertificates\root\certificates\a32c2b8361ca79fb7dcd14cbda793d0df855991c\blob
HKEY_LOCAL_MACHINE\software\microsoft\systemcertificates\root\certificates\f8d953700e84f3945390c81a1a3bf929c8a29eb7\blob
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/nsconfig.dll.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/downloaded program files/nsconfig.dll{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/csloa.d__.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/csloa.d__{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/okshook.dll.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/okshook.dll{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osconfig.dll.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osconfig.dll{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osmim.dll.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/osmim.dll{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/ossproxy.ex_.owner
HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\moduleusage\c:/winnt/system32/ossproxy.ex_{2f9bfca0-082b-4aaf-96e5-6dc17ebc8335}
HKEY_LOCAL_MACHINE\software\netsetter\osmim
Remove the following files
marketscore.txt, nsosscfg.exe.
csloa.dll, mksc.exe, okshook.dll, osconfig.dll, osmim.dll, osrouter.dll, ossproxy.exe in Windows\system32
nscheck.exe, nscheck.lgc in Windows\system
///////////////////////////////
If it is just the file, consider this removal procedure:
ossproxy.exe Manual Detection
Below are manual removal instructions for ossproxy.exe so you can remove the unwanted file from your PC. Always be sure to back up your PC before you modify anything.
Note: This manual removal process may be difficult and you run the risk of destroying your computer. We recommend that you use the SAS tool to check for ossproxy.exe from here: http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
else:
Step 1: Use Windows File Search Tool to Find ossproxy.exe Path
- Go to Start > Search > All Files or Folders.
- In the “All or part of the file name” section, type in " ossproxy.exe" file name(s).
- To get better results, select “Look in: Local Hard Drives” or “Look in: My Computer” and then click “Search” button.
- When Windows finishes your search, hover over the “In Folder” of " ossproxy.exe", highlight the file and copy/paste the path into the address bar. Save the file’s path on your clipboard because you’ll need the file path to delete ossproxy.exe in the following manual removal steps.
Step 2: Use Windows Task Manager to Remove ossproxy.exe Processes
- To open the Windows Task Manager, use the combination of CTRL+ALT+DEL or CTRL+SHIFT+ESC.
- Click on the “Image Name” button to search for " ossproxy.exe" process by name.
- Select the " ossproxy.exe" process and click on the “End Process” button to kill it.
Step 3: Detect and Delete Other ossproxy.exe Files
- To open the Windows Command Prompt, go to Start > Run > cmd and then press the “OK” button.
- Type in “dir /A name_of_the_folder” (for example, C:\Spyware-folder), which will display the folder’s content even the hidden files.
- To change directory, type in “cd name_of_the_folder”.
- Once you have the file you’re looking for type in del “name_of_the_file”.
- To delete a file in folder, type in “del name_of_the_file”.
- To delete the entire folder, type in “rmdir /S name_of_the_folder”.
- Select the " ossproxy.exe" process and click on the “End Process” button to kill it,
polonus
Hi,
Thanks to both of you for your responses.
I made sure all of the McAfee components were removed. I also tried the SuperAntiSpyware and it didn’t do anything. I also used Malwarebytes Anti-malware, but that didn’t help, either.
I’m going to try a few more of your suggestions, but some of what you two wrote I have NO idea how to do.
I’m curious why it keeps identifying the path as the temp folder. I’m also curious why none of this occurred with McAfee.
If anyone else has any further suggestions, please feel free! Otherwise, I’ll touch base again once I’ve done some other things.
Thanks again!
Both SAS and MBAM are best run from safe mode if there is a suspicion of an active piece of malware.
You never said if you used said MarketScore internet accelerator as there is some possibility as polonus mentions of it being more spyware than a useful tool. If so (or not) then you need to investigate if any of these associated files are also on your system:
marketscore.txt, nsosscfg.exe, csloa.dll, mksc.exe, okshook.dll, osconfig.dll, osmim.dll, osrouter.dll, ossproxy.exe in Windows\system32\
nscheck.exe, nscheck.lgc in Windows\system\
Hi DavidR and Polonus,
I face the same pb for two days now, and there is any of the dll indicated in system32 or system.
Even if it is requested to Avast to destroy that warning, the files re-appear after a few minutes and the warning comes back.
A full scan at boot sequence has been requested and no warning appears…
The two files appear in
c:\windows\Temp~os6.tmp
and are named AppInit.dll and ossproxy.exe
Warning is ADWARE for AppInit.dll and VIRUS for ossproxy.exe
This appeared yesterday at 13H32.
Please, does someone have an idea on this issue?
Best regards
Domi
Well as my first reply states if it constantly comes back something hidden or undetected is restoring it and that has to be found, I gave links to two anti-spyware/malware programs to be run from safe mode.
So you should start with these tools, run one and post the report of the scan findings, then run the second.
Hi,
Just wanted to touch base with people. I gave up and just deleted Avast. I’m using AVG now and this warning hasn’t popped up. It might still be a problem, but, honestly, this is my parents’ computer and they don’t do anything sensitive on here, so even if this problem still exists, it’s unlikely to do harm. I’m going with “out of sight, out of mind” on this one.
Thanks to everyone who helped!
You’re welcome, though turning a blind eye isn’t the best option.
Hi DavidR,
Even if this comes OEM installed, it is unwanted from a user’s viewpoint and if avast flags it, better get rid of it. If you like to live “in the accepted consensus world”, that is what you’d rather do - change your av-solution and, yes, turn a blind eye,
pol
Hi all,
I think that the idea of DFP is the best… I don’t understand why you are promoting in this forum some tools from other supplier to check the mentioned problem?
When I made the choice of avast, I was looking for an anti-virus software. In any case it seems that this tool is not enough updated to solve an attack.
Then it is maybe better to move to another solution.
I don’t understand that there is no automatic upload of the pb to avast and there is no real support for the user!
Best regards
Domi
Why don’t you download and run HijackThis, a scan will take seconds. You can then copy/paste the log results here. Or bury your head in the sand.
http://filehippo.com/download_hijackthis/
To DB60 & DPFW16,
What DB60 is saying here, can almost be taken as slanderous. What if we propose a hjt scan log txt to get a better understanding of the initial infection, are we then accused of additionally using third party software (because avast cannot do its homework?) This was an independent tool that was acquired by TrendMicro’s that has attributed nothing to its further development and is running it into the ground actually (while it has had its best days because of the development in malicious technologies), same as with McAfee’s acquiring SiteAdvisor, same story. What about Trend Micro promoting their online scanner via RUBotted? And I can go on here for a while. I do not hear you about these things.
The avast virus and worm section has a couple of normal users, volunteers like essexboy, oldman, and some others that are fully trained malware fighters: the tools they propose are being used at the major Anti Malware Forum Sites and are taught at Anti Malware Boot Camps or University as you like.
While no av solution can catch all malware, and that goes for ALL anti-malware solutions, we sometimes use a cocktail of programs additional to avast’s like DrWeb’s CureIt, comboscript, DDS scanner, analyzers, killtools, StartDreck etc. etc. according to the infection at hand.
Just stating that avast is not able to compete with other solitary av scanners and therefore … it is just absurdity of the highest order, and shows that you do not know what you are talking about - period.
All those that give advice here are normal avast users (while the mods may seldom put a word in here, but only when appropriate).
I think that a lot of other av webforums cannot give the extensive support we give here, so I am waiting for an apology, because you have accused us falsely,
polonus (malware fighter and avast user)
Hi,
What did I do?
I didn’t bash the program. I didn’t express dissatisfaction with ANY help ANYONE gave. I even thanked people for their help!
All I said was that I tried a few suggestions and they didn’t help and I, personally, don’t have the time or computer skill to rule out every possible cause. Given my skills and limited time, it is best for me to just try a different program.
So, why do I owe YOU an apology? NOW I’M insulted by YOU.
-DPFW16
Hi DPFW16,
This was not personal, so you cannot feel like that. I just like to have pointed out to you that the easy solution you are looking for, just with some of these malware infestations, sometimes do not exist, whatever special av program you may seek out or not. One av solution covers this, another one covers another scala. And my motto is: “Security is more of an attitude”, and everybody can learn that. First thing to consider is - “How did I get infected in the first place”. A lot of users have their computer(s) and third party programs not updated and fully patched, for instance older vulnerable Java versions. Miscreants are just waiting for that, and bingo. Then again a lot of users use full admin rights on their systems, malware can do far more havoc on these systems than with normal user rights. Sometimes malware cannot be cleansed by just av-software alone, and a recovery CD is needed or a specially crafted tool or program or script, that is where we people (the malware fighters) come in and we put a lot of spare time into this just because we like to do this. Switching to another av program because that means an easy way out does not seem to appeal very much to me, but maybe I am of the old school and that is not the general attitude of the user of this day and age that wants a quick solution and cannot be bothered much. If you feel insulted about this last sentence then that is your problem, not mine,
polonus
I am sure Polonus did not intend to insult you. But, if you will read other posts in here, it will become very evident that sometimes, many programs must be used in order to clear out some infections. We have to consider each and every possible cause until a solution is found. Otherwise, we are not doing enough to help those who come here looking for help … those like you. Not everything is as cut and dry as any of us would like them to be … and this is very true of malware that is written by those with malformed mentalities. Please do not take that prior statement the wrong way. Such people are very smart.
Yes, you avoid the warnings by going with AVG instead of avast! but is that really better? I understand that you do want to take the time (or not have the time) to solve your problem … and that’s ok. If there is a real problem on your computer, then someday in the near future, you might have all the time needed while your computer sits idly in its unusable state of infection.
And yes, we understand you do not have the skills as that is why you asked for help in the first place. As we have too many times in the past and will too many times in the future, we spend our personal time explaining and giving those skills to those who need them. But, the one needing help must also be willing to learn.
Well, I suppose we can not help you. I wish you luck with whatever is wrong with your computer.
To Polonus and CharleyO,
It certainly sounded personal to me- polonus DIRECTED the message to me (and one other person). And he asked for an apology. How else am I supposed to have taken the message? Hopefully you can see why I felt targeted.
Anyway, it certainly wasn’t my intent to upset anyone, although it seems like I have. I’m sorry if some of you don’t agree with my decision, but ultimately it’s MY decision.
Thanks again for everyone’s time. I probably won’t be on again.
Hello, I have the same problem.
However, I really don’t know where to find register files and don’t understand the advice you’ve given DFP.
What I did (I am willing to do anything that may help me get rid of those two files) was to install hijackthis and here is the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:09:45 PM, on 1/2/2009
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal
Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Windows\System32\hkcmd.exe
C:\Windows\System32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Sony\ISB Utility\ISBMgr.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\KVIrc\kvirc.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\system32\igfxsrvc.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\Workrave\lib\Workrave.exe
C:\Program Files\Sony\VAIO Update 3\VAIOUpdt.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\OpenOffice.org 3\program\soffice.exe
C:\Windows\system32\WTablet\Pen_TabletUser.exe
C:\Program Files\OpenOffice.org 3\program\soffice.bin
C:\Program Files\Apoint\ApMsgFwd.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Last.fm\LastFM.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Windows\system32\conime.exe
C:\Windows\SYSTEM32\WISPTIS.EXE
C:\Program Files\Pidgin\pidgin.exe
C:\Program Files\Internet Explorer\ieuser.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\Macromed\Flash\FlashUtil10a.exe
c:\program files\relevantknowledge\rlvknlg.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
c:\program files\google\googletoolbar1user.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sonystyle.ca/vaio
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
continued log:
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe
O4 - HKLM..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe
O4 - HKLM..\Run: [Persistence] C:\Windows\system32\igfxpers.exe
O4 - HKLM..\Run: [RtHDVCpl] RtHDVCpl.exe
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM..\Run: [ISBMgr.exe] “C:\Program Files\Sony\ISB Utility\ISBMgr.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [Unattend0000000001{5A21AF0B-DBA2-4EC9-ADAC-01D75B420C42}] %PROGRAMFILES%\Sony\First Experience\VAIOWelcome.exe
O4 - HKLM..\Run: [Corel Photo Downloader] “C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel PhotoDownloader.exe” -startup
O4 - HKLM..\Run: [Corel File Shell Monitor] C:\Program Files\Corel\Corel Paint Shop Pro Photo X2\CorelIOMonitor.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [LogitechCommunicationsManager] “C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe”
O4 - HKLM..\Run: [LogitechQuickCamRibbon] “C:\Program Files\Logitech\QuickCam\Quickcam.exe” /hide
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [KVIrc] C:\Program Files\KVIrc\kvirc.exe
O4 - HKCU..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU..\Run: [Skype] “C:\Program Files\Skype\Phone\Skype.exe” /nosplash /minimized
O4 - HKCU..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
O4 - HKCU..\Run: [Workrave] C:\Program Files\Workrave\lib\Workrave.exe
O4 - HKCU..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-19..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User ‘NETWORK SERVICE’)
O4 - Startup: OpenOffice.org 3.0.lnk = C:\Program Files\OpenOffice.org 3\program\quickstart.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02CF1781-EA91-4FA5-A200-646E8241987C} (VaioInfo.CMClass) - http://esupport.sony.com/VaioInfo.CAB
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2008.10.10_v5.5.8/FacebookPhotoUploader5.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IviRegMgr - InterVideo - C:\Program Files\Common Files\InterVideo\RegMgr\iviRegMgr.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Windows\system32\PSIService.exe
O23 - Service: RelevantKnowledge - TMRG, Inc. - C:\Program Files\RelevantKnowledge\rlservice.exe
O23 - Service: VAIO Media plus Content Importer (SOHCImp) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHCImp.exe
O23 - Service: VAIO Media plus Digital Media Server (SOHDms) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDms.exe
O23 - Service: VAIO Media plus Device Searcher (SOHDs) - Sony Corporation - C:\Program Files\Sony\VAIO Media plus\SOHDs.exe
O23 - Service: SonicStage Back-End Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SsBeSvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: TabletServicePen - Wacom Technology, Corp. - C:\Windows\system32\Pen_Tablet.exe
O23 - Service: VAIO Entertainment TV Device Arbitration Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCs\VzHardwareResourceManager\VzHardwareResourceManager.exe
O23 - Service: VAIO Event Service - Sony Corporation - C:\Program Files\Sony\VAIO Event Service\VESMgr.exe
O23 - Service: VAIO Content Metadata Intelligent Analyzing Manager (VcmIAlzMgr) - Sony Corporation - C:\Program Files\Sony\VCM Intelligent Analyzing Manager\VcmIAlzMgr.exe
O23 - Service: VAIO Content Metadata XML Interface (VcmXmlIfHelper) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VcmXml\VcmXmlIfHelper.exe
O23 - Service: VAIO Entertainment UPnP Client Adapter (Vcsw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VCSW\VCSW.exe
O23 - Service: VAIO Entertainment Database Service (VzCdbSvc) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzCdbSvc.exe
O23 - Service: VAIO Entertainment File Import Service (VzFw) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Entertainment Platform\VzCdb\VzFw.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe
–
End of file - 11069 bytes
Analysis of your HJT log :
You do not appear to have an active firewall. Do you?
This one is bad and should be fixed …
c:\program files\relevantknowledge\rlvknlg.exe
(RelevantKnowledge is a MarketScore variant that monitors browsing habits and sends unsolicited advertisements.)
http://www.what-is-exe.com/filenames/rlvknlg-exe.html
This one may be bad depending on if you have a use for it or not. It can be kept if need be …
O4 - HKCU..\Run: [Jing] C:\Program Files\TechSmith\Jing\Jing.exe
(as for me, I would not want it on my computer. Please read the analysis for the executable at this link ... http://www.prevx.com/filenames/X612345175237409438-0/JING.EXE.html )
If this one is useful for you, then it can be left alone …
O4 - HKCU..\Run: [Workrave] C:\Program Files\Workrave\lib\Workrave.exe
http://www.windowsstartup.com/wso/detail.php?id=3503
This one is very questionable but it is your choice to keep or not …
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei-3/ZwinkyInitialSetup1.0.1.0.cab
(as for me, I would not keep it)
This one is also bad and should be fixed …
O23 - Service: RelevantKnowledge - TMRG, Inc. - C:\Program Files\RelevantKnowledge\rlservice.exe
(part of the other bad one above)
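The by-eye triage in the reply above can be scripted. The following is an added example, not part of the thread and not a HijackThis feature: it parses a HijackThis log and flags running processes and entries whose path components match the MarketScore / RelevantKnowledge names listed in this thread. The function names are hypothetical and the sample log is constructed (abridged from the log format posted above, plus one near-miss line).

```python
import re
from typing import NamedTuple

# Watch-list taken only from names in this thread: the MarketScore file
# list and the RelevantKnowledge items called out in the log analysis.
WATCHLIST = {
    "ossproxy.exe", "nsosscfg.exe", "nscheck.exe", "mksc.exe",
    "csloa.dll", "okshook.dll", "osconfig.dll", "osmim.dll", "osrouter.dll",
    "rlvknlg.exe", "rlservice.exe", "relevantknowledge",
}
# HijackThis sections that describe something relaunched at boot or logon.
PERSISTENCE = {"O4": "autostart entry", "O23": "Windows service"}

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")   # e.g. "O23 - Service: ..."
SPLIT_RE = re.compile(r"[\\/\s\[\]()\"']+")         # path and field separators


class Finding(NamedTuple):
    section: str       # "process" or a HijackThis code such as "O23"
    matched: tuple     # sorted watch-list names found on the line
    persistence: str   # why it would come back after a reboot, or ""
    line: str


def parse_hjt(text):
    """Split a HijackThis log into (header, processes, entries)."""
    header, processes, entries = [], [], []
    state = "header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if m:
            state = "entries"
            entries.append((m.group(1), m.group(2)))
        elif line.lower().startswith("running processes"):
            state = "processes"
        elif state == "processes":
            processes.append(line)
        elif state == "header":
            header.append(line)
        # Anything else after the entries begin ("continued log:",
        # "End of file - ...") is forum or footer noise and is skipped.
    return header, processes, entries


def watch_hits(text):
    """Match whole path components, so 'myosconfig.dll' is not a hit."""
    tokens = {t.strip(".,;:") for t in SPLIT_RE.split(text.lower())}
    return tuple(sorted(tokens & WATCHLIST))


def triage(text):
    """Return a Finding for every process or entry on the watch-list."""
    _, processes, entries = parse_hjt(text)
    findings = []
    for proc in processes:
        hits = watch_hits(proc)
        if hits:
            findings.append(Finding("process", hits, "", proc))
    for code, body in entries:
        hits = watch_hits(body)
        if hits:
            findings.append(Finding(code, hits, PERSISTENCE.get(code, ""),
                                    f"{code} - {body}"))
    return findings


# Constructed sample, abridged from the log format in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Platform: Windows Vista SP1 (WinNT 6.00.1905)
Running processes:
C:\Windows\Explorer.EXE
c:\program files\relevantknowledge\rlvknlg.exe
C:\Program Files\Example\myosconfig.dll
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
continued log:
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O23 - Service: RelevantKnowledge - TMRG, Inc. - C:\Program Files\RelevantKnowledge\rlservice.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
End of file - 11069 bytes
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        note = f" ({f.persistence})" if f.persistence else ""
        print(f"[{f.section}]{note} {', '.join(f.matched)}: {f.line}")
```

A hit in an `O4` or `O23` entry points at a component that is started again at boot, which is the kind of item to look for when a deleted file keeps reappearing.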