Home Mail MemberMap Chat (0) Wallpapers
Go Back   ChiefsPlanet > The Ed & Dave Lounge > Media Center

Reply
 
Thread Tools Display Modes
Old 08-18-2010, 12:28 AM  
Bearcat Bearcat is offline
Rock Chalk
 
Bearcat's Avatar
 
Join Date: Nov 2000
Location: Kansas City
Casino cash: $6307
The Official Malware/Antivirus Thread - Need help or general advice? Read this first!

This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.

Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help.... but, please read the information provided first, or else there's a good chance you'll be sent here, here, or here . We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.

Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.

Research


A lot of information can be found at this EliteKiller link, including...
  • Links to recommended malware scanning & removal tools, including the Rogue Removal Kit (which includes combofix), malwarebytes (aka MBAM), and Hitman Pro.
  • A link to HiJackThis, which creates a log of registry entries, running services, etc; that can be posted here for additional support.
  • Reviews, recommendations, and links to antivirus software, on-demand scanners, and online scanners.
  • Information on firewalls and unsecured networks, as well as malware/virus prevention.

Malware Removal

If you think your computer is infected, the EliteKiller link provides a thorough solution. Simply put...

Quote:
Originally Posted by mikeyis4dcats. View Post
Step 1 go here http://www.elitekiller.com/malware.htm and read up

Step 2 download the Rogue Removal Kit http://www.elitekiller.com/files/rogueremoval.zip

Step 3 unzip the Kit, read the instruction file and run the tools in the order given.

Step 4 Thank me in about 3 hours for fixing your shit.

The Rogue Removal Kit is is a zipped file that includes malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), Combofix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking; then running malwarebytes and an online scanner in Normal Mode.

Some people don't recommend running Combofix unless you're fairly certain you need to use it, but I've never heard of people having major problems with it. Here's a list of symptoms to Vundo infections, which may help determine if you need to run Combofix. You can also look here to see instructions with screenshots on how to use Combofix.

Taken from the readme in the Rogue Removal Kit:

Quality Online Virus Scanners: (all scanners offer detection and removal)


F-Secure
NOD32
Bitdefender

Quality Free Anti-Virus Software:

Panda Cloud
Microsoft Security Essentials
Antivir
Avast!
AVG


My two cents on downloading anti-malware software...
  • Download it from another computer if possible, or from Safe Mode With Networking on the infected machine.
  • Verify you are downloading from a legit source and are not being redirected to a site where you'll end up downloading more malware. If you click on any links above, verify the link in the bottom left before clicking on it, then after clicking the link verify that's where you were taken in the address bar.
  • The elitekiller article mentions downloading the software to a USB drive. Do not download the software to a USB drive on the infected machine if you're not in Safe Mode, or else you risk infecting the USB drive and other computers you connect the drive to in the future.

Other Helpful Tips & Tools

Rkill will kill processes that may be preventing scanners from completely removing malware.

To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.

If you get a Blue Screen of Death after selecting Safe Mode With Networking, read the following posts on how to fix it:
http://blog.didierstevens.com/2006/06/22/save-safeboot/
http://blog.didierstevens.com/2006/0...ring-safeboot/
http://blog.didierstevens.com/2007/0...th-a-reg-file/


Still infected, or just want to make sure everything is okay?

HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fixed checked'.

If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was setup (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but, it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.

You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.


Windows Performance

A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.

To manage the process that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Boujour, AppleUpdater, etc), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.

Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore.

Last edited by Bearcat; 03-27-2012 at 04:07 PM..
Posts: 27,136
Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.Bearcat has an IQ even higher than Frankie's.
  Reply With Quote
Old 04-13-2014, 08:24 AM   #391
OnTheWarpath58 OnTheWarpath58 is offline
37 FOREVER
 
OnTheWarpath58's Avatar
 

Join Date: Sep 2005
Casino cash: $5985
Posts: 49,766
OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.
  Reply With Quote
Old 04-13-2014, 08:35 AM   #392
Fish Fish is offline
Missing Dick Curl
 
Fish's Avatar
 

Join Date: Sep 2005
Casino cash: $6835
I don't see anything malicious. Lots and lots of clutter. But nothing malicious. You could improve performance by turning off a bunch of stuff that's autostarting when it doesn't need to. But I don't see any bugs...
__________________
Posts: 25,805
Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.
  Reply With Quote
Old 04-13-2014, 08:36 AM   #393
OnTheWarpath58 OnTheWarpath58 is offline
37 FOREVER
 
OnTheWarpath58's Avatar
 

Join Date: Sep 2005
Casino cash: $5985
Quote:
Originally Posted by Fish View Post
I don't see anything malicious. Lots and lots of clutter. But nothing malicious. You could improve performance by turning off a bunch of stuff that's autostarting when it doesn't need to. But I don't see any bugs...
Like?

Remember, I'm as green as it gets when it comes to these things.
Posts: 49,766
OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.OnTheWarpath58 is obviously part of the inner Circle.
  Reply With Quote
Old 04-13-2014, 04:41 PM   #394
alanm alanm is offline
Incognito
 
alanm's Avatar
 

Join Date: Aug 2000
Location: Nebraska/Wyoming/Colorado
Casino cash: $5846
How can I uninstall/reinstall Internet Explorer in windows 8? It isn't listed in Programs and features.
__________________
It bears repeating, **** Herm, Pioli, Haley, and Crennel for ****ing up my franchise for a goddamn decade.
Buehler 445
Posts: 29,798
alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.alanm Forgot to Remove His Claytex and Got Toxic Shock Syndrome.
  Reply With Quote
Old 04-13-2014, 04:48 PM   #395
Fish Fish is offline
Missing Dick Curl
 
Fish's Avatar
 

Join Date: Sep 2005
Casino cash: $6835
Quote:
Originally Posted by OnTheWarpath58 View Post
Like?

Remember, I'm as green as it gets when it comes to these things.
I'll try and type up some instructions when I get the time.
__________________
Posts: 25,805
Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.
  Reply With Quote
Old 04-17-2014, 10:12 PM   #396
Fish Fish is offline
Missing Dick Curl
 
Fish's Avatar
 

Join Date: Sep 2005
Casino cash: $6835
Quote:
Originally Posted by OnTheWarpath58 View Post
Like?

Remember, I'm as green as it gets when it comes to these things.
OK... Registry Editing 101:

Click on the Start Menu.

Type regedit in the Search field. Click enter to open Registry Editor.

It will be listed in a folder-looking format.

The top most folders will be
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HEKY_USERS
HEKY_CURRENT_CONFIG

To keep it simple, you'll only focus on a few folder locations. These folder locations are:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

These locations are what correspond with the "HKLM\..\Run:" entries in your HijackThis log. Navigate to these folder locations. The following are what you can safely delete to increase performance without losing any functionality:

O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch

O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [APSDaemon] "C:\Program Files\Common Files\Apple\Apple Application Support\APSDaemon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun

O4 - HKCU\..\Run: [Google Update] "C:\Users\*******\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [BIBLauncher] C:\Program Files\Business-in-a-Box\BIBLauncher.exe
O4 - HKCU\..\Run: [PlayOn] C:\Program Files\MediaMall\PlayOn.exe

O4 - HKCU\..\Run: [Akamai NetSession Interface] "C:\Users\*********\AppData\Local\Akamai\netsession_win.exe"

Also remove this which is in Start Menu\Programs\Startup\

O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe

Close Registry Editor.

Click on Start Menu.

Type services.msc in Search Field.

Open Services.

This is a list of all services running on your system. Most entries have explanations. Different options for Autostart, Manual. Go through the list and see what you recognize as not necessary for loading auto.

For you, all of the following you can safely turned from autostart to manual start without losing any functionality:

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe

O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe


O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe

O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe

O23 - Service: ScsiAccess - Unknown owner - C:\Program Files\Photodex\ProShow Producer\ScsiAccess.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

Hope that helps...
__________________

Last edited by Fish; 04-17-2014 at 10:22 PM..
Posts: 25,805
Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.
  Reply With Quote
Old 04-30-2014, 11:34 AM   #397
Mr. Kotter Mr. Kotter is offline
Lookin' for the answers...
 
Mr. Kotter's Avatar
 

Join Date: Apr 2001
Location: Somewhere else
Casino cash: $749
I think my kid's computer is infected with the ME IE Zero Day virus. I guess MS is working on a patch, but I think the computer is already infected. The machine will only start in "safe mode," and multiple attempts to restore in safe mode have not been successful.

Any suggestions short of reinstalling Windows 7 Home Premium? If I do need to reinstall...in the restore and recovery ap...can I use the "fix" option, or do I need to reinstall everything? Will I need to reload the personal files from backup after I re-install Windows?

Again, any help would be greatly appreciated. And no, I'm not considering self-immolation, anti-freeze, an AIDS tree, or a rusty razor blade. At least not yet. Thanks, in advance for your concerns though.

Would mikey's EliteKiller link be the best route to remove it? I'm mildly tech savvy, but certainly no wizard or geeksquad guy. I'm just looking for the quickest and easiest fix--as time is at a premium for our family for the next couple weeks. If the EliteKiller thing is it, then so be it. Otherwise, any suggestions to help me remove the virus instead of starting over, would be greatly appreciated...

I'm guessing it's what they are talking about in these articles:

http://community.norton.com/t5/Norto...g/ba-p/1127768


http://www.maximumpc.com/microsoft_w...ernet_explorer
__________________
Alex Smith will be better than Geno or Cassel, Alex Smith will be better than Geno or Cassel, Alex Smith will be better than Geno or Cassel, Alex Smith will be better than Geno or Cassel...
Posts: 40,004
Mr. Kotter has disabled reputation
  Reply With Quote
Old 04-30-2014, 11:35 AM   #398
BigRock BigRock is offline
Pritay Pritay Pritay Good
 
BigRock's Avatar
 

Join Date: Apr 2005
Location: The State of Euphoria
Casino cash: $5745
Quote:
Originally Posted by Mr. Kotter View Post
I think my kid's computer is infected with the ME IE Zero Day virus. I guess MS is working on a patch, but I think the computer is already infected. The machine will only start in "safe mode," and multiple attempts to restore in safe mode have not been successful.

Any suggestions short of reinstalling Windows 7 Home Premium? If I do need to reinstall...in the restore and recovery ap...can I use the "fix" option, or do I need to reinstall everything? Will I need to reload the personal files from backup after I re-install Windows?

Again, any help would be greatly appreciated. And no, I'm not considering self-immolation, anti-freeze, an AIDS tree, or a rusty razor blade. At least not yet. Thanks, in advance for your concerns though.

Would mikey's EliteKiller link be the best route to remove it? I'm mildly tech savvy, but certainly no wizard or geeksquad guy. I'm just looking for the quickest and easiest fix--as time is at a premium for our family for the next couple weeks. If the EliteKiller thing is it, then so be it. Otherwise, any suggestions to help me remove the virus instead of starting over, would be greatly appreciated...

I'm guessing it's what they are talking about in these articles:

http://community.norton.com/t5/Norto...g/ba-p/1127768


http://www.maximumpc.com/microsoft_w...ernet_explorer
The IE thing isn't really a virus, it's an exploit that could give someone control of your system. It's probably not the cause. I'd start by assuming it's just a run of the mill virus and follow the usual steps.
Posts: 5,930
BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.BigRock Forgot to Remove His Claytex and Got Toxic Shock Syndrome.
  Reply With Quote
Old 06-24-2014, 09:44 AM   #399
Pestilence Pestilence is offline
Want a ride?
 
Pestilence's Avatar
 

Join Date: Dec 2006
Location: Nor-Cal
Casino cash: $1526
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 8:40:29 AM, on 6/24/2014
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16555)
Boot mode: Normal

Running processes:
C:\PROGRA~2\SCRIPT~1\DESKTO~1\CLIENT~1\812~1.7\SLAgent.exe
C:\Program Files (x86)\AlienRespawn\TOASTER.EXE
C:\Program Files (x86)\AlienRespawn\Components\DSUpdate\DSUpd.exe
C:\Program Files (x86)\AlienRespawn\COMPONENTS\SCHEDULER\STSERVICE.EXE
C:\Users\dcbrummer\AppData\Local\LPT\srptm.exe
C:\Program Files (x86)\PrintKey2000\Printkey2000.exe
C:\Cache\pc-client.exe-14.1.0.26983\pc-client.exe
C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe
C:\Program Files (x86)\ScriptLogic\Desktop Authority\Client Files\8.12.7\CBM\ScriptLogic.CBM.UserExperience.exe
C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\acrotray.exe
C:\Program Files (x86)\McAfee\Common Framework\UdaterUI.exe
C:\Program Files (x86)\Common Files\Java\Java Update\jucheck.exe
C:\Program Files (x86)\McAfee\Common Framework\McTray.exe
C:\Program Files\Alienware\Command Center\AlienwareAlienFXController.exe
C:\Program Files\Alienware\Command Center\AWCCApplicationWatcher32.exe
C:\Program Files\Alienware\Command Center\AlienFusionController.exe
C:\Program Files (x86)\DIMS\DIMS.net\DIMSnet.EXE
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe
C:\Program Files (x86)\Trend Micro\HiJackThis\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://AlienwareArena.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.helperbar.com/?p=mKO_AwFzXIpYRZtakQ4j8nRC9pSLLJR98GAGvZ--sx9HMMckaq-YAVaKiMC-AT0Yqw0VwgAFK9R-1qcgWOLJYU78ON5ayxRS59S1BoXvAcFqHPEj945JlcWsy8zVwbvmj3ty22VSQLG5P59vuOfSbFOBfjMq5sjDPIYQICtkYCoZLrIj PJfQr0xIk08q-vF_N19VuJ-xynJ4wg,,&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://feed.helperbar.com/?p=mKO_AwFzXIpYRZtakQ4j8nRC9pSLLJR98GAGvZ--sx9HMMckaq-YAVaKiMC-AT0Yqw0VwgAFK9R-1qcgWOLJYU78ON5ayxRS59S1BoXvAcFqHPEj945JlcWsy8zVwbvmj3ty22VSQLG5P59vuOfSbFOBfjMq5sjDPIYQICtkYCoZLrIj PJfQr0xIk08q-vF_N19VuJ-xynJ4wg,,&q={searchTerms}
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webstart/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10045&barid={D10CBA9A-B9A5-11E2-B43D-F04DA2DE4A5C}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.helperbar.com/?p=mKO_AwFzXIpYRZtakQ4j8nRC9pSLLJR98GAGvZ--sx9HMMckaq-YAVaKiMC-AT0Yqw0VwgAFK9R-1qcgWOLJYU78ON5ayxRS59S1BoXvAcFqHPEj945JlcWsy8zVwbvmj3ty22VSQLG5P59vuOfSbFOBfjMq5sjDPIYQICtkYCoZLrIj PJfQr0xIk08q-vF_N19VuJ-xynJ4wg,,&q={searchTerms}
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.helperbar.com/?p=mKO_AwFzXIpYRZtakQ4j8nRC9pSLLJR98GAGvZ--sx9HMMckaq-YAVaKiMC-AT0Yqw0VwgAFK9R-1qcgWOLJYU78ON5ayxRS59S1BoXvAcFqHPEj945JlcWsy8zVwbvmj3ty22VSQLG5P59vuOfSbFOBfjMq5sjDPIYQICtkYCoZLrIj PJfQr0xIk08q-vF_N19VuJ-xynJ4wg,,&q={searchTerms}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\Windows\SysWOW64\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=userinit.exe
O1 - Hosts: 204.147.113.96 calvalidator.ss.ca.gov
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SmartbarInternetExplorerBHOEngine - {31ad400d-1b06-4e33-a59a-90c2c140cba0} - mscoree.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~2\MICROS~1\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files (x86)\Java\jre7\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files (x86)\Common Files\McAfee\SystemCore\ScriptSn.20140618171432.dll
O2 - BHO: Adobe Acrobat Create PDF Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~2\MICROS~1\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files (x86)\Java\jre7\bin\jp2ssv.dll
O2 - BHO: SmartSelect - {F4971EE7-DAA0-4053-9964-665D8EE6A077} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O3 - Toolbar: QuickShare Widget - {ae07101b-46d4-4a98-af68-0333ea26e113} - mscoree.dll (file missing)
O3 - Toolbar: Adobe Acrobat Create PDF Toolbar - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IAStorIcon] C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe
O4 - HKLM\..\Run: [THX Audio Control Panel] "C:\Program Files (x86)\Creative\THX TruStudio PC\THXAudioCP\THXAudio.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\Windows\UpdReg.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatchTray12OEM.exe"
O4 - HKLM\..\Run: [Desktop Disc Tool] "C:\Program Files (x86)\Roxio\OEM\Roxio Burn\RoxioBurnLauncher.exe"
O4 - HKLM\..\Run: [BCSSync] "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
O4 - HKLM\..\Run: [DesktopAuthority User Experience] "C:\Program Files (x86)\ScriptLogic\Desktop Authority\Client Files\8.12.7\CBM\ScriptLogic.CBM.UserExperience.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files (x86)\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files (x86)\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files (x86)\Adobe\Acrobat 11.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files (x86)\McAfee\Common Framework\udaterui.exe" /StartedFromRunKey
O4 - HKCU\..\Run: [PCShowServer] "C:\Users\dcbrummer\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe"
O4 - HKCU\..\Policies\Explorer\Run: [1] \\cacprc01\PCClient\win\pc-client-local-cache.exe --silent
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')
O4 - Global Startup: Printkey2000.lnk = C:\Program Files (x86)\PrintKey2000\Printkey2000.exe
O8 - Extra context menu item: Append Link Target to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Append to Existing PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert Link Target to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files (x86)\Common Files\Adobe\Acrobat\WCIEActiveX\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~2\MICROS~1\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~2\MICROS~1\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files (x86)\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O16 - DPF: {49312E18-AA92-4CC2-BB97-55DEA7BCADD6} (WMI Class) - http://support.dell.com/systemprofiler/SysProExe.CAB
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://akamaicdn.webex.com/client/W...x/ieatgpc1.cab
O16 - DPF: {E6F480FC-BD44-4CBA-B74A-89AF7842937D} (SysInfo Class) - http://content.systemrequirementslab...ri_4.5.1.0.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = County.Solano.Sol
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = County.Solano.Sol
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = County.Solano.Sol
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: Adobe Flash Player Update Service (AdobeFlashPlayerUpdateSvc) - Adobe Systems Incorporated - C:\Windows\SysWOW64\Macromed\Flash\FlashPlayerUpdateService.exe
O23 - Service: @%SystemRoot%\system32\Alg.exe,-112 (ALG) - Unknown owner - C:\Windows\System32\alg.exe (file missing)
O23 - Service: Alienware Fusion Service (AlienFusionService) - Alienware - C:\Program Files\Alienware\Command Center\AlienFusionService.exe
O23 - Service: AutoMate 6 (AutoMate6) - Network Automation, Inc. - C:\Program Files (x86)\AutoMate 6\AMTS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files (x86)\Bonjour\mDNSResponder.exe
O23 - Service: @%SystemRoot%\system32\efssvc.dll,-100 (EFS) - Unknown owner - C:\Windows\System32\lsass.exe (file missing)
O23 - Service: @%systemroot%\system32\fxsresm.dll,-118 (Fax) - Unknown owner - C:\Windows\system32\fxssvc.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files (x86)\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
O23 - Service: Intel(R) Rapid Storage Technology (IAStorDataMgrSvc) - Intel Corporation - C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe
O23 - Service: @keyiso.dll,-100 (KeyIso) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: Local Print Agent - PrintFleet Inc - C:\Program Files (x86)\Local Print Agent\Local Print Agent.exe
O23 - Service: LPT System Updater Service (LPTSystemUpdater) - Unknown owner - C:\Program Files (x86)\LPT\srpts.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files (x86)\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\Common Files\McAfee\SystemCore\\mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files (x86)\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: McAfee Validation Trust Protection Service (mfevtp) - Unknown owner - C:\Windows\system32\mfevtps.exe (file missing)
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: @comres.dll,-2797 (MSDTC) - Unknown owner - C:\Windows\System32\msdtc.exe (file missing)
O23 - Service: @%SystemRoot%\System32\netlogon.dll,-102 (Netlogon) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - Unknown owner - C:\Windows\system32\nvvsvc.exe (file missing)
O23 - Service: NVIDIA Update Service Daemon (nvUpdatusService) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe
O23 - Service: PaperCut Print Provider (PCPrintProvider) - PaperCut Software International Pty Ltd - C:\Program Files\PaperCut MF\providers\print\win\pc-print.exe
O23 - Service: @%systemroot%\system32\psbase.dll,-300 (ProtectedStorage) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: RoxMediaDB12OEM - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxMediaDB12OEM.exe
O23 - Service: Roxio Hard Drive Watcher 12 (RoxWatch12) - Sonic Solutions - C:\Program Files (x86)\Common Files\Roxio Shared\OEM\12.0\SharedCOM\RoxWatch12OEM.exe
O23 - Service: @%systemroot%\system32\Locator.exe,-2 (RpcLocator) - Unknown owner - C:\Windows\system32\locator.exe (file missing)
O23 - Service: @%SystemRoot%\system32\samsrv.dll,-1 (SamSs) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: ScriptLogic CBM Service - ScriptLogic Software Corporation - C:\Program Files (x86)\ScriptLogic\Desktop Authority\Client Files\8.12.7\CBM\ScriptLogic.CBM.Agent.exe
O23 - Service: SoftThinks Agent Service (SftService) - SoftThinks SAS - C:\Program Files (x86)\AlienRespawn\sftservice.EXE
O23 - Service: ScriptLogic Service (SLClient) - ScriptLogic Software Corporation - C:\Program Files (x86)\ScriptLogic\Desktop Authority\Client Files\8.12.7\SLClient.exe
O23 - Service: SNMP Trap (SNMPTRAP) - Unknown owner - C:\Windows\System32\snmptrap.exe (file missing)
O23 - Service: @%systemroot%\system32\spoolsv.exe,-1 (Spooler) - Unknown owner - C:\Windows\System32\spoolsv.exe (file missing)
O23 - Service: @%SystemRoot%\system32\sppsvc.exe,-101 (sppsvc) - Unknown owner - C:\Windows\system32\sppsvc.exe (file missing)
O23 - Service: NVIDIA Stereoscopic 3D Driver Service (Stereo Service) - NVIDIA Corporation - C:\Program Files (x86)\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files (x86)\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: @%SystemRoot%\system32\ui0detect.exe,-101 (UI0Detect) - Unknown owner - C:\Windows\system32\UI0Detect.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vaultsvc.dll,-1003 (VaultSvc) - Unknown owner - C:\Windows\system32\lsass.exe (file missing)
O23 - Service: @%SystemRoot%\system32\vds.exe,-100 (vds) - Unknown owner - C:\Windows\System32\vds.exe (file missing)
O23 - Service: @%systemroot%\system32\vssvc.exe,-102 (VSS) - Unknown owner - C:\Windows\system32\vssvc.exe (file missing)
O23 - Service: @%systemroot%\system32\wbengine.exe,-104 (wbengine) - Unknown owner - C:\Windows\system32\wbengine.exe (file missing)
O23 - Service: @%Systemroot%\system32\wbem\wmiapsrv.exe,-110 (wmiApSrv) - Unknown owner - C:\Windows\system32\wbem\WmiApSrv.exe (file missing)
O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - C:\Program Files (x86)\Windows Media Player\wmpnetwk.exe (file missing)
Posts: 44,522
Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.
  Reply With Quote
Old 06-24-2014, 11:05 AM   #400
Fish Fish is offline
Missing Dick Curl
 
Fish's Avatar
 

Join Date: Sep 2005
Casino cash: $6835
Dude, that system is a mess.

Looks like it's infected with Snap.Do, according to this line:

C:\Users\dcbrummer\AppData\Local\LPT\srptm.exe

That will take over your browser and change your browser settings/homepage/search/etc.
Manually remove Snap.Do: http://www.pcthreat.com/parasitebyid-24962en.html

Likely related, but your browser search is already hosed, according to this line:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.helperbar.com/?p=mKO_AwF...YQICtkYCoZLrIj PJfQr0xIk08q-vF_N19VuJ-xynJ4wg,,&q={searchTerms}

The following lines very likely could be a rootkit:

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

Are you in a managed corporate environment or something? You've also got a program called DesktopAuthority running. It's a pretty powerful IT Admin app that can give the admin pretty much complete control of your computer. It can even monitor keystrokes and shit if the admin chose to use it that way. If you're in a corporate managed environment, it's probably OK. But if not, that could be serious trouble. I notice it's an Alienware with lots of normal consumer stuff, but also some admin stuff and Papercut client.

Regardless, your system need to be cleaned ASAP. I'd recommend a complete reimage or reinstall if possible. It might already be too far gone. But you might be able to resuscitate it. I'd run the malware cleaners listed in the OP. I'd also include Malwarebytes Anti-malware.

Considering all the unnecessary stuff running in the background, your system would feel like a new machine if you would format and reinstall. If you're in a corp environment, tell your IT to backup and reimage that mofo.
__________________
Posts: 25,805
Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.
  Reply With Quote
Old 06-24-2014, 11:09 AM   #401
Pestilence Pestilence is offline
Want a ride?
 
Pestilence's Avatar
 

Join Date: Dec 2006
Location: Nor-Cal
Casino cash: $1526
Quote:
Originally Posted by Fish View Post
Dude, that system is a mess.

Looks like it's infected with Snap.Do, according to this line:

C:\Users\dcbrummer\AppData\Local\LPT\srptm.exe

That will take over your browser and change your browser settings/homepage/search/etc.
Manually remove Snap.Do: http://www.pcthreat.com/parasitebyid-24962en.html

Likely related, but your browser search is already hosed, according to this line:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://feed.helperbar.com/?p=mKO_AwF...YQICtkYCoZLrIj PJfQr0xIk08q-vF_N19VuJ-xynJ4wg,,&q={searchTerms}

The following lines very likely could be a rootkit:

O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /autoRun (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [mctadmin] C:\Windows\System32\mctadmin.exe (User 'NETWORK SERVICE')

Are you in a managed corporate environment or something? You've also got a program called DesktopAuthority running. It's a pretty powerful IT Admin app that can give the admin pretty much complete control of your computer. It can even monitor keystrokes and shit if the admin chose to use it that way. If you're in a corporate managed environment, it's probably OK. But if not, that could be serious trouble. I notice it's an Alienware with lots of normal consumer stuff, but also some admin stuff and Papercut client.

Regardless, your system need to be cleaned ASAP. I'd recommend a complete reimage or reinstall if possible. It might already be too far gone. But you might be able to resuscitate it. I'd run the malware cleaners listed in the OP. I'd also include Malwarebytes Anti-malware.

Considering all the unnecessary stuff running in the background, your system would feel like a new machine if you would format and reinstall. If you're in a corp environment, tell your IT to backup and reimage that mofo.
Yeah....work environment. I ran Malwarebytes and removed around 20 different ****ing things. I've now run it two more times just to make sure it didn't miss anything. Desktop Authority and Papercut are mandated by my work....so they aren't going anywhere.
Posts: 44,522
Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.
  Reply With Quote
Old 06-24-2014, 11:57 AM   #402
Fish Fish is offline
Missing Dick Curl
 
Fish's Avatar
 

Join Date: Sep 2005
Casino cash: $6835
I'd run EliteKiller as well. Or Spybot/Superantispyware. Just to be sure.

You might also consider deleting your old restore points. Shit can reinfect a system that way.

Quote:
To delete all restore points

Open System by clicking the Start button Picture of the Start button, right-clicking Computer, and then clicking Properties.

In the left pane, click System protection. Administrator permission required If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

Under Protection Settings, click Configure.

Under Disk Space Usage, click Delete.

Click Continue, and then click OK.
Tell your IT to get a real antivirus client that can prevent that shit. McAfee sucks goat balls.
__________________
Posts: 25,805
Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.Fish is obviously part of the inner Circle.
  Reply With Quote
Old 06-24-2014, 12:05 PM   #403
Pestilence Pestilence is offline
Want a ride?
 
Pestilence's Avatar
 

Join Date: Dec 2006
Location: Nor-Cal
Casino cash: $1526
Quote:
Originally Posted by Fish View Post
Tell your IT to get a real antivirus client that can prevent that shit. McAfee sucks goat balls.
I tell them that all the time. It's the government....so it comes down to "whatever is cheaper to run".
Posts: 44,522
Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.Pestilence is obviously part of the inner Circle.
  Reply With Quote
Old 06-24-2014, 06:16 PM   #404
DaveNull DaveNull is offline
Veteran
 
DaveNull's Avatar
 

Join Date: Nov 2011
Location: Villa Straylight
Casino cash: $5877
Unless you got infected doing something on your work computer that you shouldn't have been doing, it's not your ****ing problem.
Posts: 1,240
DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.DaveNull would the whole thing.
  Reply With Quote
Old 09-04-2014, 02:16 PM   #405
ROYC75 ROYC75 is offline
Time For Your Wake Up Call !!!
 
ROYC75's Avatar
 

Join Date: Oct 2000
Location: Barn Yard
Casino cash: $4292
Pepper zip ? WTF ?

My file extensions are trying to be sent as a Pepper Zip now ? I have scanned the pc, found the uninstall icon, done that but there is still an intact file attachment somewhere. I can not compress a file to email out to a client.

Anybody have any info on a pepper zip ?
Posts: 27,205
ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.ROYC75 wants to die in a aids tree fire.
  Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is On

Forum Jump




All times are GMT -6. The time now is 04:48 PM.


Powered by vBulletin® Version 3.8.0
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.