08-18-2010, 12:28 AM
Bearcat
The Official Malware/Antivirus Thread - Need help or general advice? Read this first!

This thread provides information on malware removal, links to malware removal tools, and recommendations & links to anti-virus software. The intention of this thread is to provide quick and accurate support for malware-related issues and questions.

Many people here are willing to provide assistance if you're having computer problems, and this thread is not meant to discourage people from asking for help.... but, please read the information provided first, or else there's a good chance you'll be sent here, here, or here. We aren't Geek Squad, so while we won't grossly overcharge you for information and advice, we also aren't responsible for anything you do to your computer.

Also, feel free to make suggestions on the content of this post, and I'll try to keep it up to date.

Research


A lot of information can be found at this EliteKiller link, including...
  • Links to recommended malware scanning & removal tools, including the Rogue Removal Kit (which includes combofix), malwarebytes (aka MBAM), and Hitman Pro.
  • A link to HiJackThis, which creates a log of registry entries, running services, etc., that can be posted here for additional support.
  • Reviews, recommendations, and links to antivirus software, on-demand scanners, and online scanners.
  • Information on firewalls and unsecured networks, as well as malware/virus prevention.

Malware Removal

If you think your computer is infected, the EliteKiller link provides a thorough solution. Simply put...

Quote:
Originally Posted by mikeyis4dcats.
Step 1 go here http://www.elitekiller.com/malware.htm and read up

Step 2 download the Rogue Removal Kit http://www.elitekiller.com/files/rogueremoval.zip

Step 3 unzip the Kit, read the instruction file and run the tools in the order given.

Step 4 Thank me in about 3 hours for fixing your shit.

The Rogue Removal Kit is a zipped file that includes malwarebytes, CCleaner (a registry cleaner that will also delete temporary files), Combofix, Hitman Pro, and HiJackThis (HiJackThis is optional, see below). The instructions guide you through running these tools in Safe Mode With Networking; then running malwarebytes and an online scanner in Normal Mode.

Some people don't recommend running Combofix unless you're fairly certain you need to use it, but I've never heard of people having major problems with it. Here's a list of symptoms of Vundo infections, which may help determine if you need to run Combofix. You can also look here to see instructions with screenshots on how to use Combofix.

Taken from the readme in the Rogue Removal Kit:

Quality Online Virus Scanners: (all scanners offer detection and removal)


F-Secure
NOD32
Bitdefender

Quality Free Anti-Virus Software:

Panda Cloud
Microsoft Security Essentials
Antivir
Avast!
AVG


My two cents on downloading anti-malware software...
  • Download it from another computer if possible, or from Safe Mode With Networking on the infected machine.
  • Verify you are downloading from a legit source and are not being redirected to a site where you'll end up downloading more malware. If you click on any links above, verify the link in the bottom left before clicking on it, then after clicking the link verify that's where you were taken in the address bar.
  • The elitekiller article mentions downloading the software to a USB drive. Do not download the software to a USB drive on the infected machine if you're not in Safe Mode, or else you risk infecting the USB drive and other computers you connect the drive to in the future.

Other Helpful Tips & Tools

Rkill will kill processes that may be preventing scanners from completely removing malware.

To get into Safe Mode With Networking, press F8 every couple of seconds while the computer is starting (before the Windows splash screen). If you see the Windows splash screen, you will need to try again. The safe thing to do is log into Windows, restart, and try pressing F8 several times before seeing the Windows splash screen. Alternatively, my advice that falls into the category of “what I'd do if it was my own computer, but wouldn't tell someone to do it if I worked in tech support” would be, if you didn't get into Safe Mode the first time and you're at the Windows splash screen, hold down the power button until the computer turns off. When you start the computer again, it should automatically ask you if you want to go into Safe Mode With Networking.

If you get a Blue Screen of Death after selecting Safe Mode With Networking, read the following posts on how to fix it:
http://blog.didierstevens.com/2006/06/22/save-safeboot/
http://blog.didierstevens.com/2006/0...ring-safeboot/
http://blog.didierstevens.com/2007/0...th-a-reg-file/


Still infected, or just want to make sure everything is okay?

HiJackThis is a tool that will create a log file that can be analyzed by geeks to see what is running on your computer. Install and run HiJackThis (preferably in Safe Mode With Networking), and select 'Do a system scan and save a log file'. You can then copy/paste the output to this thread, and with any luck, someone will stop by and let you know what you can delete. You can then checkmark the items in HiJackThis and click 'Fix checked'.

If you don't get a quick response here or would rather do it yourself, you can also go to http://hijackthis.de/, which is an online analyzer for your HiJackThis log. Simply copy and paste the log into the text box and click the Analyze button. During my testing of the site, I found it wasn't perfect, especially when a proxy was set up (the visitor rating would be 'extremely nasty', but the site itself would say it was safe)... but, it's at least a good tool that can significantly shorten the time it takes to analyze the log, and it gives you an idea of which entries you can delete or at least Google/post here for further research.

You can also look at the responses to HiJackThis posts in this thread to get an idea of what is safe and what should be removed.


Windows Performance

A good starting point to knowing what processes and services are running on your computer is a HiJackThis log. There's also a lot of information that's only a Google search away.

To manage the processes that start when Windows starts, use msconfig (Start button -> Run... -> msconfig -> Startup tab). This is a good resource on startup processes, and it includes a large database of startup processes with information on whether they're required to run Windows or if it's okay to uncheck them. You basically want processes that are in c:\Windows checked, and you can generally uncheck processes in c:\program files (but there are exceptions, like your antivirus), but do some research (Google, the provided links, this thread) if you're not sure. Adobe, Apple (including qttask, Bonjour, AppleUpdater, etc), and any messenger program (unless you have it sign you in at startup) are always the first ones to get unchecked on my computer.

Services can be a little tougher to manage, because it's usually a much longer list, and it's not as simple as flipping them on or off. This is a great resource for managing Windows services (Start button -> Run... -> services.msc). Simply choose your version of Windows and then click on the Service Configuration link. It presents the default setup, a safe setup (what most people can use without any consequences), a tweaked setup for faster startup, and a bare bones setup for the super geek. There's also a Tweaks page for stuff like Adding/Removing programs and System Restore.

Last edited by Bearcat; 03-27-2012 at 04:07 PM.

07-08-2012, 04:25 PM   #301
Dr. Gigglepants
If anyone could offer any help with an install of Microsoft Security Essentials it would be greatly appreciated. My wife is running Windows 7 Home Premium 64-bit (Service Pack 1) on her laptop. The first thing I did when we got the laptop was uninstall McAfee and install Eset. Now that the Eset subscription is out I want to install MSE since it is free, and the other laptops in the house are running it just fine.

Yesterday I uninstalled Eset using the Windows Uninstaller, restarted, and downloaded the MSE install file from their website. I downloaded the Windows 7 64-bit version of MSE. I ran the .exe file and it gave me the error code 0x8004FF81. I googled it and there isn't a definite answer as to what this error code is.

I think Eset is completely uninstalled, I checked C:\Program Files\Eset and C:\Program Data\Eset and both of those folders are gone. There is, however, a C:\Program Files (x86)\McAfee folder for some reason.

1) Do you think if I delete the McAfee folder it will let me install MSE?
2) Could anything bad happen if I delete the McAfee folder? (When I go into control panel\Programs and Features there is no listing for McAfee, so it looks like it is completely uninstalled except for this folder that still exists).

Thank you tech gurus of ChiefsPlanet!

07-08-2012, 04:32 PM   #302
QuikSsurfer
Quote:
Originally Posted by Dr. Gigglepants
If anyone could offer any help with an install of Microsoft Security Essentials it would be greatly appreciated. My wife is running Windows 7 Home Premium 64-bit (Service Pack 1) on her laptop. The first thing I did when we got the laptop was uninstall McAfee and install Eset. Now that the Eset subscription is out I want to install MSE since it is free, and the other laptops in the house are running it just fine.

Yesterday I uninstalled Eset using the Windows Uninstaller, restarted, and downloaded the MSE install file from their website. I downloaded the Windows 7 64-bit version of MSE. I ran the .exe file and it gave me the error code 0x8004FF81. I googled it and there isn't a definite answer as to what this error code is.

I think Eset is completely uninstalled, I checked C:\Program Files\Eset and C:\Program Data\Eset and both of those folders are gone. There is, however, a C:\Program Files (x86)\McAfee folder for some reason.

1) Do you think if I delete the McAfee folder it will let me install MSE?
2) Could anything bad happen if I delete the McAfee folder? (When I go into control panel\Programs and Features there is no listing for McAfee, so it looks like it is completely uninstalled except for this folder that still exists).

Thank you tech gurus of ChiefsPlanet!

Try running both of these uninstaller tools -- one is for ESET and the other is for McAfee.

Eset: http://download.eset.com/special/ESETUninstaller.exe

McAfee: http://download.mcafee.com/products/...tches/MCPR.exe

Report back

07-08-2012, 05:23 PM   #303
Dr. Gigglepants
Quote:
Originally Posted by QuikSsurfer
Try running both of these uninstaller tools -- one is for ESET and the other is for McAfee.

Eset: http://download.eset.com/special/ESETUninstaller.exe

McAfee: http://download.mcafee.com/products/...tches/MCPR.exe

Report back

Ran both, restarted, downloaded MSE again, it gave me the same error code when I tried to install it.

07-08-2012, 07:16 PM   #304
QuikSsurfer
Quote:
Originally Posted by Dr. Gigglepants
Ran both, restarted, downloaded MSE again, it gave me the same error code when I tried to install it.

Hmmm -- might want to try cleaning up the MSE install. There is an MS fix-it we could run to try and remove all MS security tools and any registry entries that may be there -- then try re-downloading and installing MSE again.

http://support.microsoft.com/mats/Pr..._and_Uninstall

Quote:
This tool is designed to fix un-installation issues like, MSE registry issues, removes remnants of Microsoft Security Essentials from your computer.
a. To do this run the FixIt tool from the following links.
b. Click the below link and select Run Now button.
http://support.microsoft.com/mats/Pr..._and_Uninstall
c. After downloading and running for the first time
d. Select Run on small pop-up window and select Run on Internet Explorer-Security Warning Window.
e. Select Detect problems and let me select the files to apply.
f. Select Uninstalling.
g. After detecting problems Select Microsoft Security Client to uninstall and click Next.
h. Repeat the steps from b to f and, this time select Microsoft Antimalware from list to uninstall and click Next.
i. Restart your computer and reinstall Microsoft Security essentials.

07-08-2012, 07:31 PM   #305
Dr. Gigglepants
Quote:
Originally Posted by QuikSsurfer
Hmmm -- might want to try cleaning up the MSE install. There is a MS fix-it we could run to try and remove all MS security tools and any registry entries that may be there -- then trying re-downloading and installing MSE again.

http://support.microsoft.com/mats/Pr..._and_Uninstall

Well, I ran the fix-it program and I couldn't find either of those programs from your post in the list, Eset and McAfee were also not listed. I also couldn't find any other programs in the list that looked like they would be anti-virus programs. I'm not sure what else to do at this point, I do appreciate your help though, QS.

07-08-2012, 07:55 PM   #306
QuikSsurfer
Quote:
Originally Posted by Dr. Gigglepants
Well, I ran the fix-it program and I couldn't find either of those programs from your post in the list, Eset and McAfee were also not listed. I also couldn't find any other programs in the list that looked like they would be anti-virus programs. I'm not sure what else to do at this point, I do appreciate your help though, QS.

Well while we figure this out, go ahead and install another AV on your rig - definitely don't need to leave it unprotected.
I absolutely love the Panda Cloud AV - free
http://www.cloudantivirus.com/en/#!/...virus-download

I'd recommend it over pretty much all the free AVs out there.

07-08-2012, 08:12 PM   #307
Dr. Gigglepants
Got Panda installed and it's working great already! Thanks again.

07-15-2012, 05:59 PM   #308
the Talking Can
just had fun with a 'live security platinum' virus....yeesh

hitmanpro is boss

seems to be going around this month
__________________
Clark Hunt: "Thank god for the Dominican pool boy"

07-21-2012, 03:14 PM   #309
Buehler445
Blech.

Wife's computer is being a bitch. I restarted it and it has the black screen with a throbbing Windows Icon and Starting Windows underneath it.

Been there about 10 minutes. Was there 10 minutes or so before I took the battery out.

Any ideas?

07-22-2012, 02:16 PM   #310
Buehler445
Quote:
Originally Posted by Buehler445
Blech.

Wife's computer is being a bitch. I restarted it and it has the black screen with a throbbing Windows Icon and Starting Windows underneath it.

Been there about 10 minutes. Was there 10 minutes or so before I took the battery out.

Any ideas?

I got ahold of DaFace and worked through some shit. I (DaFace more than me) thinks the HD is boned.

07-22-2012, 05:04 PM   #311
OnTheWarpath15
The more Mrs. OTW58 uses our desktop computer, the slower it gets. Wondering if someone could take a look at my HijackThis log and tell me what the **** I can get rid of.

TIA.

Quote:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 6:03:16 PM, on 7/22/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\XXXXXX\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Users\XXXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe
C:\Program Files\Alwil Software\Avast5\AvastUI.exe
C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\AAM Updates Notifier.exe
C:\Users\XXXXXXX\AppData\Local\DIRECTV Player\NDSPCShowServer.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe
C:\Users\XXXXXXX\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O3 - Toolbar: Lexmark Toolbar - {1017A80C-6F09-4548-A84D-EDD6AC9525F0} - C:\Program Files\Lexmark Toolbar\toolband.dll
O3 - Toolbar: avast! WebRep - {8E5E2654-AD2D-48bf-AC2D-D17F00898D06} - C:\Program Files\Alwil Software\Avast5\aswWebRepIE.dll
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PSUAMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PCShowServer] "C:\Users\CHIPANDSALLY\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\CHIPANDSALLY\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Dropbox.lnk = XXXXXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: APC Data Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\dataserv.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CLDTVHNService - Unknown owner - C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McciServiceHost - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciServiceHost.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: Panda Product Service (PSUAService) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
Old 07-23-2012, 09:12 AM   #312
Fish
Quote:
Originally Posted by OnTheWarpath58
The more Mrs. OTW58 uses our desktop computer, the slower it gets. Wondering if someone could take a look at my HijackThis log and tell me what the **** I can get rid of.

TIA.
Looks like you've got some problems bud. Mainly something that set a Proxy server.

Quote:
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421;
To fix this one, you'll need to go to Control Panel\Internet Options\Connections\LAN Settings, and then uncheck everything listed under Proxy Server. The only thing that should be checked on the LAN settings page is Automatically Detect Settings.

That's probably a big part of your problem. And an indication that you could be infected with other stuff that might not be making itself evident.

You've got a ton of stuff running that doesn't need to be as well.

Quote:
C:\Users\XXXXXX\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch

O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe
All of the above doesn't have to be running at startup, and you'd see a good performance boost if you set these to manual start instead of starting up automatically. But it's not actually hurting anything, just slowing things down. To change these to manual start, go to Control Panel\Administrative Tools\Services. Run the Services app, and go through the list and find the corresponding services that match the above. Change them from Automatic start to Manual. It's good to familiarize yourself with the Services app, because it allows you to control everything that's actively running on your system. Pay notice to what's listed as "Started", and if you have any questions about anything, feel free to ask.

Also, you seem to have both Avast and Panda antivirus running. 2 AV programs running at the same time can produce bad results, and in some cases it will really slow things down. Eliminate one or the other.

I'd begin by making the above changes, and then running Malwarebytes.

I'd really recommend purchasing Malwarebytes Pro as well. I can't stress enough how well the Pro version of the app works. It's an active scanner that catches a bunch of what Avast or Panda would miss. It's very well worth the price for the Pro version.

Hope that helps!
Old 07-23-2012, 12:45 PM   #313
OnTheWarpath15
Quote:
Originally Posted by KC Fish
Looks like you've got some problems bud. Mainly something that set a Proxy server.



To fix this one, you'll need to go to Control Panel\Internet Options\Connections\LAN Settings, and then uncheck everything listed under Proxy Server. The only thing that should be checked on the LAN settings page is Automatically Detect Settings.

That's probably a big part of your problem. And an indication that you could be infected with other stuff that might not be making itself evident.

You've got a ton of stuff running that doesn't need to be as well.



All of the above doesn't have to be running at startup, and you'd see a good performance boost if you set these to manual start instead of starting up automatically. But it's not actually hurting anything, just slowing things down. To change these to manual start, go to Control Panel\Administrative Tools\Services. Run the Services app, and go through the list and find the corresponding services that match the above. Change them from Automatic start to Manual. It's good to familiarize yourself with the Services app, because it allows you to control everything that's actively running on your system. Pay notice to what's listed as "Started", and if you have any questions about anything, feel free to ask.

Also, you seem to have both Avast and Panda antivirus running. 2 AV programs running at the same time can produce bad results, and in some cases it will really slow things down. Eliminate one or the other.

I'd begin by making the above changes, and then running Malwarebytes.

I'd really recommend purchasing Malwarebytes Pro as well. I can't stress enough how well the Pro version of the app works. It's an active scanner that catches a bunch of what Avast or Panda would miss. It's very well worth the price for the Pro version.

Hope that helps!
I couldn't find some of that stuff in the services app. Set what I could find to manual, and am restarting. Will run Malwarebytes after restart and post another log.

Thanks for your help.
Old 07-23-2012, 01:00 PM   #314
OnTheWarpath15
The Malwarebytes scan came back clean. This is the "new" HijackThis log:

Quote:
Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 1:56:14 PM, on 7/23/2012
Platform: Windows 7 SP1 (WinNT 6.00.3505)
MSIE: Internet Explorer v9.00 (9.00.8112.16447)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskhost.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\ATT-SST\McciTrayApp.exe
C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Users\XXXXXXX\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe
C:\Users\XXXXXXXX\AppData\Local\DIRECTV Player\NDSPCShowServer.exe
C:\Windows\system32\conhost.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Users\XXXXXXXX\AppData\Roaming\Dropbox\bin\Dropbox.exe
C:\Users\XXXXXXXX\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office14\GROOVEEX.DLL
O2 - BHO: Java(tm) Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: URLRedirectionBHO - {B4F3A835-0E21-4959-BA22-42B3008E02FF} - C:\PROGRA~1\MICROS~2\Office14\URLREDIR.DLL
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [ATT-SST_McciTrayApp] "C:\Program Files\ATT-SST\McciTrayApp.exe"
O4 - HKLM\..\Run: [AdobeAAMUpdater-1.0] "C:\Program Files\Common Files\Adobe\OOBE\PDApp\UWA\UpdaterStartupUtility.exe"
O4 - HKLM\..\Run: [AdobeCS6ServiceManager] "C:\Program Files\Common Files\Adobe\CS6ServiceManager\CS6ServiceManager.exe" -launchedbylogin
O4 - HKLM\..\Run: [Logitech Download Assistant] C:\Windows\system32\rundll32.exe C:\Windows\System32\LogiLDA.dll,LogiFetch
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [PSUAMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTray
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [PCShowServer] "C:\Users\CHIPANDSALLY\AppData\Local\DIRECTV Player\PCShowServerPMWrapper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\CHIPANDSALLY\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Dropbox.lnk = CHIPANDSALLY\AppData\Roaming\Dropbox\bin\Dropbox.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office14\EXCEL.EXE/3000
O8 - Extra context menu item: Se&nd to OneNote - res://C:\PROGRA~1\MICROS~2\Office14\ONBttnIE.dll/105
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: Se&nd to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Program Files\Microsoft Office\Office14\ONBttnIE.dll
O9 - Extra button: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra 'Tools' menuitem: OneNote Lin&ked Notes - {789FE86F-6FC4-46A1-9849-EDE0DB0C95CA} - C:\Program Files\Microsoft Office\Office14\ONBttnIELinkedNotes.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O11 - Options group: [ACCELERATED_GRAPHICS] Accelerated graphics
O18 - Filter hijack: text/xml - {807573E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE14\MSOXMLMF.DLL
O23 - Service: Adobe Acrobat Update Service (AdobeARMservice) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe
O23 - Service: AMD External Events Utility - AMD - C:\Windows\system32\atiesrxx.exe
O23 - Service: APC Data Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\dataserv.exe
O23 - Service: APC UPS Service - American Power Conversion Corporation - C:\Program Files\APC\APC PowerChute Personal Edition\mainserv.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: CLDTVHNService - Unknown owner - C:\Program Files\DirecTV\DirecTV\Kernel\DMP\CLDTVHNService.exe
O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logishrd\Bluetooth\LBTServ.exe
O23 - Service: McciCMService - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciCMService.exe
O23 - Service: McciServiceHost - Alcatel-Lucent - C:\Program Files\Common Files\Motive\McciServiceHost.exe
O23 - Service: Mozilla Maintenance Service (MozillaMaintenance) - Mozilla Foundation - C:\Program Files\Mozilla Maintenance Service\maintenanceservice.exe
O23 - Service: Panda Cloud Antivirus Service (NanoServiceMain) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSANHost.exe
O23 - Service: Panda Product Service (PSUAService) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
O23 - Service: Adobe SwitchBoard (SwitchBoard) - Adobe Systems Incorporated - C:\Program Files\Common Files\Adobe\SwitchBoard\SwitchBoard.exe

--
End of file - 7468 bytes
Apparently the instructions you gave me on the Proxy didn't work.
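Added example, not part of any post in this thread: a small Python parser for the HijackThis entry types reviewed above (R0/R1 proxy settings, O4 autoruns, O23 services) that also reports which entries disappeared between two logs. The names `triage`, `removed_entries` and `AV_VENDORS` are hypothetical, and the sample lines are copied from the logs posted in this thread.

```python
import re

# Constructed sample: a few lines copied from the HijackThis logs posted above.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local;127.0.0.1:9421
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
O4 - HKLM\..\Run: [PSUAMain] "C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAMain.exe" /LaunchSysTray
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O23 - Service: avast! Antivirus - AVAST Software - C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
O23 - Service: Canon Inkjet Printer/Scanner/Fax Extended Survey Program (IJPLMSVC) - Unknown owner - C:\Program Files\Canon\IJPLM\IJPLMSVC.EXE
O23 - Service: Panda Product Service (PSUAService) - Panda Security, S.L. - C:\Program Files\Panda Security\Panda Cloud Antivirus\PSUAService.exe
O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
"""

ENTRY = re.compile(r"^([A-Z]\d+) - (.+)$")
# The path is anchored on a drive letter because paths can contain " - ".
SERVICE = re.compile(r"^Service: (.+?) - (.+?) - ([A-Za-z]:\\.*)$")
# Assumption: vendor strings taken from this thread's log, not a complete list.
AV_VENDORS = ("AVAST Software", "Panda Security")


def parse(log_text):
    """Yield (code, body) for every 'R1 - ...' / 'O23 - ...' style entry."""
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Group entries into the categories the review above looks at."""
    report = {"proxy": [], "autoruns": [], "services": [],
              "unknown_owner": [], "av": set()}
    for code, body in parse(log_text):
        if code in ("R0", "R1"):
            left, _, data = body.partition(" =")
            key, _, name = left.rpartition(",")
            # ProxyServer/ProxyEnable hold the proxy; ProxyOverride is its bypass list.
            if key.endswith("Internet Settings") and name.startswith("Proxy"):
                report["proxy"].append((name, data.strip()))
        elif code == "O4":
            report["autoruns"].append(body)
        elif code == "O23":
            m = SERVICE.match(body)
            if not m:
                continue
            name, company, path = m.groups()
            report["services"].append((name, company, path))
            if company == "Unknown owner":
                report["unknown_owner"].append(name)
            report["av"].update(v for v in AV_VENDORS if company.startswith(v))
    return report


def removed_entries(before, after):
    """Entries present in the first log but gone from the second."""
    return sorted(set(parse(before)) - set(parse(after)))


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print("proxy-related settings:", r["proxy"])
    print("antivirus vendors with a service:", sorted(r["av"]))
    print("services listed as 'Unknown owner':", r["unknown_owner"])
```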
Old 07-28-2012, 06:50 AM   #315
Setsuna
Just wanted to say I picked up the FBI malware. What do I do?

Edit: Fixed as far as I know. Just did a System Restore.

Last edited by Setsuna; 07-28-2012 at 09:19 AM.. Reason: cew