# malware issue?, HIJACK log



## lion149

Looking for a little help folks, screen has a dancing mutlicolored coffee cup that pops up on the screen. Can't seem to get rid of it...



Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:03:58 PM, on 12/15/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
c:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\UPHClean\UPHClean.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\WINDOWS\system32\CCM\CcmExec.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Security Management System\MultimaxClientService.exe
C:\WINDOWS\SYSTEM32\DWRCST.exe
C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\CCM\Cache\CEN001FD.2.System\x86\APPV4_6Clientx86Upgrade.EXE
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Security Management System\ServiceMonitor.exe
C:\Program Files\Security Management System\Multimax.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SCServer\SCServer.exe
C:\Documents and Settings\trsecurity\Desktop\HijackThis.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080125
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://tranenettrn1/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080125
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = NOINTERNET
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe"
O1 - Hosts: 206.44.52.245 trnsecurity
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoftGridTray] "C:\Program Files\Microsoft Application Virtualization Client\SFTTray.exe" /autostart
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: Security Management System.lnk = C:\Program Files\Security Management System\Multimax.exe
O4 - Global Startup: SMS Service Monitor.lnk = C:\Program Files\Security Management System\ServiceMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://tranenettrn1/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CORP.IRCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = corp.irco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B906FBFB-BDD6-4276-B47A-4228FF64D3BE}: NameServer = 206.44.51.216,206.44.199.32
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CORP.IRCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.irco.com,ingerrand.com,am.corp.priv,emai.corp.priv,ap.corp.priv,corp.priv,MGDIR.IRCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{B906FBFB-BDD6-4276-B47A-4228FF64D3BE}: NameServer = 206.44.51.216,206.44.199.32
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CORP.IRCO.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.irco.com,ingerrand.com,am.corp.priv,emai.corp.priv,ap.corp.priv,corp.priv,MGDIR.IRCO.COM
O17 - HKLM\System\CS2\Services\Tcpip\..\{B906FBFB-BDD6-4276-B47A-4228FF64D3BE}: NameServer = 206.44.51.216,206.44.199.32
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.irco.com,ingerrand.com,am.corp.priv,emai.corp.priv,ap.corp.priv,corp.priv,MGDIR.IRCO.COM
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SMS Client Services (MultimaxClientService) - Group 4 Technology - C:\Program Files\Security Management System\MultimaxClientService.exe

--
End of file - 9358 bytes


----------



## gamblingman

You need to scan with Malwarebytes before running HiJackThis. Follow the instructions please.

- - - -
Please, don't do anything else on the computer while working with these programs. Close all other open windows before proceeding through these instructions and perform all the below in normal boot, *NOT* safe mode.:


Please download Malwarebytes' Anti-Malware HERE or HERE and save it to your desktop.


Double-click *mbam-setup.ex*e and follow the prompts to install the program.
    At the end, be sure a checkmark is placed next to
o *Update Malwarebytes' Anti-Malware*
        o and *Launch Malwarebytes' Anti-Malware*​
    then click *Finish*.
    If an update is found, it will download and install the latest version. *Please keep updating until it says you have the latest version.*
    Once the program has loaded, select *Perform quick scan*, then click *Scan*.
    When the scan is complete, click *OK*, then *Show Results* to view the results.
    Be sure that everything is checked, and click *Remove Selected*.
    A log will be saved automatically which you can access by clicking on the *Logs *tab within Malwarebytes' Anti-Malware


After running Malwarebytes, create a new HijackThis log:

Click *Do a system scan and save a logfile*
_
Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.


----------



## lion149

I already ran Malwarebytes, but ill do it again and the repost the log...


----------



## lion149

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5324

Windows 5.1.2600 Service Pack 3
Internet Explorer 6.0.2900.5512

12/15/2010 10:34:03 PM
mbam-log-2010-12-15 (22-34-03).txt

Scan type: Full scan (B:\|C:\|)
Objects scanned: 252651
Time elapsed: 38 minute(s), 55 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 3
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\ForceClassicControlPanel (Hijack.ControlPanelStyle) -> Value: ForceClassicControlPanel -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper (PUM.Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSMHelp (PUM.Hijack.Help) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Internet Explorer\Control Panel\HomePage (Hijack.Homepage) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


----------



## johnb35

WE need to see the malwarebytes log please.  What you posted was the hijackthis log.


----------



## johnb35

Is it possible for you to post a screen shot of this coffee cup?


----------



## lion149

eh not really kind of a pain, when you remote connect to the pc you do not see it. 

Its simple, it is a box that bounces around the screen similar to the way a screen saver would. After each bounce it will change color, and it appreas to have a symbol that resembles a coffee cup in the middle.


----------



## johnb35

Lets get a better feel for whats going on with the system, please do the following.

*Download and Run ComboFix*
*If you already have Combofix, please delete this copy and download it again as it's being updated regularly.*

*Download this file* here :

http://www.bleepingcomputer.com/download/anti-virus/combofix

Then double click *combofix.exe* & follow the prompts.
When finished, it shall produce *a log* for you. *Post that log* in your next reply
*Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall*

Combofix should never take more that 20 minutes including the reboot if malware is detected.


In your next reply please post:

The ComboFix log
A fresh HiJackThis log
An update on how your computer is running


----------



## lion149

The pc's performance is not poor by any means, this is really just annoying, i have no idea why someone would bother to create this ha


ComboFix 10-12-16.02 - trsecurity 12/16/2010  18:59:40.1.2 - x86
Microsoft Windows XP Professional  5.1.2600.3.1252.1.1033.18.981.372 [GMT -5:00]
Running from: c:\documents and settings\trsecurity\Desktop\ComboFix.exe
AV: Microsoft Forefront Client Security *Enabled/Updated* {926A3D4F-E4E7-4F47-9902-4EDD55FFE1AF}
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat

----- BITS: Possible infected sites -----

hxxp://trtwsus:8530
.
(((((((((((((((((((((((((   Files Created from 2010-11-17 to 2010-12-17  )))))))))))))))))))))))))))))))
.

2010-12-16 20:51 . 2010-12-16 20:51	--------	d-----w-	c:\documents and settings\trahs
2010-12-16 16:19 . 2010-12-16 16:19	--------	d-----w-	c:\windows\LastGood
2010-12-16 02:53 . 2010-11-29 22:42	38224	----a-w-	c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-16 02:53 . 2010-11-29 22:42	20952	----a-w-	c:\windows\system32\drivers\mbam.sys
2010-12-15 22:01 . 2010-12-15 22:01	--------	d-----w-	c:\windows\system32\wbem\Repository
2010-12-15 16:06 . 2010-12-15 16:06	--------	d-----w-	c:\documents and settings\trsecurity\Application Data\Malwarebytes
2010-12-15 16:06 . 2010-12-15 16:06	--------	d-----w-	c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-15 16:06 . 2010-12-16 02:53	--------	d-----w-	c:\program files\Malwarebytes' Anti-Malware
2010-12-07 12:00 . 2010-12-16 03:38	--------	d-----w-	c:\program files\Passlogix
2010-12-02 17:19 . 2010-12-02 17:21	--------	d-----w-	c:\documents and settings\trsecurity\Application Data\Xerox
2010-12-02 17:19 . 2010-12-02 17:19	--------	d-----w-	c:\documents and settings\All Users\Application Data\Xerox

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-12 23:53 . 2010-09-10 21:52	472808	----a-w-	c:\windows\system32\deployJava1.dll
2010-11-12 21:34 . 2008-04-03 15:28	73728	----a-w-	c:\windows\system32\javacpl.cpl
2010-11-10 04:33 . 2010-07-13 07:17	6273872	----a-w-	c:\documents and settings\All Users\Application Data\Microsoft\Microsoft Forefront\Client Security\Client\Antimalware\Definition Updates\Backup\mpengine.dll
2010-10-19 20:51 . 2009-10-08 13:50	222080	------w-	c:\windows\system32\MpSigStub.exe
2010-09-18 16:23 . 2004-08-11 22:00	974848	----a-w-	c:\windows\system32\mfc42u.dll
2010-09-18 06:53 . 2004-08-11 22:00	974848	----a-w-	c:\windows\system32\mfc42.dll
2010-09-18 06:53 . 2004-08-11 22:00	954368	----a-w-	c:\windows\system32\mfc40.dll
2010-09-18 06:53 . 2004-08-11 22:00	953856	----a-w-	c:\windows\system32\mfc40u.dll
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-06-28 141848]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-06-28 162328]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-06-28 137752]
"SunJavaUpdateSched"="c:\program files\Common Files\Java\Java Update\jusched.exe" [2010-05-14 248552]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2007-07-27 178712]
"SoundMAXPnP"="c:\program files\Analog Devices\Core\smax4pnp.exe" [2007-09-25 1036288]
"PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 118784]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-12 39792]
"MsmqIntCert"="mqrt.dll" [2009-06-25 177152]
"SoftGridTray"="c:\program files\Microsoft Application Virtualization Client\SFTTray.exe" [2009-02-16 771416]
"MSN Toolbar"="c:\program files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe" [2010-02-12 240992]
"Microsoft Default Manager"="c:\program files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" [2009-07-17 288080]
"Microsoft Forefront Client Security Antimalware Service"="c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" [2010-07-20 1033600]
"DameWare MRC Agent"="c:\windows\system32\DWRCST.exe" [2010-04-07 85528]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"TSClientMSIUninstaller"="c:\windows\Installer\TSClientMsiTrans\tscuinst.vbs" [2007-10-30 13801]
"TSClientAXDisabler"="c:\windows\Installer\TSClientMsiTrans\tscdsbl.bat" [2008-01-19 2247]

c:\documents and settings\trsecurity\Start Menu\Programs\Startup\
Security Management System.lnk - c:\program files\Security Management System\Multimax.exe [2007-3-19 14262272]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SMS Service Monitor.lnk - c:\program files\Security Management System\ServiceMonitor.exe [2007-3-19 180224]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableChangePassword"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoFavoritesMenu"= 1 (0x1)
"NoSMHelp"= 1 (0x1)
"NoSMMyPictures"= 1 (0x1)
"NoSMConfigurePrograms"= 1 (0x1)
"NoCloseDragDropBands"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-129962\Scripts\Logon\0\0]
"Script"=TRN_IT.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-129962\Scripts\Logon\0\1]
"Script"=Prdlogin.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-155707\Scripts\Logon\0\0]
"Script"=TRN_IT.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-155707\Scripts\Logon\0\1]
"Script"=Trnlogin.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-155707\Scripts\Logon\0\2]
"Script"=Apply Patch and Backup.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-155707\Scripts\Logon\0\3]
"Script"=Saftey Page Open.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-155707\Scripts\Logon\0\4]
"Script"=xmlout.cmd

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-1312930728-1107937768-2541483392-155707\Scripts\Logon\0\5]
"Script"=PSTfind.bat

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3289705215-1832128825-2807327032-259017\Scripts\Logon\0\0]
"Script"=IETrustedZones.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3289705215-1832128825-2807327032-259017\Scripts\Logon\1\0]
"Script"=Proxy.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3289705215-1832128825-2807327032-259017\Scripts\Logon\2\0]
"Script"=TRN_IT.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3289705215-1832128825-2807327032-259017\Scripts\Logon\2\1]
"Script"=Prdlogin.VBS

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-3289705215-1832128825-2807327032-259017\Scripts\Logon\2\2]
"Script"=TRN_FOREFRONT.vbs

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\FCSAM]
@="Service"

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\WINDOWS\\system32\\mqsvc.exe"=
"c:\\Program Files\\Security Management System\\MultimaxClientService.exe"=
"c:\\Program Files\\Security Management System\\Multimax.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"= 3389:TCPxpsp2res.dll,-22009
"135:TCP"= 135:TCP:Unspecified

R1 dwvkbd;DameWare Virtual Keyboard 32 bit Driver;c:\windows\system32\drivers\dwvkbd.sys [2/15/2007 7:00 AM 26624]
R2 ASFAgent;ASF Agent;c:\program files\Intel\ASF Agent\ASFAgent.exe [1/23/2007 3:58 AM 133968]
R2 FCSAM;Microsoft Forefront Client Security Antimalware Service;c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe [7/20/2010 11:09 AM 16896]
R2 FcsSas;Microsoft Forefront Client Security State Assessment Service;c:\program files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe [10/22/2009 6:31 PM 69512]
R2 MOM;MOM;c:\program files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe [7/21/2005 10:14 AM 134656]
R2 MultimaxClientService;SMS Client Services;c:\program files\Security Management System\MultimaxClientService.exe [3/19/2007 5:35 AM 2273280]
R2 sftlist;Application Virtualization Client;c:\program files\Microsoft Application Virtualization Client\sftlist.exe [2/16/2009 7:47 AM 424808]
R3 DwMirror;DwMirror;c:\windows\system32\drivers\DamewareMini.sys [2/7/2007 7:00 AM 3712]
R3 sftfs;sftfs;c:\program files\Microsoft Application Virtualization Client\drivers\SftFSXP.sys [2/16/2009 7:47 AM 465752]
R3 sftplay;sftplay;c:\program files\Microsoft Application Virtualization Client\drivers\sftplayxp.sys [2/16/2009 7:47 AM 188264]
R3 Sftredir;Sftredir;c:\windows\system32\drivers\Sftredirxp.sys [2/16/2009 7:47 AM 21864]
R3 sftvol;sftvol;c:\program files\Microsoft Application Virtualization Client\drivers\SftVolXP.sys [2/16/2009 7:47 AM 12648]
R3 sftvsa;Application Virtualization Service Agent;c:\program files\Microsoft Application Virtualization Client\sftvsa.exe [2/16/2009 7:47 AM 186728]
S2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3/18/2010 12:16 PM 130384]
S3 AsfAlrt;AsfAlrt Service;c:\windows\system32\drivers\Asfalrt.sys [1/23/2007 3:45 AM 42832]
S3 pmxmouse;PMXMOUSE;c:\windows\system32\drivers\pmxmouse.sys [2/13/2008 8:39 AM 18432]
S3 pmxusblf;PMXUSBLF;c:\windows\system32\drivers\pmxusblf.sys [2/13/2008 8:39 AM 14336]
S3 WinRM;Windows Remote Management (WS-Management);c:\windows\system32\svchost.exe -k WINRM [8/11/2004 5:00 PM 14336]
S3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [3/18/2010 12:16 PM 753504]
S4 eikvriqxo;eikvriqxo;c:\windows\system32\svchost.exe -k netsvcs [8/11/2004 5:00 PM 14336]

--- Other Services/Drivers In Memory ---

*Deregistered* - uphcleanhlp

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
WINRM	REG_MULTI_SZ   	WINRM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost  - NetSvcs
eikvriqxo
.
Contents of the 'Scheduled Tasks' folder

2010-12-16 c:\windows\Tasks\MP Scheduled Quick Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-07-20 16:09]

2010-12-16 c:\windows\Tasks\MP Scheduled Scan.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-07-20 16:09]

2010-12-16 c:\windows\Tasks\MP Scheduled Signature Update.job
- c:\program files\Microsoft Forefront\Client Security\Client\Antimalware\MpCmdRun.exe [2010-07-20 16:09]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080125
mStart Page = hxxp://www.dell.com
uInternet Settings,ProxyServer = NOINTERNET
uInternet Settings,ProxyOverride = <local>
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~2\Office12\EXCEL.EXE/3000
TCP: {B906FBFB-BDD6-4276-B47A-4228FF64D3BE} = 206.44.51.216,206.44.199.32
.
- - - - ORPHANS REMOVED - - - -

AddRemove-{92F2A534-C3E4-4B18-BEBD-329F5E848C8B} - c:\program files\Altiris\Altiris Agent\AeXNSAgent.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-16 19:06
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...  

scanning hidden autostart entries ... 

scanning hidden files ...  

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-12-16  19:09:30
ComboFix-quarantined-files.txt  2010-12-17 00:09

Pre-Run: 64,059,740,160 bytes free
Post-Run: 64,715,542,528 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

- - End Of File - - 415AE2A2ECAC63C06AFBFFE06432B62B

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 7:32:29 PM, on 12/16/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft Application Virtualization Client\sftvsa.exe
C:\WINDOWS\System32\snmp.exe
C:\Program Files\UPHClean\UPHClean.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\Microsoft Operations Manager 2005\MOMService.exe
C:\WINDOWS\system32\mqsvc.exe
C:\Program Files\Microsoft Application Virtualization Client\sftlist.exe
C:\WINDOWS\system32\mqtgsvc.exe
C:\Program Files\Security Management System\MultimaxClientService.exe
C:\Program Files\Microsoft Application Virtualization Client\sftdcc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\Common Files\Java\Java Update\jusched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Security Management System\ServiceMonitor.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe
c:\Program Files\Microsoft Forefront\Client Security\Client\SSA\FcsSas.exe
C:\Program Files\Microsoft\Search Enhancement Pack\SeaPort\SeaPort.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\trsecurity\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3080125
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = NOINTERNET
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Search Helper - {6EBF7485-159F-4bff-A14F-B9E3AAC4465B} - C:\Program Files\Microsoft\Search Enhancement Pack\Search Helper\SEPsearchhelperie.dll
O2 - BHO: Windows Live ID Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: MSN Toolbar BHO - {d2ce3e00-f94a-4740-988e-03dc2f38c34f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: MSN Toolbar - {8dcb7100-df86-4384-8842-8fa844297b3f} - C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\npwinext.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [SoftGridTray] "C:\Program Files\Microsoft Application Virtualization Client\SFTTray.exe" /autostart
O4 - HKLM\..\Run: [MSN Toolbar] "C:\Program Files\MSN Toolbar\Platform\4.0.0401.0\mswinext.exe"
O4 - HKLM\..\Run: [Microsoft Default Manager] "C:\Program Files\Microsoft\Search Enhancement Pack\Default Manager\DefMgr.exe" -resume
O4 - HKLM\..\Run: [Microsoft Forefront Client Security Antimalware Service] "c:\Program Files\Microsoft Forefront\Client Security\Client\Antimalware\MSASCui.exe" -hide
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.bat" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
O4 - Startup: Security Management System.lnk = C:\Program Files\Security Management System\Multimax.exe
O4 - Global Startup: SMS Service Monitor.lnk = C:\Program Files\Security Management System\ServiceMonitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://tranenettrn1/
O16 - DPF: {05CA9FB0-3E3E-4B36-BF41-0E3A5CAA8CD8} (Office Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=58813
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = CORP.IRCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = corp.irco.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B906FBFB-BDD6-4276-B47A-4228FF64D3BE}: NameServer = 206.44.51.216,206.44.199.32
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = CORP.IRCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = CORP.IRCO.COM,INGERRAND.COM,MGDIR.IRCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\..\{B906FBFB-BDD6-4276-B47A-4228FF64D3BE}: NameServer = 206.44.51.216,206.44.199.32
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = CORP.IRCO.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = CORP.IRCO.COM,INGERRAND.COM,MGDIR.IRCO.COM
O17 - HKLM\System\CS2\Services\Tcpip\..\{B906FBFB-BDD6-4276-B47A-4228FF64D3BE}: NameServer = 206.44.51.216,206.44.199.32
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = CORP.IRCO.COM,INGERRAND.COM,MGDIR.IRCO.COM
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: SMS Client Services (MultimaxClientService) - Group 4 Technology - C:\Program Files\Security Management System\MultimaxClientService.exe

--
End of file - 8548 bytes


----------



## johnb35

There is a lot of login scripts there.  Do you know anything about them?                                                                                                                                                                                                                                                                                                                
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.v bs" (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientAXDisabler] cmd.exe /C "%systemroot%\Installer\TSClientMsiTrans\tscdsbl.b at" (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.v bs" (User 'Default user')

Is this a personal computer or a work computer?


----------



## lion149

This is a work pc i have been stuck on...


----------



## johnb35

Since this is a work computer, we can no longer help you.  You need to get assistance from the network admin.


----------



## lion149

I am the network admin...at this point it really doesn’t matter, im a just going to back up the data and zti it on Monday. I just wanted to avoid losing my time to do so, thank you for your help.


----------



## lion149

Random: I meant to post this up since it was such odd issue, godforbid someonelse run into it could save them a headache

The above post about potential malware turned out to be a screen saver built into the monitor.
I am not kidding it is some off no name brand monitor and under settings (the user accidentally pushed this) is a small dancing coffee cup screen saver option.

Just thought id share...if it helps 1 person in this world this was worth typing in my eye's.


----------



## scotter

*How to restore/fix display?*

Hi all,
I've got the display hijack issue.
An AV scan hit 1.7m files, so everything should be on the drive.  
Most icons are gone.  The few that are left all work.
start -> all programs ....<empty>
my computer -> C ....shows no files or folders.
Anything I can do to recover?  
Anything I can check in the registry?
Thanks,
Scott


----------



## johnb35

scotter said:


> Hi all,
> I've got the display hijack issue.
> An AV scan hit 1.7m files, so everything should be on the drive.
> Most icons are gone.  The few that are left all work.
> start -> all programs ....<empty>
> my computer -> C ....shows no files or folders.
> Anything I can do to recover?
> Anything I can check in the registry?
> Thanks,
> Scott



Please run the following and post the logs first.

Please download Malwarebytes' Anti-Malware from *here* or *here* and save it to your desktop.

Double-click *mbam-setup.exe* and follow the prompts to install the program.
At the end, be sure a checkmark is placed next to
*Update Malwarebytes' Anti-Malware*
and *Launch Malwarebytes' Anti-Malware*
 
then click *Finish*.
If an update is found, it will download and install the latest version.  *Please keep updating until it says you have the latest version.*
Once the program has loaded, select *Perform quick scan*, then click *Scan*.
When the scan is complete, click *OK*, then *Show Results* to view the results.
Be sure that everything is checked, and click *Remove Selected*.
A log will be saved automatically which you can access by clicking on the *Logs* tab within Malwarebytes' Anti-Malware

If for some reason Malwarebytes will not install or run please download and run Rkill.scr,  Rkill.exe, or Rkill.com  but *DO NOT *reboot the system and then try installing or running Malwarebytes.  If Rkill (which is a black box) appears and then disappears right away or you get a message saying rkill is infected, keep trying to run rkill until it over powers the infection and temporarily kills it.  Once a log appears on the screen, you can try running malwarebytes or downloading other programs.



Download the HijackThis installer from *here*.  
Run the installer and choose *Install*, indicating that you accept the licence agreement.  The installer will place a shortcut on your desktop and launch HijackThis.

Click *Do a system scan and save a logfile*

_Most of what HijackThis lists will be harmless or even essential, don't fix anything yet._

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log


----------

