Virus or???

jjonsalt

New Member
Yesterday I was using my laptop, Dell XPS M 1330, Vista Home Premium 32 bit, when the attached came up on my screen. I was online but had not been to any site that I don't normally frequent. I had not opened, nor do I ever open, any email I don't know for sure is OK. The only thing different was I had tried, without success, to uninstall a program (ESTsoft) because it seemed connected to the warning I was getting. I tried both directly (uninstall in Explorer) and via Control Panel. I can't use the internet regardless of what browser I try. Ideas?
 
Please use a USB flash drive to transfer a downloaded copy of ComboFix (link to download is below) to the infected computer's desktop and run it. When downloading ComboFix, when it asks you to save it, rename it to combo-fix, not the default combofix. Renaming the file should allow it to run. You may need to run it in safe mode.

If you still can't get combofix to run then download and run rkill.scr to kill the active infection so you can run combofix. But do not reboot the system after running rkill until you can get combofix to run. The infection may stop rkill from running fully. If a black screen pops up and then goes away, just keep trying to run rkill in succession until it completes. There will be a log that pops up when done and if it says that it killed a process then you should have access to internet and downloading again. In that case download and run the following programs.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.


Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.


Download and Run ComboFix
If you already have Combofix, please delete this copy and download it again as it's being updated regularly.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

ComboFix should never take more than 20 minutes including the reboot if malware is detected.


In your next reply please post:
  • The ComboFix log
  • A fresh HiJackThis log
  • An update on how your computer is running
 
I had to use "Safe Mode". I tried to copy and paste to Word, PhotoShop, etc. but got a message that the program was to be deleted. I hope this attachment works.
 
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box

Code:
File::
c:\users\Craig\AppData\Local\awobiwelohawuro.dll
c:\users\Craig\AppData\Local\ulozudana.dll
c:\users\Craig\AppData\Local\iyaveraxif.dll
c:\users\Craig\AppData\Local\Lkudiduhakat.dat
c:\users\Craig\AppData\Local\abeyezevuqana.dll

3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


[Screenshot: CFScript-1.gif]


ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.

In my last post I asked you to run Malwarebytes and HijackThis, and I don't see the logs. Please do the following. There is no need to attach the logs, just copy and paste them into your reply.

Please download Malwarebytes' Anti-Malware from here or here and save it to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to
    • Update Malwarebytes' Anti-Malware
    • and Launch Malwarebytes' Anti-Malware
  • then click Finish.
  • If an update is found, it will download and install the latest version. Please keep updating until it says you have the latest version.
  • Once the program has loaded, select Perform quick scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • A log will be saved automatically which you can access by clicking on the Logs tab within Malwarebytes' Anti-Malware.


Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.

Post the logfile that HijackThis produces along with the Malwarebytes Anti-Malware log.
 
Hi again. When I tried to join the text (renamed to CFScript.txt) to ComboFix on the desktop I got the first message below on the affected laptop (Windows Home Premium 32 bit). I thought I would do the procedure on my desktop (Windows Home Premium 64 bit) and then transfer the joined result to my laptop, but then I got the second message below. What would you please suggest now? Thanks.
 
ComboFix can't be run on a 64 bit system. Please run Malwarebytes and HijackThis and post the logs; we will go back to ComboFix later.
 
Let me ask this: I have another laptop that uses XP 32 bit. Should I try joining on it and transferring to the affected laptop?
 
Malwarebytes is outdated, you need to update it. Open malwarebytes, click on the update tab, click on check for updates, keep doing this until it says you have the latest version. Then do a quick scan on your system, a full scan is not needed.

You also gave me the wrong ComboFix log. I need the one that was created after you ran the script I gave you.

I need a hijackthis log also.

Download the HijackThis installer from here.
Run the installer and choose Install, indicating that you accept the licence agreement. The installer will place a shortcut on your desktop and launch HijackThis.

Click Do a system scan and save a logfile.

Most of what HijackThis lists will be harmless or even essential, don't fix anything yet.
 
Trying again, hope I get it right this time. When I tried to save one of the files (see photo below) I got a message that I couldn't. I included the file from the last one I sent. Cont in 2nd post.
 
Please do not attach logs. just copy and paste the logs into your reply. The attachments don't work.
 
ComboFix 10-09-12.04 - Craig 09/16/2010 9:14.1.2 - x86 MINIMAL
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.1.1033.18.3581.2969 [GMT -4:00]
Running from: h:\new folder\Combo-Fix.exe
SP: Windows Defender *disabled* (Updated) {D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}
.

((((((((((((((((((((((((( Files Created from 2010-08-16 to 2010-09-16 )))))))))))))))))))))))))))))))
.

2010-09-16 13:19 . 2010-09-16 13:19 -------- d-----w- c:\users\Craig\AppData\Local\temp
2010-09-16 13:19 . 2010-09-16 13:19 -------- d-----w- c:\users\Public\AppData\Local\temp
2010-09-16 13:19 . 2010-09-16 13:19 -------- d-----w- c:\users\Default\AppData\Local\temp
2010-09-16 13:12 . 2010-09-16 13:13 -------- d-----w- C:\32788R22FWJFW
2010-09-15 20:12 . 2010-09-15 20:12 -------- d-----w- c:\program files\Trend Micro
2010-09-15 20:11 . 2010-09-15 20:11 -------- d-----w- c:\users\Craig\AppData\Roaming\Malwarebytes
2010-09-15 20:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-09-15 20:10 . 2010-09-15 20:10 -------- d-----w- c:\programdata\Malwarebytes
2010-09-15 20:10 . 2010-04-29 19:39 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-09-15 20:10 . 2010-09-15 20:10 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-09-13 13:27 . 2010-09-13 13:37 -------- d-----w- C:\Combo-Fix
2010-09-13 13:15 . 2010-09-13 13:15 2838 ----a-w- c:\users\Craig\AppData\Local\awobiwelohawuro.dll
2010-09-13 10:23 . 2010-09-13 10:23 2838 ----a-w- c:\users\Craig\AppData\Local\ulozudana.dll
2010-09-13 02:28 . 2010-09-13 02:28 2838 ----a-w- c:\users\Craig\AppData\Local\iyaveraxif.dll
2010-09-13 02:09 . 2010-09-13 13:08 2838 ----a-w- c:\users\Craig\AppData\Local\Lkudiduhakat.dat
2010-09-13 02:09 . 2010-09-13 02:09 2838 ----a-w- c:\users\Craig\AppData\Local\abeyezevuqana.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-09-13 13:14 . 2010-03-29 15:06 31871 ----a-w- c:\programdata\nvModes.dat
2010-09-13 02:30 . 2010-03-29 00:00 12 ----a-w- c:\windows\bthservsdp.dat
2010-09-11 23:03 . 2010-04-08 16:53 1 ----a-w- c:\users\Craig\AppData\Roaming\OpenOffice.org\3\user\uno_packages\cache\stamp.sys
2010-09-04 13:16 . 2010-05-20 16:49 -------- d-----w- c:\program files\Microsoft Silverlight
2010-08-16 18:27 . 2010-03-28 22:33 72840 ----a-w- c:\users\Craig\AppData\Local\GDIPFONTCACHEV1.DAT
2010-08-15 22:35 . 2010-04-08 16:49 -------- d-----w- c:\program files\OpenOffice.org 3
2010-08-14 07:05 . 2010-03-31 00:01 -------- d-----w- c:\program files\Microsoft Works
2010-08-14 07:02 . 2006-11-02 11:18 -------- d-----w- c:\program files\Windows Mail
2010-07-31 20:12 . 2010-07-31 20:12 -------- d-----w- c:\users\Craig\AppData\Roaming\TeamViewer
2010-07-15 15:31 . 2010-04-03 02:48 243024 ----a-w- c:\windows\system32\drivers\avgtdix.sys
2010-07-15 15:31 . 2010-07-15 15:31 12536 ----a-w- c:\windows\system32\avgrsstx.dll
2010-07-15 15:31 . 2010-04-03 02:48 216400 ----a-w- c:\windows\system32\drivers\avgldx86.sys
2010-07-12 18:32 . 2010-07-15 12:40 822784 ----a-w- c:\users\Craig\AppData\Roaming\Mozilla\Firefox\Profiles\xjzknkju.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
2010-06-26 06:05 . 2010-08-13 22:43 916480 ----a-w- c:\windows\system32\wininet.dll
2010-06-26 06:02 . 2010-08-13 22:43 71680 ----a-w- c:\windows\system32\iesetup.dll
2010-06-26 06:02 . 2010-08-13 22:43 109056 ----a-w- c:\windows\system32\iesysprep.dll
2010-06-26 04:25 . 2010-08-13 22:43 133632 ----a-w- c:\windows\system32\ieUnatt.exe
2010-06-21 13:37 . 2010-08-13 22:43 2037760 ----a-w- c:\windows\system32\win32k.sys
2010-06-18 17:31 . 2010-08-13 22:43 36864 ----a-w- c:\windows\system32\rtutils.dll
2010-06-18 15:04 . 2010-08-13 22:42 302080 ----a-w- c:\windows\system32\drivers\srv.sys
2010-06-18 15:04 . 2010-08-13 22:42 144896 ----a-w- c:\windows\system32\drivers\srv2.sys
2007-02-21 19:49 . 2007-02-21 19:49 8192 --sha-w- c:\windows\Users\Default\NTUSER.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender"="c:\program files\Windows Defender\MSASCui.exe" [2008-01-19 1008184]
"OEM02Mon.exe"="c:\windows\OEM02Mon.exe" [2007-05-10 36864]
"OEM02Cfg.exe"="OEM02Cfg.exe" [2007-10-11 28672]
"SigmatelSysTrayApp"="c:\program files\SigmaTel\C-Major Audio\WDM\sttray.exe" [2007-09-13 405504]
"RemoteControl"="c:\program files\CyberLink\PowerDVD\PDVDServ.exe" [2003-11-01 32768]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 9.0\Reader\Reader_sl.exe" [2010-06-20 35760]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-06-09 976832]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"GrpConv"="grpconv -o" [X]
"Malwarebytes' Anti-Malware"="c:\program files\Malwarebytes' Anti-Malware\mbamgui.exe" [2010-04-29 437584]

c:\programdata\Microsoft\Windows\Start Menu\Programs\Startup\
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2010-3-28 50688]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableUIADesktopToggle"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WinDefend]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe ARM]
2010-06-09 08:06 976832 ----a-w- c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-06-20 02:04 35760 ----a-w- c:\program files\Adobe\Reader 9.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeCS4ServiceManager]
2008-08-14 14:58 611712 ----a-w- c:\program files\Common Files\Adobe\CS4ServiceManager\CS4ServiceManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG9_TRAY]
2010-07-15 15:31 2065760 ----a-w- c:\progra~1\AVG\AVG9\avgtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Broadcom Wireless Manager UI]
2008-10-13 21:17 3563520 ----a-w- c:\windows\System32\WLTRAY.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
2009-06-16 17:27 13793824 ----a-w- c:\windows\System32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NVHotkey]
2009-06-16 17:27 92704 ----a-w- c:\windows\System32\nvhotkey.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2010-01-11 22:21 246504 ----a-w- c:\program files\Common Files\Java\Java Update\jusched.exe

R1 AvgLdx86;AVG Free AVI Loader Driver x86;c:\windows\system32\Drivers\avgldx86.sys [2010-07-15 216400]
R1 AvgTdiX;AVG Free Network Redirector;c:\windows\system32\Drivers\avgtdix.sys [2010-07-15 243024]
R2 AESTFilters;Andrea ST Filters Service;c:\windows\system32\aestsrv.exe [2007-09-20 73728]
R2 avg9emc;AVG Free E-mail Scanner;c:\program files\AVG\AVG9\avgemc.exe [2010-07-21 921952]
R2 avg9wd;AVG Free WatchDog;c:\program files\AVG\AVG9\avgwdsvc.exe [2010-07-15 308136]
R2 clr_optimization_v4.0.30319_32;Microsoft .NET Framework NGEN v4.0.30319_X86;c:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [2010-03-18 130384]
R3 AVerBDA6x;AVerBDA6x service;c:\windows\system32\DRIVERS\AVerBDA716x.sys [2008-06-23 1020160]
R3 b57nd60x;Broadcom NetXtreme Gigabit Ethernet - NDIS 6.0;c:\windows\system32\DRIVERS\b57nd60x.sys [2007-02-26 179712]
R3 WPFFontCache_v0400;Windows Presentation Foundation Font Cache 4.0.0.0;c:\windows\Microsoft.NET\Framework\v4.0.30319\WPF\WPFFontCache_v0400.exe [2010-03-18 753504]


[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs REG_MULTI_SZ BthServ
LocalServiceAndNoImpersonation REG_MULTI_SZ FontCache
.
.
------- Supplementary Scan -------
.
uInternet Settings,ProxyServer = http=127.0.0.1:6092
uInternet Settings,ProxyOverride = <local>
IE: {{572E3910-4764-4E88-8929-176B2B192FF7} - c:\program files\ESTsoft\ALPass\ALPass.exe
FF - ProfilePath - c:\users\Craig\AppData\Roaming\Mozilla\Firefox\Profiles\xjzknkju.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.msnbc.msn.com/
FF - component: c:\program files\AVG\AVG9\Firefox\components\avgssff.dll
FF - component: c:\users\Craig\AppData\Roaming\Mozilla\Firefox\Profiles\xjzknkju.default\extensions\[email protected]\platform\WINNT_x86-msvc\components\lpxpcom.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

---- FIREFOX POLICIES ----
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgbaam7a8h", true);
c:\program files\Mozilla Firefox\greprefs\all.js - pref("network.IDN.whitelist.xn--mgberp4a5d4ar", true);
c:\program files\Mozilla Firefox\defaults\pref\firefox.js - pref("dom.ipc.plugins.enabled", false);
.
- - - - ORPHANS REMOVED - - - -

HKLM-RunOnce-<NO NAME> - (no file)



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-09-16 09:19
Windows 6.0.6002 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2010-09-16 09:20:11
ComboFix-quarantined-files.txt 2010-09-16 13:20
ComboFix2.txt 2010-09-13 13:37

Pre-Run: 158,130,880,512 bytes free
Post-Run: 158,101,729,280 bytes free

- - End Of File - - 14846599C496B148245F902D1A8334E7


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:39:55 PM, on 9/15/2010
Platform: Windows Vista SP2 (WinNT 6.00.1906)
MSIE: Internet Explorer v8.00 (8.00.6001.18943)
Boot mode: Safe mode

Running processes:
C:\Windows\Explorer.EXE
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: ALPassHelper Class - {00533B73-E574-46E9-B06A-FDF4592E67CB} - C:\Program Files\ESTsoft\ALPass\ApsHelper14.dll
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG9\avgssie.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [OEM02Mon.exe] C:\Windows\OEM02Mon.exe
O4 - HKLM\..\Run: [OEM02Cfg.exe] OEM02Cfg.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] %ProgramFiles%\SigmaTel\C-Major Audio\WDM\sttray.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
O9 - Extra button: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ESTsoft\ALPass\ALPass.exe
O9 - Extra 'Tools' menuitem: ALPass - {572E3910-4764-4E88-8929-176B2B192FF7} - C:\Program Files\ESTsoft\ALPass\ALPass.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG9\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\system32\aestsrv.exe
O23 - Service: AVG Free E-mail Scanner (avg9emc) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgemc.exe
O23 - Service: AVG Free WatchDog (avg9wd) - AVG Technologies CZ, s.r.o. - C:\Program Files\AVG\AVG9\avgwdsvc.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\514\g2aservice.exe
O23 - Service: NVIDIA Display Driver Service (nvsvc) - NVIDIA Corporation - C:\Windows\system32\nvvsvc.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - IDT, Inc. - C:\Windows\system32\STacSV.exe
O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\Windows\System32\WLTRYSVC.EXE

--
End of file - 4554 bytes


Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4052

Windows 6.0.6002 Service Pack 2 (Safe Mode)
Internet Explorer 8.0.6001.18943

9/16/2010 9:10:19 AM
mbam-log-2010-09-16 (09-10-19).txt

Scan type: Quick scan
Objects scanned: 112907
Time elapsed: 3 minute(s), 19 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
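Added example, not code from the thread or from any of the tools named in it: a small Python checker that runs over lines copied from the HijackThis and ComboFix logs above and flags the two things worth looking at first: the per-user ProxyServer entry pointing at 127.0.0.1:6092 (a loopback proxy that nothing legitimate listens on stops every browser that follows the system proxy setting, which matches "can't use the internet regardless of what browser I try"), and the cluster of equal-size, randomly named files created under AppData\Local that the helper's CFScript listed. The sample lines are constructed from the posted logs; the cluster threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis and ComboFix output
# posted in the thread, plus benign lines for contrast.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:6092
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
2010-09-13 13:15 . 2010-09-13 13:15 2838 ----a-w- c:\users\Craig\AppData\Local\awobiwelohawuro.dll
2010-09-13 10:23 . 2010-09-13 10:23 2838 ----a-w- c:\users\Craig\AppData\Local\ulozudana.dll
2010-09-13 02:28 . 2010-09-13 02:28 2838 ----a-w- c:\users\Craig\AppData\Local\iyaveraxif.dll
2010-09-13 02:09 . 2010-09-13 13:08 2838 ----a-w- c:\users\Craig\AppData\Local\Lkudiduhakat.dat
2010-09-13 02:09 . 2010-09-13 02:09 2838 ----a-w- c:\users\Craig\AppData\Local\abeyezevuqana.dll
2010-08-16 18:27 . 2010-03-28 22:33 72840 ----a-w- c:\users\Craig\AppData\Local\GDIPFONTCACHEV1.DAT
2010-09-15 20:10 . 2010-04-29 19:39 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
"""

PROXY_RE = re.compile(r"ProxyServer\s*=\s*(\S+)")
# ComboFix file entry: "created . modified size attributes path"
CF_FILE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. (\d{4}-\d{2}-\d{2} \d{2}:\d{2}) (\d+) (\S+) (.+)$"
)
LOOPBACK_PREFIXES = ("127.", "localhost", "::1")


def find_loopback_proxy(lines):
    """Return proxy entries (e.g. 'http=127.0.0.1:6092') that route browser
    traffic to the local machine. IE honours this per-user value, and any
    browser set to 'use system proxy settings' inherits it."""
    hits = []
    for line in lines:
        m = PROXY_RE.search(line)
        if not m:
            continue
        # The value is either 'host:port' or 'scheme=host:port;scheme=...'
        for entry in m.group(1).split(";"):
            host = entry.split("=", 1)[-1].rsplit(":", 1)[0]
            if host.startswith(LOOPBACK_PREFIXES):
                hits.append(entry)
    return hits


def find_file_clusters(lines, min_count=3):
    """Group ComboFix 'Files Created' entries under AppData\\Local by byte
    size. Several equal-size files with unrelated random names dropped into
    the same user folder is the pattern the CFScript in the thread listed.
    min_count is an assumed threshold, not a ComboFix rule."""
    by_size = defaultdict(list)
    for line in lines:
        m = CF_FILE_RE.match(line.strip())
        if not m:
            continue
        _created, _modified, size, _attrs, path = m.groups()
        if "\\appdata\\local\\" not in path.lower():
            continue
        by_size[int(size)].append(path)
    return {size: paths for size, paths in by_size.items() if len(paths) >= min_count}


def make_cfscript(paths):
    """Render the paths in the 'File::' form shown in the helper's post."""
    return "File::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.strip().splitlines()
    print("loopback proxies:", find_loopback_proxy(log_lines))
    for size, paths in find_file_clusters(log_lines).items():
        print(f"{len(paths)} files of {size} bytes under AppData\\Local")
        print(make_cfscript(paths))
```

Resetting the proxy value (or unticking "Use a proxy server" in Internet Options) is what restores browsing once the process behind it is gone; the file cluster is what the CFScript step removes.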
 
Please read through all my posts and follow the directions. I stated that your Malwarebytes is outdated and needs to be updated. Have you performed the ComboFix script yet? HijackThis needs to be run in regular mode, not safe mode.

I need you to perform those procedures and then post back with the new logs.

If you can't figure it out we can set up a time for me to remotely access your system by using a program called teamviewer and I can clean your system from there.
 
I did (it seemed) update malwarebytes to ver 1.46. I guess I did something wrong there. I joined, or thought I did, combofix script. Perhaps I should allow you to fix it via teamviewer. I can't get the affected laptop online though.
 
You do have the latest version but not the latest database. The latest database version is 4635, you are running 4052 which is months out of date.


Ok, use a usb flash drive to transfer this file over to your infected machine and run it.

Download and run rkill.scr to kill the active infection so you can update Malwarebytes and run a new scan. But do not reboot the system after running rkill until you can get Malwarebytes to update. The infection may stop rkill from running fully. If a black screen pops up and then goes away, just keep trying to run rkill in succession until it completes. There will be a log that pops up when done, and if it says that it killed a process then you should have access to the internet and downloading again.
 
No black screen but it seems I tried to run the program a hundred times. I only get the attached message.
 