There is this virus/malware that is not detected by McAfee, Avast, etc. It is very stubborn. I have tried to scan with Prevx but need a licence to remove it. Malwarebytes cannot do anything... help please.

Here are some links from people with the same problem:
http://answers.yahoo.com/question/index?qid=20090121011856AAGzwNo

I have attached the report
Thanks a lot

All 3 Replies

Even though you say MBA-M can do nothing, I would still like you to do the following, please:

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

====

Download HijackThis Executable from here. Save it to your desktop.
Start HJT & press the "Do a system scan and save a log file" button. When the scan is finished, a window will pop up giving you the option of where to save it. Save it to the desktop, where it is easy to access. Open the log file, then go to the Format tab and make sure that Word Wrap is unchecked. Copy the entire contents of the file & paste it into the body of your post. DO NOT FIX ANYTHING YET. Most of what is there is necessary for the running of your system.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:11:03, on 1/25/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SYSTEM32\DWRCS.EXE
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\WINDOWS\system32\svchost.exe
C:\Downloads\Software\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://intranet.vodacom.co.tz
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan Enterprise\scriptcl.dll
O2 - BHO: FDMIECookiesBHO Class - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - C:\PROGRA~1\FREEDO~1\iefdm2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7488\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b (User 'imwakilembe')
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7488\..\Run: [MicroseX] C:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe (User 'imwakilembe')
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7488\..\Run: [Windows Security Service] C:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe (User 'imwakilembe')
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7488\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-7568411530-1006273648-251811096-0363\winlogon.exe (User 'imwakilembe')
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7702\..\Run: [NokiaPCInternetAccess] "C:\Program Files\Nokia\PC Internet Access\NPCIA.exe" /b (User 'smtangoo')
O4 - S-1-5-21-613696747-971654793-1845911597-7702 Startup: WinMySQLadmin.lnk = I:\xampplite\mysql\bin\winmysqladmin.exe (User 'smtangoo')
O4 - S-1-5-21-613696747-971654793-1845911597-7702 User Startup: WinMySQLadmin.lnk = I:\xampplite\mysql\bin\winmysqladmin.exe (User 'smtangoo')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Download all with Free Download Manager - file://C:\Program Files\Free Download Manager\dlall.htm
O8 - Extra context menu item: Download selected with Free Download Manager - file://C:\Program Files\Free Download Manager\dlselected.htm
O8 - Extra context menu item: Download video with Free Download Manager - file://C:\Program Files\Free Download Manager\dlfvideo.htm
O8 - Extra context menu item: Download with Free Download Manager - file://C:\Program Files\Free Download Manager\dllink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://intranet.vodacom.co.tz
O15 - Trusted Zone: http://www.mywds.com (HKLM)
O15 - Trusted Zone: http://*.tzvodavl01 (HKLM)
O15 - ESC Trusted Zone: http://*.0.0.0.0 (HKLM)
O15 - ESC Trusted Zone: http://www.msn.co.in (HKLM)
O15 - ESC Trusted Zone: http://by1fd.bay1.hotmail.msn.com (HKLM)
O15 - ESC Trusted Zone: http://ie.search.msn.com (HKLM)
O15 - ESC Trusted Zone: http://popup.msn.com (HKLM)
O15 - ESC Trusted Zone: http://rad.msn.com (HKLM)
O15 - ESC Trusted Zone: http://search.msn.com (HKLM)
O15 - ESC Trusted Zone: http://loginnet.passport.com (HKLM)
O15 - ESC Trusted Zone: http://login.passport.net (HKLM)
O15 - ESC Trusted Zone: http://www.pcquest.com (HKLM)
O15 - ESC Trusted Zone: http://dealerweb.vodacom.co.tz (HKLM)
O15 - ESC Trusted Zone: http://intranet.vodacom.co.tz (HKLM)
O15 - ESC Trusted IP range: http://10.10.96.125 (HKLM)
O15 - ESC Trusted IP range: http://10.10.96.127 (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = VODACOMTZ.COM
O17 - HKLM\Software\..\Telephony: DomainName = VODACOMTZ.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = VODACOMTZ.COM
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = VODACOMTZ.COM
O23 - Service: CVSNT Locking Service 2.5.03.2382 (cvslock) - Unknown owner - C:\Program Files\CVSNT\cvslock.exe
O23 - Service: CVSNT Dispatch service 2.5.03.2382 (cvsnt) - March Hare Software Ltd - C:\Program Files\CVSNT\cvsservice.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\SYSTEM32\DWRCS.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 6716 bytes
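A triage pass over O4 autorun entries like those in the log above, as an added example that is not part of the original thread. The three heuristics (recycle-bin directory, SID-named folder, core Windows process name outside system32) and all function names are assumptions chosen for this illustration; the sample lines are copied from the posted log.

```python
import re
from pathlib import PureWindowsPath

# O4 (autorun) lines copied verbatim from the HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7488\..\Run: [MicroseX] C:\Recycle\X-5-4-27-2345678318-4567890223-4234567884-2341\RisinG.exe (User 'imwakilembe')
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7488\..\Run: [Windows Security Service] C:\CONFIG\S-1-5-21-1482476501-1644491937-682003330-1013\Cfg.exe (User 'imwakilembe')
O4 - HKUS\S-1-5-21-613696747-971654793-1845911597-7488\..\Run: [Windows Video Drivers] C:\RECYCLER\S-1-5-21-7568411530-1006273648-251811096-0363\winlogon.exe (User 'imwakilembe')
"""

O4_RUN = re.compile(r"^O4 - (?P<key>\S+\\Run): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b|^(\S+)', re.IGNORECASE)
SID_LIKE = re.compile(r"^[A-Z]-\d+(?:-\d+){3,}$", re.IGNORECASE)
RECYCLE_DIRS = {"recycler", "recycled", "recycle", "$recycle.bin"}
SYSTEM_NAMES = {"winlogon.exe", "services.exe", "lsass.exe", "svchost.exe", "smss.exe", "csrss.exe"}

def exe_path(cmd):
    """Strip HijackThis's "(User '...')" suffix and arguments; return the program path."""
    cmd = re.sub(r"\s+\(User '[^']*'\)$", "", cmd.strip())
    return PureWindowsPath(next(g for g in EXE.match(cmd).groups() if g))

def reasons_for(path):
    """Heuristics assumed for this example, not rules used by HijackThis itself."""
    dirs = [p.lower() for p in path.parent.parts]
    reasons = []
    if any(d in RECYCLE_DIRS for d in dirs):
        reasons.append("launches from a recycle-bin directory")
    if any(SID_LIKE.match(d) for d in dirs):
        reasons.append("launches from a SID-named folder")
    if path.name.lower() in SYSTEM_NAMES and "system32" not in dirs:
        reasons.append("system process name outside system32")
    return reasons

def triage(log_text):
    """Return (value name, program path, reasons) for each flagged Run entry."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if m:
            path = exe_path(m["cmd"])
            reasons = reasons_for(path)
            if reasons:
                findings.append((m["name"], str(path), reasons))
    return findings

if __name__ == "__main__":
    for name, path, reasons in triage(SAMPLE_LOG):
        print(f"[{name}] {path}: {'; '.join(reasons)}")
```

A flagged entry is a prompt to inspect the file and its registry value, not a verdict; legitimate software rarely starts from these locations, but the heuristics know nothing about file contents.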

And the rest?

Log is clean.

Please Run the ESET Online Scanner and post the ScanLog with your post for assistance.

  • You will need to use Internet Explorer to complete this scan.
  • You will need to temporarily Disable your current Anti-virus program.
  • Be sure the option to Remove found threats is Un-checked at this time (we may have it clean what it finds at a later time), and the option to Scan unwanted applications is Checked.
  • When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us as directed below.

NOTE: If you are unable to complete the ESET scan, please try another from the list below:

  • Kaspersky Online Scanner
  • Panda Active Scan
  • Trend Micro HouseCall
  • F-Secure Online Virus Scanner
