
FrankR

Members
  • Posts: 20
Everything posted by FrankR

  1. Sorry, been busy on a Friday... I restarted the computer again today and the MSE popped up in the tray. The taskmngr has MS security client running (which I suppose is the .exe for MSE). The msconfig -> startup has the "MS Security Client" checked for startup. It just wasn't the obvious title of "MS Essentials" I was looking for. Everything looks back to normal and I appreciate all the help, the removal and all the links to disable useless software and what-have-you. I will certainly keep MBAM up to date and compute more discerningly. Thanks again Mr C. ~FrankR
  2. SystemLook 30.07.11 by jpshortstuff
     Log created at 19:19 on 15/12/2011 by Sean
     Administrator - Elevation successful

     ========== reg ==========

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
     "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe"
     "UCam_Menu"=""C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0""
     "QPService"=""C:\Program Files\HP\QuickPlay\QPService.exe""
     "QlbCtrl.exe"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start"
     "hpqSRMon"="C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe"
     "hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe"
     "MSC"=""c:\Program Files\Microsoft Security Client\msseces.exe" -hide -runkey"

     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

     -= EOF =-
  3. That box was already unchecked. I went to msconfig. Microsoft Security Essentials was not listed in the startup. There is, however, a "Microsoft Security Client."
  4. Perfect....it is now gone. One small thing, my MSE doesn't appear in my tray. I assume it's working in the background (maybe I assume too much) but I'm not sure if it is turned on upon startup or if I turn it on when I go to Start -> Programs -> MSE. Nothing in the settings deals with shortcuts or tray icons.
  5. I also dealt with this malware and unhid some things. However now my start menu looks quite inadequate:
  6. Trust me, I want to rid myself of unwanted programs. It's just that I went to control panels and uninstalled the viewer, however I still see it in my task manager. I even restarted to see if the ViewpointService.exe was still starting up and sure enough it is (despite my control panel uninstalling it). Thoughts? Could I just delete the files from my C: or is that not preferred? The item is gone from the control panel but the file remains... I did get MSE up and running, it is now catching up with updates. I also disabled the 5 services listed on the link as it instructed.
  7. The viewer. I'm kinda thinking that is something that is part of my hp or OS. I don't see it on my control panel uninstall list and the task manager thinks it's part of the system: The OTL did make me reboot. Here is the log that popped up after reboot. 12152011_123153.log
  8. Uninstall went ok...I downloaded the exe went to install and toward the end of the install this popped up:
  9. Problem with combofix. When it was up and running it disabled my MS Essentials. The moment I uninstalled combo fix, the red MS Essentials popped back in the tray and it's still doing the same stuff I captured on the screenshots. So I don't know if I need to reinstall MS Essentials or what. I did update java and took care of OTL as described.
  10. It's running pretty good. I will have to reinstall MS Essentials, but other than that I can't complain. Updating MBAM and scanning when things get slow... Thanks for all your help MrC.
  11. Malwarebytes' Anti-Malware 1.51.2.1300
      www.malwarebytes.org

      Database version: 8365
      Windows 6.0.6002 Service Pack 2
      Internet Explorer 7.0.6002.18005

      12/13/2011 10:43:52
      mbam-log-2011-12-13 (10-43-52).txt

      Scan type: Quick scan
      Objects scanned: 175082
      Time elapsed: 3 minute(s), 43 second(s)

      Memory Processes Infected: 0
      Memory Modules Infected: 0
      Registry Keys Infected: 0
      Registry Values Infected: 0
      Registry Data Items Infected: 0
      Folders Infected: 0
      Files Infected: 0

      Memory Processes Infected: (No malicious items detected)
      Memory Modules Infected: (No malicious items detected)
      Registry Keys Infected: (No malicious items detected)
      Registry Values Infected: (No malicious items detected)
      Registry Data Items Infected: (No malicious items detected)
      Folders Infected: (No malicious items detected)
      Files Infected: (No malicious items detected)

      I couldn't find where the mbam txt is saved or I would have made it an attachment. Thanks so much Mr C
  12. I'm not sure if combofix is able to finish... It's stuck on the bluescreen where it says it "should take less than 10mins or sometimes twice as long". Then a popup came up saying my system has a "rootkit zero access, it messes with the tcp/ip stack" and I should restart if I cannot access internet. Is it safe to restart with combofix up?
  13. Ok did the combofix. I had the rootkit zero access. MrC, should I continue the instructions on the combofix link you gave me with the manual "windows recovery"? Or is that only if my OS was disturbed? I guess I don't know if the "automatic install of Recovery Console" occurred. BTW, thanks for the help. ComboFix.txt
  14. This is what my Essentials is doing to me after the fix. I know y'all aren't MS but advice would be appreciated if it's part of the malware or just simply turned off Essentials. If I'm reading it right, it uninstalled it.
  15. Well crap. Microsoft Security Essentials is red and "at risk" I open from tray. "Security Essentials isn't monitoring your computer because the program's service stopped. You should restart now. Real-time protection: Off Virus and spyware definitions: Out of date" I clicked the "Start Now" button and "The specified service does not exist as an installed service."
  16. So MBAM is set up with default settings...I switched the "General Settings > Warn if outdated" down to 1 day. I guess that's about as good as it gets on the free version...I will get the full version the next paycheck after the holidays, for the realtime protection. Attachments enclosed. Thanks MrC! Extras.Txt OTL.Txt
  17. DLd the exehelper on mac, usbed it to the PC in safe mode. Was able to run mbam.exe in safe mode...currently found the 4 files. Now I can open all types of files. I am gonna reboot in normal mode and do a long scan (for just in case). Once that gets done I will reconnect that PC and bring the logs....a few quick questions tho 1) So what should I make of the Kaspersky? Just antiquated version, uninstall? 2) It was only like 10 days since last mbam updated and it didn't 'catch' this malware...I'm on the road a lot how often am I gonna need to update so I can be protected. MBAM says an ounce of prevention > a pound of correction. Did I just get a version of a malware that was developed within a week? Thanks Charlie.
  18. My laptop exited firefox and "Windows Security Center" popped up and then a "Vista Security 2012" came up. I restarted my laptop in safe mode then hopped on my Mac to look for solutions. I ended up on here: http://www.malwarehelp.org/fake-windows-security-center-analysis-and-removal-2009.html?replytocom=4039 I figured Kaspersky would take care of it. So I dld Kaspersky and did all the settings/programs the website suggested, ran the scan for a few hours and it found some files to disinfect and some to delete. (YAY! Right?) So I continued on as the website suggested and to start Malwarebytes' scan. I clicked Malwarebytes and sure enough "Windows Security Center" pops up instead of Malwarebytes... In retrospect the guide was for dealing with "Vista Virus 2009" rather than 2012. What do I do? I already have Malwarebytes on my computer...I just can't access it. I don't know if I want to uninstall/reinstall MWBs, it has already taken care of some malware and 'saved' the previous malware's profile (or w/e).