FoxtrotAlpha

Members
  • Posts: 8

Posts posted by FoxtrotAlpha

  1. Still talking to myself.... but in case anyone reading this is still struggling with this, here is my latest log. It is very important to make sure you are running the latest update of Mbam - 2939. It found 2 additional items on my computer. But, I am still struggling with this virus. Unreal.

    Malwarebytes' Anti-Malware 1.41

    Database version: 2939

    Windows 5.1.2600 Service Pack 3

    10/10/2009 6:49:02 PM

    mbam-log-2009-10-10 (18-49-02).txt

    Scan type: Full Scan (C:\|D:\|)

    Objects scanned: 134409

    Time elapsed: 39 minute(s), 47 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 2

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    C:\WINDOWS\system32\kamideva.exe (Trojan.Dropper) -> Quarantined and deleted successfully.

    C:\Documents and Settings\marc\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

  2. I've spent the entire day cleaning this computer.... the Security Tool virus is STILL in my start-up tray and my desktop is still all black.

    Running Mbam, says I'm all clean. But I'm not. I'm going to try to update Malwarebytes to see if I'm missing something..... but I'm losing all hope. :)

    Here is the latest log:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2775

    Windows 5.1.2600 Service Pack 3

    10/10/2009 6:08:06 PM

    mbam-log-2009-10-10 (18-08-06).txt

    Scan type: Full Scan (C:\|D:\|)

    Objects scanned: 130583

    Time elapsed: 24 minute(s), 24 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 0

    Registry Data Items Infected: 0

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    (No malicious items detected)

    Registry Data Items Infected:

    (No malicious items detected)

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

  3. My exeHelper log:

    exeHelper by Raktor - 09

    Build 20090925

    Run at 17:11:52 on 10/10/09

    Now searching...

    Checking for numerical processes...

    Checking for bad processes...

    Checking for bad files...

    Checking for bad registry entries...

    Resetting filetype association for .exe

    Resetting filetype association for .com

    Resetting userinit and shell values...

    Resetting policies...

    --Finished--

  4. And lastly, my Combo-Fix log:

    ComboFix 09-10-10.01 - marc 10/10/2009 16:53.1.1 - NTFSx86

    Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.660 [GMT -4:00]

    Running from: c:\documents and settings\marc\Desktop\Combo-Fix.exe

    AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {51D57A40-BB00-4754-AEA1-30DF654182EB}

    AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

    .

    c:\windows\system32\proquota.exe was missing

    Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe

    .

    ((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))

    .

    2009-10-10 19:14 . 2009-10-10 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware

    2009-10-10 15:13 . 2009-10-10 15:13 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys

    2009-10-10 15:13 . 2009-10-10 15:13 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys

    2009-10-10 15:13 . 2009-10-10 15:13 -------- d-----w- c:\program files\Prevx

    2009-10-10 15:13 . 2009-10-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI

    2009-10-10 15:07 . 2009-10-10 15:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE

    2009-10-10 15:07 . 2009-10-10 15:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache

    2009-10-10 14:47 . 2008-04-14 00:12 135680 ----a-w- c:\windows\system32\Littlemonkey.exe

    2009-10-10 14:28 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys

    2009-10-10 14:28 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys

    2009-10-10 02:37 . 2009-10-10 02:37 -------- d-----w- c:\program files\Trend Micro

    2009-10-10 02:24 . 2009-10-10 02:24 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}

    2009-10-10 01:33 . 2009-10-10 01:33 -------- d-sh--w- c:\documents and settings\marc\IECompatCache

    .

    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    2009-08-20 23:26 . 2008-12-18 17:52 -------- d-----w- c:\program files\AutoCAD 2008

    2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll

    2009-07-18 00:00 . 2008-12-05 16:42 50200 ----a-w- c:\documents and settings\marc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

    2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll

    2007-08-18 16:31 . 2007-08-18 16:31 38912 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll

    2007-08-18 16:31 . 2007-08-18 16:31 102471 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll

    2007-08-18 16:31 . 2007-08-18 16:31 93848 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll

    2007-08-18 16:31 . 2007-08-18 16:31 94208 ----a-w- c:\program files\mozilla firefox\plugins\mwmcli.dll

    2009-07-10 17:37 . 2009-07-10 17:37 1011349 --sha-w- c:\windows\system32\kamideva.exe

    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

    .

    .

    *Note* empty entries & legit default entries are not shown

    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

    "Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\pixie.exe" [2009-09-10 1312080]

    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]

    "IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]

    "IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]

    "igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]

    "igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]

    "igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]

    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]

    "BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\

    Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]

    "drv"=2 (0x2)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]

    "%windir%\\system32\\sessmgr.exe"=

    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=

    "c:\\WINDOWS\\system32\\spoolsv.exe"=

    "c:\\Program Files\\Intel\\Wireless\\Bin\\WLKEEPER.exe"=

    "c:\\Program Files\\Prevx\\prevx.exe"=

    "c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=

    R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [10/10/2009 11:13 AM 22024]

    R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [10/10/2009 11:13 AM 27656]

    R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [10/10/2009 11:13 AM 4368952]

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]

    "c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP

    .

    Contents of the 'Scheduled Tasks' folder

    .

    .

    ------- Supplementary Scan -------

    .

    uStart Page = hxxp://www.cnn.com/

    FF - ProfilePath - c:\documents and settings\marc\Application Data\Mozilla\Firefox\Profiles\prv98ipr.default\

    FF - prefs.js: browser.startup.homepage - www.cnn.com

    FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=

    FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll

    FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\

    .

    - - - - ORPHANS REMOVED - - - -

    Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    HKLM-Run-MbWzdFPAP-EXL540 - E:\PdtGuide.exe

    **************************************************************************

    catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net

    Rootkit scan 2009-10-10 16:59

    Windows 5.1.2600 Service Pack 3 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully

    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]

    "ImagePath"="a"

    .

    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'explorer.exe'(848)

    c:\windows\system32\WININET.dll

    c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll

    c:\windows\system32\ieframe.dll

    c:\windows\system32\webcheck.dll

    .

    ------------------------ Other Running Processes ------------------------

    .

    c:\program files\Intel\Wireless\Bin\EvtEng.exe

    c:\program files\Intel\Wireless\Bin\S24EvMon.exe

    c:\program files\Intel\Wireless\Bin\WLKEEPER.exe

    c:\program files\Intel\Wireless\Bin\RegSrvc.exe

    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

    c:\windows\system32\UTSCSI.EXE

    c:\windows\system32\rundll32.exe

    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

    c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe

    c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe

    .

    **************************************************************************

    .

    Completion time: 2009-10-10 17:01 - machine was rebooted

    ComboFix-quarantined-files.txt 2009-10-10 21:01

    Pre-Run: 71,059,283,968 bytes free

    Post-Run: 71,118,860,288 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe

    [boot loader]

    timeout=2

    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS

    [operating systems]

    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect

    134 --- E O F --- 2009-09-09 04:04

  5. Okay - another update.

    I can get online with the PC now.

    I've got Mbam loaded & running fine (renamed the .exe file) and I've purchased & run Prevx 3.0. Both programs cleaned out a bunch of things... I ran each one twice.

    When I restart, I still see a 'fake' icon in my startup menu as well as my quick-launch that says it's "Malwarebytes' Anti-Malware", but it is STILL THE SECURITY TOOL virus. How is that possible? Is this virus that awful?

    I'm going to try to run the Combo-Fix program listed in another thread and see where that gets me.

    Below is my Mbam log:

    Malwarebytes' Anti-Malware 1.41

    Database version: 2775

    Windows 5.1.2600 Service Pack 3

    10/10/2009 3:46:39 PM

    mbam-log-2009-10-10 (15-46-39).txt

    Scan type: Full Scan (C:\|)

    Objects scanned: 131134

    Time elapsed: 30 minute(s), 15 second(s)

    Memory Processes Infected: 0

    Memory Modules Infected: 0

    Registry Keys Infected: 0

    Registry Values Infected: 2

    Registry Data Items Infected: 1

    Folders Infected: 0

    Files Infected: 0

    Memory Processes Infected:

    (No malicious items detected)

    Memory Modules Infected:

    (No malicious items detected)

    Registry Keys Infected:

    (No malicious items detected)

    Registry Values Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rugijaman (Trojan.Vundo.H) -> Quarantined and deleted successfully.

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39051523 (Rogue.Multiple) -> Quarantined and deleted successfully.

    Registry Data Items Infected:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

    Folders Infected:

    (No malicious items detected)

    Files Infected:

    (No malicious items detected)

    And here is the HijackThis log:

    Logfile of Trend Micro HijackThis v2.0.2

    Scan saved at 4:34:29 PM, on 10/10/2009

    Platform: Windows XP SP3 (WinNT 5.01.2600)

    MSIE: Internet Explorer v8.00 (8.00.6001.18702)

    Boot mode: Normal

    Running processes:

    C:\WINDOWS\System32\smss.exe

    C:\WINDOWS\system32\winlogon.exe

    C:\WINDOWS\system32\services.exe

    C:\WINDOWS\system32\lsass.exe

    C:\WINDOWS\system32\svchost.exe

    C:\WINDOWS\System32\svchost.exe

    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    C:\WINDOWS\system32\spoolsv.exe

    C:\Program Files\Prevx\prevx.exe

    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

    C:\WINDOWS\system32\UTSCSI.EXE

    C:\WINDOWS\Explorer.EXE

    C:\Program Files\Prevx\prevx.exe

    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe

    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe

    C:\WINDOWS\system32\igfxpers.exe

    C:\WINDOWS\system32\hkcmd.exe

    C:\WINDOWS\system32\rundll32.exe

    C:\WINDOWS\system32\ctfmon.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe

    C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe

    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe

    C:\Program Files\Mozilla Firefox\firefox.exe

    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =

    O1 - Hosts: ::1 localhost

    O1 - Hosts: 209.44.111.62 aware-protect.com

    O1 - Hosts: 209.44.111.62 www.aware-protect.com

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)

    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\pixie.exe" /runcleanupscript

    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime

    O4 - HKLM\..\Run: [MbWzdFPAP-EXL540] E:\PdtGuide.exe

    O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"

    O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless

    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe

    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe

    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe

    O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe

    O4 - Global Startup: Bluetooth Manager.lnk = ?

    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe

    O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\PROGRA~1\MOZILL~1\plugins\MyWebEx\419\mwmie.dll

    O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\PROGRA~1\MOZILL~1\plugins\MyWebEx\419\mwmie.dll

    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab

    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203829378437

    O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe

    O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe

    O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe

    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe

    O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe

    O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe

    O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe

    O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE

    O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

    --

    End of file - 6547 bytes
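The HijackThis log above is what a helper would read by hand, looking for the O1 hosts entries that point a security vendor's name at a foreign address, O2/O3 entries whose file is gone, and O4 Run values with odd names or odd locations. The script below is an added example, not code from this thread or from Trend Micro: it parses those three line shapes and flags the entries a helper would question. The sample log is constructed for the example; its hosts lines, the orphan toolbar line and the E: drive Run entry copy the shapes in the log above, while the `qwvzkxlo` and `39051523` targets are invented to exercise the path checks (the post shows those two Run value names but not their targets).

```python
"""Triage of HijackThis-style log lines (O1 hosts, O2/O3 orphans, O4 Run keys).

Added example, not code from the forum thread or from Trend Micro.
"""
import ipaddress
import re

# Constructed sample in the HijackThis line format seen in the post.
# The qwvzkxlo and 39051523 targets are invented for the example.
SAMPLE_LOG = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 127.0.0.1 localhost
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 www.aware-protect.com
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\pixie.exe" /runcleanupscript
O4 - HKLM\..\Run: [MbWzdFPAP-EXL540] E:\PdtGuide.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [qwvzkxlo] C:\Documents and Settings\marc\Application Data\qwvzkxlo.exe
O4 - HKLM\..\Run: [39051523] C:\Documents and Settings\All Users\Application Data\39051523\39051523.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
ORPHAN_RE = re.compile(r"^O[23] - .*\(no file\)\s*$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\]\s*(.*)$")
# Directories where a Run target is expected on a default XP install.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\")


def split_target(cmd):
    """Return the executable path from a Run value's command string."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces; take everything through the .exe.
    m = re.match(r"(.+?\.exe)(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def triage(log_text):
    """Return a list of (kind, detail) findings for the suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                addr = ipaddress.ip_address(ip)
            except ValueError:
                findings.append(("hosts-unparsable", line))
                continue
            # A hosts entry for anything other than loopback is a redirect;
            # rogues use it to hijack security vendors' names.
            if not addr.is_loopback:
                findings.append(("hosts-redirect", f"{host} -> {ip}"))
            continue
        if ORPHAN_RE.match(line):
            findings.append(("orphan-entry", line))
            continue
        m = RUN_RE.match(line)
        if not m:
            continue
        hive, name, cmd = m.groups()
        target = split_target(cmd)
        low = target.lower()
        where = f"{hive} {name} -> {target}"
        if name.isdigit():
            findings.append(("run-numeric-name", where))
        if re.match(r"^[a-z]:\\", low):
            if not low.startswith("c:\\"):
                findings.append(("run-non-system-drive", where))
            elif not low.startswith(TRUSTED_DIRS):
                findings.append(("run-untrusted-dir", where))
    return findings


if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:22} {detail}")
```

Entries such as `rundll32.exe bthprops.cpl,,...` carry no drive letter and are left alone; the checks are deliberately narrow (non-loopback hosts entries, dead references, numeric value names, targets outside C:\WINDOWS and C:\Program Files) so that the vendor entries in the log above produce no noise.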

  6. Another little update: I just restarted again, to see if I can figure out how to get the PC online and noticed the 'malwarebytes' icon in my tray & right clicked on it (it said 'Malwarebytes Anti-Malware') so I clicked it and - I sh!t you not - it launched the damn Security Tool virus AGAIN. The Mbam icon launched the Security Tool virus.

    I suppose this means I'm back to square one. Sigh.

  7. I'm no computer wizard.... but my husband is worse. He received the "Security Tool" virus last night and I've been up all night trying to fix this thing. I'm going to try my best to be concise & keep my cool while giving as much info as I can as to what has and has not worked for me, because this thing is STILL MOCKING ME in my start-up menu and quick start tray.

    • Husband received the virus last night around 7pm
    • I shut his computer down instantly and grilled him about what he'd been clicking on. :)
    • He says 'nothing', he was Googling CBS sports-something and when he clicked on the Google result the 'security tool' popped up & launched itself, telling him he was infected blah...blah...blah. This is the second time in 3 months something like this has happened, god love him. Apparently the firewall and AVG did nothing to protect him.

    I immediately tried to launch mbam.exe because that's what worked last time.... but the file 'could not be found'. Searching some of the forums here I realized the virus is disabling it. So, I was able to download it to a flash drive from my Mac, restart the PC in 'safe' mode and with about 17 tries, very quickly copy-paste it to the desktop before it was deleted. Thinking myself very clever, I renamed MBAM and ran it twice in safe mode, both times it came up with 11 items to remove. When I restarted a third time, F8 safe mode no longer worked (it just ran all these lines of text and just stopped) - so I have to go through msconfig to 'diagnostic startup'. I run my MBAM again and the same 11 items show up detected again. Note: the PC can no longer get on the internet, wired or wireless, so MBAM 1.41 was NOT updated when I ran it. I'm deleting the items, so why are they not going away?

    This morning - it's all still there. The 'Security Tool' icons, the strange '.dll' errors when I start up.... my desktop is odd looking (all black), so I know something is still going on. I cannot do a system restore, because the computer is saying there is no date to go back and restore. I can't get online. When I run the process explorer, I see no string of numbers or anything that looks obvious, but I clearly still have the virus.

    Desperate - I went to my office across town, downloaded MBAM and ran the update, renamed it, saved it to a flash drive and came home and ran it again. It found 0 items in safe mode. So, I restarted in Normal mode and it found 2 items.

    Below are the logs from both HijackThis and the post-2 item removal from MBAM (never mind - forum won't let me upload the HijackThis log, only the mbam log).

    I really appreciate any help I can get. We have 2 other computers, but they are Macs. So, anything I download to 'fix' it, has to be pre-updated and able to be moved from a flash disk. Sigh. I will see if I can get the PC back online while I wait for someone to reply.

    Thanks in advance for a reply! :)

    mbam_log_2009_10_10__13_27_27_.txt
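Two things the posts in this thread keep running into are worth checking mechanically rather than by eye: the same detections coming back after "Quarantined and deleted successfully" (a sign that something still running, or an autostart entry, is re-creating them), and scans run against an old definition database reporting clean until the update to 2939 found more. The script below is an added example, not code from the thread or from Malwarebytes: it parses the log format shown in the posts (the "Database version:" header, the "... Infected:" section headings and the "item (Threat) -> action." detection lines) and compares two successive scans. The three sample logs are constructed for the example; their detection lines are copies of the ones printed in the posts above, arranged to illustrate a recurring detection, and they are not the 11 items the poster saw.

```python
"""Compare successive Malwarebytes' Anti-Malware 1.41 logs for recurring detections.

Added example, not code from the forum thread or from Malwarebytes.
"""
import re

# Constructed sample logs in the MBAM 1.41 log format shown in the posts.
LOG_A = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
Scan type: Quick Scan
Registry Values Infected: 2
Registry Data Items Infected: 1
Files Infected: 0
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rugijaman (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39051523 (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# Same database, same two Run values back again after a reboot.
LOG_B = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
Scan type: Quick Scan
Registry Values Infected: 2
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rugijaman (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39051523 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
(No malicious items detected)
"""

# Updated database finds the dropper and the rogue's shortcut.
LOG_C = r"""
Malwarebytes' Anti-Malware 1.41
Database version: 2939
Windows 5.1.2600 Service Pack 3
Scan type: Full Scan (C:\|D:\|)
Files Infected: 2
Registry Values Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\kamideva.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\marc\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
"""

# Section headings end with a colon; summary lines ("Files Infected: 2") do not match.
SECTION_RE = re.compile(
    r"^(Memory Processes|Memory Modules|Registry Keys|Registry Values|"
    r"Registry Data Items|Folders|Files) Infected:$")
# "item (Threat.Name) -> action." ; the action may itself contain "->".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<threat>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return {'db': int or None, 'detections': [(section, item, threat, action)]}."""
    db = None
    detections = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^Database version:\s*(\d+)$", line)
        if m:
            db = int(m.group(1))
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section is None or line == "(No malicious items detected)":
            continue
        m = DETECTION_RE.match(line)
        if m:
            detections.append((section, m["item"], m["threat"], m["action"]))
    return {"db": db, "detections": detections}


def recurring(earlier, later):
    """Detections in the later scan whose section and item were already removed earlier."""
    seen = {(d[0], d[1].lower()) for d in earlier["detections"]}
    return [d for d in later["detections"] if (d[0], d[1].lower()) in seen]


def assess(earlier, later):
    """Return (recurring detections, list of notes) for two successive scans."""
    rec = recurring(earlier, later)
    notes = []
    if rec:
        notes.append(f"{len(rec)} item(s) re-detected after removal; "
                     "something still running or an autostart entry is re-creating them")
    if earlier["db"] is not None and earlier["db"] == later["db"]:
        notes.append(f"both scans used database {later['db']}; "
                     "update definitions before trusting a clean result")
    return rec, notes


if __name__ == "__main__":
    a, b, c = (parse_mbam_log(t) for t in (LOG_A, LOG_B, LOG_C))
    for label, pair in (("A -> B", (a, b)), ("B -> C", (b, c))):
        rec, notes = assess(*pair)
        print(label, [d[1] for d in rec], notes)
```

Feeding real logs in is a matter of reading the two `mbam-log-*.txt` files instead of the constructed strings; the comparison is keyed on section plus item path so that a Run value and a file with the same name are not confused.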
