Posts posted by FoxtrotAlpha
-
I've spent the entire day cleaning this computer... the Security Tool virus is STILL in my start-up tray and my desktop is still all black.
Running Mbam, it says I'm all clean. But I'm not. I'm going to try to update Malwarebytes to see if I'm missing something... but I'm losing all hope.
Here is the latest log:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
10/10/2009 6:08:06 PM
mbam-log-2009-10-10 (18-08-06).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 130583
Time elapsed: 24 minute(s), 24 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
-
My Win32kDiag Log:
Running from: C:\Documents and Settings\marc\Desktop\Win32kDiag.exe
Log file at : C:\Documents and Settings\marc\Desktop\Win32kDiag.txt
WARNING: Could not get backup privileges!
Searching 'C:\WINDOWS'...
Finished!
-
My exeHelper log:
exeHelper by Raktor - 09
Build 20090925
Run at 17:11:52 on 10/10/09
Now searching...
Checking for numerical processes...
Checking for bad processes...
Checking for bad files...
Checking for bad registry entries...
Resetting filetype association for .exe
Resetting filetype association for .com
Resetting userinit and shell values...
Resetting policies...
--Finished--
-
And lastly, my Combo-Fix log:
ComboFix 09-10-10.01 - marc 10/10/2009 16:53.1.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1015.660 [GMT -4:00]
Running from: c:\documents and settings\marc\Desktop\Combo-Fix.exe
AV: CyberDefender Internet Security *On-access scanning enabled* (Updated) {51D57A40-BB00-4754-AEA1-30DF654182EB}
AV: Prevx 3.0 *On-access scanning enabled* (Updated) {D486329C-1488-4CEB-9CC8-D662B732D901}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\system32\proquota.exe was missing
Restored copy from - c:\windows\ServicePackFiles\i386\proquota.exe
.
((((((((((((((((((((((((( Files Created from 2009-09-10 to 2009-10-10 )))))))))))))))))))))))))))))))
.
2009-10-10 19:14 . 2009-10-10 19:14 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-10-10 15:13 . 2009-10-10 15:13 27656 ----a-w- c:\windows\system32\drivers\pxsec.sys
2009-10-10 15:13 . 2009-10-10 15:13 22024 ----a-w- c:\windows\system32\drivers\pxscan.sys
2009-10-10 15:13 . 2009-10-10 15:13 -------- d-----w- c:\program files\Prevx
2009-10-10 15:13 . 2009-10-10 19:57 -------- d-----w- c:\documents and settings\All Users\Application Data\PrevxCSI
2009-10-10 15:07 . 2009-10-10 15:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-10 15:07 . 2009-10-10 15:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\IETldCache
2009-10-10 14:47 . 2008-04-14 00:12 135680 ----a-w- c:\windows\system32\Littlemonkey.exe
2009-10-10 14:28 . 2009-09-10 18:54 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-10-10 14:28 . 2009-09-10 18:53 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-10 02:37 . 2009-10-10 02:37 -------- d-----w- c:\program files\Trend Micro
2009-10-10 02:24 . 2009-10-10 02:24 -------- dc----w- c:\documents and settings\All Users\Application Data\{EF63305C-BAD7-4144-9208-D65528260864}
2009-10-10 01:33 . 2009-10-10 01:33 -------- d-sh--w- c:\documents and settings\marc\IECompatCache
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-08-20 23:26 . 2008-12-18 17:52 -------- d-----w- c:\program files\AutoCAD 2008
2009-08-05 09:01 . 2004-08-04 12:00 204800 ----a-w- c:\windows\system32\mswebdvd.dll
2009-07-18 00:00 . 2008-12-05 16:42 50200 ----a-w- c:\documents and settings\marc\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-07-17 19:01 . 2004-08-04 12:00 58880 ----a-w- c:\windows\system32\atl.dll
2007-08-18 16:31 . 2007-08-18 16:31 38912 ----a-w- c:\program files\mozilla firefox\plugins\atgpcdec.dll
2007-08-18 16:31 . 2007-08-18 16:31 102471 ----a-w- c:\program files\mozilla firefox\plugins\atgpcext.dll
2007-08-18 16:31 . 2007-08-18 16:31 93848 ----a-w- c:\program files\mozilla firefox\plugins\ieatgpc.dll
2007-08-18 16:31 . 2007-08-18 16:31 94208 ----a-w- c:\program files\mozilla firefox\plugins\mwmcli.dll
2009-07-10 17:37 . 2009-07-10 17:37 1011349 --sha-w- c:\windows\system32\kamideva.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Malwarebytes Anti-Malware (reboot)"="c:\program files\Malwarebytes' Anti-Malware\pixie.exe" [2009-09-10 1312080]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2007-06-29 286720]
"IntelZeroConfig"="c:\program files\Intel\Wireless\bin\ZCfgSvc.exe" [2007-02-21 819200]
"IntelWireless"="c:\program files\Intel\Wireless\Bin\ifrmewrk.exe" [2007-02-21 970752]
"igfxtray"="c:\windows\system32\igfxtray.exe" [2006-09-15 94208]
"igfxpers"="c:\windows\system32\igfxpers.exe" [2006-09-15 118784]
"igfxhkcmd"="c:\windows\system32\hkcmd.exe" [2006-09-15 77824]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 40048]
"BluetoothAuthenticationAgent"="bthprops.cpl" - c:\windows\system32\bthprops.cpl [2008-04-14 110592]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Bluetooth Manager.lnk - c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2007-5-22 2756608]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"drv"=2 (0x2)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\WINDOWS\\system32\\spoolsv.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\WLKEEPER.exe"=
"c:\\Program Files\\Prevx\\prevx.exe"=
"c:\\Program Files\\Intel\\Wireless\\Bin\\EvtEng.exe"=
R0 pxscan;pxscan;c:\windows\system32\drivers\pxscan.sys [10/10/2009 11:13 AM 22024]
R0 pxsec;pxsec;c:\windows\system32\drivers\pxsec.sys [10/10/2009 11:13 AM 27656]
R2 CSIScanner;CSIScanner;c:\program files\Prevx\prevx.exe [10/10/2009 11:13 AM 4368952]
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
.
Contents of the 'Scheduled Tasks' folder
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.cnn.com/
FF - ProfilePath - c:\documents and settings\marc\Application Data\Mozilla\Firefox\Profiles\prv98ipr.default\
FF - prefs.js: browser.startup.homepage - www.cnn.com
FF - prefs.js: keyword.URL - hxxp://us.yhs.search.yahoo.com/avg/search?fr=yhs-avg&type=yahoo_avg_hs2-tb-web_us&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npatgpc.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\DotNetAssistantExtension\
.
- - - - ORPHANS REMOVED - - - -
Toolbar-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
WebBrowser-{CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
HKLM-Run-MbWzdFPAP-EXL540 - E:\PdtGuide.exe
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-10-10 16:59
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\vsdatant]
"ImagePath"="a"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'explorer.exe'(848)
c:\windows\system32\WININET.dll
c:\windows\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.3053_x-ww_b80fa8ca\MSVCR80.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\webcheck.dll
.
------------------------ Other Running Processes ------------------------
.
c:\program files\Intel\Wireless\Bin\EvtEng.exe
c:\program files\Intel\Wireless\Bin\S24EvMon.exe
c:\program files\Intel\Wireless\Bin\WLKEEPER.exe
c:\program files\Intel\Wireless\Bin\RegSrvc.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
c:\windows\system32\UTSCSI.EXE
c:\windows\system32\rundll32.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
c:\program files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
c:\program files\Intel\Wireless\Bin\Dot1XCfg.exe
.
**************************************************************************
.
Completion time: 2009-10-10 17:01 - machine was rebooted
ComboFix-quarantined-files.txt 2009-10-10 21:01
Pre-Run: 71,059,283,968 bytes free
Post-Run: 71,118,860,288 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
134 --- E O F --- 2009-09-09 04:04
-
Okay - another update.
I can get online with the PC now.
I've got Mbam loaded & running fine (renamed the .exe file) and I've purchased & run PrevX3.0. Both programs cleaned out a bunch of things... I ran each one twice.
When I restart, I still see a 'fake' icon in my startup menu as well as my quick-launch that says it's "Malwarebytes' Anti-Malware", but it is STILL THE SECURITY TOOL virus. How is that possible? Is this virus that awful?
I'm going to try to run the Combo-Fix program listed in another thread and see where that gets me.
Below is my Mbam log:
Malwarebytes' Anti-Malware 1.41
Database version: 2775
Windows 5.1.2600 Service Pack 3
10/10/2009 3:46:39 PM
mbam-log-2009-10-10 (15-46-39).txt
Scan type: Full Scan (C:\|)
Objects scanned: 131134
Time elapsed: 30 minute(s), 15 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rugijaman (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39051523 (Rogue.Multiple) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
And here is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:29 PM, on 10/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
C:\WINDOWS\system32\UTSCSI.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Prevx\prevx.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe
C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe
C:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosBtProc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cnn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 www.aware-protect.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\pixie.exe" /runcleanupscript
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MbWzdFPAP-EXL540] E:\PdtGuide.exe
O4 - HKLM\..\Run: [intelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [intelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Bluetooth Manager.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\PROGRA~1\MOZILL~1\plugins\MyWebEx\419\mwmie.dll
O9 - Extra 'Tools' menuitem: Start WebEx MeetMeNow - {F5AD6CC5-776C-4DBB-B38F-F5404A3582F3} - C:\PROGRA~1\MOZILL~1\plugins\MyWebEx\419\mwmie.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase1140.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1203829378437
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: CSIScanner - Prevx - C:\Program Files\Prevx\prevx.exe
O23 - Service: Intel® PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Intel® PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel® PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe
O23 - Service: USBest Service Zero (UTSCSI) - USBest - C:\WINDOWS\system32\UTSCSI.EXE
O23 - Service: Intel® PROSet/Wireless SSO Service (WLANKEEPER) - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
--
End of file - 6547 bytes
-
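The ComboFix log in the earlier post and the HijackThis log just above carry the signs a human log reader looks for: hosts entries that point a security vendor's domain (aware-protect.com) at a non-loopback address, a toolbar CLSID with "(no file)", a Run value that starts from a removable drive (E:\PdtGuide.exe), and a file in system32 carrying both the hidden and system attributes (the `--sha-w-` on kamideva.exe, which the last Malwarebytes log in this thread identifies as Trojan.Dropper). The script below is an added example, not part of this thread and not a Malwarebytes, HijackThis or ComboFix component. It parses constructed sample lines copied from or modelled on those two logs and applies the heuristics just listed; the `[12345678]` Run entry is hypothetical, added only to exercise the numeric-name and profile-directory rules, and the system drive is assumed to be C: as in the logs. It does not inspect .lnk shortcut targets, so the hijacked "Malwarebytes" icon described in the next post would not show up here.

```python
"""Triage heuristics for HijackThis and ComboFix log lines (added example,
not a Malwarebytes/HijackThis/ComboFix component). The rules shorten the
list for a person; they do not decide on their own."""
import ipaddress
import re

SYSTEM_DRIVE = "C:"  # assumption: Windows lives on C:, as in the logs above

# Constructed sample: lines copied from or modelled on the logs in this thread.
# The "[12345678]" Run entry is hypothetical (numeric name, profile directory).
SAMPLE_HJT = r"""
O1 - Hosts: ::1 localhost
O1 - Hosts: 209.44.111.62 aware-protect.com
O1 - Hosts: 209.44.111.62 www.aware-protect.com
O3 - Toolbar: (no name) - {CCC7A320-B3CA-4199-B1A6-9F516DD69829} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MbWzdFPAP-EXL540] E:\PdtGuide.exe
O4 - HKLM\..\Run: [12345678] C:\Documents and Settings\All Users\Application Data\12345678\12345678.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
""".strip().splitlines()

SAMPLE_COMBOFIX = r"""
2009-10-10 15:07 . 2009-10-10 15:07 -------- d-sh--w- c:\windows\system32\config\systemprofile\PrivacIE
2009-10-10 14:47 . 2008-04-14 00:12 135680 ----a-w- c:\windows\system32\Littlemonkey.exe
2009-07-10 17:37 . 2009-07-10 17:37 1011349 --sha-w- c:\windows\system32\kamideva.exe
""".strip().splitlines()

HOSTS_RE = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
RUN_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}")
# ComboFix file line: created . modified size attrs path (attrs: d=dir, s=system, h=hidden)
CF_FILE_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d) \. (\d{4}-\d\d-\d\d \d\d:\d\d)\s+(\S+)\s+([-a-z]{8})\s+(.+)$"
)
PROFILE_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")


def _image_path(cmd):
    """Executable part of a Run value: the quoted token, or the text up to the
    first .exe/.com/.dll/.cpl/.scr/.bat/.pif so unquoted paths with spaces survive."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|com|dll|cpl|scr|bat|pif))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split()[0]


def triage_hijackthis(lines):
    """Return a list of {'kind', 'item', 'detail'} findings for O1/O2/O3/O4 lines."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = HOSTS_RE.match(line)
        if m:
            ip, host = m.groups()
            try:
                loopback = ipaddress.ip_address(ip).is_loopback
            except ValueError:
                loopback = False  # not an IP literal at all: worth a look
            if not loopback:
                findings.append({"kind": "hosts_redirect", "item": host, "detail": ip})
            continue
        if line.startswith(("O2 - ", "O3 - ")) and line.endswith("(no file)"):
            clsid = CLSID_RE.search(line)
            findings.append({"kind": "orphan_entry", "item": clsid.group(0) if clsid else line, "detail": "no file"})
            continue
        m = RUN_RE.match(line)
        if m:
            name, image = m.group(2), _image_path(m.group(3))
            reasons = []
            if name.isdigit():
                reasons.append("numeric value name")
            if image[1:2] == ":" and image[:2].upper() != SYSTEM_DRIVE:
                reasons.append("starts from drive " + image[:2])
            if any(d in image.lower() for d in PROFILE_DIRS):
                reasons.append("starts from a user-writable profile directory")
            if reasons:
                findings.append({"kind": "autorun", "item": name, "detail": f"{image} ({'; '.join(reasons)})"})
    return findings


def triage_combofix(lines):
    """Flag plain files under system32 carrying both hidden and system attributes."""
    findings = []
    for raw in lines:
        m = CF_FILE_RE.match(raw.strip())
        if not m:
            continue
        created, _modified, size, attrs, path = m.groups()
        if attrs.startswith("d"):
            continue  # directories such as IE's PrivacIE cache are legitimately d-sh
        if "s" in attrs and "h" in attrs and "\\system32\\" in path.lower():
            findings.append({"kind": "hidden_system_file", "item": path, "detail": f"{size} bytes, created {created}"})
    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT) + triage_combofix(SAMPLE_COMBOFIX):
        print(f"{f['kind']:20} {f['item']}  [{f['detail']}]")
```

On the sample above the QuickTime and igfxtray entries pass silently while the E: autorun, the numeric key, both aware-protect.com hosts lines, the orphaned toolbar and kamideva.exe are reported. The attribute rule is deliberately narrow: it ignores directories, because Internet Explorer's PrivacIE and IETldCache folders in the same log are hidden+system by design.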
Another little update: I just restarted again, to see if I can figure out how to get the PC online, and noticed the 'malwarebytes' icon in my tray & right clicked on it (it said 'Malwarebytes Anti-Malware'), so I clicked it and - I sh!t you not - it launched the damn Security Tool virus AGAIN. The Mbam icon launched the Security Tool virus.
I suppose this means I'm back to square one. Sigh.
-
I'm no computer wizard.... but my husband is worse. He received the "Security Tool" virus last night and I've been up all night trying to fix this thing. I'm going to try my best to be concise & keep my cool while giving as much info as I can as to what has and has not worked for me, cuz this thing is STILL MOCKING ME in my start-up menu and quick start tray.
- Husband received the virus last night around 7pm
- I shut his computer down instantly and grilled him about what he'd been clicking on.
- He says 'nothing', he was Googling CBS sports-something and when he clicked on the Google result the 'security tool' popped up & launched itself, telling him he was infected blah...blah...blah. This is the second time in 3 months something like this has happened, god love him. Apparently the firewall and AVG did nothing to protect him.
I immediately tried to launch mbam.exe because that's what worked last time... but the file 'could not be found'. Searching some of the forums here I realized the virus is disabling it. So, I was able to download it to a flash drive from my Mac, restart the PC in 'safe' mode and, with about 17 tries, very quickly copy-paste it to the desktop before it was deleted. Thinking myself very clever, I renamed MBAM and ran it twice in safe mode, and both times it came up with 11 items to remove. When I restarted a third time, F8 safe mode no longer worked (it just ran all these lines of text and just stopped) - so I have to go through msconfig to 'diagnostic startup'. I run my MBAM again and the same 11 items show up detected again. Note: the PC can no longer get on the internet, wired or wireless, so MBAM 1.41 was NOT updated when I ran it. I'm deleting the items, so why are they not going away?
This morning - it's all still there. The 'Security Tool' icons, the strange '.dll' errors when I start up... my desktop is odd looking (all black), so I know something is still going on. I cannot do a system restore, because the computer is saying there is no date to go back and restore. I can't get online. When I run the process explorer, I see no string of numbers or anything that looks obvious, but I clearly still have the virus.
Desperate - I went to my office across town, downloaded MBAM and ran the update, renamed it, saved it to a flash drive and came home and ran it again. It found 0 items in safe mode. So, I restarted in Normal mode and it found 2 items.
Below are the logs from both HijackThis and the post-2-item removal from MBAM (never mind - the forum won't let me upload the HijackThis log, only the mbam log).
I really appreciate any help I can get. We have 2 other computers, but they are Macs. So, anything I download to 'fix' it, has to be pre-updated and able to be moved from a flash disk. Sigh. I will see if I can get the PC back online while I wait for someone to reply.
Thanks in advance for a reply!
Another MBAM/Security Tool casualty
in Resolved Malware Removal Logs
Still talking to myself.... but in case anyone reading this is still struggling with this, here is my latest log. It is very important to make sure you are running the latest update of Mbam - 2939. It found 2 additional items on my computer. But, I am still struggling with this virus. Unreal.
Malwarebytes' Anti-Malware 1.41
Database version: 2939
Windows 5.1.2600 Service Pack 3
10/10/2009 6:49:02 PM
mbam-log-2009-10-10 (18-49-02).txt
Scan type: Full Scan (C:\|D:\|)
Objects scanned: 134409
Time elapsed: 39 minute(s), 47 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\kamideva.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
C:\Documents and Settings\marc\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.