protection system virus is running rings around malewarebytes

[newbie14]

So the other day I found that I have a fake windows security center virus called "protection system". It blocks malewarebytes, Spybot search and destroy, and SUPERantispyware programs from running. I have read a few different guides like this one http://www.bleepingcomputer.com/virus-remo...otection-system on how to remove this virus but none of them work. All of them reccomend downloading and running malwarebytes.

A couple of big problems with this. The virus is blocking me from going to malwarebyes website or even this forum (posting from a friend's pc). I had an older version of malwarebyes on my pc and managed to run in by renaming the mbam.exe file. Now it's even worse, now the task bar and start button are hidden and can't be unlocked, Also I can't even restore to an earlier point or search the files on my pc. Before I scanned with malwarebyes I could at least do that.

Now I can't even run malwarebyes when I try I get an error message "run time372 Failed to load 'vbalGrid' from vbalsgrid6.ocx". I had a friend download the latest version of malwarebyes installation and burn it onto a CD under a different name. I can install it but not actually run it even though I changed the name of the .exe file. Also the virus keeps trying to uninstall malwarebyes.

I would post a hijack this log but like I said I can't even get on this site with my pc. I can go to other sites but nothing to do with malwarebyes, I can't even search for the name.

I'm all out of ideas. This is one seriously smart and nasty virus. Any advice?

[Maniac]

Greetings.

To get you fixed up please follow the instructions here:

I'm infected - What do I do now?

And post your logs in a new topic here:

Malware Removal - HijackThis Logs

Please be sure not to install any software or use any removal or scanning tools exept those that you are

instructed to by the expert who will be assisting you as doing so can make their job much more difficult.

note: if for some reason you are unable to run some or any of the tools in the first link, then skip that step and move on to the next one.

If you can't even run HijackThis, then just post here: Malware Removal - HijackThis Logs describing your issues and an expert will reply with further instructions.

I hope I was helpful. Good luck and safe surfing.

[mountaintree16]

I am really not an expert, but trying to help the best I can. Does the computer you are using now have a burner? I'll message one of our admins here for yah.

Nevermind, he's already reading the thread. I'll let him take it from here

[mountaintree16]

newbie14

Did you try this already?

http://www.malwarebytes.org/forums/index.php?showtopic=17607

[newbie14]

I tried changing the name of the .exe file and that worked once, but now I just get the failed to load vbalgrid..... error message I mentioned earlier. Also the virus has since deleted the Hijackthis program, and won't let me go on to the websites or antispyware programs or even search for them. I ran a hijackthis scan yesterday, would the log be stored somewhere other than the program folder? I'm pretty much out of ideas since I can't even restore and it has made my task bar disapear and even the windows key won't work. I could really use some help because this seems like one nasty destructive virus.

[mountaintree16]

ugh.

do you have a log from hijack this or did that get deleted as well?

I tried changing the name of the .exe file and that worked once, but now I just get the failed to load vbalgrid..... error message I mentioned earlier. Also the virus has since deleted the Hijackthis program, and won't let me go on to the websites or antispyware programs or even search for them. I ran a hijackthis scan yesterday, would the log be stored somewhere other than the program folder? I'm pretty much out of ideas since I can't even restore and it has made my task bar disapear and even the windows key won't work. I could really use some help because this seems like one nasty destructive virus.

[Kondro]

did you try booting to safe mode and running it? If you can boot to "safe mode with networking" that is even better because you can install MBAM and then update it before running the scan.

[AdvancedSetup]

Scan and post logs - read note at bottom in green

If you're having Malware related issues with your computer that you're unable to resolve.

1. Please read and follow the instructions provided here: I'm infected - What do I do now?
2. If needed please post your logs in a NEW topic here: Malware Removal - HijackThis Logs
   
3. When posting logs please do not use any Quote, Code, or other tags. Please copy/paste directly into your post and do not attach files unless requested.
   

• Please do not post any logs in the General forum. We do not work on any logs posted in the General forum.
  
• Please do not install any software or use any removal/scanning tool except for those you're requested to run by the Helper that will assist you.
  
• Using these other tools often makes the cleanup task more difficult and time consuming.
  
• If you have already submitted for assistance at one of the other support sites on the Internet then you should not post a new log here, you should stay working with the Helper from that site until the issue is resolved.
  
• Do not assume you're clean because you don't see something in the logs. Please wait until the person assisting you provides feedback.
  
• There are often many others that require asistance as well, so please be patient. If no one has responded within 48 hours then please go ahead and post a request for review
  

• NOTE: If for some reason you're unable to run some or any of the tools in the first link, then skip that step and move on to the next one. If you can't even run HijackThis, then just proceed and post a NEW topic as shown in the second link describing your issues and someone will assist you as soon as they can.
  

[newbie14]

Luckily it saved one from yesterday onto the desktop

Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 9:03:48 PM, on 7/7/2009

Platform: Windows XP SP2 (WinNT 5.01.2600)

MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Internet Explorer\Iexplore.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

C:\Program Files\Common Files\Real\Update_OB\realsched.exe

C:\Program Files\ewido anti-spyware 4.0\ewido.exe

C:\Program Files\SUPERAntiSpyware\tool.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe

C:\DOCUME~1\Alex\LOCALS~1\Temp\smss.exe

C:\Program Files\AGI\common\win32\PythonService.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\ewido anti-spyware 4.0\guard.exe

C:\Program Files\ewido\security suite\ewidoctrl.exe

C:\WINDOWS\system32\nvsvc32.exe

C:\WINDOWS\system32\PnkBstrA.exe

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redirect...c02&lc=0409

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://store.presario.net/scripts/redirect...c02&lc=0409

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Compaq

R3 - URLSearchHook: AGSearchHook Class - {0BC6E3FA-78EF-4886-842C-5A1258C4455A} - C:\Program Files\AGI\common\agcutils.dll

O2 - BHO: C:\WINDOWS\system32\gsf83iujid.dll - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)

O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe"

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [sunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized

O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript

O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k

O4 - HKCU\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\tool.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - HKCU\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe"

O4 - HKCU\..\Run: [Windows System Recover!] C:\DOCUME~1\Alex\LOCALS~1\Temp\smss.exe

O4 - HKLM\..\Policies\Explorer\Run: [dsa7z] C:\WINDOWS\system32\N0EB00K.EXE

O4 - HKUS\S-1-5-21-3660946461-1781414125-3460245079-1006\..\Run: [] (User '?')

O4 - HKUS\S-1-5-21-3660946461-1781414125-3460245079-1006\..\Run: [sUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\tool.exe (User '?')

O4 - HKUS\S-1-5-21-3660946461-1781414125-3460245079-1006\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')

O4 - HKUS\S-1-5-21-3660946461-1781414125-3460245079-1006\..\Run: [VeohPlugin] "C:\Program Files\Veoh Networks\VeohWebPlayer\veohwebplayer.exe" (User '?')

O4 - HKUS\S-1-5-21-3660946461-1781414125-3460245079-1006\..\Run: [Windows System Recover!] C:\DOCUME~1\Alex\LOCALS~1\Temp\smss.exe (User '?')

O4 - HKUS\S-1-5-18\..\Run: [] C:\WINDOWS\TEMP\x5q72b.exe (User '?')

O4 - HKUS\.DEFAULT\..\Run: [] C:\WINDOWS\TEMP\x5q72b.exe (User 'Default user')

O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm

O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html

O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM

O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html

O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html

O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html

O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM

O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html

O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll

O9 - Extra button: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell - {0E17D5B7-9F5D-4fee-9DF6-CA6EE38B68A8} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: (no name) - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra 'Tools' menuitem: ieSpell Options - {1606D6F9-9D3B-4aea-A025-ED5B2FD488E7} - C:\Program Files\ieSpell\iespell.dll

O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll

O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)

O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=2c02&lc=0409

O16 - DPF: ppctlcab - http://ppupdates.ca.com/downloads/scanner/ppctlcab.cab

O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/errn200...erInstaller.exe

O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204

O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab

O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5co...b?1100984126890

O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab

O16 - DPF: {99802379-7362-40E2-9D28-8A3B9AF880B7} - http://hotsearchbar.com/toolbar2/winhot32.cab

O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload.adobe.com/pub/shockwave/...ash/swflash.cab

O18 - Filter hijack: text/html - {61c742ae-8618-4e02-aa21-9ffb2cffacee} - C:\WINDOWS\system32\msiebbar.dll

O20 - AppInit_DLLs: karna.dat

O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

O22 - SharedTaskScheduler: Apartment - ThreadingModel - (no file)

O22 - SharedTaskScheduler: rtasgvfu76ew8ndkfno94 - {D76AB2A1-00F3-42BD-F434-00BBC39C8953} - C:\WINDOWS\system32\gsf83iujid.dll (file missing)

O23 - Service: AG Windows Service (AGWinService) - Unknown owner - C:\Program Files\AGI\common\win32\PythonService.exe

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\COMPAQ\Compaq Advisor\bin\compaq-rba.exe

O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe

O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe

O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE

O23 - Service: Content Monitoring Tool (msCMTSrvc) - Unknown owner - C:\WINDOWS\system32\msCMTSrvc.exe (file missing)

O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

O24 - Desktop Component 0: (no name) - http://rds.yahoo.com/_ylt=A9gnMiJvQRVHIpYA...pg/lynching.jpg

--

End of file - 9565 bytes

[mountaintree16]

@ newbie14

thank goodness!

Please post your hijackthis log here: http://www.malwarebytes.org/forums/index.php?showforum=7

Someone will be along to assist you as soon as possible I can't assist you further than this.