
Windows Security Center Malware



My machine has been infected with the Windows Security Center malware, and I'm unable to launch my currently installed version of MBAM. Same for my McAfee security software and for System Restore (tried all in normal mode, safe mode, and via command line interface in both normal and safe modes)...in all cases, no response.

I've also tried renaming the MBAM exe file...same result.

I saw a string in the forum regarding a similar problem, and downloaded the random name version of MBAM...got it on the desktop, but can't open it. I get the 730 (0, 0) code when I try to open it (via the random name exe, after renaming it, and via the winlogon exe file in the installer folder).

I thought that it might help to uninstall my current version of MBAM, but the uninstall tool does not work (it shows as an active task in Task Manager, but nothing happens and there is no activity in the progress bar).

UPDATE:

I was finally able to get my current version of MBAM uninstalled. After doing so, I was able to run the random-name version and update it with current database...however, the PC keeps locking up before I'm able to complete a full scan. NOTE - locking up after 10-20 minutes of use is another of the symptoms since this machine got infected.

I then ran a quick scan and was able to complete it...found five infected objects, removed them and restarted. Re-opened random name version of MBAM and just started a full scan. Hopefully, the machine will be able to get through it now that I got rid of the infected files found in the quick scan.

Here is the MBAM report from the quick scan:

Malwarebytes' Anti-Malware 1.44

Database version: 3593

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

1/18/2010 1:49:17 PM

mbam-log-2010-01-18 (13-49-17).txt

Scan type: Quick Scan

Objects scanned: 109643

Time elapsed: 11 minute(s), 6 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 1

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 1

Files Infected: 2

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

\\?\globalroot\systemroot\system32\H8SRTtftlpjaxbj.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:

\\?\globalroot\systemroot\system32\H8SRTtftlpjaxbj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Program Files\malware Defense\md.db (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

I will update as soon as the full scan completes (or not!).

SECOND UPDATE:

OK, made it through a full scan...no problems found, but MBAM did prompt me to restart (as if it had found infected files).

I then downloaded standard version of MBAM, installed it, updated it and ran quick scan again. Found 10 infected objects; report follows:

Malwarebytes' Anti-Malware 1.44

Database version: 3595

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/18/2010 4:19:25 PM

mbam-log-2010-01-18 (16-19-25).txt

Scan type: Quick Scan

Objects scanned: 111834

Time elapsed: 8 minute(s), 34 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 1

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 9

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\h8srtd.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\H8SRTrgrqoxuxpm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTtftlpjaxbj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.

C:\Documents and Settings\Administrator\Local Settings\Temp\H8SRT5493.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTbvmpporimx.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTdpueggiywv.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h8srtkrl32mainweq.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\h8srtshsyst.dll (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\H8SRTqxfmnjlncx.dat (Rootkit.TDSS) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\H8SRTwkmpxevdlv.sys (Rootkit.TDSS) -> Quarantined and deleted successfully.

Ran another full scan, and found no problems. Report from this scan is as follows:

Malwarebytes' Anti-Malware 1.44

Database version: 3595

Windows 5.1.2600 Service Pack 3

Internet Explorer 8.0.6001.18702

1/18/2010 5:12:48 PM

mbam-log-2010-01-18 (17-12-48).txt

Scan type: Full Scan (C:\|)

Objects scanned: 175152

Time elapsed: 50 minute(s), 48 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)

Is there anything I should do to assure that this nasty piece of malware is truly eliminated from my PC? Thanks for any suggestions or guidance you may be able to provide.

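The three scan logs quoted above all share one text layout: a header block of "Key: value" lines, per-category counts, then one "Category Infected:" section per category with one detection per line in the form "item (Family) -> action." The following is an added example, not code from the original post or from Malwarebytes: a small parser for that layout, with a summary that counts detections per family, flags entries still marked "Delete on reboot" (removal is not complete until the machine restarts, which is why a rescan after reboot matters), and groups items by the random filename prefix the rootkit used here (H8SRT/h8srt), so that a Vundo-labelled DLL and the TDSS driver and registry entries can be seen as one infection. The log format is inferred from the logs in this thread; the sample input is an excerpt of the first quick-scan log above.

```python
"""Parse Malwarebytes' Anti-Malware 1.x text logs into structured detections.

Added example, not part of the original post and not Malwarebytes' own code.
The log layout is inferred from the three logs quoted in the thread.
"""
import re
from collections import Counter

# Constructed sample input: an excerpt of the first quick-scan log from the post.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.44
Database version: 3593
Windows 5.1.2600 Service Pack 3 (Safe Mode)

Scan type: Quick Scan
Objects scanned: 109643

Memory Modules Infected: 1
Registry Keys Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
\\?\globalroot\systemroot\system32\H8SRTtftlpjaxbj.dll (Trojan.Vundo) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:
\\?\globalroot\systemroot\system32\H8SRTtftlpjaxbj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\malware Defense\md.db (Rogue.MalwareDefense) -> Quarantined and deleted successfully.
"""

# "Key: value" header lines (database version, scan type, per-category counts).
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z' ]+): (?P<value>.+)$")
# Section headers such as "Files Infected:" (colon at end of line, no count).
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
# One detection: "<item> (<Family>) -> <action>."  The greedy item group
# backtracks to the last " (Family) -> ", so parentheses in paths are safe.
DETECTION_RE = re.compile(r"^(?P<item>.+) \((?P<family>[^()]+)\) -> (?P<action>.+?)\.?$")


def parse_mbam_log(text):
    """Return (metadata dict, list of detection dicts) for one MBAM 1.x log."""
    meta, detections, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("(No malicious items detected)"):
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = DETECTION_RE.match(line)
        if m and section is not None:
            detections.append({"section": section, **m.groupdict()})
            continue
        m = HEADER_RE.match(line)
        if m and section is None:  # header block precedes the first section
            meta[m.group("key")] = m.group("value")
    return meta, detections


def summarize(detections):
    """Count detections per family and list items whose removal awaits a reboot."""
    by_family = Counter(d["family"] for d in detections)
    pending = [d["item"] for d in detections
               if d["action"].lower().startswith("delete on reboot")]
    return by_family, pending


def prefix_counts(detections, length=5):
    """Group items by the first `length` chars of their last path component,
    case-insensitively; a dominant random-looking prefix across DLLs, a driver
    and a registry key is the signature of one rootkit install, not several."""
    counts = Counter()
    for d in detections:
        basename = d["item"].rstrip("\\").rsplit("\\", 1)[-1]
        counts[basename[:length].lower()] += 1
    return counts


if __name__ == "__main__":
    meta, dets = parse_mbam_log(SAMPLE_LOG)
    families, pending = summarize(dets)
    print(meta.get("Scan type"), "database", meta.get("Database version"))
    for family, n in families.most_common():
        print(f"{n:3d}  {family}")
    print("pending until reboot:", pending)
    print("prefix groups:", prefix_counts(dets).most_common(3))
```

Run against a saved log (`parse_mbam_log(open(path).read())`), a non-empty `pending` list means the tool still has work to do at the next restart, and a full rescan after that restart is the check that closes the loop; the later logs in this thread, where the prefix group shrinks and then disappears, are what a clean result looks like in this representation.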

  • Staff

Since there is no feedback anymore, I assume this issue is resolved ... so, this Topic is closed.

If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

