
xp security center malware



Hi,

Were you actually able to run Malwarebytes? If so, can you post the log here? Because it looks like your version of Malwarebytes is not up to date since it should remove the malware I can find in your logs.

Hello,

Yes, but I had to DL it to another computer, copy it to a flash drive and then install it onto the infected computer. This malware, or trojan, or whatever it is has hijacked the browser and I can't even update Malwarebytes from the infected puter.

Did you get the zipped file I submitted with this post?

Thanks

Patrick


  • Staff

Hi,

First of all, try Windows safe mode with networking support and see if mbam is able to update there. It's extremely important that mbam gets updated, because I know it deals with this variant.

If still no luck with updating... install Malwarebytes on the other computer (good computer) and update there. Verify it really has database version 3886 (or up). Then transfer the C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref file from the good computer to the infected computer (let it overwrite the one present on the infected computer).

Then run a scan with Malwarebytes again (Quick scan) and post the log in your next reply.


Hi,

I did as instructed and Malwarebytes removed 10 more threats. The infected computer is operating normally now. Thank you for your help. I will definitely be singing Malwarebytes' praises to any that get this problem in the future.

Malwarebytes' Anti-Malware 1.44

Database version: 3886

Windows 5.1.2600 Service Pack 3 (Safe Mode)

Internet Explorer 8.0.6001.18702

3/20/2010 8:03:54 AM

mbam-log-2010-03-20 (08-03-54).txt

Scan type: Quick Scan

Objects scanned: 108199

Time elapsed: 8 minute(s), 7 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 2

Registry Values Infected: 1

Registry Data Items Infected: 1

Folders Infected: 0

Files Infected: 6

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cpqoko6 (Worm.KoobFace) -> Quarantined and deleted successfully.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\apto6ko (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Values Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\tapisrvs (Worm.KoobFace) -> Quarantined and deleted successfully.

Registry Data Items Infected:

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\(default) (Hijack.StartMenuInternet) -> Bad: ("C:\Documents and Settings\Dana McAlister\Local Settings\Application Data\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe") Good: (iexplore.exe) -> Quarantined and deleted successfully.

Folders Infected:

(No malicious items detected)

Files Infected:

C:\WINDOWS\system32\erokosvc.dll (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\system32\drivers\imapioko.sys (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\WINDOWS\ligh (Koobface.Trace) -> Quarantined and deleted successfully.

C:\WINDOWS\lgo (Koobface.Trace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dana McAlister\Local Settings\Application Data\010112010146111103.xxe (Worm.KoobFace) -> Quarantined and deleted successfully.

C:\Documents and Settings\Dana McAlister\Local Settings\Application Data\ave.exe (Rogue.MultipleAV) -> Quarantined and deleted successfully.
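
A check that could be run over a posted log like the one above, added here as an example and not part of the original thread: it confirms the database version is at least the 3886 the helper asked for, that each summary count matches the items actually listed, and that every item ended in the success result. The function names and the sample log are constructed for illustration; the sample's paths and names are made up.

```python
import re

MIN_DB = 3886  # database version the helper asked to verify
DONE = "Quarantined and deleted successfully."
ITEM = re.compile(r"^(.+?) \(([\w.]+)\) -> (.+)$")

# Constructed sample in the layout of the posted log; paths and names are made up.
SAMPLE = r"""Database version: 3885
Registry Data Items Infected: 1
Files Infected: 3

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Example\(default) (Hijack.Example) -> Bad: ("C:\x.exe" /START) Good: (iexplore.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\example.dll (Worm.KoobFace) -> Quarantined and deleted successfully.
C:\Temp\example.exe (Rogue.MultipleAV) -> No action taken.
"""

def parse_log(text):
    """Return (db_version, summary_counts, items) from an MBAM 1.x text log."""
    db, counts, items, section = None, {}, [], None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Database version:"):
            db = int(line.split(":", 1)[1])
        elif m := re.match(r"^([\w ]+ Infected): (\d+)$", line):
            counts[m.group(1)] = int(m.group(2))      # summary block
        elif m := re.match(r"^([\w ]+ Infected):$", line):
            section = m.group(1)                      # start of a detail block
        elif section and (m := ITEM.match(line)):
            # Hijack entries carry an extra "->" (Bad/Good); the result is the last part.
            result = m.group(3).rsplit(" -> ", 1)[-1]
            items.append((section, m.group(1), m.group(2), result))
    return db, counts, items

def review(text):
    """List reasons the log does not show a complete, up-to-date cleanup."""
    db, counts, items = parse_log(text)
    problems = []
    if db is None or db < MIN_DB:
        problems.append(f"database version {db} is older than {MIN_DB}")
    for section, expected in counts.items():
        listed = sum(1 for s, *_ in items if s == section)
        if listed != expected:
            problems.append(f"{section}: summary says {expected}, log lists {listed}")
    problems += [f"{p} ({fam}): {act}" for _, p, fam, act in items if act != DONE]
    return problems

if __name__ == "__main__":
    print("\n".join(review(SAMPLE)) or "log looks clean")
```

An empty list from `review` means the log shows an updated database and a completed removal; it says nothing about items the scan did not detect.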


  • Staff

Glad I could help. :huh:

Please read my Prevention page with lots of info and tips how to prevent this in the future.

And if you want to improve speed/system performance after malware removal, take a look here.

Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
