FoxtrotAlpha

  1. Still talking to myself.... but in case anyone reading this is still struggling with this, here is my latest log. It is very important to make sure you are running the latest update of Mbam - 2939. It found 2 additional items on my computer. But, I am still struggling with this virus. Unreal.
     Malwarebytes' Anti-Malware 1.41
     Database version: 2939
     Windows 5.1.2600 Service Pack 3
     10/10/2009 6:49:02 PM
     mbam-log-2009-10-10 (18-49-02).txt
     Scan type: Full Scan (C:\|D:\|)
     Objects scanned: 134409
     Time elapsed: 39 minute(s), 47 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 2
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected:
       C:\WINDOWS\system32\kamideva.exe (Trojan.Dropper) -> Quarantined and deleted successfully.
       C:\Documents and Settings\marc\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
  2. I've spent the entire day cleaning this computer.... the Security Tool virus is STILL in my start-up tray and my desktop is still all black. Running Mbam, says I'm all clean. But I'm not. I'm going to try to update Malwarebytes to see if I'm missing something..... but I'm losing all hope. Here is the latest log:
     Malwarebytes' Anti-Malware 1.41
     Database version: 2775
     Windows 5.1.2600 Service Pack 3
     10/10/2009 6:08:06 PM
     mbam-log-2009-10-10 (18-08-06).txt
     Scan type: Full Scan (C:\|D:\|)
     Objects scanned: 130583
     Time elapsed: 24 minute(s), 24 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 0
     Registry Data Items Infected: 0
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected: (No malicious items detected)
     Registry Data Items Infected: (No malicious items detected)
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
  3. My Win32kDiag Log:
     Running from: C:\Documents and Settings\marc\Desktop\Win32kDiag.exe
     Log file at : C:\Documents and Settings\marc\Desktop\Win32kDiag.txt
     WARNING: Could not get backup privileges!
     Searching 'C:\WINDOWS'...
     Finished!
  4. My exeHelper log:
     exeHelper by Raktor - 09
     Build 20090925
     Run at 17:11:52 on 10/10/09
     Now searching...
     Checking for numerical processes...
     Checking for bad processes...
     Checking for bad files...
     Checking for bad registry entries...
     Resetting filetype association for .exe
     Resetting filetype association for .com
     Resetting userinit and shell values...
     Resetting policies...
     --Finished--
  5. And lastly, my Combo-Fix log:
  6. Okay - another update. I can get online with the PC now. I've got Mbam loaded & running fine (renamed the .exe file) and I've purchased & run PrevX3.0. Both programs cleaned out a bunch of things... I ran each one twice. When I restart, I still see a 'fake' icon in my startup menu as well as my quick-launch that says it's "Malwarebytes' Anti-Malware", but it is STILL THE SECURITY TOOL virus. How is that possible? Is this virus that awful? I'm going to try to run the Combo-Fix program listed in another thread and see where that gets me. Below is my Mbam log:
     Malwarebytes' Anti-Malware 1.41
     Database version: 2775
     Windows 5.1.2600 Service Pack 3
     10/10/2009 3:46:39 PM
     mbam-log-2009-10-10 (15-46-39).txt
     Scan type: Full Scan (C:\|)
     Objects scanned: 131134
     Time elapsed: 30 minute(s), 15 second(s)
     Memory Processes Infected: 0
     Memory Modules Infected: 0
     Registry Keys Infected: 0
     Registry Values Infected: 2
     Registry Data Items Infected: 1
     Folders Infected: 0
     Files Infected: 0
     Memory Processes Infected: (No malicious items detected)
     Memory Modules Infected: (No malicious items detected)
     Registry Keys Infected: (No malicious items detected)
     Registry Values Infected:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rugijaman (Trojan.Vundo.H) -> Quarantined and deleted successfully.
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\39051523 (Rogue.Multiple) -> Quarantined and deleted successfully.
     Registry Data Items Infected:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
     Folders Infected: (No malicious items detected)
     Files Infected: (No malicious items detected)
     And here is the HijackThis log:
  7. Another little update: I just restarted again, to see if I can figure out how to get the PC online and noticed the 'malwarebytes' icon in my tray & right clicked on it (it said 'Malwarebytes Anti-Malware') so I clicked it and - I sh!t you not - it launched the damn Security Tool virus AGAIN. The Mbam icon launched the Security Tool virus. I suppose this means I'm back to square one. Sigh.
  8. I'm no computer wizard.... but my husband is worse. He received the "Security Tool" virus last night and I've been up all night trying to fix this thing. I'm going to try my best to be concise & keep my cool while giving as much info as I can as to what has and has not worked for me, cuz this thing is STILL MOCKING ME in my start-up menu and quick start tray. Husband received the virus last night around 7pm. I shut his computer down instantly and grilled him about what he'd been clicking on. He says 'nothing', he was Googling CBS sports-something and when he clicked on the Google result the 'security tool' popped up & launched itself, telling him he was infected blah...blah...blah. This is the second time in 3 months something like this has happened, god love him. Apparently the firewall and AVG did nothing to protect him. I immediately tried to launch mbam.exe because that's what worked last time.... but the file 'could not be found'. Searching some of the forums here I realized the virus is disabling it. So, I was able to download it to a flash drive from my Mac, restart the PC in 'safe' mode and with about 17 tries, very quickly copy-paste it to the desktop before it was deleted. Thinking myself very clever, I renamed MBAM and ran it twice in safe mode, both times it came up with 11 items to remove. When I restarted a third time, F8 safemode no longer worked (it just ran all these lines of text and just stopped) - so I have to go through msconfig to 'diagnostic startup'. I run my MBAM again and the same 11 items show up detected again. Note: the PC can no longer get on the internet, wired or wireless, so MBAM 1.41 was NOT updated when I ran it. I'm deleting the items, so why are they not going away? This morning - it's all still there. The 'Security Tool' icons, the strange '.dll' errors when I start up.... my desktop is odd looking (all black), so I know something is still going on. I cannot do a system restore, because the computer is saying there is no date to go back and restore. I can't get online. When I run the process explorer, I see no string of numbers or anything that looks obvious, but I clearly still have the virus. Desperate - I went to my office across town, downloaded MBAM and ran the update, renamed it, saved it to a flash drive and came home and ran it again. It found 0 items in safe mode. So, I restarted in Normal mode and it found 2 items. Below are the logs from both HijackThis and the post-2 item removal from MBAM (never mind - forum won't let me upload the HijackThis log, only the mbam log). I really appreciate any help I can get. We have 2 other computers, but they are Macs. So, anything I download to 'fix' it, has to be pre-updated and able to be moved from a flash disk. Sigh. I will see if I can get the PC back online while I wait for someone to reply. Thanks in advance for a reply! mbam_log_2009_10_10__13_27_27_.txt