Vista Security Tool 2010

Solved/Closed
J - Mar 16, 2010 at 04:22 PM
supanuba - Apr 16, 2010 at 06:21 PM
Hello,
HELP, I CAN'T GET RID OF IT AND NOTHING ELSE WORKS. IT'S for Vista and it's the newest virus.

23 replies

Blocked Profile
Mar 16, 2010 at 04:32 PM
Dear Sir,

Your post actually lacks specific information. However, I would ask you to go through the instructions below to get the problem solved.

http://ccm.net/faq/6844-rogue-vista-internet-security-2010-pro-removal

Thanks in advance.
1
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,251
Mar 16, 2010 at 04:52 PM
Hello,

With all due respect for my friend Ash Perez

Here is how to get rid of this scam rogue virus, designed to get at your credit card account, and it is a good thing you did not fall for it.

Please follow the following procedure carefully and to the letter.

Security Tool is a rogue virus which is self-protective, thus it will prevent any antivirus from functioning.

You must kill the processes which the virus is presently running. If you don't, it will keep reproducing the files forever.

To kill the processes:

Download to your desktop and run Rogue Kill:

https://download.bleepingcomputer.com/grinler/rkill.com

You should now see a window that shows all of your desktop icons, including the rkill.com program. Now double-click on rkill.com in order to automatically attempt to stop any processes associated with Security Tool and other rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Tool when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Tool. So, please try running Rkill until malware is no longer running.

Please, DO NOT REBOOT your computer or the processes will come back to haunt you!

Download Malwarebytes to your desktop.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it Explorer.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.

Once your computer is clean and working normally, just to be on the safe side:
* Turn off system restore and wait 30 seconds,
* Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.
It is better to go back to an infected restore point if something goes wrong than to not be able to undo changes that were damaging.

Once all this is completed, I always suggest deleting Malwarebytes, as some people have reported that it may interfere with other antivirus applications.

Please let us know about the results which I am sure will be positive.

Regards
1
chattycathy526
Mar 16, 2010 at 08:04 PM
Hello

I am now performing the system scan as you recommended... I just did the rkill.com.

How do I turn off system restore and then turn it back on and make a new date?

Also, previously I had done the scan and it found the files and supposedly deleted them... however it did not do the trick and the Vista Security Tool was still hijacking. I hope the rkill.com put a stop to that.
0
Ambucias
Mar 17, 2010 at 04:36 AM
Dear Cath,

I trust you performed RKill before you "Malwarebyted", for it is important to remove the malicious processes first, as the dead trojan will resuscitate.

Malwarebytes should take at least 90 minutes. Let me know when it is done and I will answer on system restore.

Thank you
0
chattycathy526
Mar 17, 2010 at 07:18 AM
I did do the rkill first... then a full scan... got rid of all infected files... virus is still there... still getting popups and it stops me from connecting to the internet... doing another scan.

What else can I do?

Thanks so much for helping me
0
chattycathy526
Mar 17, 2010 at 08:55 AM
I do the kill and scan and it keeps coming back... what do I do?

Cathy
0
Hi,
I had this virus on my PC recently and successfully removed it by using System Restore.
Just go to Control Panel and use System Restore to restore your computer to an earlier date (before the infection occurred) and away you go.
Simple.
0
Ambucias
Apr 2, 2010 at 04:17 PM
That is a good idea; however, you may still be left with the virus in your System Volume Information, and who knows when it will return to haunt you?
0
Umm, to Jon Locke: like, I tried your way, but for some reason it, like, shut off my PC and now I still have it.
0
Ambucias
Mar 17, 2010 at 09:33 AM
Okay,

No virus has ever resisted me.

I assume that when you say scan and scan you mean with Rkill.

Let us do it this way.

Download Process Explorer and save it on C:

http://live.sysinternals.com/procexp.exe

Run the tool and spot any unusual processes, especially those that are numeric or say pcsecurity, vista security, dr.guard, etc.

Kill the process or processes!

Do not reboot your machine as the processes will be reanimated and come back to haunt you.

Then follow the exact procedure I indicated to you for Malwarebytes.

Let me know
0
chattycathy526
Mar 17, 2010 at 10:01 AM
The file they keep killing is
C:\users\chattycathy526\appdata\local\ave.exe

How do I go about finding it on the computer?

Someone said once you find it there will be a file with 8 numbers that you need to delete.
0

Ambucias
Mar 17, 2010 at 10:21 AM
Pardon me, but who are "they" when you say the file THEY kept killing?
0
chattycathy526
Mar 17, 2010 at 10:29 AM
I am sorry,

rkill

keeps killing the same file... but it keeps coming back.

I just ran the rkill again and it killed the following files:

C:\users\chattycathy526\AppData\local\ave.exe

C:\Users\CHATTY~1\AppData\Local\Temp\is-V62UQ.tmp\InnoMonitor.exe
0
Ambucias
Mar 17, 2010 at 10:35 AM
Please stop and close RKill.

Download Process Explorer and save it on C:

http://live.sysinternals.com/procexp.exe

Run the tool and spot any unusual processes, especially those that are numeric or say pcsecurity, vista security, dr.guard, etc.

Kill the process or processes!

Do not reboot your machine as the processes will be reanimated and come back to haunt you.

Then follow the exact procedure I indicated to you for Malwarebytes.

Let me know
0
chattycathy526
Mar 17, 2010 at 11:31 AM
I downloaded the file and installed it, then it says to get updates, and then an error message comes up and I can't run this tool.

I have uninstalled and tried again and the same thing happens.
0
chattycathy526
Mar 17, 2010 at 12:20 PM
I am doing a full computer scan with The Shield Deluxe 2.

It found trojan program Packed Win32.Krap.as.

I have deleted it.

I can get onto the internet by going to my desktop and clicking on a shortcut and then clicking on home.

It is when I click on Internet Explorer that the virus comes back.
0
Ambucias
Mar 17, 2010 at 12:17 PM
Try renaming it to Explorer.exe and then run it.

If you still get the same song, try opening your Task Manager and click on the Processes tab to see if you can find the processes to terminate them.

Right-clicking on the task bar opens a context menu, which happens to have Task Manager as an option. Or open your Start menu, type "taskmgr" (no quotes) in the search bar, and press Enter. Doing so should automatically run it.
0
chattycathy526
Mar 17, 2010 at 01:00 PM
You are wonderful... I renamed it, went to the file and clicked on open homepage, and it does not come back.

What is going to happen when I turn it off and start it again?
0
Ambucias
Mar 17, 2010 at 12:30 PM
Packed Win32.Krap.as, you say!

Different story altogether. Stop everything!

Please, Cathy,

Download and install HijackThis. Request a full scan and save a log. Copy the log and post it here.

http://free.antivirus.com/hijackthis/

Paste the log and standby for further instruction.
0
Ambucias
Mar 17, 2010 at 01:16 PM
Hello Cathy,

How are you doing with the HijackThis log?

I must leave the forum in 10 minutes or so to return in about three hours. Should I receive your log within 10 minutes I should have time to guide you, otherwise I will talk to you later.
0
chattycathy526
Mar 17, 2010 at 01:26 PM
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Scan saved at 1:15:56 PM, on 3/17/2010
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v8.00 (8.00.6001.18882)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\winlogon.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\Ati2evxx.exe
C:\Windows\system32\Hpservice.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\WLANExt.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\aestsrv.exe
C:\Windows\system32\agrsmsvc.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Windows\SMINST\BLService.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\WUDFHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\System32\mobsync.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Program Files\IDT\WDM\sttray.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Windows Sidebar\sidebar.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Windows\ehome\ehtray.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Program Files\Java\jre6\bin\javaw.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Hewlett-Packard\HP wireless Assistant\WiFiMsg.EXE
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
C:\Windows\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Windows\system32\msiexec.exe
C:\Windows\system32\vssvc.exe
C:\Windows\System32\svchost.exe
C:\Program Files\TrendMicro\HiJackThis\HiJackThis.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.aol.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://safesearch.cyberdefender.com/smallsearch.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.earthlink.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = https://www.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = https://www.bing.com/?toHttps=1&redig=53EEB45F21EA47F2B95DF58497B5E6B6
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = https://www.aol.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://start.earthlink.net/AL/Search
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\chattycathy526\AppData\LocalLow\CyberDefender\cdmyidd.dll
O1 - Hosts: ::1 localhost
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink\Toolbar\EScamBlk.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - (no file)
O2 - BHO: Browser Defender BHO - {2A0F3D1B-0909-4FF4-B272-609CCE6054E7} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink\Toolbar\ElnkPub.dll
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink\Toolbar\ProtctIE.dll
O2 - BHO: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\chattycathy526\AppData\LocalLow\CyberDefender\cdmyidd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.5.4723.1820\swg.dll
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink\Toolbar\uninsttb.dll
O2 - BHO: HP Smart BHO Class - {FFFFFFFF-CF4E-4F2B-BDC2-0E72E116A856} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O3 - Toolbar: MyIdentityDefender - {A26503FE-B3B8-4910-A9DC-9CBD25C6B8D6} - C:\Users\chattycathy526\AppData\LocalLow\CyberDefender\cdmyidd.dll
O3 - Toolbar: MP3 Rocket Toolbar - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink\Toolbar\Toolbar.dll
O3 - Toolbar: PC Tools Browser Guard - {472734EA-242A-422B-ADF8-83D1E48CC825} - C:\Program Files\Spyware Doctor\BDT\PCTBrowserDefender.dll
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\2.0"
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [QlbCtrl.exe] C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [hpqSRMon] C:\Program Files\HP\Digital Imaging\bin\hpqSRMon.exe
O4 - HKLM\..\Run: [HP Health Check Scheduler] c:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKLM\..\Run: [SysTrayApp] %ProgramFiles%\IDT\WDM\sttray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [Sidebar] C:\Program Files\Windows Sidebar\sidebar.exe /autoRun
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [DW6] "C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe"
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: MP3 Rocket (Minimized).lnk = C:\Program Files\MP3 Rocket\MP3Rocket.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink\Toolbar\SearchUI.dll/search.html
O8 - Extra context menu item: Google Sidewiki... - res://C:\Program Files\Google\Google Toolbar\Component\GoogleToolbarDynamic_mui_en_96D6FF0C6D236BF8.dll/cmsidewiki.html
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\scieplugin.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: HP Smart Select - {DDE87865-83C5-48c4-8357-2F5B1AA84522} - C:\Program Files\HP\Digital Imaging\Smart Web Printing\hpswp_BHO.dll
O13 - Gopher Prefix:
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos1.walmart.com/WalmartActivia.cab
O16 - DPF: {6F15128C-E66A-490C-B848-5000B5ABEEAC} (HP Download Manager) - https://h20436.www2.hp.com/ediags/dex/secure/HPDEXAXO.cab
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/2009.07.28_v5.5.8.1/FacebookPhotoUploader55.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{00B599EE-5D2E-4662-84FF-7BC7D73855F8}: NameServer = 93.188.164.221,93.188.161.89
O17 - HKLM\System\CCS\Services\Tcpip\..\{7EA7CDFF-1CA4-4631-9D69-172807566E9B}: NameServer = 93.188.164.221,93.188.161.89
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 93.188.164.221,93.188.161.89
O17 - HKLM\System\CS1\Services\Tcpip\..\{00B599EE-5D2E-4662-84FF-7BC7D73855F8}: NameServer = 93.188.164.221,93.188.161.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.221,93.188.161.89
O20 - AppInit_DLLs: C:\PROGRA~1\PCSECU~1\THESHI~1\r3hook.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll
O23 - Service: Andrea ST Filters Service (AESTFilters) - Andrea Electronics Corporation - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_f691e717\aestsrv.exe
O23 - Service: Agere Modem Call Progress Audio (AgereModemAudio) - Agere Systems - C:\Windows\system32\agrsmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati External Event Utility - ATI Technologies Inc. - C:\Windows\system32\Ati2evxx.exe
O23 - Service: The Shield Deluxe 2008 (AVP) - PCSecurityShield - C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Browser Defender Update Service - Unknown owner - C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
O23 - Service: Com4QLBEx - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4QLBEx.exe
O23 - Service: GameConsoleService - WildTangent, Inc. - C:\Program Files\HP Games\My HP Game Console\GameConsoleService.exe
O23 - Service: gupdate1ca1f9a5960b880 - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: HP Service (hpsrv) - Hewlett-Packard Corporation - C:\Windows\system32\Hpservice.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Recovery Service for Windows - Unknown owner - C:\Windows\SMINST\BLService.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Audio Service (STacSV) - IDT, Inc. - C:\Windows\System32\DriverStore\FileRepository\stwrt.inf_a7e996cd\STacSV.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
0
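As an added example (it is not part of the thread and not a feature of HijackThis or any other tool mentioned here), the following Python script triages a log in the HijackThis format posted above. It pulls out the Rn/On indicator lines and flags the things a responder checks first: registrations whose file is missing ("(no file)"), O4 autoruns that start a binary from a user-writable profile or temp path (where the poster's ave.exe lived), O17 NameServer entries pointing at resolvers outside an expected allowlist, and any O20 AppInit_DLLs entry for vendor confirmation. The sample log is a constructed excerpt of the posted one plus one constructed [ave] O4 line built from the path quoted earlier in the thread; EXPECTED_DNS is a placeholder allowlist, and the severity labels are this script's own convention.

```python
"""Triage a HijackThis-style log for the indicators a responder checks first:
orphaned hooks/BHOs, autoruns from user-writable paths, unexpected DNS servers
(O17) and AppInit_DLLs (O20) injections."""
import re
from ipaddress import ip_address

# Constructed excerpt in the format of the log posted in the thread: a few of the
# posted R3/O2/O4/O17/O20 lines, plus ONE constructed O4 line (the [ave] entry)
# built from the ave.exe path the poster reported; it is not in the real log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.3 (BETA)
Running processes:
C:\Windows\System32\smss.exe

R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll
O4 - HKLM\..\Run: [AVP] "C:\Program Files\PCSecurityShield\The Shield Deluxe 2008\avp.exe"
O4 - HKCU\..\Run: [ave] C:\users\chattycathy526\appdata\local\ave.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{00B599EE-5D2E-4662-84FF-7BC7D73855F8}: NameServer = 93.188.164.221,93.188.161.89
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 93.188.164.221,93.188.161.89
O20 - AppInit_DLLs: C:\PROGRA~1\PCSECU~1\THESHI~1\r3hook.dll
"""

# Assumed allowlist: the resolver(s) this machine is supposed to use (placeholder
# router address; a responder substitutes the ISP's or corporate DNS here).
EXPECTED_DNS = ("192.168.1.1",)

ENTRY_RE = re.compile(r"^(?P<section>[RFON]\d{1,2}) - (?P<body>.*)$")
NAMESERVER_RE = re.compile(r"NameServer\s*=\s*([0-9.,\s]+)$")
# Profile and temp locations a standard user can write to (where ave.exe lived).
USER_WRITABLE_RE = re.compile(
    r"\\(users|documents and settings)\\[^\\]+\\(appdata|local settings)\\|\\temp\\",
    re.IGNORECASE,
)


def parse_hjt(text):
    """Return (section, body) pairs for the Rn/On/Fn indicator lines, skipping
    the header and the 'Running processes' path list."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def _ip_or_none(text):
    try:
        return ip_address(text)
    except ValueError:
        return None


def triage(entries, expected_dns=EXPECTED_DNS):
    """Apply the four checks; return findings as (severity, section, reason, body)."""
    expected = {ip_address(s) for s in expected_dns}
    findings = []
    for section, body in entries:
        if body.endswith("(no file)"):
            findings.append(("low", section,
                             "orphaned registration: the registered file no longer exists", body))
        if section == "O4" and USER_WRITABLE_RE.search(body):
            findings.append(("high", section,
                             "autorun starts a binary from a user-writable profile/temp path", body))
        if section == "O17":
            m = NAMESERVER_RE.search(body)
            if m:
                servers = [s.strip() for s in m.group(1).split(",") if s.strip()]
                rogue = [s for s in servers if _ip_or_none(s) not in expected]
                if rogue:
                    findings.append(("high", section,
                                     "DNS servers outside the expected set: " + ", ".join(rogue), body))
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(("review", section,
                             "AppInit_DLLs injects this DLL into every user32 process; confirm the vendor", body))
    return findings


def count_by_severity(findings):
    """Tally findings per severity so the high ones can be handled first."""
    tally = {}
    for severity, *_ in findings:
        tally[severity] = tally.get(severity, 0) + 1
    return tally


if __name__ == "__main__":
    results = triage(parse_hjt(SAMPLE_LOG))
    for severity, section, reason, body in sorted(results, key=lambda f: f[0] != "high"):
        print(f"[{severity:6}] {section}: {reason}\n          {body}")
    print(count_by_severity(results))
```

On the constructed excerpt the script reports two "low" orphaned entries, three "high" findings (the constructed [ave] autorun and both O17 lines, because their resolvers are not in the placeholder allowlist) and one "review" item for the AppInit_DLLs hook, which in this log belongs to the installed antivirus. Adding the two 93.188.x.x addresses to `expected_dns` clears the O17 findings, which is the point of the allowlist: the check reports a deviation from what the machine should be using, not a verdict on the addresses themselves.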
Ambucias
Mar 17, 2010 at 01:48 PM
Hello Cathy

Thank you for the log and also for the info on the Pack Win virus. Incidentally, it is not a rogue security virus, just a plain trojan.

Your processes are okay and clean.

Please run HijackThis again and just request a scan, no log.

When the scan has ended, check the following items:

R3 - URLSearchHook: UrlSearchHook Class - {00000000-6E41-4FD3-8538-502F5495E5FC} - C:\Program Files\Ask.com\GenericAskToolbar.dll
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (NOT CRITICAL BUT A SECURITY RISK)
O2 - BHO: Ask Toolbar BHO - {D4027C7F-154A-4066-A1AD-4243D8127440} - C:\Program Files\Ask.com\GenericAskToolbar.dll

Then please click on Fix Checked.

Close HijackThis.

Download Malwarebytes to your desktop.

https://ccm.net/downloads/security-and-maintenance/4621-malwarebytes-anti-malware/

Once on your desktop, we must still outwit the virus.

Right click on the MBAM icon and click on rename. Rename it Explorer.exe.

Install Malwarebytes and launch it. From the second tab, update it.

Pretty please, request a FULL system scan, which should take more than an hour. Once the scan is finished, delete all of the items that were found.

Once your computer is clean and working normally, just to be on the safe side:
• Turn off system restore and wait 30 seconds,
• Turn it back on and create a new restore point.

This way it gets rid of anything bad that might have gotten saved in a restore point and you have a clean restore point to use in the near future if needed.
Do not turn it off until your computer is clean and working normally because you might need to use it if something goes wrong during the clean-up process.

To disable system restore and create a new restore point, here are two links with some pictures:

https://www.howtogeek.com/howto/windows-vista/disable-system-restore-in-windows-vista/

https://www.howtogeek.com/howto/windows-vista/create-a-restore-point-for-windows-vistas-system-restore/

Please let me know how you did. From here on, I think we can cry victory.

Jules
0
chattycathy526
Mar 17, 2010 at 03:11 PM
When I do the HijackThis log... the C: files do not come up, so I can't check them.
0
chattycathy526
Mar 17, 2010 at 04:21 PM
Every time I try to update Malwarebytes I get an error message. Do I do a scan without the update?
0
Ambucias
Mar 17, 2010 at 04:52 PM
Dear Cathy,

When you run HijackThis, do not request a log, just the scan, and you will see the check boxes.

Because of the virus, Malwarebytes may have been corrupted. Download a fresh copy and ensure you rename it to Explorer.exe.

See you later alligator
0
Ambucias
Mar 17, 2010 at 06:26 PM
Hello Cathy,

How did you do?

7:30 PM here and logging off.

Talk to you tomorrow.
0
chattycathy526
Mar 17, 2010 at 07:25 PM
I downloaded a new Malwarebytes but still could not update.
I am now doing a scan with StopZilla and so far it has found two trojans, a hijacker and a rogue... it is 58% complete at this point.
Does this program work ok?

This StopZilla was the only one for which I could get current updates and then a scan.
0
chattycathy526
Mar 17, 2010 at 10:41 PM
Bad news... did a scan with StopZilla. It found a lot of infected files. I deleted them. Then it asked me to reboot... I did... Tried to get on the internet... computer is still hijacked with Vista Security Tool. Also, the computer is running really slow... took forever to reboot.

I am ready to pull my hair out... what is going on?
0
Ambucias
Mar 18, 2010 at 05:06 AM
Cathy

Pretty please, did you remove the items I listed on HijackThis? This is the heart of the procedure. Then, even if you removed the HijackThis items and can't update Malwarebytes, please run it. Of course, StopZilla will not help.
Please confirm that you have removed the items from HijackThis. Thank you.
0
Ambucias
Mar 18, 2010 at 06:49 AM
Great! I hope they have not returned, since you probably rebooted yesterday.

Now, if you have renamed Malwarebytes to Explorer.exe, try to update Malwarebytes; if it does not update, never mind and run it while you are off the Internet.

In the process you may be asked to reboot your machine. You can safely do so and the scan will continue.
0
chattycathy526
Mar 18, 2010 at 06:55 AM
I just deleted the Malwarebytes that would not update and downloaded another; it just automatically updated. I saved the setup to the desktop, renamed it Explorer.exe and then installed it... it is now doing a complete scan.
0
chattycathy526
Mar 18, 2010 at 06:57 AM
I did check those items I deleted from HijackThis and they have not returned.
0
Ambucias
Mar 18, 2010 at 07:02 AM
Wonderful!

Already you should see some improvement. Please go ahead with Malwarebytes as indicated above.

I am impatient to see the results.
0
chattycathy526
Mar 18, 2010 at 07:16 AM
Stopzilla did find many files with rogue, trojan and hijacker....I did remove them.
I am beginning to wonder if I will ever get rid of this virus....obviously I am talking to you from my work computer. Why does this Malwarebytes do the trick?
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,251
Mar 18, 2010 at 07:22 AM
Because it is a deep clean tool which goes right down into the system volume information and it detects everything.

It is recommended by all the experts on this forum including those on the other versions of Kioskea (French, German, Spanish, etc.)

Just curious, what city are you working in?

Anyway, hope to hear from you when you return to your personal desktop.
0
chattycathy526
Mar 18, 2010 at 07:27 AM
I am in Houston, TX....where are you?
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,251
Mar 18, 2010 at 07:40 AM
Way up north, across the border, 30 miles north of Three Rivers (between Montreal and Quebec City) a city called Shawinigan, Quebec, Canada.
0
chattycathy526
Mar 18, 2010 at 08:08 AM
I love Canada!! Scan has been going 1 hour 15 minutes....at this point it has not found anything....still scanning
0
chattycathy526
Mar 18, 2010 at 08:23 AM
What happens if Malwarebytes does not find anything?
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,251
Mar 18, 2010 at 10:42 AM
I doubt very much that Malwarebytes will not find anything. But, since you asked, I have, in a locked cabinet, a secret potion which is sure to safely put the virus to sleep forever.
0
chattycathy526
Mar 18, 2010 at 10:52 AM
It found nine and I have removed them and now it wants me to reboot. However, I have to go meet with customers and won't be back until around 5:00pm central time. I will reboot it then....
Any other instructions? You are the most patient person I have ever seen! Thanks for all you are doing to help me.

Cathy
0
chattycathy526
Mar 18, 2010 at 05:47 PM
Hi
I have now rebooted.....should I try to browse the internet? That is always when the virus comes back.
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,251
Mar 18, 2010 at 11:06 AM
No more instruction until you have finished rebooting and finished the scan.
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,251
Mar 19, 2010 at 05:22 AM
Hello Cathy,

First, please do the system restore as indicated above.

Then, be daring and brave: browse to your heart's content.

Let me know how well your system works.

Regards

P.S. Your accent is charming.
0
chattycathy526
Mar 19, 2010 at 07:49 AM
Well, I have completed everything and it is working.....however, it is very SLOW. Also, did you say to uninstall the Malwarebytes now? Why has the computer become so slow?
I sure appreciate all of your help..."ya'll" are great!!
0
Ambucias Posts 47359 Registration date Monday February 1, 2010 Status Moderator Last seen September 1, 2021 11,251
Mar 19, 2010 at 08:16 AM
Hello Cathy,

Well, at least we got the thing working and sent the Trojan Horse to the glue factory.

Slow you say, now we are fighting ninja turtles.

When you say slow, I assume that is while you are surfing; if so, I suspect the presence of spyware which is attempting to hijack your browser. You may be able to see it in a HijackThis log in the form of a "BHO no name no file".

Now let's get down to business.

Please download Spybot Search and Destroy. During the installation process, you will be given the choice of components to install. Uncheck "Tea Timer" as I find it to be a nuisance.

Once installed, scan your system. After the scan, delete the items marked in red, but before you do let me know which ones were found.

You will be able to get Spybot through this link:

https://ccm.net/downloads/security-and-maintenance/4561-spybot-search-destroy/

Finally, you may have some applications that start at boot time which run in the background and consume your resources. Usually these applications do not need to start at boot time.

You can download and run this small tool called StartupLite, which will guide you; just follow the prompts.

https://www.malwarebytes.com/mwb-download/

Finally, if you wish to check your system's intrusion safety (firewall and all) while you are surfing, you can give it the following test.

http://www.pcflank.com/pcflankleaktest.htm

Am I giving too much info at a time?

Catch you later alligator...
0
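The reply above points at a "BHO no name no file" line in a HijackThis log as the tell-tale of a browser hijacker. The script below is an added example (not from this thread, nor from HijackThis or Malwarebytes) that parses the O2 (Browser Helper Object) lines of such a log and flags entries with a missing name or a missing file. The log lines are constructed samples in the usual HijackThis O2 layout (`O2 - BHO: name - {CLSID} - path`); the CLSIDs and paths are placeholders, not real identifiers.

```python
import re

# Constructed sample log in HijackThis style. The CLSIDs and file paths are
# placeholders made up for this example, not values from the thread.
SAMPLE_LOG = """\
O2 - BHO: Example PDF Link Helper - {11111111-1111-1111-1111-111111111111} - C:\\Program Files\\Example\\PdfHelper.dll
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: Example Java Helper - {22222222-2222-2222-2222-222222222222} - C:\\Program Files\\Example\\jp2ssv.dll
O4 - HKLM\\..\\Run: [Example Launcher] "C:\\Program Files\\Example\\launcher.exe"
O2 - BHO: (no name) - {33333333-3333-3333-3333-333333333333} - C:\\Users\\cathy\\AppData\\Local\\Temp\\xyz.dll
"""

# One O2 line: "O2 - BHO: <name> - {<clsid>} - <path or (no file)>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"
)


def parse_bho_entries(log_text):
    """Return every O2 line as a dict with name, clsid and path.

    Lines of other HijackThis sections (O4 startup entries etc.) are ignored.
    """
    entries = []
    for line in log_text.splitlines():
        match = BHO_RE.match(line.strip())
        if match:
            entries.append(match.groupdict())
    return entries


def suspicious_bhos(log_text):
    """Flag BHO entries that have no display name and/or no backing file.

    A legitimate helper object normally registers a name and points at a
    DLL that exists on disk; an entry that shows "(no name)" or "(no file)"
    is the pattern the forum reply describes and deserves a closer look.
    """
    flagged = []
    for entry in parse_bho_entries(log_text):
        reasons = []
        if entry["name"] == "(no name)":
            reasons.append("no name")
        if entry["path"] == "(no file)":
            reasons.append("no file")
        if reasons:
            flagged.append({**entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in suspicious_bhos(SAMPLE_LOG):
        print(f"{hit['clsid']} {hit['path']}  <- {', '.join(hit['reasons'])}")
```

Run against a real HijackThis log saved as text, the script lists only the O2 entries worth asking about in a thread like this one; an entry flagged for both reasons is the "BHO no name no file" case, while one flagged only for "no name" still has a DLL on disk whose location (a Temp folder in the sample) tells you where to look next.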
chattycathy526
Mar 19, 2010 at 09:01 AM
Not at all....I am now doing the spybot scan....I will let you know what it finds
0
chattycathy526
Mar 19, 2010 at 10:11 AM
Here is what Spybot found:
DoubleClick = 1 entries Browser
FastClick = 1 entries Browser
MediaPlex = 2 entries Browser
RightMedia = 1 entries Browser
Statcounter = 1 entries Browser
0
Hi,

I'm sorry for hijacking your board, but I've been trying to follow your instructions to get rid of this annoying spyware. I too started off with rkill and then Malwarebytes and it hasn't worked. Now I've been trying to continue with your advice, but when I try to download Process Explorer to my C drive it says I don't have the authority to do that. Now I'm stuck and I really don't know what to do!!!

Again, sorry for the interruption.

Tash
0
chattycathy526
Mar 19, 2010 at 10:41 AM
Hey Tash
We are here to help each other....this is not an interruption but friends helping friends.
0
Thanks Cathy, I'm just stressing out so much cos I've got an exam on Monday and need my notes and the internet to revise and I can't use them!!!!
0