Security Tools Virus - Malwarebytes will not install in Safe Mode

Hi. I'm having a problem installing Malwarebytes in Safe Mode after being infected with the Security Tools Virus. I read through the tutorial on how to remove the virus but I can't get Malwarebytes to install to begin the process. After I download the program and try the installation, it gives me a message that mbam.exe cannot be found. When I look in the Malwarebytes folder, it appears that no mbam.exe file was ever created. I see a post regarding rootkit removal in a similar thread by boopme but I can't see all of the instructions due to red x's on steps 3, 4, 5, 6 & 10. Any help would be appreciated.

Thanks

Hello,please insta;l and run Malwarebytes from normal mode.

1. Uninstall Malwarebytes' Anti-Malware using Add/Remove programs in the control panel.
2. Restart your computer (very important).
3. Download and run this utility. Mbam clean
4. It will ask to restart your computer (please allow it to).
5. After the computer restarts, install the latest version from here. http://www.malwarebytes.org/mbam-download.php
Note: You will need to reactivate the program using the license you were sent.
Note: If using Free version, ignore the part about putting in your license key and activating.
Launch the program and set the Protection and Registration.
Then go to the UPDATE tab if not done during installation and check for updates.
Restart the computer again and verify that MBAM is in the task tray and run a Quick Scan and post that log.

Some types of malware will disable MBAM (MalwareBytes) and other security tools. If MBAM will not install, try renaming it.

Before saving any of your security programs, rename them first. For example, before you save Malwarebytes', rename it to something like MBblah.exe and then click on Save and save it to your desktop. Same thing after you install it. Before running it, rename the main executable file first
***
Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run..

I tried to restart in normal mode and run Mbam Clean but the virus won't let it run. While in normal mode, i can no longer see my desktop (the screen is black) and I get constant pop-ups from the task tray. I tried to run it anyway but the program gets killed right after I click on it. I tried to run it in Safe Mode but I get the following error: SHGetValue Failed with Error Code 0. Is there anything else that I can do from Safe Mode to try and get Malwarebytes installed?

Thanks

1. Shut your computer down completely then restart

2. As soon as it comes back up to the desktop get the task manager up. (make sure you do it before everything starts loading.)

3. Let the computer load regularly and and everything will come up. (including security tool.)

4. Go to the task manager click the tab "Processes" then look for a process that is just a string of numbers.(It was 70843325.exe for me but maybe its different for everyone) *WRITE THE NUMBER DOWN*

5. Right click the process and tell it to "End Process Tree"

This will shutdown the security tool program down.

6. Then you can go into the C drive and find the security tool folder C:\Documents and Settings\All Users\Application Data (if you can't see the file "Application data" you need to enable hidden files)

*If you cant see hidden files* go to the top of the the window and click tools, go to folder options, click the view tab and under hidden files and folders click show hidden folders

7. Then you will see a folder with the same name *number you saved* as the process you just ended. Inside will be security tool. delete the whole folder.

8. Next go into search and type the *number you saved* and do a scan for all files and folders go into advance and check all system files, hidden files and sub folders. Let it scan. It should find a file, go and delete that as well.

*Now this is not a permanent fix* this will allow you to do some of the other things that much more knowledgeable people than myself on this site have posted.

Once you have done all that i posted then you can log out and go back in and your desktop will be working again and you can start with the other processes that others have posted.

go to this link to finish and make sure all the hidden files and trackers are gone

http://www.bleepingcomputer.com/forums/t/259578/total-security-2009-browser-bug/


Hope it helps.

O.K., so I was able to get the task manager up right when I restarted and kill the process of Security Tools Virus. I was then able to uninstall Malwarebytes with the Add/Remove program. I restarted again and then tried to run the Mbam Clean program but got the same error message as I stated in the previous reply (I was in Safe Mode before and Normal Mode this time). I tried to Install Maywarebytes again (I renamed the install file to inst.exe) but I got the following message:

Unable to execute file
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
CreateProcess Failed; Code 2
The system cannot find the file specified

I searched the Malwarebytes folder and again, there is no mbam.exe file.

Any ideas?

I couldn't get Malwarebytes to work either. That's why i did it the way i specified.

Have you tried all the steps i listed in the last post?

once you have finished all of them download superantispyware

DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked/Uncheck them):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.

Restart Computer load normally (not safe mode)

Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

Hi, also run ATF with SAS...
Next run ATF and SAS:
Note.. SAS doesn't open the registry hives for other user accounts on the system, so scans should be done from each user account.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account..
Download Attribune's ATF Cleaner and then SUPERAntiSpyware , Free Home Version. Save both to desktop ..
DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode(XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions,post logs and Let us know how the PC is running now.

I couldn't get Malwarebytes to work either. That's why i did it the way i specified.

Have you tried all the steps i listed in the last post?

once you have finished all of them download superantispyware

DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked/Uncheck them):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.

Restart Computer load normally (not safe mode)

Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After scan,Verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

I'm having the same problem as well. I downloaded mbam and it won't let me run it. I downloaded both atf and sas. When I try to run them, the security tool will not allow me to. A warning in the taskbar appears from Security Tool and says " SUPERAntiSpyware.exe is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using SUPERAntiSpyware.exe to connect to remote host."

How are we supposed to use these if we can't even access them?

O.K. I successfully ran ATF and SAS and got the following log from SAS:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/08/2009 at 03:42 PM

Application Version : 4.29.1002

Core Rules Database Version : 4153
Trace Rules Database Version: 2081

Scan type : Complete Scan
Total Scan Time : 01:54:23

Memory items scanned : 349
Memory threats detected : 3
Registry items scanned : 6322
Registry threats detected : 2
File items scanned : 96773
File threats detected : 12

Adware.Vundo/Variant-[Fixed]
C:\WINDOWS\SYSTEM32\NODOVEKI.DLL
C:\WINDOWS\SYSTEM32\NODOVEKI.DLL
C:\WINDOWS\SYSTEM32\JIWONUTI.DLL
C:\WINDOWS\SYSTEM32\JIWONUTI.DLL
C:\WINDOWS\SYSTEM32\GAGAVOSU.DLL
C:\WINDOWS\SYSTEM32\KIHIPAPO.DLL
C:\WINDOWS\SYSTEM32\LIBOZOWE.DLL
C:\WINDOWS\SYSTEM32\NUNAYETA.DLL
C:\WINDOWS\SYSTEM32\TOKUREPA.DLL
C:\WINDOWS\SYSTEM32\TOPAPOPE.DLL

Adware.Vundo/Variant-QHeader
C:\WINDOWS\SYSTEM32\ZAFESEVU.DLL
C:\WINDOWS\SYSTEM32\ZAFESEVU.DLL

Rogue.Agent/Gen
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#94552126
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#63792431

Adware.Vundo/Variant-Mini
C:\WINDOWS\SYSTEM32\JUNADEZI.DLL
C:\WINDOWS\SYSTEM32\TOMUZIPU.DLL

Adware.Vundo/Variant-EC
C:\WINDOWS\SYSTEM32\KIRENALO.DLL

Next we'll run Drweb-cureit,tell me how it is running after that.


Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:

• Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version
• Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
• The Express scan will automatically begin.
  (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
• If prompted to dowload the Full version Free Trial, ignore and click the X to close the window.
• If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)

• After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
• In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
• Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
• Please be patient as this scan could take a long time to complete.
• When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
• Click Select All, then choose Cure > Move incurable.
• In the top menu, click file and choose save report list.
• Save the DrWeb.csv report to your desktop.
• Exit Dr.Web Cureit when done.
• Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
• After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.cvs report)

Here's the log from DrWeb:

A0047837.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447;Trojan.Virtumod.1951;Deleted.;
A0049830.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP447;Trojan.Siggen.3283;Deleted.;
A0057326.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP451;Trojan.Siggen.3283;Deleted.;
A0057329.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP451;Trojan.Siggen.5077;Deleted.;
A0057330.dll;C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP451;Trojan.Virtumod.1955;Deleted.;

This looks good. can you run MBAM yet?
Rerun MBAM (MalwareBytes) like this:

Open MBAM in normal mode and click Update tab, select Check for Updates,when done
click Scanner tab,select Quick scan and scan (normal mode).
After scan click Remove Selected, Post new scan log and Reboot into normal mode.

Malwarebytes will still not run. No mbam.exe file is created upon setup.

We Need to check for Rootkits with RootRepeal

• Download RootRepeal from the following location and save it to your desktop.
  • Direct Download (Recommended)
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
    • Secondary Mirror
  • Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
    
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
  • Rar Mirrors - Only if you know what a RAR is and can extract it.
    
    • Primary Mirror
    • Secondary Mirror
    • Secondary Mirror
• Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
• Open on your desktop.
• Click the tab.
• Click the button.
• Check all seven boxes:
• Push Ok
• Check the box for your main system drive (Usually C:), and press Ok.
• Allow RootRepeal to run a scan of your system. This may take some time.
• Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Here's the root repeal log:

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/13 16:07
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xEE496000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF79F3000 Size: 8192 File Visible: No Signed: -
Status: -

Name: mchInjDrv.sys
Image Path: C:\WINDOWS\system32\Drivers\mchInjDrv.sys
Address: 0xF7B8E000 Size: 2560 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xBA0ED000 Size: 49152 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\hiberfil.sys
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Templates\PRESENTA.SHW
Status: Locked to the Windows API!

Path: c:\windows\system32\config\systemprofile\templates\winword2.doc
Status: Allocation size mismatch (API: 64, Raw: 4096)

Path: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Tour Windows XP.lnk
Status: Locked to the Windows API!

Path: C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Start Menu\Programs\Accessories\Entertainment\DESKTOP.INI
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "PCTCore.sys" at address 0xf734ad72

#: 047 Function Name: NtCreateProcess
Status: Hooked by "PCTCore.sys" at address 0xf732b9a6

#: 048 Function Name: NtCreateProcessEx
Status: Hooked by "PCTCore.sys" at address 0xf732bb98

#: 063 Function Name: NtDeleteKey
Status: Hooked by "PCTCore.sys" at address 0xf734b568

#: 065 Function Name: NtDeleteValueKey
Status: Hooked by "PCTCore.sys" at address 0xf734b820

#: 119 Function Name: NtOpenKey
Status: Hooked by "PCTCore.sys" at address 0xf7349a80

#: 192 Function Name: NtRenameKey
Status: Hooked by "PCTCore.sys" at address 0xf734bc8a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "PCTCore.sys" at address 0xf734b036

#: 257 Function Name: NtTerminateProcess
Status: Hooked by "PCTCore.sys" at address 0xf732b656

==EOF==