fake "windows security center" virus; won't allow me to run any programs

[jim0watkins]

Hello,   I have a virus on my personal emachines computer (Windows XP, Service Pack 2), which won't let me use any programs.  I disconnected that computer from the internet so that other computers in my home won't be affected (I don't know if that actually works), and went through the guide provided by this website.

Step A:  I use McAfee, which reports that it may be out of date (although this might be the virus talking).  I am unable to uninstall McAfee since I can't access it or the "add/remove software" function.

Step B:  I use the McAfee's firewall.  I don't know if this is sufficient (should I have had another program for firewall?).  I face the same problem since I can't uninstall McAfee.  Also I have the multiple-computer deal with McAfee, so even if i could install it, I'm not sure it would be a great idea.

Step 1:  N/A.  I can't add or remove programs.

Step 2:  I installed CCleaner, but I couldn't open it once it was installed.

Step 3:  I couldn't install SuperAntiSpyware.

Step 4:  I installed MalwareBytes, but I can't run it.

Step 5:  my Java is always updated since I need it to run BlackboardLearningSystem (my school's information system).

Step 6:  I can't install HijackThis.

And that's all there is to it for now.  I saw the other threads that were similar to mine, but I am heeding your advice about starting my own thread before doing anything rash.   Any help is greatly appreciated.         Jim

[dwf4646]

Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster Jay

[Dr Jay]

RKill by Grinler
Link #1
Link #2
Link #3

• Download Link #1.
  
• Save it to your Desktop.
  
• Double click the RKill desktop icon.
  If you are using Vista please right click and run as Admin!
  
• A black screen will briefly flash indicating a successful run.
• If this does not occur please delete that application and download Link #2.
  
• Continue process until the tool runs.
• If the tool does not run from any of the links tell me about it.

This only kills the active infection, the actual infection will not be gone.

==============

Please visit this webpage for a tutorial on downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

See the area: Using ComboFix, and when done, post the log back here.

[jim0watkins]

Hi,  and thanks for your help.   I downloaded all three rkill applications, and none of them worked.  Every time I try to run one, I get the damned "Application could not be executed.  The file rkill.xxx is infected."  What should I do?

[dwf4646]

Hello, your comment has been removed. Please do not post malware advice, or post here in the malware forum, unless you need help. ~ DragonMaster Jay

[jim0watkins]

actually your way doesn't work... so how about you start being respectful and let the actual specialist handle the problem... thanks

[Dr Jay]

Try either one of these links to see if it will run.

http://download.bleepingcomputer.com/grinler/iExplore.exe

http://download.bleepingcomputer.com/grinler/eXplorer.exe

[jim0watkins]

For the first one, iExplorer, I got a message saying "An unknown error occured.  The program will be terminated".  And the second one gave me the same message, followed by the usual "File cannot be executed.  The file explorer.exe is infected".  This one's pretty tough huh?

[Dr Jay]

Yeah, but no biggie.

Look in the Task Manager and find a process called "av.exe" or "ave.exe"

Once you find it, right click on it, and click End Process.

=========

Then, try to run ComboFix again.

If you cannot find AV or AVE, then let me know.

[jim0watkins]

When I try to download combofix from the link you gave me at bleepingcomputer.com, a trojan called "Artemis" comes with it (although my laptop's mcafee seems to stop it).  Should I download it anyways?  Or is there a way to avoid that?

[jim0watkins]

OK.  Some big changes have happened.  When I booted my computer, Mcafee virus scan started on its own (I couldn't get it to start before).  Then I opened the task manager but couldn't find av.exe or ave.exe (there were 10 svchost.exe however).  Then I tried to open rkill and it worked, this is what it gave me:

This log file is located at C:\rkill.log.
Please post this only if requested to by the person helping you.
Otherwise you can close this log when you wish.
Ran as Owner on 26/04/2010 at 9:12:52.

Processes terminated by Rkill or while it was running:

C:\Documents and Settings\Owner\Desktop\rkill.scr

Rkill completed on 26\04\2010 at 9:13:00.

I'm not sure what that means, but it seems that I'm now able to open programs.  I'm thinking that I can go back to the original steps and start CCleaner?  What do you think?

[Dr Jay]

McAfee has a lot of fake detections with their new "artemis" engine. Don't worry.

Please reboot to Safe Mode with Networking (tap the F8 key just before Windows starts to load and select the Safe Mode with Networking option from the menu).

Then, try for ComboFix again.

[jim0watkins]

Hi,   nothing happens when I press F8.  The only menu I can get is with F10 which is just the boot menu.

[Dr Jay]

What does the boot menu show?

[jim0watkins]

it shows:

Hard Disk
   -Ch1 M.       :  ST3200827A
   -USB-HDD0 :   WD  2500BEV  E  (my external hard drive)
CDROM
   -CH2 M.       :   TSSTcorpCD/DVDW  T
Network
   -Onboard Lan Device

... and that's all.