Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Infected with "Total Security", was removed but files remain?

  • Please log in to reply
2 replies to this topic

#1 Aleris


  • Members
  • 2 posts
  • Local time:10:54 AM

Posted 30 August 2009 - 06:41 AM


In short, my problem is this: I never had a serious virus issue before, until yesterday (so I haven't got much experience with all of this). I tried some things to get it removed and indeed, my computer seems to be functioning normal again, but how do I know for sure that it is gone?

In detail: while I was browsing suddenly some fake antivirus program called Total Security installed itself and avast! began giving me warning messages about files called "beep.sys", "null.sys" and "glaide32.sys", all in the Windows/system32/drivers folder and all infected with "Win32:RustNT [Rtk]". It suggested I reboot and do a boot scan, which I did. It found some stuff which I had removed, but when startup was complete the fake antivirus was still there. I used this guide to get rid of the program (http://www.bleepingcomputer.com/virus-removal/remove-total-security) by using Malwarebytes and indeed, the taskbar icon was gone and no more pop-ups. However, avast! kept warning me about a rootkit called "glaide32.sys", which I tried having removed but when I checked the drivers folder where it was located, it was still there. I tried scanning that one file with avast! and with Malwarebytes but neither program could remove it.
Then, and apparently this was a stupid thing to do but please excuse me, I had no idea and I won't try anything like it again, I ran Combofix; I just let it run and after it was done, it had removed the glaide32 file.

However, the "beep.sys" and "null.sys" files remain on my system. Are they bad?

Also, today I did another two Malwarebytes scans and it keeps finding two "Hijack.WindowsUpdates" items, even though it was supposedly clear yesterday. Does this mean there is still something spreading in my system?

I run Windows XP 32bit SP3 by the way.

Thanks very much for your help!

Edited by Aleris, 30 August 2009 - 06:47 AM.

BC AdBot (Login to Remove)


#2 Aleris

  • Topic Starter

  • Members
  • 2 posts
  • Local time:10:54 AM

Posted 31 August 2009 - 05:47 PM

Am I doing something wrong here? I'm really sorry if I am, please just point me in the right direction then.

#3 Straythe


  • Members
  • 124 posts
  • Gender:Not Telling
  • Local time:03:54 AM

Posted 31 August 2009 - 06:20 PM

Hello Aleris. You haven't done anything wrong, it's just really busy around here with so many new infections cropping up. Just keep away from Combofix for now. ;)

Please note I am not a staff member here but perhaps I can help get things started at least.

It's okay to post Malwarebytes logs here; I'd suggest posting the one from your most recent scan.

Next, taking a look with RootRepeal should be helpful in finding anything hidden. There's a guide on how to use it here (by Blade):


And subscribe to your topic so you'll get emailed as soon as someone replies. To do so, go to Options at the top right of your first post, click Track this topic, bullet "Immediate Notification" and hit Proceed.

Good luck - Straythe
***"When you surround an enemy, leave an outlet free [...] to make him believe there is a road to safety, and thus prevent his fighting with the courage of despair." Sun Tzu ***

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users