
Security Tool virus


13 replies to this topic

#1 melissa76961

melissa76961

  • Members
  • 8 posts
  • OFFLINE
  •  
  • Local time:03:20 PM

Posted 02 October 2009 - 11:02 AM

Several weeks ago I got and removed the Total Security 2009 virus. Now my computer is acting crazy and I noticed a new icon 'Security Tool' on my desktop. I tried to run my Malware program and it wouldn't let me run it. I can't even restart my computer to run it in the safe mode. What should I do? Please make your instructions easy to understand since I am not a big computer person. Thank you.



#2 Computer Pro

Computer Pro

  • Members
  • 2,448 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:20 PM

Posted 02 October 2009 - 02:16 PM

Hello and welcome to Bleeping Computer.

Please subscribe to your topic so that you will be notified as soon as I post a reply, instead of you having to check the topic all of the time. This will allow you to get an email notification when I reply.

To subscribe, go to your topic, and at the top right-hand corner by your first post, click the Options button and then click Track this topic. Then bullet the immediate notification bubble. Then press submit.


Let's take a look with Malwarebytes

Please download Malwarebytes' Anti-Malware from here:
Malwarebytes
Please rename the file BEFORE downloading to zztoy.exe instead of mbam-setup.exe

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (i.e. Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Double Click zztoy.exe to install the application.
* Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select "Perform Full Scan", then click Scan.
* The scan may take some time to finish, so please be patient.
* When the scan is complete, click OK, then Show Results to view the results.
* Make sure that everything is checked, and click Remove Selected.
* When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
* The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
* Copy and paste the entire MBAM report (even if it does not find anything) in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.


If Malwarebytes won't install or run

Some types of malware will disable MBAM and other security tools. If MBAM will not install, try renaming it. Right-click on the mbam-setup.exe file and change the .exe extension to .bat, .com, .pif, or .scr and then double-click on it to run.

If after installation, MBAM will not run, open the Malwarebytes' Anti-Malware folder in Program Files, right-click on mbam.exe and change the .exe as noted above. Then double-click on it to run.
Computer Pro

#3 melissa76961


Posted 02 October 2009 - 05:20 PM

I tried to download the malwarebytes program that you told me to try. When I did...I couldn't proceed anywhere with it because my computer screen is only showing a blue screen. I can't see the icon on my desktop to click on it. I also wasn't given the option upon downloading it to rename it. What should I do?

#4 melissa76961


Posted 02 October 2009 - 08:45 PM

I have the icons on my desktop now but not my wallpaper...just a blue screen. When I try to run Malwarebytes it gives me the following error message : C:\Program Files\Malwarebytes'Anti-Malware\mbam.exe and says Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item.

I have tried running this in safe mode as well and it does the same thing.
Any idea what I should do?

#5 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,756 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:04:20 PM

Posted 02 October 2009 - 09:37 PM

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents (starting with Running from... to Finished!) in your next reply.
Then go to Start > Run..., and copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.

-- Vista users can refer to these instructions to open a command prompt.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#6 melissa76961


Posted 05 October 2009 - 08:59 AM

I tried to run the win32diag program after downloading it but it only gave me a blank black page. Any other ideas?

#7 quietman7


Posted 05 October 2009 - 09:46 AM

Did you try the Run command "cmd"?

Alternatively, you can download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

#8 melissa76961


Posted 05 October 2009 - 03:21 PM

Yes, I did the run command cmd and it gave me some information. But didn't post it because the first part didn't work. Is it safe to post the information that I get after running that program on this site that everyone can see?

#9 melissa76961


Posted 05 October 2009 - 03:22 PM

Correction.....But I didn't post it because the other program didn't run.

#10 quietman7


Posted 06 October 2009 - 08:12 AM

"Is it safe to post the information that I get after running that program on this site that everyone can see?"

I would not have asked you to post that information if it were not safe.

"Correction.....But I didn't post it because the other program didn't run."

Please clarify...what other program did not run?

Did you try Peek.bat?

#11 melissa76961


Posted 06 October 2009 - 09:32 AM

I couldn't run the win32diag.exe or the peek.bat. It was like it wouldn't let me download it to my computer or something. I did manage to type in the cmd at the run command and got the following:

Volume in drive C has no label.
Volume Serial Number is D89C-F61B

Directory of C:\WINDOWS\$NtUninstallKB968389$

08/10/2004 07:00 AM 407,040 netlogon.dll
1 File(s) 407,040 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

04/13/2008 07:12 PM 181,248 scecli.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

04/13/2008 07:12 PM 407,040 netlogon.dll

Directory of C:\WINDOWS\SoftwareDistribution\Download\9866fb57abdc0ea2f5d4e132d055ba4e

04/13/2008 07:11 PM 56,320 eventlog.dll
3 File(s) 644,608 bytes

Directory of C:\WINDOWS\system32

08/10/2004 07:00 AM 180,224 scecli.dll

Directory of C:\WINDOWS\system32

02/06/2009 01:46 PM 408,064 netlogon.dll

Directory of C:\WINDOWS\system32



Does any of that mean anything to you?
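
An added example, not part of any post in this thread: one way to tabulate the Log.txt that the `DIR /a/s` command above produces, reporting for each of the three DLLs whether a system32 copy is listed and how its size compares with other copies on disk. The sample log is constructed, and the function names and result strings are assumptions; a size difference alone is not a finding, since updated versions of a file differ in size.

```python
import re

# Constructed sample in the layout of the Log.txt pasted above (not the poster's data).
SAMPLE_LOG = r"""
 Directory of C:\WINDOWS\ServicePackFiles\i386

04/13/2008  07:12 PM           181,248 scecli.dll
04/13/2008  07:11 PM            56,320 eventlog.dll
               2 File(s)        237,568 bytes

 Directory of C:\WINDOWS\system32
08/10/2004  07:00 AM           181,248 scecli.dll

 Directory of C:\WINDOWS\system32
02/06/2009  01:46 PM           408,064 netlogon.dll

 Directory of C:\WINDOWS\system32
"""

WANTED = ("scecli.dll", "netlogon.dll", "eventlog.dll")
DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$", re.I)
FILE_RE = re.compile(r"^\s*(\d\d/\d\d/\d{4})\s+\d\d?:\d\d [AP]M\s+([\d,]+)\s+(\S+)\s*$")

def parse_dir_log(text):
    """Map lower-cased file name -> list of (directory, size, date) from DIR /s output."""
    found, current = {}, None
    for line in text.splitlines():
        if m := DIR_RE.match(line):
            current = m.group(1)      # header applies to the file lines that follow it
        elif (m := FILE_RE.match(line)) and current:
            date, size, name = m.groups()
            found.setdefault(name.lower(), []).append(
                (current, int(size.replace(",", "")), date))
    return found

def triage(found, system_dir=r"C:\WINDOWS\system32"):
    """Summarise, per requested file, what the log says about the system32 copy."""
    report = {}
    for name in WANTED:
        copies = found.get(name, [])
        live = [c[1] for c in copies if c[0].lower() == system_dir.lower()]
        other = {c[1] for c in copies if c[0].lower() != system_dir.lower()}
        if not live:
            report[name] = "no system32 entry in log"
        elif not other:
            report[name] = "only the system32 copy is listed"
        elif live[0] in other:
            report[name] = "size matches another copy"
        else:
            report[name] = "size differs from other copies"
    return report
```
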

#12 quietman7


Posted 06 October 2009 - 10:15 AM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other rootkits can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

Start a new topic and post your DDS log along with the Log.txt report in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If DDS will not run, then just post the results of Log.txt. Be sure to include a note that you tried to follow the Prep Guide but were unable to get DDS to run.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.

#13 melissa76961


Posted 06 October 2009 - 12:05 PM

Ok. Thank you very much for all your help.

#14 quietman7


Posted 07 October 2009 - 07:31 AM

Not a problem and good luck.



