
Security tool virus hit my computer...I'm not sure if it is fixed?


  • Please log in to reply
7 replies to this topic

#1 Armie Kim

Armie Kim

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:57 PM

Posted 08 October 2009 - 06:35 PM

I was hit by the Security Tool virus about two hours ago, and I was hit with dozens of pop-ups claiming that my computer was infected. When I tried to run some programs, even "regedit", it said they were infected with a worm and wouldn't open.
I scanned with SUPERAntiSpyware and managed to catch a Trojan.Dropper and several other bugs.
But when I rebooted, I wanted to scan with Malwarebytes since it may completely eliminate the virus. But it would not open. I tried to uninstall and install again, but all it said was "error code 2" and could not "locate the file".
I just did a System Restore since I still got pop-ups, and my computer was successfully restored to an earlier time.
But I still can't open Malwarebytes....
I am also thinking that I still have traces of the Security Tool virus.

Here was the SUPERAntiSpyware scan I got:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/08/2009 at 05:50 PM

Application Version : 4.26.1006

Core Rules Database Version : 4154
Trace Rules Database Version: 2082

Scan type : Quick Scan
Total Scan Time : 00:11:59

Memory items scanned : 423
Memory threats detected : 2
Registry items scanned : 391
Registry threats detected : 1
File items scanned : 7457
File threats detected : 9

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\WEWIDILU.DLL
C:\WINDOWS\SYSTEM32\WEWIDILU.DLL
C:\WINDOWS\SYSTEM32\DERINADE.DLL

Trojan.Dropper/Gen
C:\DOCUME~1\ALLUSE~1\APPLIC~1\83599741\83599741.EXE
C:\DOCUME~1\ALLUSE~1\APPLIC~1\83599741\83599741.EXE
C:\WINDOWS\Prefetch\83599741.EXE-09A0DFD4.pf

Adware.Tracking Cookie
C:\Documents and Settings\owner\Cookies\owner@atdmt[1].txt

Rogue.Agent/Gen
HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#83599741
C:\Documents and Settings\All Users\Application Data\83599741
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\83599741\83599741.EXE
C:\DOCUMENTS AND SETTINGS\OWNER\DESKTOP\SECURITY TOOL.LNK
C:\DOCUMENTS AND SETTINGS\OWNER\START MENU\PROGRAMS\SECURITY TOOL.LNK


#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,082 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:57 PM

Posted 09 October 2009 - 07:46 AM

Some types of malware will disable Malwarebytes Anti-Malware and other security tools. If MBAM will not run, try renaming it first.
  • Open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on the mbam.exe file and rename it to wuauclt.exe.
  • Double-click on wuauclt.exe to launch the program.
If that did not work, then try renaming and changing the file extension (if Windows does not show file extensions, enable showing them first):
  • Open the Malwarebytes' Anti-Malware folder in Program Files.
  • Right-click on the wuauclt.exe file, and change the .exe extension to .scr, .com, .pif, or .bat.
  • Double-click on winlogon.scr (or whatever extension you renamed it) to launch the program.
If using Windows Vista, refer to How to Change a File Extension in Windows Vista.

If you still cannot run MBAM or complete a scan in normal mode, then try performing a Quick Scan in "safe mode".

Scanning with Malwarebytes Anti-Malware in safe or normal mode will work but removal functions are not as powerful in safe mode. MBAM is designed to be at full power when malware is running so safe mode is not necessary when using it. In fact, MBAM loses some effectiveness for detection & removal when used in safe mode because the program includes a special driver which does not work in safe mode. Further, scanning in safe mode prevents some types of malware from running so it may be missed during the detection process. Additionally, there are various types of malware infections which target the safeboot keyset so booting into safe mode is not always possible. For optimal removal, normal mode is recommended so it does not limit the abilities of MBAM but sometimes there is no alternative but to do a safe mode scan. If that is the case, after completing a safe mode scan, reboot normally and try rescanning again.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#3 Armie Kim

Armie Kim
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:57 PM

Posted 09 October 2009 - 03:59 PM

Dear quietman,

Thank you very much for responding!
Fortunately, I managed to install Malwarebytes again and it worked! It found nothing wrong, which I'm happy for.
But should I take any cautionary actions to completely get rid of Security Tool or virus traces?

I think my computer starts up slower than it had before...if that's a problem.

#4 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,082 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:57 PM

Posted 09 October 2009 - 05:35 PM

Please perform an online scan with Kaspersky Online Virus Scanner.
(Requires the free Java Runtime Environment (JRE) to be installed before scanning for malware, as ActiveX is no longer being used.)
  • Click on the ... button.
  • The program will launch and fill in the Information section on the left.
  • Read the "Requirements and Limitations", then press the ... button.
  • The program will begin downloading the latest program and definition files. It takes a while... please be patient and let it finish.
  • Once the files have been downloaded, click on the ... button.
    In the scan settings make sure the following are selected:
    • Detect malicious programs of the following categories: Viruses, Worms, Trojan Horses, Rootkits, Spyware, Adware, Dialers and other potentially dangerous programs
    • Scan compound files (doesn't apply to the File scan area): Archives, Mail databases
    By default the above items should already be checked.
    • Click the ... button if you made any changes.
  • Now under the Scan section on the left: Select My Computer.
  • The program will start and scan your system. This will run for a while, be patient... let it run. Once the scan is complete, it will display if your system has been infected.
  • Save the scan results as a Text file and save it to your desktop.
  • Copy and paste the saved scan results file in your next reply.
If your computer/browser still seems to be slow, please refer to and try some of the suggestions provided in Slow Computer/Browser? Check here first; it may not be malware.

#5 Armie Kim

Armie Kim
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:57 PM

Posted 10 October 2009 - 10:20 AM

I went to the Kaspersky link you sent me, but it said that the scanner was currently unavailable and I couldn't do a scan. I tried to download the Kaspersky Online Scanner 7, but it failed and said the key was expired.

Is there a way to get the scanner? Or should I use another one?

#6 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,082 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:57 PM

Posted 10 October 2009 - 01:07 PM

Please perform a scan with Eset Online Antivirus Scanner.
(Requires Internet Explorer to work. If given the option, choose "Quarantine" instead of delete.)
Vista users need to run Internet Explorer as Administrator. Right-click on the IE icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator from the context menu.
  • Click the green ESET Online Scanner button.
  • Read the End User License Agreement and check the box: YES, I accept the Terms of Use.
  • Click on the Start button next to it.
  • You may receive an alert on the address bar that "This site might require the following ActiveX control...Click here to install...". Click on that alert and then click Install ActiveX component.
  • A new window will appear asking "Do you want to install this software?".
  • Answer Yes to download and install the ActiveX controls that allow the scan to run.
  • Click Start.
  • Check Remove found threats and Scan potentially unwanted applications.
  • Click Scan to start. (Please be patient as the scan could take some time to complete.)
  • If offered the option to get information or buy software, just close the window.
  • When the scan has finished, a log.txt file will be created and automatically saved in the C:\Program Files\EsetOnlineScanner\ folder.
  • Click Start > Run..., then copy and paste this command into the open box: C:\Program Files\EsetOnlineScanner\log.txt
  • The scan results will open in Notepad. Copy and paste the contents of log.txt in your next reply.
Note: Some online scanners will detect existing anti-virus software and refuse to cooperate. You may have to disable the real-time protection components of your existing anti-virus and try running the scan again. If you do this, remember to turn them back on after you are finished.

Edited by quietman7, 10 October 2009 - 01:09 PM.


#7 Armie Kim

Armie Kim
  • Topic Starter

  • Members
  • 52 posts
  • OFFLINE
  •  
  • Local time:02:57 PM

Posted 11 October 2009 - 11:06 AM

The scanner did catch something, alright. Here it is:

C:\System Volume Information\_restore{85AC6508-4643-4FD7-BA09-A2615F0A9811}\RP123\A0032463.exe a variant of Win32/Kryptik.ATL trojan deleted - quarantined

It was one bug, but it sounded deadly!

#8 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 52,082 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:01:57 PM

Posted 11 October 2009 - 02:43 PM

The detected _restore{GUID}\RP***\A00*****.xxx file(s) identified by your scan was in the System Volume Information Folder (SVI) which is a part of System Restore. The *** after RP represents a sequential number automatically assigned by the operating system. The ***** after A00 represents a sequential number where the original file was backed up and renamed except for its extension. To learn more about this, refer to the following.

System Restore is the feature that protects your computer by creating backups (snapshots saved as restore points) of vital system configurations and files. These restore points can be used to "roll back" your computer to a clean working state in the event of a problem. This makes it possible to undo harmful changes to your system configurations, including registry modifications made by software or malware, by reverting the operating system's configuration to an earlier date. The SVI folder is protected by permissions that only allow the system to have access and is hidden by default on the root of every drive, partition or volume, including most external drives and some USB flash drives. For more detailed information, read System Restore Overview and How it works and How antivirus software and System Restore work together.

System Restore is enabled by default and will back up the good as well as malicious files, so when malware is present on the system it gets included in restore points as an A00***** file. When you scan your system with anti-virus or anti-malware tools, you may receive an alert that a malicious file was detected in the SVI folder (System Restore points) and moved into quarantine. When a security program quarantines a file, that file is essentially disabled and prevented from causing any harm to your system. The quarantined file is safely held there and no longer a threat. Thereafter, you can delete it at any time.

If your anti-virus or anti-malware tool cannot move the files to quarantine, they sometimes can reinfect your system if you accidentally use an old restore point. In order to avoid reinfection and remove these file(s) if your security tools cannot remove them, the easiest thing to do after disinfection is Create a New Restore Point to enable your computer to "roll-back" to a clean working state and use Disk Cleanup to remove all but the most recent restore point.
Vista users can refer to these links: Create a New Restore Point in Vista and Disk Cleanup in Vista.

If your anti-virus or anti-malware tool was able to move the file(s), I still recommend creating a new restore point and using disk cleanup as the last step after removing malware from an infected computer.
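Added example, not from this thread or any of the tools it mentions: a small Python helper that parses detection lines in the shape of the logs posted above (a threat name followed by its paths) and labels each path by the kind of artefact it is, pulling the RP and A00 numbers out of a System Restore path the way quietman7 describes. The sample log below is constructed from entries in this thread.

```python
from __future__ import annotations
import re

# Constructed sample, modelled on the SUPERAntiSpyware log and the ESET line in this thread.
SAMPLE_LOG = """\
Trojan.Dropper/Gen
C:\\DOCUME~1\\ALLUSE~1\\APPLIC~1\\83599741\\83599741.EXE
C:\\WINDOWS\\Prefetch\\83599741.EXE-09A0DFD4.pf

Rogue.Agent/Gen
HKLM\\SOFTWARE\\MICROSOFT\\WINDOWS\\CURRENTVERSION\\RUN#83599741
C:\\DOCUMENTS AND SETTINGS\\OWNER\\DESKTOP\\SECURITY TOOL.LNK

Win32/Kryptik.ATL
C:\\System Volume Information\\_restore{85AC6508-4643-4FD7-BA09-A2615F0A9811}\\RP123\\A0032463.exe
"""

# _restore{GUID}\RP<n>\A00<seq>.<ext>: RP<n> is the restore point, A00<seq> the backup copy,
# and only the original extension survives the rename.
RESTORE_RE = re.compile(
    r"\\_restore\{(?P<guid>[0-9A-Fa-f-]{36})\}\\RP(?P<rp>\d+)\\A00(?P<seq>\d+)\.(?P<ext>\w+)$",
    re.IGNORECASE,
)

def classify(path: str) -> str:
    """Label a detection path by the kind of artefact it points at."""
    m = RESTORE_RE.search(path)
    if m:
        return f"restore-point copy (RP{m['rp']}, backup #{int(m['seq'])}, .{m['ext'].lower()})"
    upper = path.upper()
    if upper.startswith("HKLM\\") and "\\RUN#" in upper:
        return "autorun registry value"   # persistence: runs the dropped file at logon
    if "\\PREFETCH\\" in upper:
        return "prefetch trace"           # evidence the executable was run, not the payload
    if upper.endswith(".LNK"):
        return "shortcut"
    return "file on disk"

def parse_log(text: str) -> list[tuple[str, str, str]]:
    """Return (threat name, path, label) triples from a blank-line separated log."""
    out: list[tuple[str, str, str]] = []
    threat = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            threat = None                 # blank line ends the current detection group
        elif threat is None:
            threat = line                 # first line of a group is the threat name
        else:
            out.append((threat, line, classify(line)))
    return out
```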
