
Need Major Virus Help

2 replies to this topic

#1 nickw2805


  • Members
  • 2 posts
  • Local time:08:41 PM

Posted 24 October 2009 - 12:22 PM

I was recently infected by some mean virus. I was visiting a website and my pc just froze up to where I had to shut it off by pressing the power button. Upon restart I had fake virus popups from what I saw were System Tool, Antivirus System PRO, and SWP 2009. First thing I tried was System Restore where I got the message "System Restore has been turned off by group policy. To turn on System Restore, contact your domain Administrator." Next I turned off the pc and tried to start it in safe mode. I got the message "Windows did not start successfully due to recent hardware or software changes." At this point when I logged onto pc I got all the pop ups, task manager would not open, and when I finally got them to go away my desktop was blank and the background had been changed to a gray-blue screen. Only thing I could see or use was the task bar. I used another pc to access the internet and look up the problems I was having. I first searched Security Tool virus which told me to stop the processes, delete the files, then remove the registry keys. So upon start up and log on I was able to open the task manager right away before the pop ups occurred. I ended the process tree for Security Tool which was 81315826.exe which kept that from popping up. I then searched Security Tool on the pc and deleted the target files, desktop icon, and start icon. Then I went to delete the registry keys it said and I got the message "Registry editing has been disabled by your administrator." So I went back on another pc to search what had happened and the message I got. I also searched the other 2 virus names I had seen in the beginning. The reason I have to use another pc is because the internet will not load on my pc. It opens up internet explorer but just stays blank white and will not load any other web site I type. I had iolo System Mechanic previously on the pc but when I went to do a system analysis scan it closed the program out.
I then realized the icon for System Mechanic was now blank and when I tried to open it I got the message "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." Upon another restart I opened task manager again and noticed a process that would run upon the Antivirus System PRO running. It was rxewysysguard.exe. I ended that process tree and it closed the pop up. I also have a bunch of processes I have no idea about. Out of the 3 virus names I saw System Tool was the only one that created a desktop and start icon and folder that I could find. The others I searched but couldn't find a thing. On the other pc I searched and downloaded Malwarebytes' to a cd and opened it on the other pc to install it. On the installation process it would stop near the end and message would say "Unable to execute file: C:\Program Files\Malwarebytes'...\mbam.exe Create Process failed; code 2. The system cannot find the file specified." So I did a search on that found if I had the install folder open while installing the mbam.exe would appear then disappear. So I copied and pasted it to the desktop as fast as I could then I pasted it back in the installation folder and Malwarebytes' was able to run. Unfortunately while starting to run it I get the message again "Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item." This virus has thrown me for a loop and I have to resort to posting my own experiences with it. I can't do anything on the other pc without the virus changing something. I would greatly appreciate all your help!!!



#2 garmanma


    Computer Masochist

  • Members
  • 27,809 posts
  • Gender:Male
  • Location:Cleveland, Ohio
  • Local time:09:41 PM

Posted 25 October 2009 - 08:27 PM

Welcome to BC

Please download to your Desktop


When you double-click on the Desktop icon, a small DOS window will open and the application will run on its own
It should only take a few minutes and it will close by itself

Do not reboot the machine


We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open Posted Image on your desktop.
  • Click the Posted Image tab.
  • Click the Posted Image button.
  • Check all seven boxes: Posted Image
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the Posted Image button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad and copy/paste the entire contents (from Starting up... to Finished! Press any key to exit...) in your next reply.

Go to Posted Image > Run..., then copy and paste this command into the open box: cmd
Click OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop.
Open that file and copy/paste the contents in your next reply.
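The DIR command in the post above writes every copy of scecli.dll, netlogon.dll and eventlog.dll under %windir% to Log.txt so a helper can eyeball it. The script below is an added example, not part of the thread and not from any tool mentioned in it: it parses that Log.txt format offline and points out copies that sit outside the locations where Windows normally keeps them, or whose size differs from the other copies of the same file. The list of "usual" directories is an assumption made for illustration, and the sample log embedded in the script is constructed, not taken from the poster's machine.

```python
"""Triage a `DIR /a/s` listing of a few Windows system DLLs.

Added example (not from the original post). Reads the Log.txt produced by
`DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll`
and reports copies in unexpected places or with inconsistent sizes.
"""
import re
from collections import defaultdict

# Assumption for illustration: directories where Windows itself keeps
# copies of these DLLs (the post does not list them).
EXPECTED_DIRS = {
    r"c:\windows\system32",
    r"c:\windows\system32\dllcache",
    r"c:\windows\servicepackfiles\i386",
}

# " Directory of C:\WINDOWS\system32" header lines
DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# "08/04/2004  07:56 AM           181,248 scecli.dll" entry lines
FILE_LINE = re.compile(
    r"^(\d{2}/\d{2}/\d{4})\s+(\d{2}:\d{2}(?:\s?[AP]M)?)\s+([\d,]+)\s+(.+?)\s*$"
)


def parse_dir_listing(text):
    """Return a list of (directory, filename, size_bytes) from DIR /s output."""
    entries = []
    current_dir = None
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m and current_dir is not None:
            size = int(m.group(3).replace(",", ""))
            entries.append((current_dir, m.group(4), size))
    return entries


def triage(entries, expected_dirs=EXPECTED_DIRS):
    """Flag copies outside expected_dirs and files whose copies differ in size.

    Returns a list of (filename, directory, reason) tuples; the size check
    uses the pseudo-directory "(all copies)" because it concerns the set.
    """
    by_name = defaultdict(list)
    for directory, name, size in entries:
        by_name[name.lower()].append((directory, size))

    findings = []
    for name, copies in sorted(by_name.items()):
        for directory, _size in copies:
            if directory.lower() not in expected_dirs:
                findings.append((name, directory, "unexpected location"))
        sizes = sorted({s for _, s in copies})
        if len(sizes) > 1:
            joined = ", ".join(str(s) for s in sizes)
            findings.append((name, "(all copies)",
                             f"copies differ in size: {joined}"))
    return findings


# Constructed sample in the DIR /s output format; sizes and dates are made up.
SAMPLE_LOG = r"""
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\WINDOWS\system32

08/04/2004  07:56 AM           181,248 scecli.dll
08/04/2004  07:56 AM           407,040 netlogon.dll
08/04/2004  07:56 AM            55,808 eventlog.dll
               3 File(s)        644,096 bytes

 Directory of C:\WINDOWS\system32\dllcache

08/04/2004  07:56 AM           181,248 scecli.dll
08/04/2004  07:56 AM           407,040 netlogon.dll
08/04/2004  07:56 AM            56,320 eventlog.dll
               3 File(s)        644,608 bytes

 Directory of C:\WINDOWS\Temp

10/24/2009  11:58 AM            56,320 eventlog.dll
               1 File(s)         56,320 bytes

     Total Files Listed:
               7 File(s)      1,344,928 bytes
               0 Dir(s)  10,000,000,000 bytes free
"""

if __name__ == "__main__":
    for name, where, reason in triage(parse_dir_listing(SAMPLE_LOG)):
        print(f"{name:14} {where:32} {reason}")
```

To use it on a real log, read Log.txt into a string and pass it to parse_dir_listing; a clean machine should produce no findings at all, while a copy in a folder like Temp, or two copies with different sizes, is what a helper would ask about next.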

#3 nickw2805

  • Topic Starter

  • Members
  • 2 posts
  • Local time:08:41 PM

Posted 01 November 2009 - 07:32 PM

I had to download those to a disk since the internet is not working on that pc. I put in the disk and copied Rkill.scr to my desktop. I had to right-click it and click configure or install it for the dos window to run. It ran and said terminating known malware processes, then it closed and the desktop refreshed. Then I copied the RootRepeal, Direct Download, Primary Mirror, to my desktop and opened that. I followed all steps then started the scan. Five entries popped up on the report then it just closed. I tried again and now the desktop icon went from the magnifying glass to blank window image. When I try to open it I get the error, Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item. I tried to run RootRepeal from the disk and it started scanning, same five popped up then it closed. I took a screen shot of the scan right before it closed, but I'm not sure how to insert it here. The first entry was C:\hiberfil.sys, then C:\Documents and Settings\NetworkService\ntuser.dll, then the next 3 were the same thing but instead of "NetworkService" it was the users, then C:\WINDOWS\Offline Web Pages\Offline Web Pages, and the last thing it was scanning before it closed was C:\WINDOWS\Prefetch. The status of the first entry was "Locked to the Windows API!", the next 4 were "Invisible to the Windows API!", and the last was "Allocation size mismatch (API...)". Also a new folder popped up on desktop for RootRepeal, with the words MS DOS picture. Came up after I had clicked properties on the, now blank, RootRepeal I put on desktop.
