Security Tool....


23 replies to this topic

#1 YesImOtto

YesImOtto

  • Members
  • 284 posts
  • OFFLINE
  •  
  • Local time:02:25 PM

Posted 14 November 2010 - 07:04 AM

Hi all...

Well, I was (still am) surprised, or maybe shocked... I was basically doing nothing!!!! I was going to Wikipedia, eHow, Facebook, and goal.com, when suddenly a Java-like image popped up saying it's installing something.... then I noticed the computer was working harder. After a while, a message box appeared saying "Installation complete". Of course I was scared straight away.

So, it was quick and I was a bit nervous so I could not remember it all, but it was a blue screen box and something saying Security Tools.

Then I quickly went to Task Manager and stopped all weird processes.....

So I'm just concerned if there's still a virus in my computer... hopefully someone can help me here.. Thanks!


#2 YesImOtto

Posted 14 November 2010 - 07:16 AM

Please help.... It won't let me open Task Manager.. I'm scared =(

#3 AustrAlien

Posted 14 November 2010 - 07:25 AM

Have a look at the removal guide linked below. Is this what you have on your system? If it is, please follow the removal guide closely, and then post the MBAM log in this thread when you have completed the instructions, and let us know how your computer is running then.

Remove Security Tool and SecurityTool (Uninstall Guide)
Posted by Grinler on September 25, 2009
http://www.bleepingcomputer.com/virus-removal/remove-security-tool

Note: Step #13
"Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded in step 14."

This should read "you downloaded in step 12."

AustrAlien
Google is my friend. Make Google your friend too.


#4 YesImOtto

Posted 14 November 2010 - 08:19 PM

Hi, I have done exactly that, but still no help. I hope you are here to reply to my question, I am scared.

Thanks

#5 AustrAlien

Posted 14 November 2010 - 08:22 PM

Will do my best.

Please post the MBAM log

Open MBAM > Logs

Copy and paste the entire log in your next post.

Thank you.

#6 YesImOtto

Posted 14 November 2010 - 08:31 PM

Thanks for the super quick reply.

By the way I tried going to AppData and deleting Security Tool, but it wouldn't let me because it says the file is in use. So I restarted in Safe Mode, went to my username, then went to AppData, deleted the Security Tool itself, and I was successful. Now I am here, in normal mode, and so far it's been good! No virus etc.! I can even open Task Manager!

But my question is.... is it really that simple to get rid of Security Tool? I'd like to know if there's still "bad" stuff in my computer?

here you go

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4281

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18813

15/11/2010 9:08:22 AM
mbam-log-2010-11-15 (09-08-22).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 302319
Time elapsed: 1 hour(s), 0 minute(s), 21 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2

Memory Processes Infected:
C:\Users\Eddie\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Backdoor.Bot) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Eddie\AppData\Roaming\Microsoft\svchost.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.

#7 AustrAlien

Posted 14 November 2010 - 08:43 PM

Malwarebytes' Anti-Malware 1.46
Database version: 4281

The latest database version for MBAM is well over 5100 now.

Please update the database definitions. <<< Important

Please start the removal guide, and work through it again.

There is no need to re-install MBAM: Simply open MBAM > Updates > Check for Updates and wait until the database version is updated. (Let us know if you have trouble updating the database.) <<< Important.

Post the log when completed and let me know how the system is running. We can then run some more scans to ensure that your system is indeed clean.

Edited by AustrAlien, 14 November 2010 - 08:44 PM.


#8 YesImOtto

Posted 14 November 2010 - 08:45 PM

OK, I will try to update MBAM.

But I am a bit happy now because I deleted the stupid blue-icon Security Tool. I hope it helps a lot.

#9 YesImOtto

Posted 14 November 2010 - 09:59 PM

here you go!!!




Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 5117

Windows 6.0.6001 Service Pack 1 (Safe Mode)
Internet Explorer 8.0.6001.18813

15/11/2010 10:55:38 AM
mbam-log-2010-11-15 (10-55-38).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 318593
Time elapsed: 1 hour(s), 0 minute(s), 59 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 4

Memory Processes Infected:
C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> Unloaded process successfully.
C:\Users\Eddie\AppData\Local\Temp\dwm.exe (Trojan.Agent) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\AVSolution (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\wnxmal (Rogue.SecuritySuite) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\users\eddie\appdata\local\temp\dwm.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Users\Eddie\AppData\Roaming\Microsoft\stor.cfg (Malware.Trace) -> Quarantined and deleted successfully.
C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
C:\Users\Eddie\AppData\Local\Temp\dwm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Budy\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Delete on reboot.


----------------

By the way, I use Firefox and when I tried connecting to the internet, I could not. So I changed the proxy setting, which I learned from Bleeping Computer :D Thanks!
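The second MBAM log above is worth reading for the persistence it records, not just the detection names: a Run value named svchost, the old Windows NT\CurrentVersion\Windows\Load value pointing at a dwm.exe dropped in Temp, and a Winlogon Shell value rewritten to "explorer.exe,C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\shell.exe", which makes Winlogon start the malware as a second shell at every logon. The Python below is an added example, not part of this thread and not Malwarebytes code: it parses MBAM 1.x log lines and tags each entry with the autostart mechanism it represents, and flags payloads that borrow a system process name while living outside System32. SAMPLE_LOG is a trimmed copy of the entries posted above; the tag names, the list of borrowed system-binary names and the user-writable path markers are this example's own heuristics (assumptions), not MBAM's classification.

```python
"""Triage an MBAM 1.x text log for the persistence mechanisms it records.

Added example for this thread, not Malwarebytes code. SAMPLE_LOG is a trimmed
copy of the second log posted above; the tags and heuristics below are this
example's own assumptions, not MBAM's classification.
"""
import re
from dataclasses import dataclass, field

SAMPLE_LOG = r"""
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Agent) -> Data: c:\users\eddie\appdata\local\temp\dwm.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (explorer.exe,C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\shell.exe) Good: (Explorer.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\Eddie\AppData\Roaming\Microsoft\Windows\shell.exe (Trojan.Shell) -> Quarantined and deleted successfully.
C:\Users\Eddie\AppData\Local\Temp\dwm.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Users\Budy\Local Settings\Application Data\Windows Server\admin.txt (Malware.Trace) -> Delete on reboot.
"""

# One MBAM detection line: "<item> (<detection name>) -> <data / action>".
DETECTION_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
BAD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\)")       # Winlogon value before the fix
DATA_RE = re.compile(r"^Data: (?P<data>.+?) -> ")      # payload path of a data item

# Assumed heuristics: system process names that malware borrows, the directories
# where those names are legitimate, and path fragments any user can write to.
SYSTEM_BINARY_NAMES = {"svchost.exe", "dwm.exe", "explorer.exe", "csrss.exe",
                       "lsass.exe", "winlogon.exe", "services.exe"}
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\local settings\\", "\\temp\\")


@dataclass
class Detection:
    section: str
    item: str
    name: str
    rest: str
    tags: set = field(default_factory=set)
    injected_shells: list = field(default_factory=list)


def parse_mbam_log(text):
    """Return one Detection per '... -> ...' line, remembering its section."""
    section, found = "", []
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("Infected:"):          # e.g. "Registry Data Items Infected:"
            section = line[: -len(" Infected:")]
            continue
        m = DETECTION_RE.match(line)
        if m:
            found.append(Detection(section, m["item"], m["name"], m["rest"]))
    return found


def _flag_path(path, tags):
    p = path.lower()
    if p.rsplit("\\", 1)[-1] in SYSTEM_BINARY_NAMES and not any(d in p for d in SYSTEM_DIRS):
        tags.add("masquerading-system-binary")  # system name, non-system directory
    if any(marker in p for marker in USER_WRITABLE_MARKERS):
        tags.add("user-writable-location")


def classify(det):
    """Tag a Detection with the autostart mechanism it represents."""
    item = det.item.lower()
    if not det.section.startswith("Registry"):
        _flag_path(det.item, det.tags)          # plain file or process entry
    elif item.endswith("\\winlogon\\shell"):
        det.tags.add("winlogon-shell-hijack")
        m = BAD_RE.search(det.rest)
        if m:
            # Shell is a comma-separated list and Winlogon starts every entry,
            # so anything besides explorer.exe is an extra, injected shell.
            for part in (s.strip() for s in m["bad"].split(",")):
                if part and part.lower() != "explorer.exe":
                    det.injected_shells.append(part)
                    _flag_path(part, det.tags)
    elif item.endswith(("\\currentversion\\windows\\load", "\\currentversion\\windows\\run")):
        det.tags.add("winini-load-run")          # win.ini-era Load/Run values
        m = DATA_RE.match(det.rest)
        if m:
            _flag_path(m["data"], det.tags)
    elif "\\currentversion\\run\\" in item or "\\currentversion\\runonce\\" in item:
        det.tags.add("run-key")
    return det


def triage(text):
    return [classify(d) for d in parse_mbam_log(text)]


def persistence_summary(text):
    """Map each tag to the registry items and files that carry it."""
    summary = {}
    for det in triage(text):
        for tag in sorted(det.tags):
            summary.setdefault(tag, []).append(det.item)
    return summary


if __name__ == "__main__":
    for tag, items in persistence_summary(SAMPLE_LOG).items():
        print(tag)
        for it in items:
            print("   ", it)
```

Run it against a saved mbam-log-*.txt by reading the file into `triage()`. The point of the Shell parsing is that MBAM only reports the value as a whole; splitting it on commas is what tells you which extra binary was being launched, and that path is the one to confirm is gone after the reboot-deferred deletions have happened.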

#10 YesImOtto

Posted 14 November 2010 - 10:02 PM

I just noticed you are offline >_< By the way I live in Perth, so we are close :)

Hopefully you are back soon! Cya

EDIT: By the way, my computer seems to be working.....fine now (hopefully). The only weird thing was that the proxy was changed so like I said above I had to manually change it.

Other than that its good......i hope

Edited by sumosalad, 14 November 2010 - 10:06 PM.


#11 AustrAlien

Posted 14 November 2010 - 10:34 PM

We are practically neighbours! An old fella needs his afternoon siesta ...

Re: unchecking "Use proxy .... " box
Good thinking 99! Malware commonly changes that setting, selecting to use the proxy.


:step1: Please download ATF Cleaner by Atribune & save it to your desktop. alternate download link
  • Close all open browsers before using, especially FireFox. <-Important!!!
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main "Select Files to Delete" choose: Select All.
  • Click the Empty Selected button.
  • If you use Firefox browser click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • If you use Opera browser click Opera at the top and choose: Select All
  • Click the Empty Selected button.
    If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
Notes: On Vista, "Windows Temp" is disabled. To empty Temp, ATF-Cleaner must be Run As Administrator.
The Prefetch cleaning feature has been disabled for Vista Users. Tabs for applications that are not installed are grayed out.



:step2: Please download and scan with SUPERAntiSpyware Free
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If it will not start, go to Start > All Programs > SUPERAntiSpyware and click on Alternate Start.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from here. Double-click on the hyperlink for Download Installer and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the "General and Startup" tab, and under Start-up Options, make sure "Start SUPERAntiSpyware when Windows starts" box is unchecked.
  • Click the "Scanning Control" tab, and under Scanner Options, make sure the following are checked (leave all others unchecked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Close" button to leave the control center screen and exit the program.
  • Do not run a scan just yet.
Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with SUPERAntiSpyware as follows:
  • Launch the program and back on the main screen, under "Scan for Harmful Software" click Scan your computer.
  • On the left, make sure you check C:\Fixed Drive.
  • On the right, under "Complete Scan", choose Perform Complete Scan and click "Next".
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes" and reboot normally.
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a usb drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

Edited by AustrAlien, 14 November 2010 - 10:45 PM.


#12 YesImOtto

Posted 15 November 2010 - 12:41 AM

Here you go mate

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/15/2010 at 01:31 PM

Application Version : 4.40.1002

Core Rules Database Version : 5134
Trace Rules Database Version: 2946

Scan type : Complete Scan
Total Scan Time : 01:39:03

Memory items scanned : 231
Memory threats detected : 0
Registry items scanned : 12399
Registry threats detected : 0
File items scanned : 195495
File threats detected : 39

Adware.Tracking Cookie
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\andrew@atdmt[1].txt
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\andrew@bs.serving-sys[1].txt
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\andrew@doubleclick[1].txt
C:\Users\Andrew\AppData\Roaming\Microsoft\Windows\Cookies\andrew@msnportal.112.2o7[2].txt
.bs.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.serving-sys.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.doubleclick.net [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.bizzclick.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.kontera.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.hitbox.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.eset.122.2o7.net [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.ehg-eset.hitbox.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.hitbox.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.clickfuse.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.tribalfusion.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.apmebf.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.fastclick.net [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.mediafire.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.mediafire.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.mediafire.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.mediafire.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.imrworldwide.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.imrworldwide.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.atdmt.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.worldvisionaustralia.122.2o7.net [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.questionmarket.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]
.questionmarket.com [ C:\Users\Eddie\AppData\Roaming\Mozilla\Firefox\Profiles\gqdwbhgz.default\cookies.sqlite ]

#13 AustrAlien

Posted 15 November 2010 - 12:45 AM

Nothing of interest in the SAS log, so that is good.

One more and we should be done ...

I'd like us to scan your machine with ESET OnlineScan
  • Hold down Control and click on the following link to open ESET OnlineScan in a new window.
    ESET OnlineScan
  • Click the Posted Image button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)
    • Click on Posted Image to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the Posted Image icon on your desktop.
  • Check Posted Image
  • Click the Posted Image button.
  • Accept any security warnings from your browser.
  • Check Posted Image
  • Push the Start button.
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, push Posted Image
  • Push Posted Image, and save the file to your desktop using a unique name, such as ESETScan. Include the contents of this report in your next reply.
  • Push the Posted Image button.
  • Push Posted Image


#14 YesImOtto

Posted 15 November 2010 - 12:59 AM

I'm following your exact instructions, so when it's asking for scan archives, there's also a tick box for "remove found threats", but I unticked it since you didn't tell me to tick it.

#15 AustrAlien

Posted 15 November 2010 - 01:02 AM

I unticked it since you didn't tell me to tick it.

Leave it ticked, so that it will remove anything that it finds.



