
Security Tool Virus (System Tool 2011)

20 replies to this topic

#1 IrishO

Posted 26 December 2010 - 11:14 AM

Hi there,

New to the forum and having some challenges navigating topics, so please forgive me if this has been covered.

I am trying to remove a virus titled Security Tool, and any other problems, from an XP system.

Following is a history of recent unsuccessful attempts:


1. Downloaded Malwarebytes, ran a full scan, found three items, removed them and rebooted. No appearance of the virus.
2. Next day, reappearance of the virus.
3. Could not re-run Malwarebytes.
4. Renamed the exe file to an alternate name on an alternate computer with a flash drive. Could not execute.
5. Downloaded again, and tried to execute it with a random name from the flash drive. Could not execute.
6. Cannot run regedit, command.com, devmgmt.msc or cmd.
7. Separately downloaded dds, combofix and win32kdiag; "application cannot be executed." "notepad.exe is infected"


Appreciate the support,
IrishO


#2 teacup61
  • Malware Response Team

Posted 27 December 2010 - 01:24 PM

Hello IrishO ,


Let's disable the main file manually so you can run some tools.

What I want you to look for is in Application Data (If using XP). There will be a folder, with a file in it of the same "name". This will appear random, but it has a pattern. Look for letters and numbers in this order: lower case, upper case, lower case, upper case, lower case, then 5 random numbers. For example:

Folder -----> pEeHl02508\pEeHl02508.exe <-----file inside

Delete the folder. Now, if you still have no access to the internet, download the following tool to a flash drive from a different computer, then put it on the infected one and run it.

This tool is not a toy. If used the wrong way you could trash your computer. Please use only under direction of a Helper. If you decide to do so anyway, please do not blame me or ComboFix.

* Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix. IF YOU USE AVG IT MUST BE UNINSTALLED OR THIS WILL NOT RUN.

1. Download this file - combofix.exe
http://download.bleepingcomputer.com/sUBs/ComboFix.exe

2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

If you have trouble running it the first time, then rename ComboFix.exe to IrishO.exe and try again.

Thanks,
tea


Please make a donation so I can keep helping people just like you.
Every little bit helps! :)
You can even use your credit card! Thank you!

Error reading poptart in Drive A: Delete kids y/n?
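The folder-naming pattern teacup61 describes above (lower case, upper case, lower case, upper case, lower case, then five digits, with a same-named .exe inside) can be checked mechanically instead of by eye. The following Python script is an added example, not code from the thread or from BleepingComputer: it scans one Application Data directory, flags folder names that fit the described pattern, and records whether a same-named .exe sits inside. The sample directory tree it builds is constructed; the names aBkHo06300, eNpNk08200 and Malwarebytes are taken from this thread, and the "abcde12345" folder is a constructed non-match.

```python
import os
import re
import tempfile
from typing import List, Tuple

# Naming scheme described in the thread: lower, upper, lower, upper, lower,
# then exactly five digits (e.g. pEeHl02508, aBkHo06300).
ROGUE_NAME = re.compile(r"^[a-z][A-Z][a-z][A-Z][a-z][0-9]{5}$")


def matches_rogue_pattern(name: str) -> bool:
    """True if a folder or file name fits the random-looking naming scheme."""
    return ROGUE_NAME.fullmatch(name) is not None


def find_rogue_folders(app_data_root: str) -> List[Tuple[str, bool]]:
    """Scan the top level of app_data_root (on XP this would be
    c:\\documents and settings\\All Users\\Application Data).

    Returns (folder name, True if a same-named .exe is inside), sorted by
    name. A match with the .exe present is the loader the helper asked to
    have deleted; a match without it is an empty leftover folder.
    """
    hits = []
    for entry in os.scandir(app_data_root):
        if entry.is_dir() and matches_rogue_pattern(entry.name):
            exe_path = os.path.join(entry.path, entry.name + ".exe")
            hits.append((entry.name, os.path.isfile(exe_path)))
    return sorted(hits)


def build_sample_tree() -> str:
    """Constructed sample tree (not a real system), returned as its root path."""
    root = tempfile.mkdtemp(prefix="appdata_sample_")
    # Folder plus same-named exe, as the helper described.
    os.makedirs(os.path.join(root, "aBkHo06300"))
    with open(os.path.join(root, "aBkHo06300", "aBkHo06300.exe"), "wb") as f:
        f.write(b"placeholder bytes - constructed, not a real binary")
    # Leftover folder with nothing inside.
    os.makedirs(os.path.join(root, "eNpNk08200"))
    # Legitimate vendor folder: must not match.
    os.makedirs(os.path.join(root, "Malwarebytes"))
    # Right length, wrong case pattern: must not match.
    os.makedirs(os.path.join(root, "abcde12345"))
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for folder, has_exe in find_rogue_folders(sample_root):
        kind = "folder + same-named exe" if has_exe else "folder only"
        print(f"{folder}: {kind}")
```

Point `find_rogue_folders` at a real Application Data directory to list candidates; the script only reports, it does not delete anything, so the decision about what to remove stays with the person reviewing the output.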

#3 IrishO

Posted 28 December 2010 - 10:28 AM

Dear Texan Teacup,

Thanks for your reply. I may need some help navigating Application Data. I don't seem to have any AVG on the computer.

In XP, under Local Settings

Adobe
Microsoft
ApplicationHistory

Under the lattermost, I found explore.exe.3c2f65a1.ini.inuse

Otherwise, there was not much that I could find. Should I look elsewhere or delete this file?
Thanks,
IrishO

#4 teacup61
  • Malware Response Team

Posted 28 December 2010 - 11:25 AM

Hello,

No, don't delete that file.

For XP, the full path would be c:\documents and settings\all users\application data\ :)

tea

#5 IrishO

Posted 28 December 2010 - 12:32 PM

Hi Tea,

The following, aBkHo06300, was found under the Application Data file. It has the lock icon that corresponds with the Security Tool viral pop-up.
However, when I attempt to delete this file, I get "cannot delete aBkHo06300: access denied".

IO

#6 teacup61
  • Malware Response Team

Posted 28 December 2010 - 01:08 PM

That should be a folder, with a file of the same name inside. See if the file will delete, and if not, try the folder. If neither will, see if you can delete the file in Safe Mode. :thumbup2:

#7 IrishO

Posted 28 December 2010 - 01:30 PM

OK, looks like it deleted. The icon remains as do the pop ups.

"Ensure you have disabled all anti virus and anti malware programs"

Is there any easy way to determine the presence of anti-malware programs, and does this include Malwarebytes?

Thanks, I will begin searching/disabling.

IO

#8 IrishO

Posted 28 December 2010 - 01:34 PM

Under Remove Programs, Malwarebytes... Remove... "Application cannot be executed, the file unins000.exe is infected"...

#9 teacup61
  • Malware Response Team

Posted 28 December 2010 - 01:48 PM

Don't worry about Malwarebytes. ComboFix will run anyway with it. :thumbup2: The popups will remain until you can run ComboFix and possibly one or two others. Deleting the main file simply made it possible to run these. :)

tea

#10 IrishO

Posted 28 December 2010 - 02:30 PM

Thanks Tea. During ComboFix it indicated deleting the aBkHo06300 file, folder and some other stuff.
Do you need me to post the Log?

#11 teacup61
  • Malware Response Team

Posted 28 December 2010 - 02:36 PM

Yes, please. :)

#12 IrishO

Posted 28 December 2010 - 02:42 PM

As requested, transferred from the previously infected computer....


ComboFix 10-12-26.01 - Anthony 12/28/2010 14:20:51.1.2 - x86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1015.792 [GMT -5:00]
Running from: E:\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\All Users\Application Data\aBkHo06300
c:\documents and settings\All Users\Application Data\aBkHo06300\aBkHo06300
c:\documents and settings\All Users\Application Data\aBkHo06300\aBkHo06300.exe
c:\documents and settings\Anthony\Start Menu\Programs\System Tool
c:\windows\system32\Oeminfo.ini
c:\windows\system32\Thumbs.db

.
((((((((((((((((((((((((( Files Created from 2010-11-28 to 2010-12-28 )))))))))))))))))))))))))))))))
.

2010-12-25 14:20 . 2010-12-25 14:20 -------- d-----w- c:\documents and settings\Anthony\Application Data\Malwarebytes
2010-12-25 14:19 . 2010-12-20 23:09 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2010-12-25 14:19 . 2010-12-25 14:19 -------- d-----w- c:\documents and settings\All Users\Application Data\Malwarebytes
2010-12-25 14:19 . 2010-12-28 19:11 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2010-12-25 14:19 . 2010-12-20 23:08 20952 ----a-w- c:\windows\system32\drivers\mbam.sys
2010-12-25 14:12 . 2010-12-25 14:12 -------- d-----w- c:\windows\system32\wbem\Repository
2010-12-25 14:00 . 2010-12-25 14:03 -------- d-s---w- c:\documents and settings\Administrator
2010-12-25 12:41 . 2010-12-25 14:03 -------- d-----w- c:\documents and settings\All Users\Application Data\eNpNk08200

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2010-11-18 18:12 . 2008-08-09 14:47 81920 ----a-w- c:\windows\system32\isign32.dll
2010-11-06 00:26 . 2008-08-09 14:32 916480 ----a-w- c:\windows\system32\wininet.dll
2010-11-06 00:26 . 2008-08-09 14:32 43520 ----a-w- c:\windows\system32\licmgr10.dll
2010-11-06 00:26 . 2008-08-09 14:32 1469440 ------w- c:\windows\system32\inetcpl.cpl
2010-11-03 12:25 . 2008-08-09 14:32 385024 ----a-w- c:\windows\system32\html.iec
2010-11-02 15:17 . 2008-08-09 14:32 40960 ----a-w- c:\windows\system32\drivers\ndproxy.sys
2010-10-28 13:13 . 2008-08-09 14:32 290048 ----a-w- c:\windows\system32\atmfd.dll
2010-10-26 13:25 . 2008-08-09 14:32 1853312 ----a-w- c:\windows\system32\win32k.sys
2008-05-07 08:34 . 2008-12-09 21:39 15523560 ----a-w- c:\program files\U1 Setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2009-10-12 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-12-20 135168]
"HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-12-20 159744]
"Persistence"="c:\windows\system32\igfxpers.exe" [2007-12-20 131072]
"AsusTray"="c:\program files\EeePC\ACPI\AsTray.exe" [2008-09-03 106496]
"AsusACPIServer"="c:\program files\EeePC\ACPI\AsAcpiSvr.exe" [2008-09-03 593920]
"AsusEPCMonitor"="c:\program files\EeePC\ACPI\AsEPCMon.exe" [2008-05-21 94208]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-10 136600]
"RTHDCPL"="RTHDCPL.EXE" [2008-07-31 16806912]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2010-04-02 40368]
"Adobe ARM"="c:\program files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" [2010-09-21 932288]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2010-03-19 421888]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2010-06-15 141624]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
SuperHybridEngine.lnk - c:\program files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe [2008-9-11 311296]
WDDMStatus.lnk - c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMStatus.exe [2009-10-14 2049344]
WDSmartWare.lnk - c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWare.exe [2009-10-14 9085760]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2010-04-02 18:05 40368 ----a-w- c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
2008-04-14 12:42 1695232 ------w- c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
2008-02-13 03:08 21898024 ----a-r- c:\program files\Skype\Phone\Skype.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Microsoft Office\\Office12\\OUTLOOK.EXE"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=

S2 WDDMService;WD SmartWare Drive Manager;c:\program files\Western Digital\WD SmartWare\WD Drive Manager\WDDMService.exe [10/14/2009 2:31 PM 98304]
S2 WDSmartWareBackgroundService;WD SmartWare Background Service;c:\program files\Western Digital\WD SmartWare\Front Parlor\WDSmartWareBackgroundService.exe [6/16/2009 9:58 AM 20480]
S3 ETD;ELAN PS/2 Port Input Device;c:\windows\system32\drivers\ETD.sys [9/11/2008 5:18 PM 94208]
S3 RT80x86;Ralink 802.11n Wireless Driver;c:\windows\system32\drivers\rt2860.sys [9/11/2008 9:42 PM 625024]
S3 WDC_SAM;WD SCSI Pass Thru driver;c:\windows\system32\drivers\wdcsam.sys [12/27/2009 8:15 PM 11520]
.
Contents of the 'Scheduled Tasks' folder

2010-12-24 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2009-10-22 15:50]

2010-12-28 c:\windows\Tasks\Check Updates for Windows Live Toolbar.job
- c:\program files\Windows Live Toolbar\MSNTBUP.EXE [2007-10-19 18:20]

2010-12-28 c:\windows\Tasks\User_Feed_Synchronization-{3F9B1305-0257-48E3-B18E-1943ECCE2F01}.job
- c:\windows\system32\msfeedssync.exe [2009-03-08 09:31]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.theglobeandmail.com/
uInternet Settings,ProxyOverride = *.local
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
.
- - - - ORPHANS REMOVED - - - -

Toolbar-Locked - (no file)
HKCU-Run-msnmsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe
HKLM-Run-ETDWareDetect - c:\program files\Elantech\ETDDect.exe
MSConfigStartUp-MsnMsgr - c:\program files\Windows Live\Messenger\msnmsgr.exe



**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2010-12-28 14:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- LOCKED REGISTRY KEYS ---------------------

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}]
@Denied: (A 2) (Everyone)
@="FlashBroker"
"LocalizedString"="@c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe,-101"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\Elevation]
"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\LocalServer32]
@="c:\\WINDOWS\\system32\\Macromed\\Flash\\FlashUtil10h_ActiveX.exe"

[HKEY_LOCAL_MACHINE\software\Classes\CLSID\{A483C63A-CDBC-426E-BF93-872502E8144E}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}]
@Denied: (A 2) (Everyone)
@="IFlashBroker4"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\ProxyStubClsid32]
@="{00020424-0000-0000-C000-000000000046}"

[HKEY_LOCAL_MACHINE\software\Classes\Interface\{E3F2C3CB-5EB8-4A04-B22C-7E3B4B6AF30F}\TypeLib]
@="{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
"Version"="1.0"
.
Completion time: 2010-12-28 14:28:18
ComboFix-quarantined-files.txt 2010-12-28 19:28

Pre-Run: 61,801,615,360 bytes free
Post-Run: 62,590,607,360 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
UnsupportedDebug="do not select this" /debug
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect

- - End Of File - - A439D9D5B6D41A9FE801214345EA62AE

#13 teacup61
  • Malware Response Team

Posted 28 December 2010 - 02:57 PM

Thank you :)

How is it running now please?

Have a scan with MBAM now and let me know if it finds anything.

Thanks,
tea

#14 IrishO

Posted 28 December 2010 - 03:03 PM

Dear Tea,

It is running famously, thanks to you, B.C. & ComboFix!

A quick scan by Malwarebytes reveals zero objects infected.


Thank you for all your support.

IrishO

#15 teacup61
  • Malware Response Team

Posted 28 December 2010 - 03:13 PM

Hello,

You're welcome. :)

* Open notepad - don't use any other text editor than notepad or the script will fail.
Copy/paste the text in the quote box below into notepad:

Folder::
c:\documents and settings\All Users\Application Data\eNpNk08200


Save this as a text file named CFScript.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

[screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply.

Thanks,
tea
