
Hey everyone and thanks for taking the time to check this post out...

This computer has been seriously affected by some sort of virus.

I have followed all instructions in the "Read first before posting" post and the virus will not allow me to install or run any of the suggested programs.

The program that is posing as a help rather than a virus is called "Security Tool" - it basically says that anything that we are trying to run is a virus itself.

I have tried running ccleaner in safe mode and a few other programs and basic stuff like that but it still will not help.

If any of you have any suggestions or can offer any help PLEEEEASE let me know - it will be greatly appreciated.

I have rid several computers of viruses but I have never come across anything like this.

Thanks again!

kilegoTy

Last Post by jholland1964

Hello kilegoty, Please do the following:
Before you can begin cleaning you must first end the processes that belong to Security Tool so that it does not interfere with the cleaning procedure. To do this, download the following file to your Desktop.

These instructions are from bleepingcomputer.
There are three versions of RKill - all identical except that each one uses a different extension in order to avoid being blocked by a trojan. If the first doesn't work then try the next until one of them works. This is what you will need to do:
http://download.bleepingcomputer.com/grinler/rkill.com
http://download.bleepingcomputer.com/grinler/rkill.exe
http://download.bleepingcomputer.com/grinler/rkill.scr
http://download.bleepingcomputer.com/grinler/eXplorer.exe - This renamed copy may trigger an alert from MBAM. It can be ignored and is safe.
http://download.bleepingcomputer.com/grinler/iExplore.exe

When RKill is run it will display a black console screen.
That console screen will continue to run until RKill has finished. Once finished, the box will close and a log will be displayed showing all of the processes that RKill terminated while it was running.

Depending on the malware that is installed on the computer, when you run RKill you may see a message from the malware stating that the program could not be run because it is a virus or is infected.
These warnings are just fake alerts by the malware that has hijacked your computer trying to protect itself. Two methods that you can try to get past this and allow RKill to run are:

1. When you receive the warning message, leave the message on the screen and try running RKill again.
2. If that does not work, just keep launching RKill until it catches and stays up long enough to kill the malware.

On a final note, when you download and run RKill, certain anti-virus programs may state that the program is a security risk. This is because some of the tools used by RKill can be used for good or bad, though the programs themselves are perfectly harmless, and most anti-virus programs just lump them into the bad category. I assure you we are using them only for good purposes.
Do not reboot your computer after running rkill as the malware programs will start again.

After it is complete then please do the following:
Instructions from bleepingcomputer:
Download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

http://www.bleepingcomputer.com/download/anti-virus/malwarebytes-anti-malware (Download page will open in a new window)

When the file has finished downloading, look on your desktop for mbam-setup.exe and right-click on it and select Rename. The title of the program will now have a blinking cursor where you can edit the name. Please change the name of the program to Explorer.exe.
After you rename the mbam-setup.exe to Explorer.exe, close all your programs and windows on your computer, including this one.

Double-click on the icon on your desktop named Explorer.exe. This will start the installation of MBAM onto your computer.

When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware check boxes. Then click on the Finish button. If Malwarebytes' prompts you to reboot, please do not do so.

If you receive a code 2 error while installing Malwarebytes', please press the OK button to close these errors as we will resolve them in future steps.
As this infection deletes a core executable of Malwarebytes', or does not allow it to run, we will need to download a new copy of it and put it in the C:\program files\Malwarebytes' Anti-Malware\ folder. To download the file please click on the following link: http://malwarebytes.org/mbam-download-exe-random.php
When your browser prompts you where to save it to, please save it to the C:\program files\Malwarebytes' Anti-Malware\ folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
Once the file has been downloaded, open the C:\program files\Malwarebytes' Anti-Malware\ folder and double-click on the file you downloaded.
MBAM will now start and you will be at the main program screen.

Before you can perform a scan, you must first update the program. To do this click on the Update tab, and then at the new screen click on the Check for Updates button. Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the OK button to continue.
Next do a Full Scan using MBAM. This will take a while so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Be sure that everything is checked, and click Remove Selected.
When MBAM finishes, Notepad will open with the log. Please save it where you can find it easily. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt.
You can now exit the MBAM program.

As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, SecurityTool changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:

Hostsperm.bat Download Link

When the file has finished downloading, double-click on the hostsperm.bat file that is now on your desktop. If Windows asks if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.

We now need to delete the C:\Windows\System32\Drivers\etc\HOSTS file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the C:\Windows\System32\Drivers\etc folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select Save Target As..., if in Internet Explorer, or Save Link As..., if in Firefox, to download the file appropriate for your operating system.

Windows XP HOSTS File Download Link

Windows Vista HOSTS File Download Link
Windows 2003 Server HOSTS File Download Link
Windows 2008 Server HOSTS File Download Link
Windows 7 HOSTS File Download Link

Your Windows HOSTS file should now be back to the default one from when Windows was first installed.

You can also delete the Explorer.exe program from your desktop.
Once complete then reboot the computer. Come back here and post the log from MBAM.
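The HOSTS-file step above (fix the permissions, delete the file, restore a default copy) is easier to verify with a small audit. The following is an added example, not part of jholland1964's post or of the bleepingcomputer instructions it quotes: it takes the text of a Windows HOSTS file and reports every active mapping that is not the default localhost entry. A name pinned to a loopback address is unreachable (the usual way a rogue blocks security-vendor sites); a name sent to any other address is silently redirected. The sample HOSTS text embedded in the script is constructed for the demo and its hostnames are placeholders under .invalid, not values from this thread; the function names parse_hosts, audit_hosts and is_default_hosts are the example's own.

```python
"""Audit a Windows HOSTS file for entries that do not belong to the default.

Added example for this thread, not part of the original posts or of the
bleepingcomputer instructions. It assumes the HOSTS file text is already in
hand (for instance read from C:\\Windows\\System32\\Drivers\\etc\\hosts); the
sample below is constructed, and its hostnames are placeholders.
"""
import ipaddress
from typing import Dict, List, Tuple

# Hostnames a stock Windows HOSTS file may legitimately map to loopback.
DEFAULT_NAMES = {"localhost"}

# Constructed sample: the stock comment header, the two default entries,
# and two injected lines of the kind a rogue AV adds (placeholder names).
SAMPLE_HOSTS = """# Copyright (c) 1993-2006 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# 102.54.94.97     rhino.acme.com          # source server
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.invalid   # injected: blocks an update site
203.0.113.9     www.search-site.invalid     # injected: silent redirect
"""


def parse_hosts(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, address, hostname) for every active mapping.

    Comments (# ...) and blank lines are ignored, and a line that maps
    several names to one address yields one tuple per name.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line; nothing to map
        address, names = parts[0], parts[1:]
        for name in names:
            entries.append((line_no, address, name.lower()))
    return entries


def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag every mapping that is not a default loopback entry.

    A name pinned to loopback blocks access to that name (typical for
    security-vendor sites); a name sent to any other address redirects it.
    """
    findings = []
    for line_no, address, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            findings.append({"line": line_no, "address": address, "host": name,
                             "reason": "unparseable address"})
            continue
        if addr.is_loopback and name in DEFAULT_NAMES:
            continue  # expected default entry
        reason = ("hostname pinned to loopback (access to it is blocked)"
                  if addr.is_loopback
                  else "hostname redirected to a non-loopback address")
        findings.append({"line": line_no, "address": address, "host": name,
                         "reason": reason})
    return findings


def is_default_hosts(text: str) -> bool:
    """True when the file contains nothing beyond the default entries."""
    return not audit_hosts(text)


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['address']} {f['host']} - {f['reason']}")
```

Run it against the contents of C:\Windows\System32\Drivers\etc\hosts (the path the post gives) before and after restoring the default file; an empty findings list after the restore confirms the replacement took. The script only reads text and does not touch file permissions, which is what the post's hostsperm.bat is for.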


Hey man!
Thanks for all of your help... just got done with the RKill and the MWB scan and everything seems to be doing ok!

Here is the log from MWB - if you think I should take anymore actions to ensure that this computer is running smooth, please let me know:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4438

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18928

8/17/2010 3:59:38 AM
mbam-log-2010-08-17 (03-59-38).txt

Scan type: Full scan (C:\|E:\|)
Objects scanned: 229289
Time elapsed: 51 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 31
Registry Values Infected: 3
Registry Data Items Infected: 0
Folders Infected: 11
Files Infected: 17

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\Users\dell\AppData\Local\Temp\b0e26c27-9280-4409-9e71-e195aa224a98\wrkD307.tmp_46 (Backdoor.Bot) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\clickpotatoliteax.info (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{c55ca95c-324b-451c-b2d2-6e895aa75fec} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{30b15818-e110-4527-9c05-46ace5a3460d} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{618aad04-921f-44c2-be38-c0818af69861} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5d2ed96-62f9-4c2c-956d-e425b1f67337} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d3a412e8-1e4b-47d2-9b12-f88291f5afbb} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1602f07d-8bf3-4c08-bdd6-dddb1c48aedc} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1602f07d-8bf3-4c08-bdd6-dddb1c48aedc} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ac6d819e-aa8f-4418-a3bb-d165c1b18bb5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{ac6d819e-aa8f-4418-a3bb-d165c1b18bb5} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clickpotatoliteax.info.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clickpotatoliteax.userprofiles (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\clickpotatoliteax.userprofiles.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\menubuttonie.buttonie (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\menubuttonie.buttonie.1 (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reporter (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\shopperreports.reporter.1 (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{0d82acd6-a652-4496-a298-2bde705f4227} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{11c27351-716b-4052-9361-e3b0a3f8221c} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{7025e484-d4b0-441a-9f0b-69063bd679ce} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{8258b35c-05b8-4c0e-9525-9bccc70f8f2d} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{a89256ad-ec17-4a83-bef5-4b8bc4f39306} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Settings\{100eb1fd-d03e-47fd-81f3-ee91287f9465} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{b58926d6-cfb0-45d2-9c28-4b5a0f0368ae} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a7cddcdc-beeb-4685-a062-978f5e07ceee} (Adware.ShopperReports) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{a078f691-9c07-4af2-bf43-35e79eecf8b7} (Adware.Softomate) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{b58926d6-cfb0-45d2-9c28-4b5a0f0368ae} (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{69725738-cd68-4f36-8d02-8c43722ee5da} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\MenuButtonIE.DLL (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\clickpotatolitesa (Adware.ClickPotato) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ad4469f-bc7b-401f-8c57-3bf736213685_46 (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform\srs_it_e8790272b0765d5335a897 (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\clickpotatolite@clickpotatolite.com (Adware.ClickPotato) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\ProgramData\2ACA5CC3-0F83-453D-A079-1076FE1A8B65 (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Users\dell\AppData\Roaming\ClickPotatoLite (Adware.ClickPotato) -> Delete on reboot.
C:\Program Files\AV7.0 (Rogue.Antivirus7) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0 (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0\firefox (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0\firefox\extensions (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0\firefox\extensions\plugins (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato (Adware.ClickPotato) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\dell\AppData\Local\Temp\b0e26c27-9280-4409-9e71-e195aa224a98\wrkD307.tmp_46 (Backdoor.Bot) -> Delete on reboot.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0\ClickPotatoLiteSAAX.dll (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0\LaunchHelp.dll (Adware.Seekmo) -> Quarantined and deleted successfully.
C:\Users\dell\AppData\Local\Temp\b0e26c27-9280-4409-9e71-e195aa224a98\wrkC9E3.tmp_46 (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSA.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSAAbout.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSAau.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSAEULA.mht (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSA_hpk.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\ClickPotatoLiteSA\ClickPotatoLiteSA_kyf.dat (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0\firefox\extensions\chrome.manifest (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Program Files\ClickPotatoLite\bin\10.0.511.0\firefox\extensions\install.rdf (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato\About Us.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Customer Support.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ClickPotato\ClickPotato Uninstall Instructions.lnk (Adware.ClickPotato) -> Quarantined and deleted successfully.
C:\Users\dell\AppData\Roaming\9ad4469f-bc7b-401f-8c57-3bf736213685_46.avi (Trojan.FakeAlert) -> Delete on reboot.
C:\Users\dell\Desktop\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.


Thanks again,
kilegoTy
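Logs like the one above are worth parsing rather than eyeballing: entries that end in "Delete on reboot" were not removed during the scan and need to be checked again after the restart, which is exactly what the follow-up quick scan in this thread does. The following is an added example, not MBAM's code and not part of kilegoTy's or jholland1964's posts: a small parser for this log layout that lists the reboot-pending items and compares them against a later log. Its embedded input consists of excerpts trimmed from the two logs posted in this thread (the full scan, and the quick scan run after the reboot), so it runs offline; the names parse_mbam_log, pending_reboot, followup, FIRST_LOG and SECOND_LOG are the example's own, and the parser assumes the 1.46-era layout shown in the posts.

```python
"""Parse Malwarebytes' Anti-Malware (MBAM) logs and follow up reboot-pending items.

Added example for this thread; it is not MBAM's code or part of the original
posts. The two log excerpts below are trimmed from the logs posted in the
thread (the full scan and the quick scan run after the reboot) so the script
runs offline; the parser assumes the 1.46-era log layout shown there.
"""
import re
from typing import Dict, List

# 'Registry Values Infected:' opens a section; 'Registry Values Infected: 3'
# is a summary count and is deliberately not matched.
SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):\s*$")
# '<path> (<detection>) -> <action>.'
ITEM_RE = re.compile(r"^(?P<path>.+?) \((?P<detection>[^()]+)\) -> (?P<action>.+?)\.?$")

FIRST_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Scan type: Full scan (C:\|E:\|)

Memory Modules Infected:
C:\Users\dell\AppData\Local\Temp\b0e26c27-9280-4409-9e71-e195aa224a98\wrkD307.tmp_46 (Backdoor.Bot) -> Delete on reboot.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9ad4469f-bc7b-401f-8c57-3bf736213685_46 (Trojan.FakeAlert) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Firefox\extensions\clickpotatolite@clickpotatolite.com (Adware.ClickPotato) -> Quarantined and deleted successfully.

Files Infected:
C:\Users\dell\AppData\Roaming\9ad4469f-bc7b-401f-8c57-3bf736213685_46.avi (Trojan.FakeAlert) -> Delete on reboot.
C:\Users\dell\Desktop\Explorer.exe (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

SECOND_LOG = r"""Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Scan type: Quick scan

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9ad4469f-bc7b-401f-8c57-3bf736213685_46 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Files Infected:
(No malicious items detected)
"""


def parse_mbam_log(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Map each 'X Infected:' section to its items (path, detection, action).

    '(No malicious items detected)' has no ' -> ' and so is skipped, leaving
    that section present but empty.
    """
    sections: Dict[str, List[Dict[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("section")
            sections.setdefault(current, [])
            continue
        m = ITEM_RE.match(line)
        if m and current is not None:
            sections[current].append({"path": m.group("path"),
                                      "detection": m.group("detection"),
                                      "action": m.group("action")})
    return sections


def pending_reboot(sections) -> List[Dict[str, str]]:
    """Items MBAM could not remove live and scheduled for the next reboot."""
    return [dict(item, section=name)
            for name, items in sections.items()
            for item in items
            if item["action"].lower().startswith("delete on reboot")]


def followup(first_text: str, second_text: str) -> Dict[str, List[str]]:
    """Check reboot-pending items from one log against a later scan's log.

    Paths are compared case-insensitively: MBAM writes the same Run key as
    'SOFTWARE' in one log and 'Software' in the other.
    """
    later_paths = {item["path"].lower()
                   for items in parse_mbam_log(second_text).values()
                   for item in items}
    reappeared, not_seen = [], []
    seen = set()
    for item in pending_reboot(parse_mbam_log(first_text)):
        key = item["path"].lower()
        if key in seen:
            continue  # same path listed under two sections
        seen.add(key)
        (reappeared if key in later_paths else not_seen).append(item["path"])
    return {"reappeared": reappeared, "not_seen": not_seen}


if __name__ == "__main__":
    result = followup(FIRST_LOG, SECOND_LOG)
    for path in result["reappeared"]:
        print("still present after reboot:", path)
    for path in result["not_seen"]:
        print("not detected by follow-up scan:", path)
```

On the thread's own logs it reports the Run value 9ad4469f-bc7b-401f-8c57-3bf736213685_46 as reappearing in the quick scan (where it was then quarantined) and the other reboot-pending items as not seen again. The case-insensitive comparison is what makes that match: the two logs spell the same key SOFTWARE and Software.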


Hey man... I just wanted to let you know that I received some sort of error message upon the restart of the computer.

Haven't had any major problems yet but I did run another MWB scan and it turned 1 object up.

Here is the scan:

Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org

Database version: 4438

Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18928

8/17/2010 4:12:02 AM
mbam-log-2010-08-17 (04-12-02).txt

Scan type: Quick scan
Objects scanned: 127295
Time elapsed: 7 minute(s), 7 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\9ad4469f-bc7b-401f-8c57-3bf736213685_46 (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


Thanks again,
kilegoTy


We need to know the exact wording of the error message.
You need to do the following scan:
Please run the ESET Online Scanner and attach the ScanLog with your post for assistance.
You will need to use Internet Explorer to complete this scan.
You will need to temporarily disable your current anti-virus program.

Be sure the option to Remove found threats is checked and the option to Scan unwanted applications is checked.
When you have completed that scan, a scanlog ought to have been created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please post that log for us after you reboot the computer.
Also please run a System Scan and save the log with HiJackThis 2.0.4. Post that log along with the ESET log.

Edited by jholland1964: n/a
