System Tool Virus

Status
This thread has been Locked and is not open to further replies. Please start a New Thread if you're having a similar issue. View our Welcome Guide to learn how to use this site.

KeenanCahillRI

Thread Starter
Joined
Jan 19, 2011
Messages
6
Right, got this virus a few days ago and have been told a few different ways of trying to get rid of it, however, none have worked.

I start my Laptop up in Safe Mode, with networking, and try to download RKill which I have been told I will need, however, whenever I try to run it, my screen goes blue, with the message from Windows about having to shut it down to prevent damage.

When I try to d'load/run it with Windows in normal mode, I get the message 'The dependency service or group, failed to start'


As you can tell, I'm useless with things like this, but my mate who has had the same virus (and got rid of it) told me what he did, but none of it has worked for me so he pointed me in this direction.

Any help will be appreciated.

KCRI
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Hiya KeenanCahillRI

Proceed as follows :-

Boot into Safe mode with networking then proceed as follows :-

Step 1

Check for proxy server settings in your browser, the following are the most common used.

Internet Explorer:
Tools Menu -> Internet Options -> Connections Tab -> LAN Settings -> uncheck "Use a proxy server" and check "Automatically detect settings". OK, Apply (only if applicable), OK.

Firefox:
Tools Menu -> Options... -> Advanced Tab -> Network Tab -> "Settings" under Connection. "No Proxy" should be selected, unless you have one set up yourself.

Chrome:
Select -> Tools menu -> then "Options", then go to "Change Proxy Settings", then "LAN Settings", then take out the check mark for "Use a proxy server for your LAN" if set, unless you set this up yourself.

Safari:
  • Launch Safari
  • Go to general settings menu
  • Then in Preferences/ Advanced
  • Then on line click Proxies change settings ...
  • Click Internet Options, then click the Connections tab, click Network Settings.
  • Disable option (uncheck) for the use of proxy server ...

Step 2

Please download Rkill and save to your Desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If not, delete the file, then download and use Link 1 from the following list and so on in sequential order until one runs successfully.
Link 1
Link 2
Link 3
Link 4
Link 5
Link 6
  • A log pops up at the end of the run. This log file is also located at C:\rkill.log. Please post this log in your reply.
  • If you get an alert from your own Security Program, accept it and allow Rkill to run, it is very safe and will not harm your system.
    If the alert is from the Infection Malware program (you'll know by the name) leave the alert open and run the same Rkill version again. You may have to run it several times, it may take up to 9 to work.
  • If the tool does not run from any of the links provided, please let me know.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

If that fix was successful boot into Normal mode, re-run Malwarebytes again as instructed above.

Post all logs in reply please,

Kevin
 
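The proxy check in Step 1, as an added example that is not part of this thread: Kevin's instructions go through the browser dialogs, and the Python script below reads the same settings from the registry key that the Internet Explorer LAN Settings dialog writes to (HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, real values ProxyEnable, ProxyServer and AutoConfigURL) and reports anything that was not set up by the user. The live read only works on Windows; the sample values are constructed for illustration, and the `expected_proxy` / `expected_pac` parameters are this example's own way of saying "unless you have one set up yourself".

```python
"""Report WinINET proxy settings that the user did not configure themselves.

Added example, not code from the thread. The registry value names are the
real ones used by Internet Explorer (and by Chrome on Windows, which reads
the same key); the sample dictionaries at the bottom are constructed.
"""
import sys

PROXY_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
PROXY_VALUES = ("ProxyEnable", "ProxyServer", "AutoConfigURL")


def read_windows_proxy_settings():
    """Read the live values on Windows; return {} on any other platform."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows

    found = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, PROXY_KEY) as key:
        for name in PROXY_VALUES:
            try:
                found[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent means "not set"
    return found


def assess_proxy_settings(values, expected_proxy=None, expected_pac=None):
    """Return a list of findings; an empty list means "No Proxy", as asked above.

    expected_proxy / expected_pac are whatever the user knowingly configured
    (assumed parameters of this example), so a matching value is not a finding.
    """
    findings = []
    enabled = int(values.get("ProxyEnable", 0)) == 1
    server = values.get("ProxyServer", "")
    pac = values.get("AutoConfigURL", "")

    if enabled and server and server != expected_proxy:
        note = "manual proxy enabled but not configured by you: %s" % server
        if server.startswith(("127.", "localhost")):
            # A loopback proxy means a program on this machine sits between
            # the browser and the network; worth a second look.
            note += " (loopback proxy: a local program is relaying browser traffic)"
        findings.append(note)

    if pac and pac != expected_pac:
        findings.append("PAC script (AutoConfigURL) set but not configured by you: %s" % pac)

    return findings


if __name__ == "__main__":
    live = read_windows_proxy_settings()
    # Constructed sample, used when not running on Windows.
    sample = live or {"ProxyEnable": 1, "ProxyServer": "127.0.0.1:8080"}
    for finding in assess_proxy_settings(sample) or ["no proxy configured"]:
        print(finding)
```

If the script reports a proxy you did not set, clearing it is the same action as the dialog steps above: uncheck "Use a proxy server" (ProxyEnable back to 0) and remove the server or PAC entry.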

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Are you running from Safe mode with networking? Did you check and reset (if required) the LAN settings in your browser?
Which links are you referring to, the ones for RKill, if none of them work try Malwarebytes from Safe mode with networking
 

KeenanCahillRI

Thread Starter
Joined
Jan 19, 2011
Messages
6
Checked all the settings, they were as you said they should be.

Then I downloaded all of the links, none worked, whenever I tried running one (as administrator as I'm on Vista) the laptop'd go onto a blue screen, telling me it's shutting down 'cause it's detected a problem, or something along those lines.

I've got Malwarebytes on my comp already, do a scan, but it finds nothing...

:(
 

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Hiya KCRI,

In steps 1 and 2, download the tools on a clean PC and save to a USB stick or CD then transfer to the Desktop of the infected system.

Step 1
  • Please download exeHelper to your desktop.
  • Double-click on exeHelper.com to run the fix. Vista or Windows 7 users right click and select “Run as Administrator”
  • A black window should pop up, press any key to close once the fix is completed.
  • Post the contents of exehelperlog.txt (Will be created in the directory where you ran exeHelper.com, and should open at the end of the scan)
Note: If the window shows a message that says "Error deleting file", please re-run the program before posting a log - and post the two logs together (they will both be in the one file).

Step 2

Please download Rkill and save to your Desktop.
  • Double-click on the Rkill desktop icon to run the tool.
  • If using Vista or Windows 7 right-click on it and Run As Administrator.
  • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
  • If you get an alert from HDD that RKill is a threat, leave that alert open and re-run RKill again.

Do not re-boot your system after steps 1 or 2.

Step 3

Please download Malwarebytes Anti-Malware and save it to your desktop.
Alternative D/L mirror
Alternative D/L mirror

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • Please save the log to a location you will remember.
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply.

Extra Note:

If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post logs in reply if applicable...

Kevin
 

KeenanCahillRI

Thread Starter
Joined
Jan 19, 2011
Messages
6
Just ran malwarebytes and it found an infection, here's (what I think is) the log, that you asked for

Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5591
Windows 6.0.6000
Internet Explorer 7.0.6000.16982
24/01/2011 21:46:50
mbam-log-2011-01-24 (21-46-28).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 237971
Time elapsed: 1 hour(s), 17 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Username\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
 
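The log above follows a fixed text layout, and two things in it are worth checking mechanically before moving on: the file was left at "No action taken" (the earlier steps said to check everything and click Remove Selected), and the detection name Heuristics.Reserved.Word.Exploit points at a file called WiNlOgOn.exe sitting on the Desktop, the name of a core Windows binary outside the Windows directory. As an added example (not code from the thread or from Malwarebytes), the Python below parses the MBAM 1.x log format as inferred from this posted log, cross-checks the summary counts against the listed items, and flags the two issues. The sample text is the log posted above; the list of reserved names and legitimate directories is this example's own assumption.

```python
"""Parse a Malwarebytes' Anti-Malware 1.x text log and list what still needs action.

Added example; not code from the thread or from Malwarebytes. Format assumed
from the posted log: "Key: value" header lines, seven "<Section> Infected: N"
summary counts, then the same seven section headers followed by either
"(No malicious items detected)" or lines "<path> (<detection>) -> <action>."
"""
import ntpath
import re

SECTIONS = ("Memory Processes", "Memory Modules", "Registry Keys",
            "Registry Values", "Registry Data Items", "Folders", "Files")
SECTION_RE = re.compile(r"^(%s) Infected:\s*(\d+)?$" % "|".join(SECTIONS))
DETECTION_RE = re.compile(r"^(?P<path>.+?) \((?P<name>[^()]+)\) -> (?P<action>.+?)\.?$")
NO_ITEMS = "(No malicious items detected)"

# Names of core Windows processes (this example's own list) and the only
# directories, drive letter stripped, where they are expected to live.
RESERVED_NAMES = {"winlogon.exe", "csrss.exe", "smss.exe", "lsass.exe",
                  "services.exe", "svchost.exe", "wininit.exe", "explorer.exe"}
LEGIT_DIRS = {r"\windows", r"\windows\system32", r"\windows\syswow64"}

# Sample input: the log posted in this thread (Username is the poster's own placeholder).
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 5591
Windows 6.0.6000
Internet Explorer 7.0.6000.16982
24/01/2011 21:46:50
mbam-log-2011-01-24 (21-46-28).txt
Scan type: Full scan (C:\|D:\|)
Objects scanned: 237971
Time elapsed: 1 hour(s), 17 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
c:\Users\Username\Desktop\WiNlOgOn.exe (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""


def parse_mbam_log(text):
    """Return {"header": {...}, "counts": {section: int}, "sections": {section: [detections]}}."""
    report = {"header": {}, "counts": {}, "sections": {s: [] for s in SECTIONS}}
    current = None  # section whose detection lines we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, count = m.groups()
            if count is not None:
                report["counts"][section] = int(count)   # summary line
            else:
                current = section                         # section header
            continue
        if current is None:
            if line.startswith("Malwarebytes' Anti-Malware "):
                report["header"]["Version"] = line.split(" ", 2)[2]
            else:
                key, sep, value = line.partition(": ")
                if sep:
                    report["header"][key] = value
            continue
        if line == NO_ITEMS:
            continue
        d = DETECTION_RE.match(line)
        if d:
            report["sections"][current].append(d.groupdict())
    return report


def flag_reserved_name_abuse(path):
    """True if the file name imitates a core Windows binary but sits outside the Windows directory."""
    if ntpath.basename(path).lower() not in RESERVED_NAMES:
        return False
    _, parent = ntpath.splitdrive(ntpath.dirname(path).lower())
    return parent not in LEGIT_DIRS


def review(report):
    """List the points a helper would raise before the next step."""
    issues = []
    for section, items in report["sections"].items():
        expected = report["counts"].get(section)
        if expected is not None and expected != len(items):
            issues.append("%s: summary says %d, log lists %d" % (section, expected, len(items)))
        for item in items:
            if item["action"].lower() == "no action taken":
                issues.append("not removed: %s" % item["path"])
            if section == "Files" and flag_reserved_name_abuse(item["path"]):
                issues.append("system-binary name outside the Windows directory: %s" % item["path"])
    return issues


if __name__ == "__main__":
    for issue in review(parse_mbam_log(SAMPLE_LOG)):
        print(issue)
```

The name check is deliberately case-insensitive: mixed-case spellings such as WiNlOgOn.exe are exactly what the Heuristics.Reserved.Word detection is reacting to, and a case-sensitive comparison would miss them.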

kevinf80

Kevin
Malware Specialist
Joined
Mar 21, 2006
Messages
11,467
Your version of Malwarebytes has been updated and is current, it also ran without incident so let's give Combofix a try.

Please visit this webpage for download links, and instructions for running the tool:

Combofix

Don't forget Combofix must be saved to your desktop. <--Very important, do not run it from anywhere else

Before saving Combofix to your Desktop rename it to Gotcha.exe as below:



Ensure you have disabled your Firewall and all anti virus and anti malware programs so they do not interfere with the running of ComboFix. <---Very important

Please include the C:\ComboFix.txt in your next reply for further review.

Examples of how to disable realtime protection available at the following link :-

Disable realtime protection

Note: Do not click combofix's window with your mouse while it's running. That action may cause it to stall.

*EXTRA NOTES*
  • If Combofix detects any Rootkit/Bootkit activity on your system it will give a warning and prompt for a reboot, you must allow it to do so.
  • If Combofix reboots due to a rootkit, the screen may stay black for several minutes on reboot, this is normal
  • If after running Combofix you receive any type of warning message about registry keys being listed for deletion when trying to open certain items, reboot the system and this will fix the issue (Those items will not be deleted)

Post the log in your reply

Kevin
 