Security Tool - major problems

  1. #1
    Join Date
    Nov 2001
    Location
    Australia
    Posts
    410

    Security Tool - major problems

    Happily working on my computer when a Security Tool Warning appeared. Now I can't get rid of it, tried everything. Checked out your previous posts regarding security tool but can't get anything to open. If I go into help and support for example the window appears for a second then closes down again. If I try system restore and click on restore, the same thing happens. A window appears and then fades out.

    I use Windows Security Essentials for my virus checking but it hasn't found anything.
    I run Windows 7 upgraded from Vista.
    I use a Toshiba Portege A600 notebook.

    Any suggestions please - looks like I will be formatting a computer over the holiday rather than looking for Easter bunnies!!
    - Tilly

    Sony Vaio Notebook and LG TabBook
    Network via Belkin Modem Router
    Microsoft Defender
    Windows 8


    My first computer was a Sinclair SL in 1985.

  2. #2
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please, start with following these steps: http://www.bleepingcomputer.com/viru...-security-tool

  3. #3
    Join Date
    Nov 2001
    Location
    Australia
    Posts
    410
    Thanks Broni, but unable to register with this site, http://www.bleepingcomputer.com/viru...-security-tool, says I am already registered etc. I am using my other computer at the moment, but looks like we have a major problem here. Have you any other suggestions please?
    Thanks
    - Tilly

  4. #4
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Download the following two programs to your desktop, but DO NOT run them yet.

    1. Malwarebytes: http://download.bleepingcomputer.com...mbam-setup.exe

    2. Please download and run the below tool named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 4 different versions. If one of them won't run then download and try to run the other one.

    Vista and Win7 users need to right-click Rkill and choose Run as Administrator.

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.

    * Rkill.com
    * Rkill.scr
    * Rkill.pif
    * Rkill.exe

    * Double-click on the Rkill desktop icon to run the tool.
    * If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    * A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    * If not, delete the file, then download and use the one provided in Link 2.
    * If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    * Do not reboot until instructed.
    * If the tool does not run from any of the links provided, please let me know.


    Now....
    Click on the Start button and type %UserProfile%\desktop in the Search field at the bottom of the start menu. Then press Enter on your keyboard.

    Now, you should be able to see your desktop.
    Run rKill now.

    When done, run Malwarebytes immediately.

  5. #5
    Join Date
    Nov 2001
    Location
    Australia
    Posts
    410
    Broni - have downloaded Malwarebytes and tried all four Rkill links - saw the black box but each one said that it was trying to get my credit card details! None work unfortunately.

    Thanks
    - Tilly

  6. #6
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Please download ComboFix from Here or Here and rename combofix.exe to broni.com BEFORE saving it to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    1. Close any open browsers.
    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
      • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      • Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      NOTE1. If Combofix asks you to install Recovery Console, please allow it.
      NOTE 2. If Combofix asks you to update the program, always do so.
      • Close any open browsers.
      • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
      • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
      • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
    3. Double click on broni.com & follow the prompts.
    4. When finished, it will produce a report for you.
    5. Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

    Make sure you re-enable your security programs when you're done with Combofix.

    DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!

  7. #7
    Join Date
    Nov 2001
    Location
    Australia
    Posts
    410
    Thanks Broni - just got as far as renaming the file to broni.com and got a blue screen. I think it may be best to format as obviously this program has really infected the computer and I don't want to leave any traces of it to infect my networked computers.
    Do you have any idea as to why I got this program? I was looking for a recipe for bread on Google when I was hit.

    Thanks again
    Tilly
    - Tilly

  8. #8
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    Let's see if we can look at your computer by booting from an external source.

    You will need a USB flash drive to move information from the bad computer to a working computer.

    You need to download two programs.

    First

    ISO Burner: this will allow you to burn the REATOGO-X-PE ISO to a CD and make it bootable. Just install the program; from there on it's fairly automatic (Instructions)

    Second

    • Download OTLPE.iso and burn to a CD using ISO Burner. NOTE: This file is 270.3 MB in size so it may take some time to download.
    • When downloaded double click and this will then open ISOBurner to burn the file to CD
    • Reboot your system (Non working computer) using the boot CD you just created.

      • Note. If you do not know how to set your computer to boot from CD follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box Automatically Load All Remaining Users is checked and press OK
    • OTL should now start. Change the following settings:
      • Change Drivers to All
      • Change Registry to All
      • Under Custom Scan box paste this in:

        netsvcs
        %SYSTEMDRIVE%\*.exe
        /md5start
        eventlog.dll
        scecli.dll
        netlogon.dll
        cngaudit.dll
        sceclt.dll
        ntelogon.dll
        logevent.dll
        iaStor.sys
        nvstor.sys
        atapi.sys
        IdeChnDr.sys
        viasraid.sys
        AGP440.sys
        vaxscsi.sys
        nvatabus.sys
        viamraid.sys
        nvata.sys
        nvgts.sys
        iastorv.sys
        ViPrt.sys
        eNetHook.dll
        ahcix86.sys
        KR10N.sys
        nvstor32.sys
        ahcix86s.sys
        nvrd32.sys
        symmpi.sys
        adp3132.sys
        mv61xx.sys
        userinit.exe
        explorer.exe
        /md5stop
        %systemroot%\*. /mp /s
        %systemroot%\system32\*.dll /lockedfiles
        %systemroot%\Tasks\*.job /lockedfiles
        %systemroot%\system32\drivers\*.sys /lockedfiles
        %systemroot%\System32\config\*.sav
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive.
    • Please post the contents of the C:\OTL.txt file in your reply.
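
The /md5start ... /md5stop block in the custom scan above, as an added example that is not part of the original post or of OTL: it assumes the block is there to report an MD5 for every copy of the named files on the offline volume so that copies can be compared. The function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile
from collections import defaultdict

# Constructed sample: a few lines taken from the custom scan in the post above.
SCRIPT = r"""netsvcs
/md5start
userinit.exe
explorer.exe
/md5stop
%systemroot%\system32\*.dll /lockedfiles"""

def parse_md5_block(script):
    """Return the file names listed between /md5start and /md5stop."""
    names, inside = [], False
    for token in (line.strip().lower() for line in script.splitlines()):
        if token in ("/md5start", "/md5stop"):
            inside = token == "/md5start"
        elif inside and token:
            names.append(token)
    return names

def hash_copies(root, names):
    """Walk root and return {name: {md5: [paths]}} for every copy found."""
    wanted, found = set(names), defaultdict(lambda: defaultdict(list))
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in wanted:  # Windows names are case-insensitive
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                digest = hashlib.md5(fh.read()).hexdigest()
            found[name.lower()][digest].append(path)
    return found

def mismatched(found):
    """Names whose copies do not all share one hash (worth a closer look)."""
    return sorted(n for n, by_hash in found.items() if len(by_hash) > 1)

def demo():
    # Constructed tree standing in for the mounted drive of the bad computer.
    sample = {"system32/userinit.exe": b"A", "system32/dllcache/userinit.exe": b"A",
              "explorer.exe": b"B", "system32/dllcache/Explorer.EXE": b"C"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in sample.items():
            path = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)
        return mismatched(hash_copies(root, parse_md5_block(SCRIPT)))
```

Differing hashes are a lead to check, not a verdict, since legitimately different versions of a system file can coexist on one volume.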

  9. #9
    Join Date
    Nov 2001
    Location
    Australia
    Posts
    410
    Thanks Broni, up to my eyes in grandkids and chocolate today, hope to send you details tomorrow.

    Tilly
    - Tilly

  10. #10
    Join Date
    Dec 2007
    Location
    Daly City, CA
    Posts
    22,550
    No problem
    Enjoy
