Help! I think I need a safe removal tool for “security tool”. Avast didn’t pick up anything but I keep being told I have a virus. Please hurry.
If you haven’t already got this software (freeware), download, install, update and run it and report the findings (it should produce a log file).
1. MalwareBytes Anti-Malware, On-Demand only in free version: http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As, depending on your browser), save it to a location where you can find it easily later.
2. SUPERantispyware, On-Demand only in free version.
Don’t worry about reported tracking cookies, they are a minor issue and not one of security; allow SAS to deal with them though. See http://en.wikipedia.org/wiki/HTTP_cookie.
Thank you David. I have downloaded and am running the malware link you gave me although I am still getting the warnings. Is this fairly easy to get rid of?
Okay… Phheeew! I have completed a smart scan and rebooted the computer and the warnings have gone. Just to make sure I am now doing a more thorough scan. Is this something that is easy to get rid of? Also, I had Ad-Aware on my computer all along. Should I uninstall one of these malware programs? Thanks
Post the content of the MBAM log file as requested so we can see what was found as that may indicate other actions need to be taken.
Post the content of the SAS log (less the cookie stuff) for the same reason.
I didn’t download the SUPERantispyware link you gave me (I thought you were suggesting either 1 or 2, not both). Do you still think I should do this step… if so, what is it for? Thanks
okay here is one file:
Malwarebytes’ Anti-Malware 1.44
Database version: 3772
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882
21/02/2010 10:06:20 PM
mbam-log-2010-02-21 (22-06-20).txt
Scan type: Quick Scan
Objects scanned: 104400
Time elapsed: 7 minute(s), 23 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 1
Folders Infected: 1
Files Infected: 3
Memory Processes Infected:
C:\ProgramData\83739535\83739535.exe (Rogue.Security.Tool) → Unloaded process successfully.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83739535 (Trojan.FakeAlert.H) → Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0) → Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\83739535 (Rogue.Multiple) → Quarantined and deleted successfully.
Files Infected:
C:\ProgramData\83739535\83739535.exe (Trojan.FakeAlert.H) → Quarantined and deleted successfully.
C:\Users\Gail\Desktop\Security Tool.LNK (Rogue.SecurityTool) → Quarantined and deleted successfully.
C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) → Quarantined and deleted successfully.
here is the other:
Malwarebytes’ Anti-Malware 1.44
Database version: 3772
Windows 6.0.6001 Service Pack 1
Internet Explorer 8.0.6001.18882
21/02/2010 10:55:06 PM
mbam-log-2010-02-21 (22-55-06).txt
Scan type: Full Scan (C:|D:|)
Objects scanned: 139820
Time elapsed: 40 minute(s), 2 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
Yes, SAS too is a free on-demand scanner, have you not looked at my signature (though I have the paid version of SAS) ;D
OK the MBAM log looks to have cleaned this up and no other action I can see is needed, though I would still do an SAS scan.
This detection by MBAM is one that can legitimately be set by the user:
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0)
Some people might want that, not to change or have active desktop settings. If you can’t recall making any such changes then it is probably OK.
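Added example, not part of the original thread: a small Python triage pass over a Malwarebytes-style detail log like the one posted above. It separates the autostart (Run value) entry from the policy value that may have been set legitimately, and links the Run value name to the dropped folder and executable. The function names and the three category labels are assumptions of this example, not Malwarebytes terminology.

```python
import re

# Constructed sample: lines taken from the quick-scan log posted in this thread,
# with the arrow written as ASCII "->".
SAMPLE_LOG = r"""Memory Processes Infected:
C:\ProgramData\83739535\83739535.exe (Rogue.Security.Tool) -> Unloaded process successfully.
Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\83739535 (Trojan.FakeAlert.H) -> Quarantined and deleted successfully.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
Folders Infected:
C:\ProgramData\83739535 (Rogue.Multiple) -> Quarantined and deleted successfully.
Files Infected:
C:\Users\Gail\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
"""

HEADER = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")
ITEM = re.compile(r"^(?P<target>.+?) \((?P<name>[\w./-]+)\) (?:->|→) (?P<action>.+)$")

def triage(log_text):
    """Parse detail lines and tag each as persistence, policy or artifact."""
    entries, section = [], None
    for line in map(str.strip, log_text.splitlines()):
        header = HEADER.match(line)
        if header:
            section = header.group("section")
            continue
        item = ITEM.match(line)
        if not item or section is None:
            continue  # summary counts and "(No malicious items detected)"
        low = item.group("target").lower()
        if "\\currentversion\\run\\" in low:
            kind = "persistence"   # autostart value: how the rogue relaunches
        elif "\\policies\\" in low:
            kind = "policy"        # can be a legitimate user setting, review it
        else:
            kind = "artifact"
        entries.append({"section": section, "kind": kind, **item.groupdict()})
    return entries

def payload_links(entries):
    """Paths containing the name of a flagged Run value (autostart -> payload)."""
    names = {e["target"].rsplit("\\", 1)[1].lower()
             for e in entries if e["kind"] == "persistence"}
    return sorted({e["target"] for e in entries if e["kind"] == "artifact"
                   and any(n in e["target"].lower() for n in names)})

if __name__ == "__main__":
    parsed = triage(SAMPLE_LOG)
    for entry in parsed:
        print(entry["kind"], entry["name"], entry["target"], sep=" | ")
    print(payload_links(parsed))
```
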
I have no idea what you are saying about the active desktop settings so, trust me, I didn’t make any such changes.
Any idea how long this superscan is going to take… I’m 12 minutes into it now and it has found:
3 adware tracking cookies
4 common name toolbar /browser help objects
1 Trojan.Agent/Gen
(sounds like a recipe for something)
what, of these, would you like to see the details on?
as requested here is the log from the SAS:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 02/22/2010 at 00:10 AM
Application Version : 4.34.1000
Core Rules Database Version : 4605
Trace Rules Database Version: 2417
Scan type : Quick Scan
Total Scan Time : 00:50:53
Memory items scanned : 700
Memory threats detected : 0
Registry items scanned : 484
Registry threats detected : 5
File items scanned : 28385
File threats detected : 3
Adware.Tracking Cookie
C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Cookies\gail@doubleclick[2].txt
C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Cookies\gail@atdmt[1].txt
C:\Users\Gail\AppData\Roaming\Microsoft\Windows\Cookies\gail@ad.yieldmanager[2].txt
CommonName Toolbar/Browser Helper Object
HKCR\CLSID{00000000-0000-0000-0000-000000000000}
HKCR\CLSID{00000000-0000-0000-0000-000000000000}\Implemented Categories
HKCR\CLSID{00000000-0000-0000-0000-000000000000}\Implemented Categories{7DD95801-9882-11CF-9FA9-00AA006C42C4}
HKCR\CLSID{00000000-0000-0000-0000-000000000000}\Implemented Categories{7DD95802-9882-11CF-9FA9-00AA006C42C4}
Trojan.Agent/Gen
HKU\S-1-5-21-3694360128-1905243825-1870929668-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#284961391
One last thing… should I uninstall any of these spyware/malware programs? I have Ad-Aware plus the two I just downloaded.
Thanks David so much for helping me. I will sleep easier now.
The detections look fine, allow it to deal with them.
Leave them installed and periodically run scans, update just before scanning.
On Vista or Windows 7 systems:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) → Bad: (1) Good: (0)
It can be placed in Malwarebytes Ignore to prevent it appearing each scan.
I don’t use Ad-Aware anymore as it has not kept up with the times.
quick (perhaps dumb) question to anyone…
why didn’t Avast pick up this “security tool” nuisance and/or why did it get past my windows firewall?
still hoping someone - anyone - can respond to my last question thanks
In a perfect world security programs would have 100% detection, and if they did the virus problem would be gone.
Funny, that doesn’t make me feel overly confident about Avast, Pondus. It leaves me wondering if other security programs would have picked it up. My reason for using Avast in the past is that I have come to trust it (the forum help is fantastic too); not the fact that it’s free. I have recommended this program to people who are even less computer savvy than I am (God help 'em) so I have to wonder how they would handle that particular virus - probably by paying the fee the “security tool” gimmick was asking for the phoney security.
“Pondus. It leaves me wondering if other security programs would have picked it up.”
Other security programs may have detected it, but that other security program may miss something that avast detects. You just don’t know who will detect the next bug you meet... Recommended: use avast and MBAM Pro, a one-time fee for a lifetime license. Then you get the protection module. Speciality: detecting and removing rogue programs. www.malwarebytes.org
And maybe avast is detecting it after the latest update today…?
Hi Student,
Another problem here is that malcreants have made a study of what unaware users would click for and so the social engineering bit has been taken to quite some level. There also is to be a lot of education left as to explain what users should click and to what not, the sad thing is most users download and install these rogues and fake malicious tools all by themselves out of sheer ignorance. This is big business and cybercrime and co is spreading all over the Internet with trusted reputable sites infected at an alarming rate. The best policy to tackle the problem you speak about is to have one resident av solution and some other non-resident programs like MBAM and SAS for instance to close the vulnerability window that is getting shorter and shorter between 0-day exploit and spreading the malcode in the wild and finding a reply from anti-malware software. Also we have to explain these issues in clear and simple wording so that users do not shy off and imply the appropriate measures to enjoy their Internet experience unhindered from malcode all sorts,
polonus
Thanks Polonus. Hopefully I will regain some of the trust I had in Avast. I understand that Avast cannot be 100% effective but it is disappointing when you discover its weakness first hand, especially since I would describe myself as a very cautious Internet surfer - certainly not one to take unnecessary risk. Fortunately, I updated SAS and did another scan since the infection and all is clear.
A question…since installing MBAM & SAS, I find that it takes considerably longer for my computer to start. The blue screen with “please wait” stays on much longer. I’m using Vista. Any idea why?