TechSpot

Critical Security Error

By zeropro11
Oct 29, 2011
  1. I opened my laptop (Win 7) and all the desktop programs are missing. There are no files in C: and Start Menu. This program called System Restore opened up and started to scan my program. In the notification tray this message pops up saying "critical error".

    I tried to download MWByte but it can't be installed. This message "Access is Denied" is displayed every time I try to install.

    I don't know what to do. Any help will be appreciated!

    Edit to add text from duplicate thread which has been deleted:
    Please keep all logs and information for this problem on this thread.
  2. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    Welcome to TechSpot! There are some malware programs active now that 'hide'
    files, icons, programs, etc. They are not gone. They display popups like "Critical Security Error" in order to try and get you to click on their scareware to fix the problem- which doesn't actually exist!

    If you aren't able to download directly to the infected computer, you can download them to a flash drive, then install them on that system.

    I'm going to have you run a program that should restore at least some of what is 'missing.' NOTE: this does not remove the malware itself, only the attribute that is hiding the files. So it is important that you continue on with the cleaning:

    Download Unhide.exe and save to the desktop.
    • Double-click on Unhide.exe icon to run the program.
    • This program will remove the +H, or hidden, attribute from all the files on your hard drives.
    ==============================================
    This bothers me: "This program called System Restore opened......."
    First, because you don't realize that System Restore is a legitimate part of the Windows operating system and second, it is not 'normal' for this feature to 'popup' as you describe.

    So we will, for now, consider it to be a part of the malware. The function System Restore can be set to begin on the next boot, but you would be the one to set it. Since you are not, it's more reason to think it's from the malware.
    =========================================
    I have to see what's running on the system, so try to run the following and leave the logs. Use the flash drive to download if you need to. If you encounter any problem, please let me know.

    Please follow the steps in the Preliminary Virus and Malware Removal thread HERE.

    NOTE: If you already have any of the scanning programs on the computer, please remove them and download the versions in these links.

    When you have finished, leave the logs for review in your next reply.
    NOTE: Logs must be pasted in the replies. Attached logs will not be reviewed.
    ==================================
    My Guidelines: please read and follow:
    • Be patient. Malware cleaning takes time and I am also working with other members while I am helping you.
    • Read my instructions carefully. If you don't understand or have a problem, ask me.
    • If you have questions, or if a program doesn't work, stop and tell me about it. Don't try to get around it yourself.
    • Follow the order of the tasks I give you. Order is crucial in cleaning process.
    • File sharing programs should be uninstalled or disabled during the cleaning process.
    • Observe these:
      [o] Don't use any other cleaning programs or scans while I'm helping you.
      [o] Don't use a Registry cleaner or make any changes in the Registry.
      [o] Don't download and install new programs- except those I give you.
    • Please let me know if there is any change in the system.

    If I don't get a reply from you in 5 days, the thread will be closed. If your problem persists, you can send a PM to reopen it.
    =====================================
  3. zeropro11

    zeropro11 TS Rookie Topic Starter

    Unhide.exe worked, but when I restarted the laptop again after the Avira scan, the files disappeared again. Here is the log from Avira:

    Avira Free Antivirus
    Report file date: Sunday, October 30, 2011 13:56

    Scanning for 3461452 virus strains and unwanted programs.

    The program is running as an unrestricted full version.
    Online services are available:

    Licensee : Avira AntiVir Personal - Free Antivirus
    Serial number : 0000149996-ADJIE-0000001
    Platform : Windows 7
    Windows version : (Service Pack 1) [6.1.7601]
    Boot mode : Normally booted
    Username : Administrator
    Computer name : MUSTAFA-PC

    Version information:
    BUILD.DAT : 12.0.0.861 41826 Bytes 10/19/2011 19:24:00
    AVSCAN.EXE : 12.1.0.18 490448 Bytes 10/19/2011 20:56:25
    AVSCAN.DLL : 12.1.0.17 54224 Bytes 10/19/2011 20:56:46
    LUKE.DLL : 12.1.0.17 68304 Bytes 10/19/2011 20:56:34
    AVSCPLR.DLL : 12.1.0.19 99536 Bytes 10/19/2011 20:56:25
    AVREG.DLL : 12.1.0.22 226512 Bytes 10/19/2011 20:56:24
    VBASE000.VDF : 7.10.0.0 19875328 Bytes 11/6/2009 00:18:34
    VBASE001.VDF : 7.11.0.0 13342208 Bytes 12/14/2010 15:07:39
    VBASE002.VDF : 7.11.3.0 1950720 Bytes 2/9/2011 21:08:51
    VBASE003.VDF : 7.11.5.225 1980416 Bytes 4/7/2011 16:00:55
    VBASE004.VDF : 7.11.8.178 2354176 Bytes 5/31/2011 16:18:22
    VBASE005.VDF : 7.11.10.251 1788416 Bytes 7/7/2011 18:12:53
    VBASE006.VDF : 7.11.13.60 6411776 Bytes 8/16/2011 13:26:09
    VBASE007.VDF : 7.11.15.106 2389504 Bytes 10/5/2011 20:56:40
    VBASE008.VDF : 7.11.15.107 2048 Bytes 10/5/2011 20:56:40
    VBASE009.VDF : 7.11.15.108 2048 Bytes 10/5/2011 20:56:40
    VBASE010.VDF : 7.11.15.109 2048 Bytes 10/5/2011 20:56:40
    VBASE011.VDF : 7.11.15.110 2048 Bytes 10/5/2011 20:56:40
    VBASE012.VDF : 7.11.15.111 2048 Bytes 10/5/2011 20:56:40
    VBASE013.VDF : 7.11.15.144 161792 Bytes 10/7/2011 20:56:40
    VBASE014.VDF : 7.11.15.177 130048 Bytes 10/10/2011 20:56:41
    VBASE015.VDF : 7.11.15.213 113664 Bytes 10/11/2011 20:56:41
    VBASE016.VDF : 7.11.16.1 163328 Bytes 10/14/2011 20:56:41
    VBASE017.VDF : 7.11.16.34 187904 Bytes 10/18/2011 20:56:41
    VBASE018.VDF : 7.11.16.77 139264 Bytes 10/20/2011 17:27:25
    VBASE019.VDF : 7.11.16.112 162816 Bytes 10/24/2011 17:27:25
    VBASE020.VDF : 7.11.16.150 167424 Bytes 10/26/2011 17:27:26
    VBASE021.VDF : 7.11.16.187 171520 Bytes 10/28/2011 17:27:26
    VBASE022.VDF : 7.11.16.188 2048 Bytes 10/28/2011 17:27:26
    VBASE023.VDF : 7.11.16.189 2048 Bytes 10/28/2011 17:27:27
    VBASE024.VDF : 7.11.16.190 2048 Bytes 10/28/2011 17:27:27
    VBASE025.VDF : 7.11.16.191 2048 Bytes 10/28/2011 17:27:27
    VBASE026.VDF : 7.11.16.192 2048 Bytes 10/28/2011 17:27:27
    VBASE027.VDF : 7.11.16.193 2048 Bytes 10/28/2011 17:27:27
    VBASE028.VDF : 7.11.16.194 2048 Bytes 10/28/2011 17:27:28
    VBASE029.VDF : 7.11.16.195 2048 Bytes 10/28/2011 17:27:28
    VBASE030.VDF : 7.11.16.196 2048 Bytes 10/28/2011 17:27:28
    VBASE031.VDF : 7.11.16.202 175616 Bytes 10/30/2011 17:27:28
    Engineversion : 8.2.6.100
    AEVDF.DLL : 8.1.2.2 106868 Bytes 10/30/2011 17:27:35
    AESCRIPT.DLL : 8.1.3.84 467324 Bytes 10/30/2011 17:27:35
    AESCN.DLL : 8.1.7.2 127349 Bytes 9/2/2011 03:46:02
    AESBX.DLL : 8.2.1.34 323957 Bytes 9/2/2011 03:46:02
    AERDL.DLL : 8.1.9.15 639348 Bytes 9/9/2011 03:16:06
    AEPACK.DLL : 8.2.13.3 684407 Bytes 10/30/2011 17:27:34
    AEOFFICE.DLL : 8.1.2.18 201084 Bytes 10/30/2011 17:27:33
    AEHEUR.DLL : 8.1.2.186 3789177 Bytes 10/30/2011 17:27:33
    AEHELP.DLL : 8.1.18.0 254327 Bytes 10/30/2011 17:27:30
    AEGEN.DLL : 8.1.5.11 401781 Bytes 10/30/2011 17:27:29
    AEEMU.DLL : 8.1.3.0 393589 Bytes 9/2/2011 03:46:01
    AECORE.DLL : 8.1.24.0 196983 Bytes 10/30/2011 17:27:29
    AEBB.DLL : 8.1.1.0 53618 Bytes 9/2/2011 03:46:01
    AVWINLL.DLL : 12.1.0.17 27344 Bytes 10/19/2011 20:56:27
    AVPREF.DLL : 12.1.0.17 51920 Bytes 10/19/2011 20:56:24
    AVREP.DLL : 12.1.0.17 179408 Bytes 10/19/2011 20:56:24
    AVARKT.DLL : 12.1.0.17 223184 Bytes 10/19/2011 20:56:22
    AVEVTLOG.DLL : 12.1.0.17 169168 Bytes 10/19/2011 20:56:23
    SQLITE3.DLL : 3.7.0.0 398288 Bytes 10/19/2011 20:56:38
    AVSMTP.DLL : 12.1.0.17 62928 Bytes 10/19/2011 20:56:25
    NETNT.DLL : 12.1.0.17 17104 Bytes 10/19/2011 20:56:34
    RCIMAGE.DLL : 12.1.0.17 4450000 Bytes 10/19/2011 20:56:49
    RCTEXT.DLL : 12.1.0.16 96208 Bytes 10/19/2011 20:56:49

    Configuration settings for the scan:
    Jobname.............................: Local Drives
    Configuration file..................: C:\Program Files\Avira\AntiVir Desktop\alldrives.avp
    Logging.............................: default
    Primary action......................: interactive
    Secondary action....................: ignore
    Scan master boot sector.............: on
    Scan boot sector....................: on
    Boot sectors........................: C:, D:,
    Process scan........................: on
    Scan registry.......................: on
    Search for rootkits.................: off
    Integrity checking of system files..: off
    Scan all files......................: Intelligent file selection
    Scan archives.......................: on
    Recursion depth.....................: 20
    Smart extensions....................: on
    Macro heuristic.....................: on
    File heuristic......................: extended

    Start of the scan: Sunday, October 30, 2011 13:56

    Starting master boot sector scan:
    Master boot sector HD0
    [INFO] No virus was found!

    Start scanning boot sectors:
    Boot sector 'C:\'
    [INFO] No virus was found!

    The scan of running processes will be started
    Scan process 'avscan.exe' - '1' Module(s) have been scanned
    Scan process 'SearchFilterHost.exe' - '1' Module(s) have been scanned
    Scan process 'SearchProtocolHost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'avcenter.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'sppsvc.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'iexplore.exe' - '1' Module(s) have been scanned
    Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'wmpnetwk.exe' - '1' Module(s) have been scanned
    Scan process 'SearchProtocolHost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'SearchIndexer.exe' - '1' Module(s) have been scanned
    Scan process 'iPodService.exe' - '1' Module(s) have been scanned
    Scan process 'conhost.exe' - '1' Module(s) have been scanned
    Scan process 'attrib.exe' - '1' Module(s) have been scanned
    Scan process 'YahooAUService.exe' - '1' Module(s) have been scanned
    Scan process 'WLIDSvcM.exe' - '1' Module(s) have been scanned
    Scan process '1kAlMiG2Kb7FzP.exe' - '1' Module(s) have been scanned
    Scan process 'conhost.exe' - '1' Module(s) have been scanned
    Scan process 'avshadow.exe' - '1' Module(s) have been scanned
    Scan process 'WLIDSVC.EXE' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'APSDaemon.exe' - '1' Module(s) have been scanned
    Scan process 'STacSV.exe' - '1' Module(s) have been scanned
    Scan process 'rpcnet.exe' - '1' Module(s) have been scanned
    Scan process 'mdm.exe' - '1' Module(s) have been scanned
    Scan process 'BookmarkDAV_client.exe' - '1' Module(s) have been scanned
    Scan process 'ApplePhotoStreams.exe' - '1' Module(s) have been scanned
    Scan process 'iCloudServices.exe' - '1' Module(s) have been scanned
    Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned
    Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
    Scan process 'avgnt.exe' - '1' Module(s) have been scanned
    Scan process 'igfxsrvc.exe' - '1' Module(s) have been scanned
    Scan process 'uEbCDYfXYYdjrgc.exe' - '1' Module(s) have been scanned
    Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned
    Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned
    Scan process 'igfxpers.exe' - '1' Module(s) have been scanned
    Scan process 'hkcmd.exe' - '1' Module(s) have been scanned
    Scan process 'igfxtray.exe' - '1' Module(s) have been scanned
    Scan process 'avguard.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'Explorer.EXE' - '1' Module(s) have been scanned
    Scan process 'Dwm.exe' - '1' Module(s) have been scanned
    Scan process 'sched.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'WUDFHost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'svchost.exe' - '1' Module(s) have been scanned
    Scan process 'winlogon.exe' - '1' Module(s) have been scanned
    Scan process 'lsm.exe' - '1' Module(s) have been scanned
    Scan process 'lsass.exe' - '1' Module(s) have been scanned
    Scan process 'services.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'wininit.exe' - '1' Module(s) have been scanned
    Scan process 'csrss.exe' - '1' Module(s) have been scanned
    Scan process 'smss.exe' - '1' Module(s) have been scanned

    Starting to scan executable files (registry).
    The registry was scanned ( '1847' files ).


    Starting the file scan:

    Begin scan in 'C:\'
    C:\Users\Administrator\AppData\Local\ExplorerPTR.dll
    [DETECTION] Is the TR/Gendal.kdv.378478 Trojan
    C:\Users\Administrator\AppData\Local\ServicePTR.dll
    [DETECTION] Is the TR/Kazy.40252.5 Trojan
    C:\Users\Administrator\AppData\Local\temp\0.5125476674260351.exe
    [DETECTION] Is the TR/Drop.Sirefef.I.144 Trojan
    C:\Users\Administrator\AppData\Local\temp\E001.tmp
    [DETECTION] Is the TR/Kazy.40099.4 Trojan
    C:\Users\Administrator\AppData\Local\temp\E28A.tmp
    [DETECTION] Is the TR/Dldr.ktj.1 Trojan
    C:\Users\Administrator\AppData\Local\temp\thpm194900426972811146.tmp
    [DETECTION] Is the TR/Tracur.FS Trojan
    C:\Users\Administrator\AppData\Local\temp\thpm2514654238943806590.tmp
    [DETECTION] Is the TR/Dldr.Tracur.AA.15 Trojan
    C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4c951dfd-33aa02ad
    [DETECTION] Is the TR/Drop.Sirefef.I.144 Trojan
    C:\Users\Administrator\Downloads\Install.exe
    [0] Archive type: NETRSRC
    --> Object
    [DETECTION] Is the TR/Dropper.Gen Trojan
    C:\Windows\System32\sysprep\cryptbase.dll
    [DETECTION] Is the TR/Dldr.ktj.1 Trojan
    Begin scan in 'D:\'
    Search path D:\ could not be opened!
    System error [21]: The device is not ready.

    Beginning disinfection:
    C:\Windows\System32\sysprep\cryptbase.dll
    [DETECTION] Is the TR/Dldr.ktj.1 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '4bec35ab.qua'.
    C:\Users\Administrator\Downloads\Install.exe
    [DETECTION] Is the TR/Dropper.Gen Trojan
    [NOTE] The file was moved to the quarantine directory under the name '537d1a00.qua'.
    C:\Users\Administrator\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\61\4c951dfd-33aa02ad
    [DETECTION] Is the TR/Drop.Sirefef.I.144 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '00e440d5.qua'.
    C:\Users\Administrator\AppData\Local\temp\thpm2514654238943806590.tmp
    [DETECTION] Is the TR/Dldr.Tracur.AA.15 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '67280f10.qua'.
    C:\Users\Administrator\AppData\Local\temp\thpm194900426972811146.tmp
    [DETECTION] Is the TR/Tracur.FS Trojan
    [NOTE] The file was moved to the quarantine directory under the name '22ac222e.qua'.
    C:\Users\Administrator\AppData\Local\temp\E28A.tmp
    [DETECTION] Is the TR/Dldr.ktj.1 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '5c4f11b9.qua'.
    C:\Users\Administrator\AppData\Local\temp\E001.tmp
    [DETECTION] Is the TR/Kazy.40099.4 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '10cf3dfd.qua'.
    C:\Users\Administrator\AppData\Local\temp\0.5125476674260351.exe
    [DETECTION] Is the TR/Drop.Sirefef.I.144 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '6ce87daf.qua'.
    C:\Users\Administrator\AppData\Local\ServicePTR.dll
    [DETECTION] Is the TR/Kazy.40252.5 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '404f531d.qua'.
    C:\Users\Administrator\AppData\Local\ExplorerPTR.dll
    [DETECTION] Is the TR/Gendal.kdv.378478 Trojan
    [NOTE] The file was moved to the quarantine directory under the name '592568b2.qua'.


    End of the scan: Sunday, October 30, 2011 14:43
    Used time: 45:18 Minute(s)

    The scan has been done completely.

    20648 Scanned directories
    416482 Files were scanned
    10 Viruses and/or unwanted programs were found
    0 Files were classified as suspicious
    0 Files were deleted
    0 Viruses and unwanted programs were repaired
    10 Files were moved to quarantine
    0 Files were renamed
    0 Files cannot be scanned
    416472 Files not concerned
    2877 Archives were scanned
    0 Warnings
    10 Notes
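    Reading a report like the one above by hand is error-prone. The following Python script is added here as an illustration and is not part of the thread or of Avira's own tooling: it parses the report's file-scan and disinfection sections, cross-checks what it found against the report's own summary counts, and lists anything that was detected but never quarantined. The embedded report is a short excerpt constructed in the same format, with the summary counts adjusted to match the excerpt.

```python
import re
from collections import Counter

# Constructed excerpt in the Avira report format (not the full log from the thread).
SAMPLE_REPORT = r"""
Starting the file scan:

Begin scan in 'C:\'
C:\Users\Administrator\AppData\Local\ExplorerPTR.dll
[DETECTION] Is the TR/Gendal.kdv.378478 Trojan
C:\Users\Administrator\Downloads\Install.exe
[0] Archive type: NETRSRC
--> Object
[DETECTION] Is the TR/Dropper.Gen Trojan
C:\Windows\System32\sysprep\cryptbase.dll
[DETECTION] Is the TR/Dldr.ktj.1 Trojan

Beginning disinfection:
C:\Windows\System32\sysprep\cryptbase.dll
[DETECTION] Is the TR/Dldr.ktj.1 Trojan
[NOTE] The file was moved to the quarantine directory under the name '4bec35ab.qua'.
C:\Users\Administrator\Downloads\Install.exe
[DETECTION] Is the TR/Dropper.Gen Trojan
[NOTE] The file was moved to the quarantine directory under the name '537d1a00.qua'.

End of the scan: Sunday, October 30, 2011 14:43

3 Viruses and/or unwanted programs were found
2 Files were moved to quarantine
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")                     # a line that is a drive path
DETECT_RE = re.compile(r"^\[DETECTION\] Is the (\S+) ")
QUAR_RE = re.compile(r"^\[NOTE\] .*quarantine directory under the name '([^']+)'")
SUMMARY_RE = re.compile(r"^(\d+) (Viruses and/or unwanted programs were found|Files were moved to quarantine)$")


def parse_avira_report(text):
    """Return detections (path -> family), quarantined files (path -> .qua name) and summary counts."""
    detections, quarantined, summary = {}, {}, {}
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Starting the file scan"):
            section = "scan"
        elif line.startswith("Beginning disinfection"):
            section = "disinfect"
        if PATH_RE.match(line):
            current = line          # archive members ("--> Object") inherit the archive's path
            continue
        m = DETECT_RE.match(line)
        if m and current and section == "scan":
            detections[current] = m.group(1)
            continue
        m = QUAR_RE.match(line)
        if m and current and section == "disinfect":
            quarantined[current] = m.group(1)
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary["found" if m.group(2).startswith("Viruses") else "quarantined"] = int(m.group(1))
    return {"detections": detections, "quarantined": quarantined, "summary": summary}


def triage(report):
    """Family counts, files detected but not quarantined, and whether our counts match the report's summary."""
    det, qua, summ = report["detections"], report["quarantined"], report["summary"]
    return {
        "families": Counter(det.values()),
        "remaining": sorted(p for p in det if p not in qua),
        "consistent": len(det) == summ.get("found") and len(qua) == summ.get("quarantined"),
    }


if __name__ == "__main__":
    print(triage(parse_avira_report(SAMPLE_REPORT)))
```

Files listed under "remaining" are the ones to follow up on, since a detection without a matching quarantine note means the file was left in place.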
  4. zeropro11

    zeropro11 TS Rookie Topic Starter

    I still can't install MalwareByte. It says "Access is Denied"
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,392   +36

    This infection is classified as a rogue anti-spyware program because it uses false security alerts and fake scan results to try and trick you into thinking that your computer is infected so that you will then purchase it. It scans then goes on to display a variety of fake security alerts and warnings that are designed to make you think your computer has a serious security problem.
    ==============================================
    Please do the following to help you run other programs:

    Boot into Safe Mode
    • Restart your computer and start pressing the F8 key on your keyboard.
    • Select the Safe Mode with Networking option when the Windows Advanced Options menu appears, using your up/down arrows to reach it and then press ENTER.

    This infection may change your Windows settings to use a proxy server that will not allow you to browse any pages on the Internet with Internet Explorer or update security software, so we will first need to fix this. Launch Internet Explorer:
    • Access Internet Options through Tools> Connections tab
    • Click on the Lan Settings at the bottom
    • Proxy Server section> uncheck the box labeled 'Use a proxy server for your LAN'.
    • Then click on OK> and OK again to close Internet Options.
    ===============================
    This malware frequently comes with the TDSS rootkit, so do the following:
    • Download the file TDSSKiller.zip and save to the desktop.
      (If you are unable to download the file for some reason, then TDSS may be blocking it. You would then need to download it first to a clean computer and then transfer it to the infected one using an external drive or USB flash drive.)
    • Right-click the tdsskiller.zip file> Select Extract All into a folder on the infected (or potentially infected) PC.
    • Double click on TDSSKiller.exe to run the scan.
    • When the scan is over, the utility outputs a list of detected objects with description.
      The utility automatically selects an action (Cure or Delete) for malicious objects.
      The utility prompts the user to select an action to apply to suspicious objects (Skip, by default).
    • Select the action Quarantine to quarantine detected objects.
      The default quarantine folder is in the system disk root folder, e.g.: C:\TDSSKiller_Quarantine\23.07.2010_15.31.43
    • After clicking Next, the utility applies selected actions and outputs the result.
    • A reboot is required after disinfection.
    ====================================
    If TDSSKiller requires you to reboot, please allow it to do so. After you reboot, reboot back into Safe Mode with Networking again
    ====================================
    To end the processes that belong to the malware program, please download and run the tool below named Rkill (courtesy of BleepingComputer.com) which may help allow other programs to run.

    There are 3 different versions. If one of them won't run then download and try to run the other one. (Vista and Win7 users need to right click Rkill and choose Run as Administrator)

    You only need to get one of these to run, not all of them. You may get warnings from your antivirus about this tool; ignore them or shut down your antivirus.
    • Rkill.com
    • Rkill.scr
    • Rkill.exe
    • Double-click on the Rkill desktop icon to run the tool.
    • If using Vista or Windows 7 right-click on it and choose Run As Administrator.
    • A black DOS box will briefly flash and then disappear. This is normal and indicates the tool ran successfully.
    • If not, delete the file, then download and use the one provided in Link 2.
    • If it does not work, repeat the process and attempt to use one of the remaining links until the tool runs.
    • If the tool does not run from any of the links provided, please let me know.
    Do not reboot until instructed, as it will start the malware again.
    ==================================
    Try another scan with Mbam, after it updates, but on the Scanner tab, make sure the Perform Full Scan option is selected and then click on the Scan button.

    When the scan has finished, you will see this image:
    [image: Malwarebytes scan-complete dialog]
    • Click on OK to close box and continue.
    • Click on the Show Results button.
    • Click on the Remove Selected button to remove all the listed malware.
    • At end of malware removal, the scan log opens and displays in Notepad. Be sure to click on Format> Uncheck Word Wrap before copying the log to paste in your next reply.
    ========================================
    TDSSKiller
    RKill
    New Malwarebytes
    2 logs from DDS
    =======================================
    Please don't run any other scans or leave any other logs unless I request them.

