Removing Security Tool malware

[LC EFA]

The task manager supplied with windows is crap. It doesn't show "hidden" processes.

Try using either Process Explorer or AntiSpy.Info

[Chris_]

Yeah, Process Explorer is good.  Usually, the name of the running process matches the .exe file.  Once you have that, you should be able to run a basic search on that string.

[Texacon]

BSS ... Have you run a program called rkill?  This program is designed to kill KNOWN malware processes.  Nothing more nothing less.  You run it then, without rebooting the machine try to install and scan with Mbam or SAS.

Another thing you may need to do is run a rootkit unhooker program.  RKUnHooker is a good one.

Be patient. 

KC

[BlueStateSaint]

BSS ... Have you run a program called rkill?  This program is designed to kill KNOWN malware processes.  Nothing more nothing less.  You run it then, without rebooting the machine try to install and scan with Mbam or SAS.

Nope.  I'll try that one, too.

Another thing you may need to do is run a rootkit unhooker program.  RKUnHooker is a good one.

I'm about to try almost anything--including physical violence.

Be patient.

It's tough!  Eventually, it reverts to "The Blue Screen of Death."

[Chris_]

I tried rkill on the Security Tool infection and it didn't work.

[Texacon]

I tried rkill on the Security Tool infection and it didn't work.

Yeah, rkill didn't help me a lot on one of my infections but it did on another fake AV.  I'm thinking BSS has a rootkit infection but I'm no expert.  It just looks like some other stuff I've experienced.

KC

[Chris_]

Have you found an executable for the virus yet, BSS?

[BlueStateSaint]

Have you found an executable for the virus yet, BSS?

No, I haven't.  But, I did find "Automated Removal INstructions for System Tool using Malwarebytes' Anti-Malware" on Bleeping Computer.  I figure that, between the bad back and the two funerals I have to go to this week, I'll have enough down time to be able to fix this damned thing.

[Chris_]

No, I haven't.  But, I did find "Automated Removal INstructions for System Tool using Malwarebytes' Anti-Malware" on Bleeping Computer.  I figure that, between the bad back and the two funerals I have to go to this week, I'll have enough down time to be able to fix this damned thing.

oh

Sorry to hear about the funerals.

[BlueStateSaint]

Now I'm confused.  Yesterday, I tried to remove the System Tool 2.12 according to the directions on Bleeping Computer (again, Texacon, thank you for that!) but the process would seize up at around Step 4.  I tried it three times.  I was thoroughly distraught.  Not a good thing to be going into my wife's grandmother's wake.

I made it through the wake alright (back issues drove me nuts, though).  I didn't make it to the funeral, though, because of the back issues.  Anyway, I just went to turn on my PC, and accidentally signed in on my userid.  The System Tool 2.12 didn't show up.  Not sure why that was.  I just hope it stays off.

Thanks to all of you who helped me.  Even though you may not have suggested anything, knowing that someone was here to babble to means a lot.

I'll distribute H5s to all.

[Texacon]

Now I'm confused.  Yesterday, I tried to remove the System Tool 2.12 according to the directions on Bleeping Computer (again, Texacon, thank you for that!) but the process would seize up at around Step 4.  I tried it three times.  I was thoroughly distraught.  Not a good thing to be going into my wife's grandmother's wake.

I made it through the wake alright (back issues drove me nuts, though).  I didn't make it to the funeral, though, because of the back issues.  Anyway, I just went to turn on my PC, and accidentally signed in on my userid.  The System Tool 2.12 didn't show up.  Not sure why that was.  I just hope it stays off.

Thanks to all of you who helped me.  Even though you may not have suggested anything, knowing that someone was here to babble to means a lot.

I'll distribute H5s to all.

BSS please make sure you post those logs on BC to make sure your machine is clean.  I've cleaned a couple (I thought) only to have the damn thing come back in spades.  It won't hurt to have your post working through the steps at BC because it takes so long for them to get to you.

KC

[Chris_]

Argh!  Someone at work brought in their computer with this infection. 

Maybe I'll get lucky and I can just wipe everything out and start over again.

[Janice]

This particular infection is one of the worst. I "deal" with it all the time.

Its best to handle this by initially slaving this to another machine (preferably one with a decent processor and memory) and running a thoroughly udpated version of Malwarebytes on it from there. Then put it back into the native machine and run Malwarebytes on it from there. (If you have to, you can run rkill initially to "clear the path" for installing and running Malwarebytes.) Then scan with an updated version of Spybot.

There ... squeaky clean and all good to go.

[Thor]

This particular infection is one of the worst. I "deal" with it all the time.

Its best to handle this by initially slaving this to another machine (preferably one with a decent processor and memory) and running a thoroughly udpated version of Malwarebytes on it from there. Then put it back into the native machine and run Malwarebytes on it from there. (If you have to, you can run rkill initially to "clear the path" for installing and running Malwarebytes.) Then scan with an updated version of Spybot.

There ... squeaky clean and all good to go.

Most people don't have the knowledge to do that or the luxury of having multiple systems.

[Janice]

It could also be "handled" on the infected machine alone as well. It takes a bit of skill and a lot of time for that too. What I would do is this:

Have rkill on a flash drive or preferably on a cd handy before starting the infected machine. And while your at it have malwarebytes and spybot installers on their as well. Start the machine. As it is loading to the desktop insert the flash drive or cd. Its very important to open that flash drive or cd and run rkill before the virus has a chance to "start" its "madness" because thats what rkill does ... it kills the virus processes before the virus has a chance to stop you.

The "skill" part is getting rkill working before the virus has a chance to "cut you off". It may take a few tries (restarting the machine) to get it. But its well worth the effort. Its a bit of a foot race to get the rkill going before the nasty does its business.

Once the virus processes has been stopped you are free to install and run malwarebytes. I would recommend staying off the internet at first run. But after the first run go ahead and go online to update malwarebytes. Install and update spybot too. You may have to check that proxy server is unchecked and that automatically detect settings is checked in the internet option > connections box as suggested above to get back online.

Its a pain .. but it works.

[Thor]

On systems that I can put my hands on, I just slave the infected hard disk. If I'm feeling lazy, I'll burn Malwarebytes and whatever other programs are needed to CD and do a safe mode install from the CD. I have the luxury of a five PC home network, though. Three of them run off of a KVM switch and are at my fingertips. I haven't had a virus since I quit running AVG and switched to Avast.