Author Topic: Removing Security Tool malware (Read 8928 times)

Chris_ · « **on:** August 27, 2010, 01:05:34 PM »

Someone brought in a computer a couple days ago with an impossible-to-remove malware infection. I tried all the usual stuff... MalwareBytes, ComboFix, AdAware. In most cases, the malware will immediately recognize the program and shut it down. Same for Task Manager. It will NOT let you open it. It's impossible to fix in Safe Mode because the malware will not show up. What I did find online was either outdated or incomplete. After a couple days of scanning, searching, and trying different things, I was finally able to remove this damn thing.

DO NOT REBOOT YOUR COMPUTER UNTIL YOU COMPLETE THIS PROCESS

Open My Computer. Select Folder Options from the Tools menu (this may be in a different location for Windows 7/Vista users). Disable 'Hide known file extensions' and 'Hide system files'.

Download HijackThis!

Download MalwareBytes.

Rename HijackThis! executable to iexplore.exe.

Run HijackThis! to kill process 12345678.exe. You will see the Security Tool process listed as an executable file that is a random 8-digit string of numbers. I used 12345678 as an example.

Locate 12345678.exe in the Start menu. It should have created a new entry in the folder 'Security Tool'

Copy the filename 12345678 to notepad (you will need to know the name of the file later).

Follow the link to the installation folder and rename 12345789.exe to 12345678virus.exe. This will prevent the program from running automatically when Windows starts.

Open Regedit and search for '12345678'.

Delete all entries containing 12345678.exe (there should be at least two of them).

Install MalwareBytes, check for updates, and run a full scan. You will need to re-install MalwareBytes if you already have it on your system. This virus corrupts core files in MalwareBytes and will prevent it from running.

Once the MalwareBytes scan is complete (I found four entries for this program) and the infection is removed, you should be able to reboot your computer and get on with your life.

Godot showed up · « **Reply #1 on:** August 27, 2010, 01:21:08 PM »

I really HATE these buggers, these malwares that fake being anti-spyware. Lesson: never download anything that hasn't been cleared at CNET.

I never told you guys--2 weeks ago, I FINALLY had my computer all cleaned up and running as I wanted it after the Google redirect virus. The next night, I came home, and I found that Mrs. Godot had done a cold shut-down. I tried to restart--no good. All kinds of rigamarole--weird screens, you name it. Couldn't restart from last known good startup, couldn't do a system resore to an erlier date, or rather, I could, but it didn't help...

Long story short, I couldn't even reformat the hard disk (and I was willing to), not even from a command prompt. Kept getting a message about missing volume information and possible corruption. I think so much shutting down, restarting, installing and uninstalling, and registry fixes in one month was just too much for the disk, which was 4 years old anyway. So I lost all my data, but really didn't care much; all my important files were on flash drives. Took it in and yes, it definitely needed a new hard disk. Took the opportunity to get some more RAM. A friend at the office let me have the Win 7 disk and Office 2007, so at least I didn't have to pay for the software (I'd been running Vista, and they didn't give me a disk when I bought the laptop years ago). If I'd had to do that, it wouldn't have been worth the fixc and I'd have bought a new laptop.

Chris, I now use Mbam, Avast, Comodo firewall, Win Patrol Plus, and Web of Trust, on top of whatever security Win 7 is running. Oh, and some program they recommended at Geekstogo that protects the Hosts file, forgot the name. Is there anything else you'd recommend?

Chris_ · « **Reply #2 on:** August 27, 2010, 01:23:33 PM »

No, that's about it. I switched to Avast the other week and I'm liking it.

This was a customer's computer -- I doubt he was as serious about security as you or I would have been.

Chris_ · « **Reply #3 on:** August 27, 2010, 02:18:11 PM »

After doing all this, I ran MalwareBytes a second time and found another instance of Security Tool. Deleted that and rebooted -- I'm running another full scan again to make sure it's completely gone.

Thor · « **Reply #4 on:** August 27, 2010, 02:25:17 PM »

Some Trojans like to hide in HKLM/ Software/ Microsoft/ Windows/ Current Version/ Run (or Run Once). If there is anything suspicious there, then it's probably installed in many other places.

Texacon · « **Reply #5 on:** August 27, 2010, 02:30:43 PM »

chris, did you make sure the 'Use Proxy Server' box was unchecked? That's one of the things that particular virus does.

I just got rid of that one on my secretary's computer and it took me almost 2 full days. That one was a booger.

KC

Chris_ · « **Reply #6 on:** August 27, 2010, 02:34:14 PM »

Yes, it was unchecked.

Texacon · « **Reply #7 on:** August 27, 2010, 02:39:24 PM »

Did you run the rootkill tool?

KC

Texacon · « **Reply #8 on:** August 27, 2010, 02:41:12 PM »

Actually you won't need rootkill if you are able to run Malware bytes. I will tell you this; After I got rid of the virus I had to run malware bytes, Ccleaner and Superanti Spyware SEVERAL times before it finally started coming up clean.

I even rebooted her comp several times just to run those scans over and it was STILL finding the nasty thing.

KC

Chris_ · « **Reply #9 on:** August 27, 2010, 02:43:17 PM »

Quote from: Texacon on August 27, 2010, 02:39:24 PM

Did you run the rootkill tool?

KC

No, I did not. Thanks for reminding me.

zeitgeist · « **Reply #10 on:** August 27, 2010, 04:09:00 PM »

One of the house computers had this some time back. It is a royal pain. I won't detail what should be done to the perps, lets just say Chuck Norris em x 2.

Chris_ · « **Reply #11 on:** August 27, 2010, 04:28:56 PM »

Finished a third (?) MalwareBytes scan and it came up clean. I'm running SuperAntiSpyware again just to be sure, but I think I got it.

SUCCESS!

Texacon · « **Reply #12 on:** August 27, 2010, 05:51:12 PM »

Quote from: chris_ on August 27, 2010, 04:28:56 PM

Finished a third (?) MalwareBytes scan and it came up clean. I'm running SuperAntiSpyware again just to be sure, but I think I got it.

SUCCESS!

Good job!

KC

Chris_ · « **Reply #13 on:** August 27, 2010, 06:10:29 PM »

Thanks. Now to collect the rest of my money.

Quote from: Thor on August 27, 2010, 02:25:17 PM

Some Trojans like to hide in HKLM/ Software/ Microsoft/ Windows/ Current Version/ Run (or Run Once). If there is anything suspicious there, then it's probably installed in many other places.

I did a registry scan using the application name and the name of the executable. I found four or five entries and removed them.

Thor · « **Reply #14 on:** August 27, 2010, 11:32:29 PM »

Quote from: chris_ on August 27, 2010, 06:10:29 PM

Thanks. Now to collect the rest of my money.

I did a registry scan using the application name and the name of the executable. I found four or five entries and removed them.

Only four or five?? Damn. Some viruses and trojans, I've found as many as 100 registry entries........

LC EFA · « **Reply #15 on:** August 28, 2010, 07:02:54 PM »

Quote

Download HijackThis!

HijackThis is capable of dealing with most viri and adware/spyware all on its lonesome.

Texacon · « **Reply #16 on:** November 25, 2010, 06:58:48 PM »

One of the nastier aspects of some of these viruses, I've just recently learned, is when they get a rootkit involved in the infection. There isn't any software that will remove it and you have to have a rootkit 'unhooker' to even be able to see the dang thing. After you get that done then you can see the rest of the infections.

KC

BlueStateSaint · « **Reply #17 on:** November 26, 2010, 12:44:18 PM »

I had to go on the PC using my wife's preferences. The damned System Tool was blocking every attempt by me to get HijackThis! and MalwareBytes on. Right now, I'm running MB on scan. It's driving me up a wall, with my wife alternately wanting to know what's going on, and getting updates about her 99-year-old grandmother (who probably won't see Monday); and our daughter wanting attention from both of us--our undivided attention.

Chris_ · « **Reply #18 on:** November 26, 2010, 12:52:03 PM »

I guarantee the MB scans will not remove it. They'll just keep showing up. You did rename the Hijack This! .exe to something else, right?

BlueStateSaint · « **Reply #19 on:** November 26, 2010, 01:20:42 PM »

I'm going to have to reinstall the Hijack This! I'm not too sure that it took the first time.

While I'm at it, how do I rename the .exe file? I can't seem to be able to fiugre it out.

Thor · « **Reply #20 on:** November 26, 2010, 01:42:18 PM »

Quote from: BlueStateSaint on November 26, 2010, 01:20:42 PM

I'm going to have to reinstall the Hijack This! I'm not too sure that it took the first time.

While I'm at it, how do I rename the .exe file? I can't seem to be able to fiugre it out.

Locate the file, right click, properties and rename

BlueStateSaint · « **Reply #21 on:** November 26, 2010, 03:00:48 PM »

Quote from: Thor on November 26, 2010, 01:42:18 PM

Locate the file, right click, properties and rename

Now all I've got to do is to find the ****ing System Tool file.

Chris_ · « **Reply #22 on:** November 26, 2010, 03:03:31 PM »

Check your Start/Program menu or Registry. It may have created a new entry under 'System Tool'. Follow the path to the program's .exe file.

BlueStateSaint · « **Reply #23 on:** November 26, 2010, 04:06:23 PM »

Quote from: chris_ on November 26, 2010, 03:03:31 PM

Check your Start/Program menu or Registry. It may have created a new entry under 'System Tool'. Follow the path to the program's .exe file.

Chris, I can't find it. It's depressing.

Chris_ · « **Reply #24 on:** November 26, 2010, 04:10:16 PM »

Any running processes in Task Manager that look like a string of numbers?

News:

Author Topic: Removing Security Tool malware (Read 8928 times)