The Conservative Cave

The Help Desk => Computer Related Discussions & Questions => Topic started by: Chris_ on August 27, 2010, 01:05:34 PM

Title: Removing Security Tool malware
Post by: Chris_ on August 27, 2010, 01:05:34 PM
Someone brought in a computer a couple days ago with an impossible-to-remove malware infection.  I tried all the usual stuff... MalwareBytes, ComboFix, AdAware.  In most cases, the malware will immediately recognize the program and shut it down.  Same for Task Manager.  It will NOT let you open it.  It's impossible to fix in Safe Mode because the malware will not show up.  What I did find online was either outdated or incomplete.  After a couple days of scanning, searching, and trying different things, I was finally able to remove this damn thing. 

(http://a.imageshack.us/img638/6589/image110h.png)

(http://a.imageshack.us/img638/5990/sshot201001210028011.png)

(http://a.imageshack.us/img638/3262/sshot201001210030291.png)

DO NOT REBOOT YOUR COMPUTER UNTIL YOU COMPLETE THIS PROCESS

Open My Computer.  Select Folder Options from the Tools menu (this may be in a different location for Windows 7/Vista users).  Disable 'Hide known file extensions' and 'Hide system files'.

Download HijackThis!

Download MalwareBytes.

Rename HijackThis! executable to iexplore.exe.

Run HijackThis! to kill process 12345678.exe.  You will see the Security Tool process listed as an executable file that is a random 8-digit string of numbers.  I used 12345678 as an example.

Locate 12345678.exe in the Start menu.  It should have created a new entry in the folder 'Security Tool'.

Copy the filename 12345678 to notepad (you will need to know the name of the file later).

Follow the link to the installation folder and rename 12345678.exe to 12345678virus.exe.  This will prevent the program from running automatically when Windows starts.

Open Regedit and search for '12345678'.

Delete all entries containing 12345678.exe (there should be at least two of them).

Install MalwareBytes, check for updates, and run a full scan.  You will need to re-install MalwareBytes if you already have it on your system.  This virus corrupts core files in MalwareBytes and will prevent it from running.

Once the MalwareBytes scan is complete (I found four entries for this program) and the infection is removed, you should be able to reboot your computer and get on with your life.
Title: Re: Removing Security Tool malware
Post by: Godot showed up on August 27, 2010, 01:21:08 PM
I really HATE these buggers, these malwares that fake being anti-spyware. Lesson: never download anything that hasn't been cleared at CNET.

I never told you guys--2 weeks ago, I FINALLY had my computer all cleaned up and running as I wanted it after the Google redirect virus. The next night, I came home, and I found that Mrs. Godot had done a cold shut-down. I tried to restart--no good. All kinds of rigamarole--weird screens, you name it. Couldn't restart from last known good startup, couldn't do a system restore to an earlier date, or rather, I could, but it didn't help...

Long story short, I couldn't even reformat the hard disk (and I was willing to), not even from a command prompt. Kept getting a message about missing volume information and possible corruption.  I think so much shutting down, restarting, installing and uninstalling, and registry fixes in one month was just too much for the disk, which was 4 years old anyway. So I lost all my data, but really didn't care much; all my important files were on flash drives. Took it in and yes, it definitely needed a new hard disk. Took the opportunity to get some more RAM. A friend at the office let me have the Win 7 disk and Office 2007, so at least I didn't have to pay for the software (I'd been running Vista, and they didn't give me a disk when I bought the laptop years ago). If I'd had to do that, it wouldn't have been worth the fix and I'd have bought a new laptop.

Chris, I now use Mbam, Avast, Comodo firewall, Win Patrol Plus, and Web of Trust, on top of whatever security Win 7 is running. Oh, and some program they recommended at Geekstogo that protects the Hosts file, forgot the name. Is there anything else you'd recommend?
Title: Re: Removing Security Tool malware
Post by: Chris_ on August 27, 2010, 01:23:33 PM
No, that's about it.  I switched to Avast the other week and I'm liking it.

This was a customer's computer -- I doubt he was as serious about security as you or I would have been.
Title: Re: Removing Security Tool malware
Post by: Chris_ on August 27, 2010, 02:18:11 PM
After doing all this, I ran MalwareBytes a second time and found another instance of Security Tool.  Deleted that and rebooted -- I'm running another full scan again to make sure it's completely gone.
Title: Re: Removing Security Tool malware
Post by: Thor on August 27, 2010, 02:25:17 PM
Some Trojans like to hide in HKLM/ Software/ Microsoft/ Windows/ Current Version/ Run (or Run Once). If there is anything suspicious there, then it's probably installed in many other places.
Title: Re: Removing Security Tool malware
Post by: Texacon on August 27, 2010, 02:30:43 PM
chris, did you make sure the 'Use Proxy Server' box was unchecked?  That's one of the things that particular virus does.

I just got rid of that one on my secretary's computer and it took me almost 2 full days.  That one was a booger.

KC
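The steps in the first post (an 8-digit process name and its registry entries), Thor's note about the Run/RunOnce keys and Texacon's proxy check, gathered into one read-only PowerShell triage script. This is an added example, not code from anyone in the thread; it assumes the rogue's executable is named with 8 digits as described and it only reports what it finds, deleting nothing.

```powershell
# Added triage script (not from the thread's authors): read-only checks for the
# three indicators the posts describe. Assumptions: the rogue's executable is an
# 8-digit number (e.g. 12345678.exe), it autostarts from Run/RunOnce, and it turns
# on "Use a proxy server" in Internet Options. It reports; it changes nothing.

$numericExe = '\b\d{8}\.exe\b'   # matches 12345678.exe anywhere in a command line

function Find-NumericProcesses {
    # Running processes whose name is 8 digits, as in the first post. A rootkit can
    # hide processes from this API (LC EFA's point), so an empty list is not proof
    # that the machine is clean.
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessName -match '^\d{8}$' } |
        Select-Object Id, ProcessName, Path
}

function Find-RunKeyEntries {
    # Autostart values under Run/RunOnce (machine and user hives) whose command
    # line points at an 8-digit executable: the hiding place Thor mentions.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $values = Get-ItemProperty -Path $key
        foreach ($prop in $values.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSDrive, etc.
            if ("$($prop.Value)" -match $numericExe) {
                [PSCustomObject]@{ Key = $key; ValueName = $prop.Name; Command = $prop.Value }
            }
        }
    }
}

function Get-UserProxySetting {
    # "Use a proxy server" in Internet Options is stored as ProxyEnable (1 = checked),
    # the box Texacon and Janice say must be unchecked before the machine can get
    # back online for updates.
    $s = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [PSCustomObject]@{ ProxyEnable = $s.ProxyEnable; ProxyServer = $s.ProxyServer }
}

'== Running processes with 8-digit names =='
Find-NumericProcesses | Format-Table -AutoSize
'== Run/RunOnce values pointing at 8-digit executables =='
Find-RunKeyEntries | Format-Table -AutoSize
'== Current user proxy setting (ProxyEnable 1 = box is checked) =='
Get-UserProxySetting | Format-List
```

Run it before rebooting, as the first post says, and compare the reported file name against what the Start menu entry points to before renaming or deleting anything.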
Title: Re: Removing Security Tool malware
Post by: Chris_ on August 27, 2010, 02:34:14 PM
Yes, it was unchecked.
Title: Re: Removing Security Tool malware
Post by: Texacon on August 27, 2010, 02:39:24 PM
Did you run the rootkill tool?

KC
Title: Re: Removing Security Tool malware
Post by: Texacon on August 27, 2010, 02:41:12 PM
Actually you won't need rootkill if you are able to run Malware bytes.  I will tell you this;  After I got rid of the virus I had to run malware bytes, Ccleaner and Superanti Spyware SEVERAL times before it finally started coming up clean. 

I even rebooted her comp several times just to run those scans over and it was STILL finding the nasty thing.

KC
Title: Re: Removing Security Tool malware
Post by: Chris_ on August 27, 2010, 02:43:17 PM
Quote from: Texacon
Did you run the rootkill tool?

KC

No, I did not.  Thanks for reminding me.
Title: Re: Removing Security Tool malware
Post by: zeitgeist on August 27, 2010, 04:09:00 PM
One of the house computers had this some time back.  It is a royal pain.  I won't detail what should be done to the perps, let's just say Chuck Norris em x 2.
Title: Re: Removing Security Tool malware
Post by: Chris_ on August 27, 2010, 04:28:56 PM
Finished a third (?) MalwareBytes scan and it came up clean.  I'm running SuperAntiSpyware again just to be sure, but I think I got it.

SUCCESS!
Title: Re: Removing Security Tool malware
Post by: Texacon on August 27, 2010, 05:51:12 PM
Quote from: Chris_
Finished a third (?) MalwareBytes scan and it came up clean.  I'm running SuperAntiSpyware again just to be sure, but I think I got it.

SUCCESS!

Good job!

KC
Title: Re: Removing Security Tool malware
Post by: Chris_ on August 27, 2010, 06:10:29 PM
Thanks.  Now to collect the rest of my money.

Quote from: Thor
Some Trojans like to hide in HKLM/ Software/ Microsoft/ Windows/ Current Version/ Run (or Run Once). If there is anything suspicious there, then it's probably installed in many other places.

I did a registry scan using the application name and the name of the executable.  I found four or five entries and removed them.
Title: Re: Removing Security Tool malware
Post by: Thor on August 27, 2010, 11:32:29 PM
Quote from: Chris_
Thanks.  Now to collect the rest of my money.

I did a registry scan using the application name and the name of the executable.  I found four or five entries and removed them.

Only four or five?? Damn. Some viruses and trojans, I've found as many as 100 registry entries........
Title: Re: Removing Security Tool malware
Post by: LC EFA on August 28, 2010, 07:02:54 PM
Quote
Download HijackThis!

HijackThis is capable of dealing with most viri and adware/spyware all on its lonesome.
Title: Re: Removing Security Tool malware
Post by: Texacon on November 25, 2010, 06:58:48 PM
One of the nastier aspects of some of these viruses, I've just recently learned, is when they get a rootkit involved in the infection.  There isn't any software that will remove it and you have to have a rootkit 'unhooker' to even be able to see the dang thing.  After you get that done then you can see the rest of the infections.

KC
Title: Re: Removing Security Tool malware
Post by: BlueStateSaint on November 26, 2010, 12:44:18 PM
I had to go on the PC using my wife's preferences.  The damned System Tool was blocking every attempt by me to get HijackThis! and MalwareBytes on.  Right now, I'm running MB on scan.  It's driving me up a wall, with my wife alternately wanting to know what's going on, and getting updates about her 99-year-old grandmother (who probably won't see Monday); and our daughter wanting attention from both of us--our undivided attention.
Title: Re: Removing Security Tool malware
Post by: Chris_ on November 26, 2010, 12:52:03 PM
:(

I guarantee the MB scans will not remove it.  They'll just keep showing up.  You did rename the Hijack This! .exe to something else, right?
Title: Re: Removing Security Tool malware
Post by: BlueStateSaint on November 26, 2010, 01:20:42 PM
I'm going to have to reinstall the Hijack This!  I'm not too sure that it took the first time.

While I'm at it, how do I rename the .exe file?  I can't seem to be able to figure it out.
Title: Re: Removing Security Tool malware
Post by: Thor on November 26, 2010, 01:42:18 PM
Quote from: BlueStateSaint
I'm going to have to reinstall the Hijack This!  I'm not too sure that it took the first time.

While I'm at it, how do I rename the .exe file?  I can't seem to be able to figure it out.

Locate the file, right click, properties and rename
Title: Re: Removing Security Tool malware
Post by: BlueStateSaint on November 26, 2010, 03:00:48 PM
Quote from: Thor
Locate the file, right click, properties and rename

Now all I've got to do is to find the ****ing System Tool file. :banghead:
Title: Re: Removing Security Tool malware
Post by: Chris_ on November 26, 2010, 03:03:31 PM
Check your Start/Program menu or Registry.  It may have created a new entry under 'System Tool'.  Follow the path to the program's .exe file.
Title: Re: Removing Security Tool malware
Post by: BlueStateSaint on November 26, 2010, 04:06:23 PM
Quote from: Chris_
Check your Start/Program menu or Registry.  It may have created a new entry under 'System Tool'.  Follow the path to the program's .exe file.

Chris, I can't find it.  It's depressing.
Title: Re: Removing Security Tool malware
Post by: Chris_ on November 26, 2010, 04:10:16 PM
Any running processes in Task Manager that look like a string of numbers?
Title: Re: Removing Security Tool malware
Post by: LC EFA on November 26, 2010, 04:21:59 PM
The task manager supplied with windows is crap. It doesn't show "hidden" processes.

Try using either  Process Explorer (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx) or  AntiSpy.Info (http://www.anti-spy.info/)
Title: Re: Removing Security Tool malware
Post by: Chris_ on November 26, 2010, 04:23:46 PM
Yeah, Process Explorer is good.  Usually, the name of the running process matches the .exe file.  Once you have that, you should be able to run a basic search on that string.
Title: Re: Removing Security Tool malware
Post by: Texacon on November 27, 2010, 01:16:35 AM
BSS ... Have you run a program called rkill?  This program is designed to kill KNOWN malware processes.  Nothing more nothing less.  You run it then, without rebooting the machine try to install and scan with Mbam or SAS.

Another thing you may need to do is run a rootkit unhooker program.  RKUnHooker is a good one.

Be patient. 

KC
Title: Re: Removing Security Tool malware
Post by: BlueStateSaint on November 27, 2010, 06:40:29 AM
Quote from: Texacon
BSS ... Have you run a program called rkill?  This program is designed to kill KNOWN malware processes.  Nothing more nothing less.  You run it then, without rebooting the machine try to install and scan with Mbam or SAS.

Nope.  I'll try that one, too.

Quote from: Texacon
Another thing you may need to do is run a rootkit unhooker program.  RKUnHooker is a good one.

I'm about to try almost anything--including physical violence.

Quote
Be patient.

It's tough!  Eventually, it reverts to "The Blue Screen of Death."
Title: Re: Removing Security Tool malware
Post by: Chris_ on November 27, 2010, 12:08:41 PM
I tried rkill on the Security Tool infection and it didn't work.
Title: Re: Removing Security Tool malware
Post by: Texacon on November 27, 2010, 12:17:37 PM
Quote from: Chris_
I tried rkill on the Security Tool infection and it didn't work.

Yeah, rkill didn't help me a lot on one of my infections but it did on another fake AV.  I'm thinking BSS has a rootkit infection but I'm no expert.  It just looks like some other stuff I've experienced.

KC
Title: Re: Removing Security Tool malware
Post by: Chris_ on November 27, 2010, 12:37:01 PM
Have you found an executable for the virus yet, BSS?
Title: Re: Removing Security Tool malware
Post by: BlueStateSaint on November 28, 2010, 04:19:21 PM
Quote from: Chris_
Have you found an executable for the virus yet, BSS?

No, I haven't.  But, I did find "Automated Removal Instructions for System Tool using Malwarebytes' Anti-Malware" on Bleeping Computer.  I figure that, between the bad back and the two funerals I have to go to this week, I'll have enough down time to be able to fix this damned thing.
Title: Re: Removing Security Tool malware
Post by: Chris_ on November 28, 2010, 08:17:24 PM
Quote from: BlueStateSaint
No, I haven't.  But, I did find "Automated Removal Instructions for System Tool using Malwarebytes' Anti-Malware" on Bleeping Computer.  I figure that, between the bad back and the two funerals I have to go to this week, I'll have enough down time to be able to fix this damned thing.

oh :(

Sorry to hear about the funerals.
Title: Re: Removing Security Tool malware
Post by: BlueStateSaint on December 01, 2010, 05:14:17 PM
Now I'm confused.  Yesterday, I tried to remove the System Tool 2.12 according to the directions on Bleeping Computer (again, Texacon, thank you for that!) but the process would seize up at around Step 4.  I tried it three times.  I was thoroughly distraught.  Not a good thing to be going into my wife's grandmother's wake.

I made it through the wake alright (back issues drove me nuts, though).  I didn't make it to the funeral, though, because of the back issues.  Anyway, I just went to turn on my PC, and accidentally signed in on my userid.  The System Tool 2.12 didn't show up.  Not sure why that was.  I just hope it stays off.

Thanks to all of you who helped me.  Even though you may not have suggested anything, knowing that someone was here to babble to means a lot.

I'll distribute H5s to all.
Title: Re: Removing Security Tool malware
Post by: Texacon on December 01, 2010, 05:19:18 PM
Quote from: BlueStateSaint
Now I'm confused.  Yesterday, I tried to remove the System Tool 2.12 according to the directions on Bleeping Computer (again, Texacon, thank you for that!) but the process would seize up at around Step 4.  I tried it three times.  I was thoroughly distraught.  Not a good thing to be going into my wife's grandmother's wake.

I made it through the wake alright (back issues drove me nuts, though).  I didn't make it to the funeral, though, because of the back issues.  Anyway, I just went to turn on my PC, and accidentally signed in on my userid.  The System Tool 2.12 didn't show up.  Not sure why that was.  I just hope it stays off.

Thanks to all of you who helped me.  Even though you may not have suggested anything, knowing that someone was here to babble to means a lot.

I'll distribute H5s to all.

BSS please make sure you post those logs on BC to make sure your machine is clean.  I've cleaned a couple (I thought) only to have the damn thing come back in spades.  It won't hurt to have your post working through the steps at BC because it takes so long for them to get to you.

KC
Title: Re: Removing Security Tool malware
Post by: Chris_ on December 02, 2010, 10:09:22 AM
Argh!  Someone at work brought in their computer with this infection. 

Maybe I'll get lucky and I can just wipe everything out and start over again.
Title: Re: Removing Security Tool malware
Post by: Janice on December 05, 2010, 09:38:01 PM
This particular infection is one of the worst. I "deal" with it all the time.

It's best to handle this by initially slaving this to another machine (preferably one with a decent processor and memory) and running a thoroughly updated version of Malwarebytes on it from there. Then put it back into the native machine and run Malwarebytes on it from there. (If you have to, you can run rkill initially to "clear the path" for installing and running Malwarebytes.) Then scan with an updated version of Spybot.

There ... squeaky clean and all good to go. :)
Title: Re: Removing Security Tool malware
Post by: Thor on December 05, 2010, 09:47:06 PM
Quote from: Janice
This particular infection is one of the worst. I "deal" with it all the time.

It's best to handle this by initially slaving this to another machine (preferably one with a decent processor and memory) and running a thoroughly updated version of Malwarebytes on it from there. Then put it back into the native machine and run Malwarebytes on it from there. (If you have to, you can run rkill initially to "clear the path" for installing and running Malwarebytes.) Then scan with an updated version of Spybot.

There ... squeaky clean and all good to go. :)

Most people don't have the knowledge to do that or the luxury of having multiple systems.
Title: Re: Removing Security Tool malware
Post by: Janice on December 05, 2010, 10:28:33 PM
It could also be "handled" on the infected machine alone as well. It takes a bit of skill and a lot of time for that too. What I would do is this:

Have rkill on a flash drive or preferably on a cd handy before starting the infected machine. And while you're at it have malwarebytes and spybot installers on there as well. Start the machine. As it is loading to the desktop insert the flash drive or cd. It's very important to open that flash drive or cd and run rkill before the virus has a chance to "start" its "madness" because that's what rkill does ... it kills the virus processes before the virus has a chance to stop you.

The "skill" part is getting rkill working before the virus has a chance to "cut you off". It may take a few tries (restarting the machine) to get it. But it's well worth the effort. It's a bit of a foot race to get the rkill going before the nasty does its business.

Once the virus processes have been stopped you are free to install and run malwarebytes. I would recommend staying off the internet at first run. But after the first run go ahead and go online to update malwarebytes. Install and update spybot too. You may have to check that proxy server is unchecked and that automatically detect settings is checked in the internet option > connections box as suggested above to get back online.

It's a pain .. but it works.
Title: Re: Removing Security Tool malware
Post by: Thor on December 05, 2010, 10:57:55 PM
On systems that I can put my hands on, I just slave the infected hard disk. If I'm feeling lazy, I'll burn Malwarebytes and whatever other programs are needed to CD and do a safe mode install from the CD. I have the luxury of a five PC home network, though. Three of them run off of a KVM switch and are at my fingertips. I haven't had a virus since I quit running AVG and switched to Avast.