
Malwarebytes won't run, rkill not working for removing Security Tool


8 replies to this topic

#1 doodlebot
Members, 1 post
Posted 18 December 2009 - 11:31 PM

I'm helping my mother remove Security Tool from her work computer, which she needs asap.

I've read the tutorials on here (this one), but this malware (or virus?) seems pretty defensive.


Once it is downloaded, double-click on the rkill.com in order to automatically attempt to stop any processes associated with Security Tool and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Tool when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Tool. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again.


So I downloaded rkill.exe, actually, twice... it ran, the black box came up as described and stayed blankly black. It closed by itself as described in the tutorial.
I ran the .exe multiple times but Security Tool stayed in place. Not budging.

I tried to run MBAM but that wouldn't run. Double-clicked from its folder and from the Start menu; no window comes up.
I downloaded MBAM again and renamed it, but nope, still won't run.

Task Manager won't work either, nor will MSPaint or WordPad, but IE works perfectly;
it seems like Security Tool affects each victim differently?

Also, the desktop is blank and no icons can be dropped on it; however, after startup, before the malware loads, I can see my mother's icons.

I'm not sure if she can use her computer; she uses some programs on it for a travel agency that require internet. But internet works fine...
Also she doesn't want to reinstall her computer and we don't have the original CD.
Any advice or help is greatly, greatly appreciated... though it seems like we are doomed. ;-;



#2 tobz
Members, 8 posts
Posted 30 December 2009 - 07:02 PM

I have the same problem. I am unable to run the rkill.exe, rkill.com or any other associated processes.

I am unable to boot into safe mode, as my computer BSODs in safe mode.

Any thoughts?

#3 MallPrincess
Members, 3 posts
Posted 21 January 2010 - 08:55 PM

How did you end up getting this resolved? I can get into Safe Mode but I still cannot get RKill to work. Thanks.

#4 katie s
Members, 3 posts
Posted 19 April 2010 - 01:03 PM

Hi, I was having the same problems. Nothing worked, but by pure chance the computer crashed, and as I restarted and logged in I clicked on rkill at what I thought was too early, but good job I did, as it loaded before Security Tool and cancelled the process before it started. I ran Malwarebytes and the computer is now Security Tool free. Thought I'd give you a heads up and hope it will work for you.

#5 whowantspants
Members, 1 post
Posted 24 April 2010 - 11:51 AM

I can verify katie's solution: try to open rkill.com (or .exe, etc.) before Security Tool starts. I started my computer, logged in, then opened rkill.com while other services were starting. In fact, I started it a couple of times. It found and terminated 'imapi.exe' and 'wscntfy.exe'. Cheers!

#6 certifiedgeek
Members, 172 posts
Posted 24 April 2010 - 01:37 PM

I am assuming that everybody has tried all the different versions of rkill, such as .com, .exe, etc.? Have either of you tried using SUPERAntiSpyware or maybe Hitman Pro?

#7 aeronaut
Members, 1 post
Posted 10 July 2010 - 01:22 PM

I used BleepingComputer's method to remove AV Security Suite last night. I also had a problem with AV shutting down rkill before it could do its job. I did notice that each time I clicked on the rkill icon, it seemed to get a bit further before AV stopped it. So I moved the rkill icon to the far corner of the screen (so that the "security" windows and rkill's black windows would not block the rkill icon). Then I proceeded to just click away on the rkill icon as fast as I could. I must have started it more than a dozen times in quick succession, but it worked. Finally I got a white window with text from the rkill program, and the game was over. Evidently, AV can't keep up with multiple starts of rkill in quick succession. The rest went exactly as the procedure showed.

Last time I had this malware, I had to pay someone $100 to clean it up for me. This time I will spend that money instead to upgrade Malwarebytes Anti-Malware to the Pro version and keep AV Security Suite out of my computer, and my life, forever.

(I'll keep rkill on my desktop, just in case!)

#8 wildcat10
Members, 1 post
Posted 08 September 2010 - 01:51 AM

I just used the guide to uninstall Security Tool on my laptop (with Windows XP). When I rebooted the system after the MBAM scan, there appears to be no sign of the pop-up messages. (yay!!!!) Do I need to "empty" or delete the folder marked "Quarantine" to rid my computer of the infected files? Or does MBAM essentially do that for me?

Also, once I finished deleting and re-installing my HOSTS file, I was no longer able to gain access to my wireless internet due to a proxy that was not responding. Could this be related? I'm guessing not. Any help is much appreciated.

-wildcat10

#9 Christopher A. McKay
Members, 1 post
Posted 13 September 2010 - 06:52 PM

I just used the guide to uninstall Security Tool on my laptop (with Windows XP). When I rebooted the system after the MBAM scan, there appears to be no sign of the pop-up messages. (yay!!!!) Do I need to "empty" or delete the folder marked "Quarantine" to rid my computer of the infected files? Or does MBAM essentially do that for me?

Also, once I finished deleting and re-installing my HOSTS file, I was no longer able to gain access to my wireless internet due to a proxy that was not responding. Could this be related? I'm guessing not. Any help is much appreciated.

-wildcat10


Erk. Should have checked your hosts file before deleting it. It's easier to just edit any potentially offensive lines out.

For those who can't get RKILL to run (or any other .exe file), I've made the following notes:

IF THE VIRUS PREVENTS RKILL FROM RUNNING... rename it temporarily to iexplore.exe, since the virus this fights will typically allow only Internet Explorer to run, and this will trick it into letting you run rkill. Its ability to block executables is based on the .exe name rather than the window name. (A surprising miss for a hacker, who should be able to use common Windows hooks to prevent this from bypassing their virus...)

Additionally, sometimes the virus will have an icon in the task bar in the lower right corner of your Windows screen, which will continue to hijack the browser and prevent .exe files from running. Renaming c:\windows\system32\taskmgr.exe to iexplore.exe temporarily will allow you to fire up Task Manager and kill this process. Look for a user-owned process that has a gibberish .exe name, or is not recognised as a benign or required process. When you kill it, the tray icon should go away. Then run rkill.

After running rkill, open up Internet Explorer, then click Tools > Internet Options > Connections > LAN Settings, and disable the proxy settings that are hijacking the browser by clearing the box next to Use Proxy Settings.

Now remove the virus with your AV program, Malwarebytes, etc. You may also wish to manually locate the file that was running in Task Manager. This is typically located by right-clicking the Start Menu, then clicking Browse All Users. Look in Local Settings > Application Data (which is a hidden folder). There will be some .exe files and at least one directory with a gibberish name that also contains .exe files. Delete them all, then empty your trash bin. It may also be under [user name]\Application Data\ as well.

For the really intrepid, a quick check of your registry will also locate potentially dangerous startup programs that are infected. If you run regedit from a command prompt, then check the following locations for suspicious files:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

and

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

Lastly, a manual check in services.msc for any non-Microsoft, suspicious services may be warranted.

In my experience, there are about 8 generations of this virus, with variants of each generation. There's no such thing as being too thorough with this one.

Chris.
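The manual walk-through in the post above (Run/RunOnce keys, the IE LAN proxy setting, the hosts file, non-Microsoft services) can be done in one read-only pass. The script below is an added example written for this page, not Chris's or BleepingComputer's code. It assumes Windows PowerShell (2.0 through 5.1) in an elevated console; the [CHECK] heuristics (profile/temp paths, vowel-less executable names, non-loopback hosts entries, service binaries outside %SystemRoot% or without a Microsoft CompanyName) are the author's own and are leads to inspect, not detections.

```powershell
# Added triage script (editor's example, not from the thread). Read-only: it
# lists the persistence and hijack points the post walks through by hand and
# marks anything worth a second look. Nothing is changed or deleted.
# Assumptions: Windows PowerShell 2.0-5.1, elevated; heuristics are mine.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Heuristic: autostart commands under a profile/temp directory, or whose .exe
# name is a run of letters/digits with no vowels (e.g. 12345678.exe), match the
# pattern described for the dropped files under Local Settings\Application Data.
function Test-SuspiciousCommand {
    param([string]$Command)
    if ($Command -match '\\(Local Settings|AppData|Application Data|Temp)\\') { return $true }
    if ($Command -match '([^\\/"]+)\.exe\b') {
        $leaf = $Matches[1]
        if ($leaf -match '^[a-z0-9]{6,}$' -and $leaf -notmatch '[aeiou]') { return $true }
    }
    return $false
}

Write-Host '== Run / RunOnce autostart entries =='
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # provider metadata, not a registry value
        $tag = if (Test-SuspiciousCommand $p.Value) { '[CHECK]' } else { '       ' }
        Write-Host ("{0} {1}\{2} = {3}" -f $tag, $key, $p.Name, $p.Value)
    }
}

Write-Host "`n== WinINet proxy (the setting IE's LAN Settings dialog edits) =="
$inet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
if ($inet.ProxyEnable -eq 1) { Write-Host ("[CHECK] ProxyEnable=1  ProxyServer={0}" -f $inet.ProxyServer) }
else { Write-Host '        no proxy server configured' }
if ($inet.AutoConfigURL) { Write-Host ("[CHECK] AutoConfigURL={0}" -f $inet.AutoConfigURL) }

Write-Host "`n== hosts file entries that do not point at loopback =="
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
foreach ($raw in (Get-Content -Path $hostsPath)) {
    $line = ($raw -split '#')[0].Trim()                 # strip comments; skip blank lines
    if ($line -and $line -notmatch '^(127\.0\.0\.1|::1)\s') { Write-Host "[CHECK] $line" }
}

Write-Host "`n== Running services whose binary is outside %SystemRoot% or not marked Microsoft =="
foreach ($svc in (Get-WmiObject Win32_Service | Where-Object { $_.State -eq 'Running' -and $_.PathName })) {
    # PathName is either quoted ("C:\Program Files\x\y.exe" -arg) or bare (C:\WINDOWS\system32\svchost.exe -k netsvcs)
    $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split '\s')[0] }
    $company = ''
    if (Test-Path -LiteralPath $exe) { $company = (Get-Item -LiteralPath $exe).VersionInfo.CompanyName }
    $inSystemRoot = $exe -like "$env:SystemRoot\*"
    if (-not $inSystemRoot -or $company -notmatch 'Microsoft') {
        Write-Host ("[CHECK] {0,-25} {1}  ({2})" -f $svc.Name, $svc.PathName, $company)
    }
}
```

Save it as triage.ps1 and run `powershell -ExecutionPolicy Bypass -File .\triage.ps1` from an elevated prompt; on Windows XP, PowerShell is an optional download rather than built in, so the manual steps in the post remain the fallback. The version-info CompanyName check is read from the file itself and can be forged, which is why every hit is a [CHECK] to look at in Task Manager or services.msc rather than something to delete on sight.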



