
Security Tool virus is shutting me down in safe mode


10 replies to this topic

#1 ColonelSDx

ColonelSDx

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 06 October 2009 - 10:45 AM

I'm on a computer at school that has this virus. I'm currently on Windows XP Professional in Safe Mode with Networking.
To start, I removed the Windows Police Pro Virus yesterday from this same computer. Ran NOD32 to find/quarantine the infected files that wouldn't leave. (If possible, point me in a direction that can truly get rid of these files.)
This morning I came in, and there was a few more pop-up virus "warnings" from an application called "Security Tool". I knew it was a fake, but I jumped onto Google quickly to see the details.

A BSOD soon popped up. Googled that on a different computer, seeing as I couldn't do diddly squat on this one, and found it was just a fake SPCMDCON.SYS failure screen that, I guessed, was just incorporated with this virus, or a trojan that leaked its way onto the computer. (Which many have.) BUT I knew it was fake due to poor spelling. :thumbsup:

After numerous failed attempts to close the screen, because it kept blocking task manager, I opted for shutting down. As it was shutting down, though, it came up with a few error messages. "Taskkill.exe" was the title of the screen and I didn't really remember much else from the box. Regardless, I closed them all and restarted to see what I could see.
And wouldn't you know it, nothing would work. So I rebooted in safe mode with networking and I somehow got MBAM to install, BUT, now this lovely infection is cutting it off whenever I try to open it now. Along with Autoruns, NOD32 and CCleaner. I checked the processes in task manager, and it's not showing anything that looks out of the ordinary for safe mode/networking.

I thought I could handle this, but at the point that things started acting up in safe mode, I realized this was WAY way out of my league, and thought to turn to the experts.
In saying this, I realize that from whatever I did yesterday to fight off Windows Police Pro, I could have actually damaged this computer more.
The ultimatum my college tech guy came to was just trashing the hard drive and putting a new one in. But I believe in being able to salvage computers from the wreckage caused by people who need a lot less free time on their hands.
So to further my computer experience, I want to fight! :flowers:

Please help me!

Edit: Moved topic from XP to the more appropriate forum. ~ Animal


#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:01 PM

Posted 06 October 2009 - 02:10 PM

Hello and welcome, please try the procedure here... Remove Windows Police Pro (Removal Guide)
You can ask any questions here and post the scan log for review.
The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 ColonelSDx

ColonelSDx
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 06 October 2009 - 02:27 PM

That's actually what I used yesterday to get rid of Windows Police Pro. Step by step.
I think it got rid of it. But I was told it might not have completely. But regardless, that's not what I have now. It's "Security Tool". And I can't even open MBAM in safemode anymore. Any other suggestions?

#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:01 PM

Posted 06 October 2009 - 02:36 PM

Hi, I am suspecting a rootkit taking over here. This may not run either but we need to try.
We Need to check for Rootkits with RootRepeal
  • Download RootRepeal from the following location and save it to your desktop.
  • Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
  • Open RootRepeal on your desktop.
  • Click the [image] tab.
  • Click the [image] button.
  • Check all seven boxes: [image]
  • Push Ok
  • Check the box for your main system drive (Usually C:), and press Ok.
  • Allow RootRepeal to run a scan of your system. This may take some time.
  • Once the scan completes, push the [image] button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


#5 ColonelSDx

ColonelSDx
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 07 October 2009 - 07:37 AM

Well, I was hopeful there for a minute when I finally got it to download and open. BUT, in safe mode, yet again, it shut the program down. I thought it was just because of Safe Mode with Networking, so I restarted and threw it into normal Safe Mode. Now both MBAM and RootRepeal have been removed from my system. Should I try again to download and use? Because I have a really good feeling that it may just stop their use again. And again. And again.

Any other not-so-generalized-for-everyone advice you can give? Because I don't think that will work. :thumbsup:

EDIT: I got RootRepeal open and working. I'm sorry for my comment above. Just getting a little impatient with this computer, is all. I apologize.

I assume this is the report you wanted from it? If not, let me know.



ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 09:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7067000 Size: 98304 File Visible: No Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xF7BA2000 Size: 8192 File Visible: No Signed: -
Status: -

Name: rootrepeal.sys
Image Path: C:\WINDOWS\system32\drivers\rootrepeal.sys
Address: 0xF6655000 Size: 49152 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF79C0000 Size: 20480 File Visible: No Signed: -
Status: -

Name: win32k.sys:2
Image Path: C:\WINDOWS\win32k.sys:2
Address: 0xF7790000 Size: 61440 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Path: Volume C:\, Sector 3
Status: Sector mismatch

Path: Volume C:\, Sector 4
Status: Sector mismatch

Path: Volume C:\, Sector 5
Status: Sector mismatch

Path: Volume C:\, Sector 6
Status: Sector mismatch

Path: Volume C:\, Sector 7
Status: Sector mismatch

Path: Volume C:\, Sector 8
Status: Sector mismatch

Path: Volume C:\, Sector 9
Status: Sector mismatch

Path: Volume C:\, Sector 10
Status: Sector mismatch

Path: Volume C:\, Sector 11
Status: Sector mismatch

Path: Volume C:\, Sector 12
Status: Sector mismatch

Path: Volume C:\, Sector 13
Status: Sector mismatch

Path: Volume C:\, Sector 14
Status: Sector mismatch

Path: Volume C:\, Sector 15
Status: Sector mismatch

Path: Volume C:\, Sector 16
Status: Sector mismatch

Path: Volume C:\, Sector 17
Status: Sector mismatch

Path: Volume C:\, Sector 18
Status: Sector mismatch

Path: Volume C:\, Sector 19
Status: Sector mismatch

Path: Volume C:\, Sector 20
Status: Sector mismatch

Path: Volume C:\, Sector 21
Status: Sector mismatch

Path: Volume C:\, Sector 22
Status: Sector mismatch

Path: Volume C:\, Sector 23
Status: Sector mismatch

Path: Volume C:\, Sector 24
Status: Sector mismatch

Path: Volume C:\, Sector 25
Status: Sector mismatch

Path: Volume C:\, Sector 26
Status: Sector mismatch

Path: Volume C:\, Sector 27
Status: Sector mismatch

Path: Volume C:\, Sector 28
Status: Sector mismatch

Path: Volume C:\, Sector 29
Status: Sector mismatch

Path: Volume C:\, Sector 30
Status: Sector mismatch

Path: Volume C:\, Sector 31
Status: Sector mismatch

Path: Volume C:\, Sector 32
Status: Sector mismatch

Path: Volume C:\, Sector 33
Status: Sector mismatch

Path: Volume C:\, Sector 34
Status: Sector mismatch

Path: Volume C:\, Sector 35
Status: Sector mismatch

Path: Volume C:\, Sector 36
Status: Sector mismatch

Path: Volume C:\, Sector 37
Status: Sector mismatch

Path: Volume C:\, Sector 38
Status: Sector mismatch

Path: Volume C:\, Sector 39
Status: Sector mismatch

Path: Volume C:\, Sector 40
Status: Sector mismatch

Path: Volume C:\, Sector 41
Status: Sector mismatch

Path: Volume C:\, Sector 42
Status: Sector mismatch

Path: Volume C:\, Sector 43
Status: Sector mismatch

Path: Volume C:\, Sector 44
Status: Sector mismatch

Path: Volume C:\, Sector 45
Status: Sector mismatch

Path: Volume C:\, Sector 46
Status: Sector mismatch

Path: Volume C:\, Sector 47
Status: Sector mismatch

Path: Volume C:\, Sector 48
Status: Sector mismatch

Path: Volume C:\, Sector 49
Status: Sector mismatch

Path: Volume C:\, Sector 50
Status: Sector mismatch

Path: Volume C:\, Sector 51
Status: Sector mismatch

Path: Volume C:\, Sector 52
Status: Sector mismatch

Path: Volume C:\, Sector 53
Status: Sector mismatch

Path: Volume C:\, Sector 54
Status: Sector mismatch

Path: Volume C:\, Sector 55
Status: Sector mismatch

Path: Volume C:\, Sector 56
Status: Sector mismatch

Path: Volume C:\, Sector 57
Status: Sector mismatch

Path: Volume C:\, Sector 58
Status: Sector mismatch

Path: Volume C:\, Sector 59
Status: Sector mismatch

Path: Volume C:\, Sector 60
Status: Sector mismatch

Path: Volume C:\, Sector 61
Status: Sector mismatch

Path: Volume C:\, Sector 62
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkymyltexrt.dll]
Process: svchost.exe (PID: 808) Address: 0x00900000 Size: 53248

Object: Hidden Module [Name: gasfkylqbrsbpf.dll]
Process: svchost.exe (PID: 808) Address: 0x00c40000 Size: 24576

Object: Hidden Module [Name: gasfkymrryowil.dll]
Process: Explorer.EXE (PID: 1496) Address: 0x00de0000 Size: 32768

Object: Hidden Module [Name: gasfkymrryowil.dll]
Process: firefox.exe (PID: 352) Address: 0x013e0000 Size: 32768

==EOF==

Edited by ColonelSDx, 07 October 2009 - 08:25 AM.
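Reading a RootRepeal report by hand is tedious once the Hidden/Locked Files section runs to dozens of sector lines. The Python script below is an added example, not code from this thread or from RootRepeal itself: it parses a report laid out like the one above into its sections and summarises the findings a helper looks for, namely the MBR rootkit flag and the number of sector mismatches, drivers whose file is not visible on disk, and hidden modules grouped by module name with the process and PID each was found in. The SAMPLE_REPORT string is a constructed, shortened copy in the same layout, and the section and field names are assumed from that layout.

```python
"""Summarise a RootRepeal report (added example; not RootRepeal's own code)."""
import re
from collections import defaultdict

# Constructed sample in the layout of the report posted above (shortened).
SAMPLE_REPORT = r"""ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/10/07 09:21
Program Version: Version 1.3.5.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xF7067000 Size: 98304 File Visible: No Signed: -
Status: -

Name: win32k.sys:1
Image Path: C:\WINDOWS\win32k.sys:1
Address: 0xF79C0000 Size: 20480 File Visible: No Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: Volume C:\
Status: MBR Rootkit Detected!

Path: Volume C:\, Sector 1
Status: Sector mismatch

Path: Volume C:\, Sector 2
Status: Sector mismatch

Stealth Objects
-------------------
Object: Hidden Module [Name: gasfkymyltexrt.dll]
Process: svchost.exe (PID: 808) Address: 0x00900000 Size: 53248

Object: Hidden Module [Name: gasfkymrryowil.dll]
Process: Explorer.EXE (PID: 1496) Address: 0x00de0000 Size: 32768

==EOF==
"""

# "Key: Value" pairs; several may share one line ("Address: ... Size: ... File Visible: ...").
KV_RE = re.compile(r"([A-Za-z][A-Za-z ]*?): (.+?)(?= [A-Z][A-Za-z ]*?: |$)")
MODULE_RE = re.compile(r"Hidden Module \[Name: (.+?)\]")
PROCESS_RE = re.compile(r"(\S+) \(PID: (\d+)\)")


def parse_report(text):
    """Return {section: [record, ...]}; a record is the dict of Key: Value pairs
    from one blank-line-separated block. Section headers are the line before a
    dashed underline (assumed from the report layout)."""
    sections, current, block = {}, None, {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if re.fullmatch(r"-{5,}", line.strip()) and i > 0:
            if current is not None and block:
                sections[current].append(block)
            current, block = lines[i - 1].strip(), {}
            sections[current] = []
        elif current is None or line.startswith("==EOF=="):
            continue  # preamble before the first section, or end marker
        elif not line.strip():
            if block:  # blank line closes the current record
                sections[current].append(block)
                block = {}
        else:
            block.update(KV_RE.findall(line))
    if current is not None and block:
        sections[current].append(block)
    return sections


def summarize(sections):
    """Pull out the findings a helper acts on from the parsed sections."""
    files = sections.get("Hidden/Locked Files", [])
    mbr = any("MBR Rootkit" in r.get("Status", "") for r in files)
    mismatches = sum(r.get("Status") == "Sector mismatch" for r in files)
    hidden_drivers = [r["Name"] for r in sections.get("Drivers", [])
                      if r.get("File Visible") == "No"]
    modules = defaultdict(list)  # module name -> [(process, pid), ...]
    for r in sections.get("Stealth Objects", []):
        m = MODULE_RE.search(r.get("Object", ""))
        p = PROCESS_RE.search(r.get("Process", ""))
        if m and p:
            modules[m.group(1)].append((p.group(1), int(p.group(2))))
    return {"mbr_rootkit": mbr, "sector_mismatches": mismatches,
            "hidden_drivers": hidden_drivers, "hidden_modules": dict(modules)}


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run against the full report above (pasted into SAMPLE_REPORT or read from a file), the summary would report the MBR rootkit flag, 62 sector mismatches, and the gasfky* modules injected into svchost.exe, Explorer.EXE and firefox.exe, which is the picture the next reply in the thread reacts to.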


#6 DanCandy

DanCandy

  • Members
  • 8 posts
  • OFFLINE
  • Gender:Male
  • Location:Tampa, FL
  • Local time:12:01 AM

Posted 07 October 2009 - 09:11 AM

Looks like you're not the only one, you may be able to share useful information. Below is the link to the other thread on this topic:

http://www.bleepingcomputer.com/forums/t/262647/security-tool-cant-get-rid-of-it/

#7 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:01 PM

Posted 07 October 2009 - 09:26 AM

Hello, your system is carrying a rootkit: gasfkymyltexrt.dll

The rootkit itself is a protection module used to terminate a variety of security tools by changing the permissions on targeted programs so that they cannot run or complete scans. There are some new variants of rootkits in the wild right now that will require custom scripts to remove the infection; the process must be completed by HJT team members or above.

Failure to follow the proper removal process can and will cause serious damage to a machine. Recovery of the machine may be difficult, if not impossible.


Download this Utility and save it to your Desktop.
Double-click the Utility to run it and let it finish.
When it states Finished! Press any key to exit, press any key to close the program.
It will save a .txt file to your desktop automatically. Double-click on the Win32kDiag.txt file that is located on your Desktop and post the entire contents of that log as part of the reply in the topic you will create below.

Next please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the above Win32kDiag.exe log and your RootRepeal log.

Let me know how that went.

#8 ColonelSDx

ColonelSDx
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 07 October 2009 - 10:23 AM

I downloaded the Utility and tried to run it. It came up with an error:

[image: screenshot of the error]

I may have done something wrong in the process. Help?

#9 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,573 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:11:01 PM

Posted 07 October 2009 - 10:52 AM

Is this a work or school PC?

System Repair Engineer
  • Please download System Repair Engineer from here
  • Unzip/extract sreng2.zip to a folder on your desktop
  • Double-click on SREngLdr.EXE to launch System Repair Engineer
  • Click the Smart Scan Icon
  • Click Scan
  • Wait for the scan to finish
  • Click on the Save Reports button
  • Save it to your desktop, using the recommended name of SREngLOG.log
  • Close System Repair Engineer
  • Use notepad to open the SREngLOG.log file
  • Copy & paste the contents of that file as a reply to this topic
  • Note: The log may be long, and you may need several posts to post all of it
  • If you are using a custom HOSTS file, please leave out the HOSTS File section, as it will make the log far too long
Next please go here HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post the RootRepeal log and the above log.
Important: Be sure to mention that you tried to follow the Prep Guide but were unable to get DDS to run.

Let me know how that went.

#10 ColonelSDx

ColonelSDx
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 07 October 2009 - 12:04 PM

Is this a work or school PC?

I'm on a school computer. I know it's not my place to be working on it, but the school tech gave me the go-ahead. So this is a side-project I decided to work on other than my schoolwork. I didn't want to give up, and I want to make it easier for my peers to work in the classroom. :thumbsup:

#11 ColonelSDx

ColonelSDx
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:11:01 PM

Posted 07 October 2009 - 01:28 PM

And again, another failure. :thumbsup: This time, it would not let me extract the files.

[image: screenshot of the error]

A problem I will resolve with your help tomorrow at school.



