
Security Tool is killing me


10 replies to this topic

#1 jfh2c


Posted 12 October 2009 - 10:39 PM

Somehow I got Security Tool on my computer, and it won't let me open any program that would have any chance of deleting it.

Even when I rename Malwarebytes it still won't let it open.

Any ideas on how I could fix this?

Thanks in advance.



#2 quietman7


Posted 13 October 2009 - 07:16 AM

Some rootkits can terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Further investigation is required to determine if this is the case with the issues you have described.

Please download Win32kDiag.exe by AD and save it to your desktop.
alternate download 1
alternate download 2
  • This tool will create a diagnostic report for me to review.
  • Double-click on Win32kDiag.exe to run and let it finish.
  • When it states Finished! Press any key to exit..., press any key on your keyboard to close the program.
  • A file called Win32kDiag.txt should be created on your Desktop.
  • Open that file in Notepad, then copy and paste the entire contents (starting with Running from... to Finished!) in your next reply.
Then go to Start > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

-- Vista users can refer to these instructions to open a command prompt.
.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 nofomg


Posted 13 October 2009 - 08:05 AM

I had this Security Tool virus. Here is how I got rid of it.

*I was unable to use Mbam or Win32KDiag* I'm on a work computer and I didn't have the correct permissions.

1. Shut your computer down completely, then restart.

2. As soon as it comes back up to the desktop, get the Task Manager up. (Make sure you do it before everything starts loading.)

3. Let the computer load regularly and everything will come up (including Security Tool).

4. Go to the Task Manager, click the "Processes" tab, then look for a process that is just a string of numbers. (It was 70843325.exe for me but it seems to be different for everyone.) *WRITE THE NUMBER DOWN*

5. Right-click the process and tell it to "End Process Tree".
This will shut the Security Tool program down.

6. Then you can go into the C drive and find the Security Tool folder in C:\Documents and Settings\All Users\Application Data (if you can't see the folder "Application Data" you need to enable hidden files).

*If you can't see hidden files* go to the top of the window and click Tools, go to Folder Options, click the View tab and under Hidden files and folders click Show hidden folders.

7. Then you will see a folder with the same name *number you saved* as the process you just ended. Inside will be Security Tool. Delete the whole folder.

8. Next go into Search and type the *number you saved* and do a scan for all files and folders. Go into Advanced and check all system files, hidden files and subfolders. Let it scan. It should find a file; go and delete that as well.

9. Restart the computer. **Just be sure to bring up the Task Manager as soon as possible when the computer loads to make sure Security Tool doesn't start up.**

Once you have finished all of the previous steps, continue with the steps below.

Then download SUPERAntiSpyware.


DO NOT run yet.
Open SUPER from icon and install and Update it
Under Scanner Options make sure the following are checked (leave all others unchecked/Uncheck them):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program.


Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive. (if you have a back up drive scan that as well)
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally



Quotes taken from http://www.bleepingcomputer.com/forums/t/259578/total-security-2009-browser-bug/

#4 quietman7


Posted 13 October 2009 - 08:26 AM

nofomg, I already addressed this with you here:

There are various types of malware which can cause similar symptoms. Depending on the exact type of infection, that method may not work. Win32KDiag.exe was designed for a specific infection that affects a program's permissions and its log will confirm it. Once confirmed, there are other specialized tools which need to be utilized in order to completely remove it.

http://www.bleepingcomputer.com/forums/ind...t&p=1452790

#5 jfh2c


Posted 13 October 2009 - 10:31 PM

Thanks, but when I try to run Win32kDiag.exe it just pops up a little black box really quick and it immediately closes. It doesn't leave any sort of log as I don't think the program ever actually runs.

I also can't get the command prompt to open. It just pops up really quick and then closes.

Are there any other possible solutions?

Thanks again.

Edited by jfh2c, 13 October 2009 - 10:42 PM.


#6 quietman7


Posted 14 October 2009 - 08:35 AM

Go to Start > Run..., and copy and paste this command into the open box: cmd
press OK.
At the command prompt C:\>, copy and paste the following command and press Enter:
DIR /a/s %windir%\scecli.dll %windir%\netlogon.dll %windir%\eventlog.dll >Log.txt & START notepad Log.txt
A file called log.txt should be created on your Desktop and open in Notepad.
Copy and paste the contents of that file in your next reply.

-- Vista users can refer to these instructions to open a command prompt.

Alternatively, you can do this:

Please download peek.bat and save it to your Desktop. Double-click on peek.bat to run it. A black Command Prompt window will appear indicating the program is running. Once it is finished, copy and paste the entire contents of the Log.txt file it creates in your next reply.

If you encounter a problem downloading or getting peek.bat to run, go to Start > Run..., and in the open box, type: Notepad
  • Click OK.
  • Copy and paste everything in the code box below into the Untitled - Notepad.
@ECHO OFF
DIR /a/s C:\WINDOWS\scecli.dll C:\WINDOWS\netlogon.dll C:\WINDOWS\eventlog.dll C:\Windows\cngaudit.dll >Log.txt
START Log.txt
DEL %0
  • Go to File > Save As, click the drop-down box to change the Save As Type to All Files and save it as "peek.bat" on your desktop.
  • Double-click peek.bat to run the script.
  • A window will open and close quickly, this is normal.
  • A file called log.txt should be created on your Desktop.
  • Open that file and copy/paste the contents in your next reply.
-- Vista users can refer to these instructions to Run a Batch File as an Administrator.

#7 LollieOllie


Posted 14 October 2009 - 09:26 AM

Somehow I got Security Tool on my computer, and it won't let me open any program that would have any chance of deleting it. Even when I rename Malwarebytes it still won't let it open. Any ideas on how I could fix this? Thanks in advance.



Renaming MBAM didn't work for me either. Renaming didn't fool SecurityTools.

I downloaded HijackThis to a thumb drive on a clean computer. Before I downloaded it, though, I changed the name to explore.exe. Running HijackThis and making the correction it suggested allowed me to later use Malwarebytes.

Here is what finally worked:
From my clean computer I downloaded "HijackThis" to a thumb drive, but before saving HijackThis.exe, I renamed it as explorer.exe.

I stuck the thumb drive into the infected computer, and sent (HijackThis.exe) disguised as explorer.exe to the infected computer's desktop.


Since this bad spyware Security Tool hid our desktop icons, I had to right-click on the Windows task bar, and then click Show Desktop so that the desktop icons would appear. (Hint: right-click on the Windows task bar and in the pop-up you will see "show desktop icons".)

Now that I could see the desktop icons I saw the icon for the spyware SecurityTools. Of course deleting the icon would do nothing but delete the shortcut. But when I right-clicked on it I found clues in the properties: The nasty booger was... C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe So now I knew where the spyware was and the important number 94345126 (note this number varies... your number will probably be an 8 digit number, just right-click on the SecurityTools icon and write down your number).

As the desktop icons were now visible I clicked on the desktop icon for HijackThis.exe that I had falsely named explorer.exe and ran it. I did a system scan only. I looked at the log and found O4 – HKLM\..\Run: [94345126] C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe.
I put a checkmark in this and pressed the "fix checked" button.

After HijackThis.exe did its magic on O4 – HKLM\..\Run: [94345126] C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe, I could now run the Malwarebytes that I had previously downloaded to a thumb drive.

Malwarebytes found (4) problems which I fixed with Malwarebytes. I then cleaned out my son's recycle bin.

His laptop is now free from this menace SecurityTools.

I don't think Security Tool is a virus, just a really bad spyware. So far (since I have removed it) it doesn't appear to have caused any damage.

I had never heard of "HijackThis" until today. (See Go.TrendMicro.com.) I had used Malwarebytes a few years ago. I recommend downloading this from CNET, because you never know what you are getting anywhere else.
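
Added example, not part of any post in this thread: both nofomg's steps and LollieOllie's post key on the same pattern, an all-digit folder under "Application Data" holding an .exe of the same name, started from a Run entry. The Python sketch below scans HijackThis O4 lines for that pattern; the function names and the sample log are constructed for illustration, and only the 94345126 entry comes from the thread.

```python
import re

# HijackThis "O4" autorun line: O4 - HKLM\..\Run: [value name] command
# The dash class also accepts an en dash, which pasted logs sometimes carry.
O4_RE = re.compile(
    r"^O4\s*[-\u2013]\s*(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+):"
    r"\s*\[(?P<name>[^\]]*)\]\s*(?P<cmd>.+)$"
)
# An all-digit folder under "Application Data" holding an .exe with the same digits.
DROP_RE = re.compile(r"\\Application Data\\(?P<num>\d+)\\(?P=num)\.exe", re.IGNORECASE)


def parse_o4(line):
    """Return hive, key, value name and command of an O4 line, or None."""
    m = O4_RE.match(line.strip())
    return m.groupdict() if m else None


def flag_numeric_autoruns(log_text):
    """Return O4 entries whose command is a same-named numeric folder/exe pair."""
    findings = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue  # not an autorun line
        hit = DROP_RE.search(entry["cmd"])
        if hit is None:
            continue  # autorun, but not the numeric drop pattern
        entry["number"] = hit.group("num")
        # In the thread's entry the Run value name was the same number.
        entry["name_matches"] = entry["name"] == hit.group("num")
        findings.append(entry)
    return findings


# Constructed sample log; only the 94345126 line is taken from the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis (constructed sample)
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe" /background
O4 - HKCU\..\Run: [Backup2009] C:\Tools\2009\backup.exe
O4 – HKLM\..\Run: [94345126] C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe
"""

if __name__ == "__main__":
    for e in flag_numeric_autoruns(SAMPLE_LOG):
        print(f"{e['hive']}\\..\\{e['key']} [{e['name']}] -> {e['cmd']}")
```

A match only says the entry fits the naming pattern described in this thread; as quietman7 notes, similar symptoms can come from other infections, so a hit is a lead for the log review rather than a verdict.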

#8 jfh2c


Posted 14 October 2009 - 01:10 PM

Any time I try to open the command prompt or any of the programs that use the command prompt it will not open all the way.

I get the feeling Security Tool is closing the command prompt window before anything else will get started. It won't let me boot into Safe Mode or open any program that could clean my PC.

I am going to give LollieOllie's suggestion a try, but I have to get access to another computer. Are there any other ideas that I would be able to work using only the infected computer?

#9 quietman7


Posted 14 October 2009 - 01:43 PM

Does that include peek.bat ?

#10 jfh2c


Posted 14 October 2009 - 04:39 PM

Even peek.bat won't work. It will open, but as soon as it opens it closes again.

#11 quietman7


Posted 14 October 2009 - 09:33 PM

Some infections are difficult to remove completely because of their morphing characteristics, which allow the malware to regenerate itself. Sometimes there is a hidden piece of malware (i.e. rootkit) which has not been detected by your security tools that protects malicious files and registry keys so they cannot be permanently deleted. Other rootkits can even terminate your security tools by changing the permissions on targeted programs so that they cannot run or complete scans. Disinfection will probably require the use of more powerful tools than we recommend in this forum. Before that can be done you will need to create and post a DDS/HijackThis log for further investigation.

Please read the pinned topic titled "Preparation Guide For Use Before Posting A Hijackthis Log". If you cannot complete a step, then skip it and continue with the next. In Step 6 there are instructions for downloading and running DDS which will create a Pseudo HJT Report as part of its log.

When you have done that, post your log in the HijackThis Logs and Malware Removal forum, NOT here, for assistance by the HJT Team Experts. A member of the Team will walk you through, step by step, on how to clean your computer. If you post your log back in this thread, the response from the HJT Team will be delayed because your post will have to be moved. This means it will fall in line behind any others posted that same day.

Start a new topic, give it a relevant title and post your log along with a brief description of your problem, a summary of any anti-malware tools you have used and a summary of any steps that you have performed on your own. An expert will analyze your log and reply with instructions advising you what to fix. After doing this, we would appreciate it if you post a link to your log back here so we know that you're getting help from the HJT Team.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT "bump" your post or make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work may assume another HJT Team member is already assisting you and not open the thread to respond.