
RKILL not stopping Security Tool processes


6 replies to this topic

#1 glenvee

glenvee

  • Members
  • 4 posts

Posted 24 February 2010 - 03:58 PM

Working today on a Windows 7 Starter Acer Netbook that became infected with Security Tool. I've followed your tutorials before, and am familiar with using RKILL to end the malware processes. I attempted to follow the procedure in your tutorial for this malware:

Remove Security Tool and SecurityTool (Uninstall Guide)
http://www.bleepingcomputer.com/virus-remo...e-security-tool

However, RKILL could not run. Even leaving the malware's messages on-screen did not allow RKILL to complete. A "DOS box" would appear momentarily, then close. The Security Tool pop-ups would continue, regardless, and renaming mbam setup to explorer still would not allow the installer to run because the malware process was still running. Task Manager would not open.

I had to start in Safe Mode. When I ran RKILL there, it did not find any malware processes running, and I was able to remove Security Tool. I can now continue repair in normal mode.

Just passing this along....the RKILL tool may need to be updated again, or the removal instructions appended to include removal in Safe Mode.

Thanks for your great guides and tools.

Edited by glenvee, 25 February 2010 - 02:51 PM.




#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,316 posts
  • Gender:Female
  • Location:Romania

Posted 24 February 2010 - 04:25 PM

As no logs have been posted, I am shifting this topic from the specialized Malware Removal forum to the Am I Infected forum.

==>PLEASE DO NOT NOW POST LOGS<== unless a log is specifically requested.

Please describe the issues you are experiencing with your computer.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 glenvee

glenvee
  • Topic Starter


Posted 24 February 2010 - 04:54 PM

Huh? I'm not asking for any help here...I am reporting a discrepancy in the online tutorial. This is the group the notice on the web page stated to use to report such things...go look at the bottom of the tutorial web page.

"If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you."
The embedded link in that line on the web page is:
http://www.bleepingcomputer.com/forums/f/25/antivirus-firewall-and-privacy-products-and-protection-methods/

I clicked the link in the bottom of the tutorial to come here and report the discrepancy.

As I stated, I am cleaning a client's netbook, which has Security Tool "fake AV" malware on it. I am following your tutorial to do the immediate cleaning, and wanted to let you know RKILL could not run, so apparently this malware has learned a way around it since the tutorial was written. That is not unusual.

#4 Elise


Posted 25 February 2010 - 03:04 AM

Hello,

Yes, I see, strange that the topic ended up in the wrong forum :thumbsup:

I'll notify Grinler of this issue. However, often malware invites friends. Those "friends" might very well prevent tools like RKill from running.

Anyway, I'm glad to hear you got it fixed in the end. Please let me know if you have any more questions!

regards, Elise




#5 glenvee


Posted 25 February 2010 - 11:53 AM

Yes, that was my first thought, but no friends were found...just Security Tool. No matter what I did, leaving the messages on-screen still did not allow RKILL to run and the processes were never killed. I don't know how Grinler keeps up with these nasties!

Note that running a FULL scan with MBAM in Safe Mode took only 15 or 20 minutes, and removed Security Tool. When I booted into normal mode, I ran an MBAM full scan again and it took an hour and a half, and found nothing else.

Apparently though, it's a good idea to run it again in normal mode, as it must have scanned more files and processes than in Safe Mode.

#6 Elise


Posted 25 February 2010 - 12:23 PM

MBAM is designed to be run in normal mode. It does not just scan files, it also scans processes, services and so on. There are a lot more of those running in Normal mode, so that's why the scan takes a longer time in normal mode.

regards, Elise




#7 glenvee


Posted 25 February 2010 - 02:56 PM

Ahhh...thank you.

<aside>
I see, looking at my forum info, that it has me as joining yesterday. I actually joined nearly 2 years ago....yesterday I changed my email address here and the date info changed. I wish I could do that with my age also!
:thumbsup:
</aside>



