"Security Tool" Program Infected Computer


4 replies to this topic

#1 Flags Real Estate

Posted 25 October 2010 - 04:17 PM

Operating system: Vista

Infected with "Security Tool" program.

Cannot stop with rkill, nor can I scan with mbam.exe by following your directions. We tried all the versions of rkill including the renamed ones, and the DOS screen flashes quickly and quits, and the Security Tool program keeps on saying such and such file is infected with ____ virus, as it is trying to obtain credit card info. The mbam program will not load or run at all. We also tried System Restore but it would not work, and tried to go to Symantec's site to scan the computer but the computer would not allow download of ActiveX to start the scan. Sometimes we get a blue screen of death and have to reboot, after which the stupid program starts again saying 34 files are infected.

Please help as our payroll needs to go out and it is only on the infected computer.

#2 Orange Blossom (Moderator)

Posted 25 October 2010 - 10:22 PM

Hello,

Because of the sensitive nature of the information on this computer, please disconnect it from the internet. Also, if it is networked to other computers, you need to isolate it to keep the infection from spreading to the other computers.

Please follow the instructions in This Guide. If you cannot complete a step, skip it and continue.

Once the proper logs are created, then make a NEW TOPIC and post it HERE. Please include a description of your computer issues and what you have done to resolve them.

If you can produce at least some of the logs, then please create the new topic and explain what happens when you try to create the log(s) that you couldn't get. If you cannot produce any of the logs, then still post the topic and explain that you followed the Prep. Guide, were unable to create the logs, and describe what happens when you try to create the logs.

Orange Blossom

Edited by Orange Blossom, 25 October 2010 - 10:32 PM.


#3 DoubleDB

Posted 26 October 2010 - 01:44 AM

Security Tool infection...
My system: Windows 7

I just cleaned this infection from one of the computers in our small office network (three computers) YESTERDAY. I had exactly the same problems you describe: "SECURITY TOOL" virus warnings and multitudes of pop-up warnings of a "worm trying to send my credit card details using...", the blue screen, restarts, pop-ups making it difficult to read anything behind it, etc. Like you, the infection would not allow me to run rkill at all, let alone get to the anti-malware application. Here's what I did:

Using another computer, I downloaded the following FIVE files to a USB flash-drive:

  • rkill.com MS-DOS Application file ... stops the SECURITY TOOL infection from interfering with the cleaning procedure; that's what's happening when you see the rkill black box pop up and then it is immediately shut off by the infection
  • mbam-setup.exe Malwarebytes' Anti-Malware Application file ... will locate infected files and quarantine (remove) them
  • Malwarebytes Anti-Malware 2nd (replacement) Application file (don't forget to write down the random filename) ... will replace a core part of Malwarebytes that the infection will destroy before Malwarebytes gets it
  • hostsperm.bat a Windows Batch File ... Security Tool infection changed your Windows "Hosts" file to keep you from going in and changing 'their' settings; this file changes the permission back to you!
  • appropriate hosts file for your operating system ... to replace the infected files you will have deleted with these new CLEAN files

Of course I was worried about downloading and introducing even more problems to that computer so was VERY cautious about copying the above five files. Fortunately, my new BEST FRIEND & SUPER HERO (he doesn't know it) Grinler had detailed instructions, including safe links to download the files I needed, in the forums of this web site: http://www.bleepingcomputer.com/virus-removal/remove-security-tool

NOW: The ONLY WAY I could use rkill was to open the computer in safe mode. I left the computer in safe mode all the way through the instructions detailed by Grinler and had no problems. Peace and quiet helps because there are a fair amount of details (sounds like you've been there though). It worked: malwarebytes found 5 files infected. That computer doesn't have a huge amount of information on it and took about 50-60 minutes to run the full scan.

After the infected files were removed, I regained permissions to change my hosts file, deleted the old hosts file and replaced it with the new hosts file for my version of Windows.

I was feeling pretty confident in fixes but was still super-relieved when I restarted computer in regular mode and did NOT have pop-ups: Hallelujah!

I DID have one problem that gave me additional worry: when I tried to connect to internet (we use a wireless router connected to satellite) I kept getting this message:
The remote device or resource won't accept the connection. The device or resource (www.microsoft.com) is not set up to accept connections on port "The World Wide Web service (HTTP)".
It was late and I was exhausted so stressed about it most of the night. After an online search, I found that security fixes or updates can change the way your computer connects to the internet and located this wonderfully simple fix:

  • IE > Tools > Internet Options > Connections > click on LAN settings > uncheck the proxy server settings > make sure Automatically detect settings is checked > OK
  • Refresh

Everything appeared to be working great but I decided to follow the advice I'd read on another site to run the malwarebytes one more time to be sure there were no more infected files: I just ran the mbam-setup.exe file and found no other infected files.

The forums on this site have helped me NUMEROUS times and though I had never registered, when I saw your post I knew it was pay-back time! I truly hope this helps you.
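The two manual repairs DoubleDB describes above, regaining control of a hosts file whose permissions the rogue changed and clearing the proxy setting that made the browser report "The remote device or resource won't accept the connection", can be done and checked from one elevated PowerShell prompt. The script below is an added example written for this page; it is not from the original thread, from hostsperm.bat, or from the linked BleepingComputer guide. It assumes the default hosts path, the per-user WinINET proxy values under HKCU, and a switch I named -RestoreDefault; run it only after rkill and Malwarebytes have stopped the rogue, because Security Tool kills tools it sees running.

```powershell
<#
  Added example, not code from the original thread or the linked removal guide.
  Audits and repairs the two Security Tool side effects that post #3 fixed by hand:
    1. a hosts file whose permissions were changed so the owner could not edit it,
    2. an Internet Explorer proxy setting left behind that blocked web access.
  Assumptions (mine, not the thread's): default hosts path, the per-user WinINET
  proxy values under HKCU, and the switch name -RestoreDefault.
  Run from an elevated PowerShell prompt once rkill/MBAM have stopped the rogue.
#>
param(
    [switch]$RestoreDefault   # overwrite hosts with the stock loopback entries
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$proxyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

# --- 1. Regain control of the hosts file (the job hostsperm.bat does) ---------
# takeown and icacls ship with Vista/7; this gives Administrators full control
# so the file can be read, edited or replaced again.
& takeown.exe /f $hostsPath | Out-Null
& icacls.exe  $hostsPath /grant 'Administrators:F' /c | Out-Null

# --- 2. Flag every active mapping that is not a plain localhost entry ---------
# On a clean Vista/7 install the only uncommented lines (if any) map localhost
# to 127.0.0.1 or ::1. Rogue AV adds lines that send other names, typically
# security vendors' sites, somewhere else, so anything beyond that is worth
# reading by hand before you delete the file.
$loopback   = @('127.0.0.1', '::1')
$suspicious = @()
foreach ($raw in Get-Content -Path $hostsPath -ErrorAction Stop) {
    $line = ($raw -split '#', 2)[0].Trim()        # drop trailing comments
    if ($line -eq '') { continue }
    $fields = $line -split '\s+'
    $ip     = $fields[0]
    $names  = @($fields | Select-Object -Skip 1)
    $bad    = ($loopback -notcontains $ip) -or
              ($names.Count -eq 0) -or
              (@($names | Where-Object { $_ -ne 'localhost' }).Count -gt 0)
    if ($bad) { $suspicious += $line }
}
if ($suspicious.Count -gt 0) {
    Write-Warning 'Non-default hosts entries found:'
    $suspicious | ForEach-Object { Write-Warning "  $_" }
} else {
    Write-Host 'hosts file contains only localhost entries.'
}

# --- 3. Optionally replace the file with the stock contents -------------------
# Post #3 copied a clean hosts file from another machine; the stock file is
# just these two mappings plus comments, so writing them is equivalent.
if ($RestoreDefault) {
    Set-Content -Path $hostsPath -Value @('127.0.0.1 localhost', '::1 localhost') -Encoding Ascii
    Write-Host 'hosts file reset to default.'
}

# --- 4. Check and clear a leftover proxy (the IE LAN settings fix) ------------
# Post #3 unchecked "Use a proxy server" in IE > Tools > Internet Options >
# Connections > LAN settings. Those checkboxes are backed by these values;
# AutoConfigURL is the "Use automatic configuration script" field, which a
# rogue can also point at itself, so it is checked and cleared too.
$p = Get-ItemProperty -Path $proxyKey
if ($p.ProxyEnable -eq 1 -or $p.AutoConfigURL) {
    Write-Warning ("Proxy configured: ProxyServer='{0}' AutoConfigURL='{1}'" -f $p.ProxyServer, $p.AutoConfigURL)
    Set-ItemProperty    -Path $proxyKey -Name ProxyEnable   -Value 0
    Remove-ItemProperty -Path $proxyKey -Name ProxyServer   -ErrorAction SilentlyContinue
    Remove-ItemProperty -Path $proxyKey -Name AutoConfigURL -ErrorAction SilentlyContinue
    Write-Host 'Proxy disabled; restart the browser and retry http://www.microsoft.com.'
} else {
    Write-Host 'No proxy configured for this user.'
}
```

Run it once without the switch to see what the hosts file actually contains and whether a proxy is set; if the only flagged lines are rogue entries, run it again with -RestoreDefault. The proxy values are per user, so if several people log on to the cleaned machine, check each account, and note that the "Automatically detect settings" checkbox DoubleDB re-enabled lives in a binary blob this script does not touch, so confirm it in the IE dialog.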

#4 Flags Real Estate (Topic Starter)

Posted 26 October 2010 - 11:45 AM

Thank you both for your help. I downloaded to a flash drive all of the rkill name variations and the mbam program from a noninfected computer and then used the flash drive on the infected computer. I ran all name variations of rkill as administrator, and the Security Tool virus continued doing its thing, scanning and popping up windows, etc. I also tried to run mbam setup but it would not install. Finally, I decided to see if I could do a comprehensive scan with Norton. As it was scanning, it quit somewhere in the middle and the blue screen of death popped up, and before we could see what it said the computer restarted itself. Well, believe it or not, frustration levels were very high, so we decided to log off, and this morning when we started it, the Security Tool virus was gone. We are in the process of scanning it from the Norton/Symantec website to see if it finds any infected files. Quite strange, huh? Do we assume that the virus is gone if the Norton scan from the internet shows no infections? Should we try installing Malware Antispyware (mbam) again?

#5 boopme (Global Moderator)

Posted 26 October 2010 - 12:28 PM

I think you (both) should still run these.

Next, run ATF and SAS. If you cannot access Safe Mode, run in normal mode, but let me know.

Note: On Vista, "Windows Temp" is disabled. To empty "Windows Temp" ATF-Cleaner must be "Run as an Administrator".

From your regular user account:
Download Attribune's ATF Cleaner and then SUPERAntiSpyware, Free Home Version. Save both to the desktop.
DO NOT run yet.
Open SUPER from the icon, install it and update it.
Under Scanner Options make sure the following are checked (leave all others unchecked):
Close browsers before scanning.
Scan for tracking cookies.
Terminate memory threats before quarantining.
Click the "Close" button to leave the control center screen and exit the program. DO NOT run yet.

Now reboot into Safe Mode: How to enter safe mode (XP)
Using the F8 Method
Restart your computer.
When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
Select the option for Safe Mode using the arrow keys.
Then press Enter on your keyboard to boot into Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main "Select Files to Delete" choose: Select All.
Click the Empty Selected button.

If you use Firefox or Opera browser click that browser at the top and choose: Select All
Click the Empty Selected button.
If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

NOW Scan with SUPER
Open from the desktop icon or the program Files list
On the left, make sure you check C:\Fixed Drive.
Perform a Complete scan. After the scan, verify they are all checked.
Click OK on the summary screen to quarantine all found items.
If asked if you want to reboot, click "Yes" and reboot normally.

To retrieve the removal information after reboot, launch SUPERAntispyware again.
Click Preferences, then click the Statistics/Logs tab.
Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
If there are several logs, click the current dated log and press View log.
A text file will open in your default text editor.
Please copy and paste the Scan Log results in your next reply.
Click Close to exit the program.


Please ask any needed questions, post logs and let us know how the PC is running now.