Security Tool Virus



B.M.
04-01-2010, 09:56 AM
Guys, I've just been hit by this Security Tool Virus. :mad:

Don't know where it came from, but it just marched past all security, installed itself, and went about telling me about all the infections it had found on my computer. :crying

Great, I suppose there's a first for everything.

Anyway, it completely took over and refused to let me do anything until I'd agreed to tidy up my act. I picked that it wanted to run another executable, so I refused, but I couldn't close it down. It didn't appear in Task Manager, so I couldn't kill it from there. I then moved the windows around until I could open MalwareBytes, and that got up to 5 infections before the computer crashed and restarted.

Back to square one.

So I restarted the computer in Safe Mode and ran MalwareBytes from there. Fortunately, Security Tool didn't start in Safe Mode. MalwareBytes found 14 infections which it says it's fixed, and so far that appears to be the case because we appear to be back to normal.

However, reading about this pest via Google, it appears it is a sod to completely eradicate and is likely to reappear. :groan:

Anyone had first-hand experience with this sod and a trusted fix? :thanks

Speedy Gonzales
04-01-2010, 10:00 AM
Run and update Trojan Remover as well. Then select all options under the Utilities menu.

wainuitech
04-01-2010, 10:30 AM
Run SuperAntiSpyware (full scan mode) & Spybot S&D as well; they sometimes pick up more infections that Malwarebytes misses.

scottwww
04-01-2010, 04:31 PM
Start up in Safe Mode.
Go to Start, then Run, and type "msconfig".
Go to the Startup tab and disable all; only click your AV program.

Restart.
Google "combofix.exe", download it, and run it - takes a bit of time :sleep
Google "hijackthis.exe", download it, and run it.
Remove anything that looks bad, or copy and paste the info into this website to tell which is bad: www.hijackthis.de

Run Malwarebytes and SuperAntiSpyware - basic scan, at the same time.
If there are issues, run the full scan too for both.

Run CCleaner.
Run Spybot.

Go to www.eset.com and click on the right on "Online Scanner".

All this will remove all possible issues.

Richard Scott

B.M.
04-01-2010, 08:41 PM
Jeeeez, she's a beauty this one.

12 f'n hours and I've finally got rid of all visible signs and get a clean bill of health from MalwareBytes, SuperAntiSpyware, HijackThis and AVG.

However, the LAN light on my modem is blinking flat out continuously.

So, something is still hidden that is trying to call home or somewhere.

Any suggestions how to trace the culprit? :thanks

I’m on my laptop at the moment.
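
Tracing what a continuously blinking LAN light is talking to, as an added example that is not part of the original post: on XP the usual first move is `netstat -ano` (every socket with the PID that owns it) and `tasklist` (the processes the system will admit to). The Python script below parses constructed samples of both outputs, reports active sockets to non-local addresses together with the process name behind them, and lists PIDs that own sockets but are missing from the process list, which is the "doesn't appear in Task Manager" symptom described earlier in the thread. The sample rows, PIDs and process names are made up for illustration, and 203.0.113.x / 198.51.100.x are documentation address ranges standing in for whatever an infected box would really be contacting.

```python
import ipaddress
import re
from collections import namedtuple

# Constructed sample of `netstat -ano` output (XP format); not a real capture.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    192.168.1.5:1045       192.168.1.1:53         ESTABLISHED     1120
  TCP    192.168.1.5:1061       203.0.113.45:80        ESTABLISHED     1532
  TCP    192.168.1.5:1062       203.0.113.45:80        SYN_SENT        1532
  TCP    192.168.1.5:1070       198.51.100.9:443       ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample of `tasklist` output. PID 2212 is deliberately absent:
# it owns a socket above but is not in the visible process list.
TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System Idle Process              0 Console                    0         28 K
System                           4 Console                    0        236 K
svchost.exe                    988 Console                    0      4,932 K
svchost.exe                   1120 Console                    0      3,104 K
firefox.exe                   1532 Console                    0     41,200 K
"""

Conn = namedtuple("Conn", "proto local remote state pid")

# Ranges that are not "calling home": RFC 1918, loopback, link-local, unspecified.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

TASKLIST_ROW = re.compile(r"^(.+?)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K$")


def parse_netstat(text):
    """Parse `netstat -ano` rows into Conn tuples; header and blank lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue
        if parts[0] == "TCP":            # TCP rows carry a State column
            proto, local, remote, state, pid = parts[:5]
        else:                            # UDP rows have no State column
            proto, local, remote, pid = parts[:4]
            state = ""
        conns.append(Conn(proto, local, remote, state, int(pid)))
    return conns


def parse_tasklist(text):
    """Map PID -> image name from `tasklist` output."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_ROW.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).strip()
    return procs


def is_external(addr):
    """True if addr ('ip:port') points at a host outside LOCAL_NETS."""
    host = addr.rsplit(":", 1)[0]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:                   # '*' or a hostname
        return False
    return not any(ip in net for net in LOCAL_NETS)


def external_connections(netstat_text, tasklist_text):
    """(Conn, image name or None) for active sockets to non-local hosts."""
    procs = parse_tasklist(tasklist_text)
    return [(c, procs.get(c.pid)) for c in parse_netstat(netstat_text)
            if c.state in ("ESTABLISHED", "SYN_SENT") and is_external(c.remote)]


def hidden_pids(netstat_text, tasklist_text):
    """PIDs that own sockets but are missing from the process list."""
    procs = parse_tasklist(tasklist_text)
    return sorted({c.pid for c in parse_netstat(netstat_text) if c.pid not in procs})


if __name__ == "__main__":
    for conn, image in external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE):
        print(f"{conn.proto} {conn.local} -> {conn.remote} {conn.state} pid={conn.pid} image={image}")
    print("PIDs with sockets but no visible process:",
          hidden_pids(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

To use it on a real box, run `netstat -ano > net.txt` and `tasklist > tasks.txt` from Safe Mode with Networking and feed the file contents to the two functions. A PID that owns sockets but has no process line, or a process you do not recognise sitting in SYN_SENT over and over, is where to look next. Two caveats: a rootkit that hides its process from Task Manager can usually hide its sockets from netstat as well, so a clean report here is not proof of a clean machine, and a steady LAN light with nothing visible in netstat is a reason to check traffic from outside the box (the router, or another machine on the LAN) rather than to stop looking.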

Speedy Gonzales
04-01-2010, 08:45 PM
So did you run Trojan Remover, to see if that'll pick anything up as well? Something could be updating, which is why it's flashing.

B.M.
04-01-2010, 08:59 PM
So did you run Trojan Remover, to see if that'll pick anything up as well? Something could be updating, which is why it's flashing.

Sorry Speedy, meant to say for a start it wouldn't let me install Trojan Remover. Then after I'd tidied up some of the mess with the other programmes, it installed, but advised that my trial period or whatever had expired. I seem to remember trying it years ago with a completely different version, so it may not have been the Virus, but one of its own registry entries from yesteryear.

Pretty sure it's nothing updating as I've never seen it flash continuously without interruption ever before.

Speedy Gonzales
04-01-2010, 09:22 PM
Boot into safe mode / networking and post a log

B.M.
04-01-2010, 09:27 PM
Do I type something in the RUN box?

Speedy Gonzales
04-01-2010, 09:28 PM
With HijackThis.

B.M.
04-01-2010, 09:33 PM
Ahhh Roger.

It's just doing yet another scan so I might call it a day and start again in the morning.

Thanks.

wainuitech
04-01-2010, 09:36 PM
With TR not running, try removing it with Revo Uninstaller; get the portable version (http://www.revouninstaller.com/revo_uninstaller_free_download_other.html) so you don't need to install it. Run it, click on Trojan Remover, Uninstall, and select Advanced Mode. Once TR does its own uninstall, DON'T reboot if it asks; click Next and remove all the reg keys and folders it finds, reboot, then try TR again. Last time I did that it installed as if it was never there.

Some of the newer versions of Security Tool are tricky to remove; programs like Combofix even are stumped, as there is a process that's hidden that has to be stopped first (it doesn't show in Process Manager either).

Speedy Gonzales
04-01-2010, 09:37 PM
TR probably won't run because of its entries in the registry. You would have to remove everything. Won't tell you how, it'll be breaking the rules.

B.M.
04-01-2010, 09:47 PM
TR probably won't run because of its entries in the registry. You would have to remove everything. Won't tell you how, it'll be breaking the rules.

That's what I figured.

If I can't get by without it I'll investigate myself. :lol:

Catch up tomorrow, it's been a long day. :crying

wainuitech
04-01-2010, 09:48 PM
Run Revo as I posted in #12 that will generally remove it.

B.M.
05-01-2010, 08:17 AM
Run Revo as I posted in #12 that will generally remove it.

Ok back on deck and on with case. :rolleyes:

Wainui, I have REVO installed and use it all the time to uninstall programmes. In this case it can't locate TR to remove it. I suspect that is because the original was removed years ago. I uninstalled the new version once I finally got it installed, using REVO (because it said my trial had expired). However, Search has come up with a couple of folders left behind.

The first is: Trojan Remover Logfiles: which is located in C:\Documents and Settings\mine\My Documents\Simply Super Software and is empty.

The second is: Trojan Remover: which is in C:\Documents and Settings\mine\Application Data\Simply Super Software and contains one file called gfx1.exe.

I guess these got left behind when the original version was uninstalled, so it is my intention to delete them once I've had breakfast and a shower.

I'll then have a poke around in the registry and see what I can find there.

I'll file a progress report later, complete with HijackThis log for Speedy.

Just before I go, I have never had this much problem with any other Virus/Trojan/Worm etc. Mind you, this is the first I've had on my computer; they've always been on mates'.

My concern is even when I get rid of it, it may just waltz back. I note from an Internet link it marches straight through Norton's Security Suite, so that won't please Symantec. It hasn't pleased one of their customers either, by the look of a message posted on their website. I'd be surprised if it's still there. :lol:

B.M.
05-01-2010, 09:41 AM
Here you go Speedy.

Logfile of HijackThis v1.99.1
Scan saved at 9:39:15 a.m., on 5/01/2010
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
C:\Program Files\ATnotes\ATnotes.exe
C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\wbsecsvc.exe
C:\WINDOWS\system32\Fast.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\PC Connectivity Solution\Transports\NclUSBSrv.exe
C:\Program Files\PC Connectivity Solution\Transports\NclRSSrv.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O1 - Hosts: 208.93.147.32 www.winmx.com
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O2 - BHO: btorbit.com - {000123B4-9B42-4900-B3F7-F4B073EFC214} - C:\Program Files\Orbitdownloader\orbitcth.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Grab Pro - {C55BBCD6-41AD-48AD-9953-3609C48EACC7} - C:\Program Files\Orbitdownloader\GrabPro.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ATnotes.exe] C:\Program Files\ATnotes\ATnotes.exe
O4 - HKCU\..\Run: [PC Suite Tray] "C:\Program Files\Nokia\Nokia PC Suite 7\PCSuite.exe" -onlytray
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: GB-PVR Tray.lnk = C:\Program Files\Devnz\GBPVR\GBPVRTray.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &Download by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/201
O8 - Extra context menu item: &Grab video by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/204
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Do&wnload selected by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/203
O8 - Extra context menu item: Down&load all by Orbit - res://C:\Program Files\Orbitdownloader\orbitmxt.dll/202
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Grab and Drag - {000002a3-84fe-43f1-b958-f2c3ca804f1a} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra 'Tools' menuitem: IE7Pro Preferences - {0026439F-A980-4f18-8C95-4F1CBBF9C1D8} - C:\Program Files\IEPro\iepro.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O15 - Trusted Zone: http://www.nzracing.co.nz
O16 - DPF: {05317530-B882-449D-9421-18D94FA3ED34} (OSInfo Control) - http://www.sis.com/ocis/OSInfo.cab
O16 - DPF: {16095503-786F-4097-AED6-5D567A26D760} (SiS_OCX Control) - http://www.sis.com/ocis/SiSAutodetectNT.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{547037C7-49E8-48CA-A04F-821E4389FE1E}: NameServer = 123.100.71.1,123.100.71.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: avgrsstarter - C:\WINDOWS\SYSTEM32\avgrsstx.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: EPGService - Hauppauge Computer Works - C:\PROGRA~1\WinTV\EPG Services\System\EPGService.exe
O23 - Service: GB-PVR Recording Service - WelltonWay - C:\Program Files\Devnz\GBPVR\GBPVRRecordingService.exe
O23 - Service: HauppaugeTVServer - Unknown owner - C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (file missing)
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: TVService - Team MediaPortal - C:\Program Files\Team MediaPortal\MediaPortal TV Server\TVService.exe
O23 - Service: wbsecsvc - Integrated System Solution Corp. - C:\WINDOWS\system32\wbsecsvc.exe
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)
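
An added example, not part of the thread: the log above is what www.hijackthis.de and a human reviewer go through section by section, and the Python script below does the mechanical half of that triage over an excerpt of the posted log. It flags only the entry classes a reviewer looks at first (O1 hosts-file overrides, O10 Winsock LSPs HijackThis does not recognise, O15 Trusted Zone sites, O16 ActiveX downloads, O17 DNS servers that differ from the ones you expect, and O23 services with an unknown owner or a missing binary). "Flagged" means "look at this", not "malicious"; every entry it picks out of this log was judged fine by the reviewer above. Whether 123.100.71.x is this ISP's DNS is not something the thread states, so the expected DNS servers are a parameter you supply, and the check is skipped when you supply none.

```python
import re

# Excerpt of the HijackThis log posted above, kept verbatim; no new scan was run.
LOG_EXCERPT = r"""
Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

O1 - Hosts: 208.93.147.32 www.winmx.com
O2 - BHO: IE7Pro - {00011268-E188-40DF-A514-835FCD78B1BF} - C:\Program Files\IEPro\iepro.dll
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O15 - Trusted Zone: http://www.nzracing.co.nz
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{547037C7-49E8-48CA-A04F-821E4389FE1E}: NameServer = 123.100.71.1,123.100.71.2
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: HauppaugeTVServer - Unknown owner - C:\Program Files\WinTV\TVServer\HauppaugeTVServer.exe (file missing)
O23 - Service: ServiceLayer - Nokia - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
"""

# "Rnn - text" / "Onn - text" / "Fnn - text" entry lines; everything else is header.
ENTRY = re.compile(r"^([ROF]\d+) - (.*)$")
NAMESERVER = re.compile(r"NameServer = (.+)$")


def parse_entries(text):
    """Return (section, body) pairs for each HijackThis entry line."""
    return [(m.group(1), m.group(2))
            for m in map(ENTRY.match, text.splitlines()) if m]


def triage(text, expected_dns=()):
    """Return (section, reason, entry) for entries a reviewer should look at.

    expected_dns: the DNS servers the machine should be using (router or ISP).
    With an empty tuple the O17 check is skipped rather than guessed at.
    """
    findings = []
    for sec, body in parse_entries(text):
        if sec == "O1":
            findings.append((sec, "hosts-file override; confirm you added it yourself", body))
        elif sec == "O10" and body.startswith("Unknown file in Winsock LSP"):
            findings.append((sec, "LSP not on HijackThis' known list; identify the DLL's owner", body))
        elif sec == "O15":
            findings.append((sec, "site in IE Trusted Zone; IE relaxes its security settings for it", body))
        elif sec == "O16":
            findings.append((sec, "ActiveX download; remove unless you installed it on purpose", body))
        elif sec == "O17":
            m = NAMESERVER.search(body)
            servers = {s.strip() for s in m.group(1).split(",")} if m else set()
            if expected_dns and servers - set(expected_dns):
                findings.append((sec, "DNS servers differ from the expected ones; possible DNS hijack", body))
        elif sec == "O23" and ("Unknown owner" in body or "(file missing)" in body):
            findings.append((sec, "service with no vendor string or a missing binary; verify it", body))
    return findings


if __name__ == "__main__":
    # Assumed expected DNS server for the demo (a typical home router); replace with your own.
    for sec, reason, entry in triage(LOG_EXCERPT, expected_dns=("192.168.1.1",)):
        print(f"[{sec}] {reason}\n    {entry}")
```

The point of the O17 parameter is that the log alone cannot tell you whether a DNS server is legitimate; Security Tool-class rogues have been seen swapping DNS settings, so the comparison has to be against what you know the box should use. The same goes for the O1 hosts entry: the script cannot know whether the WinMX line was put there deliberately, only that someone should ask.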

mzee
05-01-2010, 05:06 PM
I am currently using Microsoft Security in Windows 7 & it has swatted some really bad Trojans which were overlooked by Comodo, Avast & Spybot.

Speedy Gonzales
05-01-2010, 05:21 PM
I would update the service pack, coz support for SP2 will die soon. And I would definitely update IE to 7 or 8. The only thing is, with IE 8, IEPro doesn't work properly.

Uninstall ALL versions of Java, then update it. It's out of date. Hmm, everything else looks OK. I wouldn't rely on Comodo's AV, Mzee, if it's installed. And if it is, I would uninstall it, if Avast is installed.

B.M.
05-01-2010, 06:00 PM
I am currently using Microsoft Security in Windows 7 & it has swatted some really bad Trojans which were overlooked by Comodo, Avast & Spybot.

Well, that's good news, but I wonder if this "Security Tools" was one of them?

It would be interesting to know because it seems we had about half a dozen infections reported on this site in just one day.

I wonder what we were all using.

Reading various threads on the Internet from other sites, it's wreaked havoc around the world, obviously designed to disable any protection before it goes about its business.

Anyway, I'm back to normal it would seem, but what a mission.

But just to tidy up. Back in post #5 I reported the various programmes used were reporting a clean bill of health; however, the LAN light on my modem was flashing continuously.

Well, I couldn't find the culprit, but I had a brainwave. I remembered that this Virus/Trojan whatever had disabled System Restore, Task Manager, Control Panel, just about everything, but as I cleaned up the infections from Safe Mode the various facilities started to return.

So, I took a punt. I went to System Restore (remember I couldn't turn it off) and elected to restore to a couple of days earlier, when I knew the machine was clean.

Whoopy dooo, the restore went beautifully, and when the LAN light came on it was perfectly normal.

All of which leaves me pondering the merit of turning off System Restore before cleaning out a Virus, because it just could be the restore files haven't been infected, or a new Restore Point made, and you may be destroying your last chance, as in this case.

Anyway, that's about it on this one; thank you all for your input. :thanks

B.M.
05-01-2010, 07:00 PM
I would update the service pack, coz support for SP2 will die soon. And I would definitely update IE to 7 or 8. The only thing is, with IE 8, IEPro doesn't work properly.

Uninstall ALL versions of Java, then update it. It's out of date. Hmm, everything else looks OK. I wouldn't rely on Comodo's AV, Mzee, if it's installed. And if it is, I would uninstall it, if Avast is installed.

I think you might have two peoples posts connected here Speedy. :confused:

Yes, I'm still on SP2 and will stay that way until it runs out. :)

I've seen first hand on a couple of machines how SP3 and IE8 can bring a computer to its knees. SP3 also has the benefit of installing WGA :rolleyes: and that nearly drove me nuts. So I'm afraid I did a clean install, loaded SP2 and turned off updates. Life has been bliss since. (Well, until the Virus) :D

I don't use IE although it's there; Firefox is my Browser of choice, and I don't have Comodo or Avast, as I'm still running AVG, so I think that reference may be to mzee's post.

Anyway, thanks again for your input Speedy. :thumbs:

Speedy Gonzales
05-01-2010, 07:06 PM
Ah, wrong. SP3 doesn't install WGA. Windows Update will, if you leave it on AUTO. Fix: put it on something else, then it won't automatically install everything. SP3 may screw things up if you're using an HP system.

I've slipstreamed SP3, and it has never installed WGA on the system. And yup, I was replying to Mzee about Comodo's AV.

B.M.
05-01-2010, 07:30 PM
Ah, wrong. SP3 doesn't install WGA. Windows Update will, if you leave it on AUTO. Fix: put it on something else, then it won't automatically install everything. SP3 may screw things up if you're using an HP system.

I've slipstreamed SP3, and it has never installed WGA on the system. And yup, I was replying to Mzee about Comodo's AV.

Dead right Speedy. That dreaded WGA would have been in one of the updates.

Took some getting rid of though, almost as bad as the virus. :lol:

Speedy Gonzales
05-01-2010, 07:41 PM
lol, well there is a tool to remove it. Run it, it finds whatever, reboot, it's gone.