  #1  
23-10-09, 21:36
digitaldave007
 
Join Date: Apr 2009
Posts: 37
'Security Tool' virus/trojan

I just posted this in the XP forum but feel it is better suited here instead.

From searching the web it seems that lots of people have been infected with this particularly nasty piece of malware and I am beginning to reach the end of my tether!

I was online 2 nights ago, went to a website I visit quite often and had a pop-up appear stating "your system is infected" etc. I've seen these types of things before. It seemed to be eating up all my CPU so I restarted XP, and when I got to the desktop my background picture had gone blue and I had lost all of the desktop icons. I tried opening Task Manager, and a message appeared saying it was infected. The same thing happened when I tried to launch Malwarebytes and AVG.

Did some online research, located the random numerical .exe files in the Application Data folder, deleted them and restarted again. Made some modifications to the registry, restarted a few times in Safe Mode and tried to run Malwarebytes again. Sometimes it loads, other times I get an error message saying it can't find the path name or something along those lines. I'm just not able to launch Malwarebytes and run the scan; like I said, sometimes it loads and sometimes the scan starts for a few seconds and then closes down. I have been able to run an AVG scan but when it is complete it informs me that it couldn't remove some of the infected files. I tried running HijackThis to post a log here but I get the same message as with Malwarebytes, so there is obviously some process preventing me from doing this.

I would really appreciate your suggestions.
Thanks.
  #2  
23-10-09, 22:34
bricat (Global Moderator)
 
Join Date: Jun 2003
Location: belfast
Posts: 32,350
Re: 'Security Tool' virus/trojan

Hit CTRL + ALT + DEL to bring up Task Manager.
Click on Processes at the top, scroll down and look for a file called 25143562.exe (or a similar number).
Click on it to highlight it and click on END PROCESS.

Do not reboot; try running Malwarebytes Anti-Malware again.
__________________
IF I HAVE SAVED YOU MONEY, PLEASE CONSIDER GIVING A DONATION TO HELP IN MY FIGHT AGAINST MALWARE.

Those are my principles. If you don't like them I have others
  #3  
23-10-09, 22:36
digitaldave007
 
Join Date: Apr 2009
Posts: 37
Re: 'Security Tool' virus/trojan

Tried that; it's not appearing in the Task Manager list and the .exe isn't in the Application Data folder either. It's obviously lurking in the background somewhere.
  #4  
24-10-09, 11:02
bricat (Global Moderator)
 
Join Date: Jun 2003
Location: belfast
Posts: 32,350
Re: 'Security Tool' virus/trojan

Have you tried running MBAM in SAFE MODE?
  #5  
24-10-09, 11:28
digitaldave007
 
Join Date: Apr 2009
Posts: 37
Re: 'Security Tool' virus/trojan

Tried that as well with no luck; it keeps getting blocked. How do I identify which process is blocking it? I guess they have used the same file name as a legitimate file.
  #6  
24-10-09, 16:14
bricat (Global Moderator)
 
Join Date: Jun 2003
Location: belfast
Posts: 32,350
Re: 'Security Tool' virus/trojan

Remove as many of these as you can find:

How to manually remove Security Tool

Stop and remove SecurityTool processes:
Security Tool.exe
uninstall.exe

Locate and delete SecurityTool registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "SecurityTool"
HKEY_CURRENT_USER\Software\Vista Antivirus 2010
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SecurityTool
HKEY_LOCAL_MACHINE\SOFTWARE\SecurityTool

Detect and delete other SecurityTool files:
%System Root%\Samples
%User Profile%\Local Settings\Temp
%Program Files%\SecurityTool
%Documents and Settings%\All Users\Start Menu\Programs\SecurityTool
%Documents and Settings%\All Users\Application Data\SecurityTool
Security Tool.exe
uninstall.exe

Then:

Please download and install SUPERAntiSpyware Home Edition (free)
- Once installed, update the program definitions when prompted.
- Click the "Preferences" button and then the "Scanning Control" tab.
- Under "Scanner Options" make sure the following are checked/selected:
  1. Close browsers before scanning.
  2. Scan for tracking cookies.
  3. Terminate memory threats before quarantining.
  4. Ignore System Restore/Volume Information on ME and XP.
- Deselect all other scanning options.
- Close SUPERAntiSpyware for use later.

Then boot up in SAFE MODE

Open SUPERAntiSpyware and click the "Scan your computer" button.
- On the left, select "C:\Fixed Drive".
- On the right, under "Complete Scan", choose "Perform Complete Scan".
- Click "Next" to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click "OK".
- Make sure everything in the white box has a check next to it, then click "Next".
- After quarantining anything found, you may be prompted to reboot; click "Yes".
- Paste the scan log in your next reply (Preferences > Statistics/Logs tab > double-click SUPERAntiSpyware Scan Log)
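The manual-removal steps above boil down to checking the Run key for an autorun that points at a rogue program. As an added example (not from the thread or from any of the tools it mentions), this script triages a `reg export` of the HKCU Run key the way a helper would by hand: it flags the "SecurityTool" value name from the guide, anything launched from Application Data or Temp, and the all-digit .exe names mentioned earlier in the thread. The sample export is constructed; the value names and paths in it are illustrative.

```python
import re

# Constructed sample of what `reg export` writes for the HKCU Run key; the SecurityTool
# value name and the all-digit .exe mirror the thread, the exact paths are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SecurityTool"="\"C:\\Documents and Settings\\All Users\\Application Data\\25143562\\25143562.exe\" /s"
'''

KNOWN_BAD_NAMES = {"securitytool"}  # value names listed in the manual-removal steps above
USER_WRITABLE = ("\\application data\\", "\\local settings\\temp\\", "\\temp\\")

def parse_reg_values(text, key_suffix=r"\CurrentVersion\Run"):
    """Return {value_name: data} for the first exported key whose path ends in key_suffix."""
    values, in_key = {}, False
    for line in text.splitlines():
        if line.startswith("["):                     # [KEY\PATH] header starts a new key
            in_key = line.rstrip("]").lower().endswith(key_suffix.lower())
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$', line)
        if in_key and m:
            # .reg files escape backslashes and quotes with a backslash; undo that
            name, data = (re.sub(r"\\(.)", r"\1", s) for s in m.groups())
            values[name] = data
    return values

def executable_path(command):
    """Pull the program path out of a Run-key command line, quoted or bare."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ")[0]

def triage_run_key(text):
    """Return [(value_name, exe_path, [reasons])] for autoruns that look like rogue AV."""
    findings = []
    for name, data in parse_reg_values(text).items():
        path = executable_path(data)
        low = path.lower()
        reasons = []
        if name.lower() in KNOWN_BAD_NAMES:
            reasons.append("value name matches the SecurityTool removal guide")
        if any(d in low for d in USER_WRITABLE):
            reasons.append("runs from a user-writable data/temp directory")
        if re.fullmatch(r"\d+\.exe", low.rsplit("\\", 1)[-1]):
            reasons.append("all-digit executable name (random numeric .exe)")
        if reasons:
            findings.append((name, path, reasons))
    return findings
```

Running `triage_run_key(SAMPLE_REG)` reports only the SecurityTool entry, with all three reasons; the genuine ctfmon.exe autorun passes clean.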
  #7  
25-10-09, 10:55
digitaldave007
 
Join Date: Apr 2009
Posts: 37
Re: 'Security Tool' virus/trojan

OK, tried to find those files and couldn't find any to delete. Tried searching for 'Security Tool' and got no results.

Installed SUPERAntiSpyware as instructed, changed the preferences, restarted in Safe Mode, tried to launch the program and got the following error message:

"Windows cannot access the specified device, path or file. You may not have the appropriate permissions to access the item."
  #8  
25-10-09, 15:00
digitaldave007
 
Join Date: Apr 2009
Posts: 37
Re: 'Security Tool' virus/trojan

Since my above post, in which I was unable to run the scan, I restarted normally and ran the scan, which produced the following:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/25/2009 at 01:35 PM

Application Version : 4.29.1002

Core Rules Database Version : 4189
Trace Rules Database Version: 2103

Scan type : Quick Scan
Total Scan Time : 00:58:02

Memory items scanned : 510
Memory threats detected : 0
Registry items scanned : 554
Registry threats detected : 13
File items scanned : 9785
File threats detected : 22

Unclassified.Unknown Origin
HKU\S-1-5-21-2667485867-234716120-416538077-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{598F4775-6FB6-477B-9842-E0426824E077}

Adware.Tracking Cookie
C:\Documents and Settings\David\Cookies\david@media.mtvnservices[1].txt
C:\Documents and Settings\David\Cookies\david@invitemedia[2].txt
C:\Documents and Settings\David\Cookies\david@imrworldwide[2].txt
C:\Documents and Settings\David\Cookies\david@admarketplace[1].txt
C:\Documents and Settings\David\Cookies\david@doubleclick[2].txt
C:\Documents and Settings\David\Cookies\david@lucidmedia[1].txt
C:\Documents and Settings\David\Cookies\david@media6degrees[2].txt
C:\Documents and Settings\David\Cookies\david@www.icityfind[1].txt
C:\Documents and Settings\David\Cookies\david@bridge1.admarketplace[1].txt
C:\Documents and Settings\David\Cookies\david@clicksor[2].txt
C:\Documents and Settings\David\Cookies\david@icityfind[1].txt
C:\Documents and Settings\Lara\Cookies\lara@adserver.aol[1].txt
C:\Documents and Settings\Lara\Cookies\lara@ww57.smartadserver[2].txt
C:\Documents and Settings\Lara\Cookies\lara@advertstream[1].txt
C:\Documents and Settings\Lara\Cookies\lara@www.smartadserver[2].txt
C:\Documents and Settings\Lara\Cookies\lara@ads.pointroll[1].txt
C:\Documents and Settings\Lara\Cookies\lara@content.yieldmanager[1].txt
C:\Documents and Settings\Lara\Cookies\lara@uk.at.atwola[1].txt
C:\Documents and Settings\Lara\Cookies\lara@www3.smartadserver[1].txt

Rootkit.Agent/Gen
HKLM\SOFTWARE\UAC
HKLM\SOFTWARE\UAC#EPROCESS_LEOffset
HKLM\SOFTWARE\UAC#EPROCESS_NameOffset
HKLM\SOFTWARE\UAC#affid
HKLM\SOFTWARE\UAC#type
HKLM\SOFTWARE\UAC#build
HKLM\SOFTWARE\UAC#subid
HKLM\SOFTWARE\UAC#cmddelay
HKLM\SOFTWARE\UAC\connections
HKLM\SOFTWARE\UAC\connections#a2674c18
HKLM\SOFTWARE\UAC\versions

Trojan.Agent/Gen
HKU\S-1-5-21-2667485867-234716120-416538077-1006\Software\PopRock

Trojan.Dropper/Win-NV
C:\WINDOWS\MSD.EXE
C:\WINDOWS\Prefetch\MSD.EXE-25EB529B.pf
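A log like the one above mixes nuisance tracking cookies with the hits that actually matter (the Rootkit.Agent/Gen registry keys and the Trojan.Dropper executable). As an added example, not part of the thread or of SUPERAntiSpyware itself, this parser reads the log's "Name : value" header and blank-line-separated detection blocks, then buckets the hits by severity so the rootkit and trojan entries stand out. The embedded log is a constructed excerpt of the one posted, trimmed to a few entries; the severity mapping is my own assumption, not a SAS feature.

```python
import re
from collections import defaultdict

# Constructed excerpt of the SUPERAntiSpyware log above: same layout, trimmed to a few entries
SAMPLE_LOG = """SUPERAntiSpyware Scan Log

Trace Rules Database Version: 2103
Scan type : Quick Scan
Registry threats detected : 13
File threats detected : 22

Adware.Tracking Cookie
C:\\Documents and Settings\\David\\Cookies\\david@doubleclick[2].txt
C:\\Documents and Settings\\Lara\\Cookies\\lara@adserver.aol[1].txt

Rootkit.Agent/Gen
HKLM\\SOFTWARE\\UAC
HKLM\\SOFTWARE\\UAC#affid

Trojan.Dropper/Win-NV
C:\\WINDOWS\\MSD.EXE
C:\\WINDOWS\\Prefetch\\MSD.EXE-25EB529B.pf
"""

SEVERITY = {"Rootkit": "critical", "Trojan": "high", "Adware": "low"}  # by family prefix; rest = review

def parse_sas_log(text):
    """Return (header fields, {category: [registry key or file path, ...]})."""
    header, detections, current = {}, defaultdict(list), None
    for line in map(str.rstrip, text.splitlines()):
        if not line:
            current = None                       # blank line closes a detection block
            continue
        field = re.match(r"^([A-Za-z ]+?)\s*:\s+(.+)$", line)   # "Name : value" header lines
        if current is None and field:
            header[field.group(1).strip()] = field.group(2)
        elif current is None and re.match(r"^[A-Z][A-Za-z]+\.", line):
            current = line                       # category line, e.g. "Rootkit.Agent/Gen"
        elif current is not None:
            detections[current].append(line)
    return header, dict(detections)

def triage(detections):
    """Bucket every hit by severity and report the worst bucket seen."""
    buckets = defaultdict(list)
    for category, items in detections.items():
        sev = SEVERITY.get(category.split(".")[0], "review")
        buckets[sev].extend((category, item) for item in items)
    worst = next((s for s in ("critical", "high", "review", "low") if s in buckets), "clean")
    return worst, dict(buckets)
```

On the sample the worst bucket is "critical" because of the HKLM\SOFTWARE\UAC keys, which is the same reading bricat gives the log in the next reply: the cookies are noise, the UAC and MSD.EXE entries are the infection.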
  #9  
25-10-09, 17:03
bobnemesis
 
Join Date: Feb 2005
Location: North Wales
Posts: 391
Re: 'Security Tool' virus/trojan

You could try the following: if MBAM will not run, go to the program directory of MBAM (e.g. C:\Program Files\Malwarebytes Antimalware\), then rename mbam.exe to newtool.exe, and double-click newtool.exe to proceed in running a full scan.
What website were you visiting when this started? Was it by chance Facebook?
  #10  
25-10-09, 19:50
bricat (Global Moderator)
 
Join Date: Jun 2003
Location: belfast
Posts: 32,350
Re: 'Security Tool' virus/trojan

Did you tell SAS to remove all of those files?

If so, how is it running now?