TechSpot

Inactive: Spyware called "Security tool"

By sma06
Oct 10, 2009
  1. Hi everyone,

    I seem to have stumbled across a kind of spyware called "Security tool" that keeps popping up saying that I have been infected with other spyware. I can't even see my desktop since I have this problem.
    I tried using Spybot, AVG and Norton but none of them can successfully remove them because my computer automatically restarts whenever I run scans.
    I would appreciate your feedback very much.
     
  2. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

  3. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    sma06, if you are still having problems and have run the programs, please let me know.
     
  4. sma06

    sma06 TS Rookie Topic Starter

    Thanks, I will run all these programs first and let you know.
     
  5. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    After you run the three programs, attach the logs from Malwarebytes and SuperAntiSpyware. Then paste the log for HijackThis in the reply (Ctrl+V).
     
  6. sma06

    sma06 TS Rookie Topic Starter

    Hello,

    I followed all the steps and I think the problem is resolved for now. Only thing is I can still see 'Security tool' and 'Windows Police Pro' (which is another problem I had) on my desktop. How can I completely get rid of them?

    Also, I am not sure of which files to delete from HijackThis.

    I have attached the log files with this post.
     
  7. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Did you run HijackThis before running Malwarebytes? If so, post a new HijackThis log. You have IE6 installed. Even if you don't use it, run Windows Update manually and choose "custom"; apply all critical and hardware updates, including IE8. Doing this will help your computer's security.
     
  8. sma06

    sma06 TS Rookie Topic Starter

    Dear Tmagic650,

    I ran the programs in the exact same order as listed. Just in case, I re-ran HijackThis. Here is the log file.
    It says I have to be careful before deleting any registry files. Do you know which ones I should delete?
     
  9. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Tmagic, you can see the time and date each log was done. The order they are showing in attachments does not matter. The time, date and version appear at the top of each log:
    This member has SP3 on board and does NOT need to update IE at this time.

    sma06, you still have malware. I did a quick check of the logs and it's evident in all 3. Give me a few hours please to review them thoroughly and I will get back to you.

    You do NOT need to do another HJT scan at this time.
     
  10. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Thanks for the tip Bobbye :) There is malware still on sma06's system. I don't like these HijackThis entries:

    "O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm"
    "O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm"


    Is Symantec/Norton expired or is it running correctly? You should only have one antivirus program installed at a time. It looks like you have 3 installed. Adobe Reader needs to be updated from 7 to 9. IE6 needs to be updated to IE8. You have Spyware Doctor and Spybot Search & Destroy installed. Remove them and install free CCleaner and Advanced SystemCare Free and run them regularly.
     
  11. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    I have reviewed your logs and don't have good news:

    The most significant infection is the PWS (password stealer) TrojanSpy:Win32/Zbot.gen:

    1)TrojanSpy:Win32/Zbot.gen!C is a trojan that is used to steal sensitive information from an affected machine.
    2)TrojanSpy:Win32/Zbot.gen!C may inject malicious code into explorer.exe or winlogon.exe.
    3)This Trojan may try to prevent its removal from the affected system by blocking access to its files, and by recreating its registry entries should they be deleted.
    4)TrojanSpy:Win32/Zbot.gen!C may try to delete all cookies stored by Internet Explorer in the URL cache so that users are forced to retype their passwords (should they be cached).

    Manual removal, file by file, is not recommended for this threat because it's so pervasive.
    1. The first thing you need to do is change ALL of your passwords.
    2. Monitor any online financial transactions such as online banking.
    3. Disable the Real Time Protection for the scans:

    SYMANTEC ENDPOINT PROTECTION
    Right click on the icon in the taskbar notification area & select "Disable Symantec Endpoint Protection".

    TEA TIMER
    • Right click the TeaTimer icon in the system tray
    • Then click Exit Spybot-S&D Resident
    • Once you are clean you can restart TeaTimer by going to C:\Program Files\Spybot - Search & Destroy, and double clicking on TeaTimer.exe

    Run a full system scan with Norton Antivirus; update right before the scan. Save the log and include it in your next reply.

    Please download ComboFix HERE:
    • With ComboFix, at the download window, please rename it to Combo-Fix(.exe) before downloading it.
    • Please disable all security programs, such as antiviruses, antispywares, and firewalls. Also disable your internet connection.
    • Run Combo-Fix.exe and follow the prompts.
      (Understand that things like your system clock changing and your desktop disappearing might happen. Do not worry, because all will be restored later.)
    • Wait for the scan to be completed.
    • If it requires a reboot, please do it.
    • After the scan has completed entirely, please post the log here. The log will be located at C:\ComboFix(.txt)

    Notes:

    1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
    2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
    3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
    4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

    Rescan with HijackThis: PASTE the log into your next reply.
    Attach the Norton AV scan and the Combofix report.

    We'll see where we are after this.

    Please don't do any other download or install while we're cleaning, except what I am directing you to do. We will cover other parts of the system at the appropriate time.

    Note: You are using Download Accelerator (DAP). This delivers popup/popunder ads, and tracks your internet usage. You can find safer alternatives here: http://www.spywareinfo.com/downloads.php?cat=dlman#dlman

    This is an optional removal. DAP is not malware. You do not have to do anything with this at this time. I just want to make you aware of it.
    I suggest you remove it. Go to Start > Settings > Control Panel > Add/Remove Programs and remove it.
     
  12. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    Hey Bobbye,
    is this the TrojanSpy:Win32/Zbot.gen indicator:
    "C:\WINDOWS\system32\wuauclt.exe"
     
  13. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    No- it's the WindowsUpdate process.
     
  14. Tmagic650

    Tmagic650 TS Ambassador Posts: 17,244   +234

    "Tmagic, you can see the time and date each log was done. The order they are showing in attachments does not matter"...

    I thought a rescan with Malwarebytes might change the hijackthis logs contents

    "No- it's the WindowsUpdate process"...

    Windows Update process in the HijackThis log? I can't seem to find "Windows Update process" in the log.
     
  15. WinXPert

    WinXPert TS Guru Posts: 445

    Post your registry, specifically these keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

    Do you have a Security Tool entry or something that starts with 494*******(some random digits)?

    Search for files (exe) that start with 494.

    Post the content of your autorun.inf too.
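    The registry and file checks WinXPert asks for, scripted as an added example (this is not code from the thread). It assumes PowerShell 2.0 or later on the affected machine, run from an administrator session, and treats "494" followed by more digits as the Security Tool naming pattern WinXPert describes; the per-user Run keys and the matching regex are my additions, not part of WinXPert's list.

```powershell
# Added example, not from the thread. Enumerate the autorun keys WinXPert lists
# (plus the per-user Run keys, an addition), flag entries that look like the
# Security Tool rogue, find 494*.exe files and dump every autorun.inf.
# Run as administrator; PowerShell 2.0+.

$AutorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',        # addition
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'     # addition
)

# Heuristic (assumption): a value name or command mentioning "Security Tool",
# or a token that starts with 494 and continues with digits, e.g.
# C:\Program Files\49479845\49479845.exe
$SuspiciousPattern = 'security\s*tool|(^|[\\\s"])494\d{3,}'

function Get-AutorunEntries {
    foreach ($key in $AutorunKeys) {
        if (-not (Test-Path $key)) { continue }
        # RunOnceEx keeps its commands in numbered subkeys, so walk children too
        $keys = @(Get-Item $key) + @(Get-ChildItem $key -Recurse -ErrorAction SilentlyContinue)
        foreach ($item in $keys) {
            foreach ($name in $item.GetValueNames()) {
                $cmd = [string]$item.GetValue($name)
                New-Object PSObject -Property @{
                    Key        = $item.Name
                    Name       = $name
                    Command    = $cmd
                    Suspicious = ($name -match $SuspiciousPattern) -or ($cmd -match $SuspiciousPattern)
                }
            }
        }
    }
}

Get-AutorunEntries |
    Sort-Object Suspicious -Descending |
    Select-Object Suspicious, Key, Name, Command |
    Format-Table -AutoSize

# Executables whose name starts with 494 anywhere on the system drive
Get-ChildItem -Path "$env:SystemDrive\" -Recurse -Filter '494*.exe' -ErrorAction SilentlyContinue |
    Select-Object FullName, Length, LastWriteTime

# autorun.inf in the root of every file-system drive, printed so it can be pasted in a reply
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path $inf) {
        "==== $inf ===="
        Get-Content $inf
    }
}
```

    A "Suspicious" hit only means the entry matches the naming pattern; confirm the file exists and is unsigned before deleting anything, since the thread's helper is working from the full logs.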
     
  16. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    WinXPert, I would appreciate it if you would allow me to finish helping this member. Sending someone on a different track in the middle of a cleaning is a bad idea.
     
  17. sma06

    sma06 TS Rookie Topic Starter

    Dear Bobbye,

    I ran the programs as requested and these are the resulting logs. I noticed when I ran Norton a few days ago it said my computer was clean, but today it seemed to detect a lot of trojan viruses. I hope Combo-fix got rid of them.
    Please have a look and let me know.
     
  18. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    Okay, some questions and some housekeeping:

    1. Do you have a security suite from Symantec/Norton? Most have a firewall included. I see you are also running Comodo, so if Norton is current, you need to remove the Comodo firewall.

    2. Did you miss my instructions to temporarily disable the Real Time Protection of TeaTimer and Symantec Endpoint Protection in Post #11? Having this kind of protection running can affect the scans. And in the ComboFix program, you were also instructed to shut down all security programs.

    3. Did you delete the entries Norton put in quarantine? If not, please do that, then the following:

    4. TFC (Temp File Cleaner)
    Download TFC to your desktop
    • Open the file and close any other windows.
    • It will close all programs itself when run, make sure to let it run uninterrupted.
    • Click the Start button to begin the process. The program should not take long to finish its job.
    • Once it's finished it should reboot your machine; if not, do this yourself to ensure a complete clean.

    TFC only cleans temp folders. TFC will not clean URL history, prefetch, or cookies. Depending on how often someone cleans their temp folders, their system hardware, and how many accounts are present, it can take anywhere from a few seconds to a minute or more. TFC will completely clear all temp files where other temp file cleaners may fail. TFC requires a reboot immediately after running. Be sure to save any unsaved work before running TFC.

    TFC (Temp File Cleaner) will clear out all temp folders for all user accounts (temp, IE temp, java, FF, Opera, Chrome, Safari), including Administrator, All Users, LocalService, NetworkService, and any other accounts in the user folder.

    When through, please Empty the Recycle Bin

    5. Old versions of Java and Adobe Reader present another vulnerability and they should be updated:
    • Visit the Adobe Reader site often and make sure you have the most current update. Uninstall any earlier updates as they are vulnerabilities.
    • Check the Java Updates site often. Stay current as most updates are for security. Uninstall any earlier versions in Add/Remove Programs.

    It is important that you uninstall the outdated versions of Adobe v7 and Java v1.5.11.

    6. Please reopen HijackThis to 'Do a system scan only'. Check the following entry:


    O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_SG&c=Q106&bd=pavilion&pf=laptop


    Close all windows except HijackThis and click on "Fix Checked."

    Do you have any idea what 'Promo' is here? It's a particular port open in the firewall:
    53:UDP"= 53:UDP:promo

    When you get this done- including deleting all the entries Norton has quarantined, please do this:
    Run Eset NOD32 Online AntiVirus Scanner HERE

    Note: You will need to use Internet Explorer for this scan.
    • Tick the box next to YES, I accept the Terms of Use.
    • Click Start
    • When asked, allow the Active X control to install
    • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
    • Click Start
    • Make sure that the option "Remove found threats" is Unchecked, and the option "Scan unwanted applications" is checked
    • Click Scan
    • Wait for the scan to finish
    • Re-enable your Antivirus software.
    • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.

    Save the log and attach it in next reply.

    Rescan with HijackThis and paste the new log in next reply.

    A NOTE: Please do not use the System Restore feature. There is malware in the restore points. I will have you drop the old restore points and create a new clean one when we finish.
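    The firewall entry Bobbye asks about is read from the Windows Firewall policy keys in the registry, which is also where the ComboFix log line comes from. As an added example (not code from the thread), this PowerShell script lists every globally opened port and authorised application for the Standard and Domain profiles, flags names that are not on a short allow-list (that list is an assumption for illustration only), and prints the START_PAGE_URL line of IERESET.INF that the O14 entry reports. It assumes the XP/2003 firewall key layout, PowerShell 2.0 or later, and an administrator session.

```powershell
# Added example, not from the thread. Reads the XP/2003 Windows Firewall policy
# keys that produce log lines such as  "53:UDP"= 53:UDP:promo  and the
# IERESET.INF file behind the HijackThis O14 entry. Run as administrator.

$FirewallPolicy = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Names expected on this machine (assumption for illustration). Anything else,
# such as "promo", is flagged so its origin can be traced before it is removed.
$KnownNames = @('File and Printer Sharing', 'Remote Desktop', 'UPnP Framework')

function Get-FirewallOpenPorts {
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $key = "$FirewallPolicy\$profile\GloballyOpenPorts\List"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            # Value data format: port:protocol:scope:Enabled|Disabled:name
            $f = ([string]$item.GetValue($valueName)) -split ':'
            $name = if ($f.Count -gt 4) { $f[4..($f.Count - 1)] -join ':' } else { '' }
            New-Object PSObject -Property @{
                Profile  = $profile
                Port     = $f[0]
                Protocol = $f[1]
                Scope    = $f[2]
                State    = $f[3]
                Name     = $name
                Flag     = $(if ($KnownNames -notcontains $name) { 'CHECK' } else { '' })
            }
        }
    }
}

function Get-FirewallAuthorizedApps {
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $key = "$FirewallPolicy\$profile\AuthorizedApplications\List"
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($valueName in $item.GetValueNames()) {
            # Value name is the executable path; data is path:scope:Enabled|Disabled:name.
            # The path contains "C:", so take the state and name from the end of the split.
            $f = ([string]$item.GetValue($valueName)) -split ':'
            $exe = [Environment]::ExpandEnvironmentVariables($valueName)
            New-Object PSObject -Property @{
                Profile = $profile
                Path    = $valueName
                State   = $f[$f.Count - 2]
                Name    = $f[$f.Count - 1]
                Exists  = (Test-Path $exe)   # a rule for a missing exe is leftover from something removed
            }
        }
    }
}

Get-FirewallOpenPorts |
    Select-Object Profile, Port, Protocol, Scope, State, Name, Flag |
    Format-Table -AutoSize

Get-FirewallAuthorizedApps |
    Select-Object Profile, Path, State, Name, Exists |
    Format-Table -AutoSize

# O14: the home page IE restores on "Reset Web Settings" lives in %windir%\inf\iereset.inf
$inf = Join-Path $env:windir 'inf\iereset.inf'
if (Test-Path $inf) { Select-String -Path $inf -Pattern 'START_PAGE_URL' }
```

    A CHECK flag is a prompt to investigate, not a verdict: an inbound UDP 53 opening named "promo" on a laptop has no obvious owner and is worth tracing, whereas the ie.redirect.hp.com URL in the O14 line is simply the OEM's default home page for an HP Pavilion.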
     
  19. Seipher

    Seipher TS Rookie

    Just wanted to mention that I just got done resolving this myself. bleepingcomputer.com has given a step-by-step procedure to fix this, including a couple of small files specifically created to remove this issue that you can download and install. Follow their steps exactly and it should clear you right up, plus fix files that were corrupted by this nasty fake system cleaner.

    Here is the link below and good luck :)
    http://www.bleepingcomputer.com/virus-removal/remove-security-tool
     
  20. Bobbye

    Bobbye Helper on the Fringe Posts: 16,335   +36

    4 month old thread closed due to inactivity.
     