
Removing "Security Tools" virus/trojan/malware


Don't believe anything this trojan says. It's a dirty, filthy little piece of scamware and every threat it's reporting is a lie. Security Tools should just report itself and get it over and done with.

It will block most applications from running, so you'll need to somehow get Task Manager up and running before it starts.

Some people use safe mode, others have reported that "CTRL + ALT + DEL" works and can open up the Task Manager without it complaining. If not, try "CTRL + SHIFT + ESC", which does the same thing.

If that doesn't work, you'll have to create a shortcut to "taskmgr.exe" and move it into your "Start Menu > Startup" folder by dragging it with the mouse. Reboot your computer to get access to Task Manager.

Once you have Task Manager up and running, look under "Processes" and end any process whose filename is made up entirely of numbers.

After killing off the pesky little bugger, we're now able to run new programs without any problems.

Run "services.msc" from "Start > Run". Find the following services and then stop and disable each one:

  • Browser Defender Update Service
  • PC Tools Auxiliary Service
  • PC Tools Security Service

Download MalwareBytes Anti-Malware to scan, unlock the files in use and remove the Security Tool Virus. While it scans, we can do some manual removal.

Now go to "Start > Run" again to load up "msconfig". Go to the "Startup" tab and disable anything that is within the "Spyware Doctor" folder (or anything that looks suspicious). For me it was "ISTray".

Now open up the following folders and move as much junk out of there as you can. Skip the files that are locked.

  • C:\Program Files\Spyware Doctor
  • C:\Program Files\Common Files\PC Tools
  • C:\ProgramData\PC Tools

Open up "Start > Run" and fire up "regedit". Go to and delete the following registry keys:

  • HKEY_CURRENT_USER\Software\Security Tool
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Defender_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Doctor

Now the easier part. Search through the registry for anything containing "Spyware Doctor". I've made a list of the items I've found but they may vary from computer to computer.

Best bet is to just do the scan manually.

  • HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}
  • HKEY_CLASSES_ROOT\CLSID\{70F8E90E-353A-47AB-B297-C576345EE693}
  • (there was another one here that I forgot to copy before deleting)
  • HKEY_CLASSES_ROOT\CLSID\{F94D9C45-A227-4173-8AC3-6D276B288D9A}
  • HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\PCTools
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Browser Defender Update Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sdAuxService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sdCoreService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Browser Defender Update Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sdAuxService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sdCoreService
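As an added example (not from the original post), here is a Python script that reads the process list the way Task Manager shows it (via `tasklist /FO CSV /NH`) and flags image names made only of digits, the tell-tale described in the Task Manager step above. The tasklist output embedded for offline use is constructed, and the digits-only process name in it is made up.

```python
"""Flag running processes whose image name is nothing but digits, the naming
habit of the "Security Tools" rogue described above."""
import csv
import io
import re
import subprocess
import sys

# Constructed sample of `tasklist /FO CSV /NH` output (not captured from a real
# infected machine); the digits-only process name is made up for illustration.
SAMPLE_TASKLIST = '''"System","4","Console","0","236 K"
"explorer.exe","1528","Console","0","21,344 K"
"4946550101.exe","2040","Console","0","9,812 K"
"taskmgr.exe","2204","Console","0","4,520 K"
'''

# Matches "12345678" or "12345678.exe", nothing else.
NUMERIC_IMAGE = re.compile(r"^\d+(\.exe)?$", re.IGNORECASE)


def parse_tasklist_csv(text):
    """Return (image_name, pid) tuples from `tasklist /FO CSV /NH` text.
    The csv module copes with the quoted, comma-containing memory column."""
    rows = []
    for fields in csv.reader(io.StringIO(text)):
        if len(fields) < 2 or not fields[1].isdigit():
            continue  # blank line or an INFO:/ERROR: message from tasklist
        rows.append((fields[0], int(fields[1])))
    return rows


def find_numeric_processes(rows):
    """Return the (name, pid) pairs whose image name is only digits."""
    return [(name, pid) for name, pid in rows if NUMERIC_IMAGE.match(name)]


def live_tasklist():
    """Windows only: capture the local process list in CSV form."""
    result = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                            capture_output=True, text=True, check=True)
    return result.stdout


if __name__ == "__main__":
    text = live_tasklist() if sys.platform == "win32" else SAMPLE_TASKLIST
    for name, pid in find_numeric_processes(parse_tasklist_csv(text)):
        # Report only; end the process from Task Manager as the post describes,
        # then carry on with the service, msconfig and registry clean-up.
        print(f"suspicious process: {name} (PID {pid})")
```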

Now hopefully you've learnt your lesson and started to use a proper antivirus.

Every infected machine I look at is running one of the following 3 security suites: McAfee, Norton or Sophos. Goes to show (again) that they're fucking shit and not worth paying for.

WinXP: Windows logs out straight after entering user details

While fixing a computer, I had trouble getting back into Windows after deleting the malware files.

The reason was that the malware had slipped itself into the login process by changing the filename Windows expects to run at logon, redirecting the initialisation process to a dirty file.

When the file is removed, Windows doesn't know what to do with the login process and boots you back to the login screen.

Many places suggest this solution:

cd %WINDOWS%\system32
copy userinit.exe wsaupdater.exe

Personally, I don't like this. Although it solves the problem, this solution will not work if Windows is expecting a file other than "wsaupdater.exe".

To fix it properly, boot up the computer using the Windows XP setup disc or BartPE. (See this guide)

Once you've got the Registry Editor open:

  • Select "HKEY_USERS"
  • Click File > Load Hive
  • Open up "C:\Windows\System32\Config\SOFTWARE" (SOFTWARE is the filename)
  • Give it a name. For this example I'll call it "LOGOUT"
  • Now navigate to: HKEY_USERS\LOGOUT\Microsoft\Windows NT\CurrentVersion\Winlogon
  • Now find "Userinit" on the right panel and double click to edit.
  • It should point to: "C:\Windows\System32\userinit.exe,"

    Note: the trailing comma HAS to be there or else this fix won't work.
  • Navigate back and select "HKEY_USERS\LOGOUT"
  • Click on File > Unload Hive.

Now it is pointing back to "userinit.exe", the correct file.

[ Source ]

WinXP: Fix Mixa trojan/virus

I have no idea how people do it, but yet another relative has managed to break their computer by doing something stupid and has brought the computer over, asking me to spend a day fixing their computer. "Sure, I'd love to waste a nice sunny day off to do that!"

Anyway, before I become bitter and hateful, I quickly discovered that one of their many problems was that they were infected with a trojan called "Trojan.Mixa.A" or "W32/Autorun-DH".

It probably goes by a few other names, but the following information should be enough to identify it.

It's located at:

  • %WINDOWS%\Mixa.exe
  • C:\Mixa_i.exe (And the root path of any other writable drives or USB devices)
  • %WINDOWS%\System32\mixa.exe
  • %WINDOWS%\System32\systemio.exe

File information:

  • Mixa_i.exe
  • Filesize: 988kb
  • Version: v1.0.0.2
  • Company: Puppy
  • Product Name: Milk DHA

It is fairly difficult to remove using normal means, as you can't delete the files as they're in use. Trying to kill the task using the task manager will not work because it will log you out whenever it detects the Task Manager.

It also slips itself in as a fake system shell application, which makes Windows load it every time you log in. To remove it, you will have to do it before Windows loads.

Using the Windows XP setup disc

Use this method if you have access to the Administrator account. If not, use the other method.

Load up the computer with the setup disc and select "Recovery Console" by pressing R once it's ready.

Navigate around the console and delete the files if they exist in the given locations. Use the "delete" command to delete files.

  • delete %WINDOWS%\Mixa.exe
  • delete C:\Mixa_i.exe
  • delete %WINDOWS%\System32\mixa.exe
  • delete %WINDOWS%\System32\systemio.exe
  • See link below for the next step.

Set up a BartPE startup disc

This will give you access to the hard drive so you can remove the files. See this guide to create the BartPE disc.

Once you've loaded up the computer with BartPE:

  • Click "Go"
  • Command Prompt (CMD)
  • Use the Recovery Console steps above

OR

  • Click "Go"
  • Programs
  • A43 File Management Utility
  • Use the program to delete the files

See next step below.

Fix login screen

Since we've deleted the files, this ensures that the malware can't reinstall itself after we log in.

At this point, I thought it was all fixed and rebooted the machine. However, you should not reboot it yet! The system is still in a broken state!

Windows still expects the missing files to be there and you will not be able to log in properly. To fix the login screen, stay in the command prompt and type "regedit". This will bring up the Registry Editor.

I've written the tutorial in another post as it is a common problem when fixing virus/trojan related issues.

Once you've reverted the "Userinit" filename you can reboot and log in as usual.

[ Source, Microsoft KB 892893, more information about the trojan ]

Spyware: My Web Search (MWSOEMON.EXE)

My dad's been installing random stuff again.
It seems some spyware has gotten through.

Luckily, it's pretty straightforward to get rid of.

Just go to the "Control Panel" and then "Add/Remove Programs" and uninstall "MyWebSearch".

[ Source ]

Typical infected folders:

  • c:\program files\mywebsearch

Uninstall Myway MySpeedbar. It might be called 'My Search Bar', 'MyWay Speed Bar' or 'My Web Search Bar'. Remove what you find. Also remove 'Fun Web Products Easy Installer' if it is present.

Reboot and scan using SpyBot to ensure that it is gone.

Spyware: Remove Infostealer.Avisa

Since the download off the official site wasn't running at full speed, I decided to grab the demo off bit torrent instead. After (stupidly) installing a program from bit torrent, without first checking the comments, I had trouble moving the setup files after I was done.
Doing a little snooping, I was surprised to find a few extra executables in my Task Manager with somewhat suspicious filenames.

There were 2 instances of "rundii32.exe", as opposed to the usual "rundLL32.exe".

Great! Less than 2 weeks ago I got another virus, wasting another day off.
What a way to kill time.
I'm setting a new record here folks!

The culprit (File properties):
Filename: rundii32.exe
Size: 1.30 MB (1,372,160 bytes)

How it got there:
Stupidly, I didn't check the comments on the torrent before downloading and installing.

The installer was bundled with a trojan which extracted itself upon execution, making it seem authentic as the application actually installed properly.

The damage:
I'm still not quite sure which strain it was, but it created a file called "rundii32.exe" within the temporary folders "%TEMP%\IXP000.TMP" and "%TEMP%\IXP001.TMP" (where "%TEMP%" is your system temporary folder).

This may just be in my case, as it is a common trait of installer packagers to put files into directories with that naming convention.

I suppose these executables sit around and steal info.

Also, it adds itself into the startup.

The fix:
A nifty program that scans your running tasks (and startup) is Trend Micro HijackThis.
(Yes, I was surprised to find that Trend bought them out too!)

A quick scan showed that it had added itself to RunOnce, so to remove it...
I fired up TuneUp Utilities Registry Editor again.

Locate the keys within "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce" and delete the 2 entries which refer to "IXP000.TMP" and "IXP001.TMP".

Now type "%TEMP%\IXP000.TMP" and "%TEMP%\IXP001.TMP" into Explorer to locate the "rundii32.exe" files and delete them.

That should be enough to clear it.
A thorough scan with an updated antivirus afterwards should do the trick.

W32.Harakit

Being a lazy Sunday, I decided to clean up some folders on my computer.
I noticed in my Shared folder that there was a file named "gfvjfe.exe" with the folder icon.
Stupidly, I double-clicked it and executed it thinking it'd browse into it.
When nothing happened, I instantly realised I'd been had and disabled my internet connection.

Quickly skimming through Task Manager processes, nothing seemed out of place.
My Windows Explorer options were changed though: hidden files were now hidden and system folders/files aren't showing.

Something is up.

The culprit (File properties):
Filename: gfvjfe.exe
File version: 5.0.0.2
Language: Russian
Size: 497kb

How it got there:
It spreads itself via the network through shared folders which have write access, or via removable drives. Luckily, it's fairly simple to fix and doesn't do much damage.

The damage:
It creates a file called "csrcs.exe" in the System32 folder under Windows.

First notable change, as already mentioned, is that it hides hidden/system folders and files.

Second noticeable change was that csrcs.exe attempts to create "autorun.inf" in System32, triggering my NOD32 to display a giant red screen.

The fix:
Using Task Manager to kill off csrcs.exe, I then deleted it and scanned my registry.

It links itself in the registry in the following locations:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Edit the "Shell" value from "Explorer.exe csrcs.exe" to "Explorer.exe"
Lastly, clean up the multiple 0 byte "khq" files found at the root of your drives (i.e. C:\khq, D:\khq, etc.)
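As an added example, not the original author's code, the following Python check covers both this "Shell" edit and the Userinit fix from the "Windows logs out straight after entering user details" post above: it parses the two Winlogon values and reports any program other than explorer.exe and userinit.exe, plus a missing trailing comma on Userinit. On Windows it reads the live HKLM key through the standard winreg module; elsewhere it runs against constructed sample values. The allow-list of expected programs is an assumption for a stock Windows XP install.

```python
"""Check the Winlogon "Userinit" and "Shell" values for the hijacks the posts
above describe: userinit.exe swapped for another file, or csrcs.exe appended
to Explorer.exe."""
import re
import sys

WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Assumed allow-list of basenames for a stock Windows XP install.
EXPECTED = {"Userinit": {"userinit.exe"}, "Shell": {"explorer.exe"}}

def split_entries(name, value):
    """Userinit is a comma-separated list (paths may contain spaces); Shell
    normally holds one program, with extras appended by a space or comma."""
    parts = value.split(",") if name == "Userinit" else re.split(r"[ ,]+", value)
    return [p.strip() for p in parts if p.strip()]

def check_winlogon_value(name, value):
    """Return the suspicious entries of one Winlogon value; [] means clean."""
    findings = []
    for entry in split_entries(name, value):
        basename = entry.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if basename not in EXPECTED[name]:
            findings.append(entry)
    # The Userinit post insists the trailing comma stays, so report its absence.
    if name == "Userinit" and not value.rstrip().endswith(","):
        findings.append("<missing trailing comma>")
    return findings

def audit_live_registry():
    """Windows only: read both values from HKLM and check them."""
    import winreg  # standard library, Windows only
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        return {name: check_winlogon_value(name, winreg.QueryValueEx(key, name)[0])
                for name in EXPECTED}

# Constructed sample values: the clean defaults beside the two hijacked forms.
SAMPLE_VALUES = {
    "Userinit": [r"C:\Windows\System32\userinit.exe,",
                 r"C:\Windows\System32\wsaupdater.exe,"],
    "Shell": ["Explorer.exe", "Explorer.exe csrcs.exe"],
}

if __name__ == "__main__":
    if sys.platform == "win32":
        print(audit_live_registry())
    else:
        for name, values in SAMPLE_VALUES.items():
            for value in values:
                print(name, repr(value), check_winlogon_value(name, value) or "clean")
```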

If you have a more severe infection of this trojan, check out this link for more information.

Update: 05/04/2010
I forgot to mention, I had all ports forwarded to my computer and there were some unprotected shared folders which had write access.

Block off public access to those ports and you should be fine. To figure out which ports it is, see here.

malware: driver detective claims another victim

A friend pasted a chat log to me, which was between him and another friend.
Worth keeping for entertainment value =)

James:
check this out

mindogg: hey how do i watch movies on my windows media player?
do i need to dl a codec?

me: ye

mindogg: can u find me a link to do this
a safe website

me: lol
http://www.divx-digest.com/software/nimo_pack.html
has all the codecs ull need

mindogg: thanx

mindogg: don't know how to dl it with this website
wait i think i figure it out

me: gp ot
got it?

mindogg: downloaded it

mindogg: it asked me about 1.Manufacturer
2. family
3. model

me: wtf

mindogg: ye
ok what is after driver detective

me: detected?
lol
are u going full or custom installation

mindogg: i just want the codec so i can watch stuff on media plaer

me: lol
i cant direct u like this
sounds like ur doing something else

mindogg: isn't there just a file u can dl a codec

me: lol
ur install it now
i dunno what u roding
its just str8 forward

mindogg: fuck
so the detective is the codec?

me: wtf detective man
there is no detective rofl
detected?
dirvers?
i dunno wtf ur goin about

mindogg: driver dectective

me: lemme try
ill dl and see
did u dl
lite?

mindogg: whats that?

me: dude
wtf
i just installed it
its like 3 next buttons
and thast it
lol

mindogg: the detective just scan! he doesn't give me the codec does he?

me: i dunno
WTF u dld

mindogg: driver detective

me: ive been doing comps an dshit since primary
dunno WTF that is
lol

mindogg: LOL fu
help me!

me: rofl
WTF
is driver detective dude

mindogg: oh shit now my comp said it found some virus!
oh shit im gone!
HAHAHA
ahh gotta love malware... when it doesnt happen to you.
Some software that's helped me in the past are:
- Spybot - Search and destroy
- HijackThis
- TuneUpUtilities

Copyright © Twig's Tech Tips