SecurityTool and Security Tool Virus

23 September 2009 Rogue 61 Comments

SecurityTool with an alias “Security Tool virus” is another masterpiece of rogue program developer that will get into computer without escaping antivirus program’s detection. SecurityTool virus overruns computer when users visited malicious websites. You may not realize that it automatically downloads and execute threat on the system. This infection leads to browser hijacking and hook compromised system to remote server to bring in more files that are malicious.

Similar to other rogue posted previously, Security Tool affected computers may experience severe alert messages coming from all corners of desktop. By doing this frustrating procedure, it easily tricks users and makes them believe that computer is indeed infected. A pop-ups message mimics what used to be Windows layout to induce unwary victim to purchase the licensed version of Security Tool.

Since this bogus program is closely working with Trojan, it may give infected users a challenging removal process. Certainly, with its objective to stay resident, Security Tool virus does not include uninstall information and most of the files are hidden on various parts of the system. Certainly, using a confident solution like anti-malware will efficiently remove Security Tool, its files and configuration information completely.

Screen Shot Images:

Security Tool Virus

Technical Details and Additional Information:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Characteristics (Analysis)
SecurityTool is a fake security program that has no capability to replicate once it infects a computer. Its main payload is to devise misleading occurrences placing the entire system in danger. The malware stages a series of registry modification to load itself when Windows starts.

Malware Behavior
It produces numerous fake security warnings and runs virus scan as scare tactics. One false notice is this firewall alert.

Security Tool Alert Image

Added Registry Entries:

HKEY_CURRENT_USER\Software\Security Tool
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "9863015261"

Associated Files and Folders:

%AppData%\9863015261
%AppData%\9863015261\9863015261.bat
%AppData%\9863015261\9863015261.cfg
%AppData%\9863015261\9863015261.exe
%UserProfile%\Desktop\Security Tool.lnk
%UserProfile%\Start Menu\Programs\Security Tool.lnk

How to Remove SecurityTool and Security Tool Virus

This guide requires a tool called Malwarebytes' Anti-Malware. It is a free tool designed to eradicate various computer infections. MBAM scanner is distributed for free.

Boot Windows in Safe Mode With Networking

1. First thing to do is to reboot the computer in Safe Mode with Networking to avoid SecurityTool from loading at start-up. You may want to print this procedure as we have to restart the computer to complete the removal process.
- Restart the computer.
- Before Windows begins to load, press F8 on your keyboard.
- It will display an Advanced Boot Options menu. Please select Safe Mode with Networking.
- Windows will now start in Safe Mode.

Remove SecurityTool with MalwareBytes' Anti-Malware

2. Download removal tool from this page and save it on your Desktop or any location on your PC.
3. When finish downloading, double-click on the file to install the application.
4. Follow the prompts and install with default configuration.
5. Before the installation completes, you need to update the database.

6. Click Finish. Program will run automatically and you will be prompt to update the program before doing a scan. Please update.
7. When finished updating, the tool will run. Select Perform full scan on main screen to check your computer thoroughly.
8. When scanning is finished click on Show Results.
9. Make sure that all detected threats are checked, click on Remove Selected. This will delete all files and registry entries that belongs to SecurityTool.
10. Restart your computer.

Note: If SecurityTool prevents mbam-setup.exe from downloading. Download the software from another computer. Renaming it to something like 'anything.exe' can help elude the malware.

What to do next...

Comments and Suggestions

On this area you can find Visitor's personal suggestions. We cannot control and evaluate each recommended procedure from visitors so please use it at your own risks. If your inquiry pertains to SecurityTool and Security Tool Virus payment refund or lost serial key, kindly check the FAQ for rogue program first.

61 Comments

Hayden
Oct 07, 2009 @ 16:11:27
Make sure Malware remover is updated, and run it in safemode. I wasn’t able to do crap outside of safemode. Couldn’t run regedit or open tasmanager or run any kind of remover tool….until I rebooted in safemode.
Jona
Oct 13, 2009 @ 14:53:47
I dowenload Malwarebytes’ Anti-Malware but I cant run it because of virus what should I do now:S
bruno90
Oct 13, 2009 @ 16:05:36
Note: Virus like SecurityTool may prevent mbam-setup.exe from downloading and running. You can download and rename this program from a different computer before running it on infected system.
dave
Oct 15, 2009 @ 15:29:55
Jona – run it in “Safe Mode” by pressing F8 when your computer restarts. “Safe Mode with networking” selection should be fine.
Tony
Oct 16, 2009 @ 18:38:25
PLEASE CAN ANYONE TELL ME HOW TO GET IN TOUCH WITH SECURITY TOOL TO HAVE THEM REMOVE THE CHARGE THEY CHARGE ME!!!!!!!!!!! THANK ANYONE WHO CAN GIVE ME THIS INFORMATION !!!!!!! THIS IS ONE OF THE BIGGEST SCAMS ON THE INTERNET RIGHT NOW!!!!!!!!!!!!!!!!
Ricky2
Oct 19, 2009 @ 04:24:31
I’ve cleaned a number of computers that have been infected with this virus (and the anti-virus 2009) I use a flash drive with Advanced System Care (The Geek Squad standby) and MalwareBytes (My old standby) installed on it. They are both FREE programs, and make sure you run the updates. I always use the safe mode and have had great success most of the time. Although I must say this is a tough one to get rid of … Watch i when using ASC, it’s a pretty powerful program .. don’t get carried away with all the ‘goodies’ if you don’t know what you’re doing. STICK WITH THE BASICS !!!
Jack
Oct 20, 2009 @ 11:25:12
Your instructions were right on! Thanks. I did have to bring up Task Mgr as soon as computer began logging on. I kept Task Mgr up and stopped running any Security Tool items I would see. It seem to help me get thru your directions easily.
mark bumenski
Oct 20, 2009 @ 19:47:04
Best way is to boot into safemode per above 1st and then try removing it. Make SURE you turn off System Restore. If you don’t the latest incarnation of this malware will not go away easily.
If you cannot boot into safe mode then upon bootup as soon as you see your desktop starting to load hit Control+Shift+Esc until the task manager runs and then close down the SecurityTool Program. It won’t be called SecurityTool.exe but will have a funny name that will be noticeable. Then turn off System Restore.
Then put in your thumb drive in that has malwarebytes and an antivirus program. A demo version Norton Internet Security is currently imho the best thing going but if you want something Free than Microsoft Security Essentials is OK but not as good as commercial software.
Contrary to what you see here Malwarebytes likely won’t get it all but will get most of it. That’s why you need a separate antivirus program to clean up the rest of the infection.
KT !
Oct 23, 2009 @ 08:23:14
Someone please please tell me how to get the money back security tool charged me i’m goin through a lot and i need it back i can’t believe they ripped me off
Bob
Oct 24, 2009 @ 16:53:17
I struggled quite a bit and found I could hit ctrl alt del several times during boot up and get the task manager to show up and stop the security tool. Then I downloaded the malware and ran it and my computer seems to work well since. It’s difficult at first without halting the security tool because it always hides evrything that you bring up on the screen. Good luck to all of you..
Treskov 2315
Oct 25, 2009 @ 05:15:33
I downloaded mbam from a different comp & had it renamed before using, it worked. Get the free version. Thanks a LOT Malwarebytes,…………
Jason
Nov 08, 2009 @ 19:00:02
I’ve tried running the Malware and I keep getting some kind of Code 0 when I try to run it, even with the .exe patch that’s available, and yes, I’m doing all of this in safe mode. Suggestions?
Koinna
Nov 10, 2009 @ 21:52:11
Very interesting site. Hope it will always be alive!, map198, map34, map167, map37, map149,
Mike
Nov 15, 2009 @ 16:32:18
I am suffering this virus, the computer is in a constant loop of starting and closing down, I do not have sufficient time to stop anything, I cannot get into safe mode eithere, can anyone help with getting rid of this virus?
Tina
Nov 18, 2009 @ 03:13:22
After running the virus scan, I had to delete the Security tool file from the c drive, which was named a series of numbers. Otherewise, everytime I restarted the computer it came back.
harry rosas
Nov 19, 2009 @ 20:30:37
I just purchased security tool, but i did not get an activation I.D. or number
Lardo
Nov 22, 2009 @ 06:51:33
If you have to do it, you might as well do it right., Trendnet Control Center Firewall, Symantec Antivirus Research Center, Tns Spyware, Spyware Remover For Macos 9 2 2, Symantec Antivirus Update Free Download,
Seveaviel
Nov 22, 2009 @ 15:10:28
Very interesting site. Hope it will always be alive!, What Is Spyware And Sniffers, Yahoo Beta Spyware, Windows Enhanced Firewall, Windows Defender Crack Program Fee Download, Remove Virus Win32 Vundo Generic,
Etie
Nov 23, 2009 @ 08:04:32
Great. Now i can say thank you!, Download Free Spyware Cleaning Software, Dyna Defender, Darpa Hardware Malware Detection, Download Crack Firewall Black Ice Defender, Defender Tdi 300 Speed,
tanya
Nov 26, 2009 @ 04:28:46
I now have this virus and am wondering which one of these methods would work the best if I am running Vista. Anyone have an idea? Would be appreciated. Thanks
Ray
Nov 26, 2009 @ 11:02:47
Thank you!, the Malwarebytes Anti-Malware seems to’ve worked, and thanks to those suggesting to using safemode! Much appreciated!!
Ken
Nov 29, 2009 @ 07:35:38
The “Security Tool” virus had shut down my task manager, program remove, in the control panel, system restore…and who knows what else. It even had shut down MBAM. I removed it by rebooting to safe, opening MBAM, running a complete scan. The MBAM did it’s job well. I then rebooted out of safe and ” POOF “, virus gone, that simple. Hope it works for you too.
charles darrigo
Dec 01, 2009 @ 06:12:01
hi on the day off 30.11.2009 this firewall.tool alert is giving me problems wath shud a do help please
Neil
Dec 04, 2009 @ 06:56:16
To everyone who tried to purchase this software, you better keep a close eye on all your accounts, credit statements, and any financial documents. Your identity was most likely stolen. For those that are new to this type of rogue program, this thing is not new, only new name. From what I can remember it started about 5 years ago maybe earlier than that I got it as XP Antivirus 2008, then it went to XP Antivirus 2009, Then Home Antivirus 2010, and so on. I wish they would catch these jerkoffs, throw them on a remote deserted island with no electricity.
lina mesina
Dec 08, 2009 @ 09:59:30
i already buy this security tool but i can notrecive my activation # plus this security tool charged me 99 dallars is there anyway you can check my file and send it to me or do something about it .
precisesecurity
Dec 08, 2009 @ 10:05:09
lina mesina,
First of all, you should NOT buy this fake program. Advise your credit card company and dispute the recent transactions immediately.
david alan
Dec 14, 2009 @ 04:37:12
I got it on my brand new computer. The virus is huge. Everyone and their brother seem to get it lately. If you are not “computer savy”, don’t take chances. I have removed viruses before, no big deal. But this one needs to be removed carefully or it attacks your registry. If your computer is old, ( I buy a new one every two years) give it a try. If you have a brand new computer (mine is 6 mos. old) Unplug everything and spend the 100.00 dollars to remove it. Any staples, Best Buys, Geek squad can do it. Remember, this is a very common virus right now. Thease guys are doing it every day like clockwork. I will admit that it’s pricey and they should lower the price for common virus removal, but when in doubt, let someone who is doing it every day handle it. It’s just piece of mind. Remember, A recovery disc could cost you 50.00 or so and then your computer is wiped clean. So is everything you wanted to save. If you have more than a few questions as to how to do this… don’t do it. That’s just my advice….. For what it’s worth. P.S. Don’t buy anything because a pop up window says you have to. Rule #1! Also, use Firefox as your browser and keep AVG running on the P.C. I learned it the hard way. I knew it but never got around to doing the right stuff. Fool me once, shame on you… fool me twice, same on me.
Akash
Dec 14, 2009 @ 07:02:06
All this is crap and an advertisement stunt! I dont know how these people answer to their own souls!
Just to sell their product they are sending these hoax mails themselves and then acclaiming to have capacity to remove it. I cant curse these guys here, but these guys are cheap and will face the horrors of hell for eternity!
.
.
As for my friends TO REMOVE THE ‘SECURITY TOOL’ you just have to clear your cookies, temporary files and then try removing the main culprit i.e. the main file of this tool.
Kim
Dec 14, 2009 @ 15:12:00
This was great – thanks to all who gave their help and suggestions.
Soccer Mom
Dec 18, 2009 @ 04:42:58
First don’t panic!! Second keep clicking “no” you do not want to activate. Third, keep moving the pesky little boxes to the far right of your computer. Keep trying to get on the internet and when you do download what was instructed above: Malwarebytes and Advanced System Care saving them to your desktop. Then turn off your computer, restart pressing the F8 key to go into safe mode. Once in safe mode, click on “safe mode with networking”. This will bring you safely to your desktop. Run the step-up then the actual programs. It will clean out the trojan and restore order to your computer. THANKS TO ALL THE COMPUTER EXPERTS ABOVE FOR YOUR ASSISTANCE. I just thought I would give a step-by-step for us novice to somewhat dangerous with a computer. Merry Christmas!!
Soccer Mom
Dec 18, 2009 @ 04:49:42
Also the file that was added by this virus to my computer was in my c:\program data file and it was all numbers followed by .exe
Soccer Mom
Dec 18, 2009 @ 04:53:35
THANKS TO ALL THE COMPUTER EXPERTS WHO HAVE COMMENTED AS PROBLEM WAS RESOLVED WITHOUT PAYING SOMEONE TO DO IT. Steps I followed:
1. moved the pesky boxes as far right as I could. Clicking on “no” to activation. I then got on the internet
2. saved both the Malwarebytes and Advanced System Care downloads to my desktop.
3. restarted my computer and tapped F8 until in safe mode.
4. clicked on Safe Mode w/networking
5. saved the programs to my computer then started them.
6. virus was found and safely removed :)
donnovan g
Dec 19, 2009 @ 04:48:34
i need the activation code
Nick
Dec 25, 2009 @ 19:03:19
I believe I removed most of the virus, but Google is still affected as search results are not returned. Does anyone know how to remedy this issue? Or perhaps have instructions for manually removing the virus?
Jef
Dec 26, 2009 @ 06:34:32
Found this on another post:
Even after removing the malware I was unable to access Google &c. From another site I got a direction to look at C:\WINDOWS\system32\drivers\etc\Hosts.
Opening it in Notepad, I saw that it had listed just about every variety of Google & Yahoo against IP address 127.0.0.1. I copied this file (to be on the safe side!) and then deleted all the entries and, bingo, worked fine.
I tried this as well, and it worked!
Hope this is helpful!
Nick
Dec 26, 2009 @ 21:45:28
It worked – thanks!
Nick
Dec 26, 2009 @ 21:46:27
just needed to restart my computer after deleting the entries
Norman S. Rockwell
Dec 30, 2009 @ 05:40:49
According to B of A, who thankfully declined my credit card attempt to purchase “Security Tool”, the phone number for this scam is 800-835-5770. Call them and curse them out if it makes you feel better. A pro is coming tomorrow to remove this pain in the ass.
hank
Jan 01, 2010 @ 04:45:01
why deal with it? just reload your windows installation cd and your system is back like new. dont pay anyone anything. in the future make sure important files are backed up
lerie
Jan 02, 2010 @ 21:49:42
if you were scammed, please type in “security tool” on youtube for a tutorial to somewhat get rid of the problem. it helps!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Teagan K.
Jan 05, 2010 @ 16:17:32
Hi Everyone who is wondering about how to get your money back. Well I was previously scam from these dirt bags from some island they are from (baku). I was illiterate with computers and just bought my first brand new computer. So then on I “supposely” got a virus and then having them force me to pay them money for a ridiculous “security tool” scam!! I didn’t know at the time it was fake until I wanted to check on my status about viruses. It disappear like I never purchase it. It got me wondering about it so I google it and came upon this site. I was fricking piss off to hear what it did to people and myself. So what I did was call my bank and told them I was scam and was wondering how I can get my money back, because I didn’t know how to get ahold of these people. So they told if I wanted to file a claim which is done right then and there. I did that and I would be getting my money back by mid-night.
It is not call Security Tool on your statment purchase. It is call REALGOLDSOFT. I bought mine for 49.95. So check out your statment and goodluck with getting your money back.
I have questions to ask:
Does the security tool now have access throught out my computer?
What if I don’t have the security tool anymore, but I didn’t delete and can’t find it on my computer?
Where can I find a good protector for my computer?
Please take the time out to help me as I did for whoever needed their money back!!
Please and thank you!!!!!!
Joel
Jan 13, 2010 @ 21:10:38
Thank you!, the Malwarebytes Anti-Malware seems to’ve worked for me too and thanks to those suggesting to using safemode! Much appreciated!!
robbark
Jan 17, 2010 @ 21:41:43
DON’T PANIC. THIS IS SIMPLE TO REMOVE AND ANYONE CAN DO IT. DO NOT PAY SOMEONE TO DO WHAT YOU HAVE THE ABILITY TO DO YOURSELF. The Malwarebytes file works perfect. As some suggested, you do have to press Ctrl+Alt+Del as soon as Windows starts up. This will prevent the virus from stopping the Task manager from running (along with any other program you may need), therefore when the “Security Tool” program runs you can simply choose “End Task”. Once this is complete follow the instructions above and presto, it gone!! If you try to press Ctrl+Alt+Del once the “Security Tool” is loaded, it will give you some crap that the file is infected.
xtrathankfull
Jan 22, 2010 @ 23:32:33
THANK YOU GUYS SO MUCH!!!!!
It completely got rid of security tool. My computer is working as normal but a little bit slower.
Thanks
Corrections: Tag Along Virus: WINCAP along with DNA - Security Tool Virus
Feb 08, 2010 @ 18:40:06
COMPLETE REMOVAL INSTRUCTIONS
Removal instructions from XP (& probably 2000 & maybe Vista)
1. After rebooting, ASAP, before the tool loads, press [CTL-ATL-DEL] you may have to try a couple of times.
2. Select “Task Manager”,”Processes” tab,
3. Click on “Image Name” (to sort in ascending order)
4. There should be a process running that is 8 numbers and only numbers… Mine was 808561
5. Kill the process as noted above, and you now should have control of your system again.
6. Open control panel, “Add, Remove Programs”
7. Find and uninstall “DNA” (1 of 3 to be uninstalled and deleted)
8. Open windows explorer (show all files & folders)
9 Navigate to C:\Program files\
10. You need to have your “explorer”, “view” “detail” selected to see the time stamps. Then sort by modified date (Desc) (click on the date column to sort and again to reverse the sort order). Order the sort so that the most recently modified appear at the top for you.
11. 1 or 2 folders should appear on the top with the current dates of your infection. “DNA” with and “WINCAP..(something along these lines) Also look for any other added folders since the day and time of the infection. You can tell by the date stamp on them. If you know you didn’t install any programs on these recent dates:
delete them.
I found DNA (Security Tool Virus, with an executable file called BTDNA.exe, this is the virus program — and WINCAP (RPCAPD.exe). DNA is the Security Tool Virus and WINCAP is a trojan came along as a package deal with the DNA. You need to be sure to remove all the bad stuff. If you aren’t sure, look them both up
12. Be sure to have your “Explorer”, “Tools”,”Folder Options” “view” “Show Hidden Files & Folders” ON). Then go to c:/documents & settings/all users/application data as noted in other posts above and delete the folder with the 8 numbers for the name. Note: It will match the process that you killed to get here)
13. reboot … and you should be home free.
14. Delete all the files in your folders C:/Document & Settings//Local Settings/Temp
Find and delete: GDIPFONTCACHEV1.DAT
Scan your computer for all files dated at with time stamp from your infection date. Use
your judgement to delete them or not. If you are not comfortable with WINDOWS OS better
to not delete.
15. And if you are comfortable with checking your registry file.
Scan your registry file for BTDNA, the eight digit numerical name, WINCAP, and RPCAPD.
I found a bunch with the eight digit numerical name & BTDNA and deleted them. DNA appears
to be used for more than just a virus, so BE CAREFUL.
16. Empty your recycle bin. Run your antivirus.
17. If this doesn’t work, try booting in safe mode and restoring it.
Vanessa
Feb 12, 2010 @ 00:59:32
I payed for security tool. What do I do now?
becky
Feb 14, 2010 @ 21:44:09
thank you, thank you, thank you. spent hours trying to figure this virus out and finally read a couple of posts here and got the last bit of info to figure it out. Only took a few minutes – best info/site out there. thank you, thank you, thank you!!
julie
Mar 07, 2010 @ 00:13:49
Hi everyone, i just very recently have been infected by this security tool thing. At first i panicked and thought my computer was a gonner but then i quite luckily discovered how to get rid of it yourself without help form anything else. As soon as you turn your computer on right click on the security tool icon on your desktop and click properties, if you look at the target file location you will see the file name security tool is using to hide in your computer it will usualy contain a few numbers. Copy the target file location then paste it in the search box on your windows taskbar and search. This will bring up the actual security tool file which will be a few numbers. Simply right click and delete. Then delete security tool icon from your desktop. Now empty your recycling bin and restart your computer. This really works. I hope i could be of help. Good Luck !!!
Justin
Mar 31, 2010 @ 21:58:19
its a good thing that a friend of mine suggested this removal program. if it wasnt for him, i’d probably lose my windows 7!
nasya
Apr 05, 2010 @ 23:25:44
It deleted some important files but thanx to ur info I got rid of that stupid security tool
Vantrell
Apr 11, 2010 @ 04:44:02
I try everything and nothing work for me
murad
Apr 18, 2010 @ 03:03:16
help my coputer from security tool virus
ian
Apr 18, 2010 @ 16:37:41
how do i shut it down
Rog
May 13, 2010 @ 17:07:04
What does this virus do, i just got it the other day and norton quarantined it and is no longer there I also did a system restore to earlier that day just in case, is there anything else i should do? thanks.
Ferdi
Jul 26, 2010 @ 21:42:07
We have just successfully removed Security tool virus from my mates pc- running windows 7 Here is a step by step. Try it, I hope it works for you.
1.restart pc in normal mode.
2.The moment you log into your account(If you have one)Key cont.Alt.Del in order to start task manager before the malicious virus program has a chance to start running, because when given time to start it blocks access to task manager.
3.We got task manager started this way and it reveled to us where the location of the .exe file was.(look for a 10 digit numbered.exe file)
4.Now make a note of where the file is and stop the process in task manager.
5. The file will be hidden so you need to go to folder view and choose option tick show hidden files,folders and drives and un-tick hide protected operating system files.
6.Now, from the location note you have made, find the file (normaly a 10 digit number.exe) and delete it. Also empty your recycle bin.
And we hope you have done it!!! Good luck when restarting your PC.
Greg
Aug 04, 2010 @ 11:18:38
SuperAntiSpyware will get rid of this, make sure system restore is off, this is a TSR program that will keep coming back if you don’t have System Restore turned off, which isn’t a big deal as long as you’re backing your system up anyway, which is what you shold be doing. Took me two times running it but it’s gone now. Good luck.
Kathryn
Aug 16, 2010 @ 12:56:44
Have just had the world’s worst weekend trying to get rid of the Security Tool virus program. Have run Malwarebyte’s Antimalware program repeatedly and Advanced SystemCare. It works but I have some queries. The malware program is no longer recognising any threats, however ASC is still finding threats. Have run ASC several times today with it repairing each time, and rebooted following same. Have I got rid of this horrible virus completely? Can I trust Google or Internet Explorer ever again? Found virus as 730845 (didn’t start with 8)hiding in/via Internet Explorer shortcut. How do I know if I got it all?
Monica
Aug 29, 2010 @ 23:57:39
It took me all day to get rid of it with no extra fees what-so-ever. The virus attached to my task bar and when I put my mouse over it the number was there. I suggest highly that you follow youtube’s video on removing security tool to remove this virus. Also, the program wasn’t under all users, it was hiding under documents and settings, my name, and local. Weird….
Pavel
Aug 31, 2010 @ 06:58:33
Thanks a lot! It worked. Had to download the program on the other computer since the virus was blocking my browser. Did a scan found a lot of things, restarted the computer in normal mode (before was in safe mode), browser still not working, turned off proxy and it worked. Did another virus scan with avg, found more stuff. All good now. Thanks for posting this.
mega
Nov 22, 2010 @ 10:35:26
this is”Maged” method:-
go to:tools > view >show hidden files
go to:start>programs>security tool to determine virus location
its usual path is:
Documents And Settings>[UserName]>Local Setting>Application Data.
u will find the virus icon named with some numbers, rename virus file with my name: maged
restart pc then go back to virus file and delete it manually
use registery crawler program to delete any keys left in registery..good luck
teamtempest
Dec 01, 2010 @ 00:08:59
The Security Tool Virus infected my brother+sister-in-law’s WinXP computer last Saturday, 27th Nov 2010 around 5:40 PM, according to the timestamps I found. This computer was running Microsoft Security Essentials, and I noticed its history indicated it woke up for one of the few times since its installation right about then and got rid of several other viruses – but not this one.
Only my sister-in-law’s account was affected, of five or so on the machine. The others seemed normal.
Here are some things that did not work to get rid of Security Tool:
- access to “taskmgr” ([CTRL-ALT-DEL]) was blocked by Security Tool
- access to “regedit” (via RUN start menu entry) was blocked by Security Tool
- access to “control panel” (via start menu entry) was blocked by Security Tool
- access to the directory tree of the affected account (via the command prompt) was “denied”, presumably by Security Tool
- restoring the machine to an earlier time (via System Restore) was impossible because there was only one backup listed in the restore calendar – Saturday, 27th Nov 2010 6:30 PM
- a “full” scan by Microsoft Security Essentials, a process that took hours due to the number of files on the machine, found three more viruses but did not get rid of Security Tool
Another odd thing was the appearance in all accounts of “Whitesmoke Translator”, which made its presence known by altering the menu of Internet Explorer (version 8). Timestamps again showed this appeared on Saturday, 27th Nov 2010 around 5:40 PM. Internet Explorer’s default home page for this account was re-set from Yahoo! to Bing. Navigation became difficult because of random re-direction whenever any link was clicked.
No one admitted to downloading and/or installing this software. The download package was found in a “Whitesmoke” directory in a “temp” directory, and a file in that directory was named “Whitesmoke Silent Install”.
After finding this list of comments (thanks everyone!) I found this to be fairly effective (fingers are still crossed):
- after selecting the infected account, pressing [CTRL-ALT-DEL] while the account was initializing brought up Task Manager before Security Tool obtained control
- on the “Process” tab, sorting on “Image Name” brought up Security Tool’s random alias at the top of the list (in this case, “441287″). This didn’t actually happen right away, as there was still a slight wait after Task Manager began running before Security Tool began running and displaying its annoying messages
- using Task Manager to “End Task” stopped “441287″ running. Full control of the account appeared to return
- a slight detour: brought up “Control Panel” and then “Add/Delete Programs” to try to get rid of “Whitesmoke Translator”. Two entries found: one for “Whitesmoke Toolbar” and one for “Whitesmoke Translator”. The first was deleted easily with no fuss (IE’s menus returned to normal). Deleting the second caused a message to appear: “‘mfptray.exe’ is preventing access to Whitesmoke Translator. Please stop this process and try again”
- found “mfptray” in Task Manager and stopped it running (oops)
- attempting to delete “Whitesmoke Translator” again brought up a message: “‘rundll32.exe’ is preventing access to Whitesmoke Translator. Please stop this process and try again”
- yeah, well, by now it looks to me like Security Tool is taunting me. ‘Mfptray.exe’, a little too-late research shows, is part of the McAfee anti-virus suite that came with the machine
- gave up on that and began looking for “441287.exe”. Set “Folder Options” to show all hidden and system files. Found “441287.exe” in “C:\Documents and Settings\[UserName]\Local Settings\Appplication Data”. Deleted the file.
- went through the entire directory tree under “C:\Documents and Settings\[UserName]” and deleted every file and directory I could find, but not confirm harmless, dated 27 Nov 2010 or later (bye-bye “Whitesmoke” directory)
- used RegEdit’s search feature to look for “441287″ in the registry. Found only one occurance at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce”. Note this was not the “Run” key, and nothing was found under “HKEY_CURRENT_USER”, so apparently Security Tool doesn’t always do things the same way
- deleted “Security Tool” from the Start Menu. There was no desktop icon for it that I could see
- used the Start Menu “Search” to look for all files with “441287″ in their names, including hidden and system files and all subdirectories. “441287.exe” was already deleted and the search did not find any with different extensions (“.bat”, “.ini”, “.cfg”, etc)
Then I did a soft reboot, ie., selected the restart option without turning off the machine. Got back into the infected account, but only saw the backround image. No icons, no menu, no nothing. No way to shut down the machine the “nice” way.
Turned off the machine by holding the power button down long enough. Re-booted into the affected account. This time the icons and menus came up as expected. No Security Tool messages, no problem accessing anything.
So things appear mostly cleaned up. However…IE8 still shows signs of random re-direction. Whethere this is a remnant of Security Tool or some other “opportunitic” virus is not apparent. Microsoft Security Essentials reports failure to update to the latest definitions even when manually told to (definitions remained at “.654.”, 25 Nov 2010, before the infection, when latest were “.808.”). Another little present left behind by unwelcome visitors…?
The long term solution may be to wipe the drive and install Win7 – once my sister-in-law transfers off of it thousands of “must have” photos (the drive is almost full; no wonder Microsoft Security Essentials took so long to do a full scan).
Hope this helps someone!