Comments on: SecurityTool and Security Tool Virus

By: teamtempest

teamtempest — Wed, 01 Dec 2010 00:08:59 +0000

The Security Tool Virus infected my brother+sister-in-law’s WinXP computer last Saturday, 27th Nov 2010 around 5:40 PM, according to the timestamps I found. This computer was running Microsoft Security Essentials, and I noticed its history indicated it woke up for one of the few times since its installation right about then and got rid of several other viruses – but not this one.

Only my sister-in-law’s account was affected, of five or so on the machine. The others seemed normal.

Here are some things that did not work to get rid of Security Tool:

- access to “taskmgr” ([CTRL-ALT-DEL]) was blocked by Security Tool
- access to “regedit” (via RUN start menu entry) was blocked by Security Tool
- access to “control panel” (via start menu entry) was blocked by Security Tool
- access to the directory tree of the affected account (via the command prompt) was “denied”, presumably by Security Tool
- restoring the machine to an earlier time (via System Restore) was impossible because there was only one backup listed in the restore calendar – Saturday, 27th Nov 2010 6:30 PM
- a “full” scan by Microsoft Security Essentials, a process that took hours due to the number of files on the machine, found three more viruses but did not get rid of Security Tool

Another odd thing was the appearance in all accounts of “Whitesmoke Translator”, which made its presence known by altering the menu of Internet Explorer (version 8). Timestamps again showed this appeared on Saturday, 27th Nov 2010 around 5:40 PM. Internet Explorer’s default home page for this account was re-set from Yahoo! to Bing. Navigation became difficult because of random re-direction whenever any link was clicked.

No one admitted to downloading and/or installing this software. The download package was found in a “Whitesmoke” directory in a “temp” directory, and a file in that directory was named “Whitesmoke Silent Install”.

After finding this list of comments (thanks everyone!) I found this to be fairly effective (fingers are still crossed):

- after selecting the infected account, pressing [CTRL-ALT-DEL] while the account was initializing brought up Task Manager before Security Tool obtained control
- on the “Process” tab, sorting on “Image Name” brought up Security Tool’s random alias at the top of the list (in this case, “441287″). This didn’t actually happen right away, as there was still a slight wait after Task Manager began running before Security Tool began running and displaying its annoying messages
- using Task Manager to “End Task” stopped “441287″ running. Full control of the account appeared to return
- a slight detour: brought up “Control Panel” and then “Add/Delete Programs” to try to get rid of “Whitesmoke Translator”. Two entries found: one for “Whitesmoke Toolbar” and one for “Whitesmoke Translator”. The first was deleted easily with no fuss (IE’s menus returned to normal). Deleting the second caused a message to appear: “‘mfptray.exe’ is preventing access to Whitesmoke Translator. Please stop this process and try again”
- found “mfptray” in Task Manager and stopped it running (oops)
- attempting to delete “Whitesmoke Translator” again brought up a message: “‘rundll32.exe’ is preventing access to Whitesmoke Translator. Please stop this process and try again”
- yeah, well, by now it looks to me like Security Tool is taunting me. ‘Mfptray.exe’, a little too-late research shows, is part of the McAfee anti-virus suite that came with the machine
- gave up on that and began looking for “441287.exe”. Set “Folder Options” to show all hidden and system files. Found “441287.exe” in “C:\Documents and Settings\[UserName]\Local Settings\Appplication Data”. Deleted the file.
- went through the entire directory tree under “C:\Documents and Settings\[UserName]” and deleted every file and directory I could find, but not confirm harmless, dated 27 Nov 2010 or later (bye-bye “Whitesmoke” directory)
- used RegEdit’s search feature to look for “441287″ in the registry. Found only one occurance at “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce”. Note this was not the “Run” key, and nothing was found under “HKEY_CURRENT_USER”, so apparently Security Tool doesn’t always do things the same way
- deleted “Security Tool” from the Start Menu. There was no desktop icon for it that I could see
- used the Start Menu “Search” to look for all files with “441287″ in their names, including hidden and system files and all subdirectories. “441287.exe” was already deleted and the search did not find any with different extensions (“.bat”, “.ini”, “.cfg”, etc)

Then I did a soft reboot, ie., selected the restart option without turning off the machine. Got back into the infected account, but only saw the backround image. No icons, no menu, no nothing. No way to shut down the machine the “nice” way.

Turned off the machine by holding the power button down long enough. Re-booted into the affected account. This time the icons and menus came up as expected. No Security Tool messages, no problem accessing anything.

So things appear mostly cleaned up. However…IE8 still shows signs of random re-direction. Whethere this is a remnant of Security Tool or some other “opportunitic” virus is not apparent. Microsoft Security Essentials reports failure to update to the latest definitions even when manually told to (definitions remained at “.654.”, 25 Nov 2010, before the infection, when latest were “.808.”). Another little present left behind by unwelcome visitors…?

The long term solution may be to wipe the drive and install Win7 – once my sister-in-law transfers off of it thousands of “must have” photos (the drive is almost full; no wonder Microsoft Security Essentials took so long to do a full scan).

Hope this helps someone!

By: mega

mega — Mon, 22 Nov 2010 10:35:26 +0000

this is”Maged” method:-
go to:tools > view >show hidden files
go to:start>programs>security tool to determine virus location
its usual path is:
Documents And Settings>[UserName]>Local Setting>Application Data.
u will find the virus icon named with some numbers, rename virus file with my name: maged
restart pc then go back to virus file and delete it manually
use registery crawler program to delete any keys left in registery..good luck

By: Pavel

Pavel — Tue, 31 Aug 2010 06:58:33 +0000

Thanks a lot! It worked. Had to download the program on the other computer since the virus was blocking my browser. Did a scan found a lot of things, restarted the computer in normal mode (before was in safe mode), browser still not working, turned off proxy and it worked. Did another virus scan with avg, found more stuff. All good now. Thanks for posting this.

By: Monica

Monica — Sun, 29 Aug 2010 23:57:39 +0000

It took me all day to get rid of it with no extra fees what-so-ever. The virus attached to my task bar and when I put my mouse over it the number was there. I suggest highly that you follow youtube’s video on removing security tool to remove this virus. Also, the program wasn’t under all users, it was hiding under documents and settings, my name, and local. Weird….

By: Kathryn

Kathryn — Mon, 16 Aug 2010 12:56:44 +0000

Have just had the world’s worst weekend trying to get rid of the Security Tool virus program. Have run Malwarebyte’s Antimalware program repeatedly and Advanced SystemCare. It works but I have some queries. The malware program is no longer recognising any threats, however ASC is still finding threats. Have run ASC several times today with it repairing each time, and rebooted following same. Have I got rid of this horrible virus completely? Can I trust Google or Internet Explorer ever again? Found virus as 730845 (didn’t start with 8)hiding in/via Internet Explorer shortcut. How do I know if I got it all?

By: Greg

Greg — Wed, 04 Aug 2010 11:18:38 +0000

SuperAntiSpyware will get rid of this, make sure system restore is off, this is a TSR program that will keep coming back if you don’t have System Restore turned off, which isn’t a big deal as long as you’re backing your system up anyway, which is what you shold be doing. Took me two times running it but it’s gone now. Good luck.

By: Ferdi

Ferdi — Mon, 26 Jul 2010 21:42:07 +0000

We have just successfully removed Security tool virus from my mates pc- running windows 7 Here is a step by step. Try it, I hope it works for you.
1.restart pc in normal mode.
2.The moment you log into your account(If you have one)Key cont.Alt.Del in order to start task manager before the malicious virus program has a chance to start running, because when given time to start it blocks access to task manager.
3.We got task manager started this way and it reveled to us where the location of the .exe file was.(look for a 10 digit numbered.exe file)
4.Now make a note of where the file is and stop the process in task manager.
5. The file will be hidden so you need to go to folder view and choose option tick show hidden files,folders and drives and un-tick hide protected operating system files.
6.Now, from the location note you have made, find the file (normaly a 10 digit number.exe) and delete it. Also empty your recycle bin.
And we hope you have done it!!! Good luck when restarting your PC.

By: Rog

Rog — Thu, 13 May 2010 17:07:04 +0000

What does this virus do, i just got it the other day and norton quarantined it and is no longer there I also did a system restore to earlier that day just in case, is there anything else i should do? thanks.

By: ian

ian — Sun, 18 Apr 2010 16:37:41 +0000

how do i shut it down

By: murad

murad — Sun, 18 Apr 2010 03:03:16 +0000

help my coputer from security tool virus