SECURITY TOOL VIRUS


Copyright © 2010 by John Sherman



A client of mine called one day to complain about his computer. I told him to contact the computer expert who sold him the machine and set it up for him. All I do is make websites (like his). He said he did call him, but the expert was helpless in this case. I was called out of desperation. He said his computer had been running slow, so he ran an anti-virus scan a couple of times. Each time, Norton's found a virus it had not known was there, could not delete it, and so attempted to quarantine it. Both times it told my client the computer was now clean. Wrong!

I told my client what happens is that this malware first uploads all the data from his computer to the attacker's computer. Then they sit back and watch everything you do. They know every website you go to, every username and password, and everything else. Then they use your computer and connection to spam the world. When the ISP gets tired of that and blocks it, the malware denies you your computer unless you give up credit card info. I said I could clean the drive and reinstall Windows, but my client had never backed up his data, so he was really upset. That was not an acceptable option for him.

Security Tool is a horrible virus! Security Tool pretends to be an anti-virus program, but what it actually does is a denial-of-service (DoS) attack on your own machine. Every time you try to do something, Security Tool says you have a virus, and you can't do it. In my client's case, Security Tool said a virus was trying to access the web and upload his credit card info using file such-and-such. It said the only cure was to send Security Tool money.

This virus actually overrides Windows Add/Remove Programs, it overrides the repair CD (which is supposed to be impossible), and it even overrides Ctrl+Alt+Delete (which is supposed to be impossible)! My client had Norton's AV active when he got the virus, so it overrides that too. This virus slaps Norton's AV aside and infects your computer anyway. Later, when he ran Norton's, Norton's found the virus and attempted to put it in quarantine, but was unsuccessful. It fed Norton's a fake file to play with! A simple drive format will not clean it, because you also have to clean the boot sector. This thing is vicious.

How to get rid of it? Good luck! I found information on Norton's website. They admitted being helpless to stop this thing. Their website says to uninstall Norton's completely, then manually delete the virus, then reinstall Norton's and go through the whole setup procedure again. Well, how are you going to do that when you do not have access to the drive, not even access to Windows?

After fighting with it, I discovered an easy way to get rid of it. First, physically disconnect your computer from the internet, so that Security Tool does not have support. It has probably already uploaded your entire computer to the bad guy's website, but you still need to isolate it so you can kill it. Turn your computer off, then turn it back on. You are waiting for the desktop to appear. If you have Windows XP and you have a password set up, you will enter the password and hit Enter. Immediately the desktop appears, so be ready! The instant you see the desktop, hit Ctrl+Alt+Delete.

What you are doing is hitting Ctrl+Alt+Delete before the virus program gets going. Immediately choose the Task Manager, and immediately choose the Applications tab. Now move the window down to the bottom left corner of your screen. Be quick about it, because you have very little time. If you are too slow, simply turn your computer off, then turn it on again, and start over.

In the Applications tab of the Task Manager, watch the programs start up as your computer gets going. Have your mouse poised and ready in the window. When Security Tool appears in the Task Manager, the Security Tool window also opens up. The instant Security Tool starts running, click on it in the Task Manager and choose End Task. Security Tool will probably flash you a couple of nasty warnings, but ignore them at first; you need to quickly hit End Task. The reason you moved the Task Manager window to the bottom left of the screen is that Security Tool rides above it, which is supposed to be impossible, but it does. Did I say that this thing is vicious? Whoever created it is despicable!

Now you will probably get a notice that Security Tool is not responding. That is normal when you shut down a program before it gets running; once it is running you won't be able to shut it down. So go ahead and hit the End Task button on the notice, and Windows will be able to shut it down temporarily. Now you can also close out any notices that Security Tool gave you. Then just sit and wait. Shortly, you should get a notice saying "You chose to end a non-responsive program, do you want to notify Microsoft?" Do not close this notice, because it shows you the name of the program! Just shove the notice to the top left of your screen.

The name of the program will be a random group of numbers, 8 or 9 digits, followed by .exe. The number is different on each computer. Now open a My Computer window and place it in the top right quarter of your screen. Click the Search button, choose All Files and Folders, and enter the file name into the file name box (for example, the file name might be 127553388.exe). Then click on Advanced Options and make sure Hidden Files is checked, System Folders is checked, and Subfolders is checked. Then click Search.

In my client's case I found 4 files. One was the virus itself, and one seemed to be a file which reinstates the virus if you try to delete it. The other two were from Norton's two attempts to quarantine the virus. Some people will just select all the files it finds and delete them from that window. But I adhere to the old school which says you should delete them from a separate window.

So open another My Computer window and place it in the bottom right quarter of your screen. Go to Tools / Folder Options / View and be sure Show Hidden Files And Folders is checked. You might have to uncheck Hide Protected Operating System Files and uncheck Hide Extensions For Known File Types, then close that box. Navigate to the folder in which the Search found the virus. On the toolbar click Views / Thumbnails. Now scroll down and find the file. Don't click on the file to select it! Put your cursor in the whitespace next to the file, hold down the left mouse button, drag the mouse over the file, then release the mouse button. See how it selects the file without touching it? Now hit the Delete key on your keyboard, and then Enter when it asks if you are sure. Now navigate to all the other files and delete them the same way. If you can't find the files, go ahead and try to delete them from the Search window.

Now you have to open your Recycle Bin, and delete the files from there. It is best to just hit the button which says Empty Recycle Bin.

Now, you really should go into the Registry and delete the entries from there. However, do not attempt it if you do not know how. In my case, I just left those entries there and there is no problem. Those entries are not files, they are just instructions to Windows to open the virus when the computer starts up. When it tries to open the virus it won't find it, and so it won't be able to open it. There shouldn't be a problem with that.

Now, looking in your Task Manager's Applications window, you should not see Security Tool running. Turn your computer off, and then turn it back on. Quickly start the Task Manager as before, and wait and see if the virus comes alive. If it does not show up, Yippee!!
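The two things the removal above relies on are the random 8- or 9-digit .exe name and the startup entry that launches it. As an added illustration (not part of the original post), here is a small Python check that applies both indicators to a constructed file listing and constructed Run-key values; the paths and value names are made up for the example.

```python
import re
from pathlib import PureWindowsPath
# Security Tool drops itself as a random 8- or 9-digit number with an .exe extension
# (the post's example is 127553388.exe) and adds a startup entry that launches it.
SUSPICIOUS_NAME = re.compile(r"^\d{8,9}\.exe$", re.IGNORECASE)

def is_suspicious_name(path: str) -> bool:
    """True if the basename is 8 or 9 digits followed by .exe."""
    return bool(SUSPICIOUS_NAME.match(PureWindowsPath(path).name))

def find_suspicious_files(paths):
    """Return every path whose basename matches the rogue AV naming pattern."""
    return [p for p in paths if is_suspicious_name(p)]

def extract_exe(command: str) -> str:
    """Pull the executable path out of a Run value, quoted or bare, with or without arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end if end > 0 else None]
    return command.split()[0] if command else ""

def find_autorun_refs(run_entries):
    """Run entries (value name, command) whose executable carries the suspicious name."""
    return [(name, cmd) for name, cmd in run_entries.items()
            if is_suspicious_name(extract_exe(cmd))]

def orphaned_autoruns(run_entries, existing_paths):
    """Run entries whose target no longer exists: harmless leftovers, as the post notes."""
    existing = {p.lower() for p in existing_paths}
    return [(name, cmd) for name, cmd in run_entries.items()
            if extract_exe(cmd).lower() not in existing]

# Constructed sample data: a file listing and Run values as they might look on an XP box.
SAMPLE_FILES = [
    r"C:\Documents and Settings\All Users\Application Data\127553388\127553388.exe",
    r"C:\Documents and Settings\Owner\Local Settings\Temp\127553388.exe",
    r"C:\WINDOWS\system32\ctfmon.exe",
    r"C:\WINDOWS\system32\notepad.exe",
]
SAMPLE_RUN = {
    "127553388": r'"C:\Documents and Settings\All Users\Application Data\127553388\127553388.exe"',
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
}
if __name__ == "__main__":
    bad = find_suspicious_files(SAMPLE_FILES)
    print("suspect files:", bad)
    print("startup entries launching them:", find_autorun_refs(SAMPLE_RUN))
    remaining = [p for p in SAMPLE_FILES if p not in bad]  # simulate deleting them
    print("orphaned startup entries after deletion:", orphaned_autoruns(SAMPLE_RUN, remaining))
```

The orphaned-entry check models the situation the post describes: once the files are gone, the leftover startup entries point at nothing and can be cleaned up at leisure.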

Now you can reconnect your internet. You have to change all of your passwords, everywhere. And if there is any credit card or banking info on your computer, contact your bank and have them monitor the account(s). If you have any sensitive data on your computer, assume the bad guys now have it all.

You can contact me from my website, www.john-pix.com, if you have a problem or question or comment.

If you have Vista or Windows 7, I really feel sorry for you.