Stubborn SecurityTool virus blocking explorer, taskmanager, msconfig etc.

Soldato
Joined
10 Feb 2010
Posts
3,248
Hey guys,

I’ve been trying to help a friend out with her pc, she’s got the SecurityTool virus and we’ve been trying to get rid of it for the past hour. Symptoms have only shown up over the past hour, although she doesn’t know when she got the virus. I’ve been looking around and found a couple of guides to getting rid of it, but none are working at the moment according to her.

The virus seems to have got into her system files. I originally got her to try the usual (check the application data, msconfig etc.), but the virus is giving her this message when she tries to open any program, so task manager, msconfig, explorer, various programs and system restore:

"<insert programme here> has been blocked by Virus.something.something. (varies, including "win32", "trojanhorse", but changes every time she tries to open a program, i.e. it doesn't stay the same) etc. This worm is trying to send your credit card details using <programme name>.exe to connect to its route host."

Not really sure how to handle this virus when she can't get into msconfig, explorer, task manager or system restore... Does anyone know what to do? We tried malwarebytes but predictably that gave the virus message. She said she's running Norton 360. I don't personally run Norton; she's offline now, but there's a chance the virus would block Norton as well. If not, would Norton be able to deal with it? Surprised such a big AV company wouldn't be able to pick something as well known as SecurityTool up, but it evidently hasn't. Is there anything she can do short of a clean install?

Thanks,
Ksanti
 
It's actually quite common for the big-name AV suites to be rubbish at detecting and preventing rogues/fake AVs, unfortunately. Have you tried running malwarebytes (and all the similar usual tools) in safe mode? You didn't say. Try booting into safe mode and go from there. That should hopefully prevent the rogue from loading while you get started on the clean-up. Remove all unnecessary startup items and disable system restore before you do anything. If that doesn't work then you'll have to look at other options.
 
Tried that, safe mode doesn't really change anything. Everything that was blocked is still blocked, including malwarebytes.
 
As far as I can see, running a bootable CD is about your only hope now, short of a full format. That or hook the hdd up to a clean machine as a slave and scan that way, but that's not without risk unless you know what you're doing.

Dr Web CureIt! live CD
Kaspersky Rescue Disk 10
Avira AntiVir Rescue System

My preference would go pretty much in that order, but they're all pretty decent. Dr Web or Kaspersky should certainly at least make the PC usable again so you can get on with sorting any lingering malware (MalwareBytes scan etc). I've never tried the Avira one though.

Good luck. :)
 
I would D/load r.kill and run it. It will stop any malicious process from loading. Then boot into safe mode & run Malwarebytes. Here is a link to the removal instructions; go to the section "Automated Removal Instructions": http://www.bleepingcomputer.com/virus-removal/remove-security-tool (there is a link on that page for D/loading r.kill).
More on r.kill here: http://www.bleepingcomputer.com/forums/topic308364.html

The malware has locked up his system and he can't download or run any .exe files without the rogue hijacking them, so he won't be able to use r.kill. A boot CD as above would be the best/easiest way to solve this imho.
 
this one is easy to kill, you have to boot safe mode (not for the reason you think)

fire up task manager AS SOON AS YOU CAN...

you will see the fake av process running, just kill it before it's working properly..

now you can delete the run reg keys, run combofix

if your pc is too fast you may be better off booting in normal mode..

safe mode is a bit easier as there are not so many processes and you can see the fake av easier..

I have done a few of these recently
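The step above (kill the rogue's process, then clear its Run entries) assumes you can recognise the entry; as an added example, not from anyone in this thread, here is a PowerShell listing of the Run/RunOnce autorun entries that flags those starting from user-writable folders such as Application Data, so you can check them before deleting anything. It assumes PowerShell is available on the machine and only reports; it removes nothing.

```powershell
# Added example (not from the thread): list autorun entries from the Run/RunOnce
# keys and flag those whose executable lives under the user profile, where a
# rogue dropped into Application Data would typically start from. Review only;
# nothing is deleted here. Confirm each flagged entry before removing it.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Folders a legitimate vendor rarely starts a program from at logon.
$suspectRoots = @(
    [Environment]::GetFolderPath('UserProfile'),
    [Environment]::GetFolderPath('ApplicationData'),
    [Environment]::GetFolderPath('LocalApplicationData'),
    $env:TEMP
) | Where-Object { $_ }

# Registry provider metadata properties that are not autorun entries.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

function Get-ImagePath([string]$command) {
    # Pull the executable out of a command line such as  "C:\...\foo.exe" /arg
    if ($command -match '^\s*"([^"]+)"') { return $Matches[1] }
    if ($command -match '^\s*(\S+\.exe)') { return $Matches[1] }
    return $command.Trim()
}

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    $names = ($props.PSObject.Properties | Where-Object { $metaProps -notcontains $_.Name }).Name
    foreach ($name in $names) {
        $command = [string]$props.$name
        $image   = [Environment]::ExpandEnvironmentVariables((Get-ImagePath $command))
        $flag    = ''
        if ($suspectRoots | Where-Object { $image.StartsWith($_, 'OrdinalIgnoreCase') }) {
            $flag = 'CHECK: starts from a user-writable folder'
        }
        if (-not (Test-Path -LiteralPath $image)) { $flag = 'CHECK: file missing' }
        [pscustomobject]@{ Key = $key; Name = $name; Image = $image; Flag = $flag }
    }
}

$results | Format-Table -AutoSize
```

Entries with an empty Flag still deserve a glance, since the list only highlights the obvious cases; the HKLM keys need an elevated session to read on newer Windows.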
 
Rkill comes with several different extensions, so if .exes are blocked try one of the other types.
I had this a couple of weeks ago on a laptop I was given. I'd already installed malwarebytes following a previous infection on this machine, but of course it wouldn't run mbam with this new malware blocking almost all .exes. The trick was to rename the mbam exe to explorer.exe, a process which wasn't immediately flagged as 'infected' by the rogue.
 