November 15, 2009

“Security tool” trojan

Filed under: tech — vik @ 1:22 pm

Recently, my personal laptop succumbed to an infection by a new trojan called “Security Tool”. Masquerading as a PC security tool, this trojan will create executable files with random names, and display a sleek dialog box that appears to scan your PC and then warns you to clean up infections by buying the full version of this tool.

The UI this trojan shows is pretty good and convincing:

Security Tool trojan screenshot from pc1news.com


When your system boots up, this UI begins to scan your computer. The trojan also seemed to disable AVG antivirus from running and updating, and removed your desktop icons (only hiding them – not deleting them, afaik). It will also prevent the Task Manager from showing up and cause issues with browsing using IE or even Firefox, making it very difficult to do anything in order to remove it.

More info on the trojan is here and here (though I haven’t used the spyware removal tool on this second link and have no idea about it).

How I removed it:

Since the trojan will hijack your pc upon reboot, you need to take action before it can. If you are able to boot Windows in safe mode (with networking), then do that and try updating your antiviruses etc. I had issues with doing a safe mode bootup.

So when my laptop boots up, as soon as the desktop begins to show up, press Ctrl-Alt-Del to bring up the Task Manager. In the Task Manager ‘Processes’ tab, look for processes that have names like ‘16501874.exe’, ‘wpv42345234534.exe’ or ‘restorer_32a.exe’ (not sure about the last one, but it didn’t seem like a normal file). Kill each of these processes immediately (select the process, press Alt-E and click OK). New processes with names like these may continue to spring up – keep killing them.

After doing this until your Windows has completely started, if you have killed all such processes, you should now be OK for a while and be able to use your browser/antivirus etc.

I had AVG 8.5 Free installed, which I updated using its UI. I also downloaded the free MalwareBytes’ Anti-Malware and the 30-day trial of Trojan Killer (great little app).

I performed a full scan using MalwareBytes first, then Trojan Killer. When I first installed and ran these two scanners, I had to reboot a couple of times, and each time I had to immediately bring up Task Mgr as described above and kill any trojan processes. After the scans were complete, subsequent reboots were clean and did not show the trojan again. The Security Tool trojan’s UI does not show up either, so I guess it is gone for good for now.

Currently I have all 3 (MalwareBytes, Trojan Killer and AVG) set to start along with Windows. Needless to say, all these programs are set to update their virus definitions automatically and frequently.
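The manual Task Manager triage above can be scripted as a first pass. The following is an added example, not part of the original post or of any of the tools mentioned: it parses the output of Windows’ `tasklist /fo csv /nh` and flags process image names matching the three patterns the post describes (all-digit names, ‘wpv’ followed by digits, and ‘restorer_’ names). The patterns are a heuristic built only from the names quoted in the post, and the sample `tasklist` output is constructed for offline use; the script only reports, it does not kill anything.

```python
import csv
import io
import re
import subprocess
import sys

# Heuristic name patterns taken from the post: 16501874.exe,
# wpv42345234534.exe and restorer_32a.exe. Random names mean any such
# list is incomplete, so treat a hit as "look at this", not proof.
SUSPICIOUS_PATTERNS = [
    re.compile(r"^\d{6,}\.exe$"),        # purely numeric image name
    re.compile(r"^wpv\d+\.exe$"),        # 'wpv' followed by digits
    re.compile(r"^restorer_\w+\.exe$"),  # restorer_32a.exe and similar
]


def is_suspicious_name(image_name):
    """True when a process image name matches one of the patterns above."""
    name = image_name.strip().lower()
    return any(p.match(name) for p in SUSPICIOUS_PATTERNS)


def parse_tasklist_csv(text):
    """Parse `tasklist /fo csv /nh` output into (image name, pid) pairs."""
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 2 and row[1].isdigit():
            rows.append((row[0], int(row[1])))
    return rows


def flag_processes(text):
    """Return the (image name, pid) pairs whose name looks like the trojan's."""
    return [(n, pid) for n, pid in parse_tasklist_csv(text) if is_suspicious_name(n)]


# Constructed sample in the exact column layout tasklist emits:
# "Image Name","PID","Session Name","Session#","Mem Usage"
SAMPLE_TASKLIST = '''"explorer.exe","1234","Console","0","20,000 K"
"16501874.exe","2048","Console","0","4,120 K"
"wpv42345234534.exe","2060","Console","0","3,900 K"
"firefox.exe","2100","Console","0","80,000 K"
"restorer_32a.exe","2110","Console","0","2,000 K"
'''

if __name__ == "__main__":
    if sys.platform == "win32":
        out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
    else:
        out = SAMPLE_TASKLIST  # offline demo on non-Windows hosts
    for name, pid in flag_processes(out):
        print("suspicious: %s (PID %d)" % (name, pid))
```

On the sample data the script reports the three trojan-style names and leaves explorer.exe and firefox.exe alone; on a real machine, check each hit’s file location before ending it.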

1 Comment

  1. Had the same problem with our family laptop.
    There is an easier method than trying to launch task manager before security tool takes over your screen.

    When you reboot your computer – press F8 when the computer first comes up, before Windows boots up. This should bring up the safe mode selection. Select Startup with Command Prompt (option 8 under Windows XP). Once Windows finishes startup, you’ll see “safe mode” in all 4 corners of your screen and a command prompt window open. Close the command prompt window and press Ctrl-Alt-Del to launch task manager.

    You will notice that there are no processes or trojan processes running in this mode.

    Use File|New Process to run Malwarebytes or Trojan Killer (I used Malwarebytes). Run your scans and remove any virus files just like you would under Windows running in full mode. Then reboot.

    Comment by tjs — December 27, 2009 @ 7:24 am
