How to remove virus malware Security Tool

Posted by Martijn on 08/09/2010 in Articles in English

So, your PC has a new piece of software that CLAIMS every other damned file is infected? And it encourages you to buy said program so all these viruses can be removed? Meanwhile, it prevents you from running any new software (supposedly because of a virus) and it’s killed your virus scanner?

Congrats, you’re being blackmailed! Security Tool is fake software. You need to get rid of it. Might as well use my experience, although I’m still working on the complete picture. By the way, my PC was never infected. I was called on to help someone else.
“You’re a nerd, aren’t you?” they said, as if that was a compliment. “Can you fix this?”
“Well, since you’re an idiot, I guess I’ll have to, won’t I?” said I. And since there wasn’t much information online, I wrote this article. It’s a work in progress.

Anyway, this is what the bastard looks like:

Looks familiar? What it does is this: it pretends your PC is riddled with viruses. It claims to be able to remove them. It sabotages any attempt you make at installing other software. It will not go away.

See also this link, for a list of aliases the software uses:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=Rogue%3aWin32%2fFakeSpypro&threatid=136370

Here’s my five step plan to get rid of Security Tool:

Step 1: Acknowledge you are an idiot who should learn not to click things like you’re Ham, the space-chimp or something.

Step 2: Get a Mac. No seriously, get one. But you can’t sell your PC with this virus on it, can you?

Step 3: Download this file, rundll32.exe (Right mouse button, save as) and save it in C:\ – so not on your desktop or anything, just C. Why? It will save typing later on. Trust me.

If you don’t trust me, see this page and download the file Security_Tools_Fix.rar (which contains a file called rundll32.exe) there:
http://www.net-studio.org/eng/patch/patch/100-patch-pour-supprimer-le-virus-security-tool.html

Problem 1: The download link is hard to find on that page (scroll all the way down, don’t click an ad). The button looks like this:

Problem 2: The file is a .rar file. Betcha don’t know what that is, right? Well, it’s like zip only different. Your PC can’t open it without special software. Now, that software (WinRAR) is free. Which is nice. But… Good luck installing WinRAR, as ‘Security Tool’ will simply cancel the installation of ANY software you try to run. So it’s best to download the file from my webpage, as that’s already unpacked. But hey, it’s your call. Really, why trust me? You’re such a web savvy, discerning computer literate person, aren’t you? After all, that’s why you’re here!

Step 4: Okay, you’ve downloaded the fix to C:\ (and somehow managed to extract it, maybe you had WinRAR on your PC or something, who knows. Or you trusted me, which is smart.) Now, reboot to SAFE MODE with COMMAND PROMPT. To do this, reboot your PC, press F8 at some point.

Step 5: You’re confronted with a black screen that says C:\Windows\system32> and you feel like crying, don’t you? Yeah, I thought I could smell your pussy… Now man up and type cd \ and press enter.

Now it says: C:\>

And you type Rundll32.exe (enter)

Aaaaand…. Security Tool is gone. Well, that was fast!

Whoa…. Where the fuck are you going, Einstein? We ain’t done. You have to run a full virus scan and hope to God your virus scanner takes care of the REST of the virus.

Oh yes… there’s MORE…

This is why I support the death-penalty, folks. Because we need to shoot the guys who wrote this in the head. (After we cut off their balls and stuff them in their mouths, that is. They won’t get off THAT easy when I’m in charge.)

You’ll know your PC still has a problem when you get a message in mangled English soon after starting Internet Explorer, claiming there’s still a virus on your PC. The text reads:

Warning!
On your computer detected the malicious code.
Should immediately make sure that your system is safe! Killing Hazzard
(R) for Microsoft Windows Seven immediately started to work

You’ll notice a tiny browser opened up somewhere. That browser is creating this message, as a javascript pop-up. That makes it look genuine. Fortunately, the bad English gives it away.

As soon as you click either button the browser opens up and goes to:
http://77.78.249.3/index.php?q=VPIPFDH2XS77HZAV19SVS6614 etc.
or possibly another infected site.

There, we see a nice animation trying to make you think your computer is infected. Next up: a box with the text:

Windows Security Alert
To help protect your computer, Windows Defender has detected spyware and is ready to remove them.

You’re also offered a download to fix the infection, probably called inst.exe

My bet is, as soon as you download and RUN that file, you’ve got Security Tool back.

Also, you’re screwed because nothing short of killing your browser via Task Manager will make it stop.

This is PROBABLY the way to get rid of the rest:

Try this free software: http://www.malwarebytes.org/
I think their software does the trick, but haven’t tested it myself. First reports have been positive. Let me know!

But why didn’t we start here to begin with?

Because, you idiot, you can’t install ANY SOFTWARE on your PC as long as Security Tool is active. It sabotages that!

What I haven’t figured out yet:

1. Why McAfee, which allowed this virus to be installed and disable all virus scanners, seems to have an issue with the fix I’m promoting here, Security_Tools_Fix.rar.

2. Why your hosts-file is locked, who did it and why

3. How you can be sure you’ve gotten rid of it

4. Why the good people of Microsoft haven’t been hung, drawn and quartered for spending enormous amounts of time on ANIMATED TRANSPARENT WINDOWS while ignoring huge security holes like this one.
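
For open questions 2 and 3, one check worth running once the machine boots normally again is to read the hosts file itself, since hosts entries can block or redirect the sites you need for cleanup. This is an added example, not part of the original article; the watch list, the sample file contents and the function names are assumptions made for illustration.

```python
import ipaddress
import os
import stat

# Assumption for this example: vendor domains that should never appear in hosts.
WATCHED = ("malwarebytes.org", "mcafee.com", "microsoft.com")

# Constructed sample, not taken from an infected machine.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.malwarebytes.org
0.0.0.0         www.mcafee.com download.mcafee.com
203.0.113.7     www.google.com   # TEST-NET address used as a stand-in
"""


def is_read_only(path):
    """True when the write bit is cleared (the read-only attribute on Windows)."""
    return not os.stat(path).st_mode & stat.S_IWRITE


def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for every entry worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()
        if not fields:
            continue  # blank line or comment
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "invalid address"))
            continue
        sink = ip.is_loopback or ip.is_unspecified
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host == "localhost" and ip.is_loopback:
                continue  # the one mapping a stock Windows hosts file may carry
            watched = any(host == d or host.endswith("." + d) for d in WATCHED)
            if watched:
                reason = "security site blocked" if sink else "security site redirected"
            else:
                reason = "sinkholed" if sink else "redirected"
            findings.append((line_no, fields[0], host, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

On Windows the file to feed in is %SystemRoot%\System32\drivers\etc\hosts; an empty result together with is_read_only() returning False is what a clean default install looks like.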

Any comments? Post below. Crackpots are screened out.

Copyright © 2005-2017 Brein van Martijn! All rights reserved.