Renaming MBAM didn't work for me. Renaming didn't fool SecurityTools.
Here is how I removed "Security Tools". It didn't cost me anything. It took me a couple of hours to figure it out and 15 minutes to fix it.
My son's laptop got the nasty rogue called Security Tools. It was very slow as it was constantly being bombarded with pop-ups telling us that his laptop was infected and that we needed to purchase their product. He kept getting Security tool warnings. Security tool made the desktop icons disappear. It actually just hid his desktop icons.
This nasty rogue would not allow his computer to open in safe mode, nor would it allow him to download Spybot, Adware Se or Malwarebytes.
So from my clean computer I downloaded Spybot, Adware Se or Malwarebytes, all of them (saved them) to a thumbdrive and tried to sneak it on his infected computer via a thumbdrive... no luck.
I downloaded them again, this time renaming them before I downloaded (a trick that sometimes works)... still... no luck. If you rename your anti-spyware or anti-malware, the rogue spyware might not recognize the new name and let you run it. Unfortunately this spyware (System Tools) was too smart for that.
Here is what finally worked:
From my clean computer I downloaded "HijackThis" to a thumb drive but before saving HijackThis.exe, I renamed it as explorer.exe.
I stuck the thumb drive into the infected computer, and sent (HijackThis.exe) disguised as explorer.exe to the infected computer's desktop.
Even though the computer infected with SecurityTools wouldn’t allow us to download SpyBot or AdwareSe or Malwarebytes, it allowed us to download HijackThis.exe.
Since this bad spyware Security Tool hid our desktop icons, I had to right click on the Windows task bar, and then click Show Desktop so that the desktop icons would appear. (hint) right click on the Windows task bar and in the pop-up you will see "show desktop icons"
Now that I could see the desktop icons I saw the icon for the spyware SecurityTools. Of course deleting the icon would do nothing but delete the shortcut. But when I right clicked on it, I found clues in the properties. The nasty booger was... C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe. So now I knew where the spyware was and the important number 94345126 (note this number varies... your number will probably be an 8 digit number, just right click on the SecurityTools icon and write down your number).
As the desktop icons were now visible I clicked on the desktop icon for HijackThis.exe that I had falsely named explorer.exe and ran it. I did a system scan only. I looked at the log and found O4 – HKLM\..\Run:  C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe.
I put a checkmark in this and pressed the "fix checked" button.
After HijackThis.exe did its magic on O4 – HKLM\..\Run:  C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe, I could now run the Malwarebytes that I had previously downloaded to a thumbdrive.
Malwarebytes found (4) problems which I fixed with Malwarebytes. I then cleaned out my son's recycle bin.
His laptop is now free from this menace SecurityTools.
I don't think Security tool is a virus, just a really bad spyware. So far (since I have removed it) it doesn't appear to have caused any damage.
I had never heard of "HijackThis" until today. (see Go.TrendMicro.com) I had used Malwarebytes a few years ago. I recommend downloading this from CNET, because you never know what you are getting anywhere else.
Edited by LollieOllie, 13 October 2009 - 07:28 PM.
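
An added example, not part of LollieOllie's post: a small Python check that scans a saved HijackThis log for the kind of O4 Run entry described above, where the autorun command points at an Application Data folder and executable that share the same all-digit name. The sample log lines are constructed (only the 94345126 path comes from the post), and the "6 or more digits" rule is an assumption, since the post only says the number is probably 8 digits.

```python
import re

# HijackThis O4 autorun line: "O4 - <hive>\..\Run: [value name] command".
# The value name is optional because the post quotes the line without one,
# and both "-" and the typographic dash are accepted after "O4".
O4_LINE = re.compile(
    r"^O4\s*[-\u2013]\s*(?P<key>HK\w+\\[^:]*Run[^:]*):\s*"
    r"(?:\[(?P<name>[^\]]*)\]\s*)?(?P<cmd>.+)$"
)
# Assumption: the rogue sits in Application Data\<digits>\<same digits>.exe,
# as in the post; the digit count is left loose (6 or more).
SUSPECT = re.compile(
    r"\\Application Data\\(?P<id>\d{6,})\\(?P=id)\.exe", re.IGNORECASE
)

# Constructed sample log; only the 94345126 path is taken from the post.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [94345126] C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe
O4 – HKLM\..\Run:  C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Mixed] C:\Documents and Settings\All Users\Application Data\12345678\87654321.exe
"""

def flag_rogue_autoruns(log_text):
    """Return O4 Run entries whose command matches the digit-folder pattern."""
    hits = []
    for line in log_text.splitlines():
        entry = O4_LINE.match(line.strip())
        if not entry:
            continue  # not an O4 registry Run entry
        suspect = SUSPECT.search(entry.group("cmd"))
        if suspect:  # folder name and exe name are the same digit string
            hits.append({
                "key": entry.group("key"),
                "name": entry.group("name"),  # None when the line has no [name]
                "id": suspect.group("id"),
                "command": entry.group("cmd").strip(),
            })
    return hits

if __name__ == "__main__":
    for hit in flag_rogue_autoruns(SAMPLE_LOG):
        print(hit["key"], hit["id"], hit["command"])
```

A hit is only a lead to check by hand in HijackThis before using "fix checked"; legitimate software can also use numeric folder names.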