Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


Security Tool Virus - fake antivirus program

  • Please log in to reply
2 replies to this topic

#1 blz13


  • Members
  • 2 posts
  • Local time:09:14 AM

Posted 12 October 2009 - 07:07 PM

The first noticeable change to my system from this problem was my desktop is hidden, in its place a blank screen.

Another change, continuous pop-ups warning of scans performed claiming 'Infections found!!!', 'Firewall Alert!!!', 'We have intercepted harmful programs!'.....and advising Security Tools software purchase to remedy.

If I try to start-up in safe-mode my system crashes.

If I try to run any program except Internet Explorer I get the message 'taskmgr.exe is infected with worm.Lsas.blaster.keyloger. This worm is trying to send your credit card details using taskmgr.exe to connect to remote host'.

My operating system is Windows XP.

Any help you can provide is very much appreciated - Dave

Attached Files

BC AdBot (Login to Remove)


#2 boopme


    To Insanity and Beyond

  • Global Moderator
  • 73,490 posts
  • Gender:Male
  • Location:NJ USA
  • Local time:10:14 AM

Posted 12 October 2009 - 08:07 PM

Hello. I have moved your topic from the HJT forum to Am I Infected. You need to have post an HJT log to remain there.

As you have an info stealer.we have 3 options here. :trumpet: Start a new topic there and include an HJT log. Instructions for that are here.
Preparation Guide For Use Before Using HijackThis
I you do that let me know here.


:flowers: We try to fix it here after you read this advice...

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.

:thumbsup: Full Format and reinstall. I can give you instuctions for this also.

Now if you decide to clean it here... Do this next.
Next run MBAM (MalwareBytes):

NOTE: Before saving MBAM please rename it to zztoy.exe....now save it to your desktop.

Please download Malwarebytes Anti-Malware and save it to your desktop.

alternate download link

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 LollieOllie


  • Members
  • 15 posts
  • Local time:09:14 AM

Posted 13 October 2009 - 07:25 PM

Renaming MBAM didnt work for me. Renaming didnt fool SecurityTools

Here is how I removed "Security Tools". It ddtnt cost me anything. took me a couple of hours to figure it out and 15 minutes to fix it.

My sons laptop got the nasty rogue called Security Tools. It was very slow as it was constantly being bombarded with pop-ups telling us that his laptop was infected and that we needed to purchase their product. He kept getting Security tool warnings. Security tool made the desktop icons disapear. It actually just hid his desktop icons.

This nasty rogue would not allow his computer to open in safe mode, nor would it allow him to download Spybot, Adware Se or Malwarebytes.

So from my clean computer I downloaded Spybot, Adware Se or Malwarebytes, all of them (saved them) to a thumbdrive and tried to sneak it on his infected computer via a thumbdrive,…no luck.

I download them again, this time renaming them before I download (a trick that sometimes work) ….still ….no luck. If you rename your anti-spyware or ante-malware the rogue spyware might not recognize the new name and let you run it. Unfortunately this spyware (System Tools) was to smart for that.

Here is what finally worked
From my clean computer I downloaded "HijackThis" to a thumb drive but before saving HijackThis.exe, I renamed it as explorer.exe.

I stuck the thumb drive into the infected computer, and sent (HijackThis.exe) disguised as explorer.exe to the infected computers desktop.

Even though the computer infected with SecurityTools wouldn’t allow us to download SpyBot or AdwareSe or Malwarebytes, it allowed us to download HijackThis.exe.

Since this bad spyware Security Tool hid our desktop icons, I had to right click on the Windows task bar, and then click Show Desktop so that the desktop icons would appear. (hint) right click on the Windows task bar and in the pop-up you will see "show desktop icons"

Now that I could see the desktop icons I saw the icon for the spyware SecurityTools. Of course deleting the icon would do nothing but delete the shortcut. But when I right clicked on it and I found clues in the properties: The nasty booger was….. C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe So now I knew where the spyware was and the important number 94345126 (note this number varies….your number will probably be an 8 digit number, just right click on the securitytools icon and write down your number.

As the desktop icons were now visible I clicked on the desk top icon for HijackThis.exe that I had falsely named explorer.exe and ran it. I did a system scan only. I looked at the log and found O4 – HKLM\..\Run: [94345126] C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe.
I put a checkmark in this and pressed the “fix checked” button”

After HijackThis.exe did its magic on O4 – HKLM\..\Run: [94345126] C:\Documents and Settings\All Users\Application Data\94345126\94345126.exe. I could now run the Malwarebytes that I had previously downlowaded to a thumbdrive.

Malwarebytes found (4) problems which I fixed with malwarebytes. I then cleaned out my sons recycle bin.

His laptop is now free from this menace SecurityTools.

I dont think Security tool is a virus, just a really bad spyware. So far (since I have removed it) it doesnt appear to have caused any damage.

I had never heard of "HijackThis" until today. (see Go.TrendMicro.com) I had used Malwarebytes a few years ago. I recommend downloading this from CNET, because you never know what you are getting anywhere else.

Edited by LollieOllie, 13 October 2009 - 07:28 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users