Dear Lazywebs...
Oct. 20th, 2009 12:05 pm
As of this morning, my computer is made entirely of SUCK. I've somehow come down with chronic 'Security Tool' syndrome. Has anyone dealt with this malware? Can anyone offer advice?
Here's what it's doing:
- Showing up with not-one-but-two icons in my system tray, resembling Symantec or Windows security shields, all red and alarmist and with x's to say how unsafe my system is. These icons throw up false warnings pretty much constantly (e.g., 'AdAware is attempting to give your credit card information to...'). When I click on either of the icons, I get evil 'Please buy this software' screens and multiple 'Are you SURE you want to continue unprotected?' screens.
- Fucking with my browsers (both IE and Firefox) such that clicked links (e.g., from Google search on 'remove security tool') are forcibly rerouted to random commercial pages.
- Effectively disabling anti-popup software.
- Hiding all icons on my desktop.
- Who knows what the fuck else.
- Tried Control Panel > Add/Remove Programs. Obviously, not there. Ok, it's really really malware.
- Ran Lavasoft's AdAware (upgraded first to latest version). Didn't help. Didn't find a single thing wrong.
- Searched madly for a valid removal/cleanup mechanism. Most of the links were for a piece of cleanup software that seemed just as pernicious as Security Tool itself and may be part of one big fraud. Searched Snopes, which has NOTHING on this asshole software.
- It can't be new, because I did find one removal article... followed instructions (including Process Explorer and killing the rogue process)... article then referred me to Malwarebytes' Anti-Malware, which I downloaded and ran; it found several files and labeled them 'rogue.SecurityTool...' and SAID it deleted them; but the fucker has come back after reboot—twice so far.
- Searched Symantec's fora for other info/options... found a lot of people complaining of the same problems and a few saying 'I did this and so far so good...' but they haven't described anything I haven't tried.
Here's the Malwarebytes' Anti-Malware report:
Malwarebytes' Anti-Malware 1.41
Database version: 2997
Windows 5.1.2600 Service Pack 3
10/20/2009 8:22:28 AM
mbam-log-2009-10-20 (08-22-28).txt
Scan type: Quick Scan
Objects scanned: 122229
Time elapsed: 2 minute(s), 21 second(s)
Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 4
Memory Processes Infected:
C:\explorer.exe (Worm.AutoRun) -> Failed to unload process.
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe cpcp.cpo bef0regiiav) Good: (Explorer.exe) -> Quarantined and deleted successfully.
Folders Infected:
(No malicious items detected)
Files Infected:
C:\RECYCLER\S-1-5-21-3059475876-2038652877-875210689-9888\Dc60\52740927.exe (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\gordong194\Desktop\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\Documents and Settings\gordong194\Start Menu\Programs\Security Tool.LNK (Rogue.SecurityTool) -> Quarantined and deleted successfully.
C:\explorer.exe (Worm.AutoRun) -> Delete on reboot.
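The log above carries two persistence indicators worth checking on any Windows box after a cleanup like this: the Winlogon Shell value, which the rogue changed from the default "Explorer.exe" to "Explorer.exe rundll32.exe cpcp.cpo bef0regiiav" so that its component is started at every logon alongside the real shell, and an explorer.exe sitting at the root of the system drive instead of in %SystemRoot%, which is why the process "Failed to unload" and the file could only be scheduled for "Delete on reboot". The PowerShell check below is an added example, not part of the original post and not Malwarebytes' output. It assumes only the documented Windows defaults (a clean Shell value is exactly explorer.exe, and the legitimate binary lives in %SystemRoot%); the HKCU Winlogon key is also inspected as a generalisation beyond what the log shows, since a per-user Shell override would have the same effect.

```powershell
# Added example (not from the original post): audit the two indicators in the
# Malwarebytes log, the Winlogon Shell value and a stray explorer.exe at the
# root of the system drive. Written against PowerShell 2.0-era cmdlets and .NET
# calls so it also runs on the Windows XP SP3 system the log was taken from.

function Test-WinlogonShell {
    param([string]$ExpectedShell = 'explorer.exe')   # documented default

    $findings = @()
    # HKLM is where the log shows the hijack; HKCU can hold a per-user override
    # with the same effect (the HKCU check is an assumption, not in the log).
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',
        'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
    )
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -Name Shell -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }          # value absent: the default shell applies
        $shell = [string]$item.Shell
        # A clean value is the single token "explorer.exe". Extra tokens, as in
        # "Explorer.exe rundll32.exe cpcp.cpo bef0regiiav", tell Winlogon to
        # launch additional programs at every logon, which is how the rogue
        # survived Process Explorer kills and file deletion.
        if ($shell.Trim() -ine $ExpectedShell) {
            $findings += New-Object PSObject -Property @{
                Indicator = 'Winlogon Shell value modified'
                Location  = $key
                Value     = $shell
            }
        }
    }
    return $findings
}

function Get-Sha256Hex([string]$Path) {
    # .NET hashing rather than Get-FileHash, which needs PowerShell 4 or later.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try   { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Test-RootExplorer {
    $root  = [System.IO.Path]::GetPathRoot($env:SystemRoot)   # e.g. C:\
    $rogue = Join-Path $root 'explorer.exe'                   # the log's C:\explorer.exe
    $real  = Join-Path $env:SystemRoot 'explorer.exe'         # the legitimate shell
    if (-not (Test-Path -LiteralPath $rogue)) { return @() }

    # Anything named explorer.exe outside %SystemRoot% is suspect. Comparing
    # hashes separates a stray copy of the real binary from a dropped payload.
    $rogueHash = Get-Sha256Hex $rogue
    $realHash  = Get-Sha256Hex $real
    if ($rogueHash -eq $realHash) { $detail = 'identical to the real explorer.exe' }
    else                          { $detail = "SHA256 $rogueHash (differs from $real)" }

    return ,(New-Object PSObject -Property @{
        Indicator = 'explorer.exe outside SystemRoot'
        Location  = $rogue
        Value     = $detail
    })
}

$results = @(Test-WinlogonShell) + @(Test-RootExplorer)
if ($results.Count -eq 0) {
    'No Winlogon Shell hijack or root-level explorer.exe found.'
} else {
    $results | Format-Table Indicator, Location, Value -AutoSize
}
```

Run it from an elevated prompt after the reboot that the "Delete on reboot" entry depends on. If the Shell value is clean but C:\explorer.exe is still present, or the other way round, one half of the persistence survived and the rogue will be back at the next logon; both have to be gone before a scan result of "deleted successfully" means anything. Because the rogue binary is the very process that the hijacked Shell value starts, it cannot be reliably killed or deleted from inside the infected session, which is why cleanup from Safe Mode or from offline media is the more dependable route for this kind of infection.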