Removing "Security Tools" virus/trojan/malware


Don't believe anything this trojan says. It's a dirty, filthy little piece of scamware and every threat it's reporting is a lie. Security Tools should just report itself and get it over and done with.

It will block most applications from running, so you'll need to somehow get Task Manager up and running before it starts.

Some people use safe mode, others have reported that "CTRL + ALT + DEL" works and can open up the Task Manager without it complaining. If not, try "CTRL + SHIFT + ESC", which does the same thing.

If that doesn't work, you'll have to create a shortcut to "taskmgr.exe" and move it into your "Start Menu > Startup" folder by dragging it with the mouse. Reboot your computer to get access to Task Manager.

Once you have Task Manager up and running, look under "Processes" and end any process whose image name is nothing but digits (for example, a random string of numbers followed by ".exe").

After killing off the pesky little bugger, we're now able to run new programs without any problems.

Run "services.msc" from "Start > Run". Find the following services and then stop and disable each one:

  • Browser Defender Update Service
  • PC Tools Auxiliary Service
  • PC Tools Security Service

Download MalwareBytes Anti-Malware to scan, unlock the files in use and remove the Security Tool Virus. While it scans, we can do some manual removal.

Now go to "Start > Run" again to load up "msconfig". Go to "Startup" tab and disable anything that is within the "Spyware Doctor" folder (or anything that looks suspicious). For me it was "ISTray".

Now open up the following folders and move as much junk out of there as you can. Skip the files that are locked.

  • C:\Program Files\Spyware Doctor
  • C:\Program Files\Common Files\PC Tools
  • C:\ProgramData\PC Tools

Open up "Start > Run" and fire up "regedit". Go to and delete the following registry keys:

  • HKEY_CURRENT_USER\Software\Security Tool
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Defender_is1
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Doctor

Now the easier part. Search through the registry for anything containing "Spyware Doctor". I've made a list of the items I've found but they may vary from computer to computer.

Best bet is to just do the scan manually.

  • HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}
  • HKEY_CLASSES_ROOT\CLSID\{70F8E90E-353A-47AB-B297-C576345EE693}
  • (there was another one here that I forgot to copy before deleting)
  • HKEY_CLASSES_ROOT\CLSID\{F94D9C45-A227-4173-8AC3-6D276B288D9A}
  • HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}
  • HKEY_LOCAL_MACHINE\SOFTWARE\PCTools
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Browser Defender Update Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sdAuxService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sdCoreService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\Browser Defender Update Service
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sdAuxService
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\sdCoreService
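The whole sequence above (numeric-named process, the three services, the folders, the known registry keys, and the registry search for "Spyware Doctor") can be scripted so you can audit a box before touching it. The script below is an added example written for this page, not something from the original post or from PC Tools; the script name `Audit-SecurityTool.ps1`, the `-Remove` switch and the choice of which hives to sweep are my own assumptions. It reports by default and only stops, disables and deletes things when run with `-Remove` from an elevated prompt. Where the post lists `ControlSet001` and `ControlSet003`, the script checks `CurrentControlSet`, which always points at the control set the machine actually booted with.

```powershell
<#
  Audit-SecurityTool.ps1 (added example, not from the original post)
  Audits the "Security Tool" / Spyware Doctor indicators listed in the post and,
  only with -Remove, cleans them. Run from an elevated PowerShell prompt.
  Locked files are still MalwareBytes' job; this only automates the manual steps.
  Usage:  .\Audit-SecurityTool.ps1           # report only
          .\Audit-SecurityTool.ps1 -Remove   # stop / disable / delete
#>
[CmdletBinding()]
param([switch]$Remove)

# --- Indicators copied from the post -------------------------------------------
$ServiceNames = 'Browser Defender Update Service', 'PC Tools Auxiliary Service',
                'PC Tools Security Service', 'sdAuxService', 'sdCoreService'
$Folders = 'C:\Program Files\Spyware Doctor',
           'C:\Program Files\Common Files\PC Tools',
           'C:\ProgramData\PC Tools'
# HKCR has no drive by default in PowerShell, hence the Registry:: provider prefix.
$RegKeys = 'HKCU:\Software\Security Tool',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Browser Defender_is1',
           'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spyware Doctor',
           'HKLM:\SOFTWARE\PCTools',
           'Registry::HKEY_CLASSES_ROOT\CLSID\{472734EA-242A-422B-ADF8-83D1E48CC825}',
           'Registry::HKEY_CLASSES_ROOT\CLSID\{70F8E90E-353A-47AB-B297-C576345EE693}',
           'Registry::HKEY_CLASSES_ROOT\CLSID\{F94D9C45-A227-4173-8AC3-6D276B288D9A}',
           'Registry::HKEY_CLASSES_ROOT\TypeLib\{175B7885-28AB-4D18-8773-7A13A99980A4}'
# The post lists ControlSet001/003; the live numbered set differs per machine, so the
# service keys are checked under CurrentControlSet, which links to the active one.
$RegKeys += $ServiceNames | ForEach-Object { "HKLM:\SYSTEM\CurrentControlSet\Services\$_" }

# --- 1. Processes whose image name is all digits (the post's tell-tale sign) ---
$badProcs = Get-Process | Where-Object { $_.ProcessName -match '^\d+$' }
foreach ($p in $badProcs) {
    Write-Host "Process : $($p.ProcessName) (PID $($p.Id)) $($p.Path)"
    if ($Remove) { Stop-Process -Id $p.Id -Force -ErrorAction Continue }
}

# --- 2. Services: match on service name or display name, then stop and disable ---
$badSvcs = Get-Service | Where-Object {
    $ServiceNames -contains $_.Name -or $ServiceNames -contains $_.DisplayName }
foreach ($s in $badSvcs) {
    Write-Host "Service : $($s.Name) [$($s.DisplayName)] status=$($s.Status)"
    if ($Remove) {
        Stop-Service -Name $s.Name -Force -ErrorAction Continue
        Set-Service  -Name $s.Name -StartupType Disabled
    }
}

# --- 3. Folders: delete what isn't locked; a locked file is reported, not fatal ---
foreach ($f in $Folders) {
    if (Test-Path -LiteralPath $f) {
        Write-Host "Folder  : $f"
        if ($Remove) { Remove-Item -LiteralPath $f -Recurse -Force -ErrorAction Continue }
    }
}

# --- 4. Known registry keys ---
foreach ($k in $RegKeys) {
    if (Test-Path -LiteralPath $k) {
        Write-Host "RegKey  : $k"
        if ($Remove) { Remove-Item -LiteralPath $k -Recurse -Force -ErrorAction Continue }
    }
}

# --- 5. Registry sweep for "Spyware Doctor" in key names and value data ---
# Same as the post's manual Find in regedit, but report-only: a hit in value data
# can sit inside a legitimate key (e.g. a Run entry), so deletion stays a human call.
function Find-RegistryMatches {
    param([string[]]$Roots, [string]$Needle)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            if ($_.PSChildName -like "*$Needle*") { $_.Name; return }
            foreach ($vn in $_.GetValueNames()) {
                if ("$($_.GetValue($vn))" -like "*$Needle*") { "$($_.Name) :: $vn"; break }
            }
        }
    }
}
# Assumed sweep roots; the whole registry is possible but takes much longer.
$roots = 'HKLM:\SOFTWARE', 'HKCU:\Software', 'HKLM:\SYSTEM\CurrentControlSet\Services',
         'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\TypeLib'
Find-RegistryMatches -Roots $roots -Needle 'Spyware Doctor' |
    ForEach-Object { Write-Host "Sweep   : $_" }
```

Run it once without `-Remove` and read the output: the process and service lines tell you whether the thing is still live, and the "Sweep" lines are the equivalent of the manual regedit search, including any "Spyware Doctor" startup entry under the Run keys that msconfig would have shown. Only the known-bad items are deleted with `-Remove`; sweep hits are left for you to judge, since the search string can match value data inside keys you want to keep.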

Now hopefully you've learnt your lesson and started to use a proper antivirus.

Every infected machine I look at is running one of the following 3 security suites: McAfee, Norton or Sophos. Goes to show (again) that they're fucking shit and not worth paying for.

 
Copyright © Twig's Tech Tips
Theme by BloggerThemes & TopWPThemes Sponsored by iBlogtoBlog