Remove Security Tool Using Linux
For many years it’s been common internet knowledge that you don’t open email messages from people you don’t know. It’s also understood that you don’t click on popup ads. Unfortunately, malware coders are now making their ads look like legitimate virus warnings, so unsuspecting users think they are really infected with some virus and click on the ad believing the proposed application will clean their system. What the application actually does is install itself and then constantly send warnings about virus infections and requests that you activate the program. Of course, activation requires payment, so your system is effectively rendered useless by the frequent interruptions.
One of these types of malware programs is Security Tool. This is particularly nasty because it installs itself in a hidden folder and then registers itself as a service so it preempts most of the tools you would normally use to troubleshoot the problem. Try to bring up Task Manager, you get Security Tool. Try to get to the control panel, you get Security Tool. Pretty much everything you try brings up Security Tool.
I recently had a friend bring a laptop to me that had been infected with this malware. I tried booting into safe mode, but there was no way to access the hidden folder from the directory explorer. I remembered I had a Live Linux CD, so I decided to use that to fix the problem. Here’s what I did (Note: this system was running Vista, yours may be a little different):
- Before rebooting Vista, right click on the desktop shortcut to Security Tool and select properties.
- Make note of the hidden folder where it is installed and the application name. In my case, the application was at C:\Application Data\13324922\13324922.exe (your version may be different, but it will probably have a number instead of a name so you can’t easily find it – evil).
- Reboot using a Linux Live disk.
- Once Linux boots, mount the hard disk (usually just a double-click is required) and locate the folder where Security Tool is installed.
- Rename the folder to something it won’t expect (I just renamed the folder to “other”).
- Remove the Linux disk and reboot into Vista.
- At this point, Security Tool should no longer interrupt since it can’t find the location of the executable. Open regedit and search for the name of the application (in my case, I searched for “13324922”).
- Delete every entry in the registry that makes reference to the malware application.
- Delete the folder you renamed in step 5.
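As an added example (not code from the original post), here is a POSIX shell script that can be run from the Live CD to automate steps 4 and 5: it scans the mounted Windows volume for folders matching the pattern described above (an all-digit folder name containing an .exe of the same name) and renames them so the executable can no longer start. The mount path passed as `$1`, the extra Vista locations it checks, and the constructed sample volume it can build for a dry run are assumptions; the registry cleanup in steps 7 and 8 still has to be done from Vista afterwards.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes the Windows volume is mounted
# read-write at the path passed as $1 and that the malware follows the pattern the post
# describes: a folder named only with digits holding an .exe of the same name.

# Print each candidate folder (all-digit name containing <digits>.exe), one per line.
# Only the location the post names plus Vista's ProgramData and per-user AppData are checked.
find_suspect_dirs() {
    mnt="$1"
    for base in "$mnt/Application Data" "$mnt/ProgramData" \
                "$mnt"/Users/*/AppData/Local "$mnt"/Users/*/AppData/Roaming; do
        [ -d "$base" ] || continue
        for d in "$base"/*; do
            [ -d "$d" ] || continue
            name=${d##*/}
            case "$name" in
                ''|*[!0-9]*) continue ;;   # skip anything that is not purely digits
            esac
            # NTFS is case-insensitive, so accept both common spellings of the extension.
            if [ -f "$d/$name.exe" ] || [ -f "$d/$name.EXE" ]; then
                printf '%s\n' "$d"
            fi
        done
    done
}

# Rename each candidate to <name>.quarantined (the post's step 5) and report it.
# Nothing is deleted; the registry entries are still cleaned up from Vista afterwards.
quarantine_suspect_dirs() {
    find_suspect_dirs "$1" | while IFS= read -r d; do
        mv "$d" "$d.quarantined" && printf 'quarantined: %s\n' "$d"
    done
}

# Build a constructed sample volume under a temp directory and print its path.
# The 13324922 folder mirrors the post's example; the other two entries must be left alone.
build_constructed_volume() {
    vol=$(mktemp -d)
    mkdir -p "$vol/Application Data/13324922" "$vol/Application Data/Microsoft" \
             "$vol/Users/bob/AppData/Local/55512345"
    : > "$vol/Application Data/13324922/13324922.exe"
    : > "$vol/Application Data/Microsoft/setup.exe"         # non-numeric folder: legitimate
    : > "$vol/Users/bob/AppData/Local/55512345/readme.txt"  # numeric folder, no matching exe
    printf '%s\n' "$vol"
}

# Usage: sh quarantine.sh /media/disk   (path where the Live CD mounted the Windows volume)
if [ -n "${1:-}" ]; then
    quarantine_suspect_dirs "$1"
fi
```

To rehearse on the constructed volume first, run `vol=$(build_constructed_volume); quarantine_suspect_dirs "$vol"` in a shell that has sourced the script.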
That should do it. Once you have removed the folder the executable can’t start and once you remove the registry entries, Vista can’t complain that it can’t find the application. Now just make sure you purchase a true anti-virus application and install it so you don’t go through this again.
Happy debugging.