"Security Tool" virus.


Postby Dan Sys » Sun Jul 25, 2010 10:47 pm

While busy filing away stickers and other radio stuff tonight using some traditional radio related sites for reference, my computer suddenly started going berserk. Pop-ups galore and no capabilities to open anything up. After doing some research on Linda's computer I found out that I have been infected with the "Security Tool" virus (when my McAfee anti-virus protection was supposedly enabled).

This is a real nasty virus as it has totally taken my computer over. Can't do a damn thing, except for limited functions in Safe Mode. I've been running back & forth all night between the 2 computers trying to come up with a solution. It won't let me download possible fixes (such as Spyware Doctor) and the instructions to remove it manually that I'm finding on Google are just too damn complicated.

Anybody have any suggestions?
Dan Sys
Advanced Member
 
Posts: 1900
Joined: Tue Apr 25, 2006 7:05 pm
Location: Aldergroove, B.C.

Re: "Security Tool" virus.

Postby Buckley » Mon Jul 26, 2010 12:16 am

Have you tried a System Restore in Safe Mode? This sometimes works.

Is this one of those viruses that pretends it's a virus scanner or whathaveyou? If you can possibly run AVG Free, it may be able to remove it. If it's not a very well hidden virus, you may be able to close the process (in task manager) which could buy you some time.
Buckley
Advanced Member
 
Posts: 229
Joined: Tue Jul 06, 2010 3:18 pm

Re: "Security Tool" virus.

Postby Dan Sys » Mon Jul 26, 2010 1:36 am

Thanks for the advice Buckley. Wikipedia also suggests that you do the "system restore" thing in safe mode too:
http://en.wikipedia.org/wiki/Security_Tool
I tried it and I couldn't get it to work. It just continually asked me for my password even though the one I provided was correct. This virus somehow seems to block any procedure involved with its removal.

However, I'm happy to report that after about 8 hours of pulling my hair I think the problem has been solved. I stumbled upon a computer forum group on Google that recommended a free anti-malware download from Malwarebytes. I was actually able to download it in safe mode with no problems. The scan picked up the "security tool" infection and removed it. So far so good, but it makes me wonder why I'm paying the big bucks to McAfee when they let things like this slip by their anti-virus protection.

Now it's time for this old fart to hit the sack.....way past my bedtime.

Re: "Security Tool" virus.

Postby DirkSteele » Mon Jul 26, 2010 5:01 am

I've gone through this one before. My symptom was I had a pop up saying any ".exe" file I tried to open was infected. That went from Registry Edit, to Recycle Bin to Task Manager.

This is how evil it is. When the virus installs, it has a random character placed in the file name. So, one install it is something like "s8kwSecurityTool.exe", the next computer gets "a2soSecurityTool.exe".

That trick lets it avoid most anti-virus. Anti-virus can be nothing more than a program that searches for known malicious file names. When you have something that changes its file name every time it installs....virus scans can't find it.

You lucked out with Malwarebytes finding it.

Bottom line on this virus is that it installs under your user folder in Windows. It launches every time you boot up. It "hides" your user folder in Windows so you have to have your "show hidden folders" enabled. It also changed my Internet Explorer LAN settings to use their proxy server so I had to roll that back as well. The way I caught it is to open up the task manager as soon as you can as your computer boots up. Then you will see the program in the "processes" tab and you can stop it. That gives you access to the rest of your programs. From there I ripped it out piece by piece and then used Malwarebytes to clean up what was left.

A real nasty little bugger. Since it is in code on bad websites, my suggestion is to switch to Firefox. For whatever reason, Firefox gives you a warning about malicious sites that could give you an unwanted download. Even if you get one of those false mailer-daemon messages with an HTML attachment, which are very common these days....Firefox puts up its block.
DirkSteele
Advanced Member
 
Posts: 65
Joined: Tue Oct 30, 2007 6:44 am
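
The changes described in the post above (a program that starts at boot from the user folder, a hidden user folder, and an altered LAN proxy setting) can be checked read-only from PowerShell. This is an added example, not part of the original thread; the function names are hypothetical, and the registry paths are the standard Windows Run and Internet Settings keys, not values taken from the posts.

```powershell
# Read-only triage: reports, changes nothing. Function names are hypothetical.
$profileDir = $env:USERPROFILE

function Test-UnderProfile([string]$Text) {
    # Case-insensitive substring test; avoids wildcard surprises from -like.
    $Text -and $Text.IndexOf($profileDir, [StringComparison]::OrdinalIgnoreCase) -ge 0
}

function Get-ProfileAutoruns {
    # Run-key values (per-user and machine-wide) that launch from the user profile.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if (Test-UnderProfile $cmd) {
                [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd }
            }
        }
    }
}

function Get-ProfileProcesses {
    # Legitimate per-user apps appear here too: a review list, not a verdict.
    Get-Process | Where-Object { Test-UnderProfile $_.Path } |
        Select-Object Id, ProcessName, Path
}

function Get-LanProxyState {
    # The values behind Internet Options > Connections > LAN Settings.
    $s = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    [pscustomobject]@{
        ProxyEnabled = [bool]$s.ProxyEnable
        ProxyServer  = $s.ProxyServer
    }
}

function Test-ProfileHidden {
    # True if the profile folder itself carries the Hidden attribute.
    $dir = Get-Item -LiteralPath $profileDir -Force
    [bool]($dir.Attributes -band [IO.FileAttributes]::Hidden)
}

Get-ProfileAutoruns  | Format-Table -AutoSize -Wrap
Get-ProfileProcesses | Format-Table -AutoSize -Wrap
Get-LanProxyState    | Format-List
"User profile hidden: $(Test-ProfileHidden)"
```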

Re: "Security Tool" virus.

Postby Dan Sys » Mon Jul 26, 2010 9:16 am

Interesting, I guess I got off easy Dirk (knock on wood). I am finding that the computer seems a tad slower than it was and I'm also getting a whole new set of pop-ups and prompts that seem to be originating from the system tray, but at least it's working now and those nuisance "infected .exe" pop-ups appear to be gone.

Should the "Use a proxy server for your LAN" box in Internet Options (LAN Settings) be checked or unchecked? I think I might have tinkered with this last night and I can't remember what the previous setting was.

Re: "Security Tool" virus.

Postby Steve Sanderson » Mon Jul 26, 2010 10:02 am

Dan Sys wrote: Interesting, I guess I got off easy Dirk (knock on wood). I am finding that the computer seems a tad slower than it was and I'm also getting a whole new set of pop-ups and prompts that seem to be originating from the system tray, but at least it's working now and those nuisance "infected .exe" pop-ups appear to be gone.

Should the "Use a proxy server for your LAN" box in Internet Options (LAN Settings) be checked or unchecked? I think I might have tinkered with this last night and I can't remember what the previous setting was.



It's not checked on mine Dan.
Steve Sanderson
Advanced Member
 
Posts: 1111
Joined: Wed Aug 22, 2007 6:57 pm

Re: "Security Tool" virus.

Postby Buckley » Mon Jul 26, 2010 11:33 am

Dan Sys wrote: Interesting, I guess I got off easy Dirk (knock on wood). I am finding that the computer seems a tad slower than it was and I'm also getting a whole new set of pop-ups and prompts that seem to be originating from the system tray, but at least it's working now and those nuisance "infected .exe" pop-ups appear to be gone.

Should the "Use a proxy server for your LAN" box in Internet Options (LAN Settings) be checked or unchecked? I think I might have tinkered with this last night and I can't remember what the previous setting was.


You should normally keep it unchecked.

Now that you've got rid of the virus I'd suggest using a few tools to clean things up if you think McAfee's not getting everything:
- Microsoft Security Essentials: http://www.microsoft.com/security_essentials/ - I've been pretty happy with it so far (it hasn't been in release for very long), it's Microsoft's successor to Defender. Does find a few things that other programs couldn't find, and does a good job of alerting you right when it finds something.
- Spybot: http://www.safer-networking.org/en/index.html - I find it does a great job of clearing out cookies and a few Trojan Horses, but then I haven't used it for a couple years, so it might be even better now.

I will say that I had a similar virus last week, AVG found it right away, but it doesn't seem to be as brutal on Windows 7. Security Essentials alerted me to a couple issues and cleared them first, which might have helped, then I was able to open up task manager, close the running "programs", run AVG to clean the rest of the virus, reboot, and everything was back to normal.

Re: "Security Tool" virus.

Postby PMC » Tue Jul 27, 2010 5:54 pm

Dan Sys wrote: Anybody have any suggestions?


Download Ubuntu Linux, then burn it to a CD.... Keep it handy for cleaning up windows :)

http://www.ubuntu.com/

You should then use it to boot the machine from the CD `live' version, the next time a windows virus appears.... if you have info on the virus itself, then it can be found in the Linux FAT32 or NTFS directory structure and deleted... then reboot Windows etc.

The Ubuntu Linux DVD can be bought with a printed manual at any Chapters bookstore for $40.

Get the desktop version, which has a graphical interface. There is a server version that does not have a GUI, and is for dedicated use etc.
PMC
 

Re: "Security Tool" virus.

Postby Dan Sys » Tue Jul 27, 2010 8:09 pm

Thanks for all the advice and help gentlemen. Everything seems to be back to normal now.

