A friend recently asked me to take a look at her laptop as it was reporting that it had numerous viruses. When I fired it up, you couldn't run a thing, but there were numerous warnings about viruses trying to steal my credit card data.
Of course the program wouldn't fix them as it hadn't been registered. On opening its main window, you're confronted with a reasonably professional looking window. Aside from the shock tactics used in reporting the 'malware' there was very little to suggest that it was scareware. I'd not heard of Security Tool before this, but the combination of every other program allegedly being infected, the fact that they were all trying to steal my credit card data (or I suppose technically, hers), and the fact it wanted money to even think about clearing the 'infections' was enough to make me wonder.
Sure enough, a quick Google took me to Bleeping Computer where there was a description of the scareware, and instructions on how to remove it. Unfortunately, those instructions didn't work, so I went back to basics utilising bits of the guide where appropriate.
This lovely application stops you from running everything, and apparently even updates the HOSTS file (in this case the HOSTS file was fine) so that, if by some miracle you do manage to access the web, you won't get far!
Any attempt to run an application will cause a box to appear warning you that Security Tool has detected a malicious program, and quite often telling you that it's trying to steal your credit card data. It also regularly pops up notifications warning you of multiple infections. In either case, asking the software to fix the problem asks you to register the product for £70.
A confident (but naive) user may try to manually delete the files listed as 'infected'. This is a very bad idea: some of them are core Windows executables and are needed for the system to run properly. If, by the time you get to it, the user has done this, a re-install is probably the best bet. If not, then you should be able to rid the system of this scareware using the following process.
Removing Security Tool
Note: You are advised to read the entire article before attempting this. If you do not feel confident following the steps, ask a professional to do it. Benscomputer.no-ip.org accepts no responsibility for any adverse effects that occur as a result of following these instructions, either correctly or incorrectly.
1. Download Malwarebytes' Anti-Malware.
2. If you do not wish to edit it manually, download a fresh copy of the HOSTS file here.
3. Burn these onto CD (I don't think this malware can spread via removable media, but best to play safe and avoid USB sticks).
4. Restart the computer in Safe Mode (press F8 while the Windows XP screen is visible and select Safe Mode).
5. If possible, log in as a different user to the one you know to have been infected (preferably Administrator).
6. Security Tool should not be running; if it is, then this method probably won't work (you're still free to try!). Skip to the end of this article for more advice.
7. Browse to the CD and start the Malwarebytes installer.
8. Follow the instructions to install the software.
9. Don't restart your PC if prompted (I wasn't asked to).
10. Launch Malwarebytes and select full scan.
11. Go make a brew, maybe do some coding; the scan took 90 minutes on my friend's computer.
12. Remove all infected files.
13. Open C:\Windows\system32\Drivers\etc\HOSTS in Notepad and edit it to remove any entries added by the scareware (or simply copy the file from the CD instead).
14. Now you can restart the computer and log into Windows normally (uninstall Malwarebytes if you wish!).
15. Once you have logged in, there will probably be a dead shortcut called Security Tool on the desktop. Delete it.
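Checking the HOSTS file by eye is easy to get wrong, since the only line a stock Windows HOSTS file needs is the one mapping localhost to 127.0.0.1; anything else that points a hostname at the loopback or unspecified address blocks that site, and anything pointing elsewhere redirects it. The script below is an added example, not code from the original post: it parses a HOSTS file in the Windows format, reports every entry beyond the expected localhost line, and writes a cleaned copy with those lines commented out rather than deleted so they can be reviewed. The sample HOSTS contents, the .test hostnames and the 198.51.100.7 address are constructed for the demonstration; the default path is the one given in the step above.

```python
"""Audit a Windows HOSTS file for entries a scareware infection may have added.

Added example, not part of the original post. The sample contents below are
constructed: the hostnames use the reserved .test TLD and 198.51.100.7 is a
documentation address (TEST-NET-2), so nothing here refers to a real site.
"""
import ipaddress
import sys

# Path the post gives for the HOSTS file on Windows XP.
DEFAULT_HOSTS_PATH = r"C:\Windows\system32\Drivers\etc\HOSTS"

# The only hostname a stock HOSTS file maps to the loopback address.
EXPECTED_LOOPBACK = {"localhost"}


def parse_hosts(text):
    """Yield (line_no, address, [hostnames]) for each active entry.

    Comments (anything after '#') and blank lines are ignored, as the
    resolver ignores them; a line with an address but no hostname is skipped.
    """
    for line_no, raw in enumerate(text.splitlines(), 1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        fields = body.split()
        if len(fields) < 2:
            continue
        yield line_no, fields[0], [h.lower() for h in fields[1:]]


def is_sinkhole(address):
    """True for addresses that make a hostname unreachable (127.x, ::1, 0.0.0.0)."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False  # not a parseable address; reported as a redirect below
    return ip.is_loopback or ip.is_unspecified


def audit_hosts(text, expected_loopback=EXPECTED_LOOPBACK):
    """Return a list of (line_no, reason, address, hostname) findings.

    'blocked'    - hostname sent to loopback/unspecified but is not localhost
                   (the pattern that stops a victim reaching help or updates)
    'redirected' - hostname sent to a non-local address the stock file never has
    """
    findings = []
    for line_no, address, hostnames in parse_hosts(text):
        for host in hostnames:
            if is_sinkhole(address):
                if host not in expected_loopback:
                    findings.append((line_no, "blocked", address, host))
            else:
                findings.append((line_no, "redirected", address, host))
    return findings


def clean_hosts(text):
    """Return the file with every flagged line commented out, so it can be
    reviewed and restored rather than silently lost."""
    flagged = {line_no for line_no, _, _, _ in audit_hosts(text)}
    kept = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        kept.append(("# removed: " + raw) if line_no in flagged else raw)
    return "\n".join(kept) + "\n"


# Constructed sample: one stock line plus three entries of the kind an
# infection would add (two sinkholes, one redirect to a documentation address).
SAMPLE_HOSTS = """\
# constructed sample HOSTS file
# lines starting with '#' are comments
127.0.0.1       localhost
127.0.0.1       www.example-antivirus.test
0.0.0.0         update.example-security.test
198.51.100.7    www.example-bank.test
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_HOSTS_PATH
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        content = SAMPLE_HOSTS  # fall back to the sample so the demo runs anywhere
    for line_no, reason, address, host in audit_hosts(content):
        print(f"line {line_no}: {reason:10} {address:15} {host}")
```

Run it with the path to the HOSTS file as its only argument (or with no argument to see it work on the constructed sample). Entries flagged as 'blocked' are the ones most worth noting, since a file that sinkholes security vendor or update sites is exactly what leaves a cleaned machine unable to fetch the tools it needs; 'redirected' entries deserve a look at where the address actually leads before you decide they are legitimate.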
It may well be that this process didn't work for you (much like the rkill method on Bleeping Computer didn't work for me). In which case you are left with two real options; in the order that you should try them, they are:
- System Restore
- Full Re-install
If you are opting for the System Restore method then be aware that there is no way the scareware will let you run it from within Windows. You will need to restart the computer and press F8 at the Windows loading screen. Some installs have a System Restore option there (not the same as Load Last Known Good Configuration) whilst others require you to go into Safe Mode. Using the latter method, if you log in as Administrator, you should be presented with a dialog asking whether you want Safe Mode or a System Restore. I think you can work out which option you need on this occasion!
If you are going for a full re-install then for god's sake remember to at least try and make a backup of the customer's files. You should be able to burn CDs despite the malware; obviously you'll need to use the built-in Windows burning, but it should allow you. Once the install has finished, make sure you scan every file on the CD to prevent re-infection.
In all cases, you are strongly advised to review the user's security precautions to try and avoid such things occurring again. This may just involve explaining to the user how to check whether a piece of software is authentic or not.
Obviously the whole episode is a nightmare for the user. Security Tool is a nasty bit of code, especially as it relies on users' fears (credit card data being stolen) to try and tempt its mark. Some of the warnings give the distinct impression that whilst the software has detected something nasty happening, it's not even going to try and stop it until you shell out £70 to register. Obviously if the user does register, they then put their finances at the mercy of the crooks as well!
On the plus side, I hadn't come across Malwarebytes before, and am quite impressed with it. Some of the features they wish to charge you to use strike me as quite basic, but at least it's good enough for situations such as this! I haven't looked to see how much they charge for the full version, but as long as it's not too much (and includes updates) it's probably worth the price.
The unfortunate truth is that these infections are not going to stop until we educate our users into how to spot them. With automatic installations they will continue to pop up, but if everyone is aware enough not to part with their money, the incentive will be taken away and infections like this will drop. Sadly the kind of changes needed for that to happen are just pipe dreams!