Monthly Archives: May 2010

Fake Antivirus “Security Tool” terminating new processes

This fake antivirus software, calling itself “Security Tool”, intercepts binary files at the point of execution and terminates them. Whether the file has a bat, com or exe extension, the fake AV terminates it upon execution. This can be very frustrating when trying to remove the malware on a standalone machine. Fortunately, not all processes get terminated: Internet Explorer (iexplore.exe) and Windows Explorer (explorer.exe) do load, so we can use these to our advantage. Our main goal is to locate and remove the fake AV software. Running explorer.exe from start..run will load the Explorer window, and from there we can browse to the well-known locations where the fake AV software usually gets dropped:

C:\WINDOWS\
C:\WINDOWS\system32\
C:\Documents and Settings\All Users\Application Data\
C:\Documents and Settings\{username}\Application Data\
C:\Documents and Settings\{username}\Local Settings\Application Data\

Look for unusual files or folders in these locations and, if you find any, rename them and reboot. If your PC boots up normally, go back to the file or folder you renamed earlier and delete the malware. In this case the fake AV software was called 29225727.exe and was located in

C:\Documents and Settings\{username}\Application Data\

Make sure “Show hidden files and folders” is selected in your folder options before browsing, as the file might have the hidden attribute set.

Another way to locate the malware is to search for the file through Windows Explorer. You can search for files by a certain date, for only .exe files, etc. To get an idea of what the executable might be called, browse to the C:\WINDOWS\Prefetch\ folder, look at the last few files written, and search for those executables.

Finally, another way is to right-click the shortcut in the start..programs..Security Tool menu (if it exists), take note of the path, then go to that path, rename the file and reboot.
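The Prefetch cross-check described above can also be scripted against the infected disk mounted on a clean machine, where new processes are not being killed. This is an added example, not part of the original post: the mount root, the user name alice, the Prefetch hash suffixes and the sample tree are constructed, and only the name 29225727.exe comes from the post.

```python
import os
import re
import tempfile
from pathlib import Path

EXEC_EXTS = {".exe", ".bat", ".com"}                  # extensions named in the post
PF_NAME = re.compile(r"^(.+)-[0-9A-Fa-f]{8}\.pf$")    # <EXE NAME>-<8 hex digits>.pf

def drop_dirs(root):
    """The post's five drop locations that exist under a mounted volume."""
    win, profiles = Path(root) / "WINDOWS", Path(root) / "Documents and Settings"
    dirs = [win, win / "system32", profiles / "All Users" / "Application Data"]
    for user in (sorted(profiles.iterdir()) if profiles.is_dir() else []):
        if user.name != "All Users":
            dirs += [user / "Application Data", user / "Local Settings" / "Application Data"]
    return [d for d in dirs if d.is_dir()]

def recent_prefetch(root, count=10):
    """Executable names from the `count` most recently written Prefetch entries."""
    pf_dir = Path(root) / "WINDOWS" / "Prefetch"
    newest = sorted(pf_dir.glob("*.pf"), key=lambda p: p.stat().st_mtime, reverse=True)
    matches = (PF_NAME.match(p.name) for p in newest[:count])
    return [m.group(1).upper() for m in matches if m]

def find_candidates(root, count=10):
    """Executables in the drop locations that also appear in recent Prefetch entries."""
    wanted = set(recent_prefetch(root, count))
    return [f for d in drop_dirs(root) for f in sorted(d.iterdir())
            if f.is_file() and f.suffix.lower() in EXEC_EXTS and f.name.upper() in wanted]

def build_sample(root):
    """Constructed tree for the demo; only the name 29225727.exe comes from the post."""
    root = Path(root)
    appdata = root / "Documents and Settings" / "alice" / "Application Data"
    sys32, prefetch = root / "WINDOWS" / "system32", root / "WINDOWS" / "Prefetch"
    for d in (appdata, sys32, prefetch):
        d.mkdir(parents=True)
    (appdata / "29225727.exe").touch()
    (sys32 / "notepad.exe").touch()
    names = ["29225727.EXE-0A1B2C3D.pf", "IEXPLORE.EXE-11111111.pf", "NOTEPAD.EXE-22222222.pf"]
    for age, name in enumerate(names):        # first name gets the newest timestamp
        (prefetch / name).touch()
        os.utime(prefetch / name, (1_000_000 - age,) * 2)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for hit in find_candidates(build_sample(tmp), count=2):
            print(hit)
```

A larger `count` also returns legitimate programs such as notepad.exe, so treat the output as a list to review rather than a verdict.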