Hmong Developers
To provide a long lasting and reliable place for developers to meet, share, learn new knowledge, network with business clients, and inspire new developers to continue learning and growing.
Author Topic: Security Tool infected a computer at work
Chao
« on: March 15, 2010, 03:14:06 pm »

I got called from the local HMAA office for help because a virus screen keeps popping up on the PC and the staff cannot do their work. Turns out it is a Security Tool virus and trojan infection.

It disables the Task Manager, so there is no way to shut it down through Task Manager. It blocks every *.exe file from being executed by giving a fake warning that those files are infected with a virus. The only screen that is shown is the Security Tool and the link to activate the program for $$$$.

I plugged in my USB drive and tried to run a virus program, but nothing worked. Later on, I learned that some of the *.exe files also got infected from the plug. The virus creates or attaches itself to the autorun.inf file so that any time the drive is plugged into any computer, it will get executed first. So watch out for that. Disable autorun before plugging in an infected drive.

I took the hard drive out, plugged it in as a slave on another computer and did a complete scan, healed and removed all the infected files. When I plugged it back into the old computer and started it as normal, the virus was still there.

So, I am going back to work today to clean it up and I am going to try this:

http://www.howtogeek.com/howto/9505/how-to-remove-security-tool-and-other-roguefake-antivirus-malware/


I wish the staff would use Firefox instead so I can install a security warning (WOT) for all their Google search results. IE does not have that.
« Last Edit: March 15, 2010, 03:27:21 pm by Chao »

PHP, MySQL, HTML & CSS
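The autorun.inf mechanism described in the post is worth being able to check for before a drive is opened. The script below is an added example, not code from the thread or from Chao: it parses an autorun.inf for the directives that make Explorer start a program (open, shellexecute and shell\<verb>\command) and decodes the Windows NoDriveTypeAutoRun policy value (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer) that says which drive types have AutoRun disabled, so an admin can confirm the "disable autorun" step actually took effect. The sample autorun.inf content is constructed; the parser is hand-written rather than configparser because malware-written files are often not clean INI.

```python
"""Added example (not from the original thread): inspect an autorun.inf for
directives that would launch a program, and decode the Windows
NoDriveTypeAutoRun policy value that controls whether AutoRun is honoured
for a drive type. The sample autorun.inf content below is constructed."""

import re
from pathlib import Path

# Directives Explorer acts on when a volume is inserted or opened.
EXEC_DIRECTIVES = ("open", "shellexecute")
# shell\<verb>\command=... adds a context-menu verb that runs a program;
# overriding the default verb makes a plain double-click run it.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")

# HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
#   NoDriveTypeAutoRun (REG_DWORD): a set bit disables AutoRun for that type.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x02: "no root directory",
    0x04: "removable (USB, floppy)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "unknown (reserved)",
}
DISABLE_ALL = 0xFF   # AutoRun off for every drive type


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lower-cased.
    Hand-rolled rather than configparser: malware-written files often
    carry junk lines, mixed case and duplicate keys (last one wins)."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def find_launch_directives(entries):
    """Return (directive, target) pairs that would start a program."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_DIRECTIVES or SHELL_COMMAND_RE.match(k)]


def inspect_drive_root(root):
    """Check a mounted drive root for autorun.inf; None if there is none."""
    inf = Path(root) / "autorun.inf"
    if not inf.exists():
        return None
    return find_launch_directives(parse_autorun(inf.read_text(errors="replace")))


def autorun_disabled_for(mask):
    """Drive types for which NoDriveTypeAutoRun=mask disables AutoRun."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if mask & bit]


def removable_autorun_blocked(mask):
    """True if AutoRun is off for removable media (the USB-stick case)."""
    return bool(mask & 0x04)


# Constructed sample modelled on the pattern described in the post:
# the launch target hidden in a subfolder and the default verb overridden.
SAMPLE_AUTORUN_INF = r"""
[AutoRun]
icon=setup.exe
action=Open folder to view files
open=hidden\updater.exe
shellexecute=hidden\updater.exe
shell\open\command=hidden\updater.exe
"""

if __name__ == "__main__":
    for directive, target in find_launch_directives(parse_autorun(SAMPLE_AUTORUN_INF)):
        print(f"would execute: {directive} -> {target}")
    # 0x91 is the value Windows XP shipped with: removable media still autorun.
    for mask in (0x91, DISABLE_ALL):
        print(f"NoDriveTypeAutoRun=0x{mask:02X}: "
              f"removable AutoRun blocked = {removable_autorun_blocked(mask)}")
```

Point inspect_drive_root at the mount point of a drive you are about to examine; the icon and action entries are reported as harmless, while any open, shellexecute or shell\...\command line is listed as something that would run. Reading the registry value itself (winreg on the affected machine) is left to the admin, since the decoding is the part that is easy to get wrong: only 0xFF turns AutoRun off for removable media as the post advises, and the XP-era default of 0x91 does not.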
Chao
« Reply #1 on: March 17, 2010, 10:30:19 pm »

Resolve:

Boot PC into Safe Mode.
Run ComboFix, antivirus, heal or remove infected files.
Run msconfig, uncheck all selections in Startup.

Computer boots up clean.