# Security tool pop ups



## mak2

Yesterday before my wife went to the store she wanted me to run off Kroger coupons for her.  I clicked on a link to a page from Google search.  A Spyware blocker popped up and has popped up hundreds of times since then.  It says I have every terrible virus and worm known to man and for 29.95 this spyware firewall blocker can make it go away.  It has popped up hundreds of times since.  How do I make it go away without paying?  I have Avast running now.  Help.


----------



## Gatorboy

Run Ad-aware (by Lavasoft) or SpyBot.   One, or both should find the problem.


----------



## Cowboy

If you're running Avast & it's updated, then it's more than likely a bug in Google's search pages & you may very well have nothing wrong. I would download & update this & run it to be sure.

http://download.cnet.com/Malwarebytes-Anti-Malware/3000-8022_4-10804572.html

I keep it on my desktop & run it every once in a while as it will pick up some things the others won't catch. Let us know how it comes out. FYI NEVER download something from the net that is in a pop up that claims you have a virus.


----------



## jpr62902

Gatorboy said:


> Run Ad-aware (by Lavasoft) or SpyBot. One, or both should find the problem.


 
I used to be a fan of Ad-Aware, but it turned into a huge memory hog.  I've switched to Malwarebytes since.  Good software.


----------



## mak2

I have tried to download the Malwarebytes but the Security tools pop up keep popping up and stopping the program.  I shoot down 100's of popups in a minute or two.  Probably 10 while I have been typing this.  My background for my desktop is gone and every once in a while I get the blue screen of death.  Something must be helping because this is the longest I have been able to stay on line, dammit there was another popup.  So if I ain't back for a while it is not because I have been arrested or you guys ran me off.  Thanks for the advice everyone, I am trying to use it but....


----------



## thcri RIP

jpr62902 said:


> I used to be a fan of Ad-Aware, but it turned into a huge memory hog.  I've switched to Malwarebytes since.  Good software.




Ditto on the Malwarebytes


----------



## jpr62902

mak2 said:


> I have tried to download the Malwarebytes but the Security tools pop up keep popping up and stopping the program. I shoot down 100's of popups in a minute or two. Probably 10 while I have been typing this. My background for my desktop is gone and every once in a while I get the blue screen of death. Something must be helping because this is the longest I have been able to stay on line, dammit there was another popup. So if I ain't back for a while it is not because I have been arrested or you guys ran me off. Thanks for the advice everyone, I am trying to use it but....


 
Do you have another computer?  It sounds like you've got some persistent malware.  If you can download the Malwarebytes install file on to another computer, then put it on a flash drive.  You can do a search about your specific problem (Is the pop up from Windows XP Internet Security?) and there are some good instructions on how to get rid of it, but it includes editing your registry, so be careful.  I just dealt with this in the office a couple of months ago.


----------



## jpr62902

Instructions here:  http://www.ehow.com/how_6193223_uninstall-internet-security-windows-xp.html


----------



## Cowboy

Mak, can you post the name of the type of security it's asking you to download? SpySheriff used to be one of the toughest ones to remove a few years back, but I haven't heard of it for a while. Best of luck, sounds like you are indeed infected. Bob


----------



## jwstewar

My sister just had this same virus on both of her computers. Couldn't do much with either computer. Finally booted into Safemode with Network Support and downloaded Spybot S&D on it. It found the problem (and a few others) and corrected it on both of her computers.

I think Spybot wanted to do 2 or 3 scans on each computer, it finally got both of them cleaned up though.


----------



## mak2

Security tool, wants me to send them 49 bucks. It has taken me about 45 min to get to this thread because of all the pop ups, and they pop up over and over.  I can't get anything to download because the pop ups seem to stop them.  Damn it, this is frustrating.  Probably 50 popups that I have to exit out of while I was trying to type this.


----------



## Cowboy

Yep, that's a bad one Mak. Here's a link, if you can get to it from maybe another computer, to maybe help you figure out how to remove it.

http://www.2-spyware.com/remove-security-tool.html


----------



## Cowboy

Afterthought, can you run your Avast scanner or have you tried that already? BTW it is a scam virus so do not buy or download it.

Another link to help if you can get to it.

http://www.bleepingcomputer.com/virus-removal/remove-security-tool


----------



## mak2

I have tried everything you guys have recommended, and the security tool blocks everything I try to download.


----------



## thcri RIP

Once you have the malware file on a memory stick can you try booting your computer in Safe Mode and then try installing it?


Murph


----------



## jpr62902

mak2 said:


> I have tried everything you guys have recommended, and the security tool blocks everything I try to download.


 

It doesn't matter if you boot up in safe mode.  You have to delete the registry entries for the virus before you can reboot and download\install Malwarebytes or some other virus removal tool.  Use the instructions Cowboy linked to.


----------



## bczoom

SmitFraudFix has taken care of these for me in the past.
http://forums.cnet.com/5208-6132_102-0.html?threadID=290669


----------



## Cowboy

At least try to open the Bleeping Computer link I posted, Mak. Then scroll down to this & read the instructions *rkill.com Download Link*, or if clicking on the link might let you do it from here, download this file. The trojan may not block you but I'm not sure.

Here's some of the instructions in case it's blocking the link.


Print out these instructions as we may need to close every window that is open later in the fix.
It is possible that the infection you are trying to remove will not allow you to download files on the infected computer. If you find this is the case when following these instructions, then you will need to download the requested files in this guide to another computer and then transfer them to the infected computer. You can transfer the files via a CD/DVD, external drive, or USB flash drive.
Before we can do anything we must first end the processes that belong to Security Tool so that it does not interfere with the cleaning procedure. To do this, download the following file to your *Desktop.*

*rkill.com Download Link*
As this infection hides the Windows desktop, we need to open up a window that allows us to see the icons. 

If you are using Windows XP perform the following steps: Click on the *Start* button and then click on the *Run* menu item. When the Run box opens, type *%UserProfile%\desktop* in the Open: field and then press *Enter* on your keyboard.
If you are in Windows Vista or Windows 7 perform the following steps. Click on the *Start* button and type *%UserProfile%\desktop* in the *Search* field at the bottom of the start menu. Then press Enter on your keyboard.
You should now see a window that shows all of your desktop icons, including the *rkill.com* program. Now double-click on the *rkill.com* in order to automatically attempt to stop any processes associated with Security Tool and other Rogue programs. Please be patient while the program looks for various malware programs and ends them. When it has finished, the black window will automatically close and you can continue with the next step. If you get a message that rkill is an infection, do not be concerned. This message is just a fake warning given by Security Tool when it terminates programs that may potentially remove it. If you run into these infection warnings that close Rkill, a trick is to leave the warning on the screen and then run Rkill again. By not closing the warning, this typically will allow you to bypass the malware trying to protect itself so that rkill can terminate Security Tool. So, please try running Rkill until malware is no longer running. You will then be able to proceed with the rest of the guide.

*Do not reboot your computer after running rkill as the malware programs will start again.*
Now you should download Malwarebytes' Anti-Malware, or MBAM, from the following location and save it to your desktop:

*Malwarebytes' Anti-Malware Download Link*
When the file has finished downloading, look on your desktop for mbam-setup.exe and right-click on it and select *Rename*. The title of the program will now have a blinking cursor where you can edit the name. Please change the name of the program to *Explorer.exe*.
After you rename the mbam-setup.exe to Explorer.exe, close all your programs and Windows on your computer, including this one.
Double-click on the icon on your desktop named *Explorer.exe*. This will start the installation of MBAM onto your computer.
When the installation begins, keep following the prompts in order to continue with the installation process. Do not make any changes to default settings and when the program has finished installing and is at the last screen, make sure you uncheck both of the *Update Malwarebytes' Anti-Malware* and *Launch Malwarebytes' Anti-Malware* check boxes. Then click on the *Finish* button. If Malwarebytes' prompts you to reboot, *please do not do so*.

If you receive a code 2 error while installing Malwarebytes', please press the *OK* button to close these errors as we will resolve them in future steps. The code 2 error will look similar to the image below.

As this infection deletes a core executable of Malwarebytes', or does not allow it to run, we will need to download a new copy of it and put it in the *C:\program files\Malwarebytes' Anti-Malware\ *folder. To download the file please click on the following link:

*Malwarebytes' EXE Download*
When your browser prompts you where to save it to, please save it to the *C:\program files\Malwarebytes' Anti-Malware\ *folder. When downloading the file, it will have a random filename. Please leave the filename the way it is as it is important that it is not changed. You may want to write down the name of the file as you will need to know the name in the next step.
Once the file has been downloaded, open the *C:\program files\Malwarebytes' Anti-Malware\ *folder and double-click on the file you downloaded in step 14. MBAM will now start and you will be at the main program screen as shown below.

Before you can perform a scan, you must first update the program. To do this click on the *Update* tab, and then at the new screen click on the *Check for Updates* button. Malwarebytes' will now check for new updates and download and install them as necessary. When the update is completed, you will be prompted with a message stating either that you already have the latest updates or that they have been updated. Either way, you should now click on the *OK* button to continue.
Now click on the *Scanner* tab and make sure the *Perform full scan* option is selected. Then click on the *Scan* button to start scanning your computer for *Security Tool* related files.
MBAM will now start scanning your computer for malware. This process can take quite a while, so we suggest you go and do something else and periodically check on the status of the scan. When MBAM is scanning it will look like the image below.

When the scan is finished a message box will appear as shown in the image below.

You should click on the OK button to close the message box and continue with the *SecurityTool* removal process.
You will now be back at the main Scanner screen. At this point you should click on the *Show Results* button.
A screen displaying all the malware that the program found will be shown as seen in the image below. Please note that the infections found may be different than what is shown in the image.

You should now click on the *Remove Selected* button to remove all the listed malware. MBAM will now delete all of the files and registry keys and add them to the programs quarantine. When removing the files, MBAM may require a reboot in order to remove some of them. If it displays a message stating that it needs to reboot, please allow it to do so. Once your computer has rebooted, and you are logged in, please continue with the rest of the steps.
When MBAM has finished removing the malware, it will open the scan log and display it in Notepad. Review the log as desired, and then close the Notepad window.
You can now exit the MBAM program.
As this infection also changes your Windows HOSTS file, we want to replace this file with the default version for your operating system. Please note that if you or your company has added custom entries to your HOSTS file then you will need to add them again after restoring the default HOSTS file. In order to protect itself, *SecurityTool* changes the permissions of the HOSTS file so you can't edit or delete it. To fix these permissions please download the following batch file and save it to your desktop:
*Hostsperm.bat Download Link*
When the file has finished downloading, double-click on the hostsperm.bat file that is now on your desktop. If Windows asks you if you are sure you want to run it, please allow it to run. Once it starts you will see a small black window that opens and then quickly goes away. This is normal and is nothing to be worried about. You should now be able to access your HOSTS file.
We now need to delete the *C:\Windows\System32\Drivers\etc\HOSTS* file. Once it is deleted, download the following HOSTS file that corresponds to your version of Windows and save it in the *C:\Windows\System32\Drivers\etc* folder. If the contents of the HOSTS file opens in your browser when you click on a link below then right-click on the appropriate link and select *Save Target As...*, if in Internet Explorer, or *Save Link As..*, if in Firefox, to download the file.
*Windows XP HOSTS File Download Link*
*Windows Vista HOSTS File Download Link*
*Windows 2003 Server HOSTS File Download Link*
*Windows 2008 Server HOSTS File Download Link* 
*Windows 7 HOSTS File Download Link*
Your Windows HOSTS file should now be back to the default one from when Windows was first installed.
You can also delete the *Explorer.exe* program from your desktop.
Your computer should now be free of the *SecurityTool* program. You may want to consider *purchasing the PRO version of Malwarebytes' Anti-Malware* to protect against these types of threats in the future, as if you had the real-time protection component, that comes with the paid for version, activated it would not have allowed this infection to install.
If you are still having problems with your computer after completing these instructions, then please follow the steps outlined in the topic linked below:
*Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help*


*Associated Security Tool Files:*
*Please note that the files and folders for Security Tool and SecurityTool have random names.*

%UserProfile%\Application Data\4946550101
%UserProfile%\Application Data\4946550101\4946550101.bat
%UserProfile%\Application Data\4946550101\4946550101.cfg
%UserProfile%\Application Data\4946550101\4946550101.exe
%UserProfile%\Desktop\Security Tool.lnk
%UserProfile%\Start Menu\Programs\Security Tool.lnk

*Associated Security Tool Windows Registry Information:*
*Please note that the files and folders for Security Tool and SecurityTool have random names.*

HKEY_CURRENT_USER\Software\Security Tool
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "4946550101"

*This is a self-help guide. Use at your own risk.*
*BleepingComputer.com can not be held responsible for problems that may occur by using this information. If you would like help with any of these fixes, you can ask for malware removal assistance in our Virus, Trojan, Spyware, and Malware Removal Logs forum.*
*If you have any questions about this self-help guide then please post those questions in our AntiVirus, Firewall and Privacy Products and Protection Methods forum and someone will help you.*






Once you do that it should kill the process that's stopping you from downloading Malwarebytes.


Mods, if this is not OK to do it this way feel free to delete.


----------
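The guide pasted above lists a Run-key value and a changed HOSTS file as traces of Security Tool. As an added example (not from the thread or the BleepingComputer guide), this Python checks exported Run values and HOSTS contents for those traces; the function names, the sample data and the digit-shape heuristic are assumptions made for illustration.

```python
import re

# Heuristic built from the file list in the guide: a Run value whose name is a
# digit string, launching <digits>\<digits>.exe under "Application Data".
# The digits are random per infection, so only the shape is matched (assumption).
RUN_SHAPE = re.compile(
    r"\\Application Data\\(?P<dir>\d{6,})\\(?P<exe>\d{6,})\.exe\b", re.IGNORECASE
)

def suspicious_run_entries(run_values):
    """Return names of Run-key values that match the rogue's naming shape."""
    hits = []
    for name, command in run_values.items():
        m = RUN_SHAPE.search(command)
        if m and m.group("dir") == m.group("exe") and name.strip('"') == m.group("dir"):
            hits.append(name)
    return hits

# Assumption: a stock HOSTS file only maps localhost to loopback, so custom
# company entries will be reported as well and need a human decision.
DEFAULT_HOSTS = {("127.0.0.1", "localhost"), ("::1", "localhost")}

def nondefault_hosts_entries(hosts_text):
    """Return (address, hostname) pairs that are not in the stock HOSTS file."""
    extra = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing is mapped
        address, names = fields[0], fields[1:]
        for host in names:
            if (address, host.lower()) not in DEFAULT_HOSTS:
                extra.append((address, host.lower()))
    return extra

# Constructed sample data (not taken from a real machine).
SAMPLE_RUN = {
    "4946550101": r"C:\Documents and Settings\user\Application Data\4946550101\4946550101.exe",
    "avast!": r"C:\Program Files\Alwil Software\Avast4\ashDisp.exe",
    "20100312": r"C:\Documents and Settings\user\Application Data\Backup\20100312.exe",
}
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
192.0.2.10      www.example-av-vendor.test example-av-vendor.test  # constructed
"""

if __name__ == "__main__":
    print("Run values to review:", suspicious_run_entries(SAMPLE_RUN))
    print("HOSTS entries to review:", nondefault_hosts_entries(SAMPLE_HOSTS))
```

Anything the two functions return is a lead for manual review, not proof of infection.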



## mak2

Thanks Cowboy and everybody, man that is a killer virus.  Literally.  My wife went out and bought me a new laptop, I have been wanting one anyway but she brought it home last night to surprise me.  I don't have it up and running yet.  Right now I am at work.  When my wife bought that laptop she bought an anti virus CD with it and it has already been downloaded to the new one.  Is it ethical to download the antivirus on the old laptop or is the user agreement to use it on just one machine?  I am going to try Cowboy's last post when I get home tonight, but the virus blocks everything I try.  Thanks again everyone.


----------



## Cowboy

mak2 said:


> Thanks Cowboy and everybody, man that is a killer virus. Literally. My wife went out and bought me a new laptop, I have been wanting one anyway but she brought it home last night to surprise me. I don't have it up and running yet. Right now I am at work. When my wife bought that laptop she bought an anti virus CD with it and it has already been downloaded to the new one. Is it ethical to download the antivirus on the old laptop or is the user agreement to use it on just one machine? I am going to try Cowboy's last post when I get home tonight, but the virus blocks everything I try. Thanks again everyone.


 
Congrats on the new puter Mak, it might depend on which anti virus disk your wife bought. But as far as I know, unless it's Windows related it don't make no difference on how many computers you put it on.

Best of luck on the old puter, just make sure & try to download the rkill first, even if you have to do it from here. I doubt the virus will let you go to any computer help sites, that's why I C&P'ed it here.


----------



## tsaw

CB.. has the answer with that great (long) post. You will have to follow them instructions to the tee.
You certainly have a nasty one. It is so bad that it has put the "fix" in your "hosts" file. The hosts file contains websites that are banned from viewing. Thus - you can't d/l the fix.


----------



## Galvatron

Might be worth just for a simple solution checking if this virus has been added to your Add-ons on your browser...hit tools on your internet browser and look through the Add-ons.

Happened to my son once but only a stab in the dark from me....good luck Mak.


----------



## mak2

I will try it, I am on a different computer now.  I had heard of people getting viruses and it shutting down their computer, but I was not sure I believed them.  Do now.  Made mine unusable in seconds.


----------

