I was recently doing some testing in the VM with several of the various rogues that we are seeing lately. This testing was mainly looking at how Malware modifies proxy settings and such (will be in a later article). One of the rogues that that landed was the Security Tool Malware. Most of these rogues are usually pretty simple to remove if you know what you’re doing and use the right tools. The removal method detailed by Grinler at BleepingComputer using rkill and MalwareBytes will usually do the trick removing the rogues.
This particular variant was very aggressive and diverted my attention away from what I was doing to how can this thing be removed. Basically what happens is the random process that is created by the Malware blocks just about everything from running, including Task Manager.
C:\Documents and Settings\All Users\Application Data\01284924\01284924.exe
This process is started with a run key every time Windows starts. Even using rkill as described in the BC guide was not successful. A command window from rkill would pop-up for a quick second then close. Giving the following message from the Malware.
The removal guide says to ignore this warning and keep trying to run the tool. This was not successful in my case. Basically nothing will run, neither Windows tools or tools like HijackThis, DDS, OTL, etc…, and the desktop has been rendered blank.
Well, after playing around for a while in Normal Mode and getting nowhere, I decided to get back to basics and boot into Safe Mode. This is not anything new and we were trained to do this early on in Malware removal. This made things very simple. The process did not run, so my desktop appeared and I could run any and all tools. I simply used HijackThis to take out the run key, deleted the folder, and rebooted into Normal Mode. This will disable the active part of the Malware, allowing you to run tools like MalwareBytes to finish off the rest.
This is certainly not “earth shattering” news and Malware removal experts I’m sure are saying “no duh, Safe Mode is nothing new!!!”, but getting back to basics can be the way to go with removing Malware sometimes.