
Security Tool - False Application

Type: Spyware | Category: Rogue Programs | Discovered: 30 September 2009
Security Tool is a fake computer application (also known as a rogue program) designed to deceive users with various scare tactics; for this reason it is also referred to as scareware. Security Tool can be installed through either a fake Video ActiveX Codec or a corrupt online computer scanner page.

Because Security Tool is a fake antivirus, it is not installed the way a trusted computer application would be. The rogue program drops several malicious files on the system and makes unwanted changes to the Windows Registry. The main infection file is also added to the startup list so that Security Tool launches every time the operating system boots.

After the rogue program has been installed, it immediately starts a scan of the computer and ends by presenting the user with a suspicious list of found threats. The virus entries in the scan report should not be trusted, as they may not even exist or may point to legitimate Windows system files.

Trying to run any program, executable file or Task Manager will result in the following message:

To start the Security Tool removal process:
  1. Go to the "Windows" directory and open the "System32" folder (C:\Windows\system32). If there are no desktop icons, begin with Start -> My Computer.
  2. Rename the file taskmgr.exe to iexplore.exe. If file extensions are hidden, rename taskmgr to iexplore.
  3. Double-click the renamed file to open Task Manager.
  4. Under the Processes tab, find the malicious process, whose name is a random string of digits (in this case the process name is 2090413546.exe), and end it.
  5. Important! The process name may be different in each infection (in this case it's "2090413546"). To make sure the right process is killed:
    • Download the HijackThis executable file to the desktop.
    • Go to Start -> Run
    • Type in "C:" (without quotes)
    • Navigate to C:\Documents and Settings\%user profile%\Desktop
    • Rename HijackThis to iexplore or HijackThis.exe to iexplore.exe (if file extensions are enabled)
    • Double-click the renamed file and choose "Do a system scan only"
    • If the results include at least one of the following entries, you have the name of the process that has to be killed (in red):

      O4 - HKLM\..\Run: [2090413546] C:\Documents and Settings\999\Application Data\2090413546\2090413546.exe
      O4 - HKLM\..\Run: [2090413546] C:\DOCUME~1\ALLUSE~1\APPLIC~1\2090413546\2090413546.exe

Security Tool removal tool:
This might be helpful. Security Tool warnings that appear in the taskbar area lead the user to a payment page, which opens in full-screen mode. The user is offered a software license for 2 years or for a lifetime. Do not enter any payment information such as card number, expiration date or CVV2 code, because Security Tool is a scam. If you accidentally end up on the payment page, choose "continue unprotected" at the bottom of the screen to exit the window.
Security Tool Entries:
The following files are created:
2090413546.exe
HijackThis Entries:
O2 - BHO: IETimbar - {1163E531-B58E-4BB9-B877-0906A0A22AEC} - C:\Program Files\Internet Explorer\IETimbar\IETimbar.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\PushWare\cpush.dll
O2 - BHO: google cache - {296AB1C7-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\MICROSOFT\winsys.dll

O4 - HKLM\..\RunOnce: [CPushSetup] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\PushWare\cpush.dll"
O4 - HKLM\..\Run: [2090413546] C:\Documents and Settings\999\Application Data\2090413546\2090413546.exe
O4 - HKCU\..\Run: [Install] C:\Documents and Settings\999\Application Data\2090413546\2090413546.bat
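
One way to automate the check from step 5, as an added example that is not part of the original guide: it scans HijackThis O4 lines for an autostart target whose folder and file share one all-digit name. The function names and the ExampleUpdater line are constructed for illustration; the other sample lines are the entries quoted on this page.

```python
import re

# HijackThis autostart line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_LINE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\(Run|RunOnce): \[([^\]]*)\] (.+)$')
# Folder and file share one all-digit name, e.g. ...\2090413546\2090413546.exe
DIGIT_PATH = re.compile(r'\\(\d+)\\\1\.(exe|bat)"?\s*$', re.IGNORECASE)

def find_digit_autostarts(log_text):
    """Return one dict per O4 entry whose target matches DIGIT_PATH."""
    hits = []
    for raw in log_text.splitlines():
        m = O4_LINE.match(raw.strip())
        if not m:
            continue
        hive, key, value_name, command = m.groups()
        p = DIGIT_PATH.search(command)
        if p:
            hits.append({
                "hive": hive, "key": key, "value": value_name,
                "id": p.group(1), "ext": p.group(2).lower(),
                # Stronger signal when the Run value name is the same number.
                "name_matches": value_name == p.group(1),
            })
    return hits

def process_names(hits):
    """Executable names to look for under the Processes tab."""
    return sorted({h["id"] + ".exe" for h in hits if h["ext"] == "exe"})

# Sample input: O4 lines quoted on this page plus one constructed benign line.
SAMPLE_LOG = r"""
O4 - HKLM\..\RunOnce: [CPushSetup] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\PushWare\cpush.dll"
O4 - HKLM\..\Run: [2090413546] C:\Documents and Settings\999\Application Data\2090413546\2090413546.exe
O4 - HKCU\..\Run: [Install] C:\Documents and Settings\999\Application Data\2090413546\2090413546.bat
O4 - HKLM\..\Run: [2090413546] C:\DOCUME~1\ALLUSE~1\APPLIC~1\2090413546\2090413546.exe
O4 - HKLM\..\Run: [ExampleUpdater] "C:\Program Files\Example\updater.exe"
"""

if __name__ == "__main__":
    found = find_digit_autostarts(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("Process to end:", process_names(found))
```

A match only points to the entry to inspect; the numeric name differs per infection, as the guide notes.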
© 2007-2010 All Rights Reserved. Unauthorized use of any data on pcindanger.com is prohibited.