I’ve recently encountered a Trojan Horse program called SecurityTool that has a very convincing friendly facade. When I first saw it, I thought that it was a legitimate antivirus program / firewall, similar to Norton 360. It seems to scan your PC and discover infections. It disables all user programs except itself “for your protection” and hijacks the web browser to point the user to a web page where it attempts to have the user buy a program that will “fix” his/her computer. It’s essentially ransomware. Please don’t enter your credit card number when this program is active — who knows who will then capture your credit card info?!
It looks like this originated from the same evil geniuses who created PC Antispyware 2010: http://russbellew.spaces.live.com/Blog/cns!D5F86162D2CCCC87!495.entry
Here are simple instructions to remove SecurityTool: http://www.2-spyware.com/remove-security-tool.html. I’ve found that the folder that contains the SecurityTool executable may have a different name than the one referred to within the article. You may have luck discovering its folder’s name by booting into Safe Mode (press F8 at startup) and running msconfig.exe to examine the startup group. The SecurityTool executable file is easily identifiable because it will probably be the only startup group executable file that’s located in a subdirectory beneath Documents and Settings.
I’ve used a different removal procedure. I physically remove the infected PC’s hard drive, temporarily hang it as a slave drive in a known clean PC, and then (step 1) use the clean PC to scan the infected hard drive. AVG 8.5 will detect and remove the offending executable files. This method treats the registry as just another set of files, so after returning the hard drive to the infected PC, you’ll still need to run a scan on that PC. When you’re done, you will probably be left with a vestigial item in the startup group. To avoid this, note what was removed in step 1 and remove any reference to it within the startup group. (Use either msconfig.exe or SpyBot Search & Destroy in Advanced / Tools / Startup to do this.)
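Both procedures above end at the same check: look through the startup group for an entry whose executable lives under a user profile directory (Documents and Settings on XP, Users on later Windows) rather than under Program Files or the Windows directory, and for entries left over after the file itself has been removed. The script below is an added example of that triage heuristic and is not code from the original post; it runs against a constructed msconfig-style listing (the entry names and folder names in it are hypothetical placeholders, not real SecurityTool indicators) and, when run on Windows, also reads the standard HKCU/HKLM Run keys, which it assumes are in their usual locations.

```python
"""Flag Windows startup entries whose executable lives under a user profile.

Added example, not code from the original post. The sample listing is
constructed; names and folder names in it are hypothetical placeholders.
"""
import ntpath
import re

# Profile roots: "Documents and Settings" (XP) and "Users" (Vista and later).
# Legitimate startup programs rarely run from here; rogue AV usually does.
PROFILE_ROOT_RE = re.compile(
    r"^[a-z]:\\(documents and settings|users)\\", re.IGNORECASE)


def extract_exe_path(command):
    """Pull the executable path out of a startup command line.

    Handles quoted paths ("C:\\Program Files\\x.exe" /arg) and bare
    paths with arguments (C:\\dir\\x.exe -s).
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.+?\.exe)(\s|$)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_profile_resident(exe_path):
    """True if the executable sits beneath a user profile directory."""
    return bool(PROFILE_ROOT_RE.match(ntpath.normpath(exe_path)))


def triage(entries):
    """entries: iterable of (name, command) pairs as msconfig shows them.

    Returns [(name, exe_path)] for entries that run from a user profile,
    including stale ones whose file has already been deleted.
    """
    flagged = []
    for name, command in entries:
        exe = extract_exe_path(command)
        if is_profile_resident(exe):
            flagged.append((name, exe))
    return flagged


# Constructed sample resembling an msconfig startup listing on an XP-era PC.
# "EXAMPLE12345" stands in for the random folder name the post mentions.
SAMPLE_ENTRIES = [
    ("AVG8_TRAY", r'"C:\Program Files\AVG\AVG8\avgtray.exe"'),
    ("ctfmon", r"C:\WINDOWS\system32\ctfmon.exe"),
    ("EXAMPLE12345",
     r'"C:\Documents and Settings\All Users\Application Data\EXAMPLE12345\EXAMPLE12345.exe" /s'),
    ("UpdateChecker",
     r"C:\Documents and Settings\Owner\Local Settings\Application Data\upd.exe"),
]


def load_windows_run_keys():
    """On Windows, read HKCU and HKLM ...\\CurrentVersion\\Run (assumed
    standard locations) so the triage runs on live entries; [] elsewhere."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive, hive_name in ((winreg.HKEY_CURRENT_USER, "HKCU"),
                            (winreg.HKEY_LOCAL_MACHINE, "HKLM")):
        try:
            key = winreg.OpenKey(
                hive, r"Software\Microsoft\Windows\CurrentVersion\Run")
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break
                entries.append((f"{hive_name}\\{name}", str(value)))
                i += 1
    return entries


if __name__ == "__main__":
    live = load_windows_run_keys()
    for name, exe in triage(live or SAMPLE_ENTRIES):
        print(f"REVIEW: {name} -> {exe}")
```

On the constructed listing the two entries under Documents and Settings are reported and the AVG and ctfmon entries are not; every flagged entry still needs a human look, since some legitimate updaters also install into a profile directory. The script only reads, never deletes, so removing a confirmed entry is still done in msconfig.exe or SpyBot as described above.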
Increasingly, I find myself routinely removing infected hard drives from victims’ PCs to scan them on clean PCs. Otherwise, I’m trying to clean an infected PC with an infected PC.