Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Security Tool Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

Security Tool is one of the recent entrants to the family of rogue security software. Once installed the Security Tool scareware makes all the right noises expected from a fraudulent security software. A slew of warning messages in various sizes and colors about non-existent malware constantly bombard the desktop in order to scam the user to buy a subscription.

This scareware goes further by hijacking the desktop, hiding desktop icons and blocking programs from running.


A rogue security software such as Security Tool belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

On restart this rogue security software hijacks the desktop, hides the desktop icons, deletes the wallpaper by manipulating the following registry key:

  • HKEY_CURRENT_USERControl PanelDesktop_Wallpaper = “”

In my limited tests, this scareware blocked running of all programs from mspaint, msconfig, Windows Media Player to the security software I had installed Sunbelt personal firewall, Malwarebytes Antimalware, Superantispyware, Hijackthis etc. Windows explorer was allowed to open and the browsers Internet Explorer and Firefox was allowed to run and access the internet with many fake firewall warnings.


The main installer is named install.exe with the file size of 1257024 bytes. It is detected by 9/40 (22.5%) of the virus engines available at the VirusTotal. It is detected in various names as W32/FakeAlert.DX3.gen!Eldorado, Trojan.Win32.FraudPack.acbl, Trojan:Win32/Winwebsec, RogueAntiSpyware.SecurityToolFraud and FraudTool.Win32.RogueSecurity (v).

This rogue security software creates a folder with a random 8 digit name in the Documents and SettingsAll UsersApplication Data folder.

Security Tool Associated Files and Folders


Some of the file names may be randomly generated.

Security Tool Associated Registry Values and Keys

  • C:Documents and SettingsAll UsersApplication Data72388331
  • HKLMSOFTWARE72388331
  • HKLMSOFTWARE72388331#FirstRun

Security Tool Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://theessentialbaby com/in.php
  • http://remotepaybill com/buy2.php?affid=00000
  • http://www.onlinebillingsolution net/buy2.php?affid=00000

Note: Visiting the domains mentioned above may harm your computer system.

Security Tool Removal (How to remove Security Tool)

The free versions of MalwareBytes’s Anti-Malware (mbam-setup.exe Direct download) and SuperAntiSpyware appear to remove Security Tool Scareware.

  1. Use an alternate browser like Firefox or Chrome to download and Install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
  2. Boot in to Windows Safe Mode.
  3. Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
  4. Turn System Restore off and on

You should now be clean of this rogue. You may need to reset your desktop background though.

Security Tool Scareware — Screenshots

Security Tool Scareware — Video

Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 13 comments… read them below or add one }

Danny Harris December 6, 2009 at 3:34 AM

omg. i thought i would never get rid of this crap. thanks to this site it helped me delete security tool from my pc and now it’s working fine. also when before you start the steps of deleting this virus , you want to already have your pc in safe mode by keep pressing f8 before your pc boots up! thanks again


Phil Jones February 26, 2010 at 3:03 AM

This is a goo write up but please keep in mind that these steps alone will not insure that you are free from infections. The vast majority of computers with this Fake AV/AS software also have trojan virus infections and those are probably the root of the the infection that you actually see.

Phil Jones C.E.O.
Site Tech


wooohoo April 19, 2010 at 5:38 AM

Please get rid of Windows, use Linux!
It’s free and free of viruses and malware!


ade April 23, 2010 at 12:24 AM

Thanks for taking time out to write this, it has really helped. My systems still being scanned as i type on my other comp, but its found 4 infected files so far so heres hoping. thanks again!


Lexy May 5, 2010 at 2:45 PM

I just want to thank you a million times over, I messed up and downloaded Security Tool. I definitely paid the price for it, but thank god the internet still worked.I looked up your very useful information and fixed my computer while saving my mother-in-law from a nervous break down. I seriously can’t thank you enough.


Richard August 12, 2010 at 7:38 PM

they security tool will not let me download anything to gt rid of it
ive tryed everything i can think of
help please??


Tabi September 10, 2010 at 4:39 PM

Thank u really much! I thought I had to reinstall windows 7 when i got this problem, but then I saw ur useful information which helped me very much! Now Im finally rid of this problem 🙂


jeffrey September 12, 2010 at 7:20 PM

I need help still! when i used those links to terminate or delete the security tool, after reboot they come back again!


Alex Messenger September 21, 2010 at 3:47 AM

May I suggest to those struggling to open programs that need to be, such as Malwarebytes, to rename the applications “iexlore” and Security tools will allow it to open as it thinks it is Internet Explorer and needs to allow this to open so that you can purchase its fake protection. Plus, make sure you update the Anti-malwares protection before use as the version this website leads you to is outdated. Hope this helps Alex!


Kalani October 28, 2010 at 12:34 PM

I just helped someone remove it, tried the *iexlore* trick, but it still wouldnt work. so i had to install it in save mode w/ network, so i can could update malware. after runing a full scan it picked it up and removed it. was on a windows 7 home edition laptop


allen October 30, 2010 at 3:24 AM

found the lastest version in /Documents and Settings/$USER/Local Settings/Application Data/4765432.exe
after using TRK 3.4 to find it, Malwarebytes now sees remaining pieces
after booting safe mode+net


Agent X November 27, 2010 at 5:13 AM

i had this. deleted user and created new.


Bev May 6, 2011 at 4:08 PM

Brilliant ,thanks so much ,just found the “Turn System Restore off and on” a bit hard (as a total technophobe) to get my head around.


Leave a Comment

Previous post:

Next post: