Security Tool Analysis and Removal
December 2, 2009 by Shanmuga
Filed under Featured, Rogue Security Software, spyware removal
Security Tool is one of the recent entrants to the family of rogue security software. Once installed, the Security Tool scareware makes all the right noises expected from fraudulent security software: a slew of warning messages in various sizes and colors about non-existent malware constantly bombards the desktop in order to scam the user into buying a subscription.
This scareware goes further by hijacking the desktop, hiding the desktop icons and blocking programs from running.

Rogue security software such as Security Tool belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
On restart, this rogue security software hijacks the desktop, hides the desktop icons and removes the wallpaper by clearing the Wallpaper value under the following registry key:
- HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper = ""
In my limited tests, this scareware blocked the running of all programs, from mspaint, msconfig and Windows Media Player to the security software I had installed (Sunbelt Personal Firewall, Malwarebytes Anti-Malware, SUPERAntiSpyware, HijackThis etc.). Windows Explorer was allowed to open, and the browsers Internet Explorer and Firefox were allowed to run and access the internet, accompanied by many fake firewall warnings.

The main installer is named install.exe with a file size of 1257024 bytes. It is detected by 9/40 (22.5%) of the virus engines available at VirusTotal, under various names such as W32/FakeAlert.DX3.gen!Eldorado, Trojan.Win32.FraudPack.acbl, Trojan:Win32/Winwebsec, RogueAntiSpyware.SecurityToolFraud and FraudTool.Win32.RogueSecurity (v).
This rogue security software creates a folder with a random 8-digit name in the Documents and Settings\All Users\Application Data folder.
Security Tool Associated Files and Folders
- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\72388331\72388331.EXE
- C:\DOCUMENTS AND SETTINGS\MALWAREHELP.ORG\DESKTOP\SECURITY TOOL.LNK
- C:\DOCUMENTS AND SETTINGS\MALWAREHELP.ORG\START MENU\PROGRAMS\SECURITY TOOL.LNK
- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\72388331\
Some of the file names may be randomly generated.
Security Tool Associated Registry Values and Keys
In the entries below, the `#` separates a registry key from the name of a value under it.
- HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN#72388331
- C:\Documents and Settings\All Users\Application Data\72388331
- HKLM\SOFTWARE\72388331
- HKLM\SOFTWARE\72388331#FirstRun
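As an added example (not code from the original post), the following script parses `reg query /s` output and flags the persistence pattern listed above: a Run value, folder, EXE and HKLM\SOFTWARE key that all share one random 8-digit name. The sample registry output is constructed for the example, and the `reg query` text layout it assumes is the usual key-line-then-indented-values form.

```python
import re

# Constructed sample of `reg query ... /s` output (not captured from a real host);
# the 8-digit name, folder and Run value mirror the indicators listed on this page.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    72388331    REG_SZ    C:\Documents and Settings\All Users\Application Data\72388331\72388331.exe

HKEY_LOCAL_MACHINE\SOFTWARE\72388331
    FirstRun    REG_DWORD    0x1
"""

# Pattern from the page: one random 8-digit name reused for the folder, the EXE and the Run value.
RANDOM_NAME = re.compile(r"^\d{8}$")
KEY_LINE = re.compile(r"^HKEY_[A-Z_]+\\")
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Parse `reg query` output into {key_path: {value_name: (type, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if KEY_LINE.match(line):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys

def find_security_tool_indicators(keys):
    """Return (key, value_name, detail) tuples matching the page's persistence pattern."""
    hits = []
    for key, values in keys.items():
        parent, _, leaf = key.rpartition("\\")
        # HKLM\SOFTWARE\<8 digits>: the rogue's own configuration key (holds FirstRun).
        if parent.upper() == "HKEY_LOCAL_MACHINE\\SOFTWARE" and RANDOM_NAME.match(leaf):
            hits.append((key, None, "8-digit key under HKLM\\SOFTWARE"))
        if not key.upper().endswith("\\CURRENTVERSION\\RUN"):
            continue
        for name, (_, data) in values.items():
            # Run value named with 8 digits whose EXE sits in a same-named Application Data folder.
            if RANDOM_NAME.match(name) and re.search(
                    r"\\Application Data\\%s\\%s\.exe$" % (name, name), data, re.IGNORECASE):
                hits.append((key, name, data))
    return hits
```

On a live machine, feed it the output of `reg query HKLM\SOFTWARE /s` (and the Run key) instead of the constructed sample; anything it flags still needs to be confirmed by hand, since a legitimate product could in principle use a numeric name.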
Security Tool Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- http://theessentialbaby com/in.php
- http://remotepaybill com/buy2.php?affid=00000
- http://www.onlinebillingsolution net/buy2.php?affid=00000
Note: Visiting the domains mentioned above may harm your computer system.
Security Tool Removal (How to remove Security Tool)
The free versions of Malwarebytes' Anti-Malware and SUPERAntiSpyware appear to remove the Security Tool scareware.
- Use an alternate browser like Firefox or Chrome to download and install either Malwarebytes' Anti-Malware or SUPERAntiSpyware from the links above.
- Also download CCleaner.
- Boot into Windows Safe Mode.
- Scan with your chosen software. Tick all instances of the rogue security software and delete them.
- Turn System Restore off and on again.
- Install CCleaner, then scan and clean the temporary files with it.
You should now be clean of this rogue. You may need to reset your desktop background, though.
Security Tool Scareware — Screenshots
Security Tool Scareware — Video
Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by MalwareHelp.org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
OMG. I thought I would never get rid of this crap. Thanks to this site, it helped me delete Security Tool from my PC and now it's working fine. Also, before you start the steps of deleting this virus, you want to already have your PC in Safe Mode by pressing F8 repeatedly before your PC boots up! Thanks again.
This is a good write-up, but please keep in mind that these steps alone will not ensure that you are free from infections. The vast majority of computers with this fake AV/AS software also have trojan virus infections, and those are probably the root of the infection that you actually see.
Thanks
Phil Jones C.E.O.
Site Tech