Security Tool is one of the recent entrants to the family of rogue security software. Once installed, the Security Tool scareware makes all the right noises expected of fraudulent security software: a slew of warning messages in various sizes and colors about non-existent malware constantly bombards the desktop in order to scam the user into buying a subscription.
This scareware goes further by hijacking the desktop, hiding desktop icons and blocking programs from running.
A rogue security software such as Security Tool belongs to a family of software products that call themselves antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a license or subscription. They are often repackaged and renamed. They do not actually remove malware; instead, many of them add more malware of their own.
On restart this rogue security software hijacks the desktop, hides the desktop icons and deletes the wallpaper by manipulating the following registry value:
- HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper = ""
In my limited tests, this scareware blocked the running of all programs, from mspaint, msconfig and Windows Media Player to the security software I had installed: Sunbelt Personal Firewall, Malwarebytes Anti-Malware, SUPERAntiSpyware, HijackThis etc. Windows Explorer was allowed to open, and the browsers Internet Explorer and Firefox were allowed to run and access the internet, with many fake firewall warnings.
The main installer is named install.exe, with a file size of 1257024 bytes. It is detected by 9/40 (22.5%) of the virus engines available at VirusTotal, under various names such as W32/FakeAlert.DX3.gen!Eldorado, Trojan.Win32.FraudPack.acbl, Trojan:Win32/Winwebsec, RogueAntiSpyware.SecurityToolFraud and FraudTool.Win32.RogueSecurity (v).
This rogue security software creates a folder with a random 8-digit name in the Documents and Settings\All Users\Application Data folder.
Security Tool Associated Files and Folders
- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\72388331\72388331.EXE
- C:\DOCUMENTS AND SETTINGS\MALWAREHELP.ORG\DESKTOP\SECURITY TOOL.LNK
- C:\DOCUMENTS AND SETTINGS\MALWAREHELP.ORG\START MENU\PROGRAMS\SECURITY TOOL.LNK
- C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\72388331
Some of the file names may be randomly generated.
Security Tool Associated Registry Values and Keys
- C:\Documents and Settings\All Users\Application Data\72388331
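As an added triage example (not from the original post), the following Python check applies the file and registry indicators described above to a constructed directory listing and registry snapshot. It generalizes the page's sample (folder 72388331 holding 72388331.EXE) to any 8-digit folder whose executable carries the same name; the sample paths, the second folder name 58231947 and the registry snapshot are all constructed here.

```python
import re
from typing import Dict, List

# Security Tool drops an 8-digit random folder under All Users\Application Data
# holding an .exe with the same 8-digit name (page sample: 72388331\72388331.EXE).
# \1 back-references the folder name so only a matching exe name is flagged.
PAYLOAD_RE = re.compile(
    r"^[A-Z]:\\Documents and Settings\\All Users\\Application Data\\(\d{8})\\\1\.exe$",
    re.IGNORECASE,
)
# Desktop and Start Menu shortcuts named "Security Tool.lnk" (page indicators).
SHORTCUT_RE = re.compile(r"\\Security Tool\.lnk$", re.IGNORECASE)
WALLPAPER_VALUE = r"HKEY_CURRENT_USER\Control Panel\Desktop\Wallpaper"

# Constructed directory listing: benign entries plus the page's indicators and a
# second, constructed 8-digit folder to show the pattern is not tied to 72388331.
SAMPLE_PATHS = [
    r"C:\Program Files\Mozilla Firefox\firefox.exe",
    r"C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\x",
    r"C:\Documents and Settings\All Users\Application Data\12345678\setup.exe",
    r"C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\72388331\72388331.EXE",
    r"C:\Documents and Settings\All Users\Application Data\58231947\58231947.exe",
    r"C:\DOCUMENTS AND SETTINGS\MALWAREHELP.ORG\DESKTOP\SECURITY TOOL.LNK",
]
# Constructed registry snapshot: the emptied Wallpaper value the page describes.
SAMPLE_REGISTRY = {WALLPAPER_VALUE: ""}


def find_file_indicators(paths: List[str]) -> List[str]:
    """Return paths matching the payload-folder or shortcut patterns."""
    return [p for p in paths if PAYLOAD_RE.match(p) or SHORTCUT_RE.search(p)]


def wallpaper_blanked(registry: Dict[str, str]) -> bool:
    """True when HKCU\\Control Panel\\Desktop\\Wallpaper has been emptied."""
    return registry.get(WALLPAPER_VALUE) == ""


def triage(paths: List[str], registry: Dict[str, str]) -> Dict[str, object]:
    """File hits are the primary indicator; a blank wallpaper only corroborates."""
    hits = find_file_indicators(paths)
    return {
        "file_hits": hits,
        "wallpaper_blanked": wallpaper_blanked(registry),
        "suspect": bool(hits),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_PATHS, SAMPLE_REGISTRY))
```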
Security Tool Associated Domains
This scareware was observed accessing the following domains during installation and operation:
- http://theessentialbaby com/in.php
- http://remotepaybill com/buy2.php?affid=00000
- http://www.onlinebillingsolution net/buy2.php?affid=00000
Note: Visiting the domains mentioned above may harm your computer system.
Security Tool Removal (How to remove Security Tool)
- Use an alternate browser like Firefox or Chrome to download and install either Malwarebytes' Anti-Malware or SUPERAntiSpyware from the links above.
- Boot into Windows Safe Mode.
- Scan with your chosen software. Check all instances of the rogue security software and delete them.
- Turn System Restore off and on.
You should now be clean of this rogue. You may need to reset your desktop background though.
Security Tool Scareware — Screenshots
Security Tool Scareware — Video
Note: The above installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by MalwareHelp.org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.