Home > Threats > Security Tool

Security Tool - False Application

Posted on 30 September 2009 under Rogue Programs

1. What is Security Tool?

Security Tool is a false computer application (also known as a rogue program), designed to deceive user using various scare tactics, for this reason the program therefore is also referenced as a scareware. Security Tool can be either installed through fake Video ActiveX Codec or corrupt online computer scanner page.

As Security Tool is fake antivirus, it will not be installed as any other trusted computer application. Rogue program will drop several malicious files on the system and make untoward changes in Windows Registry. The main infection file is also included in startup list in order to launch Security Tool every time operating system boots.

After rogue program has been installed it will start computer system scan immediately, giving user suspicious list of found threats in the end. Virus entries in scan report should not be trusted as they may not even exist or indicate legal Windows system files.

Trying to run any program, executable file or Task Manager will result in the following message:
  • taskmgr.exe is infected with worm Lsas.Blaster.Keyloger. This worm is trying to send your credit card details using taskmgr.exe to connect to remote host.

1.1. To start Security Tool removal process:

  1. Go to "Windows" directory and open "System32" folder (C:\Windows\system32). If there are no desktop icons, begin with Start -> My Computer.
  2. Rename file taskmgr.exe to iexplore.exe. If file extensions are hidden, file taskmgr should be renamed as iexplore.
  3. Double-click renamed file to open Task Manager.
  4. Under Processes tab find malicious process, which name is random string of digits (in this case the process name is 2090413546.exe) and end it.
  5. Important! In each case of infection process name may be different (in this case it's "2090413546"). To assure the right process is killed:
    • download Hijackthis executable file to desktop.
    • Go to Start -> Run
    • Type in "C:" (without quotes)
    • Navigate to C:\Documents and Settings\%user profile%\Desktop
    • Rename HijackThis to iexplore or HijackThis.exe to iexplore.exe (if file extensions are enabled)
    • Double click renamed file and choose "Do a system scan only"
    • If the results indicate at least one of the following entries, you have process name that has to be killed (in red):

      O4 - HKLM\..\Run: [2090413546] C:\Documents and Settings\999\Application Data\2090413546\2090413546.exe
      O4 - HKLM\..\Run: [2090413546] C:\DOCUME~1\ALLUSE~1\APPLIC~1\2090413546\2090413546.exe

2. Security Tool screen shot:

Security Tool

3. How to remove Security Tool:

  1. Internet connection might be disabled or Internet browser might be blocked by Security Tool, so it won't be possible to download any files to infected computer. In this case please download all files required for Security Tool removal to another computer and then transfer them on the infected one using CD/DVD or USB flash drive.
  2. To remove Security Tool download Spyware Doctor and install the program (for the installation guide click here). Before installation, make sure all other programs and windows are closed.
  3. After the installation, computer scan should be started automatically. If so, please move to the next step. If not, click "Status" on the left side menu and press "Scan Now" button to run computer scanner as shown in the picture below:

  4. After the scan has been completed and scan results have been generated, press "Fix Checked" button to remove Security Tool.

  5. Restart the computer to complete Security Tool removal procedure.
This might be helpful. Security Tool warnings appeared in the taskbar area will lead user to payment page, which will open in a full screen mode. User will be offered to buy software license for 2 years or a lifetime. Do not enter any payment information like card number, expiration date or cvv2 code, because Security Tool is a scam. If you accidentally got into payment page, choose "continue unprotected" in the bottom of the screen to exit the window.

4. Security Tool files:

2090413546.exe

5. Hijackthis entries:

O2 - BHO: IETimbar - {1163E531-B58E-4BB9-B877-0906A0A22AEC} - C:\Program Files\Internet Explorer\IETimbar\IETimbar.dll
O2 - BHO: AdPopup - {11F09AFD-75AD-4E51-AB43-E09E9351CE16} - C:\Program Files\Common Files\PushWare\cpush.dll
O2 - BHO: google cache - {296AB1C7-FB22-4D17-8834-064E2BA0A6F0} - C:\WINDOWS\MICROSOFT\winsys.dll
O4 - HKLM\..\RunOnce: [CPushSetup] "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\Common Files\PushWare\cpush.dll"
O4 - HKLM\..\Run: [2090413546] C:\Documents and Settings\999\Application Data\2090413546\2090413546.exe
O4 - HKCU\..\Run: [Install] C:\Documents and Settings\999\Application Data\2090413546\2090413546.bat