
Windows Tweaking Utility

Posted: May 15, 2011

Windows Tweaking Utility is a rogue security program that offers fake system optimization and protection features in exchange for your money. While on your PC, Windows Tweaking Utility reinforces the impression that you need it by blocking the use of various applications, creating inaccurate threat alerts and hijacking your web browser. Windows Tweaking Utility is also likely to be accompanied by a Trojan, and for this reason it's suggested you avoid trying to remove Windows Tweaking Utility without the help of a well-designed anti-malware application.

The Trojan That Carries Windows Tweaking Utility to Your Doorstep

As of mid-2011, Windows Tweaking Utility is a recent update of pre-existing rogue programs like Windows Power Expansion, Windows Work Catalyst, Windows Utility Tool and Windows Optimal Solution. These rogue programs, including Windows Tweaking Utility, are installed onto PCs by the Fake Microsoft Security Essentials Alert Trojan.

The initial fake warning message from the Fake Microsoft Security Essentials Alert Trojan may resemble the following example:

Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your computer. Your access to these items may be suspended until you take action. Click 'Show Details' to learn more.

The Trojan follows this up by showing a fake Trojan detection before it installs Windows Tweaking Utility or another rogue program from the same family.

Installation of Windows Tweaking Utility is usually followed up with an immediate reboot. Windows Tweaking Utility and similar rogue programs will create Windows Registry entries that allow the threats to run automatically whenever Windows starts, and the reboot places Windows Tweaking Utility in a good position to offer up alarming fake system scans and other inaccurate warnings.

What Windows Tweaking Utility Really Tweaks on Your PC

Windows Tweaking Utility will create many different and entirely false warnings and pop-up alerts on your PC, including:

System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.

Warning! Running trial version!
The security of your computer has been compromised!
Now running trial version of the software!
Click here to purchase the full version of the software and get full protection for your PC!

System component corrupted!
System reboot error has occurred due to lsass.exe system process failure.
This may be caused by severe malware infections.
Automatic restore of lsass.exe backup copy completed.
The correct system performance can not be resumed without eliminating the cause of lsass.exe corruption.

Warning! Database update failed!
Database update failed!
Outdated viruses databases are not effective and can`t [sic] guarantee adequate protection and security for your PC!
Click here to get the full version of the product and update the database!

Warning!
Name: [application file name]
Name: [application file path]
Application that seems to be a key-logger is detected. System information security is at risk. It is recommended to enable the security mode and run total System scanning.

Additionally, your computer will be threatened by the following attacks as long as Windows Tweaking Utility remains active:

  • Barricaded applications. Windows Tweaking Utility may declare common Windows utilities like Notepad to be infected and refuse to let you open them. You'll also find it difficult to launch various anti-malware applications and may find your firewall disabled or crippled.
  • Browser hijacking. Windows Tweaking Utility may also hijack your web browser by manipulating its proxy-server settings. This allows Windows Tweaking Utility to reset your homepage to a malicious one and redirect you to hostile websites with ease, even if you click a link to an entirely different website. You should also watch for fake warning screens that prevent you from accessing certain websites.

Removing Trojans like the Fake Microsoft Security Essentials Alert is difficult, and all the more so when Windows Tweaking Utility is blocking off your every action. Consider using Safe Mode in conjunction with advanced anti-malware scanners to remove Windows Tweaking Utility and related threats from your PC.


File System Modifications

  • The following file was created in the system:
    1. %UserProfile%\Application Data\Microsoft\[RANDOM CHARACTERS].exe

Registry Modifications

  • The following Registry values are newly produced:
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\Microsoft\{RANDOM CHARACTERS}.exe"
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
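The Registry values above explain both the persistence (the Winlogon "Shell" value) and the blocked security tools (an Image File Execution Options "Debugger" value makes Windows launch svchost.exe instead of the named program). The following read-only triage script is an added example, not code from the original page; it assumes it is run on the affected machine (ideally from Safe Mode) and only reports the artifacts, without changing anything.

```powershell
# Added triage script: lists the registry and file artifacts documented for this family.
# Read-only; it reports findings and leaves remediation to the anti-malware tool.

# Security-tool executables whose IFEO keys the rogue is documented to hijack (from the page).
$watched = @('afwserv.exe','avastsvc.exe','avastui.exe','egui.exe','ekrn.exe',
             'msascui.exe','msmpeng.exe','msseces.exe')
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# 1. IFEO hijack: a "Debugger" value under <exe> makes Windows start that debugger instead of <exe>.
foreach ($exe in $watched) {
    $key = "$ifeo\$exe"
    if (Test-Path $key) {
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { Write-Output "IFEO hijack: $exe -> Debugger = '$dbg'" }
    }
}

# 2. Per-user Winlogon Shell override: the rogue starts at logon instead of explorer.exe.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^(?i)explorer\.exe$') {
    Write-Output "Winlogon Shell (HKCU) set to: $shell"
}

# 3. System Restore disabled, removing an easy rollback path.
$srKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr = (Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
if ($sr -eq 1) { Write-Output 'System Restore disabled (DisableSR = 1)' }

# 4. HTTPS-to-HTTP redirect warning silenced in both hives (eases the browser hijack).
foreach ($hive in 'HKCU','HKLM') {
    $inet = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
    $warn = (Get-ItemProperty -Path $inet -Name WarnOnHTTPSToHTTPRedirect -ErrorAction SilentlyContinue).WarnOnHTTPSToHTTPRedirect
    if ($warn -eq 0) { Write-Output "$hive WarnOnHTTPSToHTTPRedirect = 0" }
}

# 5. Randomly named executable dropped directly under %AppData%\Microsoft (top level only).
$drop = Join-Path $env:APPDATA 'Microsoft'
Get-ChildItem -Path $drop -Filter '*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Output "Dropped binary candidate: $($_.FullName)" }
```

Any hit on steps 1 or 2 is a strong indicator, since a clean system has no Debugger value for these tools and no per-user Shell override; confirm with the anti-malware scanner before removing anything.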

Additional Information on Windows Tweaking Utility

  • The following messages were detected:
    1. Threat prevention solution found
       Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
       Risk of system files infection:
       The detected vulnerability may result in unauthorized access to private information and hard drive data with a serious possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press 'OK' to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.
    2. Microsoft Security Essentials Alert
       Potential Threat Details
       Microsoft Security Essentials detected potential threats that might compromise your private or damage your computer. Your access to these items may be suspended until you take an action. Click 'show details' to learn more.
    3. System Security Warning
       Attempt to modify register key entries is detected. Register entries analysis is recommended.

       Warning!
       Location: c:\windows\system32\taskmgr.exe
       Viruses: Backdoor.Win32.Rbot
    4. Attention
       Suspicious software activity is detected.
       Please start system files scanning for details.
    5. Warning!
       Name: taskmgr.exe
       Name: C:\WINDOWS\taskmgr.exe.