Skip to Content
© Pixelrobot | Dreamstime.com
Security & privacy

This PC ‘toolbox’ is hiding malware that secretly generates revenue

The launch of Windows 11 might not have been as smooth as Microsoft anticipated, but users were nonetheless excited to tinker with the new features. One of these, exclusive to the latest operating system, is the ability to run Android apps on a desktop PC.

It sounded fantastic at first, but when the functionality arrived, many felt disappointed that it went through the Amazon App Store instead of the official Google Play Store. However, it didn’t take long for a developer to release a solution.

The solution is not what it’s cracked up to be. Read on to find out how this supposedly helpful tool is actually hiding malware.

Here’s the backstory

For those not willing to use the limited apps and functions of the Amazon App Store, a Github workaround sounded like the perfect answer.

Quickly gaining in popularity, Windows Toolbox claims to let you remove pre-installed apps, tweak your system’s performance and get Windows updates. This is in addition to allowing you access to Android apps through the Google Play Store.

But according to Bleeping Computer, as soon as users started to dig around in the tool’s code, they made a startling discovery. While it did all the things it promised, the toolkit also includes rudimentary Trojan malware.

Part of the malware sent users’ locations to a central server, but the primary payload served as a way to generate revenue by redirecting users to affiliate and referral URLs.

Bleeping Computer notes when infected users navigate to WhatsApp’s browser page, “the script will redirect them to one of the following random URLs, which contain make money scams, browser notifications scams, and promotions of unwanted software.”

What you can do about it

The Windows Toolbox isn’t a typical program that you install onto your computer through traditional methods. Instead, it is a script (or executable code) that tells your operating system what to do.

As such, you can’t simply uninstall it like you usually would. So, if you have (or ever had) the malicious Windows Toolkit on your Windows PC, there are a few things you must do to delete it.

  • On your desktop, double-click This PC
  • Double-click on Local Disk (C:)
  • Navigate to the folder C:\Windows\security\

If you see any of the following files or folders, click on it once to select it, then press Shift and Del at the same time. Finally, click Yes to permanently delete them without sitting in the recycle bin.

The files to look for are:

  • C:\Windows\security\pywinvera
  • C:\Windows\security\pywinveraa
  • C:\Windows\security\winver.png

There is also a hidden c:\systemfile that you must delete. If you don’t see it at first, click on View in the top tab and tick the box Hidden Items.

Keep reading

Microsoft announces big updates coming to Windows 11

Upgrading to Windows 11 is killing these laptops – Here’s what to do

Komando Community background

Join the Komando Community

Get even more know-how in the Komando Community! Here, you can enjoy The Kim Komando Show on your schedule, read Kim's eBooks for free, ask your tech questions in the Forum — and so much more.

Try it for 30 days