Wednesday, June 20, 2012

Remove Windows Proactive Safety virus without lingering

1. Description

Windows Proactive Safety is a phony anti-virus program that does its best to sell its non-existent commercial version by misleading gullible Internet users.


2. Malicious things done on the infected machine

It slips onto the targeted PC unnoticed, without waiting for your approval or consent. Windows Proactive Safety configures the system so that it starts after every Windows reboot. Once you restart your computer, the pest interrupts your work with annoying pop-ups and fake system checkups. When these bogus scans finish, deceitful scan results are generated. The scan reports are not to be trusted. The potential victim is misinformed that the PC needs immediate aid to prevent a crash. If you attempt to delete the allegedly detected insecure items by means of the “almighty remedy”, you will be rerouted to the web page where the commercial version of Windows Proactive Safety is offered.

3. Files

In the process of the installation, Windows Proactive Safety copies the following files to the hard disk.

  • %AppData%\NPSWF32.dll
  • %AppData%\Protector-[rnd].exe
  • %AppData%\result.db

4. System registry

Windows Proactive Safety creates the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
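
A read-only check for the file and registry entries listed above, added here as an example and not part of the original post. The helper names `Get-RegValue` and `Add-Finding` are hypothetical, and the Image File Execution Options check goes beyond the three listed executables by reporting every `Debugger` value under that key for review.

```powershell
# Read-only triage: reports matches, changes nothing on the system.
$findings = New-Object System.Collections.Generic.List[object]

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns nothing when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}
function Add-Finding([string]$Where, [string]$What) {
    $findings.Add([pscustomobject]@{ Location = $Where; Detail = $What })
}

$cv = 'Software\Microsoft\Windows\CurrentVersion'

# Autostart entry named "Inspector" under the per-user Run key.
$inspector = Get-RegValue "HKCU:\$cv\Run" 'Inspector'
if ($inspector) { Add-Finding "HKCU:\$cv\Run" "Inspector = $inspector" }

# Marker values under the Settings key (ID, UID, net).
foreach ($name in 'ID', 'UID', 'net') {
    $v = Get-RegValue "HKCU:\$cv\Settings" $name
    if ($null -ne $v) { Add-Finding "HKCU:\$cv\Settings" "$name = $v" }
}

# Security prompts set to 0, as in the list above.
$zeroChecks = @(
    @{ Path = "HKCU:\$cv\Internet Settings"; Name = 'WarnOnHTTPSToHTTPRedirect' },
    @{ Path = "HKLM:\$cv\policies\system";   Name = 'ConsentPromptBehaviorAdmin' },
    @{ Path = "HKLM:\$cv\policies\system";   Name = 'ConsentPromptBehaviorUser' },
    @{ Path = "HKLM:\$cv\policies\system";   Name = 'EnableLUA' }
)
foreach ($c in $zeroChecks) {
    $v = Get-RegValue $c.Path $c.Name
    if ($null -ne $v -and $v -eq 0) { Add-Finding $c.Path "$($c.Name) = 0" }
}

# Any Debugger value under Image File Execution Options redirects that program's launch.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = Get-RegValue $_.PSPath 'Debugger'
    if ($dbg) { Add-Finding "$ifeo\$($_.PSChildName)" "Debugger = $dbg" }
}

# Files dropped directly in %AppData%.
foreach ($pattern in 'Protector-*.exe', 'NPSWF32.dll', 'result.db') {
    Get-ChildItem -Path $env:APPDATA -Filter $pattern -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Add-Finding $_.FullName 'file name listed above' }
}

$findings | Format-Table -AutoSize -Wrap
```

Some of these values can be set legitimately (for example by administrators or debugging tools), so treat each row as something to review rather than proof of infection.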
