Windows Active Guard Description
Windows Active Guard is a malware program that belongs to the FakeVimes family of fake security software. Windows Active Guard carries out a common online scam that involves pretending to be a real security program in order to convince inexperienced computer users that they must pay for an expensive ‘upgrade’. Since there are no real anti-malware capabilities on Windows Active Guard and it is, in reality, a malware infection itself, ESG malware researchers strongly recommend ignoring all of Windows Active Guard’s warnings and removing this bogus security program with a reliable anti-malware application.
Windows Active Guard’s Family of Rogue Security Programs
FakeVimes malware has been active since 2009 and has been continually updated since then. One of the reasons why malware in the FakeVimes family has been increasingly active in 2012 is that criminals have started to integrate a rootkit component into the FakeVimes attack. Using a variant of the Sirefef rootkit, criminals can make programs such as Windows Active Guard particularly difficult to remove or even to detect as malware. Examples of other fake security programs in the FakeVimes family released in 2012 include Windows PC Aid, Windows Safety Wizard and Windows Malware Firewall. Do not be fooled by their different names; they are all essentially the same malware infection.
How Windows Active Guard Tries to Steal Your Money
Windows Active Guard is designed to impersonate a legitimate security program. However, unlike a real anti-virus application, Windows Active Guard will always indicate that your computer is severely infected with malware. If you try to use Windows Active Guard to fix these supposed problems, Windows Active Guard will direct you to its website, where you will be urged to purchase an expensive ‘upgrade’ to fix these nonexistent problems. Windows Active Guard will also harass you with continual error messages and alarming security notifications in order to pressure you into falling for its scam.
Do not pay for this fake security application, even if this is done in order to stop its annoying error messages. In fact, you can stop these with the registration code 0W000-000B0-00T00-E0020. It is important to remember that this registration code will not remove Windows Active Guard. The only way to remove this fake security program is by using a real, legitimate and proper anti-malware application that possesses anti-rootkit capabilities. In most cases, an alternative boot method is also recommended before attempting to remove this threat.
Type: Rogue AntiSpyware Programs
Windows Active Guard Technical Report
As new Windows Active Guard details are reported by our customers and findings from our Threat Research Center, we will update this section.
Fake message for Windows Active Guard:
The following fake error message(s) appears for Windows Active Guard:
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.
Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
Windows Active Guard Removal Details
Windows Active Guard typically has the following processes in memory:
- %AppData%\Protector-[RANDOM CHARACTERS].exe
Windows Active Guard creates the following registry entries:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[RANDOM CHARACTERS].exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [RANDOM CHARACTERS]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
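The registry entries above are also a ready-made detection checklist. The following PowerShell script is an added example (not part of this report or of any vendor tool) that checks a host for each class of indicator listed: the Run-key persistence pointing at a Protector-[RANDOM CHARACTERS].exe file, the weakened UAC policy values, the Image File Execution Options "Debugger" hijack that redirects security tools to svchost.exe, and the non-standard Settings key the rogue uses for its own state. It assumes it is run in an elevated PowerShell session and that the paths and value names are exactly those given on this page.

```powershell
# Added detection example for the Windows Active Guard indicators listed above.
# Assumption: run as Administrator so HKLM policy and IFEO keys are readable.
$findings = @()

# 1. Run-key persistence: a value whose data points at %AppData%\Protector-<random>.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    $run = Get-ItemProperty -Path $runKey
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Value -is [string] -and $p.Value -match 'Protector-[A-Za-z0-9]+\.exe') {
            $findings += "Run entry '$($p.Name)' -> $($p.Value)"
        }
    }
}

# 2. UAC weakened: EnableLUA = 0 disables UAC; the ConsentPromptBehavior* values
#    set to 0 remove the prompts. Flag them as weak settings, not proof on their own.
$polKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    $v = (Get-ItemProperty -Path $polKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v -eq 0) { $findings += "UAC setting $name = 0" }
}

# 3. IFEO 'Debugger' hijack: Windows launches the named Debugger instead of the
#    listed executable, so AVENGINE.EXE, AVCare.exe and AAWTray.exe never start.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match 'svchost\.exe') {
        $findings += "IFEO Debugger hijack: $($_.PSChildName) -> $dbg"
    }
}

# 4. The rogue's own state key (UID, net, ID). This 'Settings' key is not a
#    standard Windows location, so its presence with a UID value is suspicious.
$setKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings'
if (Test-Path $setKey) {
    $s = Get-ItemProperty -Path $setKey
    if ($s.PSObject.Properties.Name -contains 'UID') {
        $findings += "Rogue state key present: $setKey (UID=$($s.UID))"
    }
}

if ($findings.Count -eq 0) { 'No Windows Active Guard indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Because the IFEO check scans every subkey rather than only the three names listed, it will also surface the same hijack applied to other security products; review each hit against the Debugger value before removing it.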