Windows Custom Safety

By ESGI Advisor in Rogue Anti-Spyware Program | 303 views

Windows Custom Safety Description


Windows Custom Safety is a fake security program that belongs to the FakeVimes family of malware. Bogus security applications like Windows Custom Safety are known as rogue security programs. These kinds of applications are designed to trick inexperienced computer users, making them think that they are in need of an expensive, useless, bogus anti-malware program. Since Windows Custom Safety has absolutely no real anti-malware capabilities, ESG security researchers strongly advise against purchasing its ‘full version’ or allowing Windows Custom Safety to remain on your hard drive. Instead, you should remove Windows Custom Safety as soon as possible with the help of a real anti-malware program that is fully up to date.

Windows Custom Safety and Its Many Clones

The FakeVimes family of malware comprises dozens of fake security programs, with new iterations of this malware family being released every day. Rogue security programs in the FakeVimes family date back to 2009. While the fake security programs themselves have not changed much since then, criminals have started bundling Windows Custom Safety and other FakeVimes clones with dangerous rootkits and other Trojans. This makes Windows Custom Safety more difficult to remove than malware in the FakeVimes family that was released before 2012. Clones of Windows Custom Safety that were also released in 2012 include programs like Windows Safety Wizard, Windows Malware Firewall and Windows PC Aid.

How Windows Custom Safety Tries to Scam Its Victims

Rogue security programs like Windows Custom Safety are among the most common types of online scams. Basically, their goal is to scare their victims into purchasing an expensive, but useless, upgrade to their fake security program. Windows Custom Safety has several ways of doing this. For example, Windows Custom Safety will display a large number of fake error messages and alarming security alerts. It will also perform a fake malware scan on the victim’s hard drives, claiming to find an unusually high number of malware infections present. However, if you try to use Windows Custom Safety to fix these supposed problems, Windows Custom Safety will claim that it is necessary to purchase a ‘full version’ of this fake security program. Since Windows Custom Safety has no actual way to remove malware from your computer system and is part of a malware attack itself, ESG security analysts strongly advise against paying for this useless fake security application.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Custom Safety?

Windows Custom Safety Technical Report

As new Windows Custom Safety details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following fake error messages appear for Windows Custom Safety:

Warning
Firewall has blocked a program from accessing the Internet.
Windows Media Player Resources
C:\Windows\system32\dllcache\wmploc.dll
C:\Windows\system32\dllcache\wmploc.dll is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.


Windows Custom Safety Removal Details

Windows Custom Safety typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM CHARACTERS].exe

Windows Custom Safety creates the following registry entries:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\"Debugger" = "svchost.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\"Debugger" = "svchost.exe"
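
A Debugger value under Image File Execution Options makes Windows start the named program in place of the listed executable, which is how the entries above keep security tools from launching. The following added example (not ESG's code) scans a registry export in `.reg` text format for the two patterns listed: a Debugger of svchost.exe and a Run value pointing at Protector-*.exe under AppData. The names `parse_reg`, `find_indicators` and `SAMPLE` are hypothetical, the sample export is constructed, and only plain string (REG_SZ) values are decoded.

```python
import re

IFEO = "\\image file execution options\\"
RUN = "\\software\\microsoft\\windows\\currentversion\\run"
# Page pattern %AppData%\Protector-[RANDOM CHARACTERS].exe, literal or expanded
PROTECTOR = re.compile(
    r"(?:%appdata%|\\appdata\\roaming|\\application data)\\protector-[^\\]+\.exe$", re.I)
STRING_VALUE = re.compile(r'"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def parse_reg(text):
    """Yield (key, value name, data) for each REG_SZ value in a .reg export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := STRING_VALUE.match(line)):
            # .reg exports escape backslashes and quotes inside strings
            yield (key, *(re.sub(r"\\(.)", r"\1", g) for g in m.groups()))

def find_indicators(text):
    """Return (kind, name, data) tuples matching the entries listed on this page."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if IFEO in k and name.lower() == "debugger":
            # Flag only the value the page lists; other debuggers can be legitimate
            if data.lower().endswith("svchost.exe"):
                hits.append(("ifeo-hijack", key.rsplit("\\", 1)[1], data))
        elif k.endswith(RUN) and PROTECTOR.search(data):
            hits.append(("run-persistence", name, data))
    return hits

# Constructed sample export (not captured from a real infection)
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\myapp.exe]
"Debugger"="C:\\Tools\\windbg.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\alice\\AppData\\Roaming\\Protector-abcd.exe"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE):
        print(*hit, sep=" | ")
```
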

This entry was last updated on 06/8/12 and posted on 06/8/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.