Windows Interactive Safety

By Domesticus in Rogue Anti-Spyware Program

Windows Interactive Safety Description


Although Windows Interactive Safety looks like an anti-virus program, it is not a real security application. ESG security researchers classify Windows Interactive Safety as malware, specifically a rogue security application. Threats of this kind are fake security applications that are part of a common online scam. Windows Interactive Safety is one of the dozens of fake security applications that belong to the FakeVimes family of malware.

This family of bogus anti-virus software has been active since 2009, and most security applications can remove these threats with few problems. However, in 2012 ESG malware analysts observed that criminals had started to include a rootkit component in these attacks. This rootkit, one of the many dangerous threats from the Sirefef family of rootkits, gave new life to the FakeVimes family of malware, making its fake security software considerably more difficult to detect and remove than previous versions. If you find that Windows Interactive Safety is installed on your computer, you should remove this threat with a reliable anti-malware program and an anti-rootkit utility.

There are many clones of Windows Interactive Safety, programs that are identical except for the name. Some of these include programs with names like Windows Expert Series, Windows Virus Hunter and Windows Web Commander. To carry out their scam, these programs pretend to be legitimate anti-virus applications. However, unlike a real anti-virus, they will always report that your computer is infected with malware, regardless of the actual state of the computer. They then try to make it appear that you need to buy an expensive upgrade to a 'full version' if you wish to remove these fake viruses from your computer. Programs like Windows Interactive Safety are designed to harass their victims with constant, alarming error messages and browser redirects, making them an annoyance and a serious hindrance when trying to operate the infected machine.

Despite all of Windows Interactive Safety’s alarming notifications, it is important to remember that Windows Interactive Safety has no real anti-malware capabilities. You can stop many of this malicious program’s fake error messages with the registration number 0W000-000B0-00T00-E0020. Although ‘registering’ Windows Interactive Safety will stop most of its symptoms, Windows Interactive Safety will remain on the infected computer, making it more vulnerable to further malware threats. Because of this, full removal of Windows Interactive Safety should still be a priority.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Interactive Safety?

Windows Interactive Safety Technical Report

As new Windows Interactive Safety details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following fake error messages appear for Windows Interactive Safety:

Error
Attempt to modify registry key entries detected.
Registry entry analysis is recommended.

Warning
Firewall has blocked a program from accessing
the Internet
Windows XP USER API Clien: DLL
User32.dll
User32.dll is suspended to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
Recommended:
Please click “Prevent attack” button to prevent all attacks and protect your PC.


Windows Interactive Safety Removal Details

Windows Interactive Safety typically runs the following process in memory:

  • %AppData%\Protector-[rnd].exe

Windows Interactive Safety creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "rudbxijemb"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-2-17_2"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "ID" = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe
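The following read-only PowerShell check is an added example, not ESG's or SpyHunter's code. It looks for the process and registry indicators listed above on the local host; the Image File Execution Options subkeys are of particular interest because a "Debugger" value under one of those executable names silently redirects that program to another binary, which is how a rogue keeps real security tools from starting. Run it in an elevated session; it changes nothing.

```powershell
# Added example (not from ESG): report Windows Interactive Safety indicators. Read-only.
$findings = @()

# 1. Dropped payload: %AppData%\Protector-[rnd].exe
Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Payload file: $($_.FullName)" }

# 2. Persistence (Run\Inspector) and the marker values under CurrentVersion\Settings
$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$run = Get-ItemProperty -Path "$hkcu\Run" -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Inspector']) {
    $findings += "Run value 'Inspector' -> $($run.Inspector)"
}
$settings = Get-ItemProperty -Path "$hkcu\Settings" -ErrorAction SilentlyContinue
foreach ($name in 'UID', 'net', 'ID') {
    if ($settings -and $settings.PSObject.Properties[$name]) {
        $findings += "Settings value '$name' = $($settings.$name)"
    }
}

# 3. IFEO subkeys for the security-tool names on the page. A 'Debugger' value here
#    means the named program is hijacked every time it is launched.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$targets = 'ashDisp.exe', 'platin.exe', '_avpcc.exe', 'mostat.exe',
           'zapsetup3001.exe', '_avp32.exe', 'divx.exe', 'tapinstall.exe'
foreach ($exe in $targets) {
    $key = Get-ItemProperty -Path "$ifeo\$exe" -ErrorAction SilentlyContinue
    if ($key) {
        $dbg = if ($key.PSObject.Properties['Debugger']) { $key.Debugger } else { '<no Debugger value>' }
        $findings += "IFEO entry: $exe -> $dbg"
    }
}

# 4. Policy and Internet Settings values the page lists; report whatever is set
$policies = Get-ItemProperty -Path "$hkcu\Policies\System" -ErrorAction SilentlyContinue
foreach ($name in 'DisableRegedit', 'DisableRegistryTools', 'DisableTaskMgr') {
    if ($policies -and $policies.PSObject.Properties[$name]) {
        $findings += "Policy '$name' = $($policies.$name)"
    }
}
$inet = Get-ItemProperty -Path "$hkcu\Internet Settings" -ErrorAction SilentlyContinue
if ($inet -and $inet.PSObject.Properties['WarnOnHTTPSToHTTPRedirect']) {
    $findings += "WarnOnHTTPSToHTTPRedirect = $($inet.WarnOnHTTPSToHTTPRedirect)"
}

if ($findings.Count -eq 0) { 'No Windows Interactive Safety indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any IFEO hit against one of these names deserves a look even when its Debugger value is absent, since a legitimate system rarely has IFEO subkeys for third-party security executables at all.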


This entry was last updated on 08/17/12 and posted on 08/6/12.
