Windows Safety Wizard

By Domesticus in Rogue Anti-Spyware Program

Windows Safety Wizard Description

ESG malware analysts have classified Windows Safety Wizard as a malware application that should be avoided. While Windows Safety Wizard has the appearance of an actual anti-virus program, it is actually one of the many clones of fake security software in the FakeVimes family of malware. These kinds of malware threats, known as rogue security programs, exist to pressure their victims into purchasing them.

Windows Safety Wizard and the FakeVimes Family of Malware

The FakeVimes family of malware has been around for a long time; ESG malware analysts have received reports of FakeVimes attacks dating back to 2009. Unfortunately, these malware threats are still at large, and getting more dangerous as time goes on. Windows Safety Wizard and other FakeVimes rogue security programs released in 2012 tend to include a malicious rootkit component that makes them considerably more difficult to remove than previous versions of this malware infection. Some examples of clones of Windows Safety Wizard include Windows Malware Firewall, Windows PC Aid and Windows Trojans Inspector. Despite the fact that they have different names, these are all the same rogue security program.

Windows Safety Wizard and its clones will try to convince their victims that they must purchase a fake upgrade for this useless rogue security program. To do that, Windows Safety Wizard has various components that are designed to convince you that your computer system is severely infected with various types of malware. If you try to use the supposed features in Windows Safety Wizard’s fake interface, they will only produce error messages or browser redirects claiming that these nonexistent problems can be removed solely with an ‘upgraded’ version of Windows Safety Wizard. Of course, since Windows Safety Wizard has no actual anti-virus capabilities, paying for a full version of this fake security program is definitely not recommended.

Dealing with a Windows Safety Wizard Infection

To scare you into purchasing its ‘full version’, Windows Safety Wizard will display numerous error messages, run a fake system scan and even block access to your files. You can trick Windows Safety Wizard into thinking that you have registered by entering the code 0W000-000B0-00T00-E0020. While this code will not remove Windows Safety Wizard, it will stop most of its irritating symptoms. However, removing Windows Safety Wizard with a strong, reliable anti-malware application will still be necessary.

Type: Rogue AntiSpyware Programs

Windows Safety Wizard Removal Details

Windows Safety Wizard typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
  • %AppData%\NPSWF32.dll

Windows Safety Wizard creates the following files in the system:

  • %CommonStartMenu%\Programs\Windows Safety Wizard.lnk
  • %AppData%\1st$0l3th1s.cnf
  • %AppData%\result.db
  • %Desktop%\Windows Safety Wizard.lnk

Windows Safety Wizard creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “otbpxlqhjd”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[1].exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_CURRENT_USER\Software\ASProtect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-6-4_7”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srng.exe
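
The following triage script is an added example, not part of the original ESG entry. It checks the text of a `reg export` dump and a list of file paths for a subset of the indicators listed above (the Image File Execution Options keys, the three UAC values set to 0, the “Inspector” Run value and the distinctive file names). The function names, the sample data and the assumption that the random file-name characters are alphanumeric are this example's own.

```python
import re
# Indicators taken from the lists on this page (lower-cased: registry paths are case-insensitive).
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
IFEO_NAMES = {"protector.exe", "tsadbot.exe", "install[1].exe", "npfmessenger.exe",
              "alevir.exe", "xp_antispyware.exe", "cmdagent.exe", "srng.exe"}
POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
UAC_OFF = {"consentpromptbehavioruser", "consentpromptbehavioradmin", "enablelua"}
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# Assumption: the "random characters" in the Protector file name are alphanumeric.
FILE_RE = re.compile(r"Protector-[A-Za-z0-9]{3,4}\.exe|1st\$0l3th1s\.cnf|Windows Safety Wizard\.lnk", re.I)

def parse_reg(text):
    """Parse `reg export` text into {key_path: {value_name: raw_data}}, names lower-cased."""
    keys, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and (m := re.match(r'"([^"]+)"=(.*)', line)):
            cur[m.group(1).lower()] = m.group(2)
    return keys

def find_indicators(reg_text, file_paths):
    """Return (kind, detail) tuples for every page indicator present in the inputs."""
    hits = []
    for path, values in parse_reg(reg_text).items():
        parent, _, leaf = path.rpartition("\\")
        if parent == IFEO and leaf in IFEO_NAMES:
            hits.append(("ifeo", leaf))
        elif path == POLICY:
            hits += [("uac", n) for n in sorted(values)
                     if n in UAC_OFF and values[n] == "dword:00000000"]
        elif path == RUN and "inspector" in values:
            hits.append(("run", "inspector"))
    for p in file_paths:
        if FILE_RE.fullmatch(p.rsplit("\\", 1)[-1]):
            hits.append(("file", p))
    return hits

# Constructed sample input (not captured from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[1].exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\test\\AppData\\Roaming\\Protector-ab1.exe"'''
SAMPLE_FILES = [r"C:\Users\test\AppData\Roaming\Protector-ab1.exe",
                r"C:\Users\test\AppData\Roaming\1st$0l3th1s.cnf", r"C:\Windows\System32\notepad.exe"]
```

Generic names from the lists (result.db, NPSWF32.dll) are left out of the file check because they also occur on clean systems; a hit from this script is a reason to scan the machine, not proof of infection.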

This entry was last updated on 06/4/12 and posted on 06/4/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.