Windows Abnormality Checker

Windows Abnormality Checker Description

Type: Rogue AntiSpyware Programs

ScreenshotWindows Abnormality Checker is one of the many bogus security programs belonging to this extensive group of malware. While this malware family has been around since 2009, ESG security researchers have grown concerned about malware in this family released in 2012. It seems that the most recent versions of malware in the FakeVimes group of bogus security software includes a harmful rootkit infection that can be quite difficult to remove. This rootkit has been identified as a variant of the ZeroAccess, or Sirefef rootkit. This makes Windows Abnormality Checker and its clones considerably more difficult to remove than previous iterations of the FakeVimes family of malware.

Known clones of Windows Abnormality Checker include such fake security programs as Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst.

How Criminals Use Windows Abnormality Checker to Scam Their Victims

The Windows Abnormality Checker scam is not complicated; basically, criminals will try to trick their victims into thinking that they need to purchase a fake security program. To do this, Windows Abnormality Checker, disguised as a legitimate anti-spyware program, will alert the victim with increasingly alarming error messages that their computer system is severely infected with malware. Then, when the victim tries to use Windows Abnormality Checker to fix these supposed malware problems, this fake security program will claim that an 'upgrade' to a supposed full version of Windows Abnormality Checker is needed. Of course, this upgrade is not free. Not only that, paying for Windows Abnormality Checker will also put your credit card information and personal data in the hands of scammers, putting you at risk for identity theft or credit card fraud.

Removing Windows Abnormality Checker from Your Computer System

Because most FakeVimes malware programs can be removed easily with a reliable anti-malware program, the main difficulty in dealing with Windows Abnormality Checker is removing its associated rootkit component. To achieve this, it may be compulsory to use a strong anti-malware program with anti-rootkit components or to use an independent anti-rootkit utility. Entering the code 0W000-000B0-00T00-E0020 when asked for a serial number can stop many of Windows Abnormality Checker's error messages. However, this will not remove Windows Abnormality Checker from the infected computer system. ESG malware analysts recommend removing Windows Abnormality Checker completely due to the possibility of further intrusions into your computer system and to ensure that your personal information is safe.

Technical Information

Screenshots & Other Imagery

SpyHunter Detects & Remove Windows Abnormality Checker

Windows Abnormality Checker Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Windows Abnormality Checker creates the following file(s):
# File Name MD5 Detection Count
1 Protector-tisf.exe 487420328bdcd34e4224cc4f3ae1a328 39
2 Protector-npvl.exe a708766a8e4d4161541d22fbb0bdf05f 2
3 %AppData%\NPSWF32.dll N/A
4 %AppData%\Protector-[RANDOM CHARACTERS].exe N/A
5 %AppData%\result.db N/A

Registry Details

Windows Abnormality Checker creates the following registry entry or registry entries:
Registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.