Windows Active Guard

Windows Active Guard Description

Type: Adware

ScreenshotWindows Active Guard is a malware program that belongs to the FakeVimes family of fake security software. Windows Active Guard carries out a common online scam that involves pretending to be a real security program in order to convince inexperienced computer users that they must pay for an expensive 'upgrade'. Since there are no real anti-malware capabilities on Windows Active Guard and it is, in reality, a malware infection itself, ESG malware researchers strongly recommend ignoring all of Windows Active Guard's warnings and removing this bogus security program with a reliable anti-malware application.

Windows Active Guard's Family of Rogue Security Programs

Malware in the FakeVimes family has been active since 2009 and have been continually updated since then. One of the reasons why malware in the FakeVimes family have been increasingly active in 2012 is because criminals have started to integrate a rootkit component into the FakeVimes attack. Using a variant of the Sirefef rootkit, criminals can make programs such as Windows Active Guard particularly difficult to remove or even detect as malware. Examples of other fake security programs in the FakeVimes family released in 2012 and previous years include Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst. Do not be fooled by their different names, they are all essentially the same malware infection.

How Windows Active Guard Tries to Steal Your Money

Windows Active Guard is designed to impersonate a legitimate security program. However, unlike a real anti-virus application, Windows Active Guard will always indicate that your computer is severely infected with malware. If you try to use Windows Active Guard to fix these supposed problems, Windows Active Guard will direct you to its website, where you will be urged to purchase an expensive 'upgrade' to fix these nonexistent problems. Windows Active Guard will also harass you with continual error messages and alarming security notifications in order to pressure you into falling for its scam.

Do not pay for this fake security application, even if this is done in order to stop its annoying error message. In fact, you can stop these with the registration code 0W000-000B0-00T00-E0020. It is important to remember that this registration code will not remove Windows Active Guard. The only way to remove this fake security program is by using a real, legitimate and proper anti-malware application that possesses anti-rootkit capabilities. In most cases, an alternative boot method is also recommended before attempting to remove this threat.

Technical Information

Screenshots & Other Imagery

Windows Active Guard Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Windows Active Guard creates the following file(s):
# File Name Detection Count
1 %AppData%\Protector-[RANDOM CHARACTERS].exe N/A

Registry Details

Windows Active Guard creates the following registry entry or registry entries:
Registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe

More Details on Windows Active Guard

The following messages associated with Windows Active Guard were found:
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.
Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.
Firewall has blocked a program from accessing the Internet
C:program filesinternet exploreriexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Site Disclaimer is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.