Windows Active Guard

Windows Active Guard Description

ScreenshotWindows Active Guard is a malware program that belongs to the FakeVimes family of fake security software. Windows Active Guard carries out a common online scam that involves pretending to be a real security program in order to convince inexperienced computer users that they must pay for an expensive 'upgrade'. Since there are no real anti-malware capabilities on Windows Active Guard and it is, in reality, a malware infection itself, ESG malware researchers strongly recommend ignoring all of Windows Active Guard's warnings and removing this bogus security program with a reliable anti-malware application.

Windows Active Guard's Family of Rogue Security Programs

Malware in the family has been active since 2009 and have been continually updated since then. One of the reasons why malware in the FakeVimes family have been increasingly active in 2012 is because criminals have started to integrate a rootkit component into the FakeVimes attack. Using a variant of the Sirefef rootkit, criminals can make programs such as Windows Active Guard particularly difficult to remove or even detect as malware. Examples of other fake security programs in the FakeVimes family released in 2012 and previous years include Do not be fooled by their different names, they are all essentially the same malware infection.

How Windows Active Guard Tries to Steal Your Money

Windows Active Guard is designed to impersonate a legitimate security program. However, unlike a real anti-virus application, Windows Active Guard will always indicate that your computer is severely infected with malware. If you try to use Windows Active Guard to fix these supposed problems, Windows Active Guard will direct you to its website, where you will be urged to purchase an expensive 'upgrade' to fix these nonexistent problems. Windows Active Guard will also harass you with continual error messages and alarming security notifications in order to pressure you into falling for its scam.

Do not pay for this fake security application, even if this is done in order to stop its annoying error message. In fact, you can stop these with the registration code 0W000-000B0-00T00-E0020. It is important to remember that this registration code will not remove Windows Active Guard. The only way to remove this fake security program is by using a real, legitimate and proper anti-malware application that possesses anti-rootkit capabilities. In most cases, an alternative boot method is also recommended before attempting to remove this threat.

Technical Information

Screenshots & Other Imagery

Tip: Turn your sound ON and watch the video in Full Screen mode to fully experience how Windows Active Guard infects a computer.

Windows Active Guard Video

Windows Active Guard Image 1 Windows Active Guard Image 2 Windows Active Guard Image 3 Windows Active Guard Image 4 Windows Active Guard Image 5 Windows Active Guard Image 6 Windows Active Guard Image 7 Windows Active Guard Image 8 Windows Active Guard Image 9 Windows Active Guard Image 10 Windows Active Guard Image 11 Windows Active Guard Image 12

Registry Details

Windows Active Guard creates the following registry entry or registry entries:
RegistryKey
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe

More Details on Windows Active Guard

The following messages associated with Windows Active Guard were found:
Error
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.
Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.
Warning
Firewall has blocked a program from accessing the Internet
C:program filesinternet exploreriexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Leave a Reply

Please DO NOT use this comment system for support or billing questions. For SpyHunter technical support requests, please contact our technical support team directly by opening a customer support ticket via your SpyHunter. For billing issues, please refer to our "Billing Questions or Problems?" page. For general inquiries (complaints, legal, press, marketing, copyright), visit our "Inquiries and Feedback" page.