Windows Custom Safety

Threat Scorecard

Ranking: 12,074
Threat Level: 20 % (Normal)
Infected Computers: 10,238
First Seen: June 8, 2012
Last Seen: September 18, 2023
OS(es) Affected: Windows


Windows Custom Safety is a fake security program that belongs to the FakeVimes family of malware. Bogus security applications like Windows Custom Safety are known as rogue security programs. These kinds of applications are designed to trick inexperienced computer users, making them think that they are in need of an expensive, useless, bogus anti-malware program. Since Windows Custom Safety has absolutely no real anti-malware capabilities, ESG security researchers strongly advise against purchasing its 'full version' or allowing Windows Custom Safety to remain on your hard drive. Instead, you should remove Windows Custom Safety as soon as possible with the help of a real anti-malware program that is fully up to date.

Windows Custom Safety and Its Many Clones

The FakeVimes family of malware comprises dozens of fake security programs, with new iterations of this malware family being released every day. Rogue security programs in the FakeVimes family of malware date back to 2009. While the fake security programs themselves have not changed much since then, criminals have started bundling Windows Custom Safety and other FakeVimes clones with dangerous rootkits and other Trojans. This makes Windows Custom Safety more difficult to remove than malware in the FakeVimes family that was released before 2012. Clones of Windows Custom Safety also released in 2012 include programs like Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst.

How Windows Custom Safety Tries to Scam Its Victims

Rogue security programs like Windows Custom Safety are among the most common types of online scams. Basically, their goal is to scare their victims into purchasing an expensive, but useless, upgrade to their fake security program. Windows Custom Safety does this in several ways. For example, Windows Custom Safety will display a large number of fake error messages and alarming security alerts. It will also perform a fake malware scan on the victim's hard drives, claiming to find an unusually high number of malware infections present. However, if you try to use Windows Custom Safety to fix these supposed problems, Windows Custom Safety will claim that it is necessary to purchase a 'full version' of this fake security program. Since Windows Custom Safety has no actual way to remove malware from your computer system and is part of a malware attack itself, ESG security analysts strongly advise against paying for this useless fake security application.


File System Details

Windows Custom Safety may create the following file(s):
# File Name Detections
1. %AppData%\Protector-[RANDOM CHARACTERS].exe

Registry Details

Windows Custom Safety may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\"Debugger" = "svchost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\"Debugger" = "svchost.exe"
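
The Debugger values above sit under Image File Execution Options, so Windows starts svchost.exe in place of the named security tool, while the Run value starts the Protector executable at logon. As an added example (not ESG's code), this Python sketch triages a `reg export` text dump for both patterns; it goes beyond the listed names by reporting every IFEO Debugger value, and the sample dump, user name and `scan` function are constructed for illustration.

```python
import re

# Constructed sample in .reg export form (not from a real host).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe]
"Debugger"="svchost.exe"

; legitimate use: Process Explorer's "Replace Task Manager" option
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp64.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\alice\\AppData\\Roaming\\Protector-x7qa.exe"
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
'''

IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options" + "\\"
RUN_SUFFIX = r"\software\microsoft\windows\currentversion\run"
# %AppData%\Protector-[RANDOM CHARACTERS].exe, literal or expanded to ...\AppData\Roaming
PROTECTOR = re.compile(r'(?:%appdata%|\\appdata\\roaming)\\protector-[^\\"]+\.exe', re.I)
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')  # string values only

def unescape(s):
    # .reg files escape backslashes and quotes inside string data
    return re.sub(r"\\(.)", r"\1", s)

def scan(reg_text):
    """Return (kind, name, data, verdict) tuples for IFEO Debugger and Run hits."""
    findings, key = [], ""
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE.match(line)
        if not m:
            continue  # dword/hex values, comments and blank lines
        name, data = unescape(m.group(1)), unescape(m.group(2))
        low = key.lower()
        if low.startswith(IFEO) and name.lower() == "debugger":
            target = data.strip('"').split("\\")[-1].lower()
            verdict = "matches-page" if target == "svchost.exe" else "review"
            findings.append(("ifeo", key[len(IFEO):], data, verdict))
        elif low.endswith(RUN_SUFFIX) and PROTECTOR.search(data):
            findings.append(("run", name, data, "matches-page"))
    return findings
```

Files written by `reg export` are UTF-16, so open them with `encoding="utf-16"` before passing the text to `scan`.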

URLs

Windows Custom Safety may call the following URLs:

cleanupallthreats.com

Messages

The following messages associated with Windows Custom Safety were found:

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.
Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.
Warning
Firewall has blocked a program from accessing the Internet.
Windows Media Player Resources
C:\Windows\system32\dllcache\wmploc.dll
C:\Windows\system32\dllcache\wmploc.dll is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
