Windows Guard Tools

Windows Guard Tools Description

Type: Rogue AntiSpyware Programs

ScreenshotIgnore Windows Guard Tools' name; this program does not provide tools to guard your computer against malware, because Windows Guard Tools is closely associated with various Trojans and is part of a malware attack. If you find that Windows Guard Tools is installed on your computer, this is a definite sign that your machine has become exposed to dangerous malware. ESG security analysts strongly recommend removing Windows Guard Tools immediately using a reliable anti-malware application. Failure to remove Windows Guard Tools from an infected computer can expose your PC to other malware, put your sensitive data in jeopardy, and potentially cause irreparable harm to your operating system.

Understanding Malware Like Windows Guard Tools

Malware infections like Windows Guard Tools are commonly known as rogue security programs. These kinds of malware infections carry out a scam that attempts to lure PC users that they need to purchase a useless fake security program, exposing their credit card information in the process. To carry out their scam, fake security programs like Windows Guard Tools will insist that the victim's computer is severely infected with malware. However, trying to fix these problems with the rogue security program will simply result in an error message and, often, being redirected to a website where the victim is urged to 'upgrade' their fake anti-virus program (a process that is, of course, not free.) Windows Guard Tools in particular has been associated with the Sirefef rootkit, a dangerous malware infection that can accompany Windows Guard Tools and prevent its rapid detection and removal. If your computer has become infected with the Sirefef rootkit, it may be necessary to use a specialized anti-rootkit tool before you can remove Windows Guard Tools.

Windows Guard Tools Belongs to a Large Family of Malware

Windows Guard Tools is part of the FakeVimes family of rogue security software, a large family of malware that has been active since 2009. However, even though most security programs can remove malware in the FakeVimes family, Windows Guard Tools' associated rootkit component can make the removal process more difficult than normal. Other examples of malware in the FakeVimes family that include a rootkit component include programs like Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst.

The registration number 0W000-000B0-00T00-E0020 has been observed to be effective in stopping Windows Guard Tools' irritating symptoms. However, this registration will merely stop Windows Guard Tools from displaying symptoms; it will still be necessary to remove this fake security program from your computer.

Technical Information

Screenshots & Other Imagery

SpyHunter Detects & Remove Windows Guard Tools

Windows Guard Tools Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Windows Guard Tools creates the following file(s):
# File Name MD5 Detection Count
1 Protector-hdux.exe 7d4eb4b40260e045dbb6340b60911284 2
2 Protector-scxq.exe ced4214641a3e7220f6e6a4fca6eea63 2
3 %CommonAppData%\58ef5\SP98c.exe N/A
4 %AppData%\Windows Guard Tools\ScanDisk_.exe N/A
5 %CommonAppData%\58ef5\SPT.ico N/A
6 Programs%\Windows Guard Tools.lnk N/A
7 %AppData%\Windows Guard Tools\Instructions.ini N/A
8 %Desktop%\Windows Guard Tools.lnk N/A
9 %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Guard Tools.lnk N/A
10 %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg N/A
11 %StartMenu%\Windows Guard Tools.lnk N/A

Registry Details

Windows Guard Tools creates the following registry entry or registry entries:
Registry key
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\UninstallString “[unknown dir]\[unknown file name].exe” /del
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\DisplayVersion 1.1.0.1010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ [unknown file name].DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask -65536
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid\ {3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\Publisher UIS Inc.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\DisplayName Activate Ultimate Protection
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ Implements DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask -65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\InstallLocation [unknown dir]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\DisplayIcon [unknown dir]\[unknown file name].exe,0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Activate Ultimate Protection “%CommonAppData%\58ef5\SP98c.exe” /s /d
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ [unknown dir]\[unknown file name].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\ Implements DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger svchost.exe

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.