Threat Scorecard

Threat Level: 100% (High)
Infected Computers: 11
First Seen: May 24, 2012
OS(es) Affected: Windows

Despite its name, Windows Safety Maintenance will not maintain your computer's safety. It is a malware infection thinly disguised as a legitimate security application, so it should be identified as a threat and removed from an infected system as soon as possible. Its presence usually indicates a more severe infection on that machine. ESG malware researchers strongly recommend removing Windows Safety Maintenance with a trustworthy, frequently updated anti-malware program. Leaving it in place can result in sensitive data being leaked or the operating system being damaged beyond repair.

Windows Safety Maintenance belongs to a kind of malware known as a rogue security program. Fake security applications like Windows Safety Maintenance use a variety of tactics to convince their victims that the computer is severely infected with many nonexistent viruses and Trojans, so that the victim will pay for a useless 'full version' of the fake program to fix these manufactured threats. Windows Safety Maintenance does not limit itself to annoying error messages and fake system scans: it also changes system settings, redirects the browser and causes the infected computer to crash frequently. Worst of all, Windows Safety Maintenance is usually accompanied by a dangerous rootkit infection known as ZeroAccess. That rootkit component can make removal problematic, since it hides files and registry keys from ordinary user-mode tools, and it often requires a specialized anti-rootkit application.

Windows Safety Maintenance and the FakeVimes Family of Malware

Windows Safety Maintenance belongs to a very large family of bogus security applications commonly known as FakeVimes. Rogue security programs in the FakeVimes family have been infecting computers since 2009, so most anti-malware programs can deal with them easily, provided that the rootkit infection that accompanies them can be removed first. Examples of FakeVimes rogue security applications include Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite and Windows Work Catalyst.

'Registering' Windows Safety Maintenance will not remove it, but entering the registration number 0W000-000B0-00T00-E0020 stops many of its error messages and other irritating symptoms, which makes the machine usable while the actual clean-up is carried out. Removing Windows Safety Maintenance is still necessary to keep the computer safe.


File System Details

Windows Safety Maintenance may create the following file(s). An MD5 and a detection count are listed where a sample is known; the other entries are path patterns, where {RANDOM n CHARACTERS} stands for a name generated on each infected machine:

#    File name                                                                 MD5                               Detections
1.   Protector-trei.exe                                                        0c23465333b236c6bba316fac9513290  9
2.   Protector-ysgk.exe                                                        cb2a1efb9a03dd129169e6ecef5b8e7d  1
3.   Protector-ttqo.exe                                                        796aa00839dbaf2184accbc24aefbba2  1
4.   %AppData%\Protector-{RANDOM 4 CHARACTERS}.exe
5.   %AppData%\Protector-{RANDOM 3 CHARACTERS}.exe
6.   %CommonAppData%\58ef5\SP98c.exe
7.   %AppData%\NPSWF32.dll
8.   %AppData%\Windows Safety Maintenance\ScanDisk_.exe
9.   %Desktop%\Windows Safety Maintenance.lnk
10.  %AppData%\Windows Safety Maintenance\Instructions.ini
11.  %StartMenu%\Windows Safety Maintenance.lnk
12.  %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Safety Maintenance.lnk
13.  %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
14.  %AppData%\result.db
15.  %Programs%\Windows Safety Maintenance.lnk
16.  %CommonAppData%\58ef5\SPT.ico
17.  file.exe                                                                  868c130259a35bf95f80c642de40cc45  0

Registry Details

Windows Safety Maintenance may create or modify the following registry entries. They are grouped here by what each one does, since every group is a separate indicator and any one of them on its own is a reason to investigate:

Persistence (the rogue's main executable is launched at every logon):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[rnd].exe

Configuration values written by the rogue itself:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID = 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID = [RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net = [date of installation]

User Account Control disabled. EnableLUA = 0 turns UAC off entirely after the next reboot; ConsentPromptBehaviorAdmin = 0 lets administrators elevate without any prompt and ConsentPromptBehaviorUser = 0 silently denies elevation to standard users, so the victim never sees a prompt that might reveal the rogue's activity:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser = 0

Internet Explorer warning suppressed (no warning when a page redirects from HTTPS to plain HTTP):
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect = 0

Security software hijacked through Image File Execution Options. When a 'Debugger' value exists under an executable's name, Windows starts that 'debugger' instead of the program, so every launch of these anti-virus components is replaced by an instance of svchost.exe and the real program never runs:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger = svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger = svchost.exe
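The following PowerShell script is an added triage aid for the file and registry indicators in the two lists above; it is not code from the original page or from ESG. It assumes Windows Vista or later with PowerShell 4.0 or newer (Get-FileHash), an elevated prompt so that HKLM can be read, and that %CommonAppData% corresponds to $env:ProgramData. The regular expression used to match the randomly named Protector-*.exe dropper is an assumption based on the patterns listed, not something the page states.

```powershell
# Added triage script (not part of the original page). Checks one Windows host for the
# persistence, UAC, Internet Explorer and IFEO indicators listed above, then for the
# rogue's files, hashing any executable it finds against the MD5s from the file table.
# Assumptions: elevated prompt, PowerShell 4.0+ for Get-FileHash, %CommonAppData% = $env:ProgramData.

$findings = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence: value 'Inspector' pointing at %AppData%\Protector-<random>.exe
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$inspector = (Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue).Inspector
# The 3-4 character suffix pattern is an assumption drawn from the file names listed above.
if ($inspector -and $inspector -match 'Protector-[A-Za-z0-9]{3,4}\.exe') {
    $findings.Add("Run key persistence: $runKey\Inspector = $inspector")
}

# 2. UAC weakened: EnableLUA, ConsentPromptBehaviorAdmin or ConsentPromptBehaviorUser set to 0
$uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$uac = Get-ItemProperty -Path $uacKey -ErrorAction SilentlyContinue
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    if ($uac.$name -eq 0) { $findings.Add("UAC setting $name is 0 under $uacKey") }
}

# 3. IFEO hijack: a 'Debugger' value under an anti-virus executable's name makes Windows
#    start the 'debugger' (here svchost.exe) instead of the program, so the AV never runs.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'AAWTray.exe', 'AVCare.exe', 'AVENGINE.EXE') {
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $exe) -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings.Add("IFEO hijack: $exe -> Debugger = $dbg") }
}

# 4. Internet Explorer HTTPS-to-HTTP redirect warning suppressed
$ieKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$ie = Get-ItemProperty -Path $ieKey -ErrorAction SilentlyContinue
if ($ie.WarnOnHTTPSToHTTPRedirect -eq 0) { $findings.Add("WarnOnHTTPSToHTTPRedirect is 0 under $ieKey") }

# 5. Files: fixed paths from the table plus any randomly named Protector-*.exe in %AppData%
$knownMd5 = @{
    '0c23465333b236c6bba316fac9513290' = 'Protector-trei.exe'
    'cb2a1efb9a03dd129169e6ecef5b8e7d' = 'Protector-ysgk.exe'
    '796aa00839dbaf2184accbc24aefbba2' = 'Protector-ttqo.exe'
    '868c130259a35bf95f80c642de40cc45' = 'file.exe'
}
$paths = @(
    (Join-Path $env:APPDATA 'Windows Safety Maintenance\ScanDisk_.exe'),
    (Join-Path $env:APPDATA 'Windows Safety Maintenance\Instructions.ini'),
    (Join-Path $env:APPDATA 'NPSWF32.dll'),
    (Join-Path $env:APPDATA 'result.db'),
    (Join-Path $env:ProgramData '58ef5\SP98c.exe'),
    (Join-Path $env:ProgramData '58ef5\SPT.ico'),
    (Join-Path $env:ProgramData 'SPUPCZPDET\SPABOIJT.cfg')
)
$paths += @(Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -File -ErrorAction SilentlyContinue |
            ForEach-Object { $_.FullName })

foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $line = "File present: $p"
        if ($p -like '*.exe') {
            $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash.ToLower()
            if ($knownMd5.ContainsKey($md5)) {
                $line += " (MD5 $md5 matches known sample $($knownMd5[$md5]))"
            } else {
                $line += " (MD5 $md5 is not in the list above: a newer build or a repacked copy)"
            }
        }
        $findings.Add($line)
    }
}

if ($findings.Count -eq 0) {
    'No Windows Safety Maintenance indicators found by user-mode checks.'
} else {
    'Windows Safety Maintenance indicators found:'
    $findings | ForEach-Object { " - $_" }
}
```

A clean result from this script is not proof of a clean machine: the ZeroAccess rootkit that typically ships with this rogue can hide its files and registry keys from user-mode tools such as Get-ChildItem and Get-ItemProperty, which is exactly why the page recommends an anti-rootkit scan before ordinary removal. Conversely, the IFEO Debugger entries and UAC values are worth checking on any host where security software has silently stopped starting, since those techniques are shared by many rogues beyond this one.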

1 Comment

Windows Safety Maintenance is another nefarious antivirus program fabricated by IT frauds, the developers of the FakeVimes rogue clan. The purpose of this badware is to rob some funds from gullible, non-advanced Internet users. Just like its forerunners, this badware declares that multiple insecure items have been spotted on your computer and recommends that you buy the registered version of the program as a superb solution for virus detection and removal.


