Windows Safety Wizard

Threat Scorecard

Ranking: 16,395
Threat Level: 20 % (Normal)
Infected Computers: 135
First Seen: June 4, 2012
Last Seen: July 30, 2023
OS(es) Affected: Windows


ESG malware analysts have classified Windows Safety Wizard as a malware application that should be avoided. While Windows Safety Wizard has the appearance of an actual anti-virus program, it is actually one of the many clones of fake security software in the FakeVimes family of malware. Malware threats of this kind, known as rogue security programs, pressure their victims into purchasing them.

Windows Safety Wizard and the FakeVimes Family of Malware

The FakeVimes family of malware has been around for a long time; ESG malware analysts have received reports of FakeVimes attacks dating back to 2009. Unfortunately, these malware threats are still at large, and getting more dangerous as time goes on. Windows Safety Wizard and other FakeVimes rogue security programs released in 2012 tend to include a malicious rootkit component that makes them considerably more difficult to remove than previous versions of this malware infection. Some examples of clones of Windows Safety Wizard include Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst. Despite the fact that they have different names, these are all the same rogue security program.

Windows Safety Wizard and its clones will try to convince their victims that they must purchase a fake upgrade for this useless rogue security program. To do that, Windows Safety Wizard has various components that are designed to convince you that your computer system is severely infected with various types of malware. However, if you try to use the supposed features in Windows Safety Wizard's fake interface, they will result in error messages or browser redirects claiming that these nonexistent problems can only be removed with an 'upgraded' version of Windows Safety Wizard. Of course, since Windows Safety Wizard has no actual anti-virus capabilities, paying for a full version of this fake security program is definitely not recommended.

Dealing with a Windows Safety Wizard Infection

To scare you into purchasing its 'full version', Windows Safety Wizard will display numerous error messages, run a fake system scan and even block access to your files. You can trick Windows Safety Wizard into thinking that you have registered by entering the code 0W000-000B0-00T00-E0020. While this code will not remove Windows Safety Wizard, it will stop most of its irritating symptoms. However, removing Windows Safety Wizard with a strong, reliable anti-malware application will still be necessary.


File System Details

Windows Safety Wizard may create the following file(s):
1. %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
2. %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
3. %AppData%\NPSWF32.dll
4. %CommonStartMenu%\Programs\Windows Safety Wizard.lnk
5. %AppData%\1st$0l3th1s.cnf
6. %AppData%\result.db
7. %Desktop%\Windows Safety Wizard.lnk

Registry Details

Windows Safety Wizard may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "otbpxlqhjd"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsadbot.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\install[1].exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\npfmessenger.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-6-4_7"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\xp_antispyware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srng.exe
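
As an added example (not ESG's code and not part of the original entry), the Python below matches a collected file listing and registry export against the file names and the Image File Execution Options, Run and UAC policy entries listed above. The `%AppData%` expansion, the `(key, value name, data)` tuple format, the function names and the sample data are assumptions made for the example.

```python
import re

# Indicators are copied from this page's lists; %AppData% expansion (Vista+ and XP) is assumed.
APPDATA = r"(?:\\Users\\[^\\]+\\AppData\\Roaming|\\Documents and Settings\\[^\\]+\\Application Data)"
FILE_PATTERNS = {
    "Protector-[RANDOM].exe": APPDATA + r"\\Protector-[^\\.]{3,4}\.exe$",
    "NPSWF32.dll": APPDATA + r"\\NPSWF32\.dll$",  # only directly under %AppData%
    "1st$0l3th1s.cnf": APPDATA + r"\\1st\$0l3th1s\.cnf$",
    "Windows Safety Wizard.lnk": r"\\Windows Safety Wizard\.lnk$",
}
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
IFEO_IMAGES = {"protector.exe", "tsadbot.exe", "install[1].exe", "npfmessenger.exe",
               "alevir.exe", "xp_antispyware.exe", "cmdagent.exe", "srng.exe"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
UAC_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "consentpromptbehavioruser"}

def norm_key(key):
    """Lower-case a key path and expand the HKLM/HKCU abbreviations."""
    k = key.lower().rstrip("\\")
    k = re.sub(r"^hklm(?=\\)", "hkey_local_machine", k)
    return re.sub(r"^hkcu(?=\\)", "hkey_current_user", k)

def triage(file_paths, reg_entries):
    """Return (kind, indicator, evidence) for every match against the lists."""
    hits = []
    for path in file_paths:
        for label, rx in FILE_PATTERNS.items():
            if re.search(rx, path, re.I):
                hits.append(("file", label, path))
    for key, name, data in reg_entries:
        k, n = norm_key(key), (name or "").lower()
        if k.startswith(IFEO_KEY + "\\"):
            image = k[len(IFEO_KEY) + 1:].split("\\")[0]
            if image in IFEO_IMAGES:
                hits.append(("ifeo", image, key))
        elif k == RUN_KEY and n == "inspector":
            hits.append(("run", name, key))
        elif k == UAC_KEY and n in UAC_VALUES and data == 0:
            hits.append(("uac", name, key))  # the page lists these values as 0
    return hits

# Constructed sample input (not taken from a real host).
SAMPLE_FILES = [r"C:\Users\alice\AppData\Roaming\Protector-abcd.exe",
                r"C:\Windows\System32\Macromed\Flash\NPSWF32.dll",
                r"C:\Users\alice\Desktop\Windows Safety Wizard.lnk"]
SAMPLE_REG = [(IFEO_KEY.replace("hkey_local_machine", "HKLM") + r"\tsadbot.exe", None, None),
              (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Inspector", "x"),
              (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System", "EnableLUA", 1)]
```

A UAC policy value of 0 can also be set deliberately by an administrator, so a `uac` hit on its own is weaker evidence than a `file`, `ifeo` or `run` hit.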


The following messages associated with Windows Safety Wizard were found:

Trojan activity detected. System data security is at risk.
It is recommended to activate protection and run a full system scan.

