Windows Guard Tools

This page contains detailed instructions for removing Windows Guard Tools. Aside from the malware, you also need to delete the Trojan that comes with it.

Windows Guard Tools is not the right software if you are looking for effective protection, because this program is fake and will never protect your system against Trojans and viruses. In fact, the mere fact that you see it on the computer indicates that you are under attack by Windows Guard Tools. Although this program is dangerous, there is no need to panic. You can contain the infection by following the removal guide on this page.

First, you must know how the malware gets inside the PC. Frankly, you must not rely solely on the antivirus programs on the computer. Windows Guard Tools may still get in even if you think that you have the best protection. This is because rogue programs work side by side with a Trojan. In recent times, Trojans have become more harmful and prevalent due to the advanced methods applied by their creators. You may have already heard of rootkit techniques, wherein Trojans embed malicious code into Windows processes to conceal the infection.

Given these facts about Windows Guard Tools, it is clear that you have to deal with two infections: the malware and the Trojan. With the guide below, you can deal with both without any hassle.

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Windows Guard Tools Removal Procedures

REMOVAL TOOL:
To completely remove the threat, it is best to download and run Malwarebytes Anti-Malware (MBAM). Sometimes, Trojans will block the download and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before running it on the infected computer. Here is the Malwarebytes Anti-Malware download page.

MANUAL REMOVAL PROCEDURE:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Windows Guard Tools”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
Protector-(random characters).exe

2. Update your installed antivirus application so that it has the latest database.

3. Thoroughly scan the system and remove any detected threats. If removal is blocked, it is best to quarantine the infected item. You should also manually locate and delete the malicious files. Please see the files listed below that are related to Windows Guard Tools.

4. Registry entries created by Windows Guard Tools must also be removed from the Windows system. Please refer to the list below for entries associated with the rogue program.
- For Windows 2000/XP: Go to Start > Run, type “regedit” in the dialog box, then press Enter on the keyboard.
- For Windows Vista/7: Go to Start > Search Programs and Files, type “regedit” and press Enter.

5. Exit Registry Editor.

6. Get rid of the Windows Guard Tools start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
Protector-(random characters).exe

7. Click Apply and restart Windows.

Technical Details and Additional Information:

Malicious Files Added by Windows Guard Tools
%AppData%\NPSWF32.dll
%AppData%\Protector-(random 3 characters).exe
%AppData%\Protector-(random 4 characters).exe
%AppData%\result.db
%CommonStartMenu%\Programs\Windows Guard Tools.lnk
%Desktop%\Windows Guard Tools.lnk

File Location for Windows Versions:

  • %AppData% on Vista/7 refers to C:\Users\<Current User>\AppData\Roaming, while on Windows XP/2000 it is C:\Documents and Settings\<Current User>\Application Data.
  • %StartMenu% on Vista/7 refers to C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu, while on Windows XP/2000 it is C:\Documents and Settings\<Current User>\Start Menu\.

Windows Guard Tools Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “u_2012-5-24_6”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “rwqyuplaue”
HKEY_CURRENT_USER\Software\ASProtect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe
… and many more similar entries.
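
The file and registry lists above can be checked in one pass with a read-only script. This is an added example, not part of the original guide; it assumes Windows Vista/7 with PowerShell available and takes %CommonStartMenu% to be %ProgramData%\Microsoft\Windows\Start Menu.

```powershell
# Added example: read-only audit for the indicators listed on this page.
# Assumes Windows Vista/7 with PowerShell; nothing is deleted or changed.
$findings = @()

# Files. Assumption: %CommonStartMenu% = %ProgramData%\Microsoft\Windows\Start Menu.
$commonStartMenu = Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu'
$desktop = [Environment]::GetFolderPath('Desktop')
$files = @(
    (Join-Path $env:APPDATA 'NPSWF32.dll'),
    (Join-Path $env:APPDATA 'result.db'),
    (Join-Path $commonStartMenu 'Programs\Windows Guard Tools.lnk'),
    (Join-Path $desktop 'Windows Guard Tools.lnk')
)
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "FILE $f" }
}
# Protector-(random 3 or 4 characters).exe directly under %AppData%
foreach ($f in @(Get-ChildItem -LiteralPath $env:APPDATA -Filter 'Protector-*.exe' -ErrorAction SilentlyContinue)) {
    if ($f.Name -match '^Protector-.{3,4}\.exe$') { $findings += "FILE $($f.FullName)" }
}

# Registry values as "key|name|data"; empty data means report the value if it exists.
$hkcu = 'HKCU:\Software\Microsoft\Windows\CurrentVersion'
$hklm = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
$values = @(
    "$hkcu\Internet Settings|WarnOnHTTPSToHTTPRedirect|0",
    "$hkcu\Policies\System|DisableRegedit|0",
    "$hkcu\Policies\System|DisableRegistryTools|0",
    "$hkcu\Policies\System|DisableTaskMgr|0",
    "$hklm|ConsentPromptBehaviorAdmin|0",
    "$hklm|ConsentPromptBehaviorUser|0",
    "$hklm|EnableLUA|0",
    "$hkcu\Run|Inspector|",
    "$hkcu\Settings|net|",
    "$hkcu\Settings|UID|"
)
foreach ($v in $values) {
    $key, $name, $data = $v.Split('|')
    $prop = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $prop) { continue }
    if ($data -eq '' -or [string]$prop.$name -eq $data) { $findings += "REG  $key\$name = $($prop.$name)" }
}
# Registry keys from the list (existence only)
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$keys = @('HKCU:\Software\ASProtect', "$ifeo\SafetyKeeper.exe", "$ifeo\titaninxp.exe", "$ifeo\wscfxas.exe")
foreach ($k in $keys) {
    if (Test-Path -LiteralPath $k) { $findings += "KEY  $k" }
}
if ($findings.Count -eq 0) { 'No listed indicators found.' } else { $findings }
```

Run it under the affected user account, since the %AppData% files and HKEY_CURRENT_USER entries are per-user.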

Alternative Removal Method for Windows Guard Tools

Option 1: Use Windows System Restore to return Windows to a previous state

If Windows Guard Tools enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before Windows Guard Tools infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may then proceed with Windows System Restore.