Windows Safety Maintenance

Updated: May 25, 2012 Rogue 0 Comment

There a many versions of rogue program that that we wrote about recently which originates from FakeVimes family. Here comes another one in the name of Windows Safety Maintenance. It still upholds the same purpose – to attract innocent users into buying the full version of it. In order to accomplish this mission, Windows Safety Maintenance will show warning about virus infection and advices an instant removal. Unfortunately, victims must activate the program first and needs to buy the license code through their online store.

Keep in mind that Windows Safety Maintenance is a rogue software. It may imitate how real antivirus scans the computer but it does not have the same functions. Fake programs are created in the sole purpose of misleading users so that authors may earn a profit from this illegal activity. No threats detected by Windows Safety Maintenance inside your computer are true. None of the Trojans and viruses identified by this program exists. It attempts to create a situation and show you that the endorsed product is needed by the system. Well, you don’t have to buy Windows Safety Maintenance. It is useless and will do nothing good for the computer.

What you can do now is start the removal of Windows Safety Maintenance itself. Go through our removal procedure on this page and eliminate this threat immediately. We firmly advise the use of legit security program in fighting all types of malware.

Screenshot Image:

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Windows Safety Maintenance Removal Procedures

REMOVAL TOOL:
In order to completely remove the threat, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing on the infected computer. Here is Malwarebytes Anti-Malware download page.

MANUAL REMOVAL PROCEDURE:
1. Press Ctrl+Alt+Del on keyboard to stop process associated to “Windows Safety Maintenance”. When Windows Task Manager opens, go to Processes Tab and find and end the following process:
Protector-(random characters).exe

2. You need to update installed antivirus application to have the latest database.

3. Thoroughly scan the system and any detected threats must be removed. If removal is prohibited, it is best to quarantine the infected item. Manually locating and deleting of malicious files should also be performed. Please see files below that are related to Windows Safety Maintenance Virus.

4. Registry entries created by Windows Safety Maintenance must also be removed from the Windows system. Please refer below for entries associated to the rogue program.
- For Windows 2000/XP: Go to Start > Run, type “regedit” on dialog box then press Enter on keyboard.
- ForWindows Vista/7: Go to Start > Search Program and Files, type “regedit” and press Enter.

5. Exit registry editor.

6. Get rid of Windows Safety Maintenance start-up entry by going to Start > Run, type msconfig on the “Open” dialog box. A windows containing System Configuration Utility will be launched. Go to Startup tab and uncheck the following Start-up item(s):
Protector-(random characters).exe

7. Click Apply and restart Windows.

Technical Details and Additional Information:

Malicious Files Added by Windows Safety Maintenance
%AppData%\NPSWF32.dll
%AppData%\Protector-(random 3 characters).exe
%AppData%\Protector-(random 4 characters).exe
%AppData%\result.db
%CommonStartMenu%\Programs\Windows Safety Maintenance.lnk
%Desktop%\Windows Safety Maintenance.lnk

File Location for Windows Versions:

• %AppData% for Vista/7 refers to C:\Users\<Current User>\AppData\Roaming, while for Windows XP/2000 user it is C:\Documents and Settings\<Current User>\Application Data.
• %StartMenu% on Vista/7 it refers to C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu while for Windows XP/2000 this is C:\Documents and Settings\<Current User>\Start Menu\.

Windows Safety Maintenance Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “u_2012-5-24_6″
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “jnsteukswo”
HKEY_CURRENT_USER\Software\ASProtect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSurvey.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe
… and many more similar entries.