Windows Safety Maintenance
If you are infected with Windows Safety Maintenance and looking for a removal procedure, you can try the guide on this page. We offer a free tool to delete the malware instantly.
There are many versions of the rogue programs from the FakeVimes family that we wrote about recently. Here comes another one, under the name Windows Safety Maintenance. It serves the same purpose: to lure innocent users into buying the full version of it. To accomplish this, Windows Safety Maintenance shows warnings about virus infection and advises instant removal. Unfortunately, victims must activate the program first and need to buy the license code through its online store.
Keep in mind that Windows Safety Maintenance is rogue software. It may imitate how a real antivirus scans the computer, but it does not have the same functions. Fake programs are created for the sole purpose of misleading users so that their authors can earn a profit from this illegal activity. None of the threats that Windows Safety Maintenance detects on your computer are real. None of the Trojans and viruses identified by this program exist. It attempts to create a situation that shows you the endorsed product is needed by the system. You don’t have to buy Windows Safety Maintenance. It is useless and will do nothing good for the computer.
What you can do now is start the removal of Windows Safety Maintenance itself. Go through our removal procedure on this page and eliminate this threat immediately. We firmly advise using a legitimate security program to fight all types of malware.
Damage Level: Medium
Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7
Windows Safety Maintenance Removal Procedures
To completely remove the threat, it is best to download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before running it on the infected computer. Here is the Malwarebytes Anti-Malware download page.
MANUAL REMOVAL PROCEDURE:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Windows Safety Maintenance”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
2. Update the installed antivirus application so that it has the latest database.
3. Thoroughly scan the system; any detected threats must be removed. If removal is prohibited, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. Please see the files below that are related to the Windows Safety Maintenance virus.
4. Registry entries created by Windows Safety Maintenance must also be removed from the Windows system. Please refer below for the entries associated with the rogue program.
- For Windows 2000/XP: Go to Start > Run, type “regedit” in the dialog box, then press Enter on the keyboard.
- For Windows Vista/7: Go to Start > Search Program and Files, type “regedit” and press Enter.
5. Exit registry editor.
6. Get rid of the Windows Safety Maintenance start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
7. Click Apply and restart Windows.
Technical Details and Additional Information:
Malicious Files Added by Windows Safety Maintenance
%AppData%\Protector-(random 3 characters).exe
%AppData%\Protector-(random 4 characters).exe
%CommonStartMenu%\Programs\Windows Safety Maintenance.lnk
%Desktop%\Windows Safety Maintenance.lnk
File Location for Windows Versions:
- %AppData% on Vista/7 refers to C:\Users\<Current User>\AppData\Roaming, while on Windows XP/2000 it is C:\Documents and Settings\<Current User>\Application Data.
- %StartMenu% on Vista/7 refers to C:\Users\<Current User>\AppData\Roaming\Microsoft\Windows\Start Menu, while on Windows XP/2000 it is C:\Documents and Settings\<Current User>\Start Menu\.
Windows Safety Maintenance Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “u_2012-5-24_6”
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “jnsteukswo”
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSurvey.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscfxas.exe
… and many more similar entries.
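A read-only check for the files and registry entries listed above, as an added example that is not part of the original guide. It assumes PowerShell 3.0 or later, treats the random file-name characters as wildcards, and also reports any Image File Execution Options subkey that carries a Debugger value, which is an assumption about how the “similar entries” work and not something the guide states.

```powershell
# Read-only audit for the indicators listed on this page; it changes nothing.
$findings = New-Object System.Collections.ArrayList

# Files: '?' matches one character, covering the 3- and 4-character random names.
$paths = @(
    (Join-Path $env:APPDATA 'Protector-???.exe'),
    (Join-Path $env:APPDATA 'Protector-????.exe'),
    (Join-Path ([Environment]::GetFolderPath('CommonStartMenu')) 'Programs\Windows Safety Maintenance.lnk'),
    (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Windows Safety Maintenance.lnk')
)
foreach ($p in $paths) {
    Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [void]$findings.Add("FILE   $($_.FullName)") }
}

# Values the page lists with data 0. An administrator can also set some of these
# (for example EnableLUA), so a hit is a lead to review, not proof of infection.
$sys  = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$zero = @(
    @('HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings', 'WarnOnHTTPSToHTTPRedirect'),
    @("HKCU:\$sys", 'DisableRegedit'),
    @("HKCU:\$sys", 'DisableRegistryTools'),
    @("HKCU:\$sys", 'DisableTaskMgr'),
    @("HKLM:\$sys", 'ConsentPromptBehaviorAdmin'),
    @("HKLM:\$sys", 'ConsentPromptBehaviorUser'),
    @("HKLM:\$sys", 'EnableLUA')
)
foreach ($z in $zero) {
    $item = Get-ItemProperty -Path $z[0] -Name $z[1] -ErrorAction SilentlyContinue
    if ($item -and $item.($z[1]) -eq 0) { [void]$findings.Add("VALUE  $($z[0])\$($z[1]) = 0") }
}

# Marker values: only the names are checked, on the assumption that the sample
# data shown on the page differs from one installation to the next.
$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings'
foreach ($name in 'net', 'UID') {
    $item = Get-ItemProperty -Path $settings -Name $name -ErrorAction SilentlyContinue
    if ($item) { [void]$findings.Add("MARKER $settings\$name = $($item.$name)") }
}

# IFEO: the three keys named on the page, plus any subkey with a Debugger value.
$ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$named = 'advxdwin.exe', 'BDSurvey.exe', 'wscfxas.exe'
Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($named -contains $_.PSChildName -or $dbg) { [void]$findings.Add("IFEO   $($_.PSChildName) Debugger=$dbg") }
}

if ($findings.Count) { $findings } else { 'No listed indicators found.' }
```

Run it in the session of the affected user account, because %AppData% and the HKEY_CURRENT_USER entries are per-user.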
Alternative Removal Method for Windows Safety Maintenance
Option 1: Use Windows System Restore to return Windows to a previous state
If Windows Safety Maintenance enters the computer, there is a big chance that Windows files, registry entries and other essential components are also infected. System Restore can reinstate clean system files by restoring the configuration to an earlier date. The method also replaces compromised files with a clean version. If you have a restore point saved before Windows Safety Maintenance infiltrated the PC, we highly encourage you to execute this procedure if none of the above works. You may proceed with Windows System Restore, click here to see the full procedure.