Windows Safety Protection

Windows Safety Protection is a counterfeit anti-virus product that belongs to a large-scale Internet scam. It is part of a group that also includes other rogue programs such as Windows Problem Protector and Windows Shield Protector. Windows Safety Protection is promoted by means of a fake Microsoft Security Essentials alert that poses as part of system security and claims to detect an unknown Trojan on the computer. The warning prompts users to perform an online scan of the computer, which instantly reports another threat said to be infecting files on the system. The next move is to offer a solution: the alert advises users to download and install an unregistered version of Windows Safety Protection. Once installation completes, the program prompts for a reboot; after the restart it runs a local virus scan and again displays false information about the computer’s security status. Windows Safety Protection repeatedly reminds users that viruses are present, through either fake scans or warning messages.

As mentioned, the diagnostics performed by this rogue program are just promotional gimmicks. The threats it reports do not really exist on the computer, and if any do, Windows Safety Protection is the primary culprit. It is a virus itself. Remove Windows Safety Protection immediately to avoid additional harm to the affected PC. Use only a legitimate and trusted security program to get rid of it, along with its registry entries and other components hidden on the computer.

Alias: Windows Safety Protection Virus

Damage Level: Medium

Systems Affected: Windows 9x, 2000, XP, Vista, Windows 7

Windows Safety Protection Removal Procedures

Manual Removal:
1. Press Ctrl+Alt+Del on the keyboard to stop the process associated with “Windows Safety Protection”. When Windows Task Manager opens, go to the Processes tab, then find and end the following process:
(random characters).exe

2. Update your installed antivirus application so that it has the latest database.
3. Thoroughly scan the computer and remove any detected threats. If removal is not permitted, it is best to quarantine the infected item. Malicious files should also be located and deleted manually. See the files listed below that are related to Windows Safety Protection Virus.
4. Registry entries created by Windows Safety Protection must also be removed from the Windows system. Refer to the entries listed below that are associated with the rogue program.
5. Exit registry editor.
6. Get rid of the Windows Safety Protection start-up entry by going to Start > Run and typing msconfig in the “Open” dialog box. A window containing the System Configuration Utility will be launched. Go to the Startup tab and uncheck the following start-up item(s):
(random characters).exe

7. Click Apply and restart Windows.

Windows Safety Protection Removal Tool:
In order to completely remove the threat, download and run Malwarebytes Anti-Malware. Sometimes, Trojans will block the downloading and installation of MBAM. If this happens, download it from a clean computer and rename the executable file before executing it on the infected machine.

Using Portable SuperAntiSpyware:
To thoroughly remove the virus, it is best to run a separate scan with another security program so that infected files not detected by the anti-virus application can be removed as well. Download and run SAS Portable Scanner.

Technical Details and Additional Information:

If Windows Safety Protection is installed, it will begin to display fake alerts as a scare tactic to mislead victims:

System component corrupted!
System reboot error has occurred due to lsass.exe system process failure.
This may be caused by severe malware infections.
Automatic restore of lsass.exe backup copy completed.
The correct system performance can not be resumed without eliminating the cause of lsass.exe corruption.

Name: firefox.exe
Name: c:\program files\firefox\firefox.exe
Application that seems to be a key-logger is detected. System information security is at risk. It is recommended to enable the security mode and run total System scanning.

Malicious Files Added by Windows Safety Protection:
%UserProfile%\Application Data\[random].exe

Windows Safety Protection Registry Entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon “Shell” = ‘%UserProfile%\Application Data\[random].exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe “Debugger” = ‘svchost.exe’
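
The registry entries above redirect the listed security executables to svchost.exe through an Image File Execution Options "Debugger" value and replace the per-user Winlogon shell. The following read-only PowerShell audit is an added example, not part of the original write-up or of any vendor tool; it reports those values and any executables sitting directly in the Application Data folder. The helper name New-Finding and the report column names are assumptions made for the example.

```powershell
# Added example: read-only audit of the registry and file indicators listed on this page.
# Avoids PowerShell 3.0+ syntax so it can run on older systems; it changes nothing.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Security-product executables named in the page's registry entries.
$listed = 'egui.exe', 'ekrn.exe', 'msascui.exe', 'msmpeng.exe', 'msseces.exe'
$findings = @()

# Hypothetical helper: builds one report row.
function New-Finding($check, $location, $value) {
    New-Object PSObject -Property @{ Check = $check; Location = $location; Value = $value }
}

# 1. An IFEO subkey with a "Debugger" value redirects every launch of that program.
#    Entries outside the page's list are reported too; some are legitimate, so review them.
$findings += @(Get-ChildItem -LiteralPath $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = $_.GetValue('Debugger')
    if ($dbg) {
        $tag = 'IFEO Debugger (other program)'
        if ($listed -contains $_.PSChildName) { $tag = 'IFEO Debugger (listed on page)' }
        New-Finding $tag $_.Name $dbg
    }
})

# 2. A per-user Winlogon "Shell" value is not present on a default install,
#    so any value found here deserves a look.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -LiteralPath $winlogon -ErrorAction SilentlyContinue).Shell
if ($shell) { $findings += New-Finding 'HKCU Winlogon Shell override' $winlogon $shell }

# 3. Executables placed directly in Application Data (%APPDATA%), where the page
#    says the randomly named file is dropped.
$findings += @(Get-ChildItem -LiteralPath $env:APPDATA -Filter *.exe -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { New-Finding 'EXE in Application Data root' $_.FullName $_.LastWriteTime })

if ($findings.Count -eq 0) {
    'No indicators from this page were found.'
} else {
    $findings | Format-Table Check, Location, Value -AutoSize -Wrap
}
```

Run it from an elevated PowerShell prompt as the affected user so that both the HKLM and HKCU checks see the right hives.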
