
Windows Custom Safety

Posted: June 8, 2012

Threat Metric

Ranking: 11,545
Threat Level: 2/10
Infected PCs: 23,978
First Seen: June 8, 2012
Last Seen: September 18, 2023
OS(es) Affected: Windows

The FakeVimes scamware train has shown no signs of slowing down with its latest offering to the masses, Windows Custom Safety. This rogue anti-malware scanner may pretend to keep phishing attacks, rootkits, spyware and other threats away from your hard drive, but SpywareRemove.com malware researchers have verified Windows Custom Safety's inability to do any of the aforementioned defensive acts. Instead of giving your computer an increase in safety, Windows Custom Safety will institute a lockdown against your PC's real security software, redirect your browser to hostile sites and display fake explanations for these attacks that include the names of practically every PC threat imaginable – except itself. Once it's identified, deleting Windows Custom Safety should occupy the top slot on your schedule, although you may also need to disable Windows Custom Safety with any of the methods below to access appropriate anti-malware programs.

How Windows Custom Safety Customizes Your Safety in Perverse Ways

Windows Custom Safety is marketed as a multi-featured security and anti-malware product, but its software is actually focused on the opposite aim: making your computer unsafe, feeding you false security information and blocking anything that could thwart these attacks. These are traits that Windows Custom Safety shares with other variants of FakeVimes such as Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. While Windows Custom Safety launches with Windows and is easily identified, its attacks are not always as out in the open, and SpywareRemove.com malware researchers have noted the common Windows Custom Safety symptoms shown below:

  • Search engine redirects to malicious sites.
  • Blocked PC security websites that are replaced by fraudulent error pages.
  • Pop-up alerts that warn you about the presence of attacks or harmful programs that actually aren't present in the first place (such as identity theft or unrelated rootkits).
  • Fake system scans that Windows Custom Safety uses to continue its illusion of your PC being attacked by unrealistically large amounts of varied PC threats.
  • Anti-malware and security programs that Windows Custom Safety blocks with inaccurate warning messages – typically about supposed infections that have latched onto these programs. Blocked software can extend to basic Windows utilities like Task Manager.

Getting Windows Back to Normal without Windows Custom Safety's Shifty Assistance

Windows Custom Safety, like all modern members of the FakeVimes family of rogue anti-malware programs, has been confirmed to make modifications to Windows files during its infection process. If you fail to remove all of Windows Custom Safety's alterations, these changes may allow browser redirects and other issues to continue even after Windows Custom Safety is deleted. SpywareRemove.com malware researchers suggest using a reputable brand of anti-malware software to scan your complete PC for all traces of Windows Custom Safety and remove them in an automated fashion, since manual removal is hazardous for non-experts in PC security.

Since PC threats from Windows Custom Safety's family may also be installed by other forms of hostile software, such as Trojan droppers, the SpywareRemove.com malware research team also recommends that you use thorough system scanning features that can detect related PC threats in addition to Windows Custom Safety. Updating your anti-malware software before trying to delete Windows Custom Safety is also encouraged, since Windows Custom Safety is a recent derivative of its family.


Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

File name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Registry Modifications

The following Registry values are newly created:

HKEY..\..\{Value}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\"Debugger" = "svchost.exe"

HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe
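A "Debugger" value under Image File Execution Options makes Windows start the named program in place of the listed executable, which is how the entries above keep security tools from launching. The following is an added example, not SpywareRemove.com's own tooling: it scans the decoded text of a registry export for that pattern and for the Run value listed above, and its sample export, user name and function names are constructed for illustration.

```python
import re

# Value line of a .reg export: "Name"="Data", with \\ and \" escapes inside.
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# File-name pattern from this page: Protector-[RANDOM CHARACTERS].exe
PROTECTOR = re.compile(r'\\protector-[^\\"]+\.exe\b', re.I)
IFEO = "\\image file execution options\\"
RUN = "\\microsoft\\windows\\currentversion\\run"

def unescape(s):
    """Undo .reg string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)

def scan_reg_export(text):
    """Return (kind, subject, data) findings from decoded .reg export text."""
    findings, key = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # remember the key the following values belong to
            continue
        m = VALUE.match(line)
        if not m:
            continue
        name, data = unescape(m.group(1)), unescape(m.group(2))
        lkey = key.lower()
        if IFEO in lkey and name.lower() == "debugger":
            # Any Debugger redirection deserves review; svchost.exe is this page's value.
            debugger = data.strip('"').rsplit("\\", 1)[-1].lower()
            kind = "ifeo-svchost" if debugger == "svchost.exe" else "ifeo-other"
            findings.append((kind, key.rsplit("\\", 1)[1], data))
        elif lkey.endswith(RUN) and PROTECTOR.search(data):
            findings.append(("run-protector", name, data))
    return findings

# Constructed sample export (real exports are UTF-16; decode before scanning).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="\"C:\\Tools\\procexp.exe\""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\alice\\AppData\\Roaming\\Protector-qx7.exe"
"OneDrive"="\"C:\\Program Files\\OneDrive\\OneDrive.exe\" /background"
'''

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

Entries reported as "ifeo-other" are not necessarily malicious, since some legitimate tools also register a Debugger value; they are listed so a reviewer can confirm each one.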

Additional Information

The following URLs were detected:
cleanupallthreats.com

The following messages were detected:

1. Error
   Keylogger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan.
2. Error
   Software without a digital signature detected. Your system files are at risk. We strongly advise you to activate your protection.
3. Warning
   Firewall has blocked a program from accessing the Internet. Windows Media Player Resources C:\Windows\system32\dllcache\wmploc.dll C:\Windows\system32\dllcache\wmploc.dll is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
