
Windows Salvage System

Posted: June 4, 2011

Windows Salvage System is a recent repackaging of older rogue security programs. Like many other rogue threats, Windows Salvage System is distributed by Fake Microsoft Security Essentials Alert Trojans and uses false positive warnings to pretend to be a benevolent anti-virus utility. Infections by Windows Salvage System and related malicious software put your web browser applications in danger of being hijacked and may also interfere with other security-related programs. You should avoid purchasing Windows Salvage System. Instead, delete Windows Salvage System by using updated security software to scan your PC.

Examining a Windows Salvage System Infection and the Toxic Consequences

Windows Salvage System is a clone of other rogue security and anti-virus programs that are installed by Fake Microsoft Security Essentials Alert Trojans - examples of these clones include, but are far from limited to, Windows Necessary Firewall, Windows Oversight Center, Windows Custom Settings and Windows Risks Preventions. A Fake Microsoft Security Essentials Alert Trojan will create a variety of different errors while dropping its payload to convince you that the rogue program is beneficial.

For example, here's one of Fake Microsoft Security Essentials Alert's common errors:

Threat prevention solution found
Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
Risk of system files infection:
The detected vulnerability may result in unauthorized access to private information and hard drive data with a seriuos [sic] possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press 'OK' to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.

Most reports also indicate that the Fake Microsoft Security Essentials Alert Trojan ironically creates popup warnings about fake Trojan threats. Regardless of which errors are used, once these messages have been shown, Windows Salvage System or a similar rogue threat is installed and your PC is rebooted.

This reboot lets Windows Salvage System make full use of its startup Windows Registry entries to launch without your consent. Besides faking system scans with inevitably poor and inaccurate results, Windows Salvage System will also create fake errors of its own:

System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.

Warning!
Location: [application file path]
Viruses: Backdoor.Win32.Rbot

Warning!
Name: [application file name]
Name: [application file path]
Application that seems to be a key-logger is detected. System information security is at risk. It is recommended to enable the security mode and run total System scanning.

Warning! Database update failed!
Database update failed!
Outdated viruses databases are not effective and can't [sic] guarantee adequate protection and security for your PC!
Click here to get the full version of the product and update the database!

System component corrupted!
System reboot error has occurred due to lsass.exe system process failure.
This may be caused by severe malware infections.
Automatic restore of lsass.exe backup copy completed.
The correct system performance can not be resumed without eliminating the cause of lsass.exe corruption.

Like most rogue security programs, Windows Salvage System can't detect real threats to your PC. All of Windows Salvage System's errors and other information should be disregarded for being irrelevant, misleading and potentially self-destructive for your computer.

Likewise, you should avoid having anything to do with the Windows Salvage System website, which is likely to attack your PC with Trojans and attempt to use your personal information and finances for fraud.

Salvaging Your PC from Windows Salvage System

It's strongly recommended that you avoid manually deleting Windows Salvage System program files or trying to use a provided uninstaller. These actions may cause an incomplete deletion that lets Windows Salvage System recover with ease. In addition, improperly removing Windows Salvage System's Registry entries can harm your operating system.

Other problems that may get in the way of removing Windows Salvage System include:

  • Browser hijacks that change your homepage settings, redirect you to malicious websites, play advertisements or use fake unsafe website errors to block safe websites. Browser hijacks are usually accomplished by an unauthorized change of proxy server settings or malicious Registry entries.
  • Difficulty in launching security-related programs, including anti-malware scanners, Windows Task Manager, the Registry Editor and MSConfig. Although Windows Salvage System may create fake infection warnings about these programs, the programs are undamaged; Windows Salvage System is simply blocking them.
  • In both cases, Safe Mode or booting from a secure source (like your original operating system CD) will let you run all affected programs without being attacked by Windows Salvage System. Neither your browser nor your security programs are harmed, and once you remove Windows Salvage System and any related threats by using suitable anti-malware programs your computer will return to normal health.



    File System Modifications

    • The following files were created in the system:
      1. %UserProfile%\Application Data\Microsoft\[RANDOM CHARACTERS].exe

    Registry Modifications

    • The following newly produced Registry Values are:
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger" = 'svchost.exe'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore "DisableSR" = '1'
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = '0'
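The Image File Execution Options "Debugger" values above are how Windows Salvage System blocks the security programs mentioned earlier: every launch of the named image is redirected to svchost.exe instead, so the tool appears not to start. The following audit script is an added example (not code from the original page or from any vendor) that parses an exported .reg file offline and flags those IFEO hijacks together with the disabled System Restore and silenced HTTPS-to-HTTP redirect warning; the function names and the embedded .reg sample are constructed for illustration.

```python
"""Audit a .reg export for the Windows Salvage System registry changes:
IFEO "Debugger" hijacks of security tools, System Restore disabled and
the HTTPS->HTTP redirect warning switched off. Added example code."""
import re

IFEO_PREFIX = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
               r"\CurrentVersion\Image File Execution Options")
# Security-tool images the page reports as hijacked (Avast, ESET, MSE/Defender).
WATCHED_IMAGES = {"afwserv.exe", "avastsvc.exe", "avastui.exe", "egui.exe",
                  "ekrn.exe", "msascui.exe", "msmpeng.exe", "msseces.exe"}
VALUE_RE = re.compile(r'"([^"]*)"\s*=\s*(?:"([^"]*)"|dword:([0-9A-Fa-f]{8}))')

def parse_reg_export(text):
    """Yield (key, value_name, data) from .reg text; DWORDs become decimal strings."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and line.startswith('"'):
            m = VALUE_RE.match(line)
            if m:
                data = m.group(2) if m.group(2) is not None else str(int(m.group(3), 16))
                yield key, m.group(1), data

def audit_reg_export(text):
    """Return a list of (finding, location, data) tuples for the hostile entries."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if key.lower().startswith(IFEO_PREFIX.lower()) and name.lower() == "debugger":
            image = key.rsplit("\\", 1)[-1].lower()
            # A Debugger value on a security tool, or one pointing at svchost.exe, is a hijack.
            if image in WATCHED_IMAGES or "svchost.exe" in data.lower():
                findings.append(("IFEO debugger hijack", image, data))
        elif name.strip().lower() == "disablesr" and data == "1":
            findings.append(("System Restore disabled", key, data))
        elif name.lower() == "warnonhttpstohttpredirect" and data == "0":
            findings.append(("HTTPS->HTTP redirect warning off", key, data))
    return findings

# Constructed sample export mirroring the keys listed on this page, plus one benign entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Tools\\ntsd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"WarnOnHTTPSToHTTPRedirect"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit_reg_export(SAMPLE_REG):
        print(*finding, sep=" | ")
```

On a real machine, export the two hives with `reg export` from Safe Mode or a clean boot and feed the file to `audit_reg_export`; the legitimate notepad.exe debugger entry in the sample shows that only security-tool images or svchost.exe targets are reported.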

    Additional Information on Windows Salvage System

    • The following messages were detected:
      # Message
      1 Warning!
      Name: [application file name]
      Name: [application file path]
      Application that seems to be a key-logger is detected. System information security is at risk. It is recommended to enable the security mode and run total System scanning.
      2 System component corrupted!
      System reboot error has occurred due to lsass.exe system process failure.
      This may be caused by severe malware infections.
      Automatic restore of lsass.exe backup copy completed.
      The correct system performance can not be resumed without eliminating the cause of lsass.exe corruption.
      3 Warning! Database update failed!
      Database update failed!
      Outdated viruses databases are not effective and can't [sic] guarantee adequate protection and security for your PC!
      Click here to get the full version of the product and update the database!
      4 System Security Warning
      Attempt to modify register key entries is detected. Register entries analysis is recommended.
      5 Threat prevention solution found
      Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
      Risk of system files infection:
      The detected vulnerability may result in unauthorized access to private information and hard drive data with a seriuos [sic] possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press 'OK' to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.
      6 Warning!
      Location: [application file path]
      Viruses: Backdoor.Win32.Rbot