
Windows Advanced Toolkit

Posted: June 22, 2012

Threat Metric

Threat Level: 10/10
Infected PCs: 35
First Seen: June 22, 2012
Last Seen: January 8, 2020
OS(es) Affected: Windows

While the FakeVimes family of scamware already has a profusion of members, its criminal distributors apparently felt it needed at least one more in Windows Advanced Toolkit. Windows Advanced Toolkit shows all the symptoms expected of this family: inaccurate security alerts, browser hijacking, and an attempt to extract money and payment details by selling registration keys. Because it includes none of the memory-monitoring, phishing-prevention or threat-detection functions its interface suggests, the SpywareRemove.com malware research team recommends treating Windows Advanced Toolkit as a threat in its own right rather than as the security software it imitates. Windows Advanced Toolkit resists the removal methods that work on legitimate software, but as a member of a widely recognized family of fake anti-malware scanners it can be deleted by genuine security applications without significant trouble.

How Windows Advanced Toolkit is Just Another Example of Tools That Set About Harming Your PC

Windows Advanced Toolkit borrows its appearance from older members of the FakeVimes family of fake anti-malware programs and, accordingly, bears a strong resemblance to Windows Security Center. At first glance, the modifications it does have appear to add security features, such as a memory-monitoring utility. Unfortunately, these functions do nothing beyond producing inaccurate data about the attacks and infections your PC supposedly suffers while the program runs. Its attacks include various pop-up warnings and system scans that display predetermined, negative results, listing a wide range of high-level threats such as Trojans, keyloggers and worms (the alert texts it uses are reproduced under Additional Information below).

Windows Advanced Toolkit's useless security features are merely a pretext for selling its "registered" version, which SpywareRemove.com malware researchers strongly encourage you to avoid. Because paying for Windows Advanced Toolkit hands your card or bank details to its distributors and can lead to further charges, contact your bank or card issuer to take appropriate precautions if you have already treated it as a legitimate purchase. Other attacks to watch for while Windows Advanced Toolkit is active in memory include:

  • Browser redirects to unusual websites, including search engine hijacks, redirects to fake error pages and redirects to Windows Advanced Toolkit-promoting websites.
  • Unrelated applications being blocked, with particular emphasis on security-related software such as Task Manager. The Technical Details below show one mechanism for this: Image File Execution Options entries that set svchost.exe as the "Debugger" for a list of antivirus executables, so that launching one of those programs runs svchost.exe instead. SpywareRemove.com malware analysts note that this may make it critical to prevent Windows Advanced Toolkit from launching before you can safely remove it from your computer.
  • Windows Registry settings changed to weaken your computer's default security (for example, by letting your browser download malicious or misidentified files with little resistance).

Nudging Your Computer Out of the Way of Windows Advanced Toolkit's Path of Victims

Although Windows Advanced Toolkit promotes itself as an independent anti-malware program, SpywareRemove.com malware experts have found that it is copied directly from earlier FakeVimes-based rogue anti-malware products. Consequently, you should also be ready to avoid any Windows application that strongly resembles Windows Advanced Toolkit, such as Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. The FakeVimes family is specialized for the Windows OS, although other operating systems remain vulnerable to other families of rogue security programs.

Windows Advanced Toolkit and its relatives are typically spread through fake online scanners, pop-up alerts and fraudulent media player updates. In some cases a second threat, such as Zlob or another Trojan downloader, is used to install Windows Advanced Toolkit. Ideally, removal should use full system scans that also delete any such related threats; otherwise the downloader may simply reinstall Windows Advanced Toolkit after a reboot.


Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system. Only Protector-ajff.exe carries a hash on this page; SP98c.exe is the component that the Run value listed under Registry Modifications launches at logon.

  • %APPDATA%\Protector-ajff.exe
    File name: Protector-ajff.exe
    Size: 2.35 MB (2355200 bytes)
    MD5: a8852241fc353dd8d654f4eadbf91a77
    Detection count: 89
    File type: Executable File
    Mime Type: unknown/exe
    Path: %APPDATA%
    Group: Malware file
    Last Updated: January 8, 2020
  • %AppData%\Windows Advanced Toolkit\ScanDisk_.exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file
  • %AppData%\Windows Advanced Toolkit\Instructions.ini
    Mime Type: unknown/ini
    Group: Malware file
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Advanced Toolkit.lnk
    File type: Shortcut
    Mime Type: unknown/lnk
    Group: Malware file
  • %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
    Mime Type: unknown/cfg
    Group: Malware file
  • %CommonAppData%\58ef5\SPT.ico
    Mime Type: unknown/ico
    Group: Malware file
  • %CommonAppData%\58ef5\SP98c.exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file
  • %Desktop%\Windows Advanced Toolkit.lnk
    File type: Shortcut
    Mime Type: unknown/lnk
    Group: Malware file
  • %Programs%\Windows Advanced Toolkit.lnk
    File type: Shortcut
    Mime Type: unknown/lnk
    Group: Malware file
  • %StartMenu%\Windows Advanced Toolkit.lnk
    File type: Shortcut
    Mime Type: unknown/lnk
    Group: Malware file

Registry Modifications

The following Registry keys and values are created. Note that the uninstall entries carry the names of sibling FakeVimes variants (Windows Proactive Safety, Windows Malware Firewall, Windows Maintenance Guard) rather than "Windows Advanced Toolkit", and that the Image File Execution Options entries are what block the named security tools: Windows starts the "Debugger" (here svchost.exe) in place of the listed executable. The Tracing\FWCFG values are standard Windows tracing settings that appear whenever the Windows Firewall configuration code is exercised; they show that the rogue touched firewall settings but are not malicious on their own.

  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
      (Default) = Implements DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
      (Default) = [unknown dir]\[unknown file name].exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
      (Default) = [unknown file name].DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler
      (Default) = Implements DocHostUIHandler
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid
      (Default) = {3F2BBC05-40DF-11D2-9455-00104BC936FF}
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
      Windows Proactive Safety = "%CommonAppData%\58ef5\SP98c.exe" /s /d
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Proactive Safety
      DisplayName = Windows Malware Firewall
      DisplayIcon = [unknown dir]\[unknown file name].exe,0
      InstallLocation = [unknown dir]
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Windows Proactive Safety (key name as recorded)
      DisplayVersion = 1.1.0.1010
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Maintenance Guard
      UninstallString = "[unknown dir]\[unknown file name].exe"/del
      Publisher = UIS Inc.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
      EnableConsoleTracing = 0
      EnableFileTracing = 0
      ConsoleTracingMask = -65536
      FileTracingMask = -65536
      MaxFileSize = 1048576
      FileDirectory = %windir%\tracing
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\<name>
      Debugger = svchost.exe
    for each of: AVCare.exe, AVENGINE.EXE, AVWEBGRD.EXE, About.exe, Ad-Aware.exe, AdwarePrj.exe, AlphaAV, AlphaAV.exe, AluSchedulerSvc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
      (key created; no Debugger value recorded)
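As an added example (not code from the original page or from the rogue's authors), the following PowerShell script checks a host for the file indicators listed above and for the Registry changes in this section, including the Image File Execution Options "Debugger" entries behind the blocked security software described earlier. It is read-only: it reports, it does not delete. It assumes PowerShell 4.0 or later (for Get-FileHash) on Windows Vista or later, run as the affected user, and resolves %CommonAppData%, %Desktop%, %Programs% and %StartMenu% through Environment.GetFolderPath. It goes beyond the page's list in one respect: it reports every IFEO Debugger value on the machine, not only the executable names recorded here, so it also catches variants that target a different antivirus list.

```powershell
# Added triage script for the Windows Advanced Toolkit indicators on this page.
# Not code from the page or from the rogue; read-only reporting, no deletion.
# Assumes PowerShell 4.0+ on Vista or later, run as the affected user.

$Findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Type, [string]$Location, [string]$Detail) {
    $Findings.Add([pscustomobject]@{ Type = $Type; Location = $Location; Detail = $Detail })
}

# --- File indicators (paths from the "File System Modifications" list) ---
$AppData   = [Environment]::GetFolderPath('ApplicationData')
$CommonApp = [Environment]::GetFolderPath('CommonApplicationData')   # %CommonAppData%
$Desktop   = [Environment]::GetFolderPath('DesktopDirectory')
$Programs  = [Environment]::GetFolderPath('Programs')
$StartMenu = [Environment]::GetFolderPath('StartMenu')
$KnownMd5  = 'A8852241FC353DD8D654F4EADBF91A77'   # MD5 the page lists for Protector-ajff.exe

$FilePaths = @(
    "$AppData\Protector-ajff.exe",
    "$AppData\Windows Advanced Toolkit\ScanDisk_.exe",
    "$AppData\Windows Advanced Toolkit\Instructions.ini",
    "$AppData\Microsoft\Internet Explorer\Quick Launch\Windows Advanced Toolkit.lnk",
    "$CommonApp\SPUPCZPDET\SPABOIJT.cfg",
    "$CommonApp\58ef5\SPT.ico",
    "$CommonApp\58ef5\SP98c.exe",
    "$Desktop\Windows Advanced Toolkit.lnk",
    "$Programs\Windows Advanced Toolkit.lnk",
    "$StartMenu\Windows Advanced Toolkit.lnk"
)
foreach ($p in $FilePaths) {
    if (-not (Test-Path -LiteralPath $p)) { continue }
    $detail = 'present'
    if ($p -like '*.exe') {
        # Only Protector-ajff.exe has a hash on the page; FakeVimes builds are repacked
        # often, so an executable at one of these paths with another hash is still suspect.
        $md5 = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $detail = if ($md5 -eq $KnownMd5) { "MD5 matches the page's sample ($md5)" } else { "present, MD5 $md5 (not the page's sample)" }
    }
    Add-Finding 'File' $p $detail
}

# --- Persistence: the HKCU Run value that relaunches SP98c.exe at logon ---
$runPath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runKey  = Get-Item -Path $runPath -ErrorAction SilentlyContinue
if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $val = [string]$runKey.GetValue($name)
        if ($name -eq 'Windows Proactive Safety' -or $val -match '\\58ef5\\SP98c\.exe') {
            Add-Finding 'Run' "$runPath\$name" $val
        }
    }
}

# --- Security-tool blocking: IFEO Debugger entries ---
# With Debugger=svchost.exe, starting the named executable runs svchost.exe with the
# executable's path as an argument; svchost.exe exits and the AV never starts.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($sub in Get-ChildItem -Path $ifeo -ErrorAction SilentlyContinue) {
    $dbg = [string]$sub.GetValue('Debugger')
    if (-not $dbg) { continue }
    $detail = if ($dbg -match '(^|\\)svchost\.exe') {
        "Debugger=$dbg (svchost.exe is not a debugger; launch of $($sub.PSChildName) is redirected)"
    } else {
        "Debugger=$dbg (review: JIT debuggers and tools such as Process Explorer also set this)"
    }
    Add-Finding 'IFEO' $sub.PSChildName $detail
}

# --- Registration residue: COM class and uninstall entries from the page ---
$RegKeys = @(
    'HKLM:\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}',
    'HKLM:\SOFTWARE\Classes\Dumped_.DocHostUIHandler',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Proactive Safety',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Maintenance Guard'
)
foreach ($k in $RegKeys) {
    if (Test-Path -LiteralPath $k) { Add-Finding 'RegKey' $k 'present' }
}

if ($Findings.Count -eq 0) { 'No Windows Advanced Toolkit indicators found.' }
else { $Findings | Format-Table -AutoSize -Wrap }
```

Run it before any cleanup so you have a record of what was present. To restore a blocked security tool, delete the Debugger value rather than the whole IFEO key from an elevated prompt, for example `Remove-ItemProperty -Path "$ifeo\AVENGINE.EXE" -Name Debugger`; deleting the Run value and the files listed is only worthwhile after the process has been stopped, since the rogue re-creates them while it is active. On 64-bit Windows, a 32-bit installer's COM registration lands under HKLM:\SOFTWARE\Wow6432Node\Classes, so check that hive as well for the CLSID and ProgID above.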

Additional Information

The following messages were detected (alert texts are reproduced exactly as displayed, including their grammar, since the wording helps identify the variant):

  1. Error
     Attempt to run a potentially dangerous script detected.
     Full system scan is a highly recommended.
  2. Error
     Keylogger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan.
  3. Error
     Software without a digital signature detected.
     Your system files are at risk. We strongly advise you to activate your protection.
