Windows Custom Safety

Posted: June 8, 2012

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Ranking:	11,545
Threat Level:	2/10
Infected PCs:	23,978

First Seen:	June 8, 2012
Last Seen:	September 18, 2023
OS(es) Affected:	Windows

The FakeVimes scamware train has shown no signs of slowing down with its latest offering to the masses, Windows Custom Safety. This rogue anti-malware scanner may pretend to keep phishing attacks, rootkits, spyware and other threats away from your hard drive, but SpywareRemove.com malware researchers have verified Windows Custom Safety's inability to do any of the aforementioned defensive acts. Instead of giving your computer an increase in safety, Windows Custom Safety will institute a lock down against your PC's real security software, redirect your browser to hostile sites and display fake explanations for these attacks that include the names of practically every PC threat imaginable – except itself. Once it's identified, deleting Windows Custom Safety should occupy the top slot on your schedule, although you may also need to disable Windows Custom Safety with any of the methods below to access appropriate anti-malware programs.

How Windows Custom Safety Customizes Your Safety in Perverse Ways

Windows Custom Safety is marketed in the form of a multi-featured security and anti-malware product, but its software actually is focused on the opposite aim: of making your computer unsafe, feeding you false security information and blocking anything that could thwart these attacks. These are traits that Windows Custom Safety shares with other variants of FakeVimes such as Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. While Windows Custom Safety launches with Windows and is easily identified, its attacks are not always as out-in-the-open, and SpywareRemove.com malware researchers have noted common Windows Custom Safety symptoms as shown below:

Search engine redirects to malicious sites.
Blocked PC security websites that are replaced by fraudulent error pages.
Pop-up alerts that warn you about the presence of attacks or harmful programs that actually aren't present in the first place (such as identity theft or unrelated rootkits).
Fake system scans that Windows Custom Safety uses to continue its illusion of your PC being attacked by unrealistically large amounts of varied PC threats.
Anti-malware and security programs that Windows Custom Safety blocks with inaccurate warning messages – typically about supposed infections that have latched onto these programs. Blocked software can extend to basic Windows utilities like Task Manager.

Getting Windows Back to Normal without Windows Custom Safety's Shifty Assistance

Windows Custom Safety, like all modern members of the FakeVimes family of rogue anti-malware programs, has been confirmed to make modifications to Windows file during its infection process. These changes may allow your PC to be continued to be attacked by browser redirects and other issues even after Windows Custom Safety is deleted, if you fail to remove all of Windows Custom Safety's alterations. SpywareRemove.com malware researchers suggest using a reputable brand of anti-malware equipment to scan your complete PC for all traces of Windows Custom Safety and remove them in an automated fashion, since manual removal is hazardous for non-experts in PC security.

Since PC threats from Windows Custom Safety's family may also be installed by other forms of hostile software, such as Trojan droppers, SpywareRemove.com malware research team also recommends that you use thorough system scanning features that can detect related PC threats, in addition to Windows Custom Safety. Updating your anti-malware software prior to trying to delete Windows Custom Safety is also encouraged since Windows Custom Safety is a recent derivative of its family.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe

File name: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{Value}HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = svchost.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\"Debugger" = "svchost.exe"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\"Debugger" = "svchost.exe"HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe

Additional Information

The following URL's were detected:

cleanupallthreats.com

The following messages's were detected:

#	Message
1	Error Keylogger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan.
2	Error Software without a digital signature detected. Your system files are at risk. We strongly advise you to activate your protection.
3	Warning Firewall has blocked a program from accessing the Internet. Windows Media Player Resources C:\Windows\system32\dllcache\wmploc.dll C:\Windows\system32\dllcache\wmploc.dll is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

4 Comments

Thomas Deering says:

June 10, 2012 at 12:43 pm

I bought windows custom safety but did not get a product key
edwin wingate says:

June 11, 2012 at 11:45 am

downloaded wjndows custom safety thought it was with windows now not sure what i did need to get rid of it
edwin wingate says:

June 11, 2012 at 11:48 am

thought windows custom safety was with windows 7
LOL says:

June 11, 2012 at 11:49 am

0W000-000B0-00T00-E0020
with this code can you stop the fake alerts
🙂