Windows Guard Tools
Posted: May 25, 2012
Threat Metric
The fields listed on the Threat Meter, each with a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10, where 10 is the highest level of severity and 1 is the lowest. Each level is relative to the threat's consistently assessed behaviors, as collected by SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs identified in diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is based specifically on the number of confirmed and suspected threats infecting systems on a daily basis. A high volume count usually indicates a popular threat, but it may or may not have infected a large number of systems; a threat with a high detection count could lie dormant and have a low volume count. The criterion for Volume Count is a daily detection count.
Trend Path: The Trend Path, shown as an up arrow, down arrow or equals sign, represents the direction of a particular threat's recent movement. Up arrows represent an increase, down arrows a decline, and the equals sign no change in the threat's recent movement.
% Impact (Last 7 Days): This shows the change over a 7-day period in the frequency with which a malware threat infects PCs. The percentage impact correlates directly with the current Trend Path, indicating a rise or decline in that percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 9 |
| First Seen: | May 25, 2012 |
| OS(es) Affected: | Windows |
Windows Guard Tools markets itself as a system scanner that can defend your PC against viruses and other types of harmful software, but the real intent behind its marketing is to make you pay money for fake security features. Its creators haven't bothered to make Windows Guard Tools look like anything more than a minor tweak of identical FakeVimes scamware variants, and they've been equally lazy about including any real threat detection or removal features. As a result, like most other rogue anti-malware scanners, the best Windows Guard Tools can produce is inaccurate warning messages and fake system scans. SpywareRemove.com malware experts recommend that you treat Windows Guard Tools as hostile software to be eradicated by a genuine anti-malware product, since it may also create security vulnerabilities on your PC by launching browser redirects or attacking security-related Windows programs.
The Contrivances by Which Windows Guard Tools Makes a Grab for Your Wallet
Windows Guard Tools is a recent variant of rogue anti-malware software from Win32/FakeVimes, a scamware classification that includes older PC threats such as Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. Windows Guard Tools and its brethren may be designed to run on Windows, but they're anything but Microsoft-affiliated products, and Windows Guard Tools is unable to provide any of the many anti-malware and security features that it pretends to have.
As a cover for its weaknesses, Windows Guard Tools will launch with Windows and create spontaneous and inaccurate pop-up alerts coupled with faux system scans, both of which imply that your PC is being attacked by rootkits, keyloggers, identity theft and other types of serious PC threats. Even if you're desperate to stop this flood of fake security information, SpywareRemove.com malware analysts don't see any reason to spend money on Windows Guard Tools, which can be forced into silence only by deleting Windows Guard Tools with a legitimate anti-malware application. Before you attempt this, you may also want to attempt to circumvent Windows Guard Tools's startup routine or fake Windows Guard Tools's registration with the key '0W000-000B0-00T00-E0020,' which also registers many other members of FakeVimes.
What Windows Guard Tools Really is Protecting When It Blocks Your Software
Windows Guard Tools may also attempt to prevent you from using some types of applications or interfere with features and functions for the benefit of its criminal partners. These attacks are all common to Win32/FakeVimes-based PC threats, and SpywareRemove.com malware researchers have made particular note of them due to the potential security problems that they can pose if Windows Guard Tools isn't deleted with appropriate software and appropriate alacrity:
- Windows Guard Tools may redirect your browser to malicious websites (typically those that market rogue security programs like Windows Guard Tools itself).
- Your browser searches may also be redirected to spam search engines and other sites, particularly if you're attempting to search with Google.
- Most damningly, Windows Guard Tools can also attempt to disable various anti-virus and security programs by altering their Registry entries: it registers 'svchost.exe' as the 'Debugger' for their executables under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options (the affected program names are listed under Registry Modifications below), so that whenever one of those programs is launched, Windows starts svchost.exe in its place and the security program never runs. This can be resolved by booting Windows in a way that avoids Windows Guard Tools's auto-start routine (its Run entry lives under HKEY_CURRENT_USER, and Run entries are not processed in Safe Mode) and then using appropriate software to restore your Registry or reinstall the programs that were disabled.
In spite of the latter attack, SpywareRemove.com malware experts don't recommend attempting to remove Windows Guard Tools without assistance from either a PC security expert or dedicated anti-malware programs, since many of Windows Guard Tools's attacks will alter the Windows Registry and other Windows components (which can damage your OS if edited improperly).
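The Image File Execution Options hijack described above, as an added PowerShell example that is not part of the original page or of any removal tool: it lists every IFEO subkey that carries a Debugger value, flags those whose debugger is not on a short allow-list of genuine debuggers (that allow-list is an assumption to tune per environment), and removes the flagged values. Run it from an elevated prompt, since the keys live under HKEY_LOCAL_MACHINE; the remediation function supports -WhatIf.

```powershell
# Added example (not from the original page): audit and clean IFEO "Debugger" hijacks
# of the kind Windows Guard Tools plants (Debugger = svchost.exe for AV executables).
# Assumption: $KnownDebuggers is an illustrative allow-list of genuine debuggers; tune it
# to your environment. Run from an elevated PowerShell, since IFEO lives under HKLM.

$IfeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$KnownDebuggers = @('vsjitdebugger.exe', 'windbg.exe', 'ntsd.exe', 'cdb.exe')

function Get-IfeoDebuggerHijack {
    [CmdletBinding()]
    param([string]$Root = $IfeoRoot)

    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue | ForEach-Object {
        $debugger = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if (-not $debugger) { return }   # subkey has no Debugger value: not a hijack

        # First token of the Debugger command line, honouring a quoted path
        $exe = if ($debugger -match '^"([^"]+)"') { $Matches[1] } else { ($debugger -split '\s+')[0] }
        $exeName = [System.IO.Path]::GetFileName($exe).ToLower()

        [pscustomobject]@{
            Target     = $_.PSChildName                      # e.g. AVWEBGRD.EXE, Ad-Aware.exe
            Debugger   = $debugger                           # e.g. svchost.exe
            Suspicious = ($KnownDebuggers -notcontains $exeName)
            Key        = $_.PSPath
        }
    }
}

function Remove-IfeoDebuggerHijack {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    Get-IfeoDebuggerHijack | Where-Object { $_.Suspicious } | ForEach-Object {
        if ($PSCmdlet.ShouldProcess($_.Target, "Remove IFEO Debugger '$($_.Debugger)'")) {
            # Delete only the Debugger value so any legitimate IFEO settings survive
            Remove-ItemProperty -Path $_.Key -Name Debugger
            # The rogue creates each subkey solely for the hijack; drop it once it is empty
            $key = Get-Item -Path $_.Key
            if ($key.ValueCount -eq 0 -and $key.SubKeyCount -eq 0) { Remove-Item -Path $_.Key }
        }
    }
}

Get-IfeoDebuggerHijack | Format-Table Target, Debugger, Suspicious -AutoSize
Remove-IfeoDebuggerHijack -WhatIf   # drop -WhatIf to apply the cleanup
```

The check is on the debugger, not on the target name: the targets on this page range from Ad-Aware.exe to About.exe and a bare AlphaAV, so a list of "security program names" would miss entries, whereas a Debugger value pointing at svchost.exe is never legitimate. Because these keys are under HKEY_LOCAL_MACHINE, the rogue was running with administrative rights when it planted them, which is worth bearing in mind when deciding how far to trust the rest of the machine.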
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

%APPDATA%\Protector-hdux.exe
- File name: Protector-hdux.exe
- Size: 1.95 MB (1952256 bytes)
- MD5: 7d4eb4b40260e045dbb6340b60911284
- Detection count: 5
- File type: Executable File
- Mime Type: unknown/exe
- Path: %APPDATA%
- Group: Malware file
- Last Updated: May 25, 2012

%APPDATA%\Protector-scxq.exe
- File name: Protector-scxq.exe
- Size: 1.98 MB (1987584 bytes)
- MD5: ced4214641a3e7220f6e6a4fca6eea63
- Detection count: 5
- File type: Executable File
- Mime Type: unknown/exe
- Path: %APPDATA%
- Group: Malware file
- Last Updated: May 25, 2012

%AppData%\Windows Guard Tools\ScanDisk_.exe
- File name: %AppData%\Windows Guard Tools\ScanDisk_.exe
- File type: Executable File
- Mime Type: unknown/exe
- Group: Malware file

%AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Guard Tools.lnk
- File name: %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Guard Tools.lnk
- File type: Shortcut
- Mime Type: unknown/lnk
- Group: Malware file

%AppData%\Windows Guard Tools\Instructions.ini
- File name: %AppData%\Windows Guard Tools\Instructions.ini
- Mime Type: unknown/ini
- Group: Malware file

%CommonAppData%\58ef5\SP98c.exe
- File name: %CommonAppData%\58ef5\SP98c.exe
- File type: Executable File
- Mime Type: unknown/exe
- Group: Malware file

%CommonAppData%\58ef5\SPT.ico
- File name: %CommonAppData%\58ef5\SPT.ico
- Mime Type: unknown/ico
- Group: Malware file

%CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
- File name: %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
- Mime Type: unknown/cfg
- Group: Malware file

%Desktop%\Windows Guard Tools.lnk
- File name: %Desktop%\Windows Guard Tools.lnk
- File type: Shortcut
- Mime Type: unknown/lnk
- Group: Malware file

%Programs%\Windows Guard Tools.lnk
- File name: %Programs%\Windows Guard Tools.lnk
- File type: Shortcut
- Mime Type: unknown/lnk
- Group: Malware file

%StartMenu%\Windows Guard Tools.lnk
- File name: %StartMenu%\Windows Guard Tools.lnk
- File type: Shortcut
- Mime Type: unknown/lnk
- Group: Malware file
Registry Modifications
{CLSID Path}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ Implements DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ [unknown dir]\[unknown file name].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ [unknown file name].DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid\ {3F2BBC05-40DF-11D2-9455-00104BC936FF}

{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\InstallLocation [unknown dir]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\Publisher UIS Inc.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\UninstallString "[unknown dir]\[unknown file name].exe" /del
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\DisplayIcon [unknown dir]\[unknown file name].exe,0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\DisplayName Activate Ultimate Protection
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection\DisplayVersion 1.1.0.1010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Activate Ultimate Protection "%CommonAppData%\58ef5\SP98c.exe" /s /d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask -65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask -65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\ Implements DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger svchost.exe
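An added PowerShell sweep, not part of the original page, that checks a host for the file and Registry indicators listed under Technical Details. Assumptions: PowerShell 4.0 or later (for Get-FileHash), %CommonAppData% mapped to $env:ProgramData, the %Desktop%, %Programs% and %StartMenu% folders resolved for the current user, and the 'Protector-*.exe' name pattern generalized from the two samples above (they carry different four-letter suffixes, so a name match is confirmed against the two published MD5s rather than trusted on its own).

```powershell
# Added example (not from the original page): look for the Windows Guard Tools
# indicators listed above. Assumptions: PowerShell 4.0+ for Get-FileHash; the
# environment-variable placeholders used in the listing map as shown below.

$KnownMd5 = @(
    '7d4eb4b40260e045dbb6340b60911284',   # Protector-hdux.exe (from the file list)
    'ced4214641a3e7220f6e6a4fca6eea63'    # Protector-scxq.exe (from the file list)
)

# %Desktop%, %Programs%, %StartMenu% resolved for the current user; %CommonAppData% = ProgramData
$Desktop   = [Environment]::GetFolderPath('Desktop')
$Programs  = [Environment]::GetFolderPath('Programs')
$StartMenu = [Environment]::GetFolderPath('StartMenu')

$PathIocs = @(
    (Join-Path $env:APPDATA     'Windows Guard Tools\ScanDisk_.exe'),
    (Join-Path $env:APPDATA     'Windows Guard Tools\Instructions.ini'),
    (Join-Path $env:APPDATA     'Microsoft\Internet Explorer\Quick Launch\Windows Guard Tools.lnk'),
    (Join-Path $env:ProgramData '58ef5\SP98c.exe'),
    (Join-Path $env:ProgramData '58ef5\SPT.ico'),
    (Join-Path $env:ProgramData 'SPUPCZPDET\SPABOIJT.cfg'),
    (Join-Path $Desktop   'Windows Guard Tools.lnk'),
    (Join-Path $Programs  'Windows Guard Tools.lnk'),
    (Join-Path $StartMenu 'Windows Guard Tools.lnk')
)

$RunKey       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$RunValue     = 'Activate Ultimate Protection'
$UninstallKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\Activate Ultimate Protection'

function Find-WindowsGuardToolsIoc {
    $hits = @()

    # 1. Exact paths from the file list
    foreach ($p in $PathIocs) {
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Type = 'File'; Indicator = $p; Detail = 'path present' }
        }
    }

    # 2. Protector-<suffix>.exe in %APPDATA%: prefix match, confirmed by MD5 where possible
    foreach ($f in (Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -File -ErrorAction SilentlyContinue)) {
        $md5 = (Get-FileHash -LiteralPath $f.FullName -Algorithm MD5).Hash.ToLower()
        $detail = if ($KnownMd5 -contains $md5) { "MD5 match $md5" } else { "name match only, MD5 $md5" }
        $hits += [pscustomobject]@{ Type = 'File'; Indicator = $f.FullName; Detail = $detail }
    }

    # 3. Per-user persistence: the Run value that starts SP98c.exe /s /d at logon
    $run = Get-ItemProperty -Path $RunKey -Name $RunValue -ErrorAction SilentlyContinue
    if ($run) {
        $hits += [pscustomobject]@{ Type = 'Registry'; Indicator = "$RunKey\$RunValue"; Detail = $run.$RunValue }
    }

    # 4. The fake "Activate Ultimate Protection" uninstall entry (Publisher "UIS Inc.")
    if (Test-Path -Path $UninstallKey) {
        $u = Get-ItemProperty -Path $UninstallKey
        $hits += [pscustomobject]@{
            Type = 'Registry'; Indicator = $UninstallKey
            Detail = "$($u.DisplayName) $($u.DisplayVersion) by $($u.Publisher)"
        }
    }

    return $hits
}

$found = Find-WindowsGuardToolsIoc
if ($found) { $found | Format-Table -AutoSize } else { 'No Windows Guard Tools indicators found.' }
```

Run it in the affected user's session, because %APPDATA%, the shell folders and the HKCU keys are all per-user; a scan from an administrator's separate account will look at the wrong profile. On PowerShell 3.0 or earlier, where Get-FileHash is missing, `certutil -hashfile <file> MD5` gives the same digest. A hit in step 2 with "name match only" is still worth examining: the suffix is the only thing that differs between the two samples on this page, so a fresh build with a new hash would land there.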
Never ever use Windows security
This Windows Guard Tools is on my Dell laptop. I want it off, now! I cannot use my Dell laptop because of this and I cannot remove it to save my life!!!!!