Windows Proactive Safety
Posted: June 20, 2012
Threat Metric
The fields listed on the Threat Meter, each of which contains a specific value, are explained in detail below:
Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.
Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.
Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.
Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represents no change to a threat's recent movement.
% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.
| Threat Level: | 10/10 |
|---|---|
| Infected PCs: | 9 |
| First Seen: | June 20, 2012 |
| Last Seen: | January 8, 2020 |
| OS(es) Affected: | Windows |
Since Windows Proactive Safety includes many of the superficial aesthetics of outdated versions of Windows Security Center, you may be inclined to think that Windows Proactive Safety could be a legitimate security product, but Windows Proactive Safety's actual nature is pure and simple scamware. While Windows Proactive Safety uses pop-ups and system scans to convince you that an army of remote attackers and malicious applications are banging at your PC's gates, SpywareRemove.com malware researchers have determined that Windows Proactive Safety is incapable of providing legitimate security information or removing any of the PC threats that Windows Proactive Safety says are on your computer. As a garden-variety rogue anti-malware scanner, Windows Proactive Safety should be treated as being as hostile as any virus, and deleting Windows Proactive Safety with a strong anti-malware product is heavily encouraged.
Windows Proactive Safety – the Computer Guardian Against Imaginary Enemies
Windows Proactive Safety is a typical example of modern variants from the family of scamware that's labeled FakeVimes, whose members include Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. Although Windows Proactive Safety and similar PC threats are often marketed by fake online scanners, SpywareRemove.com malware researchers warn that Windows Proactive Safety can also be installed by separate PC threats, especially those that piggyback on download links for popular codecs and movie player updates. Windows Proactive Safety's most visible behavior includes launching itself without your permission as soon as Windows starts, and then using this vantage point to display inaccurate pop-up warnings and system scans.
Windows Proactive Safety's warning messages will imitate the formats of normal system alerts, and may also include taskbar notifications and similar pop-ups that appear to be sent by Windows itself. As long as Windows Proactive Safety is open, Windows Proactive Safety will try to persuade you that your computer is being assaulted by high-level PC threats like keyloggers and rootkits, but Windows Proactive Safety doesn't have any real threat-detecting capabilities in the first place. Accordingly, Windows Proactive Safety's persistent requests for you to spend money on its registration key should never be heeded, and the SpywareRemove.com malware research team suggests contacting your credit card company or bank if you've given financial information to the criminals that promote Windows Proactive Safety.
Why Deleting Windows Proactive Safety with All Due Speed is Crucial for Your PC's Safety
Lamentably, Windows Proactive Safety is more than just a fake anti-malware scanner; Windows Proactive Safety also is an architect of various types of very real attacks against infected PCs. Some of the attacks that SpywareRemove.com malware experts have associated with Windows Proactive Safety include:
- Browser hijacks that lead your web browser to unwanted sites. These sites frequently are malicious and may be used as part of attacks against your online searches.
- Needlessly restricted software usage. Windows Proactive Safety may stop you from using real security programs, including anti-virus scanners, firewall programs and tools like the Windows Task Manager. In some cases, SpywareRemove.com malware analysts have found that it may be necessary to restore the Windows Registry to regain deleted program entries.
- A variety of disabled Windows settings, especially settings that are linked to security for your Windows account or web browser. Files with invalid signatures may be downloaded without appropriate system alerts and UAC functionality may be crippled.
Faking Windows Proactive Safety's registration process with the code '0W000-000B0-00T00-E0020' can be helpful to assist with its deletion, although SpywareRemove.com malware experts stress that this is just one of multiple steps that may be required for Windows Proactive Safety's removal.
Technical Details
File System Modifications
Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.
The following files were created in the system:

%APPDATA%\Protector-mllt.exe
- File name: Protector-mllt.exe
- Size: 2.39 MB (2398208 bytes)
- MD5: 3313bbc5ffd642dd82495ddd07091996
- Detection count: 60
- File type: Executable File
- Mime Type: unknown/exe
- Path: %APPDATA%
- Group: Malware file
- Last Updated: January 8, 2020

%AppData%\Windows Proactive Safety\ScanDisk_.exe
- File name: %AppData%\Windows Proactive Safety\ScanDisk_.exe
- File type: Executable File
- Mime Type: unknown/exe
- Group: Malware file

%AppData%\Windows Proactive Safety\Instructions.ini
- File name: %AppData%\Windows Proactive Safety\Instructions.ini
- Mime Type: unknown/ini
- Group: Malware file

%AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Proactive Safety.lnk
- File name: %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows Proactive Safety.lnk
- File type: Shortcut
- Mime Type: unknown/lnk
- Group: Malware file

%Desktop%\Windows Proactive Safety.lnk
- File name: %Desktop%\Windows Proactive Safety.lnk
- Mime Type: unknown/lnk
- Group: Malware file

%CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
- File name: %CommonAppData%\SPUPCZPDET\SPABOIJT.cfg
- Mime Type: unknown/cfg
- Group: Malware file

%CommonAppData%\58ef5\SPT.ico
- File name: %CommonAppData%\58ef5\SPT.ico
- Mime Type: unknown/ico
- Group: Malware file

%CommonAppData%\58ef5\SP98c.exe
- File name: %CommonAppData%\58ef5\SP98c.exe
- File type: Executable File
- Mime Type: unknown/exe
- Group: Malware file

%Programs%\Windows Proactive Safety.lnk
- File name: %Programs%\Windows Proactive Safety.lnk
- File type: Shortcut
- Mime Type: unknown/lnk
- Group: Malware file

%StartMenu%\Windows Proactive Safety.lnk
- File name: %StartMenu%\Windows Proactive Safety.lnk
- File type: Shortcut
- Mime Type: unknown/lnk
- Group: Malware file
Registry Modifications
HKEY..\..\{CLSID Path}

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ [unknown dir]\[unknown file name].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ Implements DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ [unknown file name].DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid\ {3F2BBC05-40DF-11D2-9455-00104BC936FF}

HKEY..\..\..\..{Subkeys}

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Proactive Safety
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Proactive Safety\DisplayIcon [unknown dir]\[unknown file name].exe,0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Windows Proactive Safety "%CommonAppData%\58ef5\SP98c.exe" /s /d
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Proactive Safety\DisplayName Windows Malware Firewall
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Windows Proactive Safety\DisplayVersion 1.1.0.1010
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Maintenance Guard\UninstallString "[unknown dir]\[unknown file name].exe"/del
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Proactive SafetyInstallLocation [unknown dir]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Windows Maintenance Guard\Publisher UIS Inc.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\Clsid
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Dumped_.DocHostUIHandler\ Implements DocHostUIHandler
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableConsoleTracing 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\EnableFileTracing 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileTracingMask -65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\MaxFileSize 1048576
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\ConsoleTracingMask -65536
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG\FileDirectory %windir%\tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVWEBGRD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AluSchedulerSvc.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
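
The registry entries above show two mechanisms: Image File Execution Options subkeys whose Debugger value points security tools at svchost.exe, and an HKCU Run value that starts the rogue from %CommonAppData%. The following read-only PowerShell audit for both is an added example, not part of the original page or of any SpywareRemove.com tooling; the variable names and the choice to treat Run entries in application-data folders as review leads are assumptions of the example.

```powershell
# Added example: read-only audit, makes no changes to the registry.
$ifeoPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runPath  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

# 1. IFEO subkeys with a Debugger value. Windows starts the named "debugger"
#    instead of the image, so pointing a security tool at svchost.exe
#    (the pattern in the list above) keeps that tool from running.
$ifeoHits = Get-ChildItem -Path $ifeoPath -ErrorAction SilentlyContinue |
    ForEach-Object {
        $debugger = $_.GetValue('Debugger')
        if ($debugger) {
            [pscustomobject]@{
                Image       = $_.PSChildName
                Debugger    = $debugger
                MatchesPage = [bool]($debugger -match 'svchost\.exe')
            }
        }
    }

# 2. HKCU Run values whose command starts in an application-data folder,
#    as the page's "%CommonAppData%\58ef5\SP98c.exe" /s /d entry does.
#    Assumption of this example: such entries are leads to review, since
#    legitimate software also autostarts from these folders.
$roots = 'CommonApplicationData', 'ApplicationData', 'LocalApplicationData' |
    ForEach-Object { [Environment]::GetFolderPath($_) } |
    Where-Object { $_ }

$runKey  = Get-Item -Path $runPath -ErrorAction SilentlyContinue
$runHits = if ($runKey) {
    foreach ($name in $runKey.GetValueNames()) {
        $command = [string]$runKey.GetValue($name)
        $exePath = $command.TrimStart('"', ' ')
        $root = $roots |
            Where-Object { $exePath.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) } |
            Select-Object -First 1
        if ($root) {
            [pscustomobject]@{ Name = $name; Command = $command; Root = $root }
        }
    }
}

$ifeoHits | Sort-Object Image | Format-Table -AutoSize
$runHits  | Sort-Object Name  | Format-Table -AutoSize
```

A Debugger value can be legitimate (for example a developer's debugger or a Task Manager replacement), so the MatchesPage column separates the svchost.exe redirection listed here from other uses.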