
Windows Safety Checkpoint

Posted: April 27, 2012

Threat Metric

Threat Level: 10/10
Infected PCs: 7
First Seen: April 27, 2012
Last Seen: February 6, 2019
OS(es) Affected: Windows

Windows Safety Checkpoint is marketed as an anti-virus scanner with a solid range of other security-related features, but in spite of its aesthetics, it is just another rogue anti-virus application that displays fake warnings about Trojans, unauthorized network activity and other attacks that don't exist. Because Windows Safety Checkpoint is also derived from a family of scamware that has been noted for browser hijacks, attacks against unrelated security programs and attempts to disable Windows security features, SpywareRemove.com malware researchers consider it an active danger to your PC that should be removed with an anti-malware scan immediately after you notice symptoms of infection. Even though its primary purpose is to seduce you into throwing away your money on its purchasable version, the registered version is just as lacking in value as the 'free' version, and buying Windows Safety Checkpoint should never be considered a viable solution to a Windows Safety Checkpoint infection or other computer problems.

Windows Safety Checkpoint: Rogue AV Software That's Closer to Virus Than Anti-Virus Itself

Windows Safety Checkpoint draws its lineage from FakeVimes, a group of fake anti-virus applications that have been in distribution since 2010. In the past two years, Win32/FakeVimes scamware like Windows Safety Checkpoint has reappeared under new names again and again, with common examples of Windows Safety Checkpoint clones including Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. Although some variants of Win32/FakeVimes-based rogue anti-virus programs show minor differences in appearance, SpywareRemove.com malware researchers have found that recent variants like Windows Safety Checkpoint are always identifiable by fake features like 'anti-phishing,' an 'Advanced Process Control,' an 'All-In-One Suite,' an anti-virus scanner and various pop-up alerts.

System scans, pop-ups and other forms of information that are provided by Windows Safety Checkpoint will always try to portray your PC as being under attack by an unrealistically large quantity of high-level PC threats, but such warnings can be safely ignored as fraudulent. Besides being incapable of detecting real Trojans, viruses or other PC threats, Windows Safety Checkpoint is also incapable of deleting any type of malicious software – even if you waste money on its purchasable version. Nevertheless, SpywareRemove.com malware experts note that registering Windows Safety Checkpoint for free with the code '0W000-000B0-00T00-E0020' can sometimes be useful for removing Windows Safety Checkpoint with less interference.

The Full Checklist of Windows Safety Checkpoint's Aggressions

Fake security pop-ups, system scans and similar types of inaccurate system analyses can always be considered Windows Safety Checkpoint's raison d'être, but some functions of Windows Safety Checkpoint that are secondary to its primary purpose can actually be of greater danger than its primary attacks. Like other fake anti-virus applications based on Win32/FakeVimes, Windows Safety Checkpoint may also enact hostile behavior against legitimate security programs and some Windows features, such as:

  • Windows Safety Checkpoint may disable the UAC, which SpywareRemove.com malware experts stress is a high-priority security attack that allows PC threats like Windows Safety Checkpoint to make unauthorized changes to your computer.
  • Windows Safety Checkpoint may hijack your web-browsing activities, especially for the sake of redirecting you from reputable search engines to suspicious or outright hostile ones. Such hijacks are likely to function in all types of web browsers due to a Trojan changing the Hosts file.
  • Windows Safety Checkpoint may also prevent you from using real security programs, including Task Manager, while Windows Safety Checkpoint is active. In cases where this prevents you from running an anti-malware scan to delete Windows Safety Checkpoint, SpywareRemove.com malware analysts can recommend Safe Mode, a boot from a network-shared drive or a boot from a removable drive to launch Windows without Windows Safety Checkpoint getting in the way.



Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



  • %APPDATA%\Protector-ucxk.exe
    File name: Protector-ucxk.exe
    Size: 1.86 MB (1865216 bytes)
    MD5: e2b9f9e66abbb94a9477ca14a3ad39d8
    Detection count: 97
    File type: Executable File
    Mime Type: unknown/exe
    Path: %APPDATA%
    Group: Malware file
    Last Updated: April 27, 2012

  • %APPDATA%\Protector-obux.exe
    File name: Protector-obux.exe
    Size: 1.86 MB (1860608 bytes)
    MD5: 6d3b5309cfb72ace5320a827d09a91df
    Detection count: 76
    File type: Executable File
    Mime Type: unknown/exe
    Path: %APPDATA%
    Group: Malware file
    Last Updated: April 27, 2012

  • %AppData%\Inspector-[RANDOM CHARACTERS].exe
    File name: %AppData%\Inspector-[RANDOM CHARACTERS].exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file

  • %AppData%\Protector-[RANDOM CHARACTERS].exe
    File name: %AppData%\Protector-[RANDOM CHARACTERS].exe
    File type: Executable File
    Mime Type: unknown/exe
    Group: Malware file

Registry Modifications

The following Registry entries were newly created:

HKEY..\..\{Value}

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "ID" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "rudbxijemb"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-2-17_2"

HKEY..\..\..\..{Subkeys}

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe
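As an added example (not part of the original write-up or of any vendor tool), the Python sketch below checks the text of a `reg export` dump for the Run value, the Image File Execution Options subkeys and the Protector-/Inspector- file names listed on this page. The sample export, the user name in it, the function name and the character class used for the random file-name suffix are constructed for illustration.

```python
import re

# Indicators taken from the registry and file lists on this page (lower-cased for matching).
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
IFEO_TARGETS = {"zapsetup3001.exe", "divx.exe", "mostat.exe", "platin.exe",
                "_avp32.exe", "_avpcc.exe", "ashdisp.exe", "tapinstall.exe"}
# Assumption: the "[RANDOM CHARACTERS]" suffix is alphanumeric, as in the two named samples.
FILE_RE = re.compile(r"(?:Protector|Inspector)-[A-Za-z0-9]+\.exe", re.I)

# Constructed sample export; real exports are UTF-16 and must be decoded to text first.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\alice\\AppData\\Roaming\\Protector-abcd.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
'''

def scan_reg_export(text):
    """Return a sorted list of findings from the text of a .reg export."""
    findings, key = set(), ""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Section header: remember the current key and test it against the IFEO list.
            key = line[1:-1].lower()
            parent, _, leaf = key.rpartition("\\")
            if parent == IFEO_KEY and leaf in IFEO_TARGETS:
                findings.add("IFEO subkey: " + leaf)
        elif line.startswith('"') and "=" in line:
            # Value line: "name"=data
            name, _, data = line.partition("=")
            if key == RUN_KEY and name.strip('"').lower() == "inspector":
                findings.add("Run value: Inspector")
            match = FILE_RE.search(data)
            if match:
                findings.add("File reference: " + match.group(0))
    return sorted(findings)

if __name__ == "__main__":
    for finding in scan_reg_export(SAMPLE):
        print(finding)
```

A hit on an Image File Execution Options subkey alone is weak evidence, since legitimate software also creates such keys; the findings are meant to be read together.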

Additional Information

The following messages were detected:

  1. Error
     Trojan activity detected. System data security is at risk.
  2. Warning
     Firewall has blocked a program from accessing the Internet
     C:\program files\internet explorer\iexplore.exe is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
