
Windows Safety Manager

Posted: April 17, 2012

Threat Metric

Threat Level: 10/10
Infected PCs: 9
First Seen: April 17, 2012
OS(es) Affected: Windows

Far from being a guardian of your computer's safety, Windows Safety Manager is a rogue anti-virus application that creates fake security alerts for the purposes of making its nonexistent services seem needed, as well as using a selection of other attacks that directly reduce your PC security. Symptoms of a Windows Safety Manager infection can include pop-up alerts, search engine hijacks, disabled Windows security features and problems with launching or running PC security programs. SpywareRemove.com malware researchers suggest that you do your best to identify and ignore fake alerts and other attempts at deceit that Windows Safety Manager may throw your way, and remove Windows Safety Manager with the same types of anti-malware programs that you would bring to bear against any virus, worm or Trojan.

Windows Safety Manager – a New Brand Name Wrapped Around a Well-Used Threat

Windows Safety Manager may want to convince you that Windows Safety Manager is an original and helpful anti-virus program, but SpywareRemove.com malware researchers have corroborated its existence as nothing more than a clone of other PC threats from FakeVimes. Identical clones of Windows Safety Manager that exhibit equally harmful characteristics include but aren't limited to Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. Besides looking just like each other, these scamware-based PC threats are also known for reusing their fake warning messages, and you may want to watch out for fake alerts on any Windows Safety Manager-infected computer.

While Windows Safety Manager's aim is to use its fake system information to threaten you into spending money on buying a purchasable version of its faux security software, SpywareRemove.com malware experts recommend that you keep your money to yourself. System scans, pop-up alerts and all other forms of security information from Windows Safety Manager are always fraudulent, and Windows Safety Manager will never detect or remove real PC threats from your computer. In spite of all this, you may find it helpful to fake registering Windows Safety Manager before you try to delete Windows Safety Manager with anti-malware software. One freely-circulated code, '0W000-000B0-00T00-E0020,' is available to accomplish this if you need to take that extra step to put Windows Safety Manager down.

How to Make Sure That Windows Safety Manager Doesn't Keelhaul Your Real Safety-Enhancing Software

Windows Safety Manager's fake security functions may be the centerpiece of its hoax as a rogue anti-virus product, but Windows Safety Manager is also equipped with other attacks that can be considered more dangerous to your PC than its pop-ups. Some of Windows Safety Manager's worst potential security risks include:

  • Altered system settings that reduce your Windows and browser security in various ways (such as by disabling invalid signature detection or the UAC).
  • Browser redirects that make your web browser lead you to unusual sites or fail to load benign websites. Windows Safety Manager is particularly likely to cause a redirect after you try to use a search engine.
  • A thorough security program blockade that prevents you from using anti-malware applications and Windows tools like Task Manager.

Fortunately, all of these issues can be put to a halt by just launching Windows in a way that disables Windows Safety Manager's automatic startup. For this purpose, SpywareRemove.com malware researchers can recommend Safe Mode or a boot from a removable drive, while afterward, Windows Safety Manager should be removed by a qualified anti-malware program.


Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

file.exe
File name: file.exe
Size: 2.39 MB (2392576 bytes)
MD5: 82cc5b0597ed3e1c81269c7d0d02e518
Detection count: 90
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: February 4, 2014

%APPDATA%\Protector-hpp.exe
File name: Protector-hpp.exe
Size: 2.03 MB (2033152 bytes)
MD5: 1905bdaf77029c09b4bcd685d87a20fe
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %APPDATA%
Group: Malware file
Last Updated: April 17, 2012

%SystemDrive%\Users\<username>\AppData\Roaming\Protector-cyss.exe
File name: Protector-cyss.exe
Size: 1.93 MB (1934336 bytes)
MD5: 6ed6913e340792dff123b5b6de491daf
Detection count: 5
File type: Executable File
Mime Type: unknown/exe
Path: %SystemDrive%\Users\<username>\AppData\Roaming
Group: Malware file
Last Updated: April 17, 2012

%AppData%\result.db
File name: %AppData%\result.db
Mime Type: unknown/db
Group: Malware file

%AppData%\NPSWF32.dll
File name: %AppData%\NPSWF32.dll
File type: Dynamic link library
Mime Type: unknown/dll
Group: Malware file

%AppData%\Protector-[RANDOM CHARACTERS].exe
File name: %AppData%\Protector-[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

%CommonStartMenu%\Programs\Windows Safety Manager.lnk
File name: %CommonStartMenu%\Programs\Windows Safety Manager.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

%Desktop%\Windows Safety Manager.lnk
File name: %Desktop%\Windows Safety Manager.lnk
File type: Shortcut
Mime Type: unknown/lnk
Group: Malware file

Registry Modifications

The following Registry values and subkeys are newly created:

HKEY..\..\{Value}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-4-7_2"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "ahwohainwk"

HKEY..\..\..\..{Subkeys}
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetlnfo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe
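The UAC, redirect-warning, Run and Image File Execution Options entries above can be checked offline against a registry text dump. This is an added example, not code from SpywareRemove.com; it assumes the dump was produced with `reg export` (for instance from Safe Mode) and already decoded to a string, the sample data is constructed, and the `Debugger` value it reports is the standard Windows IFEO mechanism rather than something this page lists.

```python
import re

# Key and value names below are the ones listed under "Registry Modifications".
POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
INET = r"hkey_current_user\software\microsoft\windows\currentversion\internet settings"
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IFEO = "hkey_local_machine\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"
ZEROED = {POLICY: ["EnableLUA", "ConsentPromptBehaviorAdmin", "ConsentPromptBehaviorUser"],
          INET: ["WarnOnHTTPSToHTTPRedirect"]}
IFEO_NAMES = set("aswupdsv.exe atcon.exe advxdwin.exe aswrundll.exe inetlnfo.exe msascui.exe "
                 "bidef.exe dvp95.exe tds-3.exe winupdate.exe ozn695m5.exe rtvscn95.exe".split())

# Constructed sample in `reg export` text format (not taken from a real infected host).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\test\\AppData\\Roaming\\Protector-abcd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"Debugger"="placeholder.exe"
'''

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: data}} (string and dword values only)."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)):
            name, data = m.group(1).lower(), m.group(2)
            current[name] = (int(data[6:], 16) if data.startswith("dword:")
                             else data.strip('"').replace("\\\\", "\\"))
    return keys

def find_indicators(keys):
    """List the page's registry indicators that are present in a parsed export."""
    # Registry paths and value names are case-insensitive, so everything is compared lowercased.
    hits = [f"{name}=0" for key, names in ZEROED.items() for name in names
            if keys.get(key, {}).get(name.lower()) == 0]
    if "inspector" in keys.get(RUN, {}):
        hits.append("Run\\Inspector -> " + str(keys[RUN]["inspector"]))
    for key, values in keys.items():
        if key.startswith(IFEO) and key[len(IFEO):] in IFEO_NAMES:
            hits.append(f"IFEO {key[len(IFEO):]} debugger={values.get('debugger')}")
    return hits
```

Calling `find_indicators(parse_reg(SAMPLE))` returns one entry per indicator found; an empty list means none of the listed keys or values are present in the dump.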

Additional Information

The following messages were detected:

1. Error
   Attempt to modify Registry key entries detected.
   Registry entry analysis recommended.
2. Warning
   Firewall has blocked a program from accessing the Internet
   C:\program files\internet explorer\iexplore.exe
   is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
3. Warning! Spambot detected!
   Attention! A spambot sending viruses from your e-mail has been detected on your PC.
