
Windows Proactive Safety Rogue Removal Instructions



#1 Arief Prabowo

Posted 20 June 2012 - 01:57 PM

The Emsisoft malware research team has discovered a new outbreak of Windows Proactive Safety. Emsisoft Anti-Malware detects this malware as Rogue.Win32.WindowsProactiveSafety.

Windows Proactive Safety is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan results, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.

Creates new files:

%AppData%\Protector-[random].exe
%AppData%\result.db
%UserProfile%\Desktop\Windows Proactive Safety.lnk
%AllUsersProfile%\Start Menu\Programs\Windows Proactive Safety.lnk

Creates new registry entries:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
Inspector = %AppData%\Protector-[random].exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
Debugger = svchost.exe
HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
Debugger = svchost.exe
many similar entries…


To register this rogue application you can try the following serial number:

0W000-000B0-00T00-E0020

How to remove the infection of Windows Proactive Safety (Rogue.Win32.WindowsProactiveSafety)?

To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
Best regards,

Arief Prabowo [Research]

Emsisoft Team - http://www.emsisoft.com

#2 vendoragnostic

Posted 07 July 2012 - 02:28 AM

What is the benefit of registering the application?

#3 Arief Prabowo

Posted 07 July 2012 - 05:04 AM

It may help the removal process in case you want to remove it manually.
Best regards,

Arief Prabowo [Research]

Emsisoft Team - http://www.emsisoft.com