6/19/2012

How to remove Windows Maintenance Guard?

1.Description

Windows Maintenance Guard is a nefarious anti-virus software that aims to gain commercial profit by taking advantage of users’ credulity.


2. Malicious things done on the infected machine

Windows Maintenance Guard pretends to scan the system for malicious objects. When this fake is terminated, the list of detected threats is generated where one can read about numerous viruses, worms and Trojans residing on the system. If one tries to remove these threats, he/she will be rerouted to the site where the commercial version of Windows Maintenance Guard is offered to fix all spotted bugs.

3. Files

In the process of the installation, Windows Maintenance Guard copies the following files to the hard disk.

  • %AppData%\NPSWF32.dll
  • %AppData%\Protector-[rnd].exe
  • %AppData%\result.db

4. System registry

Windows Maintenance Guard creates the following registry entries:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
  • HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe

5. Screenshots of the malware




6. Windows Maintenance Guard automatic Remover

Posted by at
Labels: , , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)