1. Description
Windows Safety Maintenance is a fake antivirus (rogue AV) program that poses a serious threat to any computer it infects.
2. Behavior inside the compromised system
Windows Safety Maintenance pretends to scan the system for malicious objects and generates scan reports claiming multiple infections were detected. These reports are misleading and should not be taken seriously; most likely there are no viruses on your system other than Windows Safety Maintenance itself.
3. Files
During installation, Windows Safety Maintenance copies the following files to the hard disk:
- %AppData%\NPSWF32.dll
- %AppData%\Protector-[rnd].exe
- %AppData%\result.db
4. System registry
Windows Safety Maintenance creates the following registry entries:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[rnd].exe
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect = 0
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ID = 4
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\UID = [rnd]
- HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\net = [date of installation]
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin = 0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser = 0
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA = 0
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger = svchost.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger = svchost.exe
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger = svchost.exe
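As an added example (not part of the original write-up), the following PowerShell audit script checks a host for the files and registry values listed above. It assumes the paths and values exactly as given, treats only the [rnd] and [date] parts as wildcards, and reports findings without changing anything.

```powershell
# Added example: read-only audit for the Windows Safety Maintenance artifacts
# listed in sections 3 and 4. Run from an elevated PowerShell so HKLM is readable.
$findings = @()

# Section 3: dropped components under %AppData% ([rnd] handled as a wildcard)
foreach ($pattern in 'NPSWF32.dll', 'Protector-*.exe', 'result.db') {
    Get-ChildItem -Path $env:APPDATA -Filter $pattern -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "File: $($_.FullName)" }
}

# Section 4: Run-key persistence, value 'Inspector' pointing at Protector-<rnd>.exe
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$inspector = (Get-ItemProperty -Path $run -Name 'Inspector' -ErrorAction SilentlyContinue).Inspector
if ($inspector -and $inspector -like '*Protector-*.exe*') {
    $findings += "Run key: Inspector = $inspector"
}

# Section 4: UAC switched off through the three policy values set to 0
$policy = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
foreach ($name in 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser', 'EnableLUA') {
    $v = (Get-ItemProperty -Path $policy -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -eq 0) { $findings += "UAC policy: $name = 0" }
}

# Section 4: HTTPS-to-HTTP redirect warning disabled
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$warn = (Get-ItemProperty -Path $inet -Name 'WarnOnHTTPSToHTTPRedirect' -ErrorAction SilentlyContinue).WarnOnHTTPSToHTTPRedirect
if ($null -ne $warn -and $warn -eq 0) { $findings += 'Internet Settings: WarnOnHTTPSToHTTPRedirect = 0' }

# Section 4: IFEO hijack, Debugger = svchost.exe on the listed security-tool image names
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($image in 'AAWTray.exe', 'AVCare.exe', 'AVENGINE.EXE') {
    $key = Join-Path $ifeo $image
    $dbg = (Get-ItemProperty -Path $key -Name 'Debugger' -ErrorAction SilentlyContinue).Debugger
    if ($dbg -and $dbg -match 'svchost\.exe') { $findings += "IFEO: $image Debugger = $dbg" }
}

# Section 4: marker values under ...\CurrentVersion\Settings (ID = 4, UID = [rnd], net = [date])
$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings'
$s = Get-ItemProperty -Path $settings -ErrorAction SilentlyContinue
if ($s -and $s.ID -eq 4 -and $s.PSObject.Properties['UID']) {
    $findings += "Settings marker: ID = $($s.ID), UID = $($s.UID), net = $($s.net)"
}

if ($findings.Count -eq 0) { 'No Windows Safety Maintenance artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Any IFEO Debugger value of svchost.exe on a security tool's image name, or EnableLUA = 0, is worth investigating even if the other indicators are absent, since both settings are rarely legitimate.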
We recommend removing this infection immediately upon detection to avoid system damage and leakage of personal details.