Tuesday, November 26, 2013

Remove Windows Cleaning Toolkit, an excellent sample of a malicious counterfeit program

Windows Cleaning Toolkit excels at two things: first, it is very good at showing its popups; second, it stops other applications in an instant.
The message and scan windows it generates contain nothing but misleading information, and the programs it blocks are harmless, legitimate and probably critical to you. The blocking can apply to virtually any application you attempt to run: the malware modifies the relevant registry entry so that whenever you request an exe file to open, this piece of malware launches itself.
The malware is classified as a fake antivirus. As you can see, removing Windows Cleaning Toolkit is not only about its deceptive nag screens: you also need to clean it out just to be able to run your normal apps.
The free scanner available here is a perfect solution to get rid of Windows Cleaning Toolkit and any other contaminants in your software environment and file system.





Manual removal directions:

Delete files:
%AppData%\guard-.exe
%AppData%\result1.db

Delete Windows Cleaning Toolkit registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\\Users\\User\\AppData\\Roaming\\guard-.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
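
Before deleting anything, the values listed above can be checked in place. The following read-only PowerShell audit is an added example, not part of the original post; the helper name `Get-RegValue` and the `Why` descriptions are this example's own, and the file names are used exactly as listed above.

```powershell
# Read-only audit of the indicators listed above; nothing is changed or deleted.
# Added example: Get-RegValue and the "Why" texts are this example's own names.
function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -LiteralPath $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$cv   = 'Software\Microsoft\Windows\CurrentVersion'
$nt   = 'Software\Microsoft\Windows NT\CurrentVersion'
$ifeo = "HKLM:\$nt\Image File Execution Options"
$uac  = "HKLM:\$cv\Policies\System"
$any  = { param($v) $true }           # the value is not expected to exist at all
$zero = { param($v) "$v" -eq '0' }    # UAC setting switched off

$checks = @(
    @{ Key = "HKCU:\$cv\Run"; Name = 'GuardSoftware'; Bad = $any; Why = 'autostart entry' }
    @{ Key = "HKCU:\$nt\Winlogon"; Name = 'Shell'; Bad = $any; Why = 'per-user shell replaced' }
    @{ Key = "HKCU:\$cv\Policies\Associations"; Name = 'LowRiskFileTypes'
       Bad = { param($v) $v -match '\.exe(;|$)' }; Why = '.exe treated as low risk' }
    @{ Key = "HKCU:\$cv\Policies\Attachments"; Name = 'SaveZoneInformation'
       Bad = { param($v) "$v" -eq '1' }; Why = 'zone information not saved' }
    @{ Key = "$ifeo\msseces.exe"; Name = 'Debugger'; Bad = $any; Why = 'launch redirected' }
    @{ Key = "$ifeo\msmpeng.exe"; Name = 'Debugger'; Bad = $any; Why = 'launch redirected' }
    @{ Key = $uac; Name = 'ConsentPromptBehaviorAdmin'; Bad = $zero; Why = 'UAC prompt off' }
    @{ Key = $uac; Name = 'ConsentPromptBehaviorUser'; Bad = $zero; Why = 'UAC prompt off' }
    @{ Key = $uac; Name = 'EnableLUA'; Bad = $zero; Why = 'UAC disabled' }
)

# Keep only the values that exist and whose data matches the listed indicator.
$findings = foreach ($c in $checks) {
    $data = Get-RegValue $c.Key $c.Name
    if ($null -ne $data -and (& $c.Bad $data)) {
        [pscustomobject]@{ Key = $c.Key; Value = $c.Name; Data = $data; Why = $c.Why }
    }
}

# Files from the "Delete files" list, checked under the current user's %AppData%.
$files = 'guard-.exe', 'result1.db' |
    ForEach-Object { Join-Path $env:APPDATA $_ } |
    Where-Object { Test-Path -LiteralPath $_ }

$findings | Format-Table -AutoSize -Wrap
$files | ForEach-Object { "File present: $_" }
```

A finding is a prompt to inspect the value, since some of these settings (the UAC policy values in particular) can also be set deliberately by an administrator.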
