Windows Maintenance Guard

June 19, 2012

Windows Maintenance Guard is a rogue antivirus program from the same group of cyber criminals who created Windows Secure Web Patch. This malware is distributed via a Trojan that can install it without your approval. Once loaded, it issues fake alerts stating that your computer is infected with viruses. This trick attempts to scare you and make you think that your PC is severely infected. Windows Maintenance Guard will then try to persuade you to purchase a program that promises instant removal. Keep in mind that rogue programs are not capable of performing virus scans or removal. They are created primarily to mimic what a real antivirus program does. Windows Maintenance Guard may scan the system, but all you will receive are false detections. A rogue program is likewise incapable of protecting a computer against virus attacks and is therefore worthless.

During installation, the Trojan makes changes to your computer so that Windows Maintenance Guard runs on its own after you log on to Windows. Then it launches a virus scan and reports many infections that it cannot fix unless you are using the full version of Windows Maintenance Guard. You must know that even if you have the licensed version, you still cannot remove the threats it identified. We need to mention once again that there are no threats other than Windows Maintenance Guard itself. Therefore, you must run a virus scan on the computer with the help of a genuine security program. Make sure that it has the most recent database so that your antivirus will leave no files of Windows Maintenance Guard behind.

Type: Rogue
Sub-Type: FakeAV
OS Affected: Windows XP, Windows Vista, Windows 7

What are the Symptoms of Windows Maintenance Guard Infection?

Once this rogue program enters the computer, it will run a virus scan just as legitimate security programs do. However, since Windows Instant Scanner is fake, it will produce fictitious results. Below is a screenshot.

[Screenshot: Windows Maintenance Guard Scanner]

It will modify the Windows Registry and add the following entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “u_2012-5-24_6”
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “mkmslopcmd”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\titaninxp.exe

The threat will drop the following malicious files:
%AppData%\NPSWF32.dll
%AppData%\Protector-[random 3 characters].exe
%AppData%\Protector-[random 4 characters].exe
%AppData%\result.db
%CommonStartMenu%\Programs\Windows Maintenance Guard.lnk
%Desktop%\Windows Maintenance Guard.lnk
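
The following PowerShell script is an added example, not part of the original article: it reports which of the registry entries and files listed above are present and changes nothing. It assumes %CommonStartMenu% and %Desktop% correspond to the all-users Start Menu and the current user's desktop as resolved by WScript.Shell; the helper name Test-RegValue is made up for this example.

```powershell
# Added example: read-only check for the indicators listed in this article.
# Value-only matches (e.g. EnableLUA = 0) can also occur on clean systems,
# so treat a hit as a reason to run a full scan, not as proof of infection.
function Test-RegValue($Path, $Name, $Expected) {
    $p = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $false }
    return ($null -eq $Expected) -or ($p.$Name -eq $Expected)
}

$cv   = 'Software\Microsoft\Windows\CurrentVersion'
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hits = @()

# Registry values as listed on the page: path, value name, expected data
# ($null = the page gives no data, so only the value's presence is checked).
$values = @(
    @("HKCU:\$cv\Internet Settings", 'WarnOnHTTPSToHTTPRedirect', 0),
    @("HKCU:\$cv\Policies\System",   'DisableRegedit',       0),
    @("HKCU:\$cv\Policies\System",   'DisableRegistryTools', 0),
    @("HKCU:\$cv\Policies\System",   'DisableTaskMgr',       0),
    @("HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system", 'EnableLUA', 0),
    @("HKCU:\$cv\Run",               'Inspector',            $null),
    @("HKCU:\$cv\Settings",          'net',                  'u_2012-5-24_6'),
    @("HKCU:\$cv\Settings",          'UID',                  'mkmslopcmd')
)
foreach ($v in $values) {
    if (Test-RegValue $v[0] $v[1] $v[2]) { $hits += "REG  $($v[0]) [$($v[1])]" }
}

# Image File Execution Options subkeys listed on the page.
foreach ($exe in 'advxdwin.exe', 'SafetyKeeper.exe', 'titaninxp.exe') {
    if (Test-Path "$ifeo\$exe") { $hits += "IFEO $ifeo\$exe" }
}

# Dropped files. Assumption: the two shell folders are resolved via WScript.Shell.
$shell     = New-Object -ComObject WScript.Shell
$startMenu = $shell.SpecialFolders.Item('AllUsersStartMenu')
$desktop   = $shell.SpecialFolders.Item('Desktop')
$patterns  = @(
    "$env:APPDATA\NPSWF32.dll", "$env:APPDATA\result.db",
    "$env:APPDATA\Protector-???.exe", "$env:APPDATA\Protector-????.exe",
    "$startMenu\Programs\Windows Maintenance Guard.lnk",
    "$desktop\Windows Maintenance Guard.lnk"
)
foreach ($p in $patterns) {
    foreach ($f in @(Get-ChildItem -Path $p -Force -ErrorAction SilentlyContinue)) {
        $hits += "FILE $($f.FullName)"
    }
}
if ($hits.Count -gt 0) { $hits } else { 'No listed indicators found.' }
```

Run it as the affected user, since most of the listed entries live under that user's HKCU hive and %AppData% folder.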
