Windows Warding System

1. Program description

Windows Warding System is a type of misleading application that pretends to be legitimate security software, such as an antivirus scanner or registry cleaner, but which actually provides the user with no protection (Rogue Security Software).

2. Actions

The program starts a misleading scan process. Once the scan is started Windows Warding System generates and shows fake messages about viruses, trojans and worms detected on the computer. Still the detected viruses cannot be deleted unless the program license is purchased.

3. Files

During the installation Windows Warding System copies the following files to the hard drive:

• %AppData%\Protector-[random].exe
• %AppData%\result.db
• %UserProfile%\Desktop\Windows Warding System.lnk
• %AllUsersProfile%\Start Menu\Programs\Windows Warding System.lnk

4. System registry

In order to function normally Windows Warding System creates the following branch in the system registry:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
  Inspector = %AppData%\Protector-[random].exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\
  Debugger = svchost.exe
• HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\
  Debugger = svchost.exe
• and many others

5. Screenshots of the program

6. Windows Warding System removal

Before uninstalling Windows Warding System by OS Windows standard tools register the software using the following serial number:

0W000-000B0-00T00-E0020

	Useful references
	Download trial version of Kaspersky Lab product Download Kaspersky Removal Tool 2011