Windows Custom Safety
Written by Tomas Meskauskas on
What is Windows Custom Safety and how to remove it?
Windows Custom Safety is a rogue program which imitates a real antivirus software and tries to trick PC users into purchasing it's licence key. It's an empty software which doesn't have any of the features required for a legitimate security program, the lack of virus definition database and virus scan engine clearly states that Windows Custom Safety is a fake antivirus program which shouldn't be trusted. All the processes that are shown by this program are imitated, this bogus software doesn't actually scan your PC for security infection, it imitates this system check-up to force you into believing that your computer has severe security issues.
To eliminate these supposedly detected spyware and viruses you will be asked to activate "ultimate protection", that means buying Windows Custom Safety. Don't even consider paying for the removal of the security threats that are indicated by this program, it's a scam created by Internet criminals. You will send your money to Cyber criminals and your PC will stay infected with this rogue program. You should ignore all the security scans and warning pop-ups displayed by this software, combined with registry modifications these scans and messages serves the goal of tricking you into purchasing a totally useless software.
To distribute Windows Custom Safety Internet criminals are using misleading websites which either displays fake security warning messages or uses security vulnerabilities in users PC to install this rogue antivirus program. Your PC could have got infected with this fake security scanner when you clicked on a fake online security message or fake anonymous torrent connection pop-up. Other known method of spreading Windows Custom Safety is displaying a fake online security scan which indicates various security infections and asks PC user to download and install this bogus software to eliminate these supposedly detected security threats .Don't trust this or any similar looking program, Windows Custom Safety comes from a big family of rogue programs which all shares the same user interface. Previous versions of this malicious program were named Windows Privacy Module, Windows Maintenance Suite, Windows PC Aid and over one hundred others. If you have noticed this program on your desktop you should use this removal guide and eliminate it from your PC.
Windows Custom Safety generates such fake warning messages:
"Warning! Virus Detected Threat detected: FTP Server Infected file: C:\Windows\System32\dllcache\wmploc.dll"
"Warning! Identity theft attempt Detected Hidden connection IP: 58.82.12.124 Target: Your passwords for sites"
"Error Key-logger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan"
Windows Custom Safety removal:
Before downloading the remover for Windows Custom Safety click a question mark icon at the top of the main window of this program, choose "Activate Now" and enter this registration code: 0W000-000B0-00T00-E0020 This will enable blocked Windows functions and will make the further removal process much easier, after entering the activation code continue to downloading the spyware remover.
remover for Windows Custom Safety
If you can't download or run spyware remover try running registry fix (link below). It enables execution of programs. download registryfix.reg file, double click it, click YES and then OK.
After removing Windows Custom Safety, you will need to reset your Hosts file. Don't skip this step, this malware modifies your Hosts files, and you will encounter browser redirect problems if malicious entries will not be removed from hosts file.
Hosts file is used to resolve some canonical names of websites to IP addresses. When it is changed, the user may be redirected to malicious site still seeing good URL in address bar. It is very hard to find out if the site is genuine or not, when hosts file is modified. To fix this, please download Microsoft Fix It tool, that restores your hosts file to Windows default. Run this tool when downloaded and follow the on-screen instructions. Download link below:
After doing all these steps your computer should be clean. Windows Custom Safety will be removed.
If you can't use Internet or your browser is closed after a few moments when you open it (Internet explorer, Firefox, Opera, Chrome)
Depending on the version of this infection, Windows Custom Safety may close your browser when you open it and you can't download removal software. If you have this problem, you may try to do the following:
Click Start then click Run. (Windows logo button on Win7/Vista)
In Windows XP, When the Run dialog appears enter this text: www.pcrisk.com/download-spyware-remover and then press ENTER. In Windows 7 and Vista you can just type this text directly in search field and press ENTER (when pressed Windows logo button)
After pressing enter, Download file dialog will appear. Click Run and follow the on-screen instructions to scan your computer. If you can't run the downloaded file, try renaming it to iexplore.exe
By renaming this file, you will trick Windows Custom Safety and it will think, that you are trying to run Internet Explorer.
Manual Windows Custom Safety removal:
If you were unable to remove Windows Custom Safety using the steps above, you can use this manual removal instruction. Use it at your own risk. If you don't have strong computer knowledge you could harm your operating system. Be careful and use it only if you are an experienced computer user. (Instructions on how to end processes, remove registry entries...)
End these Windows Custom Safety processes:
random.exe
Protector.exe (Protector.exe file may have 3 or more random characters at the end of it's file name like ProtectionGQY.exe)
Remove these Windows Custom Safety registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoler.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net
Delete these Windows Custom Safety files:
%StartMenu%\Programs\Windows Custom Safety.lnk
%AppData%\Protector.exe (NOTE: this file may have various symbols at the end of it's name. Look for the similar file name pattern and remove it)
%AppData%\result.db
%Desktop%\Windows Custom Safety.lnk
Other tools known to remove Windows Custom Safety: