Windows Virtual Angel

Windows Virtual Angel - how to remove?

Windows Virtual Angel is another fake antivirus program from a family of rogues called "FakeVimes". This rogue family contains well over one hundred malicious programs, all sharing the same user interface. Internet criminals seem to have a tough time coming up with new names for their misleading programs: Windows Virtual Angel is not a common name for a security program. While the name is new, the core of the program and its looks are the same as those of its predecessors. Cyber criminals who actively distribute fake antivirus programs from this rogue family also use similar trickery to install Windows Virtual Angel on users' computers.

In most cases, this and other rogue applications from the "FakeVimes" family are distributed through fake online security scan pop-ups or false online security warning messages. These misleading messages state that the user's computer is infected with viruses and that Windows Virtual Angel should be downloaded and installed to remove the supposedly found security threats. New bogus websites that show such pop-ups and use security vulnerabilities to install Windows Virtual Angel are created daily. The best way to prevent such fake security scanners and other malware from entering your PC is to use legitimate antivirus and anti-spyware programs. Also, don't be tricked by online pop-ups that report severe PC infections: they are fake, and cyber criminals actively use such pop-ups to promote their malicious software.

If you have noticed Windows Virtual Angel, or an identical-looking program that asks you to activate "ultimate" protection in order to remove security infections, you can be sure that you are dealing with fake antivirus software. It's a scam that relies on trickery: it shows fake security scan results in the hope that you will pay for its full version to remove them. In reality, none of the security infections indicated in Windows Virtual Angel's detection list actually exist on your PC. The Internet criminals who released this scam hope that you will believe your computer is at risk and send your money to them. Previous variants of this scam were named Windows Profound Security, Windows Expert Series and Windows Virus Hunter. Don't be fooled by the security scans and warning messages generated by this rogue software; use this step-by-step removal guide to eliminate Windows Virtual Angel from your PC.

Windows Virtual Angel generates such fake warning messages:

"Warning! Virus Detected Threat detected: FTP Server Infected file: C:\Windows\System32\dllcache\wmploc.dll"

"Warning! Identity theft attempt Detected Hidden connection IP: 58.82.12.124 Target: Your passwords for sites"

"Error Key-logger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan"

"Microsoft Security Essentials detected potential threats that might compromise your privacy or damage your computer. You need to clean your computer immediatly to prevent the system crash"

"Trojan-PSW.Win32.launch Hack Tool:Win32/Welevate.A Adware.Win32.Fraud"

Windows Virtual Angel removal:

Before downloading the remover for Windows Virtual Angel, click the question mark icon at the top of the program's main window, choose "Activate Now" and enter this registration code: 0W000-000B0-00T00-E0020. This will enable blocked Windows functions and make the further removal process much easier. After entering the activation code, continue to downloading the spyware remover.

By downloading any software listed on this website you agree to our Privacy Policy and Terms of Use. We are affiliated with anti-virus and anti-spyware software listed on this site. All the products we recommend were carefully tested and approved by our technicians as being one of the most effective solutions for removing this threat.

If you can't download or run the spyware remover, try running the registry fix, which enables execution of programs. Download the registryfix.reg file, double-click it, click YES and then OK.

Manual Windows Virtual Angel removal instructions:

Step 1
Start your computer in safe mode. Click Start, then click Shut down. Select Restart and click OK. While your computer is starting, press the F8 key on your keyboard multiple times until the Windows Advanced Options menu shows up, then select Safe mode with networking from the list and press ENTER.

Step 2

Now we need to remove the proxy settings. Windows Virtual Angel adds a proxy to your Internet connection settings so that various errors are shown when you try to access the Internet. To remove it, open Internet Explorer, click Tools and select Internet Options. Then select the "Connections" tab.


In the "Connections" tab, click LAN settings. If "Use a proxy server for your LAN" is checked, uncheck it and press OK.


Step 3
Download HijackThis and save it on your desktop. Some malicious programs are able to block HijackThis, so when you click the download link, rename HijackThis.exe to iexplore.exe in the Save dialog and only then click the Save button. After saving the file on your desktop, double-click it. In the main HijackThis window, click the "Do a system scan only" button. Select these entries (place a tick at the left of the entry):

O4 - HKCU\..\Run: [Inspector] %AppData%\Protector.exe (Protector.exe file may have 3 or more random characters at the end of its file name like ProtectionGQY.exe)

After selecting required entries, click "Fix Checked" and these entries will be removed. After this procedure you can close HijackThis and proceed to the next removal step.

Step 4
Download legitimate anti-spyware software to fully remove Windows Virtual Angel from your computer.

Step 5
After removing Windows Web Commander, you will need to reset your Hosts file. Don't skip this step: this malware modifies your Hosts file, and you will encounter browser redirect problems if the malicious entries are not removed from it.

The Hosts file is used to resolve some canonical names of websites to IP addresses. When it is changed, the user may be redirected to a malicious site while still seeing a good URL in the address bar. It is very hard to find out whether a site is genuine when the Hosts file has been modified. To fix this, please download the Microsoft Fix It tool, which restores your Hosts file to the Windows default. Run the tool once it has downloaded and follow the on-screen instructions.

Finish
After completing all these steps your computer should be clean.
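An added example, not part of the original guide: a Python check for the Hosts file tampering described in Step 5, listing every mapping other than the stock localhost entries so that redirected names can be reviewed before the file is reset. The sample contents, the host names and the 203.0.113.0/24 documentation addresses are constructed.

```python
import ipaddress

# Constructed sample of a tampered hosts file. Host names are placeholders and
# 203.0.113.0/24 is a documentation range, not an indicator from this guide.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
::1             localhost
203.0.113.10    search.example.com www.example.com   # injected redirect
203.0.113.10\tmail.example.com
0.0.0.0         update.example.net
not-an-ip       broken.example.org
"""

DEFAULT_NAMES = {"localhost"}


def audit_hosts(text):
    """Return (line_no, address, names, reason) for every non-default mapping."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()    # drop full-line and inline comments
        if not entry:
            continue
        fields = entry.split()                  # spaces or tabs separate the fields
        address, names = fields[0], fields[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append((line_no, address, names, "malformed address"))
            continue
        if not names:
            findings.append((line_no, address, names, "address without hostname"))
        elif ip.is_loopback and {n.lower() for n in names} <= DEFAULT_NAMES:
            continue                            # stock localhost entry
        elif ip.is_loopback or ip.is_unspecified:
            findings.append((line_no, address, names, "hostname blackholed"))
        else:
            findings.append((line_no, address, names, "hostname redirected"))
    return findings


if __name__ == "__main__":
    for line_no, address, names, reason in audit_hosts(SAMPLE_HOSTS):
        print(f"line {line_no}: {reason}: {' '.join(names)} -> {address}")
```

On Windows the file to read is `%SystemRoot%\System32\drivers\etc\hosts`; pass its text to `audit_hosts`.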

Other tools known to remove Windows Virtual Angel:

Some malicious software modifies browser settings and disables downloads of spyware and virus removal software. If you have problems downloading anti-spyware software with Internet Explorer, try downloading with Chrome, Firefox, Opera, etc.

If you can't access the Internet:

Load your computer in safe mode. Click Start, click Shut down, click Restart, click OK. While your computer is starting, press the F8 key on your keyboard multiple times until you see the Windows Advanced Options menu, then select Safe mode with networking from the list.

Start Task Manager: press Ctrl+Alt+Del (or Ctrl+Shift+Esc) and end the processes of the rogue program. (If you can't access any programs after this procedure, press Ctrl+Alt+Del, click File, select New Task, type explorer.exe and then press OK.)

Open Internet Explorer, click Tools and select Internet Options. Select Connections, then click LAN settings. If "Use a proxy server for your LAN" is checked, uncheck it and press OK.

After this procedure you should be able to access the Internet. Now you can download anti-spyware software from our "Top spyware removers" section. Download, install and don't forget to update your selected anti-spyware program. Then run a full system scan.

Manual Windows Virtual Angel removal:

If you were unable to remove Windows Virtual Angel using the steps above, you can use this manual removal instruction. Use it at your own risk. If you don't have strong computer knowledge you could harm your operating system. Be careful and use it only if you are an experienced computer user. (Instructions on how to end processes, remove registry entries...)

End these Windows Virtual Angel processes:

random.exe
Protector.exe (Protector.exe file may have 3 or more random characters at the end of its file name like ProtectionGQY.exe)

Remove these Windows Virtual Angel registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashLogV.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\beagle.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\jedi.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msa.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ntvdm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spoler.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vir-help.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net

Delete these Windows Virtual Angel files:

%StartMenu%\Programs\Windows Virtual Angel.lnk
%AppData%\Protector.exe (NOTE: this file may have various symbols at the end of its name. Look for a similar file name pattern and remove it)
%AppData%\result.db
%Desktop%\Windows Virtual Angel.lnk
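
An added example, not part of the original guide: a Python triage of a registry export (.reg text, as written by `reg export`) for the indicators named in Step 2, Step 3 and the manual removal lists above. The `ProxyEnable` value name, the file-name pattern derived from the guide's "Protector.exe" / "ProtectionGQY.exe" note and the sample export are assumptions made here.

```python
import re

# Indicators copied from this guide; ProxyEnable backs the LAN proxy checkbox.
IFEO = re.compile(r"\\image file execution options\\([^\\]+)$", re.I)
BLOCKED = {"_avp32.exe", "ashlogv.exe", "beagle.exe", "jedi.exe", "msa.exe",
           "ntvdm.exe", "rav7.exe", "spoler.exe", "vir-help.exe", "wupdt.exe"}
POLICIES = {"disableregedit", "disableregistrytools", "disabletaskmgr"}
DROPPER = re.compile(r"\\protect(?:or|ion)[^\\]*\.exe$", re.I)  # assumed pattern
VALUE = re.compile(r'^"([^"]+)"=(.*)$')

# Constructed sample in .reg export syntax; user name and file suffix are made up.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav7.exe]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\alice\\AppData\\Roaming\\Protector-qwe.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable"=dword:00000001
'''


def triage(reg_text):
    """Return (kind, detail) pairs for every indicator found in a .reg export."""
    findings, key = [], ""
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()            # current key, case-folded
            if (hit := IFEO.search(key)) and hit.group(1) in BLOCKED:
                findings.append(("ifeo-key", hit.group(1)))
        elif value := VALUE.match(line):
            name, data = value.group(1).lower(), value.group(2)
            path = data.strip('"').replace("\\\\", "\\")   # undo .reg escaping
            rogue = name == "inspector" or DROPPER.search(path)
            if key.endswith(r"\currentversion\run") and rogue:
                findings.append(("run-entry", path))
            elif key.endswith(r"\policies\system") and name in POLICIES:
                findings.append(("policy-value", f"{name}={data}"))
            elif key.endswith(r"\internet settings") and name == "proxyenable":
                if data != "dword:00000000":
                    findings.append(("proxy-enabled", data))
    return findings


if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```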
