
Remove Windows Active Guard

Monday, July 23rd 2012 under Security by

The creators of Windows Safety Manager, Windows Care Taker, Windows Custodian Utility and a number of other malicious programs, which together form their own family, have come up with another malevolent tool for robbing people of their money: Windows Active Guard.

Following their tradition of giving their viruses seemingly legitimate names and layouts, the hackers have not failed this time either. Though it might look promising, this application is nothing more than malware. It does nothing to protect your computer’s safety; just the opposite, it opens up your computer to additional malware. Unfortunately, there is no guarantee that Windows Active Guard will spare your computer. It uses clever strategies for infecting computers, such as fake online scanners or Trojans. The more dangerous of the two is the one involving Trojans, because they sneak inside your PC without asking for permission and, once inside, download Windows Active Guard.


Windows Active Guard screenshot


One of Windows Active Guard’s most effective ways of making you believe your computer is infected with numerous viruses is the fake scan. The scans are automatic, and the scanning screen appears without your authorization. It seems to be working hard on detecting viruses, but no such process is actually taking place. At the end, it only displays a fake list of infections and prompts you to buy its full version, which is, as you have probably guessed, fake. In addition to the phony scans, Windows Active Guard also floods your PC with bogus warnings, which are not only irritating but also slow down your PC’s performance. Some examples of Windows Active Guard’s phony warnings are:

Warning
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Error
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.

Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.

Windows Active Guard tries to make you believe that your sensitive information is at risk and could be disclosed to third parties, and then prompts you to buy its licensed version, which is advertised as a genuine anti-virus tool. The irony here is that your private and credit card data can only be exposed to third parties, i.e. cyber criminals, if you follow Windows Active Guard’s advice and purchase its so-called full version. Why? Because by submitting your information to the purchase webpage created specifically for Windows Active Guard, you hand this information straight to hackers.

As if the rest of its mischief were not enough, Windows Active Guard also blocks your applications. Whenever you try to run an executable, Windows Active Guard terminates it in a malevolent attempt to scare you even more and make you believe you need to spend your money on the full version of Windows Active Guard. Furthermore, Windows Active Guard replaces your Windows Task Manager and Registry Editor with its own Advanced Process Control tool, which seems to be operating as a task manager but is actually controlled by the malware.

There is only one way to treat Windows Active Guard, and that is to eliminate it. Since this infection is very stubborn and manages to root itself very deep into the system, we recommend that you use a legitimate automated tool for this purpose.

How to manually remove Windows Active Guard:

Kill Windows Active Guard processes:

Protector-[rnd].exe

Delete Windows Active Guard files:

%AppData%\Protector-[rnd].exe

Remove Windows Active Guard registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[rnd].exe
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\UID [rnd]
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
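
The following script is an added example, not part of the original article: it reads saved `reg query <key> /s` text output and flags the three kinds of entries listed above (the Run autostart pointing at Protector-[rnd].exe, the UAC policy values set to 0, and Image File Execution Options keys whose Debugger is svchost.exe, which prevents the named security tool from starting). It generalizes the IFEO check to any image name; the sample output, the value "ab12" standing in for [rnd], and the function names are constructed for this example.

```python
import re

# Constructed sample of `reg query <key> /s` output; "ab12" stands in for the
# page's [rnd] placeholder and the user name "test" is made up.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    Inspector    REG_SZ    C:\Users\test\AppData\Roaming\Protector-ab12.exe
    Updater    REG_SZ    "C:\Program Files\Vendor\updater.exe" /quiet

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
    EnableLUA    REG_DWORD    0x0
    ConsentPromptBehaviorAdmin    REG_DWORD    0x0
    PromptOnSecureDesktop    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
    Debugger    REG_SZ    svchost.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe
    Debugger    REG_SZ    C:\Tools\dbg.exe
"""

UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "consentpromptbehavioruser"}
DROPPER = re.compile(r'\\Protector-[^\\]+\.exe"?$', re.I)   # Protector-[rnd].exe
IFEO = "\\image file execution options\\"

def parse_reg_query(text):
    """Yield (key, value_name, reg_type, data) from `reg query` text output."""
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()                      # key header, column 0
        elif key and line.startswith("    "):       # value rows are indented
            parts = re.split(r" {4}", line.strip(), maxsplit=2)
            if len(parts) == 3:
                yield (key, *parts)

def find_indicators(text):
    """Return (kind, key, value_name) for each entry matching the list above."""
    hits = []
    for key, name, rtype, data in parse_reg_query(text):
        k, n = key.lower(), name.lower()
        if k.endswith("\\currentversion\\run") and DROPPER.search(data):
            hits.append(("autorun", key, name))
        elif (k.endswith("\\policies\\system") and n in UAC_VALUES
              and rtype == "REG_DWORD" and int(data, 16) == 0):
            hits.append(("uac-weakened", key, name))
        elif IFEO in k and n == "debugger" and data.lower().endswith("svchost.exe"):
            hits.append(("ifeo-hijack", key, name))
    return hits

if __name__ == "__main__":
    for hit in find_indicators(SAMPLE):
        print(*hit, sep=" | ")
```

On a live system the input would come from running `reg query` with `/s` against the Run, policies\system and Image File Execution Options keys and saving the text.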

*SpyHunter’s free scanner is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter’s malware suite to remove the malware threats.
