Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

Safety Anti-Spyware Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg | del.icio.us

Once installed this rogue anti-spyware software starts with Windows, runs constantly in the background and uses scare messages about non-existent malicious files to convince the user to pay for activation.

A rogue security software such as Safety Anti-Spyware belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

This scareware is known by the following aliases:

Trojan.Win32.Inject, Win-Trojan/Fakealert, Trojan.Win32.Inject.alyb, Trojan:Win32/FakeRean and RogueAntiSpyware.SafetyAntiSpyware.

Typical Safety Anti-Spyware Scare Messages

safety antispyware scare messages Safety Anti Spyware Analysis and Removal

safety-antispyware-scare-messages

Security Warning! Malicious programs that may steal your private information and prevent your system from working properly are detected on your computer. Click here clean your PC immediately.

The installer file is named SafetyAntiSpyware.exe, about 1188352 bytes in size and is currently being detected by 27/40 (67.5%) of the anti-virus engines available at VirusTotal.

Safety Anti-Spyware Associated Files and Folders

  • C:\Program Files\Safety Anti-Spyware 3\Safety Anti-Spyware 3.exe
  • C:\Documents and Settings\malwarehelp.org\Desktop\SafetyAntiSpyware.exe
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Safety Anti-Spyware 3\Safety Anti-Spyware 3.lnk
  • C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Safety Anti-Spyware 3.lnk
  • C:\Documents and Settings\malwarehelp.org\Desktop\Safety Anti-Spyware 3.lnk
  • C:\WINDOWS\Prefetch\SAFETY ANTI-SPYWARE 3.EXE-08556251.pf
  • C:\Documents and Settings\malwarehelp.org\Start Menu\Safety Anti-Spyware 3
  • C:\Program Files\Safety Anti-Spyware 3

Some of the file names may be randomly generated.

Safety Anti-Spyware Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\safety anti-spyware 3
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Safety Anti-Spyware 3

Safety Anti-Spyware Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • http://updateantiviruscenter com
  • http://safetyantispywareshop com

Note: Visiting the domains mentioned above may harm your computer system.

Safety Anti-Spyware Removal (How to remove Safety Anti-Spyware)

The free versions of MalwareBytes’s Anti-Malware Free edition and SuperAntiSpyware appear to remove Safety Anti-Spyware Scareware.

  1. Use an alternate browser like Firefox or Chrome to download and Install either MalwareBytes’s Anti-Malware or SuperAntiSpyware from the links above.
  2. Also download CCleaner.
  3. Boot in to Windows Safe mode.
  4. Click to scan with your chosen software. Check mark all instances of the rogue security software and delete them.
  5. Turn System Restore off and on
  6. Install, scan and clean the temporary files with CCleaner.

You should now be clean of this rogue.

Safety Anti-Spyware Scareware — Screenshots

Safety Anti-Spyware Scareware — Video

Note: The Safety Anti-Spyware installation and removal was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer and Firefox. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

You may also like to read



{ 0 comments… add one now }

Leave a Comment

Previous post:

Next post: