How To Remove The Windows Ultimate Safeguard Fake Antivirus Virus Infection (Scareware)

What Is The Windows Ultimate Safeguard Virus?

Windows Ultimate Safeguard is a fake Antivirus application (rogue Antivirus program, scareware) that infects computers by displaying a fake virus scan which shows multiple fake “potential threats” such as malware infections, viruses, and trojans in order to scare the infected computer user into purchasing the rogue Windows Ultimate Safeguard program. This is why the term scareware is used to describe the Windows Ultimate Safeguard virus and others like it.

Note: Similar fake Antivirus programs include Live Security Platinum, Security Tool, and Antivirus Live.

Windows Ultimate Safeguard is from the FakeVimes family of malware, in particular scareware. Windows Ultimate Safeguard gets repacked and redistributed under different names, though the client program, at least in this version, will always be called Windows Ultimate Safeguard.


How Does Windows Ultimate Safeguard Infect Computers?

Windows Ultimate Safeguard virus infections can be acquired from the use and installation of freeware, shareware, and drive-by download websites (such as Kangobox). Drive-by download sites such as free streaming video websites usually ask and/or prompt the website visitor to install some sort of fake codec or Flash player. In most cases with the Windows Ultimate Safeguard virus, the potential victim is asked to install a fake version of Adobe Flash Player, which looks and seems real because the rogue file is titled adobeflashplayer.exe or something similar.

If you visit a website (usually associated with free media, such as video) that asks or prompts for a codec, plugin, or file to be installed in order to view or use their product, it is strongly suggested to avoid the website altogether. Many viruses and other infections (especially adware and hijackers) are acquired through voluntary but unsuspecting installation. Below is an example of an alert which is commonly placed at the top of a webpage in order to trick internet visitors into installing malware.

(Image: “Install Codec V Plugin” alert bar)

Keep in mind, many websites, especially websites that host free streaming videos (free movies and TV shows), will have a similar alert bar. Some are not malicious, but most of them are. In actuality you don’t need third-party codecs and plugins to watch streaming videos online if your configuration for legitimate technologies like Flash and Java is correct. Flash, HTML, and other technologies used to display streaming videos are far too evolved to require third-party codecs and plugins. Some applications such as DivX players and Flash players use their own codecs and plugins, which can be imitated by rogue malicious programs; this is exactly how the Windows Ultimate Safeguard infection infects computers.

Windows Ultimate Safeguard can also infect computers through other rootkits and may install alongside more sophisticated forms of malware.

Windows Ultimate Safeguard Infection Symptoms

  • Once Windows Ultimate Safeguard has installed onto a computer it will begin to perform a fake scan which will “detect” fake malicious files, be that adware, backdoor trojans, spyware, viruses, and other forms of malware.
  • Windows Ultimate Safeguard displays a fake payment page, which it states is from onlineregister.com, pretends to be verified by Visa, and states that they provide a 30 day money back guarantee for their rogue program. Windows Ultimate Safeguard’s fake payment page is loaded from a remote location, not onlineregister.com, and is not actually verified by Visa, nor will they supply a real 30 day money back guarantee.
  • Windows Ultimate Safeguard can disable the Windows Task Manager, the Windows Registry Editor and other system utilities. For example, pressing Ctrl+Alt+Del will bring up the rogue Windows Ultimate Safeguard program instead of the actual Task Manager.
  • Windows Ultimate Safeguard is known to block internet access for Google Chrome and Microsoft Internet Explorer. Windows Ultimate Safeguard is not likely to affect Mozilla Firefox, Apple Safari, and other browsers. (In these cases, follow the directions below to start your computer in “Safe Mode With Networking”.)
  • Windows Ultimate Safeguard prompts fake security alerts, but does not do so as overwhelmingly and aggressively as other scareware and fake Antivirus programs do.
Windows Ultimate Safeguard Alerts:
  • Fake Windows Firewall alert (blocking Google Chrome)
  • “Error: Software Without A Digital Signature Detected” alert bubble

How To Remove The Windows Ultimate Safeguard Virus

There are many options to remove scareware applications, and most of the time removal is a chore. Luckily Windows Ultimate Safeguard is not as difficult and laborious as similar malware infections, because Windows Ultimate Safeguard does not run while the computer is in safe mode, giving the computer user a window of time to detect and remove the Windows Ultimate Safeguard virus or install real Antivirus or Anti-Malware programs to scan for and remove the Windows Ultimate Safeguard infection.

Windows Ultimate Safeguard Removal Options

Outlined below are simple options to remove the Windows Ultimate Safeguard virus.

  1. Anti-Malware Software – Scan and remove Windows Ultimate Safeguard
  2. Manual Removal – Remove or rename Windows Ultimate Safeguard’s executable file
  3. Safe Mode With Networking – Scan and remove Windows Ultimate Safeguard
  4. System Restore – Restore computer to date and time before infection

1. Anti-Malware Software

Your safest bet to remove Windows Ultimate Safeguard is Malwarebytes. They provide a free and a paid version and have been involved in many discussions surrounding scareware and similar viruses. Try Malwarebytes, the Leader in Malware Removal.

Other software recommendations

1. AVG Anti-Virus 2012 – 20% off
2. AVG Anti-Virus 2012 Free Edition

2. Manually Remove Windows Ultimate Safeguard

Remove or rename Windows Ultimate Safeguard’s executable file

The main files for Windows Ultimate Safeguard are located in your computer’s Application Data folder. The App Data folder is hidden by default. To learn how to show hidden drives, files, and folders on Microsoft Windows please click here.

Windows Ultimate Safeguard App Data File Location:

A quick way to access your Application Data folder is to access Windows start menu and type %appdata% into the search field, then press Enter.


  • Windows XP: C:\Documents and Settings\[Current User]\Application Data
  • Windows Vista/7: C:\Users\[Current User]\AppData\Roaming
Windows Ultimate Safeguard file names: Protector-ostr.exe, results.db

How To Manually Remove Windows Ultimate Safeguard

Simply delete the executable Protector-ostr.exe from your Application Data folder, or rename the file (e.g. to virus.exe), to stop the Windows Ultimate Safeguard virus from starting on your computer.


Windows Ultimate Safeguard Removal Video

The video below shows how to access your Application Data folder and delete the malicious files associated with Windows Ultimate Safeguard.

3. Safe Mode With Networking

The plan with this option is to start your computer in “Safe Mode with Networking” and install anti-malware software. Then scan for and remove the malicious files.

1. Reboot your computer in “Safe Mode with Networking”. As the computer is booting, tap the F8 key continuously to reach the correct menu. Use your keyboard to navigate to “Safe Mode with Networking” and press Enter. Shown below.

(Image: Windows Advanced Boot Options menu with “Safe Mode with Networking” selected)

The screen may appear black with the words “Safe Mode” in all four corners. Click where the Windows Start menu normally sits to bring up the Start menu and the programs you need.

2. If you can easily access the internet to install removal software such as Malwarebytes (free or paid), do so; otherwise launch Internet Explorer. In Internet Explorer go to: Tools -> Internet Options -> Connections tab.
Click the LAN Settings button and uncheck the checkbox labeled “Use a proxy server for your LAN”. Click OK.


3. If you do not already have Malwarebytes (free or paid version) on your system, download it now and run a full system scan to remove the Windows Ultimate Safeguard malware from your computer.
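The manual removal step above (locate and rename Protector-ostr.exe under %APPDATA%) and the symptom checks in this section (Task Manager disabled, a LAN proxy switched on) can be done from an elevated PowerShell prompt in Safe Mode. The script below is an added example and is not the article’s own or from any tool it mentions. The file names come from the article; the registry locations it inspects are the standard Windows locations for the Task Manager/Registry Editor user policies and the Internet Options LAN proxy setting, which the article does not name and which are assumed here to be the settings the rogue program touches. Nothing is changed unless it is run with -Rename.

```powershell
# Added example (not from the article): triage the indicators the article lists and,
# with -Rename, perform the article's manual-removal step (rename the executable so
# it no longer starts with Windows). Run from an elevated PowerShell prompt.
param(
    [switch]$Rename   # without this switch the script only reports
)

$appData = $env:APPDATA   # the Roaming Application Data folder the article points at
$files   = @('Protector-ostr.exe', 'results.db')   # names given in the article

Write-Host "Application Data folder: $appData"
foreach ($name in $files) {
    $path = Join-Path $appData $name
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path
        Write-Host ("FOUND    {0}  ({1} bytes, modified {2})" -f $path, $item.Length, $item.LastWriteTime)
        if ($Rename -and $name -like '*.exe') {
            # Rename rather than delete, as the article suggests: the file is kept for a
            # later anti-malware scan but Windows can no longer launch it by its old name.
            $newName = "$name.virus"    # hypothetical new name; the article uses virus.exe
            Rename-Item -LiteralPath $path -NewName $newName
            Write-Host "RENAMED  $path -> $newName"
        }
    } else {
        Write-Host "absent   $path"
    }
}

# Symptom check: Task Manager / Registry Editor disabled through the per-user policy
# values (standard Windows location, assumed here to be what the rogue program sets).
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($value in 'DisableTaskMgr', 'DisableRegistryTools') {
    $v = (Get-ItemProperty -Path $policyKey -Name $value -ErrorAction SilentlyContinue).$value
    if ($v -eq 1) { Write-Host "WARNING  $value = 1 under $policyKey" }
    else          { Write-Host "ok       $value not set" }
}

# Symptom check: the LAN proxy the article has you uncheck in Internet Options.
# ProxyEnable/ProxyServer are the values behind that checkbox.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$inet = Get-ItemProperty -Path $inetKey -ErrorAction SilentlyContinue
if ($inet.ProxyEnable -eq 1) {
    Write-Host ("WARNING  'Use a proxy server for your LAN' is enabled: {0}" -f $inet.ProxyServer)
} else {
    Write-Host "ok       no LAN proxy configured"
}
```

Run it once without arguments to see what is present, then again with -Rename if Protector-ostr.exe is found; the policy and proxy values are only reported, so they can still be fixed through the Internet Options dialog the article describes and then confirmed with a second run.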

4. System Restore

Restore the computer to a date and time before the infection. To learn more about Windows System Restore please click here.


1. Open the Windows Start menu.
2. Type rstrui.exe into the search field and press Enter.
3. Follow the instructions in Windows System Restore.

Standard directions to quickly access the Windows System Restore wizard:

1. Open the Windows Start menu and click All Programs.
2. Click and open Accessories, click System Tools, and then click System Restore.
If you are prompted for an administrator password or confirmation, type the password or provide confirmation.
3. Restore your computer to a date and time before the infection.

Windows Safe Mode With Command Prompt Restore

When the computer user cannot access the Windows desktop because the computer has become infected with malware, viruses, or other conflicts and malfunctions, starting Windows in Safe Mode with Command Prompt is the suggested way to reach Windows System Restore. If it is difficult to start Windows in safe mode, or if Windows brings up a black screen with “Safe Mode” in the four corners, don’t panic. Move your cursor to the lower left corner, where the Search box is usually visible in the Windows Start menu, and the Start menu will come up, including the “Run” box.

1. Restart/reboot your computer. Unplug if necessary.
2. Start Windows in “Safe Mode with Command Prompt”. To properly enter safe mode, repeatedly press F8 as soon as the boot menu appears.


3. Once the Command Prompt appears, type “explorer” and press Enter. During some malware and virus infections you only have a window of 2-3 seconds to do this. In some cases, if this is not done within those seconds, viruses such as the FBI MoneyPak ransomware virus will no longer allow you to type “explorer”.


4. Once Windows Explorer appears, browse to:

  • Win XP: C:\windows\system32\restore\rstrui.exe and press Enter
  • Win Vista/Seven: C:\windows\system32\rstrui.exe and press Enter

5. Follow all steps to restore or recover your computer system to an earlier time and date, before the infection, to complete the Windows restore.


Sean Doyle

http://Botcrawl.com

Sean Doyle is an engineer from Los Angeles, California. Sean's primary focuses include Internet Security, Web Spam, and Online Marketing.

Comments (4)

  1. Jason Baldridge (@MalwareBlogger)
    Excellent removal steps and detailed symptoms. Thanks for another great share!
  2. Jason Baldridge (@MalwareBlogger)
    Excellent removal steps. Thanks for the share!