Windows Microsoft Guardian is a rogue program that acts as an anti-spyware program in order to earn your trust so that you give away your personal and credit card information. Here’s how it tries to do so.
Being a member of the Fake Microsoft Security Essentials family, Windows Microsoft Guardian gets installed on your machine via a Trojan that infects your computer first and starts displaying lots of alerts claiming that your system is infected with an Unknown Win32/Trojan. The Trojan then runs a fake scan, at the end of which it states that a file on your system is infected with Trojan.Horse.Win32.PAV.64.a.
The Trojan will then try to install Windows Microsoft Guardian by convincing you that it’s the only way to get rid of the threat. If you agree, Windows Microsoft Guardian is automatically downloaded and installed on your machine, posing as an anti-spyware program.
Once Windows Microsoft Guardian is installed on your machine, you will no longer be able to easily reach your normal desktop after a reboot. Instead you will be presented with a screen belonging to Windows Microsoft Guardian, claiming that your machine is infected and that you need to perform another scan.
Once the fake scan is completed, Windows Microsoft Guardian will present you with lots of fake threats on your computer and then strongly recommend that you buy and install the full version of Windows Microsoft Guardian, otherwise you won’t be able to get rid of these threats.
As you can see, the real Trojan is actually trying to scare you into giving away your credit card information and throwing away your money. Do NOT give your credit card information thinking that the full version of Windows Microsoft Guardian will help, as it is just another fake. Now, let’s get rid of this threat once and for all.
Windows Microsoft Guardian Removal Guide
Before we get on with the disinfection process you need to keep in mind a few things.
*First, as we’ve said before, in order to access your regular desktop screen you will need to go through the fake scanning process and then press the X button in the top right corner of the Windows Microsoft Guardian screen.
***Third, you might not be able to download these files on the infected machine, because Windows Microsoft Guardian might prevent you from accessing the internet. If this is the case you will need to download the files elsewhere and transfer them to the infected machine via CD/DVD or other portable media.
- The first step in our disinfection process is to kill any processes related to Windows Microsoft Guardian. For that you will need to run RKill. Do so and let it scan your computer. If you get warning messages claiming that the security of your machine is being compromised by RKill, ignore them; they are attempts by Windows Microsoft Guardian to preserve itself.
*Note that in case RKill doesn’t do the trick for you, you’ll need to download and install another renamed copy of RKill, such as iExplore.exe.
- The next step is restoring your Windows Registry Shell value; otherwise you will not be able to access your desktop at all once we’ve dealt with Windows Microsoft Guardian. To do so, run Shell.reg on your system and allow it to merge its data into the registry.
- Now comes the actual disinfection. Start the installation process for Malwarebytes’ Anti-Malware (MBAM) and make sure that both the Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware boxes are checked. Once the installation finishes, you might be prompted for a reboot. If so, restart your computer.
- At Windows start-up MBAM will automatically run and update itself. Press the OK button in the message box and you will be presented with the MBAM main screen. There, go to the Scanner tab, check the Perform full scan radio button and then press the Scan button below.
- Once MBAM finishes scanning your computer you will be presented with a full list of threats that were found on your machine. Make sure every one of these threats is checked and then press the Remove Selected button. Once the disinfection is done, you might be prompted to restart your computer. If so, please allow your computer to reboot.
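The guide does not show what Shell.reg actually changes, so here is an added PowerShell script (not the guide’s Shell.reg and not part of the original article) that audits the Winlogon Shell value this kind of rogue overwrites to put its own window in place of explorer.exe at logon, and with -Restore puts explorer.exe back. The registry paths are the standard Winlogon keys; checking the per-user HKCU key as well is an assumption that the rogue may use that override, and the script makes no assumption about the rogue’s own file name, it only reports what it finds.

```powershell
# Audit (and optionally repair) the Winlogon "Shell" value.
# Run from an elevated PowerShell prompt after RKill has stopped the rogue.
param([switch]$Restore)

$Expected = 'explorer.exe'
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon',   # system-wide default
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'    # per-user override, normally absent (assumed abuse path)
)

foreach ($Key in $Keys) {
    $Current = (Get-ItemProperty -Path $Key -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($null -eq $Current) {
        Write-Host "$Key : Shell not set (fine for HKCU, unexpected for HKLM)"
        continue
    }

    # Pull the executable out of the value: quoted path first, else first token.
    if ($Current -match '^"([^"]+)"') { $Exe = $Matches[1] } else { $Exe = ($Current -split '\s+')[0] }

    if ([IO.Path]::GetFileName($Exe).ToLower() -eq $Expected) {
        Write-Host "$Key : Shell = '$Current' (OK)"
        continue
    }

    Write-Warning "$Key : Shell = '$Current' (HIJACKED)"
    if (Test-Path -LiteralPath $Exe) {
        Write-Host "  points to existing file: $Exe  (keep a copy for analysis before MBAM removes it)"
    }

    if ($Restore) {
        if ($Key -like 'HKLM:*') {
            Set-ItemProperty -Path $Key -Name Shell -Value $Expected
            Write-Host "  restored HKLM Shell to $Expected"
        } else {
            Remove-ItemProperty -Path $Key -Name Shell
            Write-Host "  removed per-user Shell override"
        }
    }
}
```

Run it once without -Restore to record what the rogue set, then again with -Restore before the MBAM scan so the desktop comes back after the reboot MBAM may ask for.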
If you followed these steps accordingly, your machine should now be clean. However, considering that your machine got infected in the first place, you might have one or more vulnerable programs on your computer. It’s strongly recommended that you follow this guide and use Secunia PSI to determine whether or not your system has vulnerabilities.