
Windows Warding Module Removal Tutorial

The rogue Windows Warding Module anti-spyware is part of the Rogue.FakeVimes group of malicious computer infections. It masquerades as a legitimate application that provides protection against online viruses and threats, but it does just the opposite of what it claims. Once it has been installed on your computer, it starts automatically each time you log in to Windows. At each start, Windows Warding Module performs a fake scan and displays fabricated results of threats that it claims to have detected on your computer. If you attempt to have it remove any of the fake detected threats, it prompts you to purchase a license before it will proceed.

Windows Warding Module may be installed by fake online virus scanners that claim an infection has been found and tell you to click on them to scan your computer. It may also be installed through drive-by installations during visits to compromised websites.

Under no circumstances should you purchase a license for this bogus product. Doing so would place your financial information at great risk.

To remove this infection, you'll need to download a couple of software utilities on a known clean computer and then copy them onto the infected computer via a flash drive or a burned CD/DVD. The utilities that you will need include:

  1. TFC (Temp File Cleaner)
  2. Emsisoft Emergency Kit


Possible Windows Warding Module Activation Codes:

0W000-000B0-00T00-E0001

0W000-000B0-00T00-E0002

0W000-000B0-00T00-E0003


How to remove Windows Warding Module

  1. To remove this infection, begin by starting the infected computer in "Safe Mode with Command Prompt".
  2. Next, log into Windows and insert the burned CD/DVD or flash drive with the needed removal utilities into the compromised computer.
  3. Once the command prompt opens, navigate to the external drive with the downloaded software by typing its drive letter and a colon at the command prompt. You'll need to enter "D:" or possibly "E:" at the prompt. To verify that you're accessing the correct drive, type "Dir" at the prompt to display the contents of the selected drive. If you created a directory and placed the files within it, you'll need to type "cd Directory Name", replacing "Directory Name" with the name that you assigned to the file folder.
  4. Once you have access to the files, start the "Temp File Cleaner" by typing "TFC.exe" at the command prompt. Then proceed to remove your temporary files by following the prompts.
  5. Next, after deleting the temp files, decompress the Emsisoft Emergency Kit by typing its executable at the prompt. If you're unsure of its file name, type "Dir" at the command prompt to redisplay the contents of the directory.
  6. Next, start the Emergency Kit by navigating to its directory by typing "cd Directory Name" and then typing "Start.exe". Replace "Directory Name" with the folder name that you decompressed the Emergency Kit into.
  7. Afterwards click on “Emergency Kit Scanner”.
  8. Next, click on “Scan Now”.
  9. Next, select the “Deep Scan” option and click on the “Scan” button at the bottom.
  10. After the scanner completes, remove any malicious files that it located on the computer.
  11. Next, restart the computer normally.

At this point Windows Warding Module should be completely removed from the computer. If there are still indications of the original infection, you may need to follow the instructions from one of our other, more aggressive removal tutorials.



Windows Warding Module Associated Files:

%AppData%\guard-<random>.exe

%AppData%\result1.db


Windows Warding Module Associated Windows Registry Entries:


HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\guard-<random>.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell"="C:\\Users\\User\\AppData\\Roaming\\guard-<random>.exe"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes"=".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation"=1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe "Debugger"="svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe "Debugger"="svchost.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = "0"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
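
A scanner can delete the guard-<random>.exe file and still leave some of the registry values above in place, so the list is worth re-checking after the final restart. The following read-only PowerShell check is an added example, not part of the original tutorial or of any tool it mentions; it assumes PowerShell 3.0 or later, and the variable and property names ($checks, OnlyIf, Location, Data) are the example's own.

```powershell
# Added example: reports leftovers from the lists above and changes nothing.
# Run as the affected user, because HKCU and %AppData% are per-user.
$cv     = 'Software\Microsoft\Windows\CurrentVersion'
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$system = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'

# OnlyIf = $null : report the value whenever it exists.
# OnlyIf = 'x'   : report it only when its data equals the data listed on this page.
$checks = @(
    @{ Path = "HKCU:\$cv\Run"; Name = 'GuardSoftware'; OnlyIf = $null }
    @{ Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'; OnlyIf = $null }
    @{ Path = "HKCU:\$cv\Policies\Associations"; Name = 'LowRiskFileTypes'; OnlyIf = $null }
    @{ Path = "HKCU:\$cv\Policies\Attachments"; Name = 'SaveZoneInformation'; OnlyIf = '1' }
    @{ Path = "$ifeo\msseces.exe"; Name = 'Debugger'; OnlyIf = $null }
    @{ Path = "$ifeo\msmpeng.exe"; Name = 'Debugger'; OnlyIf = $null }
    @{ Path = $system; Name = 'ConsentPromptBehaviorAdmin'; OnlyIf = '0' }
    @{ Path = $system; Name = 'ConsentPromptBehaviorUser'; OnlyIf = '0' }
    @{ Path = $system; Name = 'EnableLUA'; OnlyIf = '0' }
)

$findings = @(foreach ($c in $checks) {
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }   # key or value absent: nothing to report
    $data = $item.($c.Name)
    if ($null -eq $c.OnlyIf -or "$data" -eq $c.OnlyIf) {
        [pscustomobject]@{ Location = $c.Path; Name = $c.Name; Data = $data }
    }
})

# Files listed under "Associated Files"; -Force includes hidden items.
$findings += @(Get-ChildItem -Path $env:APPDATA -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'guard-*.exe' -or $_.Name -eq 'result1.db' } |
    ForEach-Object {
        [pscustomobject]@{ Location = $_.DirectoryName; Name = $_.Name; Data = 'file present' }
    })

if ($findings.Count -eq 0) {
    'None of the listed artifacts were found.'
} else {
    $findings | Format-Table -AutoSize -Wrap
}
```

A hit on one of the policy values only means its data matches what this page lists, not that the infection set it, so review each hit before changing anything.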







Smith Technical Resources makes no guarantees or claims that the information contained in this article will help you completely remove the above listed malicious program(s) from your computer. There are several variations of each particular virus in the wild. And the procedure listed above may not be adequate for the specific version of the virus that your computer has been compromised by.

If you feel uncomfortable performing any of the procedures that we've listed on this page, please contact a professional computer repair company in your area and have them complete the needed repairs on your computer. Smith Technical Resources takes no responsibility for any possible damage that could result from your use of the above instructions.
