Windows Crashes Deliverer

There are quite a few kinds of malware that can infect your PC, and Windows Crashes Deliverer is among one of the tricker to extricate. It masquerades as an anti-virus application and in fact gives the appearance of a valid application, this malware is part of a relatively new class of malicious programs that can be described as rogue anti-spyware or scareware. For these programs, the objective is to convince you to buy it to protect your machine and in the process of doing so create the appearance of damage on your machine.

After this is installed on your system, it will take over your Windows desktop shell. As a result, when your computer restarts rather than run the standard Windows desktop you will be running Crashes Deliverer instead. This program actually creates a randomly assigned file name for the application and places that in:

%ApplicationData%\User Profile\Microsoft\[random].exe

Where [random] is in fact a random series of letters and numbers. Removal will require something like RKill to eliminate Crashes Deliverer from memory, I will explain in a little more detail how this can work.

1. Run Fake Scan. On reboot, Crashes Deliverer will take over your desktop. Follow the instructions to run the fake scan and then press Fix Errors. You won’t be able to get to your Windows desktop (or at least a crippled version of that) until completing the fake scan.
2. Close Crashes Deliverer Window. Close this window after completing the fake scan. Be aware that the program doesn’t actually exit, it will continue to run in the background thwarting many activities. For example, if you attempt to open Window Task Manager at this time it would erroneously identify that as a virus. Ignore all these warnings, this is not a true anti-virtus program.
3. Run RKill. Use RKill to terminate Crashes Deliverer, since you can’t bring up Task Manager or many other popular utilities for process management, RKill is going to be your best bet. Note that Crashes Deliverer can identify RKILL.EXE, so you must rename the program in order for it to run.
4. Update Your Registry. Remove the invalid registry key for the Windows logon shell, this will be pointing to the invalid Crashes Deliverer [random].exe. The following registry path should be purged: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\Shell.
5. Remove Malware Executable. Remove the malware executable under %ApplicationData%\User Profile\Microsoft\[random].exe. You can use the name of the executable from the previous step or look for a sufficiently cryptic program name.
6. Run Anti-Virus. This should be something other than the anti-virus you were running before Crashes Deliverer, since it was unable to detect it. You can use something like Malwarebytes or Spybot.
7. Reboot.

It’s easy to see how you might get lured into running this program, it purports to be a trustworthy source for anti-virus protection. In fact, the only intention is to convince you to spend money on a program that will actually do nothing for you. If you do enter your credit card information, you should contact your credit card company and inform them of what has happened