Windows Work Catalyst virus – how to get rid manually

Windows Work Catalyst is a virus which acts like a legitimate computer security tool. Although it is a fake software created by hackers to earn extra money by offering non-existing security solutions as paid services. WindowsWorkCatalyst is marked as a dangerous rogue spyware that works just like the way other fake malwares do, i.e Windows Attention utility virus, Windows Inspection Utility vrius. All these programs are fake and use a Microsoft Security Essentials Alert to show a relation with microsoft which is a fraud.

WindowsWorkCatalyst malware gets into your computer through malicious websites. After getting into your computer, you may notice suspicious activities like browser redirection to unwanted web pages and most common problem of annoying popup windows displayed on your screen by interval of a few minutes. These popups display fake scan reports telling you that WindowsWork Catalyst program has detected viruses and other system security problems with your computer that must be affixed very soon by using Windows Work Catalyst`s full version.
fake windows work catalyst virus Windows Work Catalyst virus   how to get rid manually

Windows WorkCatalyst virus may display these messages:

Threat prevention solution found
Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
Risk of system files infection:
The detected vulnerability may result in unauthorized access to private information and hard drive data with a serious possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press ‘OK’ to install the software necessary to initiate system files check. To complete the installation process please reboot your computer

System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.
Location: c:\windows\system32\taskmgr.exe
Viruses: Backdoor.Win32.Rbot

Microsoft Security Essentials Alert
Potential Threat Details

Microsoft Security Essentials detected potential threats that might compromise your private or damage your computer. Your access to these items may be suspended until you take an action. Click ‘show details’ to learn more.

Remember! All these warnings, alerts and virus removal offers made by Windows Work Catalyst virus are fake. This program is totally a useless software. It is specially designed to extort your money by selling its fake security products as it is a scamware. You should ignore these warnings, avoid purchase of this program, avoid clicking any link within its popups and do not install any additional component of it. All you have to do is to immediately remove Windows Work Catalyst from your computer upon detection.

How to remove Windows Work Catalyst virus manually:

To remove this virus manually, complete the following set of tasks. Do not forget to create a backup before getting started to the manual removal guide.
To do these steps, you may also want to know,
How to stop a proccess
How to delete registry entries

Stop Windows Work Catalyst processes:
[random name].exe

Remove Windows Work Catalyst registry keys:
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon “Shell” = ‘%UserProfile%Application Data[SET OF RANDOM CHARACTERS].exe’
HKEY_CURRENT_USERSoftwareMicrosoftWindows NTCurrentVersionWinlogon “Shell” = ‘%UserProfile%Application DataMicrosoft[SET OF RANDOM CHARACTERS].exe’
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsegui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsekrn.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmsascui.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmsmpeng.exe “Debugger” = ‘svchost.exe’
HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionsmsseces.exe “Debugger” = ‘svchost.exe’ Note

Auto Removal

To remove this virus Automatically, We suggest following tools:

Malware Bytes Anti-Malware (Download)


  1. Nick from London says:

    Thanks very helpful, I managed to sort out a neighbours infected computer.

    I used a Linux Live CD to remove the randomly named .exe file that is located, as stated, in the Documents & Settings folder of the user who was logged in when WWC installed.

    I noted the date of the exe file is the date of installation and was the only exe file in the folder.

    Then we rebooted, used regedit as suggested and rebooted again and the computer was back to normal.