Windows Defence Counsel

By Domesticus in Rogue Anti-Spyware Program

Windows Defence Counsel Description


Windows Defence Counsel is one of the many fake security programs in the FakeVimes family of malware. Malware such as Windows Defence Counsel is referred to as rogue security software. Rogue security programs like Windows Defence Counsel carry out an online scam that consists of convincing victims that they need to purchase a useless ‘full version’ of the fake security program. To do this, Windows Defence Counsel tries to convince victims that their computer system is severely infected with malware. While this is technically true, what Windows Defence Counsel fails to tell you is that the severe malware infection is Windows Defence Counsel itself!

The scam that Windows Defence Counsel carries out is among the most common kinds of online scams, and there are thousands of programs similar to Windows Defence Counsel. The severity of the attack varies from one fake security program to another. Some simply pretend to be legitimate security programs and pester their victims with fake error messages; the most malicious rogue security programs actually change the computer’s settings and employ a variety of Trojan and rootkit components in order to take over the victim’s computer. Unfortunately, Windows Defence Counsel belongs to the second kind: it may cause browser redirects, make the computer system slow or unstable, and make dangerous changes to the infected system’s settings and registry.

Windows Defence Counsel and the FakeVimes Family of Malware

The FakeVimes family of malware has been active since 2009. Windows Defence Counsel belongs to a variety of malware in the FakeVimes family that was first seen in late 2011 and that has been very active in 2012. Examples of these fake security programs include Windows Internet Booster, Windows Daily Advisor and Windows Advanced User Patch. The main danger that these variants of the FakeVimes family pose is that they often use the ZeroAccess rootkit in order to hide from detection. Because of this, ESG security analysts recommend using an anti-rootkit tool before trying to remove a Windows Defence Counsel infection. You can trick Windows Defence Counsel into thinking that you have paid the registration fee with the code 0W000-000B0-00T00-E0020. This code will not remove Windows Defence Counsel, but it will stop its most annoying symptoms while you seek a permanent solution.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Defence Counsel?

Windows Defence Counsel Technical Report

As new Windows Defence Counsel details are reported by our customers and findings from our Threat Research Center, we will update this section.

Fake messages for Windows Defence Counsel:

The following fake error messages appear for Windows Defence Counsel:

Error
Attempt to modify registry key entries detected. Registry entry analysis is recommended.

Warning
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.


Windows Defence Counsel Removal Details

Windows Defence Counsel typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
  • %AppData%\NPSWF32.dll

Windows Defence Counsel creates the following files in the system:

  • %AppData%\result.db

Windows Defence Counsel creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_CURRENT_USER\Software\ASProtect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\infwin.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ssg_4104.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-5-27_7”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\pavsched.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapro.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\webdav.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “whecqycyiq”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSurvey.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sbserv.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsm32.exe

This entry was last updated on 05/27/12 and posted on 05/27/12.