Windows Firewall Constructor

By Domesticus in Rogue Anti-Spyware Program

Windows Firewall Constructor Description

Looking at the name ‘Windows Firewall Constructor’, one may think of a program that somehow builds firewalls. However, this nonsensical name actually belongs to one of the many fake security applications in the Rogue.VirusDoctor family of rogue anti-virus programs. While this is a well-known family, Windows Firewall Constructor is part of a large batch of clones of this family of malware that were released in 2012 and late 2011. Older versions of this fake security program include such malware as Virus Doctor and Security Shield, while more recent clones include Windows Basic Antivirus, Windows PRO Scanner and Windows Firewall Constructor itself. Regardless of their release date, all of these are basically the same malware threat: fake security programs that attempt to convince inexperienced computer users to purchase useless security applications. To avoid becoming infected with Windows Firewall Constructor, it is important to use reliable anti-malware software from a legitimate manufacturer and to avoid using free online malware scanners or visiting websites that are commonly associated with malware infections (such as pornographic video galleries or websites with streaming pirated movies).

Common Sources of a Windows Firewall Constructor Infection

Windows Firewall Constructor is usually installed through a Trojan infection. Common Trojans known to install Windows Firewall Constructor include the Fake Microsoft Security Essentials Alert Trojan, the Vundo Trojan, and the Zlob Trojan. Windows Firewall Constructor may also be downloaded directly from a fake online malware scan, often found on websites that fail to monitor their advertisements correctly or that are built for the sole purpose of distributing malware. When the victim agrees to one of these fake scans, the scan does two things instead of actually scanning the victim’s computer system:

  1. Fake online malware scans associated with Windows Firewall Constructor will attempt to exploit several known vulnerabilities in the victim’s operating system, web browser and applications in order to install Windows Firewall Constructor against the victim’s will.
  2. These kinds of scans will always return a positive result for malware and then offer to install Windows Firewall Constructor as a way to get rid of these imaginary threats. Since ESG security analysts report that Windows Firewall Constructor is a malware infection itself, this is definitely not recommended.

To avoid becoming a victim of Windows Firewall Constructor, remember that fake security programs are a common malware distribution scam. Computer users therefore need to be very careful and make sure that any security application they consider is legitimate.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Firewall Constructor?

Windows Firewall Constructor Technical Report

We will update this section as new Windows Firewall Constructor details are reported by our customers and by our Threat Research Center.

Fake message for Windows Firewall Constructor:

The following fake error messages appear for Windows Firewall Constructor:

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.

Warning! Virus Detected
Threat detected: FTP Server
Infected file: C:\Windows\System32\dllcache\wmpshell.dll

Windows Firewall Constructor Removal Details

Windows Firewall Constructor typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
  • %AppData%\NPSWF32.dll

Windows Firewall Constructor creates the following files in the system:

  • %Desktop%\Windows Firewall Constructor.lnk
  • %CommonStartMenu%\Programs\Windows Firewall Constructor.lnk
  • %AppData%\result.db

Windows Firewall Constructor creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “dbbqyjinfs”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\McSACore.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bootwarn.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ss3edit.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312 “iexplore.exe”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PC_Antispyware2010.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wupdt.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = 2012-2-29_2
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\auto-protect.nav80try.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ethereal.exe
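
The file and registry indicators listed above can be turned into a matcher for a host triage listing. The following is an added example, not ESG's code: the expansion of `%AppData%`, `%Desktop%` and `%CommonStartMenu%` into concrete paths, the `key\name` form for registry values and the sample listing are all assumptions.

```python
import re

# Indicators copied from this page; the placeholder expansions are assumptions.
FILE_INDICATORS = [
    r"%AppData%\Protector-[RANDOM 3 CHARACTERS].exe",
    r"%AppData%\NPSWF32.dll",
    r"%AppData%\result.db",
    r"%Desktop%\Windows Firewall Constructor.lnk",
    r"%CommonStartMenu%\Programs\Windows Firewall Constructor.lnk",
]
IFEO_NAMES = ["McSACore.exe", "bootwarn.exe", "ss3edit.exe", "PC_Antispyware2010.exe",
              "wupdt.exe", "auto-protect.nav80try.exe", "ethereal.exe"]
# Each placeholder covers both the XP and the Vista-and-later folder layout.
PROFILE = r"[A-Za-z]:\\(?:Users|Documents and Settings)\\[^\\]+"
PLACEHOLDERS = {
    "%AppData%": PROFILE + r"\\(?:AppData\\Roaming|Application Data)",
    "%Desktop%": PROFILE + r"\\Desktop",
    "%CommonStartMenu%": r"[A-Za-z]:\\(?:ProgramData\\Microsoft\\Windows"
                         r"|Documents and Settings\\All Users)\\Start Menu",
}

def compile_file_indicator(template):
    """Turn one of the page's path templates into an anchored regex."""
    root, _, tail = template.partition("\\")
    tail = re.escape(tail).replace(re.escape("[RANDOM 3 CHARACTERS]"), r"[^\\]{3}")
    return re.compile("^" + PLACEHOLDERS[root] + r"\\" + tail + "$", re.IGNORECASE)

IFEO = (r"^(?:HKLM|HKEY_LOCAL_MACHINE)\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
        r"\\Image File Execution Options\\(?:" + "|".join(map(re.escape, IFEO_NAMES)) + ")$")
RUN = (r"^(?:HKCU|HKEY_CURRENT_USER)\\Software\\Microsoft\\Windows\\CurrentVersion"
       r"\\Run\\Inspector$")
RULES = [(t, compile_file_indicator(t)) for t in FILE_INDICATORS] + [
    ("IFEO key", re.compile(IFEO, re.IGNORECASE)),
    ('Run value "Inspector"', re.compile(RUN, re.IGNORECASE)),
]

def match(artifact):
    """Return the label of the first rule the artifact matches, else None."""
    return next((label for label, rule in RULES if rule.match(artifact)), None)

# Constructed triage listing (not real telemetry); registry values are written key\name.
SAMPLE = [
    r"C:\Users\alice\AppData\Roaming\Protector-xqz.exe",
    r"C:\Documents and Settings\bob\Application Data\result.db",
    r"C:\Windows\System32\Macromed\Flash\NPSWF32.dll",  # legitimate Flash plug-in path
    r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ethereal.exe",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
]
HITS = {a: match(a) for a in SAMPLE if match(a)}
```

Anchoring each file rule to its folder keeps generic names such as `result.db` and `NPSWF32.dll` from matching outside the locations the page lists.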

This entry was last updated on 02/29/12 and posted on 02/29/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.