Windows Malware Firewall

By ESGI Advisor in Rogue Anti-Spyware Program

Windows Malware Firewall Description


Despite its name, Windows Malware Firewall is not a firewall and cannot protect a computer from malware. It is itself a malware infection, disguised as a legitimate security program. Applications of this kind are known as rogue security programs: malicious applications designed to convince PC users to pay for fake security software. Windows Malware Firewall belongs to a particularly large family of such programs, the FakeVimes family.

Windows Malware Firewall is Part of the FakeVimes Family of Fake Security Software

Malware in the FakeVimes family has been active for several years, at least since 2009. Windows Malware Firewall is a fairly typical member of the family, which means that most security programs have no problem removing it. However, FakeVimes variants released in 2012 often include a rootkit component that is considerably harder to remove. Other fake anti-virus programs from the FakeVimes family released in 2012 include Windows Pro Rescuer, Windows Home Patron, Windows Recovery Series and Windows Safety Checkpoint.

The Windows Malware Firewall scam is not complicated. The program does everything it can to convince its victim that the computer is severely infected with various viruses and Trojans. Trying to use Windows Malware Firewall to fix these problems only produces error messages and redirects stating that the victim must purchase a 'full version' of Windows Malware Firewall to clean the supposed infection. Since Windows Malware Firewall has no real anti-virus capability, paying for it is a waste of money that also hands payment details to the people running the scam, which is a severe security risk in itself.

Dealing With a Windows Malware Firewall Infection

As mentioned above, most legitimate security programs can remove Windows Malware Firewall, provided that its associated rootkit is removed first. ESG security researchers have observed that this rootkit is a variant of the infamous ZeroAccess rootkit; it can often be removed with a specialized anti-rootkit tool or with an advanced anti-malware application that has integrated anti-rootkit technology. Entering the registration code 0W000-000B0-00T00-E0020 into Windows Malware Firewall's registration dialog makes the program behave as if it were activated, which stops many of its most irritating symptoms. It does not remove the infection: the rogue program's files, registry entries and rootkit remain on the system and still have to be cleaned.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Malware Firewall?

Windows Malware Firewall Technical Report


The following fake error messages appear for Windows Malware Firewall (text reproduced as displayed, including its misspellings):

Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.

Error
Keylogger ativity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Error
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.

Error
Trojan activity detected. System data security is at risk.
It is recommended to activate protection and run a full system scan.

Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.

Warning! Identity theft attempt Detected

System Security Warning
Attempt to modify register key entries is detected. Register entries analysis is recommended.
Warning!
Location: c:\windows\system32\taskmgr.exe
Viruses: Backdoor.Win32.Rbot


Windows Malware Firewall Removal Details

Windows Malware Firewall typically runs as one of the following processes (the suffix is random and differs between installations):

  • %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe

Windows Malware Firewall creates the following files in the system:

  • %AppData%\result.db

Windows Malware Firewall creates the following registry entries. The Image File Execution Options entries set a "Debugger" of svchost.exe for each listed security tool: when Windows starts an executable that has an IFEO Debugger value, it launches the debugger with the executable as its argument instead, so launching any of these tools silently starts svchost.exe and the tool never runs. The Run entry under HKEY_CURRENT_USER restarts the rogue program at every logon:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\"Debugger" = "svchost.exe"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\"Debugger" = "svchost.exe"
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\"Debugger" = "svchost.exe"
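The following PowerShell script is an added triage example that checks a machine for the indicators listed above (the Protector-*.exe process and files, the HKCU Run value "Inspector", and the IFEO "Debugger" hijacks) and optionally removes them. It is not part of the original write-up and is not a SpyHunter or ESG tool. It assumes that the random "Protector-" suffix is 3 to 4 alphanumeric characters and that it is run from an elevated prompt as the infected user, since the %AppData% paths are per-user. It does nothing about the ZeroAccess rootkit component described in the removal section; that still has to be handled with an anti-rootkit tool.

```powershell
<#
  Find-FakeVimes.ps1 (added example, not ESG code)
  Reports the Windows Malware Firewall indicators from the write-up above.
    .\Find-FakeVimes.ps1                  # report only
    .\Find-FakeVimes.ps1 -Remove -WhatIf  # preview what -Remove would do
    .\Find-FakeVimes.ps1 -Remove          # stop processes, delete files, fix registry
  Assumption: the Protector- suffix is 3-4 alphanumeric characters.
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param([switch]$Remove)

$ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$runKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$protectorPattern = '(?i)\\Protector-[A-Za-z0-9]{3,4}\.exe$'   # assumed charset for the random suffix
$findings = New-Object System.Collections.Generic.List[string]

# 1. Running rogue processes. Stop these first: a running copy keeps its file
#    locked and would simply re-create the Run value after a cleanup.
$procs = Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -like "$env:APPDATA\*" -and $_.Path -match $protectorPattern }
foreach ($p in $procs) {
    $findings.Add("process  PID $($p.Id)  $($p.Path)")
    if ($Remove -and $PSCmdlet.ShouldProcess($p.Path, 'Stop-Process')) {
        Stop-Process -Id $p.Id -Force
    }
}

# 2. Dropped files: %AppData%\Protector-XXXX.exe and %AppData%\result.db
$files = @(Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -File -ErrorAction SilentlyContinue |
           Where-Object { $_.FullName -match $protectorPattern })
$db = Join-Path $env:APPDATA 'result.db'
if (Test-Path -LiteralPath $db) { $files += Get-Item -LiteralPath $db }
foreach ($f in $files) {
    $findings.Add("file     $($f.FullName)")
    if ($Remove -and $PSCmdlet.ShouldProcess($f.FullName, 'Remove-Item')) {
        Remove-Item -LiteralPath $f.FullName -Force
    }
}

# 3. Persistence: the HKCU Run value "Inspector", or any Run value that
#    points at a Protector-*.exe (the value name could change between builds).
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run) {
    $valueNames = $run.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | Select-Object -ExpandProperty Name
    foreach ($name in $valueNames) {
        $data = [string]$run.$name
        if ($name -eq 'Inspector' -or $data -match $protectorPattern) {
            $findings.Add("run      $name = $data")
            if ($Remove -and $PSCmdlet.ShouldProcess("$runKey\$name", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $runKey -Name $name
            }
        }
    }
}

# 4. IFEO "Debugger" hijack. A genuine Debugger value names a real debugger
#    (e.g. a full path to windbg.exe or vsjitdebugger.exe); a bare svchost.exe
#    is never legitimate. Only the Debugger value is removed, not the whole
#    key, because the key may carry other, legitimate values.
foreach ($key in (Get-ChildItem -Path $ifeoRoot -ErrorAction SilentlyContinue)) {
    $dbg = $key.GetValue('Debugger')
    if (-not $dbg) { continue }
    $tool = $key.PSChildName
    if ($dbg -match '(?i)^"?(.*\\)?svchost\.exe"?\s*$') {
        $findings.Add("ifeo     $tool -> $dbg  [HIJACK]")
        if ($Remove -and $PSCmdlet.ShouldProcess("$ifeoRoot\$tool", 'Remove Debugger value')) {
            Remove-ItemProperty -Path $key.PSPath -Name 'Debugger'
        }
    } else {
        # Not the FakeVimes pattern, but any Debugger value deserves a look.
        $findings.Add("ifeo     $tool -> $dbg  [review: non-svchost debugger]")
    }
}

if ($findings.Count -eq 0) { 'No Windows Malware Firewall indicators found.' } else { $findings }
```

Run it once without -Remove to see what it finds, then with -Remove -WhatIf, then with -Remove. Because the rootkit can reinstall the rogue program, run an anti-rootkit tool and a full scan with a legitimate security product after the cleanup, and re-run the script afterwards to confirm that nothing has come back.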

This entry was last updated on 01/15/13 and posted on 06/1/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.