Windows Premium Defender

By ESGI Advisor in Rogue Anti-Spyware Program | 404 views

Windows Premium Defender Description


Windows Premium Defender is one of the many fake security applications in the infamous FakeVimes family. This malware family has been around since 2009 and became especially active in 2012, when a dangerous rootkit component was added to FakeVimes bogus security applications. This rootkit is a variant in the Sirefef family of rootkits. While the FakeVimes malware released before 2012 was not particularly difficult to remove, the addition of this rootkit component makes Windows Premium Defender and its many clones considerably more difficult to remove than before. Dealing with a Windows Premium Defender infection will typically require a reliable anti-malware application with anti-rootkit capabilities, or a specialized anti-rootkit tool. Examples of clones of Windows Premium Defender include Windows Web Combat, Windows Virtual Angel and Windows Profound Security.

Most Windows Premium Defender infections will be the result of a social engineering attack – that is, criminals will use deception to convince victims to download either Windows Premium Defender or a downloader or dropper Trojan. Some ways in which this can happen include the following:

  1. Windows Premium Defender may be advertised on unsafe websites, often offering a free scan of your computer system in order to protect it from malware. However, these kinds of advertisements will actually use exploits to install Windows Premium Defender directly or they will claim that your computer system is severely infected so that you will download Windows Premium Defender yourself.
  2. Another common way criminals deliver Windows Premium Defender and similar fake security programs is through spam email campaigns. Typically, criminals will send out a misleading email message containing an email attachment disguised as a harmless text or image file. However, this attachment will usually contain a Trojan dropper or downloader that can then be utilized to set up Windows Premium Defender.
  3. The kind of Trojans mentioned above are also commonly disguised as fake video codecs required to view pornographic videos on unsafe websites. After opening the fake video, the victim will receive an error message claiming that it is necessary to download a video codec. However, this supposed codec will actually be a Trojan that can then download and install Windows Premium Defender on the infected computer system.

The main purpose of Windows Premium Defender is to talk its victims into believing that their machines are badly infected with malware. ESG security researchers advise ignoring all notifications that Windows Premium Defender displays and instead using a strong anti-malware program to take care of this pest.

Type: Rogue AntiSpyware Programs


Windows Premium Defender Removal Details

Windows Premium Defender typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
  • %AppData%\NPSWF32.dll

Windows Premium Defender creates the following files in the system:

  • %AppData%\1st$0l3th1s.cnf
  • %AppData%\result.db

Windows Premium Defender creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "cwhstknlsh"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-7-13_7"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe
  • HKEY_CURRENT_USER\Software\ASProtect
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win-bugsfix.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep95.exe
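As an added example (not code from the ESG entry or from SpyHunter), the following PowerShell audit checks a host for the file and registry indicators listed in the two sections above and reports matches without changing anything. It assumes the listed %AppData% paths resolve to the current user's $env:APPDATA; reading each IFEO subkey's Debugger value is also an assumption, since the entry lists only the key names.

```powershell
# Added example (not from the ESG entry): read-only audit of a host for the
# Windows Premium Defender file and registry indicators listed above.
$findings = New-Object 'System.Collections.Generic.List[string]'

# 1. Files under %AppData% (each ? matches one character: Protector-XXX.exe / Protector-XXXX.exe)
foreach ($pattern in 'Protector-???.exe', 'Protector-????.exe', 'NPSWF32.dll', '1st$0l3th1s.cnf', 'result.db') {
    Get-ChildItem -Path $env:APPDATA -Filter $pattern -File -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("File: $($_.FullName)") }
}

# 2. UAC policy values the rogue sets to 0 under HKLM
$sysPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $sysPol -ErrorAction SilentlyContinue
foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
    if ($pol -and $pol.PSObject.Properties[$name] -and $pol.$name -eq 0) {
        $findings.Add("Policy value set to 0: $sysPol\$name")
    }
}

# 3. Rogue-specific HKCU values (presence alone is suspicious) and the ASProtect key
$hkcuValues = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings' = 'UID', 'net'
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'      = 'Inspector'
}
foreach ($key in $hkcuValues.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in @($hkcuValues[$key])) {
        if ($props -and $props.PSObject.Properties[$name]) {
            $findings.Add("Registry value: $key\$name = $($props.$name)")
        }
    }
}
if (Test-Path 'HKCU:\Software\ASProtect') { $findings.Add('Registry key present: HKCU:\Software\ASProtect') }

# 4. Image File Execution Options subkeys for the security-product executables listed above.
#    Reading the Debugger value is an assumption; the ESG entry lists only the key names.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
foreach ($exe in 'cssurf.exe', 'avpupd.exe', 'Quick Heal.exe', 'nvarch16.exe', 'AntivirusPlus.exe',
                 'wyvernworksfirewall.exe', 'mcvsrte.exe', 'homeav2010.exe', 'win-bugsfix.exe', 'sweep95.exe') {
    $key = "$ifeo\$exe"
    if (Test-Path -LiteralPath $key) {
        $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
        $findings.Add("IFEO entry: $key (Debugger = '$dbg')")
    }
}

if ($findings.Count -eq 0) { 'No Windows Premium Defender indicators found.' } else { $findings }
```

Run it from an elevated PowerShell session so the HKLM keys are readable; a hit on the ASProtect key alone is worth a manual look, since that packer is also used by legitimate software.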


This entry was last updated on 07/16/12 and posted on 07/13/12.


Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.