Windows Pro Defence

By Domesticus in Rogue Anti-Spyware Program | 263 views

Windows Pro Defence Description

Since early 2012, ESG security researchers have seen a steady stream of fake security applications belonging to the FakeVimes family of malware. Although this family has been active since 2009, the recent batch of FakeVimes rogues is altogether more vicious and harder to remove than earlier iterations, because these rogues are often bundled with a rootkit component from the ZeroAccess (also known as Sirefef) family of malware. Windows Pro Defence is one of the many fake security applications in this family that ships with this dangerous rootkit component. If Windows Pro Defence is installed on your computer, it is a sign that the machine may be infected with dangerous malware that is difficult to remove. ESG security researchers recommend removing Windows Pro Defence and its associated malware with an anti-malware program that includes anti-rootkit technology.

How Criminals Use Windows Pro Defence to Steal Your Money

The Windows Pro Defence scam is one of the countless online scams that have been around for many years. Windows Pro Defence is designed to convince its victims that their PCs are severely infected with malware, when in fact Windows Pro Defence is itself a malware infection. Posing as a legitimate security program, Windows Pro Defence displays numerous error messages and pop-up notifications claiming that the victim’s computer has become infected with various Trojans and viruses. It also runs a bogus scan of the victim’s hard drive and causes other symptoms on the victim’s PC (such as browser redirects and blocked access to certain files and applications). Whenever the victim tries to fix these supposed malware problems with Windows Pro Defence, the fake security program insists that it is necessary to ‘upgrade’ to an expensive ‘full version’ of Windows Pro Defence. Since Windows Pro Defence has no real anti-malware components, paying for this supposed upgrade is definitely not recommended.

Dealing with Windows Pro Defence and Its Many Clones

New clones of malware in the FakeVimes family are released nearly every day. Some examples of clones of Windows Pro Defence (also bundled with the ZeroAccess rootkit) include Windows Control Series, Windows Advanced Toolkit, and Windows Maintenance Guard. While removal of Windows Pro Defence should be carried out with a reliable anti-malware tool, ‘registering’ Windows Pro Defence with the registration code 0W000-000B0-00T00-E0020 can stop some of its more irritating symptoms, such as browser redirects and pop-up notifications, while the actual removal is carried out.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Pro Defence?

Windows Pro Defence Technical Report

As new Windows Pro Defence details are reported by our customers and findings from our Threat Research Center, we will update this section.

Fake messages for Windows Pro Defence:

The following fake error messages appear for Windows Pro Defence:

Error
Attempt to modify registry key entries detected. Registry entry analysis is recommended.

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Error
Attempt to run a potentially dangerous script detected.
Full system scan is highly recommended.

Windows Pro Defence Removal Details

Windows Pro Defence typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
  • %AppData%\NPSWF32.dll

Windows Pro Defence creates the following files in the system:

  • %AppData%\result.db
  • %AppData%\1st$0l3th1s.cnf

Windows Pro Defence creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-6-24_4”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bipcpevalsetup.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\W3asbas.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msdm.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
  • HKEY_CURRENT_USER\Software\ASProtect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\protector.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\srng.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “wmlkovyjad”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gbmenu.exe
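As an added example (not part of the original entry or of any ESG tool), the following PowerShell sweep checks a local machine for the process, file and registry indicators listed above and reports what it finds without changing anything. The function name `Find-WindowsProDefenceIndicators` is this example's own; all paths, key names and value names come from the lists above.

```powershell
function Find-WindowsProDefenceIndicators {
    # Read-only sweep for the Windows Pro Defence indicators listed on this page.
    $findings = @()
    $appData  = $env:APPDATA

    # Dropped files in %AppData%: fixed names plus the Protector-XXX(X).exe pattern.
    # Single quotes keep the '$' in 1st$0l3th1s.cnf literal.
    foreach ($pattern in 'result.db', '1st$0l3th1s.cnf', 'NPSWF32.dll',
                         'Protector-???.exe', 'Protector-????.exe') {
        Get-ChildItem -Path $appData -Filter $pattern -File -ErrorAction SilentlyContinue |
            ForEach-Object { $findings += "File: $($_.FullName)" }
    }

    # Running processes whose image is %AppData%\Protector-*.exe
    Get-Process -ErrorAction SilentlyContinue | Where-Object {
        $_.Path -and $_.Path -like (Join-Path $appData 'Protector-*.exe')
    } | ForEach-Object { $findings += "Process: $($_.Name) (PID $($_.Id)) $($_.Path)" }

    # Image File Execution Options subkeys named after the executables listed above
    $ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
    foreach ($exe in 'bipcpevalsetup.exe', 'W3asbas.exe', 'msdm.exe', 'protector.exe',
                     'srng.exe', 'alevir.exe', 'gbmenu.exe') {
        if (Test-Path (Join-Path $ifeo $exe)) { $findings += "IFEO key: $exe" }
    }

    # Autorun value "Inspector" and the per-user marker values "net" / "UID"
    $run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['Inspector']) { $findings += "Run value: Inspector = $($run.Inspector)" }
    $settings = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings' -ErrorAction SilentlyContinue
    foreach ($v in 'net', 'UID') {
        if ($settings -and $settings.PSObject.Properties[$v]) { $findings += "Settings value: $v = $($settings.$v)" }
    }
    if (Test-Path 'HKCU:\Software\ASProtect') { $findings += 'Key present: HKCU\Software\ASProtect' }

    # UAC policy values the rogue sets to 0; EnableLUA = 0 switches UAC off entirely,
    # so these are worth flagging even if nothing else is found.
    $sys = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
    foreach ($name in 'EnableLUA', 'ConsentPromptBehaviorAdmin', 'ConsentPromptBehaviorUser') {
        if ($sys -and $sys.PSObject.Properties[$name] -and $sys.$name -eq 0) { $findings += "UAC weakened: $name = 0" }
    }

    return $findings
}

$hits = Find-WindowsProDefenceIndicators
if ($hits) { $hits } else { 'No Windows Pro Defence indicators found.' }
```

Run it from an elevated prompt so the HKLM checks are not skipped; a hit on the UAC values alone is a reason to inspect the machine even when the Protector-*.exe files have already been removed.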

This entry was last updated on 07/3/12 and posted on 06/24/12. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.