Windows Pro Rescuer

By JubileeX in Rogue Anti-Spyware Program

Windows Pro Rescuer Description


The presence of Windows Pro Rescuer on a computer indicates that the system has been infected with malware. Specifically, Windows Pro Rescuer belongs to a 2012 variant of the FakeVimes family of rogue security programs. Fake anti-virus applications such as Windows Pro Rescuer are very common and are part of a popular scam that claims numerous victims every day. The FakeVimes family has been around since 2009, which means that PC security researchers are very well acquainted with Windows Pro Rescuer and its variants. However, the 2012 variant of these fake security programs tends to include a rootkit component (often belonging to the ZeroAccess family). This can make removal of Windows Pro Rescuer very difficult without the help of a specialized anti-rootkit tool.

Apart from carrying out its scam, Windows Pro Rescuer can also disable legitimate security programs and cause several problems on the infected PC, such as system crashes and browser redirects. Because of this, removing Windows Pro Rescuer should be a priority. There are dozens of clones of Windows Pro Rescuer, including such fake security programs as Windows Crucial Scanner, Windows Safety Toolkit and Windows Cleaning Tools. These should be removed with a trustworthy anti-malware tool.

Do Not Fall for the Windows Pro Rescuer Scam

The main Windows Pro Rescuer scam involves making computer users believe that their computer system is infested with malware. Windows Pro Rescuer passes itself off as a legitimate anti-virus program, but it does little more than report numerous fake infections on the victim’s computer system. Windows Pro Rescuer uses various tactics to carry out its scam, including displaying numerous misleading error messages and causing the infected computer’s web browser to display error messages constantly and to visit Windows Pro Rescuer’s web page.

However, if the victim attempts to use Windows Pro Rescuer to solve these imaginary problems, this fake security program will claim that it is necessary to register for a “full version” of Windows Pro Rescuer. Of course, registration is not cheap. ESG security analysts have observed that the registration code 0W000-000B0-00T00-E0020 can fool Windows Pro Rescuer, allowing the victim to gain access to their legitimate security software without some of Windows Pro Rescuer’s most annoying features. However, it is important to remember that the code mentioned above will not remove Windows Pro Rescuer; to do this, a reliable anti-malware program is still needed.

Type: Rogue AntiSpyware Programs


Windows Pro Rescuer Technical Report

As new Windows Pro Rescuer details are reported by our customers and findings from our Threat Research Center, we will update this section.

Fake message for Windows Pro Rescuer:

The following fake error messages appear for Windows Pro Rescuer:

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.


Windows Pro Rescuer Removal Details

Windows Pro Rescuer typically runs the following processes in memory:

  • Protector-[rnd].exe
  • Inspector-[rnd].exe

Windows Pro Rescuer creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “rudbxijemb”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-2-17_2”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “ID” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe
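
A triage check built from the process names and registry entries listed above, as an added example that is not ESG's code. It assumes `[rnd]` is a short run of letters and digits and that the process names and registry (key, value name) pairs have already been collected from the host; the sample data is constructed.

```python
import re

# Indicators copied from the process and registry lists above.
# Assumption: "[rnd]" stands for a short run of letters and digits.
PROCESS_RE = re.compile(r"(protector|inspector)-[a-z0-9]+\.exe", re.I)
HKCU_CV = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
IFEO = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
        r"\Image File Execution Options")
IFEO_TARGETS = {"ashdisp.exe", "platin.exe", "_avpcc.exe", "mostat.exe",
                "zapsetup3001.exe", "_avp32.exe", "divx.exe", "tapinstall.exe"}
VALUE_INDICATORS = {
    (HKCU_CV + r"\Run").lower(): {"inspector"},
    (HKCU_CV + r"\Settings").lower(): {"uid", "net", "id"},
}


def scan(processes, registry):
    """Return (category, detail) findings.

    processes: image names; registry: (key_path, value_name or None) pairs.
    Registry paths and value names are compared case-insensitively.
    """
    findings = []
    for name in processes:
        if PROCESS_RE.fullmatch(name.strip()):
            findings.append(("process", name.strip()))
    for key, value in registry:
        key_l = key.rstrip("\\").lower()
        parent, _, leaf = key_l.rpartition("\\")
        if parent == IFEO.lower() and leaf in IFEO_TARGETS:
            findings.append(("ifeo", leaf))
        elif value and value.lower() in VALUE_INDICATORS.get(key_l, ()):
            findings.append(("value", f"{key}\\{value}"))
    return findings


def likely_infected(findings):
    """Alert only when two independent indicator categories are present."""
    return len({category for category, _ in findings}) >= 2


# Constructed sample data (not taken from a real host).
SAMPLE_PROCESSES = ["explorer.exe", "Protector-abc1.exe", "protector.exe"]
SAMPLE_REGISTRY = [
    (HKCU_CV + r"\Run", "Inspector"),
    (HKCU_CV + r"\Run", "OneDrive"),
    (IFEO + r"\_avp32.exe", None),
    (IFEO + r"\notepad.exe", None),
]
```

Requiring two categories keeps a single coincidental match, such as an unrelated `divx.exe` key, from raising an alert on its own.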


This entry was last updated on 04/23/12 and posted on 04/23/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.