Windows Pro Safety Release

By ESGI Advisor in Rogue Anti-Spyware Program | 183 views

Windows Pro Safety Release Description

Windows Pro Safety Release is a fraudulent security program. Although it looks like a real anti-virus application, Windows Pro Safety Release has no anti-malware components; it is designed to execute a well-worn online scam. The scam consists of making the victim believe that their computer system is severely infected with viruses and Trojans. Windows Pro Safety Release then claims that a ‘full version’ must be purchased in order to remove these non-existent threats. The supposed upgrade is not cheap ($99 USD), and considering that it is absolutely useless, ESG malware analysts strongly recommend against purchasing this fake security program. Instead, Windows Pro Safety Release should be removed with a real, fully updated anti-malware tool.

Windows Pro Safety Release Belongs to the FakeVimes Family of Rogue Security Software

Windows Pro Safety Release is one of the many fake anti-virus programs in the FakeVimes family of rogue security software, a particularly large family of malware that has been active since 2009. While PC security analysts are well acquainted with malware like Windows Pro Safety Release, fake anti-virus programs in the FakeVimes family released in 2012 have included a rootkit component that makes them more difficult to remove and detect than previous iterations of FakeVimes malware. There are dozens of clones of Windows Pro Safety Release, including such fake security programs as Windows Safeguard Upgrade, Windows Shielding Utility and Windows Trojans Inspector. Because of their integrated rootkit, a specialized anti-rootkit tool may be necessary to remove Windows Pro Safety Release and its clones from an infected computer system.

Protecting Yourself from the Windows Pro Safety Release Scam

Most fake security programs like Windows Pro Safety Release are delivered with the help of a Trojan infection. These can be acquired in several ways, including malicious email attachments, a downloader Trojan infection, or fake video codecs on high-risk websites. However, the most common cause of a rogue security program infection is clicking on corrupted online advertisements supposedly offering a free online malware scan. These will invariably return a false positive result and urge the victim to download a program like Windows Pro Safety Release. Most of the time, they will also attempt to use exploits to install the rogue security program in the background while the supposed ‘scan’ is going on.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Pro Safety Release?

Windows Pro Safety Release Technical Report

As new Windows Pro Safety Release details are reported by our customers and findings from our Threat Research Center, we will update this section.

Fake message for Windows Pro Safety Release:

The following fake error messages appear for Windows Pro Safety Release:

Error
Keylogger ativity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Error
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.

Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.

Warning
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Windows Pro Safety Release Removal Details

Windows Pro Safety Release typically has the following processes in memory:

  • %AppData%\NPSWF32.dll
  • %AppData%\Protector-{RANDOM 4 CHARACTERS}.exe
  • %AppData%\Protector-{RANDOM 3 CHARACTERS}.exe

Windows Pro Safety Release creates the following files in the system:

  • %AllUsersProfile%\Start Menu\Programs\Windows Pro Safety Release.lnk
  • %UserProfile%\Desktop\Windows Pro Safety Release.lnk
  • %AppData%\result.db

Windows Pro Safety Release creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-2-17_2”
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “ID” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “rudbxijemb”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exe
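
The file and registry indicators listed above, turned into a small triage check over an already collected inventory of file paths and registry keys. This is an added example, not ESG's code: the function names, the sample inventory and the alphanumeric character class for the random suffix are assumptions.

```python
import ntpath
import re

# Indicators copied from the lists above; the alphanumeric class is an assumption.
PROTECTOR_RE = re.compile(r"^Protector-[A-Za-z0-9]{3,4}\.exe$", re.I)
APPDATA_NAMES = {"npswf32.dll", "result.db"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IFEO = (r"hkey_local_machine\software\microsoft\windows nt\currentversion"
        r"\image file execution options")
IFEO_TARGETS = {"_avpcc.exe", "zapsetup3001.exe", "_avp32.exe", "tapinstall.exe",
                "platin.exe", "ashdisp.exe", "divx.exe", "mostat.exe"}

def check_files(paths, appdata):
    """Return the paths that sit directly in %AppData% and match a listed name."""
    root = ntpath.normcase(ntpath.normpath(appdata))
    hits = []
    for p in paths:
        folder, name = ntpath.split(ntpath.normpath(p))
        if ntpath.normcase(folder) != root:
            continue  # the same file name in another folder is not this indicator
        if PROTECTOR_RE.match(name) or name.lower() in APPDATA_NAMES:
            hits.append(p)
    return hits

def check_registry(entries):
    """entries: (key, value_name) pairs, value_name None for a bare key."""
    hits = []
    for key, value in entries:
        k = key.lower().rstrip("\\")  # registry key names are case-insensitive
        if k == RUN_KEY and value == "Inspector":
            hits.append((key, value))
        elif k.startswith(IFEO + "\\") and k[len(IFEO) + 1:] in IFEO_TARGETS:
            hits.append((key, value))
    return hits

# Constructed sample inventory, not taken from a real host.
SAMPLE_APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_PATHS = [
    SAMPLE_APPDATA + r"\Protector-x7qk.exe",
    SAMPLE_APPDATA + r"\NPSWF32.dll",
    r"C:\Windows\System32\Macromed\Flash\NPSWF32.dll",
    SAMPLE_APPDATA + r"\Protector-toolong.exe",
]
SAMPLE_REG = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Inspector"),
    (IFEO + r"\ashDisp.exe", None),
    (IFEO + r"\notepad.exe", None),
]
print(check_files(SAMPLE_PATHS, SAMPLE_APPDATA), check_registry(SAMPLE_REG))
```

A hit on result.db alone is weak evidence because the name is generic; treat it as supporting the Protector-*.exe and registry matches rather than as a finding on its own.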

This entry was last updated on 05/18/12 and posted on 05/18/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.