Windows Protection Unit

By JubileeX in Rogue Anti-Spyware Program | 124 views
Rate it:
1 Star2 Stars3 Stars4 Stars5 Stars (No Ratings Yet)
Loading ... Loading ...
 More... More

Windows Protection Unit Description

Image Screenshot

[+] Click Image to Enlarge

The year 2012 marked resurgence in the rogue security application scam. While these kinds of fake security programs were never really gone, security software had become much more effective at detecting and neutralizing these threats. The reason for this is that the largest families of rogue security programs, like the VirusDoctor or FakeVimes families, have been active since 2009, thus giving PC security analysts ample time to learn all they need to know in order to remove these threats quickly. However, FakeVimes family is making a comeback. While it seems that the rogue anti-virus programs in themselves are no different from previous versions of this malware family, this recent batch includes a nasty ZeroAccess rootkit infection which makes removal of the rogue anti-virus program much more difficult.

Windows Protection Unit, along with other fake security programs like Windows Crucial Scanner, Windows Foolproof Protector and Windows Cleaning Tools is one of the many versions of these newer iteration of the FakeVimes family of malware. If you detect that Windows Protection Unit is installed on your computer system, our team of malware researchers strongly advises using a reliable anti-malware program, or a specialized anti-rootkit tool, to remove Windows Protection Unit and its associated rootkit from your hard drive.

Windows Protection Unit’s Scam is No Different from Previous Rogue Anti-virus Programs

Even if Windows Protection Unit contains its added rootkit component, the scam Windows Protection Unit carries out is basically unchanged since 2009. Windows Protection Unit attempts to make its victim believe that Windows Protection Unit is a real security program and that the victim’s computer has become infected with viruses and Trojans. To do this, Windows Protection Unit can carry out several malicious operations, including making the victim’s computer slower, more unstable, block access to the victim’s files, and cause browser redirects. However, the main way in which Windows Protection Unit convinces its victims that their computer is under attack is using a large number of fake error messages and alarming security notifications that appear to come from Windows itself.

Once the victim has fallen for the scam, Windows Protection Unit will claim that the problems can only be fixed if the innocent PC user is willing to purchase a “full version” of Windows Protection Unit. Needless to say, since Windows Protection Unit is the one responsible for the problems on the victim’s computer, paying for this bogus security program is definitely not a good idea.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Protection Unit?

Download SpyHunter’s Detection Scanner
to Detect Windows Protection Unit.

Can’t install SpyHunter? Click here to view possible causes of installation issues.

Windows Protection Unit Technical Report

As new Windows Protection Unit details are reported by our customers and findings from our Threat Research Center, we will update this section.

Fake message for Windows Protection Unit:

The following fake error message(s) appears for Windows Protection Unit:

Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.

Error
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.

Warning
Firewall has blocked a program from accessing the Internet.
Windows Media Player Resources
C:Windowssystem32dllcachewmploc.dll
C:Windowssystem32dllcachewmploc.dll is suspected to have infected your PC. This type of virus

intercepts entered data and transmits them to a remote server.

‘How Windows Protection Unit Infects Your Computer’ Video

Windows Protection Unit Removal Details

Windows Protection Unit has typically the following processes in memory:

  • %AppData%\NPSWF32.dll
  • %AppData%\Protector-[RANDOM CHARACTERS].exe

Windows Protection Unit creates the following files in the system:

  • %AppData%\result.db
  • %Desktop%\Windows Protection Unit.lnk
  • %CommonStartMenu%\Programs\Windows Protection Unit.lnk

Windows Protection Unit creates the following registry entries:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wIndows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-4-7_2″
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
  • “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetlnfo.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “ahwohainwk”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe

Important Article Disclaimer

ESG Support Center

This entry was last updated on 04/16/12 and posted on 04/16/12. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.
« Windows Crucial Scanner
TabQuery.com »

Leave a Comment

Note: Abusive comments are not allowed. Please do not post comments regarding technical support issues. ESG customers that have issues with SpyHunter should open a customer support ticket.

*
To prove you're a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.
Click to hear an audio file of the anti-spam word

Popular Malware

Popular Trojans

Recent Malware

Home | SpyHunter Risk Assessment Model | Privacy Policy | End User License Agreement | Additional Terms and Conditions
Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.