Windows Protection Unit Description
The year 2012 marked a resurgence in the rogue security application scam. While these kinds of fake security programs were never really gone, security software had become much more effective at detecting and neutralizing them. The reason for this is that the largest families of rogue security programs, such as the VirusDoctor and FakeVimes families, have been active since 2009, giving PC security analysts ample time to learn everything they need to remove these threats quickly. However, the FakeVimes family is making a comeback. While the rogue anti-virus programs themselves appear no different from previous versions of this malware family, this recent batch is bundled with a ZeroAccess rootkit infection, which makes removal of the rogue anti-virus program much more difficult.
Windows Protection Unit, along with other fake security programs such as Windows Crucial Scanner, Windows Foolproof Protector and Windows Cleaning Tools, is one of the many variants of this newer iteration of the FakeVimes family. If you detect that Windows Protection Unit is installed on your computer, our team of malware researchers strongly advises using a reliable anti-malware program, or a specialized anti-rootkit tool, to remove Windows Protection Unit and its associated rootkit from your hard drive.
Windows Protection Unit’s Scam is No Different from Previous Rogue Anti-virus Programs
Even though Windows Protection Unit carries an added rootkit component, the scam it runs is basically unchanged since 2009. Windows Protection Unit attempts to make its victim believe that it is a real security program and that the victim’s computer has become infected with viruses and Trojans. To do this, Windows Protection Unit can carry out several malicious operations, including making the victim’s computer slower and more unstable, blocking access to the victim’s files, and causing browser redirects. However, the main way in which Windows Protection Unit convinces its victims that their computer is under attack is through a large number of fake error messages and alarming security notifications that appear to come from Windows itself.
Once the victim has fallen for the scam, Windows Protection Unit will claim that the problems can only be fixed if the innocent PC user is willing to purchase a “full version” of Windows Protection Unit. Needless to say, since Windows Protection Unit is the one responsible for the problems on the victim’s computer, paying for this bogus security program is definitely not a good idea.
Type: Rogue AntiSpyware Programs
Windows Protection Unit Technical Report
As new Windows Protection Unit details are reported by our customers and findings from our Threat Research Center, we will update this section.
The following fake error messages appear for Windows Protection Unit:
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.
Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.
Firewall has blocked a program from accessing the Internet.
Windows Media Player Resources
C:\Windows\system32\dllcache\wmploc.dll is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
Windows Protection Unit Removal Details
Windows Protection Unit typically has the following processes in memory:
- %AppData%\Protector-[RANDOM CHARACTERS].exe
Windows Protection Unit creates the following files in the system:
- %Desktop%\Windows Protection Unit.lnk
- %CommonStartMenu%\Programs\Windows Protection Unit.lnk
Windows Protection Unit creates the following registry entries (the Image File Execution Options keys are named after the executables of security tools, so that launching those tools can be intercepted, and the policy values under HKEY_LOCAL_MACHINE turn off UAC prompting):
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetlnfo.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-4-7_2”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “ahwohainwk”
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
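The following read-only PowerShell triage script is an added example, not code from the original page or from SpyHunter; it checks a machine for the file, shortcut and registry artifacts listed above and reports which are present. It assumes it is run from an elevated prompt and, for the Image File Execution Options keys, that a hijack would set a Debugger value (the page lists only the key names).

```powershell
# Added example: report which Windows Protection Unit artifacts from the list above exist.
$ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$hijackedTools = @('bidef.exe','aswRunDll.exe','aswUpdSv.exe','winupdate.exe','dvp95.exe',
                   'inetlnfo.exe','atcon.exe','rtvscn95.exe','tds-3.exe','MSASCui.exe',
                   'advxdwin.exe','ozn695m5.exe')
$findings = @()

# 1. Dropped executable in %AppData% and the two shortcuts
Get-ChildItem -Path $env:APPDATA -Filter 'Protector-*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Dropper present: $($_.FullName)" }
$shortcuts = @("$([Environment]::GetFolderPath('Desktop'))\Windows Protection Unit.lnk",
               "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Protection Unit.lnk")
foreach ($lnk in $shortcuts) {
    if (Test-Path -LiteralPath $lnk) { $findings += "Shortcut present: $lnk" }
}

# 2. IFEO keys named after security-tool executables (assumption: a Debugger value redirects the tool)
foreach ($tool in $hijackedTools) {
    $key = Join-Path $ifeoBase $tool
    if (Test-Path -LiteralPath $key) {
        $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
        $findings += "IFEO key for ${tool}: Debugger='$dbg'"
    }
}

# 3. UAC policy values forced to 0, as listed above
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -LiteralPath $policyKey -ErrorAction SilentlyContinue
foreach ($name in 'EnableLUA','ConsentPromptBehaviorAdmin','ConsentPromptBehaviorUser') {
    if ($pol.$name -eq 0) { $findings += "$name is 0 (UAC prompting changed)" }
}

# 4. Run-key persistence and the rogue's own Settings values
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run.Inspector) { $findings += "Run entry 'Inspector' -> $($run.Inspector)" }
$settings = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings' -ErrorAction SilentlyContinue
if ($settings.UID -or $settings.net) { $findings += "Rogue Settings key: UID='$($settings.UID)' net='$($settings.net)'" }

if ($findings.Count -eq 0) { 'No Windows Protection Unit indicators found.' } else { $findings }
```

The script only reads; removal of the rogue and its rootkit is left to the anti-malware tool, as the page advises, since the ZeroAccess component can restore deleted artifacts.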