Windows Secure Surfer

By Domesticus in Rogue Anti-Spyware Program

Windows Secure Surfer Description


Windows Secure Surfer will not help you surf the web more securely, and Windows Secure Surfer is not affiliated in any way with Microsoft or any legitimate security company. In fact, Windows Secure Surfer is a kind of malware infection itself, a category of malware known as rogue security programs. Windows Secure Surfer belongs to a particularly large family of rogue security software known as Rogue:FakeVimes. Malware in this family carries out a common online scam that has the objective of convincing inexperienced computer users that they need to purchase a useless fake security program.

While most reliable security programs can remove malware in the FakeVimes family, malware researchers have run into considerably more resilient infections in this family since early 2012. This is because the criminals behind Windows Secure Surfer and its clones have started bundling these fake security programs with the ZeroAccess rootkit, which makes removal considerably more difficult than normal. Known clones of Windows Secure Surfer include Windows Be-on-guard Edition, Windows ProSecure Scanner and Windows Trojans Inspector.

The Windows Secure Surfer scam is quite common and is nearly identical to the scam perpetrated by most rogue security programs. Basically, criminals use bogus security software to convince inexperienced computer users that their computer system is severely infected with malware. However, the real malware infection is the fake security program itself, along with its associated malware. Windows Secure Surfer will pretend to scan the victim’s computer system and, regardless of the state of the victim’s computer, Windows Secure Surfer will claim to have found a severe virus and Trojan infection. However, trying to fix this supposed infection with Windows Secure Surfer simply results in error messages claiming that the victim must purchase a ‘full version’ of Windows Secure Surfer to fix the selected problems. Of course, since Windows Secure Surfer is not a real security program, ESG malware analysts vigorously advocate against buying Windows Secure Surfer.

As part of its scam, Windows Secure Surfer can cause a number of problems in the infected computer system. These include poor system performance, browser redirects, and – the main symptom of a rogue security program infection – intrusive and misleading error messages. While a reliable anti-malware program with anti-rootkit technology is necessary to remove Windows Secure Surfer, you can temporarily stop its most annoying symptoms with the registration code 0W000-000B0-00T00-E0020.

Type: Rogue AntiSpyware Programs

How Can You Detect Windows Secure Surfer?

Windows Secure Surfer Technical Report

As new Windows Secure Surfer details are reported by our customers and findings from our Threat Research Center, we will update this section.

The following fake error messages appear for Windows Secure Surfer:

Warning
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

Error
Trojan activity detected. System data security is at risk. It is recommended to activate protection and run a full system scan.

Error
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.


Windows Secure Surfer Removal Details

Windows Secure Surfer typically has the following processes in memory:

  • %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
  • %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
  • %AppData%\NPSWF32.dll

Windows Secure Surfer creates the following files in the system:

  • %AppData%\result.db

Windows Secure Surfer creates the following registry entries:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “2012-5-13_4”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\padmin.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\vsched.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\gator.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\outpost.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prizesurfer.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MalwareRemoval.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorUser” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
  • HKEY_CURRENT_USER\Software\ASProtect
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\prmt.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avkwctl9.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\otfix.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “ConsentPromptBehaviorAdmin” = 0
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system “EnableLUA” = 0
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “hspbkebjqj”
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\normist.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\panixk.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\patch.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe
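
As an added example (this is not ESG's tooling and not part of the original report), the following read-only PowerShell triage script checks a host for the indicators listed above: the Image File Execution Options keys named after security tools, the policy and UAC values, the "Inspector" Run entry, the ASProtect key, the dropped files in %AppData% and any running Protector-* process. Two assumptions are made that the report does not state: the random part of the Protector file name is taken to be alphanumeric, and the script also reports a Debugger value under each IFEO key if one is present, since that is the value IFEO uses to redirect an executable.

```powershell
# Added example, not ESG's code: report Windows Secure Surfer indicators on this host.
# Run in an elevated PowerShell. Read-only: it reports, it does not remediate.

$ifeoBase = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
# Executable names the report lists under IFEO (names of security tools the rogue hijacks).
$ifeoTargets = 'padmin.exe','vsched.exe','gator.exe','outpost.exe','prizesurfer.exe',
               'MalwareRemoval.exe','prmt.exe','nod32.exe','avkwctl9.exe','cmdagent.exe',
               'otfix.exe','normist.exe','panixk.exe','AlphaAV.exe','patch.exe','ozn695m5.exe'

# Policy / settings values the report lists, with the value the rogue writes.
$valueChecks = @(
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools';       Bad = 0 },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';             Bad = 0 },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegedit';             Bad = 0 },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'; Name = 'WarnOnHTTPSToHTTPRedirect';  Bad = 0 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'EnableLUA';                  Bad = 0 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'ConsentPromptBehaviorAdmin'; Bad = 0 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'ConsentPromptBehaviorUser';  Bad = 0 }
)

$findings = New-Object System.Collections.Generic.List[string]

# 1. IFEO keys for the listed security-tool names. A Debugger value here (assumed, not
#    listed in the report) would redirect that tool to another program when launched.
foreach ($exe in $ifeoTargets) {
  $key = Join-Path $ifeoBase $exe
  if (Test-Path -LiteralPath $key) {
    $dbg = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).Debugger
    $findings.Add("IFEO key present: $exe" + $(if ($dbg) { " (Debugger = $dbg)" } else { '' }))
  }
}

# 2. Policy and UAC values set to what the report lists.
foreach ($c in $valueChecks) {
  $props = Get-ItemProperty -LiteralPath $c.Path -ErrorAction SilentlyContinue
  if ($null -ne $props -and $null -ne $props.($c.Name) -and $props.($c.Name) -eq $c.Bad) {
    $findings.Add("$($c.Path) $($c.Name) = $($c.Bad)")
  }
}

# 3. Run-key persistence named "Inspector" and the ASProtect key.
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['Inspector']) { $findings.Add("Run entry Inspector -> $($run.Inspector)") }
if (Test-Path -LiteralPath 'HKCU:\Software\ASProtect') { $findings.Add('HKCU\Software\ASProtect present') }

# 4. Dropped files in %AppData%: Protector-<3 or 4 random chars>.exe (alphanumeric assumed),
#    NPSWF32.dll and result.db.
Get-ChildItem -LiteralPath $env:APPDATA -File -ErrorAction SilentlyContinue |
  Where-Object { $_.Name -match '^Protector-[A-Za-z0-9]{3,4}\.exe$' -or $_.Name -in 'NPSWF32.dll','result.db' } |
  ForEach-Object { $findings.Add("File: $($_.FullName)") }

# 5. A matching Protector-* process currently running (ProcessName carries no .exe suffix).
Get-Process -ErrorAction SilentlyContinue |
  Where-Object { $_.ProcessName -match '^Protector-[A-Za-z0-9]{3,4}$' } |
  ForEach-Object { $findings.Add("Process: $($_.ProcessName) (PID $($_.Id))") }

if ($findings.Count -eq 0) { 'No Windows Secure Surfer indicators found.' }
else { 'Indicators found:'; $findings | ForEach-Object { " - $_" } }
```

When reading the output, weight the indicators differently: DisableRegistryTools, DisableTaskMgr and DisableRegedit set to 0 is the normal state of a Windows machine, so those hits only corroborate. IFEO keys named after anti-virus and anti-malware executables, EnableLUA = 0 (UAC switched off) and a Protector-* binary running from %AppData% are the strong signals. Because the report notes that this family is bundled with the ZeroAccess rootkit, a positive result is a reason to run a full anti-rootkit-capable scan rather than to delete the listed files by hand.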


This entry was last updated on 05/13/12 and posted on 05/13/12.

Copyright 2003-2012. Enigma Software Group USA, LLC. All Rights Reserved.