Windows Active Defender

Windows Active Defender Description

Type: Rogue AntiSpyware Programs

ScreenshotA large number of fake security programs in the FakeVimes family are wreaking havoc on computer systems all around the world. Windows Active Defender is one of the many bogus security applications belonging to this recent batch of malware in the WinPC Defender family. Unlike previous versions of malware in this family, Windows Active Defender and its clones have been known to include malicious components that make them a considerable threat to an infected computer system.

Why Windows Active Defender is More Dangerous than Previous FakeVimes Malware

Since this family of malware has been around since 2009, most legitimate security programs have few problems removing a FakeVimes-related malware infection. However, Windows Active Defender and other fake security programs in this family released in 2012 will include a rootkit component that greatly interferes with removal. This rootkit component, a variant of the Sirefef or ZeroAccess family of rootkits will often require a specialized anti-rootkit tool or an advanced anti-malware program with anti-rootkit technology. Examples of malware in the FakeVimes family belonging to the same nasty batch as Windows Active Defender include fake security programs like WinPC Defender, SystemDefender, IE Defender, IE Defender, XPdefender, WinDefender2008, PC Privacy Defender, Malware Defender 2009, Smart Defender Pro, Ultimate Defender, Advanced XP Defender, Security Defender Pro 2015.

Protecting Yourself from the Windows Active Defender Scam

The rogue security software scam is one of the most common online scams and has been around for several years. Windows Active Defender carries out a typical version of this con. Basically, Windows Active Defender will claim that your computer is severely infected with malware. Windows Active Defender is disguised as a legitimate security program and, among its many tactics, Windows Active Defender will display fake system scans and a large number of error messages urging the victim to fix these nonexistent problems. However, if you try to fix any of these supposed infections on your computer system, Windows Active Defender will claim that you need to upgrade to an expensive 'full version' of this fake security application. Of course, since Windows Active Defender has absolutely no way of removing malware and is part of a malware attack itself, ESG security analysts definitely advise against paying for this bogus security program.

The registration code 0W000-000B0-00T00-E0020 has been proven effective as a way of stopping error messages and other symptoms associated with malware in the FakeVimes family of malware. However, this code will not remove a Windows Active Defender infection from your computer. To do that, you will still need to use a reliable anti-malware program.

Technical Information

Screenshots & Other Imagery

SpyHunter Detects & Remove Windows Active Defender

Windows Active Defender Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Windows Active Defender creates the following file(s):
# File Name MD5 Detection Count
1 Protector-wcsf.exe 6cbcda5f9b1954a1f35fd4bbdacaa9a4 1
2 %AppData%\Protector-[RANDOM CHARACTERS].exe N/A

Registry Details

Windows Active Defender creates the following registry entry or registry entries:
Registry key
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agent.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alogserv.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alevir.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\alertsvc.exe\"Debugger" = "svchost.exe"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector = %AppData%\Protector-[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentsvr.exe\"Debugger" = "svchost.exe"
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AlphaAV.exe\Debugger = svchost.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\agentw.exe\"Debugger" = "svchost.exe"

Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.

2 Comments

  • Ralph Jenson:

    Windows Active Defender would not let me use Internet Explorer. How do I restore internet access? Do I download this to a USB drive and then install? Will try that way and see what happens. Thanks for the info on this.

  • Sjzbchqkamfn:

    They took all my money from my credit card