Ranking: 15,846
Threat Level: 20 % (Normal)
Infected Computers: 6
First Seen: July 13, 2012
Last Seen: May 6, 2024
OS(es) Affected: Windows

Windows Premium Defender is one of the many fake security applications in the infamous FakeVimes family. This family of malware, active since 2009, has been especially active in 2012 due to the addition of a dangerous rootkit component to the WinPC Defender bogus security applications. This rootkit is a variant in the Sirefef family of rootkits. While FakeVimes malware released before 2012 was not particularly difficult to remove, the addition of this rootkit component makes Windows Premium Defender and its many clones considerably more difficult to remove than before. Dealing with a Windows Premium Defender infection will typically require the use of a reliable anti-malware application with anti-rootkit capabilities, or the use of a specialized anti-rootkit tool.

Examples of clones of Windows Premium Defender include WinPC Defender, SystemDefender, IE Defender, XPdefender, WinDefender2008, PC Privacy Defender, Malware Defender 2009, Smart Defender Pro, Ultimate Defender, Advanced XP Defender and Security Defender Pro 2015.

Most Windows Premium Defender infections will be the result of a social engineering attack – that is, criminals will use deception to convince victims to download either Windows Premium Defender or a downloader or dropper Trojan. Some ways in which this can happen include the following:

  1. Windows Premium Defender may be advertised on unsafe websites, often offering a free scan of your computer system in order to protect it from malware. However, these kinds of advertisements will actually use exploits to install Windows Premium Defender directly or they will claim that your computer system is severely infected so that you will download Windows Premium Defender yourself.
  2. Another common way criminals deliver Windows Premium Defender and similar fake security programs is through spam email campaigns. Typically, criminals will send out a misleading email message containing an email attachment disguised as a harmless text or image file. However, this attachment will usually contain a Trojan dropper or downloader that can then be utilized to set up Windows Premium Defender.
  3. The kinds of Trojans mentioned above are also commonly disguised as fake video codecs required to view pornographic videos on unsafe websites. After opening the fake video, the victim will receive an error message claiming that it is necessary to download a video codec. However, this supposed codec will actually be a Trojan that can then download and install Windows Premium Defender on the infected computer system.

The main purpose of Windows Premium Defender is to talk its victims into believing that their machines are badly infected with malware. ESG security researchers advise ignoring all notifications that Windows Premium Defender displays and instead using a strong anti-malware program to take care of this pest.


15 security vendors flagged this file as malicious.

Panda: Generic Malware
Fortinet: W32/Kryptik.AIK!tr
Ikarus: Trojan-Dropper.Win32.Dapato
Microsoft: Rogue:Win32/FakePAV
Comodo: ApplicUnwnt.Win32.AdWare.WintionalityChecker.AK
Sophos: Troj/FakeAV-FVC
K7AntiVirus: Trojan
CAT-QuickHeal: Trojan.FakeAV.nncj
Panda: Trj/CI.A
Fortinet: W32/FakeAV.NNCJ!tr
Ikarus: Trojan.Win32.Tibs
AhnLab-V3: Trojan/Win32.FakeAV
Microsoft: Trojan:Win32/Tibs
McAfee-GW-Edition: Artemis!5599B8B756F8

Windows Premium Defender may create the following file(s):
# File Name MD5 Detections
1. Windows Premium Defender.exe 5599b8b756f8ec3a6cc0f6d94bd3be44 3
2. %AppData%\Protector-[RANDOM 4 CHARACTERS].exe
3. %AppData%\Protector-[RANDOM 3 CHARACTERS].exe
4. %AppData%\NPSWF32.dll
5. %AppData%\1st$0l3th1s.cnf
6. %AppData%\result.db

Windows Premium Defender may create the following registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "cwhstknlsh"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cssurf.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Quick Heal.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvarch16.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-7-13_7"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AntivirusPlus.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wyvernworksfirewall.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcvsrte.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\homeav2010.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\win-bugsfix.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sweep95.exe
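As an added example (not code from the page or its vendor), the following Python scans the text of a `reg export` for the artifacts listed above: the UAC policy values under Policies\System set to 0, Image File Execution Options keys named after security tools, and a Run entry pointing at %AppData%\Protector-XXXX.exe. The sample export and the Protector file path in it are constructed, not a real capture.

```python
# Added example (not the page's code): flag Windows Premium Defender registry
# artifacts listed above in a .reg export. Sample data below is constructed.
import re

# Registry paths are case-insensitive, so everything is compared in lower case.
POLICY_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "consentpromptbehavioruser"}
IFEO_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
IFEO_TARGETS = {"cssurf.exe", "avpupd.exe", "quick heal.exe", "nvarch16.exe", "antivirusplus.exe",
                "wyvernworksfirewall.exe", "mcvsrte.exe", "homeav2010.exe", "win-bugsfix.exe", "sweep95.exe"}
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
PROTECTOR_RE = re.compile(r"protector-[a-z0-9]{3,4}\.exe", re.I)  # %AppData%\Protector-XXXX.exe

def parse_reg_export(text):
    """Return {key: {value_name: data}}; keys exported without values map to {}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip()
    return keys

def find_indicators(text):
    """Return findings: UAC policy values zeroed, IFEO keys naming security tools, Protector Run entry."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k == POLICY_KEY:
            findings += [f"UAC weakened: {n} = 0" for n, d in values.items()
                         if n.lower() in UAC_VALUES and d.lower() == "dword:00000000"]
        elif k.startswith(IFEO_KEY + "\\"):
            target = k[len(IFEO_KEY) + 1:]
            if target in IFEO_TARGETS:
                findings.append(f"IFEO key targets security tool: {target}")
        elif k == RUN_KEY:
            findings += [f"Run persistence: {n} = {d}" for n, d in values.items() if PROTECTOR_RE.search(d)]
    return findings

# Constructed sample export; notepad.exe is a benign IFEO key that must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avpupd.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\user\\AppData\\Roaming\\Protector-abcd.exe"
"""
```

Running `find_indicators(SAMPLE_REG)` on the constructed export yields four findings; an IFEO key is only reported when its subkey name matches one of the listed security-tool executables.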


The following messages associated with Windows Premium Defender were found:

Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.
Torrent Alert
Recommended: Please use secure encrypted protocol for torrent links.
Torrent link detected!
Receiving this notifications means that you have violated the copyright laws. Using Torrent for downloading movies and licensed software shall be prosecuted and you may be sued for cybercrime and breach of law under the SOPA legislation.
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

