Windows Premium Guard

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 2
First Seen: April 26, 2012
OS(es) Affected: Windows

Windows Premium Guard has the appearance of a real security program, but do not be fooled: Windows Premium Guard's interface is just for show. According to ESG security analysts, Windows Premium Guard has no way of fixing a malware infection and is actually a kind of malware itself. Specifically, Windows Premium Guard belongs to a category of malware known as rogue security programs. These are misleading applications that attempt to convince computer users to buy bogus anti-virus software by staging a fake infection on the victim's computer system.

Windows Premium Guard is part of the FakeVimes family of rogue security software. This is a large family of malware that has been infecting PCs around the world since 2009. Windows Premium Guard belongs to a batch of FakeVimes clones that made its appearance in 2012. Examples of malware belonging to this specific group include Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst. The characteristic that sets apart this recent batch of FakeVimes malware from previous clones in this malware family is the fact that they tend to be bundled with a nasty rootkit component, often some variant of the ZeroAccess rootkit.

An Overview of the Windows Premium Guard Scam

The main way in which criminals profit from fake security software is by making PC users buy a license of the bogus security application. Computer users are attacked with a variety of misleading security alerts and alarming error messages claiming that the victim's computer is severely infected. Windows Premium Guard then poses as a real security program, but claims that these nonexistent viruses can only be removed with Windows Premium Guard's "full version." Windows Premium Guard also displays a fake system scan and deliberately causes a variety of problems on the victim's computer, such as decreasing system performance and causing browser redirects.

Paying for Windows Premium Guard is not only a waste of money; it also exposes you to identity theft and the compromise of your personal information. ESG malware researchers have detected no actual anti-malware capabilities in the Windows Premium Guard program. You can fool Windows Premium Guard by entering the registration code 0W000-000B0-00T00-E0020 so that Windows Premium Guard will stop displaying its bothersome error messages. However, this will not delete the Windows Premium Guard infection from your computer. To do that, it is necessary to use a reliable anti-malware program with anti-rootkit capabilities.

File System Details

Windows Premium Guard may create the following file(s):
| # | File Name | MD5 | Detections |
|---|-----------|-----|------------|
| 1 | Protector-xfac.exe | d37032237c1ab112dd11583fe2a8dc0a | 1 |
| 2 | Protector-mnlu.exe | ff3cb8c27cb3c89247fa0ef55f661dec | 1 |
| 3 | %AppData%\Protector-.exe | | |
| 4 | %AppData%\NPSWF32.dll | | |
| 5 | %AppData%\result.db | | |
| 6 | %Desktop%\Windows Premium Guard.lnk | | |
| 7 | %CommonStartMenu%\Programs\Windows Premium Guard.lnk | | |

Registry Details

Windows Premium Guard may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\oaui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rcsync.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system32.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "uqcphfxlsq"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
"WarnOnHTTPSToHTTPRedirect" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashSimp2.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-4-25_4"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininetd.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fp-win_trial.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bargains.exe
HKEY_CURRENT_USER\Software\ASProtect
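
The registry entries listed above can be checked against an exported registry file during triage. The following Python sketch is an added example, not part of the original write-up or of any vendor tool: it parses `.reg` export text and reports entries that match the keys and values on this page. The function names and the sample export are constructed for illustration, and `WarnOnHTTPSToHTTPRedirect` is left out because the list does not give its key.

```python
import re
# Indicators copied from the registry list on this page, lower-cased for matching.
IFEO = r"hkey_local_machine\software\microsoft\windows nt\currentversion\image file execution options"
IFEO_NAMES = {"oaui.exe", "rcsync.exe", "system32.exe", "ashsimp2.exe",
              "monitor.exe", "wininetd.exe", "fp-win_trial.exe", "bargains.exe"}
HKCU = r"hkey_current_user\software\microsoft\windows\currentversion"
HKLM_POL = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\system"
VALUES = {(HKCU + r"\run", "inspector"): None,  # None = the page lists no data, match any
          (HKCU + r"\settings", "uid"): "uqcphfxlsq",
          (HKCU + r"\settings", "net"): "2012-4-25_4"}
VALUES.update({(HKCU + r"\policies\system", n): 0
               for n in ("disableregedit", "disabletaskmgr", "disableregistrytools")})
VALUES.update({(HKLM_POL, n): 0 for n in ("consentpromptbehavioruser", "consentpromptbehavioradmin")})

def parse_reg(text):
    """Yield (key, value_name, data) from .reg export text; value_name is None for a key header."""
    key = None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and (m := re.match(r'"([^"]*)"=(.*)$', line)):
            raw = m.group(2)
            data = int(raw[6:], 16) if raw.startswith("dword:") else raw.strip('"')
            yield key, m.group(1), data

def scan(text):
    """Return (kind, path) for every entry in the export that matches a listed indicator."""
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            parent, _, leaf = k.rpartition("\\")
            if (parent == IFEO and leaf in IFEO_NAMES) or k == r"hkey_current_user\software\asprotect":
                hits.append(("key", key))
        elif (k, name.lower()) in VALUES and VALUES[(k, name.lower())] in (None, data):
            hits.append(("value", key + "\\" + name))
    return hits

# Constructed sample export: three listed indicators mixed with unrelated entries.
SAMPLE = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\Users\\alice\\AppData\\Roaming\\constructed.exe"
"Updater"="C:\\Program Files\\Example\\updater.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\monitor.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"ConsentPromptBehaviorAdmin"=dword:00000000'''
```

Matching is exact on the value data the page lists, so a hit is a lead for closer inspection of the host rather than a verdict.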

Messages

The following messages associated with Windows Premium Guard were found:

Error
Attempt to modify Registry key entries detected.
Registry entry analysis recommended.
Error
Keylogger activity detected. System information security is at risk. It is recommended to activate protection and run a full system scan.
Error
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.
Warning
Firewall has blocked a program from accessing the Internet
C:\program files\internet explorer\iexplore.exe
is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.
Warning! Identity theft attempt Detected
Warning! Spambot detected!
Attention! A spambot sending viruses from your e-mail has been detected on your PC.
