Windows Prime Shield

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 6
First Seen: January 14, 2014
Last Seen: May 5, 2019
OS(es) Affected: Windows

Windows Prime Shield is one of the many rogue security programs in the FakeVimes family. FakeVimes rogue security programs tend to be among the most common forms of active rogue security software. Programs like Windows Prime Shield have the external appearance of legitimate anti-virus programs but do not have the capacity to detect or remove threats. In fact, programs like Windows Prime Shield are considered threats themselves and should be removed immediately.

Windows Prime Shield Uses Old Tactics to Entice Novice PC Users

Windows Prime Shield may enter a computer using typical threat delivery methods. For example, Windows Prime Shield may be installed by a Trojan infection, through social engineering methods or through attack websites containing threatening exploit kits. The main purpose of Windows Prime Shield is to present as much 'evidence' as it can that the target computer is severely infected with various threats. Windows Prime Shield pretends to be a 'trial version' of a legitimate anti-virus program. Windows Prime Shield displays fake virus scans and irritating pop-up error messages claiming that the victim's computer is severely infected. Whenever computer users try to use Windows Prime Shield to fix these supposed problems, additional error messages appear, claiming that it is necessary to pay for a 'full version' of Windows Prime Shield, usually by using Ukash or other online payment services.

Members of the FakeVimes family use the same tactic to try to induce PC users to purchase their useless products. Among its clones are Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst.

What Trouble Can Windows Prime Shield Bring to the PC It Invades?

There are numerous problems associated with Windows Prime Shield, including the following:

  • Windows Prime Shield makes harmful changes to your computer's settings that make it more vulnerable to threats and cause various performance issues.
  • Windows Prime Shield prevents you from accessing your software or files, displaying bogus error messages whenever you try to do so.
  • Windows Prime Shield displays numerous irritating pop-up windows and fraudulent system alerts so you will be convinced that your computer is infected with threats.
  • Windows Prime Shield may interfere with your Web browser, causing redirects to websites linked to Windows Prime Shield or completely preventing you from opening your Web browser at all.
  • Windows Prime Shield will interfere with legitimate security software as a way of protecting itself from removal.

File System Details

Windows Prime Shield may create the following file(s):
#  File Name
1. %AppData%\svc-[RANDOM CHARACTERS].exe
2. %UserProfile%\Desktop\Windows Prime Shield.lnk
3. %AllUsersProfile%\Start Menu\Programs\Windows Prime Shield.lnk
4. %AppData%\result1.db

Registry Details

Windows Prime Shield may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bckd "ImagePath" = "123123.sys"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations "LowRiskFileTypes" = ".zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments "SaveZoneInformation" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon "Shell" = "%AppData%\safe-[RANDOM].exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableVirtualization" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\k9filter.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "GuardSoftware" = "%AppData%\svc-lefx.exe"
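
The registry entries listed above can be checked offline against a `reg export` dump of a suspect machine. The following Python code is an added example, not part of the original entry; the function names, finding labels and the sample export are constructed for illustration.

```python
import re
# Indicators copied from the registry list above; matching is case-insensitive.
IFEO = r"\image file execution options" + "\\"
IFEO_TARGETS = {"mpcmdrun.exe", "k9filter.exe", "mpuxsrv.exe", "msseces.exe",
                "msconfig.exe", "msascui.exe", "msmpeng.exe"}
POLICY = r"\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin",
              "consentpromptbehavioruser", "enablevirtualization"}
DROPPED = re.compile(r"\\(svc|safe)-[^\\]+\.exe$")  # svc-/safe- names from the page

def parse_reg(text):
    """Yield (key, value_name, raw_data); value_name is None for the key line itself."""
    key = None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            yield key, None, None
        elif key and m:
            yield key, m.group(1), m.group(2)

def findings(text):
    hits = []
    for key, name, data in parse_reg(text):
        k = key.lower()
        if name is None:
            if IFEO in k and k.rsplit("\\", 1)[1] in IFEO_TARGETS:
                hits.append(("ifeo-entry", key))  # key exists; contents need review
            continue
        n = name.lower()
        val = data.strip('"').replace("\\\\", "\\").lower()  # undo .reg escaping
        if k.endswith(POLICY) and n in UAC_VALUES and data == "dword:00000000":
            hits.append(("uac-policy-zeroed", name))
        elif k.startswith("hkey_current_user") and k.endswith(r"\winlogon") and n == "shell":
            hits.append(("per-user-shell", val))
        elif k.endswith(r"\currentversion\run") and DROPPED.search(val):
            hits.append(("run-key", val))
        elif n == "lowriskfiletypes" and ".exe;" in val:
            hits.append(("exe-low-risk", name))
    return hits

# Constructed sample export, not taken from an infected machine.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"GuardSoftware"="C:\\Users\\a\\AppData\\Roaming\\svc-lefx.exe"
"OneDrive"="C:\\Program Files\\OneDrive\\OneDrive.exe"
"""
```

`findings(SAMPLE)` returns one hit each for the zeroed UAC policy value, the Image File Execution Options key and the `svc-` Run entry, and skips the unrelated Run value.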


The following messages associated with Windows Prime Shield were found:

There's a suspicious software running on your PC. For more details, run a system file check.
Trojan activity detected. System data security is at risk. It is recommended to activate protection and run a fully system scan.
Firewall has blocked a program from accessing the Internet

Windows NT Logon Application
C:\Windows\system32\winlogon.exe is suspected to have infected your PC.
This type of virus intercepts entered data and transmits them to a remote server.

