Threat Database Rogue Anti-Spyware Program Windows ProSecurity Scanner

Windows ProSecurity Scanner

Threat Scorecard

Threat Level: 100 % (High)
Infected Computers: 4
First Seen: May 8, 2012
OS(es) Affected: Windows

Windows ProSecurity Scanner Image

The FakeVimes family of malware has been a thorn in the sides of PC security researchers since 2009. This family of malicious bogus security programs is constantly updated, with new versions being uncovered in the wild at a staggering rate. Windows ProSecurity Scanner is one of the many clones of malware in the FakeVimes family and Windows ProSecurity Scanner belongs to a particularly vicious batch of FakeVimes clones released in 2012. These work in the same way as their predecessors, but tend to include a dangerous rootkit component that makes them very difficult to remove.

Other examples of rogue security programs in the FakeVimes family include Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst. Despite their different names, these are all essentially the same program, carrying out the same attack and using identical interfaces in each case.

An Overview of the Windows ProSecurity Scanner Scam

The Windows ProSecurity Scanner scam has not evolved much since the FakeVimes family of malware first started attacking computer systems in 2009. Basically, Windows ProSecurity Scanner will try to convince the victim that their computer system is severely infected with malware. Among the ways in which Windows ProSecurity Scanner tries to do this include displaying a uncountable amount of alarming error messages and pop-up notifications from the Task Bar, causing browser redirects, blocking access to security software, and making the infected computer system become unresponsive and unstable. When the victim launches Windows, Windows ProSecurity Scanner starts up automatically, displaying a fake system scan which will invariably display alarming results. However, trying to fix these supposed malware infections with Windows ProSecurity Scanner will result in an error message claiming that a 'full version' of Windows ProSecurity Scanner is needed to fix the selected problems. Of course, since Windows ProSecurity Scanner has no actual anti-malware capabilities and is actually part of a multi-component malware attack itself, ESG security analysts strongly advise against paying for this useless program.

Removing the Windows ProSecurity Scanner Intruder from Your Computer System

While removing Windows ProSecurity Scanner manually is possible, Windows ProSecurity Scanner will often be accompanied with a number of other malware programs and malicious files. Because of this, full manual removal can be impractical and ineffective. Instead, ESG security researchers strongly advise using a reliable anti-spyware application to remove Windows ProSecurity Scanner automatically. It is important to ensure that this program has an anti-rootkit component. You can stop Windows ProSecurity Scanner from displaying fake error messages with the registration code 0W000-000B0-00T00-E0020. While this will not remove Windows ProSecurity Scanner, it can stop its most annoying symptoms until you can remove this threat with a reliable anti-malware application.

SpyHunter Detects & Remove Windows ProSecurity Scanner

Windows ProSecurity Scanner Video

Tip: Turn your sound ON and watch the video in Full Screen mode.

File System Details

Windows ProSecurity Scanner may create the following file(s):
# File Name MD5 Detections
1. Protector-pffr.exe 97d95bc48ac13976ca23714f39b29982 3
2. Protector-krll.exe b1be655f2338357154b5e7421b3637dc 1
3. %AppData%\NPSWF32.dll
4. %AppData%\Protector-[RANDOM CHARACTERS].exe
5. %AppData%\result.db

Registry Details

Windows ProSecurity Scanner may create the following registry entry or registry entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Inspector %AppData%\Protector-[RANDOM CHARACTERS].exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorAdmin 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\UID [RANDOM CHARACTERS]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\net [date of installation]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ConsentPromptBehaviorUser 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE\Debugger svchost.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings\ID 4
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe\Debugger svchost.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVCare.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVENGINE.EXE


Most Viewed