Windows Protection Unit

Threat Scorecard

Ranking: 3,922
Threat Level: 20 % (Normal)
Infected Computers: 9,108
First Seen: April 16, 2012
Last Seen: September 20, 2023
OS(es) Affected: Windows


The year 2012 marked a resurgence in the rogue security application scam. While these kinds of fake security programs were never really gone, security software had become much more effective at detecting and neutralizing these threats. The reason for this is that the largest families of rogue security programs, like the WinWebSec or FakeVimes families, have been active since 2009, giving PC security analysts ample time to learn all they need to know in order to remove these threats quickly. However, the FakeVimes family is making a comeback. While it seems that the rogue anti-virus programs themselves are no different from previous versions of this malware family, this recent batch includes a nasty ZeroAccess rootkit infection, which makes removal of the rogue anti-virus program much more difficult.

Windows Protection Unit, along with other fake security programs, is one of the many versions in this newer iteration of the FakeVimes family of malware. Among its many clones are Virus Melt, Presto TuneUp, Fast Antivirus 2009, Extra Antivirus, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, PC Live Guard, Live PC Care, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus, Smart Security, Windows Protection Suite, Windows Work Catalyst. If you detect that Windows Protection Unit is installed on your computer system, our team of malware researchers strongly advises using a reliable anti-malware program, or a specialized anti-rootkit tool, to remove Windows Protection Unit and its associated rootkit from your hard drive.

Windows Protection Unit’s Scam is No Different from Previous Rogue Anti-virus Programs

Even though Windows Protection Unit contains an added rootkit component, the scam it carries out is basically unchanged since 2009. Windows Protection Unit attempts to make its victim believe that Windows Protection Unit is a real security program and that the victim's computer has become infected with viruses and Trojans. To do this, Windows Protection Unit can carry out several malicious operations, including making the victim's computer slower and more unstable, blocking access to the victim's files, and causing browser redirects. However, the main way in which Windows Protection Unit convinces its victims that their computer is under attack is by using a large number of fake error messages and alarming security notifications that appear to come from Windows itself.

Once the victim has fallen for the scam, Windows Protection Unit will claim that the problems can only be fixed if the innocent PC user is willing to purchase a "full version" of Windows Protection Unit. Needless to say, since Windows Protection Unit is the one responsible for the problems on the victim's computer, paying for this bogus security program is definitely not a good idea.


File System Details

Windows Protection Unit may create the following file(s):
# File Name Detections
1. %AppData%\NPSWF32.dll
2. %AppData%\Protector-[RANDOM CHARACTERS].exe
3. %AppData%\result.db
4. %Desktop%\Windows Protection Unit.lnk
5. %CommonStartMenu%\Programs\Windows Protection Unit.lnk

Registry Details

Windows Protection Unit may create the following registry entry or registry entries:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bidef.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\wIndows NT\CurrentVersion\Image File Execution Options\aswRunDll.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aswUpdSv.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-4-7_2"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "EnableLUA" = 0
"WarnOnHTTPSToHTTPRedirect" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\winupdate.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dvp95.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\inetlnfo.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\atcon.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "ahwohainwk"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorAdmin" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rtvscn95.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tds-3.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system "ConsentPromptBehaviorUser" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ozn695m5.exe
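
One way to triage a machine for the registry entries listed above is to scan a registry export offline. The following is an added example, not code from the original page: the function name, the sample export, `benign-example.exe` and the placeholder path are constructed, and the input is assumed to be `.reg` export text already decoded to a string (real exports are usually UTF-16).

```python
import re

# Indicators copied from this page's registry list, lower-cased for comparison.
HKLM = r"hkey_local_machine\software\microsoft"
IFEO = HKLM + r"\windows nt\currentversion\image file execution options"
POLICY = HKLM + r"\windows\currentversion\policies\system"
RUN = r"hkey_current_user\software\microsoft\windows\currentversion\run"
IFEO_TARGETS = {
    "bidef.exe", "aswrundll.exe", "aswupdsv.exe", "winupdate.exe", "dvp95.exe",
    "inetlnfo.exe", "atcon.exe", "rtvscn95.exe", "tds-3.exe", "msascui.exe",
    "advxdwin.exe", "ozn695m5.exe",
}
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "consentpromptbehavioruser"}

# Constructed sample in .reg export syntax (not taken from a real infection).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\benign-example.exe]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
"ConsentPromptBehaviorAdmin"=dword:00000005

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Inspector"="C:\\constructed\\placeholder.exe"
'''


def find_indicators(text):
    """Return sorted (category, key, detail) tuples for indicators from this page."""
    hits, key = set(), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]  # section header: remember the current key
            parent, _, leaf = key.lower().rpartition("\\")
            if parent == IFEO and leaf in IFEO_TARGETS:
                hits.add(("ifeo-key", key, leaf))
            continue
        m = re.match(r'"([^"]+)"=(.*)$', line)
        if not (key and m):
            continue
        name, data = m.group(1), m.group(2)
        if key.lower() == POLICY and name.lower() in UAC_VALUES and data == "dword:00000000":
            hits.add(("uac-disabled", key, name))
        elif key.lower() == RUN and name.lower() == "inspector":
            hits.add(("run-entry", key, name))
    return sorted(hits)
```

A hit is a lead for review rather than proof of infection, since administrators can also set values such as `EnableLUA` to 0.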


Windows Protection Unit may call the following URLs:


The following messages associated with Windows Protection Unit were found:

Keylogger activity detected. System information security is at risk.
It is recommended to activate protection and run a full system scan.
Software without a digital signature detected.
Your system files are at risk. We strongly advise you to activate your protection.
Firewall has blocked a program from accessing the Internet.
Windows Media Player Resources
C:\Windows\system32\dllcache\wmploc.dll is suspected to have infected your PC. This type of virus intercepts entered data and transmits them to a remote server.

