Windows 8 and 8.1 Forums


New Variant of "FAKE" Security Essentials to be aware of!

  1. #1


    Posts : 738
    1st W10 Professional x64/W7 Ultimate x64 - 2nd Remote system: W10 Insider Builds/W7 Professional

    New Variant of "FAKE" Security Essentials to be aware of!


    Some of you may remember the 2010 version of the fake Microsoft Security Essentials. Now the previously known "protector.exe" trojan dropper, which saw the fake SE or Windows Doctor scamware placed on your system, has a new cousin with a totally new Aero-styled twist to watch out for!

    This latest malware will easily slip past any effective web guard as well as just about any AV program! The user will unwittingly expose themselves to this through whatever form disguises it to begin with.

    The now so-called "protector-xfg.exe" trojan dropper downloads several trojans along with a fake "Security Essentials - Windows Defender". Note that when trying to bring up Task Manager to find out which process is new and end it, you will find the SE along with a "Windows Process Manager", which basically takes over Task Manager entirely, preventing you from disabling the scamware as well as the protector-xfg.exe trojan dropper.

    Removal of the main exe file is basic: boot into safe mode and manually delete the file found under the user account sub folders once you have opened the file location. Here on one infected 7 laptop the protector-xfg.exe bug was first moved into a temp folder out of the user account, while still active, prior to the reboot into safe mode.

    With the VIPRE AV Home Premium version of that software installed, and having removed several trojans already, the fake SE still continued to indicate they were present risks. The obvious design of the malware was to point to already-known bugs in order to get people to buy the fake SE!

    Unfortunately the laptop needed charging the first time it was looked at; the follow-up scan by VIPRE, however, revealed the quarantined and then removed trojans as well as the fake SE, seen as the last item in the scan results here.

    (screenshot: VIPRE scan results)

    The fake SE has a dark, almost black, background color with the look of more recent software, an Aero-style appearance with yellow and red coloring for text. That's quite a bit different in appearance from the 2010 version of the fake MS SE seen in the link above.


  2. #2


    Hafnarfjörður IS
    Posts : 4,376
    Linux Centos 7, W8.1, W7, W2K3 Server W10


    Hi there
    If you are unfortunate enough to get this -- just RESTORE from a decent virus-free backup.

    Would you REALLY trust an infected computer that had been used to clean itself?
    We ALL know that NO A/V software can ever be 100% cast-iron solid -- so why should you believe that the "cleansing" is 100% OK either?

    In any case, if the virus is discovered AFTER the fact then you really don't know what has been happening between infection and discovery time. A/V software IMO is only of any use if it operates in REAL time.

    If you do "batch scans" and discover something, then only a clean restore or OS re-install IMO is sufficient.

    Cheers
    jimbo

  3. #3


    Posts : 1,851
    8250 x86 + 7 SP1 x86 + Ubuntu 12.04 LTS x86


    Quote, originally posted by jimbo45:
        Would you REALLY trust an infected computer that had been used to clean itself?

    No, and anyone that would claim they can would be full of it. That's precisely why I always recommend Killdisk after an infection, to low-level format the drive (alright, only the manufacturer of the drive can truly low-level format it, but I'm talking consumer low-level).

    Any security expert would say the same thing as you or I, and if not, he or she wouldn't be an expert lol.

  4. #4


    Posts : 738
    1st W10 Professional x64/W7 Ultimate x64 - 2nd Remote system: W10 Insider Builds/W7 Professional


    The problem there is that there is no system image to fall back on! The fortunate side of this, however, was that there was no registry involvement with this particular malware to find. The exe bug file was what launched the fake GUI, and it was also scripted to download that along with the four trojans also confirmed present by the AV program used here.

    The design of this wasn't for trashing the OS but for the con job of "scare tactic, make people buy fake security program"! This latest fakeware looks far more like the MS Security Essentials when compared to the blue and red color patterned fakeware seen back in 2010.

    The good thing was being able to remove it completely IF you have a good malware remover as well as the foresight to track things down, like opening up the file location when right-clicking on the fakeware GUI itself. Once located, you can move it into a temp folder out of the user account sub folder to keep track of it long enough to reboot into safe mode. Your malware remover can delete the remaining items once you have dealt with the main protector-xfg.exe bug file.

    Unfortunately not everyone would be, from not being anywhere near as PC savvy as people you would find always looking at various PC situations as well as getting familiar with a large variety of hardware/software issues. For the novice web browsing, email checking weekend user, scams like this often result in seeing the home PC brought into a repair shop for a good fee, if not getting duped into spending on a program that doesn't even exist!
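The triage step the two posts above describe (find the newly added process, open its file location, then deal with it from safe mode) can be done from a PowerShell prompt instead of Task Manager, which matters precisely when a rogue "process manager" has hijacked Task Manager. The script below is an added example written for this thread; it is not code from any poster or from any product named here. The rogue file names it flags are the two quoted in the thread, and the DisableTaskMgr policy check is a generic one (the thread does not say this variant sets that value). It only reports; nothing is killed or deleted.

```powershell
# Added triage example (not from the thread). Run from an elevated prompt so
# that executable paths and command lines of every user's processes are visible.

# File names quoted in the thread as the dropper's name (old and new variant).
$suspectNames = @('protector.exe', 'protector-xfg.exe')

# Droppers of this kind land under a user profile rather than Program Files,
# so anything executing from below \Users deserves a look.
$userRoot = Join-Path $env:SystemDrive 'Users'

$findings = Get-CimInstance Win32_Process |
    Where-Object {
        $_.ExecutablePath -and
        $_.ExecutablePath.StartsWith($userRoot, [System.StringComparison]::OrdinalIgnoreCase)
    } |
    ForEach-Object {
        [PSCustomObject]@{
            PID         = $_.ProcessId
            Name        = $_.Name
            KnownRogue  = ($suspectNames -contains $_.Name)   # -contains is case-insensitive
            Path        = $_.ExecutablePath                    # the "open file location" step
            Started     = $_.CreationDate
            CommandLine = $_.CommandLine
        }
    }

# Flagged names first, then the most recently started processes.
$findings |
    Sort-Object @{Expression = 'KnownRogue'; Descending = $true}, @{Expression = 'Started'; Descending = $true} |
    Format-Table PID, Name, KnownRogue, Started, Path -AutoSize

# Generic check: rogue security software commonly blocks Task Manager through
# this per-user policy value. Assumption: not stated in the thread for this variant.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$policy = Get-ItemProperty -Path $policyKey -Name DisableTaskMgr -ErrorAction SilentlyContinue
if ($policy -and $policy.DisableTaskMgr -eq 1) {
    Write-Warning 'DisableTaskMgr is set in HKCU; Task Manager is blocked for this user.'
}

# Keep a record of what was running before the reboot into safe mode, so the
# paths can be handed to the malware remover afterwards.
$report = Join-Path $env:USERPROFILE 'Desktop\process-triage.csv'
$findings | Export-Csv -Path $report -NoTypeInformation
Write-Host "Process triage written to $report"
```

The CSV is the useful artefact: it records the full path of every process running out of a profile folder at the time of infection, which is exactly what has to be deleted or quarantined once the machine is back in safe mode and the rogue program is no longer running.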

  5. #5


    Posts : 1,851
    8250 x86 + 7 SP1 x86 + Ubuntu 12.04 LTS x86


    heh heh, I hear all you're saying -- but now what is to stop somebody with knowledge from using this fake A/V program as the scapegoat while also delivering the TRUE malicious payload on the side along with it?

    The end user thinks, "oh alright, I cleared my system, all is good," while the black hat sits back and says "thank you for root access".

    The hard truth is that once a machine is infected, no amount of going over this or that can be a guarantee of security/reliability.

  6. #6


    Posts : 738
    1st W10 Professional x64/W7 Ultimate x64 - 2nd Remote system: W10 Insider Builds/W7 Professional


    Nothing is ever written in stone! After the last few weeks, however, no other sign of any malware has been detected since this was removed, showing it was fortunate enough not to see anything else dumped on along with it!

    When looking over the last IE session it was learned that the kid who had borrowed the portable had been in a Google session of some type and had also installed the Chrome browser without permission, suggesting the click-to-install-without-asking led to seeing this to start with!

    For the more experienced user, suspicion of something and wanting to first look over information at a home page would have easily prevented this to begin with. For a newbie, just about a first-time user lacking any common sense from experience, this caught that one off guard.

    When selecting a security program of any type here, the first thing often looked at is how good the rootkit protection is, as well as how well it will flag any other malware before any harm is seen. One thing I can add here is that it was a good thing a good AV program was on already. I also suspect that if this had been seen on the 8 CP the updated security may have also flagged the rogue scamware, since MS has obviously improved the security in the new upcoming version over what was seen in 7 even!

  7. #7


    Posts : 1,308
    Windows 8 enterprise x64


    oh boy, how long does it take to copy a 15 GB folder? .... this is what it will take to replace my Linux Pinguy or my Windows 7 that I use in a VM to browse the Internet IF something happens....big IF here.

  8. #8


    Posts : 738
    1st W10 Professional x64/W7 Ultimate x64 - 2nd Remote system: W10 Insider Builds/W7 Professional


    I never copied an entire folder but simply moved the protector-xfg.exe bug out of the sub folder it was found in to a folder used, ironically, for the Recycle Bin icon pinned to the taskbar. That seemed to be the appropriate place to see that one go!

  9. #9


    Hafnarfjörður IS
    Posts : 4,376
    Linux Centos 7, W8.1, W7, W2K3 Server W10


    Hi there
    Even if you don't use commercial programs like Acronis, there are excellent basic FREE ones around.

    One of the problems is that STORE-bought PCs invariably (apart from the hidden recovery partition -- I think it's cheap enough these days that a recovery USB should be provided instead -- that's another issue however) have everything installed on the "C" partition.

    It would be better to have the OS installed in its own, say, 55 GB partition and a "D" partition for users' data etc.

    Backing up a 55 GB image containing all your installed apps -- even big ones like the Adobe suite CS 5.5 -- and the OS with, say, Acronis or Macrium will only take around 25 - 35 mins AT THE MOST, even on a smallish laptop.

    The problem arises with new computers: when you just have a "C" drive you can't "image" the partition to itself, and maybe some of these users don't have external drives etc., and backing up to DVDs is always fraught with a bit of a "luck" element when you try and restore.

    Most users probably aren't knowledgeable enough to use partition tools to re-partition the "C" drive.

    Stores could do far more to help customers make sensible backups when they get home by:

    1) Partitioning the disks when the OS is pre-installed -- or changing the installation program that the user first starts when he/she gets the machine home and runs through its initial setup routine, so that it automatically partitions the disks at initial start-up.

    2) Stopping messing about trying to push stupid unwanted security packages on people when they buy a computer -- usually it's McAfee or Symantec -- both HIDEOUS choices for non-corporates.

    3) "Extended warranties" IMO should be OUTLAWED -- the average Joe is often conned into paying a significant percentage of the actual price of the article in question for this, when the manufacturer's guarantee (one to two years -- compulsory in the EU and EFTA) is more than sufficient.

    Last week in the UK I saw some hapless 55-year-oldish or so woman being pestered to spend 30 GBP on an extended warranty for a 45 GBP printer.

    Fortunately she was more "savvy" than most. I was in the line behind her and together we made an official complaint to the Store Manager, Consumer Trading Standards, the store owners (Kingfisher), Companies House (company almost doing rogue trading) and the Financial Services Ombudsman. We also sent a complaint to the BBC's Watchdog programme too.

    She was too scared to do this herself, but I'm quite a decent size-ish, blondish, almost malevolent Viking-looking type, so the tiny Filipino security guys kept well away while we waited for the Store Manager to emerge from his "eyrie", probably drinking his champagne for the day.

    Not that in the UK this will make an IOTA of difference, but it made the lady's day and it was quite good fun seeing a red-faced store manager suffering under inquisition when asked "Is this how you enjoy earning your money, by robbing consumers blind?"

    Cheers
    jimbo

  10. #10


    Posts : 738
    1st W10 Professional x64/W7 Ultimate x64 - 2nd Remote system: W10 Insider Builds/W7 Professional


    You can't save a full image to the partition it is made from, unless copying the image over from another drive or partition later. For laptop users a small USB external enclosure will take a 2.5" drive for use when creating an image backup or for the additional storage space.

    In fact, for one older Vista laptop I removed the drive from the unit once that drive was trashed by a virus (I-Worm, fake anti-spyware program), saw that wiped and repartitioned, and used it for storing an image of a clean install on a new larger drive. Acronis True IE was used for that one.

    I expect to see some, but not a lot, of improvement needed in the backup features 8 will be seeing, since those in 7 have been reliable in every instance. That, as well as Acronis, will take a snapshot of the 100 MB System Reserved BCD store / boot manager partition as well as the main C volume. Acronis also grabbed the small recovery partition seen on the Vista laptop there as well.

    The problem seen with the 7 laptop, however, was not having the chance to grab an image before the owner loaned it out, and whamo, new bug soon seen! Fortunately I could still perform a clean install and simply use the key on the sticker for that, already looking after another 7 Home Premium build if ever found necessary, which would then definitely see an image created.

    An image saved to an external USB drive or a drive in a USB enclosure takes quite a bit longer, however, than seen when saving to another internal storage drive! Try about 3.5 hrs! Timed 35 min. backups from the 497 GB images here, made with both Acronis and the 7 image option, compared to what someone will see when backing up through the USB 2.0 bus taking that long, is something many would simply opt out of.

    Obviously most won't be seeing images quite that large unless storing a large volume of files on the main drive itself, which would include having a second partition when splitting a drive to store files on. Yet recently I talked with someone who had 1.2 TB across two drives (C 1 TB, storage 1.5 TB) that he was trying to make a single image of with the 7 backup option rather than using a 3rd-party program, which would be the recommendation for that. The problem was simply too much data, plus two drives involved, to use the Windows option there.

    As far as the bloatware and trialware, that's typical with OEM premade systems due to contracts with the software companies. You'll never see that disappear! In fact, the one nice thing about a clean install on an OEM machine when needed is the instant removal of all the bloat. But you also may lose other prepackaged apps, including the utility for creating a full recovery disk, which may not be available at that manufacturer's support site by chance.

    Not good! At the trialware can be uninstalled easily to solve a lot of that. The one thing you won't see, however, is "Windows is now setting up" each time you turn your machine on in case you got nailed by a bug during a previous session. Who is going to want to wait while the OS reinstalls itself over and over on each new startup? NO ONE! The OEMs instead provide the full factory restore option on most new and recently new machines to do away with recovery media as well as provide a recovery option for the noob!