Windows 7: New Variant of "FAKE" Security Essentials to be aware of!

Some of you may remember the 2010 version of the fake Microsoft Security Essentials. In the last a totally new Aero styled twist to the previously known "protector.exe" trojan dropper that saw the fake SE or Windows Doctor scamware placed on your system has a new cousin to watch out for!

This latest malware will easily slip past any effect web guard as well as just about any av program! The user will unwittingly expose themselves to this by whatever form disguishes it to begin with.

The now called "protector-xfg.exe" trojan dropper downloads several trojans along with a fake "Security Essentials - Windows Defender". Note when trying to bring up the taskmanager to find out what process is new to end it you will find the SE along with a "Windows Process Manager" which basically takes over the taskmanager entirely preventing the disable of the scamware as well as the protector-xfg.exe trojan dropper.

Removal is basic as far as the main exe file by booting into safe mode to manually delete the file found under the user account sub folders once you have opened the file location. Here on one infected 7 laptop the protector-xfg.exe bug was first moved into a temp folder out from the user account while still being active prior to the reboot into safe mode.

With the VIPRE AV Home Premium version of that software installed and having removed several trojans already the fake SE still continued to indicate they were present risks. The obvious design of the malware was to point to already known about bugs in order to get people to buy the fake SE!

Unfortunately the laptop needed charging the first time it was looked at and the followup scan by VIPRE however revealed the quaranteened and then removed trojans as well as Fake SE seen as the last item in the scan results here.



The fake SE is dark almost black background in color with the look of any more recent software with the Aero style appearance with yellow and red coloring for text. That's quite a bit different in appearance from the 2010 version of a fake MS SE seen in the link above.

Thanks for this info.

great info nice to know for future possibilities of infections to warn others.

I only wish I could have grabbed a screen of how the fake scamware looked but was on someone else's laptop without a flash drive handy! The scamware looked too much like an updated form of the MS Security Essentials when prompting about 4 trojans it saw downloaded in the first place and when trying to bring up the taskmanager!

The taskmanager was obviously locked up first to prevent anyone from ending the protector-xfg.exe combo bug! Instead you saw the same fake SE screen only with two menu columns on the left one above the other with a "Windows Process Manager"! Or lock up of taskmanager!

The fake also pointed right at "C:\Program Files\Internet Explorer\iexplorer.exe" as a risk and designed to prevent any IE windows from staying open long enough to run any online security sweep or download a removal tool! This one was well written and aimed at forcing people to buy a non existent program!

Removal wasn't as hard IF you knew it was a fake to start with! While you wouldn't be able to takeownership over the protector-xfg.exe itself you could open two WE windows and see it moved out of the "C:\users\user account name\AppData\Roaming\" sub folder where this one was found into a temp folder.

The reboot in safe mode saw no events since the process was ended where that file was simply dragged into the Recycle Bin to say "bye bye!" to that one. The subsequent scan by VIPRE seen there was then able to remove the scam ware as well as the 4 trojans in one shot with no further traces of any of this found so far. IE is also running normally.

Just how the malware got on in the first place is another matter since the laptop was being borrowed by someone totally new with any pc! Namely a kid who lacks any actual experience besides a social network. The suspicion is that it wasn't from being on any site the firewall would have blocked.

The trial version for another av software as well as another browser were found installed without the owner's knowledge or permission being someone new with pcs as well. I think someone simply clicked on one too many links and ended up with... "THE BUG!"