New Variant of "FAKE" Security Essentials to be aware of!

Night Hawk

Night Hawk

caught multibooting
Some of you may remember the 2010 version of the fake Microsoft Security Essentials. In the last a totally new Aero styled twist to the previously known "protector.exe" trojan dropper that saw the fake SE or Windows Doctor scamware placed on your system has a new cousin to watch out for!

This latest malware will easily slip past any effect web guard as well as just about any av program! The user will unwittingly expose themselves to this by whatever form disguishes it to begin with.

The now called "protector-xfg.exe" trojan dropper downloads several trojans along with a fake "Security Essentials - Windows Defender". Note when trying to bring up the taskmanager to find out what process is new to end it you will find the SE along with a "Windows Process Manager" which basically takes over the taskmanager entirely preventing the disable of the scamware as well as the protector-xfg.exe trojan dropper.

Removal is basic as far as the main exe file by booting into safe mode to manually delete the file found under the user account sub folders once you have opened the file location. Here on one infected 7 laptop the protector-xfg.exe bug was first moved into a temp folder out from the user account while still being active prior to the reboot into safe mode.

With the VIPRE AV Home Premium version of that software installed and having removed several trojans already the fake SE still continued to indicate they were present risks. The obvious design of the malware was to point to already known about bugs in order to get people to buy the fake SE!

Unfortunately the laptop needed charging the first time it was looked at and the followup scan by VIPRE however revealed the quaranteened and then removed trojans as well as Fake SE seen as the last item in the scan results here.

2wre0p3.jpg


The fake SE is dark almost black background in color with the look of any more recent software with the Aero style appearance with yellow and red coloring for text. That's quite a bit different in appearance from the 2010 version of a fake MS SE seen in the link above.
 

My Computers

System One System Two

  • Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    Custom builds = 2
    OS
    W7 Ultimate x64/W10 Pro x64/W11 Pro Triple Boot - Main PC W7 Remote PC Micro ATX W7 Pro x64/W11 Pro
    CPU
    AMD Phenom II X4 975 Deneb 3.6ghz - 965 2nd remote pc
    Motherboard
    Gigabyte GA-790XTA-UD4-Gigabyte GA-880GM-D2H remote pc
    Memory
    Kingston Hyper X DDR3 1600 1.5v 16gb - Hyper X Fury 8gb 2nd
    Graphics Card(s)
    MSI HD Radeon 5750 1gb - MSI HD Radeon 6450 on mini tower
    Sound Card
    Creative Labs X-Fi Xtreme Audio P - Realtek onooard 2nd case
    Monitor(s) Displays
    ASUS VW199T-P 19" HP 2082a Main-HP 2082a 20" remote pc
    Screen Resolution
    Asus 1440x900 - HP 1600x900
    Hard Drives
    WD Black 1TB HD per OS W7, W10, and pending W11 presently on 500gb OS Drive - Pending Triple 1TB HDs for Spanned Storage/backup volume
    Single 2TB external USB enclosure, single 1TB System 7 Host/Boot drive, Pending 8TB external HD for system image b
    PSU
    Corsair 750TX - primary / Corsair CX600 - second
    Case
    Antec 900-2 - SSD compatible / NZXT Vulcan mini tower
    Cooling
    Zalman CNPS9900A
    Keyboard
    AZIO L70 Backlit Letters Gaming - ONN Cordless/USB
    Mouse
    MSI DS200 Programmable, Logitech Cordless
    Internet Speed
    30mbps upgrade - primary hard wired - mini tower usb WiFi
    Antivirus
    GFI VIPRE Internet Security 2014 on W7 2016 beta on W10,
    Browser
    Cyberfox, WaterFox 64bit FF variants, FireFox x64, Pale Moon
    Other Info
    Accomdata fan cooled usb 2.0 PIDE/Sata II, III external enclosure.
    Sambient usb/eSata PATA/Sata II, III external enclosure.
  • Computer type
    PC/Desktop
    System Manufacturer/Model Number
    CUSTOM ASSEMBLY
    OS
    W7 Pro x64/W11 Pro
    CPU
    AMD Deneb 3.6ghz - 965
    Motherboard
    Gigabyte GA-880GM-D2H remote pc
    Memory
    Kingston Hyper X Fury 8gb
    Graphics Card(s)
    MSI HD Radeon 6450 DVI Output
    Sound Card
    Realtek onooard Creative or Other separate PENDING
    Monitor(s) Displays
    VIZIO 32" LCD TV Separate LCD Pending
    Screen Resolution
    1600x1080
    Hard Drives
    WD 500GB OS Host/Boot WD Green 1TB Storage/Backup
    PSU
    Corsair 600W - THERMALTAKE 600W spare case
    Case
    NZXT Vulcan mini tower
    Cooling
    Twin 120mm Top Fans - 240mm Side Cover
    Keyboard
    ONN Cordless/USB Logitech Cordless
    Mouse
    ONN USB/Cordless - Logitech Cordless
    Internet Speed
    DSL 5G
    Browser
    MS Edge, FireFox, WaterFox x64, FireFox Nightly
    Other Info
    OS Testing-Remote Access to Main TeamViewer
Thanks for this info.
 

My Computer

Computer Manufacturer/Model Number
Custom Built
OS
Windows 7 Pro with SP1 32bit
Motherboard
Intel D845GVS1 X86-based PC
Memory
2 gigs of RAM
Graphics Card(s)
Intel(R) 82845G/GL/GE/PE/GV Graphics Controller
Sound Card
Realtek AC'97 Audio
Monitor(s) Displays
Samsung SyncMaster 931BF Black 19" LCD Monitor
Screen Resolution
1280X960
Hard Drives
1. SAMSUNG SP0822N ATA Device ~ 80 GigaBytes

2. Seagate FreeAgent Go USB Device ~ 500 GigaBytes
Keyboard
COMPAQ Standard PS/2 Keyboard
Mouse
iBall Laser Precise Speedster
Internet Speed
4 mb/sec
great info nice to know for future possibilities of infections to warn others.
 

My Computer

Computer type
PC/Desktop
Computer Manufacturer/Model Number
custom build
OS
Windows 10 64bit
CPU
AMD Phenom II X4 925 (Deneb)(2.8GHz) OC 3.4GHz
Motherboard
M5A78L-MLX Plus
Memory
Corsair Vengeance DDR3 4GBX2 (8192MB)
Graphics Card(s)
XFX HD 6870 1GB (OC)- 940MHz core, mem 1150MHz
Monitor(s) Displays
Vizio 26' 1920x1080 / Acer 1336x768
Screen Resolution
1920x1080 60Hz /1336x768
Hard Drives
Kingston Digital 60GB SSDNow V300/500gb HDD Western Digital 7200rpm (/WD 160GB HDD 7200rpm
PSU
CORSAIR CX600 600w
Case
AZZA Orion 202 EVO
Cooling
cooler master hyper TX3 cpu cooler
Keyboard
Razer DeathStalker
Mouse
Logitech Optical Gaming Mouse G400
Antivirus
Defualt on win 10
Browser
Firefox
Other Info
cpu is overclocked in bios
I only wish I could have grabbed a screen of how the fake scamware looked but was on someone else's laptop without a flash drive handy! :( The scamware looked too much like an updated form of the MS Security Essentials when prompting about 4 trojans it saw downloaded in the first place and when trying to bring up the taskmanager!

The taskmanager was obviously locked up first to prevent anyone from ending the protector-xfg.exe combo bug! Instead you saw the same fake SE screen only with two menu columns on the left one above the other with a "Windows Process Manager"! Or lock up of taskmanager!

The fake also pointed right at "C:\Program Files\Internet Explorer\iexplorer.exe" as a risk and designed to prevent any IE windows from staying open long enough to run any online security sweep or download a removal tool! This one was well written and aimed at forcing people to buy a non existent program!

Removal wasn't as hard IF you knew it was a fake to start with! While you wouldn't be able to takeownership over the protector-xfg.exe itself you could open two WE windows and see it moved out of the "C:\users\user account name\AppData\Roaming\" sub folder where this one was found into a temp folder.

The reboot in safe mode saw no events since the process was ended where that file was simply dragged into the Recycle Bin to say "bye bye!" to that one. The subsequent scan by VIPRE seen there was then able to remove the scam ware as well as the 4 trojans in one shot with no further traces of any of this found so far. IE is also running normally.

Just how the malware got on in the first place is another matter since the laptop was being borrowed by someone totally new with any pc! Namely a kid who lacks any actual experience besides a social network. The suspicion is that it wasn't from being on any site the firewall would have blocked.

The trial version for another av software as well as another browser were found installed without the owner's knowledge or permission being someone new with pcs as well. I think someone simply clicked on one too many links and ended up with... :eek: "THE BUG!"
 

My Computers

System One System Two

  • Computer type
    PC/Desktop
    Computer Manufacturer/Model Number
    Custom builds = 2
    OS
    W7 Ultimate x64/W10 Pro x64/W11 Pro Triple Boot - Main PC W7 Remote PC Micro ATX W7 Pro x64/W11 Pro
    CPU
    AMD Phenom II X4 975 Deneb 3.6ghz - 965 2nd remote pc
    Motherboard
    Gigabyte GA-790XTA-UD4-Gigabyte GA-880GM-D2H remote pc
    Memory
    Kingston Hyper X DDR3 1600 1.5v 16gb - Hyper X Fury 8gb 2nd
    Graphics Card(s)
    MSI HD Radeon 5750 1gb - MSI HD Radeon 6450 on mini tower
    Sound Card
    Creative Labs X-Fi Xtreme Audio P - Realtek onooard 2nd case
    Monitor(s) Displays
    ASUS VW199T-P 19" HP 2082a Main-HP 2082a 20" remote pc
    Screen Resolution
    Asus 1440x900 - HP 1600x900
    Hard Drives
    WD Black 1TB HD per OS W7, W10, and pending W11 presently on 500gb OS Drive - Pending Triple 1TB HDs for Spanned Storage/backup volume
    Single 2TB external USB enclosure, single 1TB System 7 Host/Boot drive, Pending 8TB external HD for system image b
    PSU
    Corsair 750TX - primary / Corsair CX600 - second
    Case
    Antec 900-2 - SSD compatible / NZXT Vulcan mini tower
    Cooling
    Zalman CNPS9900A
    Keyboard
    AZIO L70 Backlit Letters Gaming - ONN Cordless/USB
    Mouse
    MSI DS200 Programmable, Logitech Cordless
    Internet Speed
    30mbps upgrade - primary hard wired - mini tower usb WiFi
    Antivirus
    GFI VIPRE Internet Security 2014 on W7 2016 beta on W10,
    Browser
    Cyberfox, WaterFox 64bit FF variants, FireFox x64, Pale Moon
    Other Info
    Accomdata fan cooled usb 2.0 PIDE/Sata II, III external enclosure.
    Sambient usb/eSata PATA/Sata II, III external enclosure.
  • Computer type
    PC/Desktop
    System Manufacturer/Model Number
    CUSTOM ASSEMBLY
    OS
    W7 Pro x64/W11 Pro
    CPU
    AMD Deneb 3.6ghz - 965
    Motherboard
    Gigabyte GA-880GM-D2H remote pc
    Memory
    Kingston Hyper X Fury 8gb
    Graphics Card(s)
    MSI HD Radeon 6450 DVI Output
    Sound Card
    Realtek onooard Creative or Other separate PENDING
    Monitor(s) Displays
    VIZIO 32" LCD TV Separate LCD Pending
    Screen Resolution
    1600x1080
    Hard Drives
    WD 500GB OS Host/Boot WD Green 1TB Storage/Backup
    PSU
    Corsair 600W - THERMALTAKE 600W spare case
    Case
    NZXT Vulcan mini tower
    Cooling
    Twin 120mm Top Fans - 240mm Side Cover
    Keyboard
    ONN Cordless/USB Logitech Cordless
    Mouse
    ONN USB/Cordless - Logitech Cordless
    Internet Speed
    DSL 5G
    Browser
    MS Edge, FireFox, WaterFox x64, FireFox Nightly
    Other Info
    OS Testing-Remote Access to Main TeamViewer
You must log in or register to reply here.
Back
Top