Windows Premium Console

June 26, 2012

After releasing so many versions of rogue software, the FakeVimes family now introduces Windows Premium Console. This fake antivirus mimics every aspect of the older variants; the only noticeable change the author has made is the name. Since it is a copycat, expect this new version to perform the same actions as the others, including the following:

  • Redirects the Internet browser to unknown web sites.
  • Blocks the user's Internet access and displays a fake warning page.
  • Promotes the rogue program using pop-up alerts and system tray messages.
  • Displays a bunch of fake security notices.
  • Disables the antivirus program installed on the victim's PC.
  • Prevents the user from opening any software or executable files.

Windows Premium Console arrives in the same manner as other rogue programs do: they exploit software flaws and weaknesses in the security setup of the target computer. Once it gains access, it makes changes and configures itself to run at Windows start-up. Once running, the malware is difficult to remove, because the changes it makes to the system ensure that it stays in place until the victim has paid for the full version.

So far, the easiest way we can think of is to activate the program using the provided code. From there, you can proceed with the removal. This step does not require you to spend a penny in order to remove Windows Premium Console.

Type: Rogue
Sub-Type: FakeAV
OS Affected: Windows

What are the Symptoms of Windows Premium Console Infection?

[Image: Windows Premium Console fake scanner]

It will modify the Windows Registry and add the following entries:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-6-25_5"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "dwnydbbihd"
HKEY_CURRENT_USER\Software\ASProtect
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ants.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rav8win32eng.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\system.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wininetd.exe

The threat will drop the following malicious files:
%AppData%\NPSWF32.dll
%AppData%\Protector-[random 3 characters].exe
%AppData%\Protector-[random 4 characters].exe
%AppData%\result.db
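As an added example that is not part of the original post, the following PowerShell check audits a suspect host for the registry and file artifacts listed above. It assumes an elevated session on the machine being examined and that the Protector-*.exe names carry only the short random suffix described; the Image File Execution Options check also reports any "Debugger" value, since that is the mechanism by which an IFEO entry redirects the named security tool.

```powershell
# Added detection check, not code from the original post.
# Assumption: run in an elevated PowerShell session on the host under review.
$ErrorActionPreference = 'SilentlyContinue'

# Registry values the rogue is reported to add (taken from the list above).
$policies = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$settings = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Settings'
$valueChecks = @(
    @{ Key = $policies; Name = 'DisableRegedit' },
    @{ Key = $policies; Name = 'DisableRegistryTools' },
    @{ Key = $policies; Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Inspector' },
    @{ Key = $settings; Name = 'net' },
    @{ Key = $settings; Name = 'UID' }
)
# IFEO subkeys named after security tools; a Debugger value there redirects them.
$ifeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ifeoNames = 'ants.exe', 'rav8win32eng.exe', 'system.exe', 'wininetd.exe'

$findings = @()

foreach ($c in $valueChecks) {
    # Get-ItemProperty returns $null (no exception) when the value is absent.
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name
    if ($null -ne $item) {
        $findings += "Registry value present: $($c.Key) '$($c.Name)' = $($item.($c.Name))"
    }
}
if (Test-Path 'HKCU:\Software\ASProtect') {
    $findings += 'Registry key present: HKCU\Software\ASProtect'
}
foreach ($n in $ifeoNames) {
    $sub = "$ifeoRoot\$n"
    if (Test-Path $sub) {
        $dbg = (Get-ItemProperty -Path $sub -Name 'Debugger').Debugger
        $findings += "IFEO entry for $n" + $(if ($dbg) { " (Debugger = $dbg)" } else { '' })
    }
}

# Dropped files: fixed names checked directly, random-suffix names via a wildcard.
$appData = $env:APPDATA
foreach ($f in 'NPSWF32.dll', 'result.db') {
    if (Test-Path "$appData\$f") { $findings += "Dropped file present: $appData\$f" }
}
Get-ChildItem -Path $appData -Filter 'Protector-*.exe' -File |
    Where-Object { $_.BaseName -match '^Protector-[A-Za-z0-9]{3,4}$' } |
    ForEach-Object { $findings += "Dropped file present: $($_.FullName)" }

if ($findings.Count -eq 0) { 'No Windows Premium Console artifacts found.' } else { $findings }
```

The registry value names are reported whenever they exist, regardless of the data they hold, since the post lists them as artifacts rather than as particular settings.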
