Windows Privacy Extension

July 1, 2012

Windows Privacy Extension is name-changing fake antivirus software. Fresh copies of this malware are released daily in the hope of reaching as many victims as possible. Members of this group clearly wear the same skin. See the screenshot below.

To reach a target PC, Windows Privacy Extension uses a Trojan that destabilizes your antivirus program. The Trojan goes directly after the running antivirus process and kills it instantly. Next, it corrupts the antivirus file, making the antivirus useless. Without protection, the target computer is more exposed to the subsequent attack planned by the Trojan, which can now drop and execute a copy of Windows Privacy Extension on the defenseless computer.

While the fake software is running, it displays numerous fake warnings, all of them describing how a virus has struck the computer. They all push for immediate removal by asking the user to purchase the full version of Windows Privacy Extension. Every computer user should disregard this advice. Otherwise, it leads to a payment-processing page where the attackers will charge your credit card for a licensed copy of this worthless software.

Remove Windows Privacy Extension as soon as you notice it on the computer. It is a rogue program, so you should eliminate it as quickly as possible. See the guide below to help you remove this malware effectively.

Type: Rogue
Sub-Type: FakeAV
OS Affected: Windows

What are the Symptoms of Windows Privacy Extension Infection?

Here is a screenshot image of the rogue program when it begins to scan the computer.

It will modify the Windows Registry and add the following entries:
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings “WarnOnHTTPSToHTTPRedirect” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegedit” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableRegistryTools” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System “DisableTaskMgr” = 0
HKCU\Software\Microsoft\Windows\CurrentVersion\Run “Inspector”
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings “net” = “u_2012-5-24_6”
HKCU\Software\Microsoft\Windows\CurrentVersion\Settings “UID” = “mskcufgftr”
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\njsyqwin.exe
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SafetyKeeper.exe

The threat will drop the following malicious files:
%AppData%\NPSWF32.dll
%AppData%\Protector-[random 3 characters].exe
%AppData%\Protector-[random 4 characters].exe
%AppData%\result.db
%CommonStartMenu%\Programs\Windows Privacy Extension.lnk
%Desktop%\Windows Privacy Extension.lnk
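
The registry entries and dropped files listed above can be matched against a collected file listing and registry export. The following Python code is an added example, not part of the original article; it assumes Vista-and-later profile paths, that "[random N characters]" means alphanumeric characters, and it runs on constructed sample data.

```python
import re

# Assumption: Vista-and-later profile layout for %AppData% and %Desktop%.
USER = r"[A-Za-z]:\\Users\\[^\\]+"
FILE_IOCS = [re.compile(p, re.IGNORECASE) for p in (
    # Anchored on the directory; this example does not match on file name alone.
    USER + r"\\AppData\\Roaming\\NPSWF32\.dll",
    # Assumption: "[random 3/4 characters]" means alphanumeric characters.
    USER + r"\\AppData\\Roaming\\Protector-[A-Za-z0-9]{3,4}\.exe",
    USER + r"\\AppData\\Roaming\\result\.db",
    r".*\\Start Menu\\Programs\\Windows Privacy Extension\.lnk",
    USER + r"\\Desktop\\Windows Privacy Extension\.lnk",
)]

CV = r"Software\Microsoft\Windows\CurrentVersion"
IFEO = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
# (hive, key, value name); an empty value name means the key itself.
# Only entries identifiable by name are checked; the values the article
# lists with data 0 are not included in this example.
REG_IOCS = {(h.lower(), k.lower(), v.lower()) for h, k, v in (
    ("HKCU", CV + r"\Run", "Inspector"),
    ("HKCU", CV + r"\Settings", "net"),
    ("HKCU", CV + r"\Settings", "UID"),
    ("HKLM", IFEO + r"\njsyqwin.exe", ""),
    ("HKLM", IFEO + r"\SafetyKeeper.exe", ""),
)}

def triage(files, reg_entries):
    """Return ("file" | "registry", item) hits for the listed indicators."""
    hits = [("file", f) for f in files
            if any(p.fullmatch(f) for p in FILE_IOCS)]
    hits += [("registry", "\\".join(e).rstrip("\\")) for e in reg_entries
             if tuple(s.lower() for s in e) in REG_IOCS]
    return hits

# Constructed sample inventory (not real telemetry).
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Protector-x7q.exe",
    r"C:\Users\alice\AppData\Roaming\Protector-setup.exe",  # 5 characters: no match
    r"C:\Windows\System32\Macromed\Flash\NPSWF32.dll",      # outside %AppData%: no match
    r"C:\Users\alice\AppData\Roaming\NPSWF32.dll",
    r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Windows Privacy Extension.lnk",
]
SAMPLE_REG = [
    ("HKCU", CV + r"\Run", "Inspector"),
    ("HKCU", CV + r"\Run", "OneDrive"),                     # unrelated autorun: no match
    ("HKLM", IFEO + r"\safetykeeper.exe", ""),              # case-insensitive match
]

if __name__ == "__main__":
    for kind, item in triage(SAMPLE_FILES, SAMPLE_REG):
        print(kind, item)
```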
