Windows Virtual Firewall

Posted: July 16, 2012

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Ranking:	10,888
Threat Level:	2/10
Infected PCs:	18,521

First Seen:	July 16, 2012
Last Seen:	October 9, 2023
OS(es) Affected:	Windows

Windows Virtual Firewall is a new variant of FakeVimes, a Trojan family that uses fake security scans and pop-ups warnings to present misleading information about your PC's status. Windows Virtual Firewall, like all of its ilk, pretends to be an anti-malware product with a generous assortment of other security features, such as a memory-monitoring utility, a firewall manager and, of course, an anti-virus scanner. Although Windows Virtual Firewall is a new arrival to the FakeVimes family of rogue anti-malware applications, its appearance and functions are identical to that of other recent members.

Why There Isn't Anything 'Virtual' About Windows Virtual Firewall's Real Features

Although Windows Virtual Firewall is a new arrival to the FakeVimes family of rogue anti-malware applications, its appearance and functions are identical to that of other recent members. PCs that are infected with Windows Virtual Firewall will be immediately detectable under most circumstances, since Windows Virtual Firewall will launch with Windows and proceed to display a range of inaccurate pop-up warnings. These are accompanied by system scans that include nonexistent (albeit accurately-defined) PC threats, including rootkits and advanced forms of spyware. Closely-related PC threats from Windows Virtual Firewall's family include examples such as Privacy Guard Pro, PrivacyGuard Pro 2.0, Extra Antivirus, Fast Antivirus 2009, Presto TuneUp, Windows Security Suite, Smart Virus Eliminator, Packed.Generic.245, Volcano Security Suite, Windows Enterprise Suite, Enterprise Suite, Additional Guard, Live PC Care, PC Live Guard, Live Enterprise Suite, Security Antivirus, My Security Wall, CleanUp Antivirus and Smart Security. All of them can be diagnosed by a shared interface and such fake features as the 'Advanced Process Control.' Although Windows Virtual Firewall is a recently-identified variant of FakeVimes that may require updates to your anti-malware software to detect Windows Virtual Firewall, in most respects, Windows Virtual Firewall is identical to other scamware from its family and can endanger your PC with browser redirects, unwarranted settings changes and malfunctioning security programs.

Fake security features may be Windows Virtual Firewall's quintessential characteristics, but SpywareRemove.com malware researchers have also acquired familiarity with other FakeVimes-based attacks that are more dangerous to your PC than pop-ups and fraudulent scans. Prominent risks that are possible with any FakeVimes infection, including Windows Virtual Firewall are noted below:

Browser redirects to harmful sites, including fake search engines, sites that conduct drive-by-download attacks and sites that promote fake security programs similar to Windows Virtual Firewall.
Deleted Registry entries that prevent unrelated programs, such as anti-virus scanners, from launching properly.
Programs that are blocked from memory – particularly Windows utilities such as the Task Manager and Registry Editor. SpywareRemove.com malware analysts note that unlike programs with deleted Registry components, programs that are blocked from memory should be accessible once you disable Windows Virtual Firewall.
Settings changes that disable default Windows security features, including the UAC and browser protection from malicious file downloads.

Toning Down the Heat of Windows Virtual Firewall's Assaults

Because Windows Virtual Firewall can be involved in blocking anti-malware scanners and other security programs, SpywareRemove.com malware researchers encourage you to deactivate Windows Virtual Firewall before you try to delete Windows Virtual Firewall with said software. Popular strategies for doing this include booting from a USB drive device or booting Windows into Safe Mode, although other techniques are also available if necessary. In the meantime, you should strive to avoid interaction with websites that are promoted in Windows Virtual Firewall's redirects and, in particular, be careful to avoid throwing away money on purchasing Windows Virtual Firewall.

After Windows Virtual Firewall is prevented from launching, Windows Virtual Firewall can be removed by any reasonably-accurate anti-malware product, although an updated database may be necessary to guarantee Windows Virtual Firewall's accurate identification. Related PC threats, such as Trojan downloaders, may also be on your hard drive, and a full system is also recommended by SpywareRemove.com malware experts.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%AppData%\Protector-[RANDOM CHARACTERS].exe

File name: %AppData%\Protector-[RANDOM CHARACTERS].exe
File type: Executable File
Mime Type: unknown/exe
Group: Malware file

Registry Modifications

The following newly produced Registry Values are:

HKEY..\..\{Value}HKEY_CURRENT_USER\Software\ Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 0 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr" = 0HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings "WarnOnHTTPSToHTTPRedirect" = 0HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegedit" = 0HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "net" = "2012-2-17_2"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "UID" = "rudbxijemb"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Settings "ID" = 0HKEY..\..\..\..{Subkeys}HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Inspector"HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ERROR_PAGE_BYPASS_ZONE_CHECK_FOR_HTTPS_KB954312HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avp32.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\divx.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mostat.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\platin.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tapinstall.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\_avpcc.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ashDisp.exeHKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zapsetup3001.exe

Additional Information

The following URL's were detected:

virtuallylend.com