Subscribe to Malware Help RSS Feed RSS Feed - Subscribe to Malware Help. Org on Twitter Follow on Twitter - Malware Help YouTube Channel YouTube Channel - Subscribe to Malware Help by Email Subscribe by Email

WinDefender 2009 Analysis and Removal

by Shanmuga| Tweet This | Google +1 | Facebook | Stumble It | Reddit | Digg |

WinDefender 2009 is one of the recent rogue security software. A variant of the rogue IE Defender and Total Secure it deceptively looks similar to Windows Defender, a legitimate Microsoft anti-malware program.

A rogue security software belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own.

Note: Visiting any of the malware hosting domains mentioned below may be injurious to the health of your computer system.

WinDefender 2009 Screenshot

WinDefender 2009 Screenshot

This rogueware is currently installed through registered to by the ICANN accredited registrar BIZCN.COM, INC. It appears to be hosted at the IP located in Delaware – Wilmington – Network Engineering Technologies Research Center Llc.

The rogue installer is named WinDefender2009.exe and is about 1.71 MB in size. This file must be manually executed for the installation of the rogue anti-spyware. At this point only 25% of the antivirus engines at VirusTotal was able to identify this file as an undesirable file.

WinDefender-2009 VirusTotal Screenshot

WinDefender-2009 VirusTotal Screenshot

This installer file is downloaded from the IP in Latvia. This IP is also home to the nameservers of other malware domains:, and

After the rogueware is sucessfully installed it contacts mothership at, specifically with a page curiously named infected.php through the process windef.exe

Once the user is tricked into installing this scareware, the popup window like the one captured below appear periodically. When the user clicks the "OK" button, he is taken to their own 256 bit secure SSL payment page certified by Equifax Secure Inc.

WinDefender 2009 Scare Popup

WinDefender 2009 Scare Popup

WinDefender 2009 – Associated Files and Folders

  • C:\Program Files\WinDefender
  • C:\Program Files\WinDefender\ekrn.exe
  • C:\Program Files\WinDefender\uninstall.exe
  • C:\Program Files\WinDefender\windef.exe
  • C:\Program Files\WinDefender\WinDefender.s1
  • C:\Program Files\WinDefender\WinDefender.s2
  • C:\Program Files\WinDefender\WinDefender.s3
  • C:\Program Files\WinDefender\WinDefender.s4
  • C:\Program Files\WinDefender\WinDefender.s5
  • C:\Program Files\WinDefender\WinDefender.s6
  • C:\WINDOWS\k.txt
  • C:\WINDOWS\Prefetch\
  • C:\WINDOWS\Prefetch\

Note: File names may be randomly generated.

WinDefender 2009 – Associated Registry keys and values

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#UninstallString
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#InstallLocation
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#DisplayName
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#DisplayIcon
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#DisplayVersion
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#VersionMajor
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#VersionMinor
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#NoModify
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinDefender 2009#NoRepair
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\windefender2009
  • HKU\S-1-5-21-746137067-776561741-1417001333-1003\Software\WinDefender2009

WinDefender 2009 – Associated Domains


WinDefender 2009 – Removal (How to remove WinDefender 2009)

The free versions of MalwareBytes’s Anti-Malware and SuperAntiSpyware appear to remove this rogue security software quite comfortably.

I would also recommend turning off and on the System Restore to clear any infected restore points and using CCleaner to clear the temp folders and files to avoid recurrence.

If you still see symptoms associated with this rogue anti-spyware, please post your problem at one of the Recommended Online Forums for Malware Help.

WinDefender 2009 – Rogue Gallery

WinDefender 2009 – Video

Note: The above installation was tested on a fully patched Windows XP SP3 running updated versions of Internet Explorer 7 and Firefox 3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

{ 2 comments… read them below or add one }

uvio December 6, 2008 at 9:55 PM

Hi Everybody,

Removing wuindefender may not help with the annoying popups and redirections. Further, you may get the popups without ever having windefender. Here are steps to remove these

1) To remove the pop up, first go to IE.
2) Open tools -> Internet Options.
3) Click on the ‘Programs’ tab
4) Click on the ‘Manage Add-Ons’ button
5) Try to isolate an add on with the following characteristics – The publisher field will be blank, the file name will contain the follwing combinations of letters (courtesy s!ri-urz)

composed from a dictionary:
g, h, c, z, o, e

Possible filenames are:
gco.dll, gce.dll, gzo.dll, gze.dll, hco.dll, hce.dll, hzo.dll, hze.dll

5) Disable any add-on with the above characteristics by clicking on its ‘Name’ field (thus highlighting the name) and clicking the ‘disable’ button. Click ‘OK’ and ‘Ok’ once more.
6) Close all browsers
7) Delete any shortcuts on the desktop, Favorites, Start Menu with names like the following: Cheap Pharmacy Online.url , Search Online.url, SMS Trap.url and VIP Casino.url (or any suspicious ones)
8) Now, search for the dll file from step 4. It’s probably hiding in the system32 folder. YOu may not be able to delete it unless you do so from a command window (or perhaps not even then)

8) download ‘hijack this’ from here
9) Install and run hijack this.
10) Click ‘Do a System Scan and save a log file’
11) Seach for the bad ‘gzo.dll’ type dll in the log…
12) Put a check mark in the box next to this entry in the hijack this screen
14)Click the ‘fix checked’ button
15) This should delete it.
16) Do a reboot to be safe.
ok hope that helped


andy December 8, 2008 at 1:50 PM

i dont know how, but this malware already in my computer!! i’ve install superantispyware and scan my computer but it cant find any problem..
the pop up keep comin and annoys u have any other solution to this?


Leave a Comment

Previous post:

Next post: