The Emsi Software malware research team has discoverd a new outbreak of the Desktop Defender 2010 adware. a-squared Anti-Malware detects this malware as Adware.Win32.DesktopDefender2010.

Desktop Defender 2010 is a rogue scanner program, it shows misleading scan results and fake security alerts. If you download and install Windows PC Defender 2010, it will be automatically configured to start each time you log on into Windows. Once the program is running it will scan your computer and then displays fake infections, but will not allow you to remove them until you purchase it.

This rogue has some protection, one of them is the protection against virtual machine. When user try to run the Installer of this rogue on the virtual machine environment, the application will crash.

And also protects himself from the unwanted applications, e.g. File Monitor and Registry Monitor from SysInternals.

Create new files:

• %ProgramFiles%\Desktop Defender 2010\msvcr71.dll
• %ProgramFiles%\Desktop Defender 2010\pthreadVC2.dll
• %ProgramFiles%\Desktop Defender 2010\shellext.dll
• %ProgramFiles%\Desktop Defender 2010\siglsp.dll
• %ProgramFiles%\Desktop Defender 2010\tdifw_drv_WLH.sys
• %ProgramFiles%\Desktop Defender 2010\tdifw_drv_WXP.sys
• %ProgramFiles%\Desktop Defender 2010\uninstall.exe
• %ProgramFiles%\Desktop Defender 2010\AF.dll
• %ProgramFiles%\Desktop Defender 2010\daily.cvd
• %ProgramFiles%\Desktop Defender 2010\Desktop Defender 2010.exe
• %ProgramFiles%\Desktop Defender 2010\guide.chm
• %ProgramFiles%\Desktop Defender 2010\hjengine.dll
• %ProgramFiles%\Desktop Defender 2010\IEAddon.dll
• %ProgramFiles%\Desktop Defender 2010\MFC71.dll
• %ProgramFiles%\Desktop Defender 2010\MFC71ENU.DLL
• %ProgramFiles%\Desktop Defender 2010\msvcp71.dll
• %SystemRoot%\system32\drivers\tdifw_drv.sys
• %AllUsersProfile%\Desktop\Desktop Defender 2010.lnk
• %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010.lnk
• %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010\How to Activate Desktop Defender 2010.lnk
• %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010\Activate Desktop Defender 2010.lnk
• %AllUsersProfile%\Start Menu\Programs\Desktop Defender 2010\Desktop Defender 2010.lnk
• %UserProfile%\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Defender 2010.lnk
• %UserProfile%\Local Settings\Temp\kgn.exe
• %UserProfile%\Local Settings\Temp\kilslmd.exex
• %UserProfile%\Local Settings\Temp\kn.a.exe
• %UserProfile%\Local Settings\Temp\.tt1.tmp
• %UserProfile%\Local Settings\Temp\.tt1.tmp.exe
• %UserProfile%\Local Settings\Temp\gedx_ae09.exe
• %UserProfile%\Local Settings\Temp\nsq18.tmp\ext.dll
• %UserProfile%\Local Settings\Temp\nsq18.tmp\System.dll

Create new registry entries:

• HKEY_LOCAL_MACHINE\software\Classes\*\shellex\ContextMenuHandlers\antivirus_contextscan
• HKEY_LOCAL_MACHINE\software\Classes\AppID\IEAddon.DLL
• HKEY_LOCAL_MACHINE\software\Classes\AppID\{C0E56AC2-9F72-436E-B6E7-AEC28AF9E4EB}
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{08EEC6AD-7486-487F-89B7-5A3716DDAE14}
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{08EEC6AD-7486-487F-89B7-5A3716DDAE14}\InprocServer32
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\InprocServer32
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\ProgID
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\Programmable
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\TypeLib
• HKEY_LOCAL_MACHINE\software\Classes\CLSID\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}\VersionIndependentProgID
• HKEY_LOCAL_MACHINE\software\Classes\Drive\shellex\ContextMenuHandlers\antivirus_contextscan
• HKEY_LOCAL_MACHINE\software\Classes\Folder\shellex\ContextMenuHandlers\antivirus_contextscan
• HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane
• HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane\CLSID
• HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane\CurVer
• HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane.1
• HKEY_LOCAL_MACHINE\software\Classes\IEAddon.StatusBarPane.1\CLSID
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}\ProxyStubClsid
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}\ProxyStubClsid32
• HKEY_LOCAL_MACHINE\software\Classes\Interface\{5B184B9D-B7BD-4FEA-8D1F-5E27182206A5}\TypeLib
• HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}
• HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0
• HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0\0
• HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0\0\win32
• HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0\FLAGS
• HKEY_LOCAL_MACHINE\software\Classes\TypeLib\{3ED0E410-5C8E-47B6-A75D-D10B886E903C}\1.0\HELPDIR
• HKEY_LOCAL_MACHINE\software\Desktop Defender 2010
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CCB5551D-8594-4999-85F9-1E3EABCB95AC}
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Uninstall\Desktop Defender 2010
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdifw_drv
• HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run, “Desktop Defender 2010″

Screenshots:

How to remove the infection of Adware.Win32.DesktopDefender2010?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.

Tags: Defender, Desktop, Rogue

This entry was posted on Saturday, October 31st, 2009 at 16:50 and is filed under Malware Alerts, Removal Help. You can follow any responses to this entry through the RSS 2.0 feed. Responses are currently closed, but you can trackback from your own site.