Emsisoft New Malware Blog » Windows PC Defender http://www.anti-malware-blog.com Just another WordPress weblog Wed, 25 Jan 2012 06:47:18 +0000 en hourly 1 http://wordpress.org/?v=3.3.1 Windows PC Defender Adware Removal Instructions http://www.anti-malware-blog.com/2009/09/23/windows-pc-defender-adware-removal-instructions/ http://www.anti-malware-blog.com/2009/09/23/windows-pc-defender-adware-removal-instructions/#comments Wed, 23 Sep 2009 12:18:00 +0000 admin http://www.anti-malware-blog.com/post.aspx?id=b92734a8-bdfc-438b-b0e6-d565fea63ec2 The Emsi Software malware research team has discoverd a new outbreak for the Windows PC Defender adware. a-squared Anti-Malware detect this malware as Adware.Win32.WindowsPCDefender.

Windows PC Defender is rogue security software that show false warning messages and show misleading scan results. The advertisement will state that you are infected and then prompt you to download Windows PC Defender to your computer. If you download and install Windows PC Defender, it will start automatically when your computer starts. The installer will also create numerous harmless files on your computer, usually at Recent folder, that are used to impersonate malware files. Once the program is running it will scan your computer and then display these files as infections, but will not allow you to remove them until you purchase the program.

The main program will extract several files to (the name of the files and directory for this rogue are random):

  • %CommonAppData%\b0cf5\WPba6.exe
  • %CommonAppData%\WPCDSys\wpcd.cfg
  • %AppData%\Microsoft\Internet Explorer\Quick Launch\Windows PC Defender.lnk
  • %AppData%\Windows PC Defender\Instructions.ini
  • %UserProfile%\Cookies\index.dat
  • %UserProfile%\Cookies\virus demo@support.zonedialog[1].txt
  • %UserProfile%\Desktop\1587.mof
  • %UserProfile%\Desktop\Windows PC Defender.lnk
  • %UserProfile%\Desktop\WPCD.ico
  • %UserProfile%\Desktop\BackUp\HyperSnap-DX.lnk
  • %UserProfile%\Desktop\WPCDSys\vd952342.bd
  • %UserProfile%\Recent\ANTIGEN.tmp
  • %UserProfile%\Recent\cb.dll
  • %UserProfile%\Recent\cid.exe
  • %UserProfile%\Recent\cid.sys
  • %UserProfile%\Recent\CLSV.drv
  • %UserProfile%\Recent\exec.drv
  • %UserProfile%\Recent\fix.sys
  • %UserProfile%\Recent\grid.tmp
  • %UserProfile%\Recent\kernel32.tmp
  • %UserProfile%\Recent\PE.sys
  • %UserProfile%\Recent\PE.tmp
  • %UserProfile%\Recent\ppal.drv
  • %UserProfile%\Recent\SM.tmp
  • %UserProfile%\Recent\tjd.sys
  • %UserProfile%\Recent\tjd.tmp
  • %UserProfile%\Start Menu\Windows PC Defender.lnk
  • %UserProfile%\Start Menu\Programs\Windows PC Defender.lnk

And create new registry entry:

  • HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Run\Windows PC Defender

This rogue also try to modify hosts file:

  • 74.125.45.100 4-open-davinci.com
  • 74.125.45.100 securitysoftwarepayments.com
  • 74.125.45.100 privatesecuredpayments.com
  • 74.125.45.100 secure.privatesecuredpayments.com
  • 74.125.45.100 getantivirusplusnow.com
  • 74.125.45.100 secure-plus-payments.com
  • 74.125.45.100 www.getantivirusplusnow.com
  • 74.125.45.100 www.secure-plus-payments.com
  • 74.125.45.100 www.getavplusnow.com
  • 74.125.45.100 www.securesoftwarebill.com
  • 74.125.45.100 secure.paysecuresystem.com
  • 74.125.45.100 paysoftbillsolution.com
  • 206.53.61.77 google.ae
  • 206.53.61.77 google.as
  • 206.53.61.77 google.at
  • 206.53.61.77 google.az
  • 206.53.61.77 google.ba
  • 206.53.61.77 google.be
  • 206.53.61.77 google.bg
  • 206.53.61.77 google.bs
  • 206.53.61.77 google.ca
  • 206.53.61.77 google.cd
  • 206.53.61.77 google.com.gh
  • 206.53.61.77 google.com.hk
  • 206.53.61.77 google.com.jm
  • 206.53.61.77 google.com.mx
  • 206.53.61.77 google.com.my
  • 206.53.61.77 google.com.na
  • 206.53.61.77 google.com.nf
  • 206.53.61.77 google.com.ng
  • 206.53.61.77 google.ch
  • 206.53.61.77 google.com.np
  • 206.53.61.77 google.com.pr
  • 206.53.61.77 google.com.qa
  • 206.53.61.77 google.com.sg
  • 206.53.61.77 google.com.tj
  • 206.53.61.77 google.com.tw
  • 206.53.61.77 google.dj
  • 206.53.61.77 google.de
  • 206.53.61.77 google.dk
  • 206.53.61.77 google.dm
  • 206.53.61.77 google.ee
  • 206.53.61.77 google.fi
  • 206.53.61.77 google.fm
  • 206.53.61.77 google.fr
  • 206.53.61.77 google.ge
  • 206.53.61.77 google.gg
  • 206.53.61.77 google.gm
  • 206.53.61.77 google.gr
  • 206.53.61.77 google.ht
  • 206.53.61.77 google.ie
  • 206.53.61.77 google.im
  • 206.53.61.77 google.in
  • 206.53.61.77 google.it
  • 206.53.61.77 google.ki
  • 206.53.61.77 google.la
  • 206.53.61.77 google.li
  • 206.53.61.77 google.lv
  • 206.53.61.77 google.ma
  • 206.53.61.77 google.ms
  • 206.53.61.77 google.mu
  • 206.53.61.77 google.mw
  • 206.53.61.77 google.nl
  • 206.53.61.77 google.no
  • 206.53.61.77 google.nr
  • 206.53.61.77 google.nu
  • 206.53.61.77 google.pl
  • 206.53.61.77 google.pn
  • 206.53.61.77 google.pt
  • 206.53.61.77 google.ro
  • 206.53.61.77 google.ru
  • 206.53.61.77 google.rw
  • 206.53.61.77 google.sc
  • 206.53.61.77 google.se
  • 206.53.61.77 google.sh
  • 206.53.61.77 google.si
  • 206.53.61.77 google.sm
  • 206.53.61.77 google.sn
  • 206.53.61.77 google.st
  • 206.53.61.77 google.tl
  • 206.53.61.77 google.tm
  • 206.53.61.77 google.tt
  • 206.53.61.77 google.us
  • 206.53.61.77 google.vu
  • 206.53.61.77 google.ws
  • 206.53.61.77 google.co.ck
  • 206.53.61.77 google.co.id
  • 206.53.61.77 google.co.il
  • 206.53.61.77 google.co.in
  • 206.53.61.77 google.co.jp
  • 206.53.61.77 google.co.kr
  • 206.53.61.77 google.co.ls
  • 206.53.61.77 google.co.ma
  • 206.53.61.77 google.co.nz
  • 206.53.61.77 google.co.tz
  • 206.53.61.77 google.co.ug
  • 206.53.61.77 google.co.uk
  • 206.53.61.77 google.co.za
  • 206.53.61.77 google.co.zm
  • 206.53.61.77 google.com
  • 206.53.61.77 google.com.af
  • 206.53.61.77 google.com.ag
  • 206.53.61.77 google.com.ar
  • 206.53.61.77 google.com.au
  • 206.53.61.77 google.com.bn
  • 206.53.61.77 google.com.br
  • 206.53.61.77 google.com.by
  • 206.53.61.77 google.com.bz
  • 206.53.61.77 google.com.cu
  • 206.53.61.77 google.com.ec
  • 206.53.61.77 google.com.fj
  • 206.53.61.77 www.google.ae
  • 206.53.61.77 www.google.as
  • 206.53.61.77 www.google.at
  • 206.53.61.77 www.google.az
  • 206.53.61.77 www.google.ba
  • 206.53.61.77 www.google.be
  • 206.53.61.77 www.google.bg
  • 206.53.61.77 www.google.bs
  • 206.53.61.77 www.google.ca
  • 206.53.61.77 www.google.cd
  • 206.53.61.77 www.google.com.gh
  • 206.53.61.77 www.google.com.hk
  • 206.53.61.77 www.google.com.jm
  • 206.53.61.77 www.google.com.mx
  • 206.53.61.77 www.google.com.my
  • 206.53.61.77 www.google.com.na
  • 206.53.61.77 www.google.com.nf
  • 206.53.61.77 www.google.com.ng
  • 206.53.61.77 www.google.ch
  • 206.53.61.77 www.google.com.np
  • 206.53.61.77 www.google.com.pr
  • 206.53.61.77 www.google.com.qa
  • 206.53.61.77 www.google.com.sg
  • 206.53.61.77 www.google.com.tj
  • 206.53.61.77 www.google.com.tw
  • 206.53.61.77 www.google.dj
  • 206.53.61.77 www.google.de
  • 206.53.61.77 www.google.dk
  • 206.53.61.77 www.google.dm
  • 206.53.61.77 www.google.ee
  • 206.53.61.77 www.google.fi
  • 206.53.61.77 www.google.fm
  • 206.53.61.77 www.google.fr
  • 206.53.61.77 www.google.ge
  • 206.53.61.77 www.google.gg
  • 206.53.61.77 www.google.gm
  • 206.53.61.77 www.google.gr
  • 206.53.61.77 www.google.ht
  • 206.53.61.77 www.google.ie
  • 206.53.61.77 www.google.im
  • 206.53.61.77 www.google.in
  • 206.53.61.77 www.google.it
  • 206.53.61.77 www.google.ki
  • 206.53.61.77 www.google.la
  • 206.53.61.77 www.google.li
  • 206.53.61.77 www.google.lv
  • 206.53.61.77 www.google.ma
  • 206.53.61.77 www.google.ms
  • 206.53.61.77 www.google.mu
  • 206.53.61.77 www.google.mw
  • 206.53.61.77 www.google.nl
  • 206.53.61.77 www.google.no
  • 206.53.61.77 www.google.nr
  • 206.53.61.77 www.google.nu
  • 206.53.61.77 www.google.pl
  • 206.53.61.77 www.google.pn
  • 206.53.61.77 www.google.pt
  • 206.53.61.77 www.google.ro
  • 206.53.61.77 www.google.ru
  • 206.53.61.77 www.google.rw
  • 206.53.61.77 www.google.sc
  • 206.53.61.77 www.google.se
  • 206.53.61.77 www.google.sh
  • 206.53.61.77 www.google.si
  • 206.53.61.77 www.google.sm
  • 206.53.61.77 www.google.sn
  • 206.53.61.77 www.google.st
  • 206.53.61.77 www.google.tl
  • 206.53.61.77 www.google.tm
  • 206.53.61.77 www.google.tt
  • 206.53.61.77 www.google.us
  • 206.53.61.77 www.google.vu
  • 206.53.61.77 www.google.ws
  • 206.53.61.77 www.google.co.ck
  • 206.53.61.77 www.google.co.id
  • 206.53.61.77 www.google.co.il
  • 206.53.61.77 www.google.co.in
  • 206.53.61.77 www.google.co.jp
  • 206.53.61.77 www.google.co.kr
  • 206.53.61.77 www.google.co.ls
  • 206.53.61.77 www.google.co.ma
  • 206.53.61.77 www.google.co.nz
  • 206.53.61.77 www.google.co.tz
  • 206.53.61.77 www.google.co.ug
  • 206.53.61.77 www.google.co.uk
  • 206.53.61.77 www.google.co.za
  • 206.53.61.77 www.google.co.zm
  • 206.53.61.77 www.google.com
  • 206.53.61.77 www.google.com.af
  • 206.53.61.77 www.google.com.ag
  • 206.53.61.77 www.google.com.ar
  • 206.53.61.77 www.google.com.au
  • 206.53.61.77 www.google.com.bn
  • 206.53.61.77 www.google.com.br
  • 206.53.61.77 www.google.com.by
  • 206.53.61.77 www.google.com.bz
  • 206.53.61.77 www.google.com.cu
  • 206.53.61.77 www.google.com.ec
  • 206.53.61.77 www.google.com.fj
  • 206.53.61.77 google.com
  • 206.53.61.77 www.google.com
  • 206.53.61.77 bing.com
  • 206.53.61.77 www.bing.com
  • 206.53.61.77 search.yahoo.com
  • 206.53.61.77 www.search.yahoo.com
  • 206.53.61.77 search.live.com
  • 206.53.61.77 search.msn.com

Malware screenshots:

How to remove the infection of Adware.Win32.WindowsPCDefender?

To delete this malware infection, please download and install a-squared Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine

]]> http://www.anti-malware-blog.com/2009/09/23/windows-pc-defender-adware-removal-instructions/feed/ 0