Fake alert : PC Defender Antivirus
File size: 1056768 bytes
MD5 : 2396047703db29f8789df8d1bb91d236
SHA1 : e079605c0b426a24be68485130f58db11f221e34
...
Antivirus | Version | Last Update | Result |
---|---|---|---|
AhnLab-V3 | 2010.08.08.00 | 2010.08.07 | - |
AntiVir | 8.2.4.34 | 2010.08.08 | - |
Antiy-AVL | 2.0.3.7 | 2010.08.06 | - |
Authentium | 5.2.0.5 | 2010.08.07 | - |
Avast | 4.8.1351.0 | 2010.08.08 | Win32:Adware-gen |
Avast5 | 5.0.332.0 | 2010.08.08 | Win32:Adware-gen |
AVG | 9.0.0.851 | 2010.08.08 | - |
BitDefender | 7.2 | 2010.08.08 | - |
CAT-QuickHeal | 11.00 | 2010.08.07 | - |
ClamAV | 0.96.0.3-git | 2010.08.08 | - |
Comodo | 5686 | 2010.08.08 | - |
DrWeb | 5.0.2.03300 | 2010.08.08 | Trojan.Fakealert.18633 |
Emsisoft | 5.0.0.36 | 2010.08.08 | - |
eSafe | 7.0.17.0 | 2010.08.08 | - |
eTrust-Vet | 36.1.7773 | 2010.08.07 | - |
F-Prot | 4.6.1.107 | 2010.08.07 | - |
F-Secure | 9.0.15370.0 | 2010.08.07 | - |
Fortinet | 4.1.143.0 | 2010.08.08 | - |
GData | 21 | 2010.08.08 | Win32:Adware-gen |
Ikarus | T3.1.1.84.0 | 2010.08.08 | - |
Jiangmin | 13.0.900 | 2010.08.07 | - |
Kaspersky | 7.0.0.125 | 2010.08.08 | - |
McAfee | 5.400.0.1158 | 2010.08.08 | - |
McAfee-GW-Edition | 2010.1 | 2010.08.08 | - |
Microsoft | 1.6004 | 2010.08.08 | - |
NOD32 | 5349 | 2010.08.07 | Win32/Adware.PCDefender |
Norman | 6.05.11 | 2010.08.08 | - |
nProtect | 2010-08-08.01 | 2010.08.08 | - |
Panda | 10.0.2.7 | 2010.08.08 | - |
PCTools | 7.0.3.5 | 2010.08.08 | - |
Prevx | 3.0 | 2010.08.08 | - |
Rising | 22.59.05.04 | 2010.08.07 | - |
Sophos | 4.56.0 | 2010.08.08 | - |
Sunbelt | 6703 | 2010.08.08 | Trojan.Win32.Generic.pak!cobra |
SUPERAntiSpyware | 4.40.0.1006 | 2010.08.08 | - |
Symantec | 20101.1.1.7 | 2010.08.08 | - |
TheHacker | 6.5.2.1.338 | 2010.08.08 | - |
TrendMicro | 9.120.0.1004 | 2010.08.08 | - |
TrendMicro-HouseCall | 9.120.0.1004 | 2010.08.08 | - |
VBA32 | 3.12.12.8 | 2010.08.04 | - |
ViRobot | 2010.7.29.3961 | 2010.08.08 | - |
VirusBuster | 5.0.27.0 | 2010.08.08 | - |
...
Files Added
C:\Program Files\Def Group\PC Defender\uninstall.bat
C:\Program Files\Def Group\PC Defender\proccheck.exe
C:\Program Files\Def Group\PC Defender\rundelay.exe
C:\Program Files\Def Group\PC Defender\prockill64.exe
C:\Program Files\Def Group\PC Defender\prockill32.exe
C:\Program Files\Def Group\PC Defender\pcdef.exe
C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\PC Defender.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\Uninstall.lnk
Registry modification
Values Added
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
PC Defender: "C:\Program Files\Def Group\PC Defender\pcdef.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\AuthorizedCDFPrefix: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\Comments: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\Contact: "Def Group"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\DisplayVersion: "2.0.0"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\HelpLink: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\HelpTelephone: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\InstallDate: "20100809"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\InstallLocation: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\InstallSource: "C:\Documents and Settings\Administrator\Desktop\"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\ModifyPath: "MsiExec.exe /X{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\NoModify: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\Publisher: "Def Group"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\Readme: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\Size: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\EstimatedSize: 0x0000053C
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\UninstallString: "MsiExec.exe /X{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\URLInfoAbout: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\URLUpdateInfo: ""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\VersionMajor: 0x00000002
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\VersionMinor: 0x00000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\WindowsInstaller: 0x00000001
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\Version: 0x02000000
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\Language: 0x00000409
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{456A3B12-8FE6-41AE-9E5C-5E55F0712C09}\DisplayName: "PC Defender"
Value Modified
HKLM\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
------------------------------------------------------------------------
Removal / fix : Fake alert : PC Defender Antivirus
------------------------------------------------------------------------
Method 1 : Manual Delete
1. In Process Explorer, right-click the pcdef.exe process and choose Kill Process Tree.
2. Go to C:\Program Files and delete the folder named Def Group.
3. Use HijackThis to Fix checked this line:
O4 - HKLM\..\Run: [PC Defender] C:\Program Files\Def Group\PC Defender\pcdef.exe
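The PowerShell script below is an added example and is not part of the original post. It checks a host for the artifacts listed in the report above (the dropped files and shortcuts, the Run value, the EnableLUA policy value the installer set to 0, and the Security Center notification values MBAM flagged) and, when run with -Remediate, performs the equivalent of Method 1 plus restoring those values. The paths, value names and MD5 come from the report; the MD5 belongs to the analysed installer, so a match is only expected on that file. It assumes an elevated PowerShell 4 or later prompt (Get-FileHash and -File are not available on the XP-era host in the log).

```powershell
# Added example (not from the original post): detect and optionally remove
# the PC Defender rogue artifacts listed in the report above.
# Run from an elevated PowerShell prompt. Requires PowerShell 4+ (Get-FileHash).
param([switch]$Remediate)

$InstallDir = 'C:\Program Files\Def Group\PC Defender'
$StartMenu  = 'C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender'
$RunKey     = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$RunName    = 'PC Defender'
$PolicyKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system'
$SecCenter  = 'HKLM:\SOFTWARE\Microsoft\Security Center'
$SampleMd5  = '2396047703DB29F8789DF8D1BB91D236'   # MD5 of the analysed installer (from the report)

$findings = @()

# 1. Processes started from the rogue's folder (pcdef.exe and its helpers).
#    Matching on image path rather than name catches the whole set, which is
#    what "Kill Process Tree" in Method 1 is meant to achieve.
$procs = Get-Process | Where-Object { $_.Path -and $_.Path -like "$InstallDir\*" }
if ($procs) { $findings += "processes running from install dir: $(($procs | ForEach-Object { $_.Name }) -join ', ')" }

# 2. Dropped files and Start Menu shortcuts
foreach ($p in @($InstallDir, $StartMenu)) {
    if (Test-Path -LiteralPath $p) { $findings += "path present: $p" }
}

# 3. Persistence: the Run value pointing at pcdef.exe (HijackThis O4 line)
$run = Get-ItemProperty -Path $RunKey -Name $RunName -ErrorAction SilentlyContinue
if ($run) { $findings += "Run value '$RunName' = $($run.$RunName)" }

# 4. Policy tampering: UAC disabled, Security Center alerts silenced
$lua = (Get-ItemProperty -Path $PolicyKey -Name EnableLUA -ErrorAction SilentlyContinue).EnableLUA
if ($lua -eq 0) { $findings += 'EnableLUA = 0 (UAC disabled)' }
$silenced = @()
foreach ($v in 'AntiVirusDisableNotify', 'UpdatesDisableNotify') {
    $val = (Get-ItemProperty -Path $SecCenter -Name $v -ErrorAction SilentlyContinue).$v
    if ($val -eq 1) { $silenced += $v; $findings += "$v = 1 (Security Center alert suppressed)" }
}

# 5. Does any file in the install dir match the analysed sample's MD5?
if (Test-Path -LiteralPath $InstallDir) {
    Get-ChildItem -LiteralPath $InstallDir -File | ForEach-Object {
        $h = (Get-FileHash -LiteralPath $_.FullName -Algorithm MD5).Hash
        if ($h -eq $SampleMd5) { $findings += "MD5 matches analysed sample: $($_.FullName)" }
    }
}

if (-not $findings) { Write-Host 'No PC Defender artifacts found.'; return }
Write-Host 'PC Defender artifacts found:'
$findings | ForEach-Object { Write-Host "  - $_" }
if (-not $Remediate) { Write-Host 'Re-run with -Remediate to clean up.'; return }

# Remediation, in the same order as Method 1: stop processes first so the
# folder can be deleted, then remove persistence, then the files.
if ($procs) { $procs | Stop-Process -Force }
if ($run)   { Remove-ItemProperty -Path $RunKey -Name $RunName }
foreach ($p in @($InstallDir, $StartMenu)) {
    if (Test-Path -LiteralPath $p) { Remove-Item -LiteralPath $p -Recurse -Force }
}
# Restore the values the installer changed (only the ones found modified)
if ($lua -eq 0) { Set-ItemProperty -Path $PolicyKey -Name EnableLUA -Value 1 -Type DWord }
foreach ($v in $silenced) { Set-ItemProperty -Path $SecCenter -Name $v -Value 0 -Type DWord }
Write-Host 'Remediation complete. Reboot so the UAC setting takes effect.'
```

Run it once without the switch to see what is present, then with -Remediate. The detection half is the useful part for anyone checking several machines: the Run value plus EnableLUA = 0 and AntiVirusDisableNotify = 1 together are a strong signal even if the folder has been renamed.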
........................
or
Method 2 : Use Malwarebytes' Anti-Malware to remove it
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4410
Windows 5.1.2600 Service Pack 2
Internet Explorer 8.0.6001.18702
09/08/2553 20:35:14
mbam-log-2010-08-09 (20-35-14).txt
Scan type: Quick scan
Objects scanned: 129610
Time elapsed: 5 minute(s), 33 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 8
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{af4da69b-e1d6-469a-855b-6445294857d4} (Spyware.OnlineGames) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pc defender (Rogue.PCDefender) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> No action taken.
Folders Infected:
C:\Program Files\Def Group\PC Defender (Rogue.PCDefender) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender (Rogue.PCDefender) -> No action taken.
Files Infected:
C:\Program Files\Def Group\PC Defender\pcdef.exe (Rogue.PCDefender) -> No action taken.
C:\Program Files\Def Group\PC Defender\proccheck.exe (Rogue.PCDefender) -> No action taken.
C:\Program Files\Def Group\PC Defender\prockill32.exe (Rogue.PCDefender) -> No action taken.
C:\Program Files\Def Group\PC Defender\prockill64.exe (Rogue.PCDefender) -> No action taken.
C:\Program Files\Def Group\PC Defender\rundelay.exe (Rogue.PCDefender) -> No action taken.
C:\Program Files\Def Group\PC Defender\uninstall.bat (Rogue.PCDefender) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\PC Defender.lnk (Rogue.PCDefender) -> No action taken.
C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\Uninstall.lnk (Rogue.PCDefender) -> No action taken.