Friday, December 21, 2012

Virus Alert - Win 7 Defender

I just found out today about a new piece of scareware going around called Win 7 Defender. It is a rogue anti-virus program: it is designed to look like a legitimate security product but only ever produces false security warnings. It spreads through web pages that claim you must install a program before you can watch an online video, and once installed it changes the .exe file association so that every program you try to launch is routed through the Win 7 Defender interface instead of starting normally.
Once installed it pretends to scan your machine and presents you with a long list of fake infections. If you try to remove them it tells you that you must purchase the program before it will clean anything. Under NO circumstances should you do so! This program was created for one reason: to scare you into believing you are infected so that you will pay for it.

Removal Process:
  1. From a clean computer download Rkill. Save it to a thumb drive so you can copy it to the infected computer.
  2. Restart the infected computer in Safe Mode with Networking. You do this by tapping the F8 key during start-up, as soon as anything appears on the screen, and choosing Safe Mode with Networking from the boot menu.
  3. Once the computer has booted, plug in the flash drive and run Rkill. This terminates the Win 7 Defender process so you can safely remove it. Because the infection hijacks the .exe file association, a copy named rkill.exe may be intercepted; Rkill is also distributed under other names and extensions (such as .com and .scr) for exactly this reason, so use one of those if the .exe will not start.
  4. Now download and install Malwarebytes Anti-Malware (if you do not already have it).
  5. Once installed it will run automatically and offer to scan your PC. Make sure you run a FULL scan.
  6. When the scan completes you will be asked to view the results. Click OK.
  7. You will be taken to a screen that shows all the infected files. Check all of them and click Remove Selected.
  8. Close Malwarebytes and restart your PC in normal mode. The infection should be gone; confirm by launching any ordinary program (Notepad, for example) and checking that it opens directly rather than through a Win 7 Defender window.
My advice is to be careful about the links you click, especially in suspicious emails. Delete them and be safe, not sorry!
Additional Information:
Associated Win 7 Defender Files
  • %AllUsersProfile%\Desktop\Win 7 Defender.lnk
  • %CommonAppData%\pcdfdata\
  • %CommonAppData%\pcdfdata\<random>.exe
  • %CommonAppData%\pcdfdata\app.ico
  • %CommonAppData%\pcdfdata\config.bin
  • %CommonAppData%\pcdfdata\defs.bin
  • %CommonAppData%\pcdfdata\support.ico
  • %CommonAppData%\pcdfdata\uninst.ico
  • %CommonAppData%\pcdfdata\vl.bin
  • %CommonStartMenu%\Programs\Win 7 Defender\
  • %CommonStartMenu%\Programs\Win 7 Defender\Remove Win 7 Defender.lnk
  • %CommonStartMenu%\Programs\Win 7 Defender\Win 7 Defender Help and Support.lnk
  • %CommonStartMenu%\Programs\Win 7 Defender\Win 7 Defender.lnk
File Location Notes:
  • %AllUsersProfile% refers to the All Users profile folder. By default this is C:\Documents and Settings\All Users on Windows 2000/XP and C:\ProgramData\ on Windows Vista/7.
  • %CommonAppData% refers to the Application Data folder of the All Users profile. By default this is C:\Documents and Settings\All Users\Application Data\ on Windows NT/2000/XP/2003 and C:\ProgramData\ on Windows Vista/7.
  • %CommonStartMenu% refers to the Start Menu for All Users; any program or file placed there appears in the Start Menu of every user account on the computer. On Windows NT/2000/XP/2003 it is C:\Documents and Settings\All Users\Start Menu\, and on Windows Vista/7/8 it is C:\ProgramData\Microsoft\Windows\Start Menu\.
Affected Registry Settings:
  • HKEY_CLASSES_ROOT\.exe "(Default)" = "<random>"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcdfdata
  • HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command "(Default)" = "%CommonAppData%\pcdfdata\<random>.exe" /ex "%1" %*
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "pcdfsvc" = "%CommonAppData%\pcdfdata\<random>.exe /min"
The third entry is the one that breaks every program launch: HKEY_CLASSES_ROOT is a merged view in which HKEY_CURRENT_USER\Software\Classes overrides HKEY_LOCAL_MACHINE\SOFTWARE\Classes, so this per-user .exe key routes each .exe you start through the rogue program. On a clean Windows 7 machine there is no per-user .exe key, HKEY_CLASSES_ROOT\.exe "(Default)" is "exefile", and HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)" is "%1" %*.
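As an added example (not part of the original post, and not a tool from the Win 7 Defender write-up it draws on), here is a PowerShell script that walks the file and registry indicators listed above and, when run with -Remediate, undoes them in the same order the removal steps use: kill the process, then repair the .exe association, then remove the Run entry, uninstall key and files. The directory name pcdfdata and the Run value pcdfsvc come from the indicator list on this page; every other path is a standard Windows 7 location. It assumes an elevated PowerShell prompt (PowerShell 2.0 or later), ideally in Safe Mode.

```powershell
# Win7Defender-Check.ps1 -- added example, not the original post's own code.
# Without -Remediate it only reports; with -Remediate it also cleans up.
# "pcdfdata" / "pcdfsvc" are the indicators named on this page; all other
# paths are the standard Windows 7 locations behind %CommonAppData%.
param([switch]$Remediate)

$ErrorActionPreference = 'Stop'
$programData = $env:ProgramData                    # %CommonAppData% on Vista/7
$rogueDir    = Join-Path $programData 'pcdfdata'
$hits        = @()

# --- 1. Running process: anything executing out of the rogue directory -----
# Win32_Process gives a null ExecutablePath for processes we cannot inspect
# instead of throwing, which keeps this safe under ErrorActionPreference=Stop.
$rogueProcs = Get-WmiObject Win32_Process |
    Where-Object { $_.ExecutablePath -and $_.ExecutablePath -like "$rogueDir\*" }
foreach ($p in $rogueProcs) {
    $hits += "process $($p.ProcessId) $($p.ExecutablePath)"
    if ($Remediate) { Stop-Process -Id $p.ProcessId -Force }   # what Rkill does
}

# --- 2. Per-user .exe class: this is the hijack ----------------------------
# HKCR is a merged view; HKCU\Software\Classes wins over HKLM\SOFTWARE\Classes,
# so a per-user .exe key silently redirects every program launch.
$userExe = 'HKCU:\Software\Classes\.exe'
if (Test-Path $userExe) {
    $cmdKey = Join-Path $userExe 'shell\open\command'
    $cmd = if (Test-Path $cmdKey) { (Get-ItemProperty $cmdKey).'(default)' } else { '' }
    $hits += "per-user .exe override (suspicious on any machine): $cmd"
    # Deleting the override lets the HKLM default (exefile) apply again.
    if ($Remediate -and $cmd -match 'pcdfdata') { Remove-Item $userExe -Recurse -Force }
}

# --- 3. Machine-wide .exe class must map back to exefile / "%1" %* --------
$machineExe = 'HKLM:\SOFTWARE\Classes\.exe'
$progId = (Get-ItemProperty $machineExe).'(default)'
if ($progId -ne 'exefile') {
    $hits += "HKLM .exe ProgID is '$progId', expected 'exefile'"
    if ($Remediate) { Set-ItemProperty $machineExe -Name '(default)' -Value 'exefile' }
}
$exefileKey = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command'
$exefileCmd = (Get-ItemProperty $exefileKey).'(default)'
if ($exefileCmd -ne '"%1" %*') {
    $hits += "exefile open command is $exefileCmd, expected `"%1`" %*"
    if ($Remediate) { Set-ItemProperty $exefileKey -Name '(default)' -Value '"%1" %*' }
}

# --- 4. Persistence (Run value) and the fake uninstall entry ---------------
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty $runKey -Name 'pcdfsvc' -ErrorAction SilentlyContinue
if ($run) {
    $hits += "Run value pcdfsvc = $($run.pcdfsvc)"
    if ($Remediate) { Remove-ItemProperty $runKey -Name 'pcdfsvc' }
}
$uninst = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcdfdata'
if (Test-Path $uninst) {
    $hits += "uninstall key $uninst"
    if ($Remediate) { Remove-Item $uninst -Recurse -Force }
}

# --- 5. Files and shortcuts from the indicator list ------------------------
$paths = @(
    $rogueDir,
    (Join-Path $programData 'Desktop\Win 7 Defender.lnk'),
    (Join-Path $programData 'Microsoft\Windows\Start Menu\Programs\Win 7 Defender')
)
foreach ($path in $paths) {
    if (Test-Path $path) {
        $hits += "file $path"
        if ($Remediate) { Remove-Item $path -Recurse -Force }
    }
}

if ($hits.Count -eq 0) { 'No Win 7 Defender indicators found.' }
else { $hits | ForEach-Object { "FOUND: $_" } }
```

Run it once with no switches to see what it finds, then with -Remediate to clean up. The process is stopped first on purpose: while the rogue is running it re-creates its registry values, so repairing the .exe association before killing it does not stick. If powershell.exe itself will not start because the hijacked association intercepts it, run Rkill first as in step 3 above and then come back to the script. The machine-wide exefile checks go beyond the indicator list on this page; they are the values the hijack normally leaves alone, and confirming them tells you the association chain is fully intact after cleanup.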

More to come!
