
Advanced Defender Analysis and Removal

by Shanmuga

Advanced Defender is a fake security program that replaces the desktop background and then uses a flurry of false system messages to scare the user into purchasing the program. To protect itself, this scareware disables the Windows Task Manager, stops the Windows Security Center service (wscsvc) and blocks the execution of many programs. It was also observed dropping many harmless files in the Windows folder, which its own scan then reports as malware.

Rogue security software such as Advanced Defender belongs to a family of products that present themselves as antivirus, antispyware or registry cleaners and often use deceptive or high-pressure sales tactics and deliberate false positives to push users into buying a license or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them install additional malware of their own.

Advanced Defender Aliases

The main executable is named download.exe (1.17 MB) in this instance, and it was detected by 12 of the 41 (29.27%) antivirus engines available at VirusTotal.

This scareware is known by the following aliases:

  • SHeur2.CLNI
  • TrojWare.Win32.Trojan.Agent.Gen
  • Trojan-Downloader:W32/FraudPack.ALIQ
  • W32/FraudPack.ALIQ!tr
  • Trojan.Win32.FraudPack.aliq
  • a variant of Win32/Kryptik.BYA
  • Trojan.Win32.Generic!BT
  • Mal/TDSSPack-Q
  • Cryp_Xed-22

Typical Advanced Defender Scare Messages

General protection you your PC is switched off or absent, so you are exposed to different kinds of threats – viruses, adware, spyware. Let Advanced Defender help you. Enable your protection immediately.

Advanced Defender found 19 infected files on your computer. Click here to delete threats.

Your PC isn’t being protected from spyware, so that unwanted application can steal your private data. Let Advanced Defender help you. Enable protection immediately.

Your web-surfing is now in unprotected mode, so you cannot browse the Web safely. Save your PC from unwanted threats. Let Advanced Defender help you. Enable protection immediately.

Your malware protection software is currently turned of, so that unwanted applications can turn your PC into adware center. Let Advanced Defender help you. Enable protection immediately.

Advanced Defender Associated Files and Folders

  • C:\Program Files\Advanced Defender\advanceddefender.exe
  • C:\Program Files\Advanced Defender\base.wdb
  • C:\Program Files\Advanced Defender\baseadd.wdb
  • C:\Program Files\Advanced Defender\conf.wcf
  • C:\Program Files\Advanced Defender\quarant.wdb
  • C:\Program Files\Advanced Defender\queue.wdb
  • C:\WINDOWS\system32\winscent.exe
  • C:\WINDOWS\certofSystem.exe
  • C:\WINDOWS\Explorers.exe
  • C:\WINDOWS\Microsoftdefend.dll
  • C:\WINDOWS\regp.exe
  • C:\WINDOWS\spoos.exe
  • C:\WINDOWS\Temp\scs1.tmp
  • C:\WINDOWS\Temp\scs2.tmp
  • C:\WINDOWS\Temp\scs3.tmp
  • C:\WINDOWS\Temp\scs4.tmp
  • C:\WINDOWS\Temp\scs5.tmp
  • C:\WINDOWS\Temp\scs6.tmp
  • C:\WINDOWS\Temp\scs7.tmp
  • C:\WINDOWS\Temp\scs8.tmp
  • C:\WINDOWS\tempfile2.bat
  • C:\Documents and Settings\\Desktop\Advanced Defender.LNK
  • C:\Documents and Settings\All Users\Microsoft PData\track.wid
  • C:\Documents and Settings\\My Documents\New Folder\download.php
  • C:\Documents and Settings\\Start Menu\Programs\Advanced Defender\Advanced Defender.lnk
  • C:\Documents and Settings\\Start Menu\Programs\Advanced Defender
  • C:\Program Files\Advanced Defender
  • C:\Program Files\Advanced Defender\q

Some of the file names may be randomly generated.

Advanced Defender Associated Registry Values and Keys

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Defender
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\advanceddefender
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr
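The file, registry and behaviour indicators above can be checked in one pass. The following PowerShell script is an added example, not part of the original post or of any removal tool it mentions: it reports whether the listed paths exist, whether the Run and Uninstall entries are present, whether the DisableTaskMgr policy is set and whether wscsvc is stopped. It only reads; it changes nothing. The path list is taken from the write-up and assumes the default Windows XP layout, and the script names and structure are my own.

```powershell
# Added example (not from the original post): read-only triage for the
# Advanced Defender indicators listed in the article. Reports only.
$findings = @()

# File and folder indicators quoted from the article. The article notes that
# some names may be randomly generated, so absence here is not proof of a clean host.
$paths = @(
    "C:\Program Files\Advanced Defender\advanceddefender.exe",
    "C:\Program Files\Advanced Defender\conf.wcf",
    "C:\WINDOWS\system32\winscent.exe",
    "C:\WINDOWS\certofSystem.exe",
    "C:\WINDOWS\Explorers.exe",
    "C:\WINDOWS\Microsoftdefend.dll",
    "C:\WINDOWS\regp.exe",
    "C:\WINDOWS\spoos.exe",
    "C:\WINDOWS\tempfile2.bat",
    "C:\Documents and Settings\All Users\Microsoft PData\track.wid",
    (Join-Path $env:USERPROFILE "Desktop\Advanced Defender.LNK")
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}
# The scs1.tmp ... scs8.tmp droppings in the Temp folder, matched by pattern.
Get-ChildItem -Path "C:\WINDOWS\Temp\scs*.tmp" -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Temp dropping: $($_.FullName)" }

# Persistence: the Run value named 'advanceddefender' and the Uninstall entry.
$run = Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties["advanceddefender"]) {
    $findings += "Run key persistence: $($run.advanceddefender)"
}
if (Test-Path "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Advanced Defender") {
    $findings += "Uninstall entry for Advanced Defender present"
}

# Behaviour: Task Manager blocked through the per-user policy value.
$pol = Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System" -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += "DisableTaskMgr policy is set (Task Manager blocked)" }

# Behaviour: Windows Security Center service (wscsvc) not running.
$wsc = Get-Service -Name wscsvc -ErrorAction SilentlyContinue
if ($wsc -and $wsc.Status -ne "Running") { $findings += "wscsvc is $($wsc.Status) (Security Center stopped)" }

if ($findings.Count -eq 0) { "No Advanced Defender indicators found." }
else { "Indicators found:"; $findings | ForEach-Object { " - $_" } }
```

Run it from an elevated prompt on the suspect machine; a hit on any line is a reason to proceed with the removal steps below, and a clean result on a host that still shows the scare messages points to renamed files.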

Advanced Defender Associated Domains

This scareware was observed accessing the following domains during installation and operation:

  • goadvdef. com
  • advdefender. com

Note: Visiting the domains mentioned above may harm your computer system.

Advanced Defender Removal (How to remove Advanced Defender)

The free edition of MalwareBytes' Anti-Malware appears to remove the Advanced Defender scareware.

  1. Use an alternate browser such as Firefox or Chrome to download MalwareBytes' Anti-Malware and the CCleaner Slim version, or use a removable drive to transfer them to the affected computer.
  2. Boot into Windows Safe Mode.
  3. Install and run MalwareBytes' Anti-Malware. Go to the Update tab and check for updates. Once the update is completed, open the Scanner tab and choose a full scan. Once the scan is completed, click "Show results", confirm that all instances of the rogue security software are check-marked and then click "Remove Selected" to delete them. If prompted, restart immediately to complete the removal process.
  4. Turn System Restore off and on again.
  5. Install CCleaner Slim version, scan and clean the temporary files.

You should now be clean of this rogue. You may need to reset your desktop background, though.

If you are unable to get rid of this scareware, you may have other malware in addition to Advanced Defender. Please visit one of the recommended forums for malware help and post about your problem.

Advanced Defender Scareware — Screenshots

Advanced Defender Scareware — Video

Note: The Advanced Defender installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing; it might change with time and/or under different testing conditions.
