
Windows Defence Center Removal and Analysis

by Shanmuga

Windows Defence Center uses a fake Microsoft Security Essentials alert to get itself onto victims' computers. Once it has latched on to the system, it blocks the execution of most applications, including administrative tools such as the command prompt, Registry Editor and Task Manager. It borrows the names of legitimate running processes to make its fake security alerts look credible. Windows Defence Center manages to run even in Windows Safe Mode, which makes it difficult to remove. It also stops and disables Windows Defender, Microsoft Security Essentials and System Restore.

Scareware like Windows Defence Center is commonly installed when users are redirected to fake online scanner pages or fake 'video codec required' pages, which cyber criminals distribute throughout the Web using blackhat SEO techniques, spam and malicious Flash advertisements.


Windows Defence Center Removal (How to remove Windows Defence Center)

SuperAntiSpyware FREE version was able to remove this infection.

If you have access to another user account or the Administrator account:

  1. Log on to your computer with a different user account.
  2. Download the SuperAntiSpyware FREE version. If the infected machine cannot download it, download it on a clean computer and copy it to a removable drive such as a CD, DVD or USB flash drive.
  3. Double-click SUPERAntiSpyware.exe to start the installation and follow the prompts. If you have an internet connection, click Yes when asked to check for the latest updates; otherwise click No.
  4. Once the update and installation are complete, launch SuperAntiSpyware and click Scan your Computer. Select the drives to be checked under Scan Location, then select Perform Complete Scan. Click Next to start scanning.
  5. When the scan is completed, review the scan summary. Click OK and then Next to remove the detected items. If prompted restart immediately to complete the removal process.
  6. Turn System Restore off and on.

You should now be clean of this rogue.

If you do not have access to another user account or the Administrator account:

  1. Download the SUPERAntiSpyware Free Portable Scanner. If the infected machine cannot download it, download it on a clean computer and copy it to a removable drive such as a CD, DVD or USB flash drive.
  2. Double-click the downloaded scanner to start it. Note that the scanner is saved under a random file name so that existing malware infections cannot block it by name.
  3. Click Scan your Computer. Select the drives to be checked in Scan Location and then select Perform complete Scan. Click Next to start scanning.
  4. When the scan is completed, review the scan summary. Click OK and then Next to remove the detected items. If prompted restart immediately to complete the removal process.

Windows Defence Center Analysis

Windows Defence Center drops a randomly named malicious file in the %AppData% folder and hijacks the Windows shell by pointing the Winlogon Shell registry value at that file, so the rogue starts in place of Explorer at logon:

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Documents and Settings\malwarehelp.org\Application Data\cqtuko.exe

It uses the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options key in the Windows Registry to disable many security applications. A Debugger value under this key tells Windows to launch the named "debugger" instead of the application whenever that application's executable is started, which allows execution of one program to be redirected to another.

In this case the security applications' executables are mapped to svchost.exe, a Windows system file. For example, when you click the avast antivirus icon to start it, svchost.exe starts instead; since svchost.exe has no GUI window, you see nothing, and avast antivirus never runs.
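The two persistence and self-defence techniques described above (the Winlogon Shell hijack and the Image File Execution Options Debugger redirection), together with the System Restore kill switch listed later in this article, can all be checked offline from a registry export. The following is an added example written for this page, not code from the original article or from SuperAntiSpyware: it parses the `.reg` text that `reg export` produces and flags the three indicators. The sample export embedded in it is constructed to mirror the article's findings (the `notepad.exe` entry is a made-up benign IFEO entry included to show that not every Debugger value is malicious), and the severity labels are this example's own.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity key name data reason")

# Constructed sample: what a `reg export` of the relevant keys looks like on an
# infected machine. Values are modelled on the article's findings; this is not
# a real export. The notepad.exe entry is a benign, made-up IFEO Debugger entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\malwarehelp.org\\Application Data\\cqtuko.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTUI.EXE]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSSECES.EXE]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\Windows\\system32\\vsjitdebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
"""

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VAL_RE = re.compile(r'^"([^"]+)"=(.*)$')

# What a clean Windows profile carries in Winlogon\Shell
EXPECTED_SHELL = "explorer.exe"
# Debugger targets that are never a real debugger; the rogue uses svchost.exe
KNOWN_BAD_DEBUGGERS = {"svchost.exe"}


def _unescape(s):
    # .reg string data escapes backslashes and double quotes
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: [key] headers followed
    by "name"="string" or "name"=dword:hex lines. Returns {key: {name: data}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                keys[current][name] = _unescape(data[1:-1])
            elif data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                keys[current][name] = data  # other value types kept raw
    return keys


def audit_reg_export(text):
    """Return Findings for a hijacked Winlogon Shell, IFEO Debugger
    redirections, and System Restore being disabled."""
    findings = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith("\\winlogon") and "Shell" in values:
            shell = values["Shell"]
            if shell.lower() != EXPECTED_SHELL:
                findings.append(Finding("high", key, "Shell", shell,
                    "Winlogon Shell replaced; this program runs instead of explorer.exe at logon"))
        if "\\image file execution options\\" in k and "Debugger" in values:
            dbg = values["Debugger"]
            target = dbg.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            image = key.rsplit("\\", 1)[-1]
            if target in KNOWN_BAD_DEBUGGERS:
                findings.append(Finding("high", key, "Debugger", dbg,
                    f"{image} is redirected to {target}; the application will silently fail to start"))
            else:
                findings.append(Finding("review", key, "Debugger", dbg,
                    f"{image} has an IFEO Debugger set; confirm it is a debugger you installed"))
        if k.endswith("\\systemrestore") and values.get("DisableSR") == 1:
            findings.append(Finding("medium", key, "DisableSR", 1,
                "System Restore is disabled by the DisableSR value"))
    return findings


if __name__ == "__main__":
    for f in audit_reg_export(SAMPLE_REG):
        print(f"[{f.severity}] {f.key}\\{f.name} = {f.data!r}: {f.reason}")
```

On a real machine the input comes from `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg` (and likewise for the Winlogon and SystemRestore keys); `reg export` writes UTF-16LE text, so open the file with `encoding="utf-16"` before passing it to `audit_reg_export`. Treat a `review` finding as a prompt to verify, not as an infection: developer tools such as the Visual Studio just-in-time debugger legitimately register themselves under IFEO.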

Rogue security software such as Windows Defence Center belongs to a family of products that call themselves antivirus, antispyware or registry cleaners and use deceptive or high-pressure sales tactics and deliberate false positives to convince users to buy a licence or subscription. They are frequently repackaged and renamed. They do not actually remove malware; many of them add more malware of their own. They need to be removed from your system immediately.

The trojan dropper was about 231KB in size and was protected by a packer (ASProtect) to hinder reverse engineering. It was detected by 10/42 (23.8%) of the virus engines available at VirusTotal.

This scareware is identified as:

  • Trojan.Generic.KD.150917
  • PUA.Packed.ASPack
  • Trojan.Win32.FakeAV.bfwy
  • a variant of Win32/Adware.PrivacyGuard2010.AR
  • Mal/FakeAV-IO
  • Trojan.Agent/Gen-FakeAlert
  • Trojan.Win32.Generic.pak!cobra

Typical Windows Defence Center Scare Messages

Microsoft Security Essentials Alert. Potential Threat Details. Microsoft Security Essentials detected potential threats that might compromise your private or damage your computer. Your access to these items may be suspended until you take an action. Click ‘show details’ to learn more.

Threat prevention solution found. Security system analysis has revealed critical file system vulnerability caused by severe malware attacks.
Risk of system files infection:
The detected vulnerability may result in unauthorized access to private information and hard drive data with a seriuos possibility of irreversible data loss and unstable PC performance. To remove the malware please run a full system scan. Press ‘OK’ to install the software necessary to initiate system files check. To complete the installation process please reboot your computer.

Users should not fall for these false alerts of system infection and buy the scareware to 'clean' the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

  • Immediately contact the bank that issued the card and dispute the charges.
  • Ask the bank to block any further transactions on the card and cancel it. You may also ask for a replacement card with a different number.

Windows Defence Center Associated Files and Folders

C:\Documents and Settings\malwarehelp.org\Application Data\cqtuko.exe

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Windows Defence Center Associated Registry Values and Keys

HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Documents and Settings\malwarehelp.org\Application Data\cqtuko.exe

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AFWSERV.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AFWSERV.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTSVC.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTSVC.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTUI.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVASTUI.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGUI.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EGUI.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EKRN.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCUI.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCUI.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSMPENG.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSMPENG.EXE#Debugger
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSSECES.EXE
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSSECES.EXE#Debugger

HKLM\software\microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR=01000000

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

Windows Defence Center Associated Domains

This scareware was observed accessing the following domains during installation and operation:

soft-store-inc.com
78.26.187.134

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Windows Defence Center Scareware — Screenshots

Windows Defence Center Scareware — Video

Note: The Windows Defence Center installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.
