1. Symantec/
  2. Security Response/
  3. PCDefender

PCDefender

Updated:
February 19, 2010 11:30:00 AM
Type:
Misleading Application
Name:
PC Defender
Version:
1.0.0.0
Risk Impact:
Medium
Systems Affected:
Windows
Behavior
The program may be manually downloaded and installed from the following location:
[http://]thexxxclick.info/32.h[REMOVED]

The program reports false or exaggerated system security threats on the computer.





Fake Detection Names
The program may falsely report detections of the following threats:





The user is then prompted to pay for a full license of the application in order to remove the threats.





Installation
When the program is executed, it creates the following folders:
  • C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender
  • C:\Program Files\Def Group
  • C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}


It also creates the following files:
  • %ProgramFiles%\Def Group\PC Defender\Antispyware.exe
  • %ProgramFiles%\Def Group\PC Defender\hook.dll
  • %ProgramFiles%\Def Group\PC Defender\proccheck.exe
  • %SystemDrive%\Documents and Settings\All Users\Desktop\PC Defender.lnk
  • %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\PC Defender\PC Defender.lnk
  • %Windir%\Installer\14d256.msi
  • %Windir%\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_96222EB958BE7AE1F3D10F.exe
  • %Windir%\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\_E99A03E2B966DDBBBF0A73.exe


The program may then delete the following file:
%SystemDrive%\Config.Msi

Next, the program modifies the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"Userinit" = "C:\WINDOWS\system32\userinit.exe,"C:\Program Files\Def Group\PC Defender\Antispyware.exe""

The program then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Def Group\PC Defender\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Def Group\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Documents and Settings\All Users\Start Menu\Programs\PC Defender\"" = ""
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\WINDOWS\Installer\{FC2ABC8E-3715-4A32-B8B5-559380F45282}\"" = ""
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSISERVER\0000\Control\"ActiveService" = "MSIServer"
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" = "0x00002001
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"proccheck.exe" = "proccheck"
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Program Files\Def Group\PC Defender\"proccheck.exe" = "proccheck"


Next, the program creates the following registry subkeys:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Features\E8CBA2CF517323A48B5B5539084F2528
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\Products\E8CBA2CF517323A48B5B5539084F2528_
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UpgradeCodes\C73BCE36FA1AA0E45AB2649A3FA0D390
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0C7636129D6C606AC34B4F77B98D933A
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\48F1979EDA9389E44C3097C667211849
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\AA7C3518924A9561AB587A3AED215D82
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E8CBA2CF517323A48B5B5539084F2528
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\E8CBA2CF517323A48B5B5539084F2528
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC2ABC8E-3715-4A32-B8B5-559380F45282}
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_MSISERVER\0000\Control
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_MSISERVER\0000\Control
  • HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
  • HKEY_USERS\.DEFAULT\Software\Def Group
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\00000000000003e7
  • HKEY_USERS\S-1-5-21-1172441840-534431857-1906119351-500\Software\Microsoft\Windows Script
  • HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo
  • HKEY_USERS\S-1-5-18\Software\Def Group


It then deletes the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Config.Msi\"" = ""
Summary| Technical Details| Removal

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube