Internet Defender is a clone of Security Defender. We wrote about it two weeks ago. The graphical user interface and self-defense mechanism haven't changed much. The rogue program uses randomly named files and web browser hijacking to block legitimate security-related websites and malware removal tools. Here are some of the fake security warnings it displays:
Internet Defender
Spyware.IEMonster process is found. The virus is going to send your passwords from Internet browser (Explorer, Mozilla Firefox, Outlook & others) to the third-parties. Click here for further protection of your data with Internet Defender.
Internet Defender Firewall Alert
Suspicious activity in your registry system space was detected. Rogue malware detected in your system. Data leaks and system damage are possible. Please use a deep scan option.
Although it is possible to remove Internet Defender manually, we do not recommend doing so. First of all, it drops randomly named files into the Application Data (Win XP) and ProgramData (Win Vista/7) folders. It could be rather difficult to identify and delete each malicious file from your computer. Secondly, Internet Defender can download additional malware onto your computer. That's why you should definitely scan your computer with anti-malware software. Last, but not least, if you have already purchased this phony security program, you should contact your credit card company and dispute the charges, stating that Internet Defender 2011 is malicious software. If Internet Defender is installed on your computer, you should remove it immediately. Please follow the removal instructions below. If you have any questions or comments for us, please let us know. Good luck and be safe online!
Internet Defender removal instructions (in Safe Mode with Networking):
1. Reboot your computer in "Safe Mode with Networking". As the computer is booting, tap the F8 key continuously, which should bring up the "Windows Advanced Options Menu". Use your arrow keys to move to "Safe Mode with Networking" and press the Enter key.
NOTE: Login as the same user you were previously logged in with in the normal Windows mode.
2. Download the recommended anti-malware software (Spyware Doctor) and run a full system scan to remove this rogue security program from your computer. Don't forget to update the anti-malware software before scanning.
Alternate Internet Defender removal instructions:
1. Download iexplore.exe (NOTE: the iexplore.exe file is a renamed copy of the HijackThis tool from TrendMicro).
Launch iexplore.exe and click the "Do a system scan only" button.
If you can't open the iexplore.exe file, download explorer.scr and run it.
2. Look for entries like these in the scan results (Windows XP):
O4 - HKLM\..\Run: [SET OF RANDOM CHARACTERS] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].avi", DllUnregisterServer
O4 - HKCU\..\Run: [SET OF RANDOM CHARACTERS] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].avi", DllUnregisterServer
O4 - Startup: [SET OF RANDOM CHARACTERS].lnk = C:\WINDOWS\system32\rundll32.exe
Select all similar entries and click once on the "Fix checked" button. Close the HijackThis tool.
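The check in step 2 can also be run over a saved HijackThis log. The script below is an added example, not part of the original instructions or of HijackThis; the function names and the sample log are constructed, and "qkXwzPdm" stands in for the random characters. It flags Run entries where rundll32.exe loads a non-.dll file from Application Data or ProgramData, and Startup shortcuts that point at rundll32.exe.

```python
import ntpath
import re

# Shapes of the HijackThis O4 (autostart) lines listed in step 2 above.
RUN_RE = re.compile(r'^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.+)$')
LNK_RE = re.compile(r'^O4 - (?:Global )?Startup: (.+\.lnk) = (.+)$')
DATA_DIRS = ('\\application data\\', '\\programdata\\')

# Constructed sample log; "qkXwzPdm" stands in for the random name.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [NvCplDaemon] "C:\WINDOWS\system32\rundll32.exe" "C:\WINDOWS\system32\NvCpl.dll",NvStartup
O4 - HKLM\..\Run: [qkXwzPdm] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\qkXwzPdm.avi", DllUnregisterServer
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [qkXwzPdm] "C:\WINDOWS\system32\rundll32.exe" "C:\ProgramData\qkXwzPdm.avi", DllUnregisterServer
O4 - Startup: qkXwzPdm.lnk = C:\WINDOWS\system32\rundll32.exe
'''

def suspicious_o4(line):
    """Return a reason string if the O4 line fits the pattern above, else None."""
    line = line.strip()
    m = RUN_RE.match(line)
    if m:
        paths = re.findall(r'"([^"]+)"', m.group(3))
        # Only commands of the form "rundll32.exe" "<module>" are of interest.
        if len(paths) < 2 or ntpath.basename(paths[0]).lower() != 'rundll32.exe':
            return None
        module = paths[1].lower()
        ext = ntpath.splitext(module)[1]
        if any(d in module for d in DATA_DIRS) and ext != '.dll':
            return f'rundll32 loads a {ext or "no-extension"} file from a shared data folder'
        return None
    m = LNK_RE.match(line)
    # The log does not show shortcut arguments, so this is a review candidate.
    if m and ntpath.basename(m.group(2).strip().strip('"')).lower() == 'rundll32.exe':
        return 'startup shortcut points at rundll32.exe'
    return None

def scan(log_text):
    """Return (entry, reason) pairs for every flagged line in a log."""
    hits = []
    for line in log_text.splitlines():
        reason = suspicious_o4(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits

if __name__ == '__main__':
    for entry, reason in scan(SAMPLE_LOG):
        print(reason, '->', entry)
```

Legitimate rundll32 autostarts that load a .dll from system32, like the NvCplDaemon line in the sample, are not flagged.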
Associated Internet Defender files and registry values:
Files:
Windows XP
- C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS]_.mkv
- C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].avi
- C:\Documents and Settings\All Users\Application Data\[SET OF RANDOM CHARACTERS].ico
- C:\Program Files\Internet Defender
- C:\Program Files\Internet Defender\Internet Defender.dll
- C:\Documents and Settings\[UserName]\Local Settings\Temp\[SET OF RANDOM CHARACTERS].dll
Windows Vista/7
- C:\ProgramData\[SET OF RANDOM CHARACTERS]_.mkv
- C:\ProgramData\[SET OF RANDOM CHARACTERS].avi
- C:\ProgramData\[SET OF RANDOM CHARACTERS].ico
- C:\Program Files\Internet Defender
- C:\Program Files\Internet Defender\Internet Defender.dll
- C:\Users\[UserName]\AppData\Local\Temp\[SET OF RANDOM CHARACTERS].dll
Registry values:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS]"