Update (4:15 PM EDT): We received an email from our reader Colin saying that his laptop has just got infected with a virus called Advanced PC Shield 2012. The following files have been contributed by our reader:
- C:\Documents and Settings\Colin\Start Menu\Programs\Advanced PC Shield 2012\Buy Advanced PC Shield 2012.lnk
- C:\Documents and Settings\Colin\Start Menu\Programs\Advanced PC Shield 2012\Launch Advanced PC Shield 2012.lnk
- C:\Documents and Settings\Colin\Desktop\Buy Advanced PC Shield 2012.lnk
- C:\Documents and Settings\Colin\Local Settings\Application Data\gr5291f5w5071a02.exe
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "gr5291f5w5071a02.exe"
Update (4:23 PM EDT):
Virustotal.com results: 2 /42
MD5: 4182cf81203e73ef44e642214b04d712
http://www.virustotal.com/file-scan/report.html?id=06b773f3a121851b9919e905b925721c2b2189372f407085aec611727f18e2a0-1317223457
Update (7:56 PM EDT):
Advanced PC Shield 2012 displays the following fake security alerts:
Severe system damage!
Spyware and viruses detected in the background. Sensitive system components under attack! Data loss, identity theft and system corruption are possible.
Act now, click here for a free security scan.
Tracking software found!
Your PC activity is being monitor. Possible spyware infection. Your data security may be compromised. Sensitive data can be stolen.
Prevent damage now by completing a security scan.
This scarware reports the same infections on different computers. It doesn't actually scan your computer. Advanced PC Shield 2012 reports the following infections:
- Java.Trojan.Downloader.OpenConnection
- Trojan.Spy.ZBot
- Worm.P2P.Pron
- Exploit.CplLnk.Gen
- Win32.Worm.Prolaco
- Trojan.Android.Geinimi
- Backdoor.Destroy
- AprNet-Worm.Win32.Kolab
- Win32.Worm.Stuxnet
- Trojan.MSIL.Agent
- Trojan.Win32.Agent
- Trojan.Spy.Ursnif
- Win32.Ramnit
- Java.Backdoor.ReverseBackdoor
- Backdoor.Bifrose
- Backdoor.Win32.Rbot
- AprWorm.Win32.Agent
- Trojan.Win32.Qhost
- wscui_class
Cyber crooks offer online support too. You can leave a ticket at advancedpc.coguar-systems-support.info. There's a great chance that they will actually help you, however, any any payment-related questions are usually ignored.
Although, Advanced PC Shield 2012 doesn't block malware removal tools, at least the current version, you can still activate it manually and make the removal procedure easier in case you got more aggressive version of this fake anti-virus product. Just click on Registration and select Manual Activation. Then use the following code: 8945315-6548431
However, the biggest problem is that Advanced PC Shield 2012 drops a rootkit (Trojan:WinNT/Necurs) that blogs legitimate anti-virus programs and makes it difficult to remove the infection from the computer. Hopefully, you can use TDSSKiller to remove rootkits from your computer. Otherwise, you'll have to use Combofix. For more information, please follow the removal instructions below.
Advanced PC Shield 2012 removal instructions:
1. Download ComboFix from one of the following URL: http://www.bleepingcomputer.com/download/anti-virus/combofix
2. Temporarily disable your anti-virus and anti-spyware programs as they may may interfere with Combofix.
3. Double-click on the ComboFix to run the utility. Please read the disclaimer and if you agree, click on the I Agree button.
4. ComboFix is now preparing to run. It may take a few moments. ComboFix will create a System Restore and prompt you to install Microsoft Windows Recovery Console. Please click on the Yes button to continue.
5. Please follow the directions given by ComboFix in order to finish the installation of the Microsoft Windows Recovery Console. Once finished, click on the Yes button to scan your computer for malware.
6. ComboFix will now start scanning your computer for malicious software. This may take up to ten minutes.
7. When ComboFix has finished, it may automatically reboot your computer. Don't worry, that's OK. Just don't reboot your computer manually. After a reboot it will show a log file. Advanced PC Shield 2012 should be gone from your computer.
8. Download free anti-malware software from the list below and run a full system scan to remove the remains.
NOTE: with all of these tools, if running Windows 7 or Vista they MUST be run as administrator. Launch the program and follow the prompts. Don't forget to update the installed program before scanning.
Associated Advanced PC Shield 2012 files and registry values:
Files:
Windows XP:
- %WINDIR%\SYSTEM32\drivers\[SET OF RANDOM CHARACTERS].sys
- %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Buy Advanced PC Shield 2012.lnk
- %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe
- %UserProfile%\Desktop\Buy Advanced PC Shield 2012.lnk
- %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Launch Advanced PC Shield 2012.lnk
%UserProfile% refers to: C:\Documents and Settings\[User Name]
Windows Vista/7:
- %WINDIR%\SYSTEM32\drivers\[SET OF RANDOM CHARACTERS].sys
- %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Buy Advanced PC Shield 2012.lnk
- %UserProfile%\Local Settings\Application Data\[SET OF RANDOM CHARACTERS].exe
- %UserProfile%\Desktop\Buy Advanced PC Shield 2012.lnk
- %UserProfile%\Start Menu\Programs\Advanced PC Shield 2012\Launch Advanced PC Shield 2012.lnk
%UserProfile% refers to: C:\Users\[User Name]
Registry values:
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[SET OF RANDOM CHARACTERS]
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 "*" = '1'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges\Range1 ":Range" = '127.0.0.1'
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "[SET OF RANDOM CHARACTERS].exe"
No comments:
Post a Comment