Thursday, July 15, 2010

Remove Defense Center: nxourwwtssd.exe?!

How to remove the fake Defense Center antivirus.

Which Defense Center is the fake one?
[Screenshot: the fake Defense Center window]

(You can see the unblinking eye asking for your money...) ;-P

It was two days ago that I first read about Defense Center on the Avast Blog: Defense center and a piece of luck, and thought, who will be fooled by such fake software? Nobody will install such a thing. I already use a good AV, why bother installing another fake one?

But, to my dismay, one of the computers where I work is infected with this so-called Defense Center. When I opened the computer's recent documents, I found multiple porn .3gp files and some horny images. What tha...
>:-(

What happens when Defense Center is inside our computer?
Most notable are these three signs:
  • our current antivirus is not running/disabled
  • Task Manager is disabled
  • a foreign icon exists in our system tray (next to the clock)
A brief autopsy shows that Defense Center has already:
  • disabled the 'Run' command in the Start menu
  • prevented us from launching any software from the desktop
    • running the .exe from Program Files also fails
  • blocked our access to Windows accessories, e.g. MS Paint, Command Prompt, etc.
  • blocked other Windows system tools (e.g. regedit)
  • 'scanned' our system and repeatedly shown pop-ups or fake security alerts claiming that our computer is badly infected with viruses and trojans, blah blah blah
  • completely disabled my Avira 10 and GVR.exe from launching, grrrr..

So, how can we remove Defense Center?
I found two ways of removing it, either by:
  • using software, e.g. Malwarebytes' Anti-Malware (MBAM)
  • manual removal: deleting the files and modifying the registry entries by hand
    • refer to 2-Spyware.com: Remove Defense Center. Description and removal instructions.

Back to the infected computer, what I did was..
  • restart my computer again
  • press F8 repeatedly (going into Safe Mode)
  • GVR.exe (kill all processes), everything (just to make sure only legitimate Windows processes are running)
  • uninstall the fake AV from my computer.. Ay? Nothing unusual???
    • my startup has something funny.. "bkcgwysg" and "nxourwwtssd.exe"??
  • delete it.
  • go to C:\Documents and Settings\[windows profile]\Local Settings\Application Data\
    • search for that "xawtmrviv" folder, delete it
  • check other areas for similar and other foreign folders
  • scan it with the AV and GVR.exe
  • restart again
  • check from Autoruns.exe
    • delete
    • search other areas and folders
    • scan the whole computer with the AV again.

And finally, no more fake rogue dumb AV nagging again. :-)
But I wonder, do I need to scan with MBAM again?? Just wait and see.. ;-(
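To make the startup-entry check from the steps above repeatable, here is an added PowerShell example (not code from the original post) that lists the usual Run/RunOnce registry entries and flags the ones that look like "bkcgwysg" / "nxourwwtssd.exe": a random-looking name, or a program launched from the per-user Local Settings\Application Data folder. The name heuristic and the choice of registry keys are my own assumptions, and it only reports, it deletes nothing.

```powershell
# Added example, not from the original post: list the usual autorun registry
# entries and flag ones that look like the rogue's "bkcgwysg" /
# "nxourwwtssd.exe": a random-looking name, or a program launched from the
# per-user Local Settings\Application Data folder. Output is for review only.
# Assumes PowerShell 2.0 or later on the affected machine.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# "Local Settings\Application Data" on XP, "AppData\Local" on later Windows.
$localAppData = [Environment]::GetFolderPath('LocalApplicationData')

function Test-RandomLookingName([string]$name) {
    # Heuristic only: 7+ lowercase letters containing a run of 4+ non-vowels,
    # as in "nxourwwtssd" or "xawtmrviv". Expect a few false positives.
    $base = [IO.Path]::GetFileNameWithoutExtension($name)
    return ($base -cmatch '^[a-z]{7,}$') -and ($base -match '[^aeiou]{4}')
}

function Get-ExePath([string]$command) {
    # Pull the program path out of a Run value such as "C:\x\y.exe" /arg
    if ($command -match '^"([^"]+)"') { return $matches[1] }
    return ($command -split '\s+')[0]
}

function Test-SuspiciousEntry([string]$name, [string]$command) {
    $exe = Get-ExePath $command
    $reasons = @()
    if (Test-RandomLookingName $name) { $reasons += 'random-looking entry name' }
    if (Test-RandomLookingName ([IO.Path]::GetFileName($exe))) { $reasons += 'random-looking exe name' }
    if ($localAppData -and $exe.StartsWith($localAppData, [StringComparison]::OrdinalIgnoreCase)) {
        $reasons += 'runs from Local Settings\Application Data'
    }
    return ($reasons -join '; ')
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip the registry provider's PS* metadata
        $why = Test-SuspiciousEntry $p.Name ([string]$p.Value)
        if ($why) { "{0}\{1} -> {2}  [{3}]" -f $key, $p.Name, $p.Value, $why }
    }
}
```

Anything it prints still needs a human look (and a check in Autoruns.exe) before deleting, since a legitimate program with an odd name can trip the same heuristic.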


OoiGi.blog: "I'm not so sure.. Need to learn more.."