WinPC Defender

bitznpcz

I have got a variant of the fake Anti-Virus programs called WinPC Defender. This one seems a lot more sophisticated than the others and installs several rootkits.

Malwarebytes and Combofix are detected by the program and you cannot install them. However, there is a workaround - rename the installation files to something else!

These things are getting harder to remove and very time consuming...

Noticed the husband has been clicking on porn links - do I tell the wife?? ;)
 

Attachment: rootkits.jpg (34.5 KB)
I had a similar example to that last week, a bit of a pain to remove as little would run, including GMER, although I managed to kill the rootkit with IceSword. BTW there's only one actual rootkit in the above screendump and that's the one buried in the drivers folder.

One thing I've found with many rootkits is that although they will try to stop GMER from running, you can often get around this by having a zipped copy of GMER on your memory stick/toolkit CD and running from within the zip archive. :)
 
I remember once when I was just starting a friend of mine asked me to take a look over his computer. If I spent 1 hour on his PC he spent 1 hour asking me to remove traces of porn sites he visits at night so that his wife wouldn't discover haha
 
> I had a similar example to that last week, a bit of a pain to remove as little would run, including GMER, although I managed to kill the rootkit with IceSword. BTW there's only one actual rootkit in the above screendump and that's the one buried in the drivers folder.
>
> One thing I've found with many rootkits is that although they will try to stop GMER from running, you can often get around this by having a zipped copy of GMER on your memory stick/toolkit CD and running from within the zip archive. :)

I have only tried GMER a couple of times - can anyone explain how to interpret the output? In the Rootkit/Malware tab there are always hundreds of things listed - how do you know what is a rootkit? Does it show you in red as shown on the GMER website?
 
My nephew had the WinPC defender and others. It was very, very nasty.

The admin user lost admin rights even though the account was in the admin group.
They could not install new apps.
Could not run apps already installed.
Renaming apps helped for only one app.
Booting into safe mode did not allow ANYTHING to work.

After 30 minutes I just re-installed. (The one day that I didn't have my USB toolkit.)
It was also to teach him a lesson about going to "porn" sites.

I never thought about running stuff from within a zip file. I will have to try it.
Thank you for bringing up GMER I never heard of it. I have used IceSword though.
 
> I have only tried GMER a couple of times - can anyone explain how to interpret the output? In the Rootkit/Malware tab there are always hundreds of things listed - how do you know what is a rootkit? Does it show you in red as shown on the GMER website?
It should do, but I've seen rootkits that haven't shown up in red.

If you're unsure about using GMER standalone don't forget it is the core component of Combofix, so analysing the output logs from Combofix from an infected machine can give you a good guide of where these puppies lurk and how they work.

A good introduction to rootkits and using software such as GMER, DarkSpy, etc. is "the Dummies Guide to Rootkits". For more advanced stuff the book "Rootkits: Subverting the Windows Kernel" is an excellent read. Although ultimately, the best way to learn is to get your hands dirty and get stuck in.
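The question above about telling a rootkit apart from the hundreds of entries a scanner lists comes down to cross-view comparison: the scanner reads the same thing two ways (a high-level API that a rootkit may have hooked, and a lower-level view it usually has not) and flags whatever disagrees. The script below is an added illustration of that idea, not code from this thread or from GMER; the file listings, the service-table addresses and the module address ranges are constructed sample data, and the driver name is a placeholder.

```python
"""Cross-view rootkit triage (illustration only, constructed data).

Two checks that rootkit scanners rely on:
  1. Hidden files: entries present in a raw directory walk but missing
     from what the hooked high-level file API reports.
  2. Hooked service-table entries: kernel function pointers that no
     longer land inside the kernel image but inside some other module.
"""
from typing import Dict, List, Tuple

# --- Constructed sample data (not from a real machine) -----------------

# What a hooked FindFirstFile-style API claims is in the drivers folder.
API_VIEW = {
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
}

# What a raw, filesystem-level walk of the same folder reports.
RAW_VIEW = {
    r"C:\WINDOWS\system32\drivers\tcpip.sys",
    r"C:\WINDOWS\system32\drivers\ntfs.sys",
    r"C:\WINDOWS\system32\drivers\example_hidden.sys",  # placeholder name
}

# Loaded modules with constructed [start, end) address ranges.
MODULE_RANGES: Dict[str, Tuple[int, int]] = {
    "ntoskrnl.exe": (0x804D7000, 0x806EC000),
    "example_hidden.sys": (0xF7A10000, 0xF7A20000),  # placeholder driver
}

# Constructed system service table: function name -> handler address.
SERVICE_TABLE: Dict[str, int] = {
    "NtCreateFile": 0x8057E1D1,          # inside ntoskrnl.exe: normal
    "NtQueryDirectoryFile": 0x805B5A7A,  # inside ntoskrnl.exe: normal
    "NtOpenProcess": 0xF7A12345,         # inside the placeholder driver
}


# --- Check 1: hidden files via cross-view diff ------------------------

def hidden_entries(api_view: set, raw_view: set) -> List[str]:
    """Return paths the raw view sees but the high-level API does not."""
    return sorted(raw_view - api_view)


# --- Check 2: service-table hooks via address ownership ---------------

def owning_module(addr: int, ranges: Dict[str, Tuple[int, int]]) -> str:
    """Name of the module whose range contains addr, or 'unknown'."""
    for name, (start, end) in ranges.items():
        if start <= addr < end:
            return name
    return "unknown"


def hooked_entries(table: Dict[str, int],
                   ranges: Dict[str, Tuple[int, int]],
                   kernel: str = "ntoskrnl.exe") -> List[Tuple[str, str]]:
    """Return (function, module) pairs whose handler is outside the kernel."""
    flagged = []
    for func, addr in table.items():
        owner = owning_module(addr, ranges)
        if owner != kernel:
            flagged.append((func, owner))
    return flagged


def triage() -> Dict[str, list]:
    """Run both checks over the sample data and return the findings."""
    return {
        "hidden_files": hidden_entries(API_VIEW, RAW_VIEW),
        "hooked_services": hooked_entries(SERVICE_TABLE, MODULE_RANGES),
    }


if __name__ == "__main__":
    for kind, items in triage().items():
        print(kind)
        for item in items:
            print("   ", item)
```

On real output the same logic applies: an entry only becomes interesting when two views of the system disagree, which is why a driver that appears in a raw listing but not in Explorer, or a kernel function whose handler sits inside an unknown driver, deserves attention while the hundreds of ordinary entries do not.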
 
You should have been able to identify a rootkit infection within thirty minutes, getting rid of them can take some patience though.

Oh trust me I don't let those things bother me. In this case it was my nephew and I did not have with me my tiny USB that I carry in my wallet.
Since my nephew got it by going to porn sites and because I was not there for PC work I took the easy route, also to teach him a lesson.

My first re-install was this lady who took her work laptop home. She let her son go to any websites and download anything on her work PC.
Here is the funny part. I got a ticket to work on her PC. I get there and I see nasty super XXX pop-up ads of all kinds. What made this funny was that it is usually a guy who gets those, but this one was a lady. All the apps were closed but those things would just bombard the screen.
My boss made me re-install it.
 