
    Remove System Defender

    This is a fake-AV type of malware that scares the user into purchasing an "Activation Code" to "remove" the infections. It also tries to look like Windows Defender, as part of fooling the user into thinking that it is a legitimate application.

    Screenshots: (images not reproduced in this copy)
    Startup Method:
    System Defender starts itself by using a loader that pretends to be a .avi file.
    Code:
    HKCU\..\Run: [random] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\[random].avi", DllUnregisterServer 
    
    Example:
    O4 - HKCU\..\Run: [4ce2f71a-66e4-41ab-babb-4df7399bbe94_39] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\4ce2f71a-66e4-41ab-babb-4df7399bbe94_39.avi", DllUnregisterServer
    It invokes rundll32.exe (which is a legitimate file) to load [random].avi.
    The [random].avi then downloads/drops the main infection component to the %temp% directory, which generates the pop-ups that are shown in the screenshots above.

    Removal Guide:

    You can easily remove this infection by running the PC Tools Threat Removal Tool.

    If you choose to deal with the infection manually, you will need to do the following:

    1. Navigate to %CommonAppData%, locate [random].avi and delete the file.

    Note: You may need to enable viewing of all hidden files and folders; follow the steps below to check.

    - Go to Control Panel -> Folder Options
    - Click on View (2nd tab)
    - Under "Hidden files and folders", set the following:

    - Check "Show hidden files and folders"
    - Uncheck "Hide extensions for known file types"
    - Uncheck "Hide protected operating system files"
    - Click on Apply and OK.

    * Please change these settings back after you have located the file.

    2. Go to Start > Run. Type in "msconfig" and click on OK.
    3. In the System Configuration Utility, click on the "Startup" tab and look under the "Command" column for an entry that reads: "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\[random].avi", DllUnregisterServer
    Last edited by Hermit; 04-04-2011 at 04:32 AM.
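The autostart entry the post describes (rundll32.exe loading a file with an .avi extension from the common Application Data folder through the DllUnregisterServer export) is easy to pick out of a HijackThis O4 log or a dump of the Run keys once you know what to look for. The Python script below is an added example, not code from the original post or from PC Tools: it parses O4-style lines, isolates rundll32 invocations, and flags the traits the post calls out (non-library extension, data/temp directory, DllUnregisterServer entry point, GUID-style value name). The first sample line is the post's own example; the other sample lines, the helper names and the "two or more traits" threshold are constructed for this demonstration and describe no real system.

```python
import ntpath
import re

# Matches a HijackThis O4 line or the bare Run-key form quoted in the post:
#   O4 - HKCU\..\Run: [value name] <command line>
ENTRY_RE = re.compile(
    r'^(?:O4 - )?(?P<hive>HK\w+\\\.\.\\Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Splits a command line on whitespace while keeping double-quoted paths whole.
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
# Value names such as 4ce2f71a-66e4-41ab-babb-4df7399bbe94_39 start with a GUID.
GUID_RE = re.compile(
    r'^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}', re.I)

# Extensions rundll32 is normally asked to load; anything else (.avi, .dat, ...) is odd.
LIBRARY_EXTS = {'.dll', '.cpl', '.ocx', '.ax'}
# Lower-cased directory fragments where a legitimate autostart module rarely lives.
DATA_DIR_MARKERS = ('\\application data\\', '\\programdata\\', '\\appdata\\', '\\temp\\')

# Constructed sample log: the first line is the example from the post, the rest
# are made up for this demonstration (a normal driver entry, a normal Windows
# entry, and a second odd loader) and describe no real system.
SAMPLE_ENTRIES = [
    r'O4 - HKCU\..\Run: [4ce2f71a-66e4-41ab-babb-4df7399bbe94_39] "C:\WINDOWS\system32\rundll32.exe" "C:\Documents and Settings\All Users\Application Data\4ce2f71a-66e4-41ab-babb-4df7399bbe94_39.avi", DllUnregisterServer',
    r'O4 - HKLM\..\Run: [NvCpl] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
    r'O4 - HKCU\..\Run: [updater] rundll32.exe "C:\Documents and Settings\user\Local Settings\Temp\svc.dat",Start',
]


def tokenize(cmd):
    """Split a Windows command line on spaces, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_entry(line):
    """Return {'hive', 'name', 'cmd'} for an O4/Run line, or None if it is not one."""
    m = ENTRY_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze_rundll32(name, cmd):
    """If cmd invokes rundll32, split out module/export and collect warning reasons."""
    tokens = tokenize(cmd)
    if not tokens or ntpath.basename(tokens[0]).lower() != 'rundll32.exe':
        return None
    # rundll32 takes "<module>,<export>"; the comma may be glued to either side.
    module, _, export = ' '.join(tokens[1:]).partition(',')
    module, export = module.strip(), export.strip()
    reasons = []
    ext = ntpath.splitext(module)[1].lower()
    if ext not in LIBRARY_EXTS:
        reasons.append(f"module extension '{ext}' is not a library extension")
    if any(marker in module.lower() for marker in DATA_DIR_MARKERS):
        reasons.append("module lives in a user/common data or temp directory")
    if export.lower() == 'dllunregisterserver':
        reasons.append("entry point is DllUnregisterServer, an unusual autostart export")
    if GUID_RE.match(name):
        reasons.append("value name is a GUID-style random string")
    return {'module': module, 'export': export, 'reasons': reasons}


def scan(lines):
    """Return one finding per rundll32 autostart entry; 'suspicious' needs 2+ reasons."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:
            continue
        result = analyze_rundll32(entry['name'], entry['cmd'])
        if result is None:
            continue
        result.update(hive=entry['hive'], name=entry['name'],
                      suspicious=len(result['reasons']) >= 2)
        findings.append(result)
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_ENTRIES):
        flag = 'SUSPICIOUS' if f['suspicious'] else 'ok'
        print(f"[{flag}] {f['hive']} [{f['name']}] -> {f['module']} , {f['export']}")
        for reason in f['reasons']:
            print(f"    - {reason}")
```

Each heuristic on its own is weak (plenty of legitimate software uses rundll32 with a .dll under Program Files, and DllUnregisterServer is a real export name), so the script only calls an entry suspicious when two or more of them line up; an entry that trips one check is still printed so the reviewer can judge it against the screenshots and the %temp% drop the post describes.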