Fake Defragmenter Holds PCs for Ransom

Discussion in 'malware problems & news' started by hawki, Oct 26, 2010.

Thread Status:
Not open for further replies.
  1. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
    "Rogue antivirus products have been afflicting unsuspecting users for years now. Some actively plant malware while pretending to remove it. Others run a quick fake scan on the system and report dozens of spurious threats, threats that can only be removed if you pay the product's significant registration fee. But the latest, a nasty fake defragmenter discovered by researchers at CyberDefender Research Labs, is even worse."

    According to CyberDefender's research team, "System Defragmenter pretends to be an optimization program that will scan the hard drive to fix any memory problems and hard disk errors the machine may have." After it runs, trying to launch any program or shortcut on the desktop will just trigger the error message "Scan Hard Drive". The hard drive scan finishes with a warning that the drive has errors that can only be fixed if the user purchases the full program. And, according to CyberDefender, the payment page isn't actually secure but includes a fake "verified" green address bar.

    I assume that once you pay off this protection racket the fake software fixes the fake problems it created. Even then, all is not well, as the bad guys now have your credit card details.

    Full Story Here : http://www.pcmag.com/print_article2/0,1217,a=256111,00.asp?hidPrint=true
     
  2. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Thanks for the article and yep, this fake defragger is a mongrel of a thing.

    After installing it I noticed that my Windows Folder opens the Programs Folder and vice versa and kills most other exes.

    I did manage to get a scan going with Malwarebytes by going to the Start menu and right clicking Malwarebytes' Antimalware - Properties - Find Target then renaming mbam.exe to firefox.exe with things seeming back to normal after a scan/reboot with MBAM.

    [screenshots attached: 1.JPG, 2.JPG, 3.JPG]
     
  3. dw426

    dw426 Registered Member

    Joined:
    Jan 3, 2007
    Posts:
    5,543
    It would be sad if many people fell for this. How many defrag programs check for memory issues? The really bad part is that people will rely on a 3rd party defrag program when the built in Windows defrag does just as well.
     
  4. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Most users do not even know that there is a defragmenter; people who know about it want some feedback, and the MS built-in one just sucks, takes ages and provides no info.
     
  5. katio

    katio Guest

    Well, with Win 7 you never know it's there doing its job.
     
  6. TairikuOkami

    TairikuOkami Registered Member

    Joined:
    Oct 10, 2005
    Posts:
    2,508
    Location:
    Slovakia
    Well at least in 7 it is a little better than in Vista, Vista's looks like a joke.
     
  7. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    There's a Smart Defragmenter GUI from the same mob as well.

    [screenshots attached: Smart.JPG, HDD.JPG]
     
  9. hawki

    hawki Registered Member

    Joined:
    Dec 17, 2008
    Posts:
    1,954
    Location:
    DC Metro Area
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    New GUI released.

    flash_player_installer.exe - 10/43 (23.3%)

    [screenshot attached: QD.JPG]
     
  11. safeguy

    safeguy Registered Member

    Joined:
    Jun 14, 2010
    Posts:
    1,709
    I appreciate the honesty and you've got a valid strong point which I agree with but please don't shoot the tree down simply because of one bad apple.:p Each individual that uses a 3rd party defrag program has his/her own reasons (which may contradict your thoughts/stand) but that brings us onto a different topic altogether...irrelevant to the issue at hand here.
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    New GUI to hit town.

    98e89a.exe - 10/42 (23.8%) - MD5 : 266c198ae5adc884f2c9f36bc2fe3615

    [screenshot attached: WinHDD.JPG]
     
  13. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Breeding like flies!

    13417813.exe - 9/43 (20.9%) - MD5 : 198d062b0754239c16ac2ac708fc2965

    [screenshot attached: Win Defrag.JPG]
     
  14. gerardwil

    gerardwil Registered Member

    Joined:
    Jan 17, 2004
    Posts:
    4,748
    Location:
    The Netherlands
    Fake Disk Cleanup Utilities

    http://www.symantec.com/connect/blogs/fake-disk-cleanup-utilities-ruse

    Gerard
     
    Last edited by a moderator: Dec 2, 2010
  15. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    11295468.exe - 25/43 (58.1%) - MD5 : 83450c018bfe641ae8d486b508fba420

    [screenshot attached: Win Def.JPG]
     
  16. JRViejo

    JRViejo Global Moderator

    Joined:
    Jul 9, 2008
    Posts:
    20,917
    Location:
    U.S.A.
    Merged Threads to Continue Same Topic!
     
  17. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    This thread refers as well. @ Mods: merge, split, etc. as deemed necessary; the preceding thread has someone pointing here.
     
  18. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Renaming mbam.exe to explorer.exe gets a scan up and running with Malwarebytes which will take this rogue out.

    hmouHopOSV.exe - 16/43 - MD5 : 19d0024a1429c2ad387675d0c9b97547

    [screenshots attached: One.jpg, Two.jpg]

    Droppers:
    [screenshot attached: Three.JPG]
     
  19. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Full removal instructions from Bleeping Computer here
     
  20. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    file.exe - 7/43 - MD5 : b2e7745e4116a3788224a005f67238d9

    [screenshot attached: Diag.JPG]
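The posts above list MD5 hashes for several droppers of this rogue defragmenter family. The following is an added example, not code from the thread or from any vendor named in it: a small Python scanner that hashes every file under a directory in chunks and flags anything matching those MD5s, with a clearly marked weak secondary signal for the kind of random numeric or letter-salad basenames seen in the posts (98e89a.exe, 13417813.exe, hmouHopOSV.exe). The name pattern is my assumption, not an indicator from the thread, and the demo tree it scans is constructed harmless data; the IOC set is extended at runtime with a constructed file's hash only so the match path can be exercised offline.

```python
"""Hash files under a directory and flag any whose MD5 matches the
indicators posted in this thread. Added example; not the thread's code."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# MD5 indicators copied from the posts above (as reported by Franklin).
IOC_MD5 = {
    "266c198ae5adc884f2c9f36bc2fe3615": "98e89a.exe (WinHDD GUI)",
    "198d062b0754239c16ac2ac708fc2965": "13417813.exe (Win Defrag GUI)",
    "83450c018bfe641ae8d486b508fba420": "11295468.exe (Win Def GUI)",
    "19d0024a1429c2ad387675d0c9b97547": "hmouHopOSV.exe (dropper)",
    "b2e7745e4116a3788224a005f67238d9": "file.exe (Diag GUI)",
}

# Assumption (not from the thread): basenames that are all digits, six hex
# chars, or ten random letters, as in the samples above, are a weak hint.
# Never treat this on its own as a detection; it is a triage aid only.
WEAK_NAME = re.compile(r"^(?:[0-9]{6,}|[0-9a-f]{6}|[A-Za-z]{10})\.exe$", re.I)


def file_hashes(path, chunk=1 << 20):
    """Return (md5, sha256) hex digests, reading the file in 1 MiB chunks
    so large binaries do not have to fit in memory."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            md5.update(block)
            sha.update(block)
    return md5.hexdigest(), sha.hexdigest()


def scan_tree(root, ioc=IOC_MD5):
    """Walk root and return a list of hits: dicts with path, both digests
    and the reasons (IOC hash match and/or weak name pattern)."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            if not os.path.isfile(path):
                continue
            md5, sha = file_hashes(path)
            reasons = []
            if md5 in ioc:
                reasons.append("md5 match: " + ioc[md5])
            if WEAK_NAME.match(name):
                reasons.append("suspicious name pattern (weak signal)")
            if reasons:
                hits.append({"path": path, "md5": md5, "sha256": sha,
                             "reasons": reasons})
    return hits


def demo():
    """Constructed sample tree (harmless bytes, not real malware) so the
    scanner's behaviour can be checked without a live sample."""
    root = tempfile.mkdtemp(prefix="rogue-ioc-")
    Path(root, "notes.txt").write_text("benign text file")
    # Name-only hit: matches the weak pattern but no IOC hash.
    Path(root, "13417813.exe").write_bytes(b"harmless bytes, name only")
    # Hash hit: we cannot forge a preimage for a real IOC, so the constructed
    # file's own MD5 is added to a copy of the IOC set for the demo.
    planted = Path(root, "sample.bin")
    planted.write_bytes(b"constructed sample")
    planted_md5, _ = file_hashes(planted)
    ioc = dict(IOC_MD5, **{planted_md5: "constructed sample"})
    hits = {os.path.basename(h["path"]): h["reasons"]
            for h in scan_tree(root, ioc)}
    # Known-answer check for the hasher: MD5 of an empty file.
    empty = Path(root, "empty")
    empty.write_bytes(b"")
    return {"hits": hits, "empty_md5": file_hashes(empty)[0]}


if __name__ == "__main__":
    for name, why in demo()["hits"].items():
        print(name, "->", "; ".join(why))
```

To use it against a real machine, run `scan_tree` over the user profile and temp directories from a clean boot environment (the thread notes the rogue kills most executables once it is running), and treat only the MD5 matches as confirmed; an MD5 list from a forum post is a point-in-time indicator, so repacked variants will miss and should be confirmed by a scanner such as the Malwarebytes run described above.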
     