Today, when I was cleaning up my kids' PC, I saw on the Desktop an object, a kind of icon, named “Shredder”, without an extension and with a behaviour characteristic of many malware programs: it locks itself on the desktop, taking away the possibility of deleting it, and it has only two context menu (right-click) options:
Open
Create Shortcut
This is how the icon looks:
For all other files on the Desktop I have a lot of options, as you all know: Delete, Rename, Cut, Copy, Open with, entries added by WinRAR (Add to archive), entries added by my antivirus for scanning the file in question, and entries for loading files into Unlocker, which I have installed for unlocking problematic files that give errors on deletion such as “The file is in use by another program or user” or “Cannot delete file: Access is denied”.
Returning to my “Shredder” case, without the option to right-click -> Delete the object or right-click -> Unlocker (to unlock and delete), I tried to drag and drop it onto the Recycle Bin, but it didn't work. Secondly, I tried the Command Prompt:
del C:\Documents and Settings\%user%\Desktop\Shredder.exe
but without much success: the file simply won't leave my Desktop, and running the above command gives the “The system cannot find the file specified” error. All this, interestingly enough, began to be a challenge. I know that the settings and entries related to the context menu are in the registry, so I began to search the registry:
Run -> regedit.exe and Ctrl+F to begin searching for a “Shredder” entry. After a lot of registry keys added by the TuneUp Utilities Shredder component, a key attracted my attention and I exported it; here it is:
Windows Registry Editor Version 5.00
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}]
@="Shredder"
"Drop"=hex(7):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,57,00,69,00,6e,00,66,00,65,00,\
72,00,6e,00,6f,00,5c,00,50,00,43,00,20,00,43,00,6f,00,6e,00,66,00,69,00,64,\
00,65,00,6e,00,74,00,69,00,61,00,6c,00,5c,00,50,00,43,00,43,00,6f,00,6e,00,\
66,00,69,00,64,00,65,00,6e,00,74,00,69,00,61,00,6c,00,2e,00,65,00,78,00,65,\
00,22,00,00,00,2f,00,73,00,68,00,72,00,65,00,64,00,20,00,22,00,25,00,73,00,\
22,00,00,00,00,00,00,00
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\DefaultIcon]
@="\"C:\\Program Files\\Winferno\\PC Confidential\\PCConfidential.exe\",4"
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\InProcServer32]
@="\"C:\\Program Files\\Common Files\\Winferno\\wse2007.dll\""
"ThreadingModel"="Apartment"
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\Shell]
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\Shell\Open]
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\Shell\Open\Command]
@="\"C:\\Program Files\\Winferno\\PC Confidential\\PCConfidential.exe\""
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\shellex]
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\shellex\DropHandler]
@="{07D9182D-F50C-4F1D-8B2B-8DA37811C26B}"
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\shellex\PropertySheetHandlers]
@="{07D9182D-F50C-4F1D-8B2B-8DA37811C26B}"
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\ShellFolder]
"Attributes"=hex:00,01,00,00
As you can see, the key values are related to PCConfidential.exe in Program Files\Winferno\PC Confidential. I deleted the whole registry key with its subkeys and values, and after a restart (Log Off works as well) the icon was transformed:
with a changed context menu, this time including the option to delete the file. I simply right-clicked -> Delete it, getting this icon off my computer desktop.
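Decoding the exported key shows why the usual tools failed: the value named Drop is a REG_MULTI_SZ that runs PCConfidential.exe /shred "%s" on whatever is dropped on the icon, the object is served by wse2007.dll rather than by any file on the Desktop (so del had nothing to find), and its ShellFolder Attributes set only SFGAO_DROPTARGET, with no SFGAO_CANDELETE, SFGAO_CANMOVE or SFGAO_CANRENAME, which is why Explorer never offers Delete. This is an added example, not code from the original post: the .reg text is trimmed from the export above, while the parser and the SFGAO flag table are mine.

```python
import re
REG_EXPORT = r'''[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}]
@="Shredder"
"Drop"=hex(7):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,57,00,69,00,6e,00,66,00,65,00,\
72,00,6e,00,6f,00,5c,00,50,00,43,00,20,00,43,00,6f,00,6e,00,66,00,69,00,64,\
00,65,00,6e,00,74,00,69,00,61,00,6c,00,5c,00,50,00,43,00,43,00,6f,00,6e,00,\
66,00,69,00,64,00,65,00,6e,00,74,00,69,00,61,00,6c,00,2e,00,65,00,78,00,65,\
00,22,00,00,00,2f,00,73,00,68,00,72,00,65,00,64,00,20,00,22,00,25,00,73,00,\
22,00,00,00,00,00,00,00
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\InProcServer32]
@="\"C:\\Program Files\\Common Files\\Winferno\\wse2007.dll\""
[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\ShellFolder]
"Attributes"=hex:00,01,00,00
'''
# Documented SFGAO_* bits (subset); Explorer derives the context menu from them.
SFGAO = {0x1: "CANCOPY", 0x2: "CANMOVE", 0x4: "CANLINK", 0x10: "CANRENAME",
         0x20: "CANDELETE", 0x40: "HASPROPSHEET", 0x100: "DROPTARGET"}

def decode_value(raw):
    """REG_SZ uses \\ and \" escapes; hex(7) is UTF-16LE REG_MULTI_SZ; bare hex is REG_BINARY."""
    if raw.startswith('"'):
        return re.sub(r'\\(.)', r'\1', raw[1:-1])
    kind, _, body = raw.partition(':')
    data = bytes(int(b, 16) for b in body.split(',') if b)
    if kind == 'hex(7)':
        return [s for s in data.decode('utf-16-le').split('\x00') if s]
    return int.from_bytes(data, 'little')  # the 4-byte Attributes blob is a DWORD bitmask

def parse_reg(text):
    """Return {key_path: {value_name: value}}; a trailing backslash continues a hex value."""
    text = re.sub(r',\\\r?\n\s*', ',', text)
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
        elif current and '=' in line:
            name, _, raw = line.partition('=')
            keys[current][name.strip('"')] = decode_value(raw)
    return keys

def explain(text=REG_EXPORT):
    """What the object runs on drop, which DLL serves it, and why Explorer offers no Delete."""
    keys = parse_reg(text)
    base = min(keys, key=len)  # the shortest path is the CLSID key itself
    attrs = keys[base + r'\ShellFolder']['Attributes']
    return {'name': keys[base]['@'], 'drop_command': keys[base]['Drop'],
            'com_server': keys[base + r'\InProcServer32']['@'],
            'flags': [n for bit, n in SFGAO.items() if attrs & bit]}
```

The same parser works on any regedit export, so it can be pointed at other CLSID keys whose icons show a stripped-down context menu.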
If you do a Google search for the keywords PC Confidential 2008, you will find that it is typical rogue software, masquerading as an antimalware and cleaning tool and generating a ton of false alerts and warnings to lead you to buy it. Users report that they have nothing but problems running it: computer hangs, slower Internet browsing, annoying pop-ups for upgrading to a newer version, and false scanning reports claiming the computer is at high risk and the program must be purchased to get the problems solved. It is a complete picture of how a rogue antimalware, a piece of malware itself, behaves, with all the symptoms.
Under no circumstances should this software be purchased, to avoid a lot of trouble such as stolen credit card details, and to prevent possible future computer infections caused by using it. In my opinion this software comes from an untrusted source and can “open the gate” for other malware, e.g. trojans, viruses or adware; by using such methods to lock itself onto the computer Desktop, the program loses the user's trust. I finished the cleaning process by doing a whole-computer scan with my trusted antivirus; it is a known fact that malware can drop, or can be dropped by, other malware programs.
Anyway, if you ever get into the kind of trouble described here, the method posted above solves your problem. And don't forget, to prevent computer infections, don't download and install every game and program found on the Internet, as my kids do all the time.
I run a computer repair business, and get a lot of malware removal clients… My general arsenal is that I first use Emsisoft Anti-Malware, then Malwarebytes Anti-Malware, but if for whatever reason there is still an infection on the machine I use SuperAntiSpyware.
It was very interesting to read cleanbytes.net.
I want to quote your post in my blog. Can I?
And have you got an account on Twitter?
Just found your blog on Google and I believe it is a shame that you are not ranked higher, since this is a terrific post. To change this I decided to add your site to my RSS reader and I will try to mention you in one of my posts, because you really deserve more readers when publishing content of this quality.
PC Confidential 2008 is an Internet Eraser tool from winferno.com. It is not an antimalware program.
http://www.softsea.com/review/PC-Confidential.html
Check out Major Geeks comments:
http://forums.majorgeeks.com/showthread.php?t=170777
They have the latest 2010 version now, maybe you should give it a try:
http://www.winferno.com/store/brands/winferno/PC-Confidential/
Perfect, this solved my problem on the job! I can’t wait to browse more 🙂
Graphics Card, what text are you clicking when the browser freezes? And what browser?
I don’t use any special java…