Malicious behaviour — PC Confidential 2008

Today, when I was cleaning up my kids' PC, I saw on the Desktop an object, a kind of icon, named “Shredder” without an extension and with a behaviour characteristic of many malware programs: it locks itself on the desktop, removing the possibility to delete it, and it has only two context menu (right-click) options:

Open

Create Shortcut

This is how the icon looks (screenshot missing from the page):

For all other files on the Desktop I have a lot of options, as you all know, like Delete, Rename, Cut, Copy, Open with, entries added by WinRAR (Add to archive), entries added by my antivirus for scanning the file in question, and entries added to load files into Unlocker, which I have installed for unlocking problematic files that give errors on deletion such as “The file is in use by another program or user” or “Cannot delete file: Access is denied”.

Returning to my “Shredder” case, and without the option to right-click -> Delete the object or right-click -> Unlocker (to unlock and delete), I tried to drag and drop it over the Recycle Bin, but it didn't work. Secondly, I tried the Command Prompt:

del "C:\Documents and Settings\%USERNAME%\Desktop\Shredder.exe"

but without much success: the file simply wouldn't leave my Desktop, and running the above command gave the “The system cannot find the file specified” error. All this, interestingly enough, began to be a challenge. I knew that the settings and entries related to the Context Menu are in the registry, so I began to search the registry:

Run -> regedit.exe and Ctrl+F to begin searching for the “Shredder” entry. After a lot of registry keys added by the TuneUp Utilities Shredder component, a key attracted my attention and I exported it; here it is:

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}]
@="Shredder"
"Drop"=hex(7):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,57,00,69,00,6e,00,66,00,65,00,\
  72,00,6e,00,6f,00,5c,00,50,00,43,00,20,00,43,00,6f,00,6e,00,66,00,69,00,64,\
  00,65,00,6e,00,74,00,69,00,61,00,6c,00,5c,00,50,00,43,00,43,00,6f,00,6e,00,\
  66,00,69,00,64,00,65,00,6e,00,74,00,69,00,61,00,6c,00,2e,00,65,00,78,00,65,\
  00,22,00,00,00,2f,00,73,00,68,00,72,00,65,00,64,00,20,00,22,00,25,00,73,00,\
  22,00,00,00,00,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\DefaultIcon]
@="\"C:\\Program Files\\Winferno\\PC Confidential\\PCConfidential.exe\",4"

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\InProcServer32]
@="\"C:\\Program Files\\Common Files\\Winferno\\wse2007.dll\""
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\Shell]

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\Shell\Open]

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\Shell\Open\Command]
@="\"C:\\Program Files\\Winferno\\PC Confidential\\PCConfidential.exe\""

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\shellex]

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\shellex\DropHandler]
@="{07D9182D-F50C-4F1D-8B2B-8DA37811C26B}"

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\shellex\PropertySheetHandlers]
@="{07D9182D-F50C-4F1D-8B2B-8DA37811C26B}"

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\ShellFolder]
"Attributes"=hex:00,01,00,00

As you can see, the key values are related to PCConfidential.exe, in Program Files\Winferno\PC Confidential. I deleted the whole registry key with its subkeys and values, and after a Restart (Log Off works as well) the icon suffered a transformation:

(screenshot of the transformed icon missing from the page)

with a changed Context menu, this time including the option to delete the file. I simply right-clicked -> Delete, getting this icon off my computer desktop.
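The export above explains the “locked” behaviour once its values are decoded. The following Python script is an added example, not code from the original post or from Winferno: it parses the .reg text (embedded inline and trimmed to the keys that carry values), decodes the hex(7) REG_MULTI_SZ "Drop" value and the binary ShellFolder "Attributes" DWORD, and summarises what the namespace object is wired to do. The SFGAO_* bit values are the documented Windows shell attribute constants; the `parse_reg`, `decode_value` and `describe` names and the summary layout are my own.

```python
"""Decode the exported 'Shredder' CLSID key from a Windows .reg file.

Added example, not code from the original post: a small .reg parser that
decodes REG_SZ, REG_MULTI_SZ (hex(7)) and REG_BINARY (hex:) values.
"""
import re

CLSID = "{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}"

# The post's export, embedded so the script runs offline, trimmed to the
# keys that carry values (the empty Shell/shellex container keys are omitted).
REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}]
@="Shredder"
"Drop"=hex(7):22,00,43,00,3a,00,5c,00,50,00,72,00,6f,00,67,00,72,00,61,00,6d,\
  00,20,00,46,00,69,00,6c,00,65,00,73,00,5c,00,57,00,69,00,6e,00,66,00,65,00,\
  72,00,6e,00,6f,00,5c,00,50,00,43,00,20,00,43,00,6f,00,6e,00,66,00,69,00,64,\
  00,65,00,6e,00,74,00,69,00,61,00,6c,00,5c,00,50,00,43,00,43,00,6f,00,6e,00,\
  66,00,69,00,64,00,65,00,6e,00,74,00,69,00,61,00,6c,00,2e,00,65,00,78,00,65,\
  00,22,00,00,00,2f,00,73,00,68,00,72,00,65,00,64,00,20,00,22,00,25,00,73,00,\
  22,00,00,00,00,00,00,00

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\InProcServer32]
@="\"C:\\Program Files\\Common Files\\Winferno\\wse2007.dll\""
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\Shell\Open\Command]
@="\"C:\\Program Files\\Winferno\\PC Confidential\\PCConfidential.exe\""

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\shellex\DropHandler]
@="{07D9182D-F50C-4F1D-8B2B-8DA37811C26B}"

[HKEY_CLASSES_ROOT\CLSID\{EFE976D3-2E0A-4edf-984F-DA19AFA12B51}\ShellFolder]
"Attributes"=hex:00,01,00,00
'''

# Documented SFGAO_* bits in ShellFolder\Attributes that govern what Explorer
# offers the user for a namespace item.
SFGAO_FLAGS = {
    0x001: "SFGAO_CANCOPY", 0x002: "SFGAO_CANMOVE", 0x004: "SFGAO_CANLINK",
    0x010: "SFGAO_CANRENAME", 0x020: "SFGAO_CANDELETE",
    0x040: "SFGAO_HASPROPSHEET", 0x100: "SFGAO_DROPTARGET",
}
USER_ACTIONS = {0x001: "copy", 0x002: "move", 0x010: "rename", 0x020: "delete"}


def decode_value(data):
    """Turn the right-hand side of a .reg value line into (type, value)."""
    if data.startswith('"'):
        # REG_SZ: drop the outer quotes, un-escape \" and \\ in one pass
        return "REG_SZ", re.sub(r'\\(["\\])', r"\1", data[1:-1])
    if data.startswith("hex(7):"):
        raw = bytes.fromhex(data[len("hex(7):"):].replace(",", ""))
        # REG_MULTI_SZ: UTF-16LE strings separated by NUL, list ends with NUL
        return "REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s]
    if data.startswith("hex:"):
        return "REG_BINARY", bytes.fromhex(data[len("hex:"):].replace(",", ""))
    return "UNKNOWN", data


def parse_reg(text):
    """Return {key_path: {value_name: (type, value)}} for a .reg export."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            # A trailing backslash continues the value on the next line
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw.strip())
    keys, current = {}, None
    for line in lines:
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, _, data = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = decode_value(data)
    return keys


def describe(keys, clsid):
    """Summarise what a CLSID-registered desktop object does and permits."""
    base = "HKEY_CLASSES_ROOT\\CLSID\\" + clsid

    def default_of(subkey):
        return keys.get(base + "\\" + subkey, {}).get("(Default)", (None, None))[1]

    attr_bytes = keys.get(base + "\\ShellFolder", {}).get("Attributes", (None, b"\0\0\0\0"))[1]
    attributes = int.from_bytes(attr_bytes, "little")  # REG_BINARY DWORD, little-endian
    return {
        "name": keys[base].get("(Default)", (None, None))[1],
        "handler_dll": default_of("InProcServer32"),
        "open_command": default_of("Shell\\Open\\Command"),
        "drop_command": keys[base].get("Drop", (None, []))[1],
        "drop_handler": default_of("shellex\\DropHandler"),
        "attributes": attributes,
        "flags": [n for bit, n in SFGAO_FLAGS.items() if attributes & bit],
        "blocked_actions": [n for bit, n in USER_ACTIONS.items() if not attributes & bit],
    }


if __name__ == "__main__":
    for field, value in describe(parse_reg(REG_EXPORT), CLSID).items():
        print(f"{field:16} {value}")
```

Decoded, "Drop" is the two strings `"C:\Program Files\Winferno\PC Confidential\PCConfidential.exe"` and `/shred "%s"`, so anything dragged onto the icon is handed to PCConfidential.exe for shredding, and "Attributes" is 0x100, SFGAO_DROPTARGET alone: none of SFGAO_CANCOPY, SFGAO_CANMOVE, SFGAO_CANRENAME or SFGAO_CANDELETE is set, which is exactly why Explorer offered no Delete, Rename, Cut or Copy entry. No file is being held open, so Unlocker and `del` have nothing to act on; the object is a COM class served by wse2007.dll, and removing its CLSID key (then logging off so Explorer re-reads the namespace) is what makes it go away. On a live machine, the CLSIDs that Explorer places on the desktop are listed under `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Desktop\NameSpace` (and the same path under HKCU); comparing those entries against ones you recognise is a quick way to spot such an object.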

If you do a Google search for the PC Confidential 2008 keywords, you will find that it is a typical rogue software, masquerading as an antimalware and cleaning tool and generating a ton of false alerts and warnings to lead you to buy it. Users report they have only problems running it: computer hang-ups, slower Internet browsing, annoying pop-ups for upgrading to a newer version, false scanning reports claiming the computer is at high risk and that the program must be purchased to get the problems solved. It's a complete picture of how a rogue antimalware, a malware itself, behaves, with all the symptoms.

Under no circumstances should this software be purchased, to avoid a lot of trouble such as stolen credit card details, or to prevent possible future computer infections by using it. In my opinion this software comes from an untrusted source and can “open the gate” for other malware, e.g. trojans, viruses or adware; by using such methods to lock itself on the computer Desktop, the program loses the user's trust. I finished the cleaning process by doing a whole-computer scan with my trusted antivirus; it is a known fact that malware can drop, or can be dropped by, other malware programs.

Anyway, if you ever get into the kind of trouble described here, the method posted above solves your problem. And don't forget: to prevent computer infections, don't download and install all the games and programs found on the Internet, as my kids do all the time.

Posted in Thoughts.
