
June 29th, 2010

Defense center and a piece of luck

One of our users sent us a sample of a rogue AV for analysis. He didn’t attach any further information and the binary was heavily obfuscated, so I decided to give it a shot inside a virtual machine. A virtual image of a clean (freshly installed) Win XP was used to run it, and this screen appeared:

Oooh, is my clean OS really that infected? Even well-known Windows libraries? Of course not! These “infected” files are randomly selected during the first run of the fake scan, and their names are stored in the registry so that the same list comes back in every session. The intention of this rogue is absolutely clear-cut: the authors want to scare you and get your money for the paid version, which claims the ability to fix all the (fake) problems. They constantly nag you with additional warnings, such as:

which is in fact pretty ridiculous, because the VM is fully disconnected from the network. Almost anything you click leads you to buy the product. Since my VM has never been connected to the internet, I started to think that I’m not a lucky guy and this famous product will always remain in demo mode. I was really, really sad, and in this unsettled state of mind I simply put my hands on the keyboard and accidentally pressed some keys (believe me, it wasn’t my will). My accidental touch of the keyboard generated this screen:

Doesn’t it look like an act of pure accident? Look, if a monkey can write Shakespeare’s plays (, why couldn’t I write this? When I noticed the text – – I pushed the “Activate” button, believing it must be something mystic (and I generally like the idea of free antiviruses). Defense center restarted itself.

Woooow, what a piece of luck! Awesome! Defense center seems to run in full mode now. Let’s click the OK button.

Fantastic! No more nags. All shields are on and there’s also a number for their live support. That’s definitely worth a try. Now I’m really satisfied and I’ll probably suggest to the user who sent us the file that he keep this great software on his PC and activate it like I did.

Ok, without kidding – Defense center is a typical rogue software and its presence on your system is unwelcome. This article only describes what happens when you register such an application. To be honest – this rogue is not that aggressive and can be easily terminated from Task Manager (and similar tools); however, it’s still a fraud and you should spend your money somewhere else.
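The fake scan above names well-known system libraries at random and keeps the list in the registry, so the same files are "infected" on every run. A cheap defender's sanity check is to hash the flagged files and compare them with a baseline taken from a clean install (or from the same machine before the popup appeared): bytes that have not changed cannot have become infected. The script below is an added example and not the blog's own code; the file names and contents are constructed for the demonstration, and the registry key the rogue uses is not known from the post, so the list of "flagged" files is simply passed in.

```python
"""Triage a scanner's list of 'infected' files against a known-good hash baseline.

Added example, not code from the original post. All file names and contents
below are constructed; on a real machine the baseline would be captured from
a clean system and the flagged list copied from the scanner's report.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List


def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: Iterable[str]) -> Dict[str, str]:
    """Hash every file once while the system is known to be clean."""
    return {p: sha256_file(p) for p in paths}


def triage_report(flagged: Iterable[str], baseline: Dict[str, str]) -> Dict[str, List[str]]:
    """Split a scanner's 'infected' list into three buckets.

    unchanged : hash identical to the baseline -> the claim is bogus, the
                typical signature of a fake scan that picks names at random
    modified  : hash differs from the baseline -> worth a real look
    unknown   : not in the baseline or missing on disk -> cannot be judged
    """
    result: Dict[str, List[str]] = {"unchanged": [], "modified": [], "unknown": []}
    for path in flagged:
        if path not in baseline or not os.path.isfile(path):
            result["unknown"].append(path)
        elif sha256_file(path) == baseline[path]:
            result["unchanged"].append(path)
        else:
            result["modified"].append(path)
    return result


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: three 'system' files, one of which really changes."""
    root = tempfile.mkdtemp()
    names = ["kernel32.dll", "user32.dll", "ntdll.dll"]  # constructed, not real binaries
    paths = [os.path.join(root, n) for n in names]
    for p in paths:
        with open(p, "wb") as f:
            f.write(b"clean contents of " + os.path.basename(p).encode())
    baseline = build_baseline(paths)
    # Simulate a genuine change to one file after the baseline was taken.
    with open(paths[2], "ab") as f:
        f.write(b"\x00extra")
    # The "scanner" flags all three plus a file that never existed.
    flagged = paths + [os.path.join(root, "nothere.dll")]
    return triage_report(flagged, baseline)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(bucket, [os.path.basename(f) for f in files])
```

Two of the three "infected" files come back unchanged, which is exactly what the rogue's fixed random list looks like; only a file whose hash actually differs deserves further analysis.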


  • yanto chiang

    Hi Michal,

    Nice article to share with us and other users; it would be very useful information to share.

    And is it possible to describe how this malware works in terms of attacking the user on their machine?


  • Michal Krejdl

    @yanto chiang
    We received the file without any context, but I expect a similar way to other rogues. Black SEO -> exploit/redir/iframe -> download -> run.

  • Deborah

    Well, my laptop is infected with Defense Center. No, I didn’t install it. And Avast did not catch it. Avast isn’t even aware of it.

    I’ve used to remove viruses, trojans, etc., but my laptop is still infected.

    Could you provide some steps to remove it from the machine?

  • Michal Krejdl

    All samples of Defense center that arrived at our viruslab are detected as Win32:FakeAV-AMD [Trj]. Check whether your avast! and its virus definitions are up to date. Btw: I can suggest you start a thread on our forums (, which is a better place to solve such issues ;-)

  • Hanziness

    Oh my god, look at the “registered” message, looks like they were in a hurry when they were writing the text :)

    Like these:
    “THANKS for purchasing and REGISTRATION Defense Center” – They couldn’t write a “Thank you”, and Registration could be “registering”
    “Do not use Defense CenterTOGETHER with other antivirus softwares” – missing “space” between the Center and the Together words

    And everyone can detect a rogue from its “skin”: all the rogue screens I saw had “Vista-like” backgrounds, buttons, the Windows Security warning’s images (on Vista or Win7 – or a bit modified) and some Windows images (“X” signs, question marks). Also, the “drawn” text has some precision problems.

    Another thing: on the last image, you have ALL “protection” enabled but it keeps saying “Your computer is not protected”

    I haven’t had a rogue AV on my system since I got my computer, but I don’t want to “try” them out :)

    Thank you for informing us about this new “defense” :)
    Keep up the good work! ;)

  • Michal Krejdl

    They’re not native English speakers IMO, but I might be wrong.

    The last screenshot was taken before I clicked the “Remove threats” button in the main window; that’s the reason for the “unprotected” state. When I clicked the “Remove threats” button, the rogue started to simulate a disinfection (it tried to fool me with a “deletion” of system binaries, which in fact remained untouched) and after a reboot the “unprotected” message disappeared.

  • Hanziness

    Oh, I understand :)
    Thank you

  • mario

    @Michal Krejdl
    Hello, I know this comment is off topic and all, but help me: I need help on how to reset the notepad file on my computer for the WebShield settings so it doesn’t show any infected thing that is on the notepad file. Do I just delete the notepad file or what? Please help.

  • yanto chiang

    Michal Krejdl :
    @yanto chiang
    We received the file without any context, but I expect a similar way to other rogues. Black SEO -> exploit/redir/iframe -> download -> run.

    Hi Michal,

    Thanks for your kind information,

    yanto chiang

  • spg SCOTT

    Did you try the phone number? :D

    Not having encountered the fake AV installed myself, I have encountered those “you have been infected” sites…

    I’m on Linux, browsing to a site I know is infected, when it tells me that my PC is infected and it will scan it… All of a sudden, my Linux VM has become Windows, with a whole complement of trojans and such… It then had me download the install file for the scanner to install on my system… but alas it didn’t work… oh well, I’ll just stick with the infections… :D

  • Stan Osborne

    My other computer is infected. The virus freezes the system about 1/3 of the way through a thorough system sweep. (I’m using home user Avast.) Is there a way that I can direct my anti-virus sys. to do a sweep in the blue screen (before Windows is active)? I have a PC running Windows 8, the latest version of Avast home edition. The computer in question has been down for 4 days. My daughter tells me that she received an e-mail warning about an infected “ADOBE” software update. Like the article about phony anti-virus programs, I too have fought with this “self-inflicting” solution.

  • Michal Krejdl

    @spg SCOTT
    Nope, because no issues have occurred since I registered the product – there’s no reason to call support :P :D

    BTW: if anyone could try it, it might be quite funny

  • Michal Krejdl

    @Stan Osborne
    Again – visit our forums, it’s a better place to discuss such issues.

  • alex

    How do I know if av security is no longer on my computer, since avast couldn’t find it when scanning the computer? What I did was use superantispyware, which is what found av security and deleted it. I’m new to this and would like to know what to do in such cases, how to delete malicious programs that are not detected by avast.

  • Lisandro

    Funny :)

  • Jo

    Please, please, do NOT let this popup on my screen again!!!

  • Purchase Antivirus

    That computer is really messed up lol!


  • Rob Mitchell

    I had a client PC infected with Defence Center. I don’t know if it was the payload of Defence Center or not, but the PC also had a rootkit – \windows\system32\drivers\disk.sys had a rootkit.

    In addition to the Defence Center popup, running netstat -A showed hundreds of outbound connections to various web advertisements, leading me to conclude the rootkit was being used for click fraud to run up advertising revenues for the bad guy who had his payload put on the rootkit.

    Had to turn off System Restore to prevent reinfection, delete all old System Restores, then manually remediated disk.sys with a known good file from another system in addition to using standard manual removal techniques (kill the process, delete all temp files, analyze autoruns to locate the infector, rename the executable to disable it, delete after reboot).

    This client did not have Avast! but a competing product (one of the big names in the USA) sitting fat, dumb and happy and thinking all was well while the system was pwned by the malware.
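The symptom described in the comment above, hundreds of outbound connections to advertising hosts from one machine, is easy to spot once the netstat output is grouped by owning process. On Windows `netstat -ano` prints one socket per line with the PID in the last column, so a short parser can count outbound web sockets and distinct remote hosts per PID and flag the ones with an implausible fan-out. This is an added example and not the commenter's or the blog's code; the sample netstat lines, the PIDs and the threshold are all constructed for the demonstration.

```python
"""Flag processes with an unusual fan-out of outbound web connections.

Added example, not code from the original post or its comments. The input
lines mimic the shape of `netstat -ano` on Windows and are constructed;
feed the real command's output to parse_netstat() on an actual machine.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set

# `netstat -ano` columns:  Proto  Local Address  Foreign Address  [State]  PID
# UDP lines carry no State column, hence the optional group.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

WEB_PORTS = {"80", "443"}
OUTBOUND_STATES = {"ESTABLISHED", "SYN_SENT"}


class Conn(NamedTuple):
    proto: str
    local: str
    remote_host: str
    remote_port: str
    state: str
    pid: int


def parse_netstat(text: str) -> List[Conn]:
    """Parse TCP/UDP lines; the banner, header and blank lines do not match."""
    conns: List[Conn] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Split on the last colon so IPv6 literals such as [::1]:443 survive.
        host, _, port = m.group("remote").rpartition(":")
        conns.append(Conn(m.group("proto"), m.group("local"), host, port,
                          m.group("state") or "", int(m.group("pid"))))
    return conns


def web_fanout(conns: List[Conn]) -> Dict[int, Dict[str, int]]:
    """Per PID: number of outbound web sockets and number of distinct remote hosts."""
    sockets: Dict[int, int] = defaultdict(int)
    hosts: Dict[int, Set[str]] = defaultdict(set)
    for c in conns:
        if c.proto == "TCP" and c.state in OUTBOUND_STATES and c.remote_port in WEB_PORTS:
            sockets[c.pid] += 1
            hosts[c.pid].add(c.remote_host)
    return {pid: {"sockets": sockets[pid], "hosts": len(hosts[pid])} for pid in sockets}


def suspicious_pids(conns: List[Conn], max_hosts: int = 20) -> List[int]:
    """PIDs talking to at least max_hosts distinct web hosts (threshold is constructed)."""
    return sorted(pid for pid, s in web_fanout(conns).items() if s["hosts"] >= max_hosts)


def constructed_sample() -> str:
    """Constructed netstat output: one normal browser (PID 1234) and one fan-out (PID 4321)."""
    header = ("\nActive Connections\n\n"
              "  Proto  Local Address          Foreign Address        State           PID\n")
    lines = [
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       900",
        "  TCP    192.168.1.10:49152     93.184.216.34:443      ESTABLISHED     1234",
        "  TCP    192.168.1.10:49153     93.184.216.34:443      ESTABLISHED     1234",
        "  TCP    192.168.1.10:49154     198.51.100.7:80        ESTABLISHED     1234",
        "  UDP    0.0.0.0:5353           *:*                                    700",
    ]
    # 25 half-open connections to 25 different hosts on port 80 from one process.
    for i in range(25):
        lines.append(f"  TCP    192.168.1.10:{50000 + i}     "
                     f"203.0.113.{i + 1}:80        SYN_SENT        4321")
    return header + "\n".join(lines) + "\n"


if __name__ == "__main__":
    parsed = parse_netstat(constructed_sample())
    for pid, stats in sorted(web_fanout(parsed).items()):
        print(pid, stats)
    print("suspicious:", suspicious_pids(parsed))
```

Listening sockets and UDP lines are ignored because they carry no outbound intent; a process that reaches dozens of distinct web hosts in SYN_SENT or ESTABLISHED state within one snapshot is the pattern to hand to tasklist or Process Explorer for identification. The threshold of 20 hosts is arbitrary and should be tuned against what the machine's normal browser traffic looks like.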