FakeSysDef

FakeSysDef Description

The FakeSysDef family of rogue defragmenter programs is a group of fake system utilities that forms part of a well-known online scam. What makes the family particularly dangerous is that its members are usually installed alongside a Master Boot Record (MBR) rootkit such as TDL4, which can be quite difficult to remove. Malware analysts have been tracking the FakeSysDef family since 2010. Examples of the dozens of FakeSysDef clones include System Recovery, WinHDD, Windows Fix Disk, Windows 7 Recovery, Windows Diagnostic, Windows Disk, Windows Repair, Windows Recovery, Windows Safe Mode, and System Repair. Despite their names, these programs are not connected in any way with Microsoft or with any legitimate security application. They are designed to take over the computer and keep it hostage until the victim pays. Even after the victim pays, the operators will often continue to profit from the infected computer through the bundled MBR rootkit.
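Because the page ties this family to an MBR rootkit, the first check worth making on a suspect machine is whether the boot sector still matches a known-good baseline. The following is an added example (not code from the original page or from any vendor): it parses a 512-byte MBR, hashes only the bootstrap code (bytes 0-439, the region a bootkit overwrites), verifies the 0x55AA signature, sanity-checks the partition table, and compares the code hash against a baseline recorded when the machine was clean. The `build_sector` helper and the "clean-loader"/"patched-loader" bytes are constructed sample data, not real TDL4 code. One caveat that a practitioner must respect: a kernel-mode bootkit such as TDL4 filters disk reads and hands back the original MBR to anything asking from inside the running system, so read the sector from offline boot media, not from the infected OS.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i                      # partition table starts at 0x1BE
        status, ptype = sector[off], sector[off + 4]
        lba_start, lba_len = struct.unpack_from("<II", sector, off + 8)
        partitions.append({"active": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "lba_len": lba_len})
    return {
        # Bytes 0-439 are the bootstrap code a bootkit replaces; bytes 440-445 hold
        # the disk signature, which legitimately varies, so they stay out of the hash.
        "code_md5": hashlib.md5(sector[:440]).hexdigest(),
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "partitions": partitions,
    }


def check_mbr(sector: bytes, baseline_code_md5: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["code_md5"] != baseline_code_md5:
        findings.append("bootstrap code differs from baseline (possible bootkit)")
    if sum(p["active"] for p in info["partitions"]) > 1:
        findings.append("more than one active partition")
    for n, p in enumerate(info["partitions"]):
        if p["type"] and p["lba_start"] == 0:
            findings.append(f"partition {n} has a type but starts at LBA 0")
    return findings


def build_sector(code: bytes) -> bytes:
    """Constructed sample MBR: the given bootstrap code plus one active NTFS partition."""
    bootstrap = code.ljust(440, b"\x00")
    disk_sig = b"\x11\x22\x33\x44\x00\x00"
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 204800)
    return bootstrap + disk_sig + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # On a live Windows host the sector comes from
    # open(r"\\.\PhysicalDrive0", "rb").read(512) run as Administrator (and, for
    # the reason given above, preferably from offline media). Here a constructed
    # clean sector stands in for the recorded baseline.
    clean = build_sector(b"\xEB\x3C\x90" + b"clean-loader")
    baseline = parse_mbr(clean)["code_md5"]
    tampered = build_sector(b"\xEB\x3C\x90" + b"patched-loader")
    print("clean:", check_mbr(clean, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

Record the baseline hash at deployment time (or take it from an identical clean build); comparing against a hash of the whole sector instead would produce false positives whenever the disk signature or partition layout legitimately changes.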

How the FakeSysDef Scam Works

Most rogue defragmenters in the FakeSysDef family follow the same basic premise. They pose as legitimate defragmenters or system optimization utilities. After arriving on the victim's computer via a dropper Trojan or other common Trojan delivery methods, they pester the victim with a constant stream of error messages, fake system alerts and pop-up notifications. They pretend to run a system scan (which is nothing more than an animation) and then display a list of alarming problems on the infected computer. Many of these problems, such as a hard drive that cannot be detected or extreme CPU overheating, are implausible and in most cases laughable; the technical language in the alerts may nevertheless be enough to alarm inexperienced or gullible computer users. The next step in the scam is to convince the user that a "full version" of the rogue program is needed. The victim is taken to a website to enter his or her credit card information. ESG security researchers strongly recommend against paying for any of these programs: the family has absolutely no way of fixing a hard drive, optimizing a system or removing malware. All a victim who buys the "full version" receives in exchange is a rootkit infection and the risk of identity theft or credit card fraud.

Aliases: W32/FakeSysDef.PGE!tr [Fortinet], TR/FakeSysdef.A.737 [AntiVir], Trojan-FakeAV.Win32.FakeSysDef.pge [Kaspersky], TROJ_GEN.F47V0227, Troj_Generic.HVXDM, Dropper.Generic6.BILT [AVG], Virus.Win32.Injector [Ikarus], a variant of Win32/Injector.VWV, Trojan.Win32.A.Capper.39936, Trojan/JboxGeneric.niu, Trojan.Generic.KD.716362 (B), TR/Rogue.KD.716362.5 [AntiVir], Trojan.Win32.FakeSysdef.oza (v), Trojan.Zbot!PP8tSAUIThM and Trojan.Win32.Jorik.Zbot.fre [Kaspersky].

Technical Information

File System Details

FakeSysDef creates the following file(s):
# File Name Size (bytes) MD5 Detection Count
1 %ALLUSERSPROFILE%\Anwendungsdaten\URdEIoPdlrOf.exe 294,912 4c9929524ba309d75c408c9a80750665 19
2 %ALLUSERSPROFILE%\Datos de programa\eknXhqrKnsXlF.exe 301,568 be52e7e38b9b467c51972cc841e7e487 15
3 %ALLUSERSPROFILE%\Anwendungsdaten\XHnASFcJrnlLmYD.exe 294,912 e56e762f2e90c996dccd13411c910e6c 12
4 %ALLUSERSPROFILE%\Dati applicazioni\AMjpXjqDLxjl.exe 300,544 34281f199b526205535309cff287a9fe 12
5 %ALLUSERSPROFILE%ODJvPpaotTb.exe 294,912 a35e808f5866d1b5de1cf31c8dcea26f 9
6 %ALLUSERSPROFILE%\Dati applicazioni\jdSnJsadxcWFCe.exe 297,984 29e8b46c3d92b92a0ea64289fe66764f 9
7 %ALLUSERSPROFILE%rbpbjipvqhrr.exe 299,008 97b0d56dde618dd297203291b06ec545 9
8 %ALLUSERSPROFILE%XPVnElAMsonvcMj.exe 301,568 289c511dd277e046e3da62ce43fb49f8 8
9 %ALLUSERSPROFILE%xwqnxyxepcug.exe 300,032 4b8f337c8cd53fea7cb35511069d07ce 7
10 %ALLUSERSPROFILE%vjqeiipbxglly.exe 294,912 5538819bd8a99d544547754318bc3d9f 6
11 %ALLUSERSPROFILE%bgPqKOKVwPQv.exe 296,448 d206f84768ea72998aed1f851433b1c6 6
12 %ALLUSERSPROFILE%LEyOUApFFHXwn.exe 297,984 d1e1e3f9ae62a7e1a619dcc7d9245008 6
13 %ALLUSERSPROFILE%okjlroutvcya.exe 299,008 fbd750d0a801f621130b836daae32324 5
14 %ALLUSERSPROFILE%yejptgssgaxp.exe 303,104 a1c5a8aa1ba6d5ed2eb25d61d4f0126f 5
15 %ALLUSERSPROFILE%\Application Data\CBeVxEyIguxw.exe 299,520 3a7194a1586591b6d1d70b4f2ac176f7 4
16 %ALLUSERSPROFILE%qrxslipmyxvfmye.exe 299,520 d1d14cccc83221d9514f3340fedc5e53 4
17 %ALLUSERSPROFILE%\Datos de programa\MRvvplxYWheRr.exe 300,544 8cc290bd8d6c401b0718ccb67333fb1b 4
18 %ALLUSERSPROFILE%ellporskarvhs.exe 301,568 006c636e1bee4ae2830dc33b35991131 4
19 %ALLUSERSPROFILE%SyxlJvVkCVeuBSP.exe 301,568 3117eef55b0ee060df4bee5286522236 4
20 %ALLUSERSPROFILE%jtxnkwkrmurfpk.exe 294,912 d9cb33073a80e7f50c8e507fffb1bc09 3
21 %ALLUSERSPROFILE%dttiyfmkftuqpj.exe 298,496 d1ac34449b856c8cba42e7febf1ec2ba 3
22 %ALLUSERSPROFILE%KxEKSHyFtVVY.exe 300,032 e4380b5b02d432a677bcf1ceaed3e038 3
23 %ALLUSERSPROFILE%qlgpacrvkixcre.exe 305,152 1e2b74845aab419e78a9e63758863482 3
24 %ALLUSERSPROFILE%yintxdfmjessfn.exe 301,568 d020f69d6216c4a14f9c15928b89474f 2
25 %ALLUSERSPROFILE%\Application Data\wBFvnHvxiqUJ.exe 455,680 83787f90afa8f1f5c6901bce7a11326f 1
26 %TEMP%148247.exe 296,960 807f4514320ea1577d1a7d28299e35b6 1
27 %ALLUSERSPROFILE%ltCNsxmSemgqBwD.exe 297,984 a767bed0fee596706f9556d9dd6cea51 1
28 %USERPROFILE%gppmxkbsscdiwpjyih.exe 305,152 7bd18d1dd6236ed83fbf2f254eb66d69 1
29 %ALLUSERSPROFILE%\Datos de programa\egidPXEnjJF.exe 305,152 ff47d228034fc136af3c44c64b33c72e 1
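The table above is usable as an indicator list, but the file names are randomized per sample, so a practical sweep has to match on hash and fall back on the pattern the rows share (a purely alphabetic name of 11-18 letters, a size clustered around 300 KB, dropped directly under the profile root or a localized Application Data folder such as Anwendungsdaten, Datos de programa or Dati applicazioni). The following is an added example, not code from the original page: it parses rows in the table's own "N path size md5 count" layout, walks the profile and temp roots the table refers to, hashes every .exe, and reports hash matches separately from heuristic hits that still need triage. Only a handful of rows are embedded here; the remaining rows from the table can be pasted into `IOC_TABLE` unchanged. The name/size thresholds are the editor's assumption drawn from the rows on the page.

```python
import hashlib
import os
import re
from pathlib import Path

# Rows copied from the table above in its own layout; paste the rest in as-is.
IOC_TABLE = r"""
1 %ALLUSERSPROFILE%\Anwendungsdaten\URdEIoPdlrOf.exe 294,912 4c9929524ba309d75c408c9a80750665 19
2 %ALLUSERSPROFILE%\Datos de programa\eknXhqrKnsXlF.exe 301,568 be52e7e38b9b467c51972cc841e7e487 15
5 %ALLUSERSPROFILE%ODJvPpaotTb.exe 294,912 a35e808f5866d1b5de1cf31c8dcea26f 9
25 %ALLUSERSPROFILE%\Application Data\wBFvnHvxiqUJ.exe 455,680 83787f90afa8f1f5c6901bce7a11326f 1
26 %TEMP%148247.exe 296,960 807f4514320ea1577d1a7d28299e35b6 1
28 %USERPROFILE%gppmxkbsscdiwpjyih.exe 305,152 7bd18d1dd6236ed83fbf2f254eb66d69 1
"""

# Lazy match on the path so localized folder names containing spaces still parse.
ROW_RE = re.compile(r"^(\d+)\s+(.+?)\s+([\d,]+)\s+([0-9a-fA-F]{32})\s+(\d+)$")
# Assumed heuristic from the rows above: 11-18 random letters, roughly 300 KB.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{11,18}\.exe$")
SIZE_RANGE = (280_000, 320_000)


def parse_ioc_table(text):
    """Map lower-case MD5 -> (path, size) for every well-formed row; skip the rest."""
    iocs = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            _, path, size, md5, _ = m.groups()
            iocs[md5.lower()] = (path, int(size.replace(",", "")))
    return iocs


def md5_of(path, chunk=1 << 16):
    """Stream the file so large binaries do not get read into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_roots(roots, iocs):
    """Walk each root; return hits with the reason (hash match and/or heuristic)."""
    hits = []
    for root in roots:
        for p in Path(root).rglob("*"):
            if not p.is_file() or p.suffix.lower() != ".exe":
                continue
            size = p.stat().st_size
            reasons = []
            digest = md5_of(p)
            if digest in iocs:
                reasons.append(f"md5 match ({iocs[digest][0]})")
            if RANDOM_NAME_RE.match(p.name) and SIZE_RANGE[0] <= size <= SIZE_RANGE[1]:
                reasons.append("random-letter name and ~300 KB size (triage)")
            if reasons:
                hits.append({"path": str(p), "size": size, "reasons": reasons})
    return hits


def default_roots():
    """The roots the table's paths expand to, taken from the current environment."""
    return [os.environ[v] for v in ("ALLUSERSPROFILE", "USERPROFILE", "TEMP")
            if v in os.environ]


if __name__ == "__main__":
    for hit in scan_roots(default_roots(), parse_ioc_table(IOC_TABLE)):
        print(hit["path"], hit["size"], "; ".join(hit["reasons"]))
```

A hash match is conclusive for that specific sample; a heuristic hit only says the file looks like a FakeSysDef dropper and should be submitted for analysis or checked against the vendor aliases listed above. Run the sweep from a clean boot as well, since a live TDL4 infection can hide its own files from the running system.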


Site Disclaimer

Enigmasoftware.com is not associated, affiliated, sponsored or owned by the malware creators or distributors mentioned on this article. This article should NOT be mistaken or confused in being associated in any way with the promotion or endorsement of malware. Our intent is to provide information that will educate computer users on how to detect, and ultimately remove, malware from their computer with the help of SpyHunter and/or manual removal instructions provided on this article.

This article is provided "as is" and to be used for educational information purposes only. By following any instructions on this article, you agree to be bound by the disclaimer. We make no guarantees that this article will help you completely remove the malware threats on your computer. Spyware changes regularly; therefore, it is difficult to fully clean an infected machine through manual means.
