
Program:Win32/PCSave


Encyclopedia entry
Updated: Mar 20, 2008  |  Published: Feb 29, 2008

Aliases
  • Win-Trojan/Pcsave.339456 (AhnLab)
  • PCSave (McAfee)

Alert Level
High

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated:
Definition: 1.101.892.0
Released: Apr 05, 2011
Detection initially created:
Definition: 1.45.287.0
Released: Oct 07, 2008


 

Summary

Program:Win32/PCSave is a rogue antispyware application that may be installed on a user's computer by other malware. The program may originate from the domain 'pcsave.co.kr'.


 

Symptoms

System Changes
The following system changes may indicate the presence of Program:Win32/PCSave:
  • Presence of a Windows Desktop shortcut for the program
  • Presence of a system tray icon for the program
  • Presence of the following files and folders:
    <system folder>\pcsave.zip
    %ProgramFiles%\pcsave\config.ini
    %ProgramFiles%\pcsave\dlist.da
    %ProgramFiles%\pcsave\drivermanager.exe
    %ProgramFiles%\pcsave\fb.dll
    %ProgramFiles%\pcsave\filecheck.ini
    %ProgramFiles%\pcsave\midas.dll
    %ProgramFiles%\pcsave\ntfile.ini
    %ProgramFiles%\pcsave\pcsave.exe
    %ProgramFiles%\pcsave\pcsaveup.exe
    %ProgramFiles%\pcsave\uninstall.exe
    %ProgramFiles%\pcsave\update.ini
    %ProgramFiles%\pcsave\img (folder)
    %ProgramFiles%\pcsave\report (folder)
    %ProgramFiles%\pcsave\value (folder)


 

Technical Information (Analysis)

Program:Win32/PCSave is a rogue antispyware application that may be installed on the user's computer by other malware (identified as 'TrojanDownloader:Win32/WinDots'). The program may originate from the domain 'pcsave.co.kr'.

Installation
When executed, the installer for Program:Win32/PCSave may create the following files and folders:
<system folder>\pcsave.zip
%ProgramFiles%\pcsave\config.ini
%ProgramFiles%\pcsave\dlist.da
%ProgramFiles%\pcsave\drivermanager.exe
%ProgramFiles%\pcsave\fb.dll
%ProgramFiles%\pcsave\filecheck.ini
%ProgramFiles%\pcsave\midas.dll
%ProgramFiles%\pcsave\ntfile.ini
%ProgramFiles%\pcsave\pcsave.exe
%ProgramFiles%\pcsave\pcsaveup.exe
%ProgramFiles%\pcsave\uninstall.exe
%ProgramFiles%\pcsave\update.ini
%ProgramFiles%\pcsave\img\
%ProgramFiles%\pcsave\report\
%ProgramFiles%\pcsave\value\
 
The registry is modified to execute a copy of Win32/PCSave as a Browser Helper Object (BHO) when a Web browser is launched:
Adds value: {F890B643-C3E4-4293-9FC0-E8159285CE6B}
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
 
Adds value: (default)
With data: "%ProgramFiles%\pcsave\fb.dll"
To subkey: HKEY_LOCAL_MACHINE\Software\Classes\clsid\{F890B643-C3E4-4293-9FC0-E8159285CE6B}
 
The registry is modified to execute a copy of Win32/PCSave at each Windows start:
Adds value: pcsave
With data: "%ProgramFiles%\pcsave\pcsaveup.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
 
Other registry values may be created during the installation of Win32/PCSave:
Adds value: pcsave
To subkey: HKEY_CURRENT_USER\Software
 
Adds value: pcsave
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcsave

Adds value: nopcsave
To subkey: HKEY_CURRENT_USER\Software
 
Analysis by Marian Radu
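
The file and registry changes listed above can be checked on a host with a read-only sweep. The following PowerShell is an added example, not part of the original entry or any Microsoft tool. It assumes "<system folder>" means %SystemRoot%\System32, and it also checks the 32-bit redirected locations (SysWOW64, Program Files (x86), WOW6432Node), which the entry does not mention; the function name Find-PCSaveIndicator is hypothetical.

```powershell
# Added example: read-only sweep for the PCSave artifacts named in this entry.
# Assumption: "<system folder>" is %SystemRoot%\System32; WOW64 locations are checked too.
function Find-PCSaveIndicator {
    $clsid = '{F890B643-C3E4-4293-9FC0-E8159285CE6B}'
    $names = 'config.ini','dlist.da','drivermanager.exe','fb.dll','filecheck.ini','midas.dll',
             'ntfile.ini','pcsave.exe','pcsaveup.exe','uninstall.exe','update.ini','img','report','value'
    $hits  = New-Object System.Collections.Generic.List[string]

    # File-system artifacts in the native and the 32-bit redirected directories.
    $progDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ } | Select-Object -Unique
    $paths  = @('System32','SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot "$_\pcsave.zip" })
    $paths += $progDirs | ForEach-Object { $p = $_; $names | ForEach-Object { Join-Path $p "pcsave\$_" } }
    foreach ($path in $paths) {
        if (Test-Path -LiteralPath $path) { $hits.Add("FILE  $path") }
    }

    # Registry keys. A BHO is registered as a subkey named after its CLSID.
    $keys = @(
        "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
        "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$clsid",
        "HKLM:\SOFTWARE\Classes\CLSID\$clsid",
        "HKLM:\SOFTWARE\Classes\WOW6432Node\CLSID\$clsid",
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\pcsave',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\pcsave'
    )
    foreach ($key in $keys) {
        if (Test-Path -LiteralPath $key) { $hits.Add("KEY   $key") }
    }

    # Registry values: the autostart entry and the markers the entry lists under HKCU\Software.
    $values = @(
        @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';             Name = 'pcsave' },
        @{ Key = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'; Name = 'pcsave' },
        @{ Key = 'HKCU:\Software'; Name = 'pcsave' },
        @{ Key = 'HKCU:\Software'; Name = 'nopcsave' }
    )
    foreach ($v in $values) {
        $item = Get-ItemProperty -LiteralPath $v.Key -Name $v.Name -ErrorAction SilentlyContinue
        if ($item) { $hits.Add("VALUE $($v.Key)\$($v.Name) = $($item.($v.Name))") }
    }
    return $hits
}

Find-PCSaveIndicator   # prints one line per artifact found; no output means none were present
```

The HKCU checks only cover the profile of the account running the script, so run it in the affected user's session or load other users' hives separately.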


 

Prevention



 

Recovery

Program:Win32/PCSave may place an uninstaller entry in "Add or Remove Programs" in Control Panel. The entry may be named "PCSave" or similar. If an uninstaller is not available, or if you do not want to use the uninstaller that is provided, use Microsoft Windows Defender or another up-to-date scanning and removal tool to detect and remove PCSave and other potentially unwanted software from your computer. For more information, see http://www.microsoft.com/protect/products/computer/default.mspx.
