Rogue:Win32/PrivacyCenter is a family of rogues that claim to scan for malware and display fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software to remove these non-existent threats.
We have received reports that this trojan has been distributed via fake search results, where users are redirected to sites that display fake scanners. These pages falsely report that your PC is infected to convince you to download Rogue:Win32/PrivacyCenter. We have also received reports that this trojan has been masquerading as a fake video codec. The pages and files used in this form of attack are highly variable, and change according to your location, browser, and operating system. This is an example of a fake online scanner that tries to convince you to download Rogue:Win32/PrivacyCenter:
Rogue:Win32/PrivacyCenter creates its files under these subfolders:
It changes the registry so that it runs every time Windows starts:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "agent.exe"
With data: "%ProgramFiles%\Privacy center\agent.exe"
It also creates an uninstall entry for itself called Privacy Center in the Add or remove programs section in Control Panel. However, this uninstaller doesn't actually remove the program. If you try to remove it using the uninstall entry, it removes it from the menu, but the threat remains in your PC and continues to run.
Rogue:Win32/PrivacyCenter changes the registry so that it runs instead of explorer.exe in the default shell registry entry:
In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%ProgramFiles%\Privacy center\pc.exe"
This prevents Explorer and the Windows Start menu from appearing when you start up your PC, and displays the trojan's interface instead.
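One way to check an exported user hive for both registry changes described above, as an added example (not Microsoft's code). It assumes text produced by `reg export HKCU` (such files are UTF-16, so read them with `encoding="utf-16"`), handles only plain string values, and the function names and sample export are constructed for illustration.

```python
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
ROGUE_DIR = "\\privacy center\\"  # install folder named in the write-up, lower-cased
STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample input (not taken from a real infected machine).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"agent.exe"="C:\\Program Files\\Privacy center\\agent.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files\\Privacy center\\pc.exe"
'''

def parse_reg_export(text):
    """Yield (key, value_name, data) for each string value in .reg text."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := STRING_VALUE.match(line)):
            # .reg files escape backslashes and quotes with a backslash
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            yield key, name, data

def find_privacycenter_persistence(text):
    """Return (kind, value_name, data) for the Run entry and the Shell override."""
    findings = []
    for key, name, data in parse_reg_export(text):
        low = data.lower()
        if key.lower() == RUN_KEY.lower() and ROGUE_DIR in low:
            findings.append(("run-key", name, data))
        elif key.lower() == WINLOGON_KEY.lower() and name.lower() == "shell":
            # Assumption: a clean profile has no per-user Shell value, so any
            # data other than explorer.exe is reported for review.
            if low != "explorer.exe":
                kind = "shell-privacycenter" if ROGUE_DIR in low else "shell-override"
                findings.append((kind, name, data))
    return findings

if __name__ == "__main__":
    for finding in find_privacycenter_persistence(SAMPLE_EXPORT):
        print(finding)
```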
Displays fake warnings
Rogue:Win32/PrivacyCenter shows fake scanning results and alerts you about bogus malware infections and other security risks on your PC. Should you try to use Privacy Center to remove one of these bogus infections by pressing the Enable filter button, you are notified that your license is out of date, that your PC has 0% Security, and that there are several privacy violations. You are then directed to pay for licenses for a number of bogus applications. Some examples of dialog boxes shown by Win32/PrivacyCenter are: