Win32/PrivacyCenter


Microsoft security software detects and removes this threat.

Rogue:Win32/PrivacyCenter is a family of rogues that claims to scan for malware and displays fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software in order to remove these non-existent threats.

Find out more about rogues from our Rogue information page.

Find out ways that malware can get on your PC.



What to do now

The following free Microsoft software detects and removes this threat:

Even if we've already detected and removed this particular threat, running a full scan might find other malware that is hiding on your PC.

Get more help

You can also see our advanced troubleshooting page for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following steps can help change these settings back to what you want:

Threat behavior

Rogue:Win32/PrivacyCenter is a family of rogues that claim to scan for malware and display fake warnings of “malicious programs and viruses”. They then inform the user that they need to pay money to register the software to remove these non-existent threats.

We have received reports that this trojan has been distributed via fake search results, where users are redirected to sites that display fake scanners. These pages falsely report that your PC is infected to convince you to download Rogue:Win32/PrivacyCenter. We have also received reports that this trojan has been masquerading as a fake video codec. The pages and files used in this form of attack are highly variable, and change according to your location, browser, and operating system. This is an example of a fake online scanner that tries to convince you to download Rogue:Win32/PrivacyCenter:

Installation

Rogue:Win32/PrivacyCenter creates its files under these subfolders:

It changes the registry so that it runs every time Windows starts:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "agent.exe"
With data: "%ProgramFiles%\Privacy center\agent.exe"

It also creates an uninstall entry for itself called Privacy Center in the Add or remove programs section in Control Panel. However, this uninstaller doesn't actually remove the program. If you try to remove it using the uninstall entry, it removes it from the menu, but the threat remains on your PC and continues to run.

Rogue:Win32/PrivacyCenter changes the registry so that it runs instead of explorer.exe in the default shell registry entry:

In subkey: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "%ProgramFiles%\Privacy center\pc.exe"

This prevents Explorer and the Windows Start menu from appearing when you start up your PC, and displays the trojan's interface instead:
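
The two registry changes described in this section can be checked for in an exported copy of the user's registry hive. The following is an added example, not part of the original entry or of any Microsoft tool: it parses .reg export text and reports the Run and Winlogon Shell values named above. The function names and the sample export (with %ProgramFiles% expanded to C:\Program Files) are constructed for illustration.

```python
import re

# Registry locations and folder name given in this entry.
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
ROGUE_DIR = "\\privacy center\\"

# Constructed sample in .reg export format (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"agent.exe"="C:\\Program Files\\Privacy center\\agent.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Program Files\\Privacy center\\pc.exe"
'''

STRING_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # .reg files escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Return {subkey: {value_name: data}} for string values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = STRING_VALUE.match(line)
            if m:
                current[unescape(m.group(1))] = unescape(m.group(2))
    return keys

def find_privacycenter(text):
    """List the autostart and shell changes this entry describes, if present."""
    keys = {k.lower(): v for k, v in parse_reg(text).items()}
    findings = []
    for name, data in keys.get(RUN.lower(), {}).items():
        if ROGUE_DIR in data.lower():
            findings.append(("Run", name, data))
    # The entry says Shell is set so pc.exe runs instead of explorer.exe.
    shell = {k.lower(): v for k, v in keys.get(WINLOGON.lower(), {}).items()}.get("shell")
    if shell and shell.strip().lower() != "explorer.exe":
        findings.append(("Winlogon", "Shell", shell))
    return findings
```

A file written by reg export is UTF-16, so read it with encoding="utf-16" before passing its text to find_privacycenter.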

Payload

Displays fake warnings

Rogue:Win32/PrivacyCenter shows fake scanning results and alerts you about bogus malware infections and other security risks on your PC. Should you try to use Privacy Center to remove one of these bogus infections by pressing the Enable filter button, you are notified that your license is out of date, that your PC has 0% Security, and that there are several privacy violations. You are then directed to pay for licensing a number of bogus applications. Some examples of dialog boxes shown by Win32/PrivacyCenter are:

It might also make these registry changes to facilitate these displays:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\General
Sets value: "BackupWallpaper"
With data: "%SystemRoot%\web\wallpaper\bliss.bmp"

In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components
Sets value: "DeskHtmlVersion"
With data: "272"

In subkey: HKCU\Software\Microsoft\Internet Explorer\Desktop\Components\0
Sets value: "Source"
With data: "about:home"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72267F6A-A6F9-11D0-BC94-00C04FB67863}\iexplore
Sets value: "Type"
With data: "1"

Analysis by Matt McCormack


Symptoms

The following could indicate that you have this threat on your PC:

  • You see a dialog box like this on your desktop:

  • You have one or both of these folders:
  • When you start up your PC, you get this instead of your usual desktop:


Prevention


Alert level: Severe
This entry was first published on: May 18, 2010
This entry was updated on: Apr 17, 2014

This threat is also detected as:
  • Fake_AntiSpyware.BKN (AVG)
  • Win32/FakeAV.ACR (CA)
  • Win32/Adware.PrivacyComponents (ESET)
  • not-a-virus:FraudTool.Win32.PrivacyCenter (other)
  • not-a-virus:FraudTool.Win32.Agent.jn (Kaspersky)
  • FakeAlert-CP (McAfee)
  • Troj/PrvCnt-Gen (Sophos)
  • SpywareGuard2008 (Symantec)
  • Control Center (other)
  • Privacy Center (other)