{"id":161935,"date":"2010-01-09T02:15:00","date_gmt":"2010-01-09T06:15:00","guid":{"rendered":"tag:blogger.com,1999:blog-7196788127833928948.post-1752415853877486963"},"modified":"2010-01-09T02:15:00","modified_gmt":"2010-01-09T06:15:00","slug":"protecting-from-the-ccenter-malware-and-trojan","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/161935","title":{"rendered":"Protecting from the CCenter Malware and Trojan"},"content":{"rendered":"<p>A very common method of distributing malware is disguising it as a useful program. The most common disguises, apart from games, are &#8216;malware removal programs&#8217;. This is the approach used by <span style=\"font-weight: bold;\">CCenter<\/span>, a.k.a. Control Center.<\/p>\n<p>If you find a process with the name <span style=\"font-weight: bold;\">ccenter.exe<\/span> running on your PC, your PC has possibly been infected with a trojan known as <span style=\"font-weight: bold; font-style: italic;\">infostealer.lemir.h.<\/span><br \/>Infostealer.Lemir.H is a Trojan horse program that attempts to steal passwords for the Legend of Mir 2 online game, but can be modified to steal other information.<\/p>\n<p><a href=\"http:\/\/2.bp.blogspot.com\/_Hu1rpxRsqcU\/S0n5bmHY-bI\/AAAAAAAAAdk\/KP9ggccNAn8\/s1600-h\/malware.jpg\"><img decoding=\"async\" style=\"margin: 0px auto 10px; display: block; 
text-align: center; cursor: pointer; width: 320px; height: 265px;\" src=\"http:\/\/2.bp.blogspot.com\/_Hu1rpxRsqcU\/S0n5bmHY-bI\/AAAAAAAAAdk\/KP9ggccNAn8\/s320\/malware.jpg\" alt=\"\" id=\"BLOGGER_PHOTO_ID_5425141478627801522\" border=\"0\" \/><\/a><\/p>\n<p>Apart from installing a trojan, CCenter intimidates people into buying the paid version of this program. Once it\u2019s installed, CCenter loads an imitation of a system scan every time the computer is started. It also generates large numbers of counterfeit security alerts. All these alerts are designed only to trick people into taking the program for a legitimate and reputable tool. If clicked, the pop-ups demand payment for using CCenter.<\/p>\n<p>CCenter has also been seen to redirect the web browser to malicious and fraudulent websites. Depending on version and programmer skill, it may also disable reputable security programs, leaving the compromised machine open to future attacks.<\/p>\n<p><span style=\"font-weight: bold;\">Here are the steps to manually remove CCenter<\/span><\/p>\n<ol>\n<li>Use &#8220;Add or Remove Programs&#8221; to remove the installation. 
However, bear in mind that there may be hidden CCenter files, running processes and registry entries on your computer, so CCenter may recreate all other files after reboot.<\/li>\n<li>Stop and remove CCenter processes:\n<ul>\n<li>ccagent.exe<\/li>\n<li>ccmain.exe<\/li>\n<li>uninstall.exe<\/li>\n<\/ul>\n<\/li>\n<li>Find and delete all CCenter files found in %AppData%\\CCenter\\ccagent.exe<\/li>\n<\/ol>\n<p>There are other similar malware programs in the wild. 
We will cover them in the following articles.<\/p>\n<p>Talkback and comments are most welcome.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A very common method of distributing malware is disguising it as a useful program. The most common disguises, apart from games, are &#8216;malware removal programs&#8217;. This is the approach used by CCenter, a.k.a. Control Center. If you find a process with the name ccenter.exe running on your PC, your PC has possibly been infected [&hellip;]<\/p>\n","protected":false},"author":5679,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-161935","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/161935","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/5679"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=161935"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/161935\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=161935"}],"wp:te
rm":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=161935"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=161935"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}