Thursday, 13 August 2009

Advanced Virus Remover Rogue

Ran into this rogue anti-virus program a few days ago:


Update October 27, 2009


Today I ran into this rogue again. I captured a FreeFixer log where you can see the modifications Advanced Virus Remover did on the infected computer:

FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:15


System policies
HKCU\..\policies\system, DisableTaskMgr = 1

Transport service providers (3 whitelisted)
{3F8DAED5-1A15-44C0-A465-27536D3B3C98} - C:\WINDOWS\system32\winhelper.dll
{6DBCA3F0-ACCF-4F0E-8998-F976BB4FA56D} - C:\WINDOWS\system32\winhelper.dll

Registry Startups (3 whitelisted)
HKLM\..\Run, winupdate.exe = C:\WINDOWS\system32\winupdate.exe
HKCU\..\Run, Advanced Virus Remover = C:\Program Files\AdvancedVirusRemover\PAVRM.exe

Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe

Application modules (70 whitelisted)
C:\WINDOWS\system32\winhelper.dll

Recently created/modified files
1 minute, c:\Program Files\AdvancedVirusRemover\PAVRM.exe
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\SetupAdvancedVirusRemover[1].exe
1 minute, c:\WINDOWS\system32\winhelper.dll
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\dfghfghgfj[1].dll
1 minute, c:\WINDOWS\system32\winupdate.exe
..
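As an added example (not code from the original post, and not part of FreeFixer), the following Python script parses a log in the format shown above and pulls out the persistence points an analyst would act on: the Task Manager policy, the two Winsock LSP (transport service provider) entries, the two Run keys, and the files they reference. It also reports in which sections each file shows up, since a DLL that is simultaneously an LSP, a loaded module and a file written a minute ago is a much stronger signal than any one of those alone. The sample log is the one quoted in the post, embedded inline so the script runs offline; the section and value layouts it assumes are inferred from that sample only.

```python
"""Parse a FreeFixer-style log and extract the persistence indicators it lists."""
import re
from collections import OrderedDict

# Sample input: the non-whitelisted sections of the log quoted in the post,
# embedded here so the example runs offline.
SAMPLE_LOG = r"""
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:15

System policies
HKCU\..\policies\system, DisableTaskMgr = 1

Transport service providers (3 whitelisted)
{3F8DAED5-1A15-44C0-A465-27536D3B3C98} - C:\WINDOWS\system32\winhelper.dll
{6DBCA3F0-ACCF-4F0E-8998-F976BB4FA56D} - C:\WINDOWS\system32\winhelper.dll

Registry Startups (3 whitelisted)
HKLM\..\Run, winupdate.exe = C:\WINDOWS\system32\winupdate.exe
HKCU\..\Run, Advanced Virus Remover = C:\Program Files\AdvancedVirusRemover\PAVRM.exe

Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe

Application modules (70 whitelisted)
C:\WINDOWS\system32\winhelper.dll

Recently created/modified files
1 minute, c:\Program Files\AdvancedVirusRemover\PAVRM.exe
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\SetupAdvancedVirusRemover[1].exe
1 minute, c:\WINDOWS\system32\winhelper.dll
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\dfghfghgfj[1].dll
1 minute, c:\WINDOWS\system32\winupdate.exe
"""

# Layout assumptions (inferred from the sample): a section title optionally ends
# in "(N whitelisted)"; registry lines are "key, value = data"; LSP lines are
# "{guid} - path"; recent-file lines are "age, path".
SECTION_RE = re.compile(r"^(?P<name>.+?)(?: \((?P<wl>\d+) whitelisted\))?$")
REG_VALUE_RE = re.compile(r"^(?P<key>[^,]+), (?P<value>.+?) = (?P<data>.+)$")
LSP_RE = re.compile(r"^(?P<guid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
RECENT_RE = re.compile(r"^(?P<age>[^,]+), (?P<path>[A-Za-z]:\\.+)$")


def parse_log(text):
    """Split the log into its header lines and an ordered {section: [entries]} map."""
    blocks = [b.splitlines() for b in re.split(r"\n\s*\n", text.strip())]
    header = [line.strip() for line in blocks[0]]
    sections = OrderedDict()
    for block in blocks[1:]:
        name = SECTION_RE.match(block[0].strip()).group("name")
        sections[name] = [line.strip() for line in block[1:] if line.strip()]
    return header, sections


def extract_indicators(sections):
    """Collect policy tweaks, LSP entries, Run keys, recent files and referenced paths."""
    ind = {"policies": [], "lsp": [], "run": [], "recent": [], "files": set()}
    for entry in sections.get("System policies", []):
        m = REG_VALUE_RE.match(entry)
        # DisableTaskMgr = 1 is the rogue blocking the user from killing it.
        if m and m.group("value") == "DisableTaskMgr" and m.group("data") == "1":
            ind["policies"].append((m.group("key"), m.group("value")))
    for entry in sections.get("Transport service providers", []):
        m = LSP_RE.match(entry)
        if m:
            ind["lsp"].append((m.group("guid"), m.group("path")))
            ind["files"].add(m.group("path").lower())
    for entry in sections.get("Registry Startups", []):
        m = REG_VALUE_RE.match(entry)
        if m:
            ind["run"].append((m.group("key"), m.group("value"), m.group("data")))
            ind["files"].add(m.group("data").lower())
    for entry in sections.get("Recently created/modified files", []):
        m = RECENT_RE.match(entry)
        if m:
            ind["recent"].append((m.group("age"), m.group("path")))
    return ind


def where_seen(sections, path):
    """Names of the sections whose entries mention the given path (case-insensitive)."""
    needle = path.lower()
    return sorted(name for name, entries in sections.items()
                  if any(needle in e.lower() for e in entries))


def remediation_plan(ind):
    """Ordered clean-up steps: registry values first, LSP catalog next, files last."""
    steps = []
    for key, value in ind["policies"]:
        steps.append(f"delete registry value {key}\\{value}")
    for key, value, _data in ind["run"]:
        steps.append(f"delete registry value {key}\\{value}")
    if ind["lsp"]:
        guids = ", ".join(guid for guid, _path in ind["lsp"])
        steps.append(f"remove LSP catalog entries {guids} and repair the Winsock "
                     "catalog before deleting the DLL they point to")
    for path in sorted(ind["files"]):
        steps.append(f"quarantine {path}")
    return steps


if __name__ == "__main__":
    _header, secs = parse_log(SAMPLE_LOG)
    found = extract_indicators(secs)
    for f in sorted(found["files"]):
        print(f, "->", where_seen(secs, f))
    print("\n".join(remediation_plan(found)))
```

The ordering in `remediation_plan` matters in practice: the LSP entries are what make this infection more than a Run-key nuisance. Deleting winhelper.dll while the Winsock catalog still references it leaves every socket-using program on the machine failing to connect, so the catalog entries have to be removed or the catalog reset (Windows XP SP2 ships `netsh winsock reset` for this) before the DLL itself is quarantined.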
