Friday, 6 November 2009

BlockProtector

Ran into a new fake anti-virus program today. This time it's called BlockProtector and claims to have found 700+ "SPYWARE Objects":



Here's a FreeFixer log from the infected system. I've marked the malware files with red:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-06 22:55


Registry Startups (3 whitelisted)
HKLM\..\Run, BlockProtector.exe = C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
HKCU\..\Run, gdm1F.tmp.exe = C:\WINDOWS\system32\gdm1F.tmp.exe

Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\gdm1F.tmp.exe
C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe

Application modules (85 whitelisted)
C:\WINDOWS\system32\MSVCR71.dll

Recently created/modified files (27 whitelisted)
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\update\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.exe

End of FreeFixer log
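As an added example (not part of this post and not FreeFixer's own code), here is a small Python script that parses the log sections above and flags the kind of entries marked as malware: the .tmp.exe loader registered under the HKCU Run key and started from the user's Temp folder. The abridged sample log, the regexes and the finding labels are constructed for this example.

```python
import re

# Constructed sample, abridged from the FreeFixer log quoted in the post.
SAMPLE_LOG = r"""
Registry Startups (3 whitelisted)
HKLM\..\Run, BlockProtector.exe = C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
HKCU\..\Run, gdm1F.tmp.exe = C:\WINDOWS\system32\gdm1F.tmp.exe

Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\gdm1F.tmp.exe
C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe

Recently created/modified files (27 whitelisted)
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.exe

End of FreeFixer log
"""

SECTION_RE = re.compile(r"^(Registry Startups|Processes|Application modules|Recently created/modified files)")
TMP_EXE_RE = re.compile(r"\.tmp\.exe$", re.IGNORECASE)  # temp-file name given an .exe extension
TEMP_DIR_RE = re.compile(r"\\(Temp|LOCALS~1|Local Settings)\\", re.IGNORECASE)

def parse_log(text):
    """Return {section name: [path, ...]} from the FreeFixer log sections."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif current and line and not line.startswith("End of"):
            # Startups look like "KEY, name = path"; recent files like "2 minutes, path".
            if " = " in line: line = line.split(" = ", 1)[1]
            elif current.startswith("Recently"): line = line.split(", ", 1)[-1]
            sections[current].append(line)
    return sections

def flag_rogue_indicators(sections):
    """Heuristics for what the post marks as malware: temp-style loader names,
    binaries running from a temp dir, and an autostart name launched from a second path."""
    findings = []
    startups = sections.get("Registry Startups", [])
    procs = sections.get("Processes", [])
    for p in startups + procs:
        if TMP_EXE_RE.search(p): findings.append(("tmp-named executable", p))
        if TEMP_DIR_RE.search(p): findings.append(("runs from temp dir", p))
    start_names = {p.rsplit("\\", 1)[-1].lower(): p for p in startups}
    for p in procs:  # same basename as a Run-key target, but a different location
        if start_names.get(p.rsplit("\\", 1)[-1].lower(), p).lower() != p.lower():
            findings.append(("autostart name launched from other path", p))
    return findings
```

The BlockProtector GUI itself is not caught by these heuristics; they pick out the loader that the rogue product drops, which is the persistence to look for first.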
