Here's another rogue anti-spyware application that was installed by exploiting a security hole:
Friday, 14 August 2009
Thursday, 13 August 2009
Advanced Virus Remover Rogue
Ran into this rogue anti-virus program a few days ago:
Update October 27, 2009
Today I ran into this rogue again. I captured a FreeFixer log where you can see the modifications Advanced Virus Remover did on the infected computer:
FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-10-27 18:15
System policies
HKCU\..\policies\system, DisableTaskMgr = 1
Transport service providers (3 whitelisted)
{3F8DAED5-1A15-44C0-A465-27536D3B3C98} - C:\WINDOWS\system32\winhelper.dll
{6DBCA3F0-ACCF-4F0E-8998-F976BB4FA56D} - C:\WINDOWS\system32\winhelper.dll
Registry Startups (3 whitelisted)
HKLM\..\Run, winupdate.exe = C:\WINDOWS\system32\winupdate.exe
HKCU\..\Run, Advanced Virus Remover = C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\WINDOWS\system32\winupdate.exe
C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Application modules (70 whitelisted)
C:\WINDOWS\system32\winhelper.dll
Recently created/modified files
1 minute, c:\Program Files\AdvancedVirusRemover\PAVRM.exe
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\SetupAdvancedVirusRemover[1].exe
1 minute, c:\WINDOWS\system32\winhelper.dll
1 minute, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\dfghfghgfj[1].dll
1 minute, c:\WINDOWS\system32\winupdate.exe
..
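To turn a log like the one above into findings automatically, here is an added example (my own code, not FreeFixer's) that parses the FreeFixer log format into its sections and correlates the entries: a DisableTaskMgr policy, a Winsock transport service provider DLL that was just written to disk, and Run-key autostarts whose target appears in the recently created files list. It assumes the section headers are printed exactly as in the log above; the embedded sample is this post's log, trimmed to its non-whitelisted entries.

```python
import re

# Constructed sample: the FreeFixer log from this post, trimmed to its non-whitelisted entries.
SAMPLE_LOG = r"""
System policies
HKCU\..\policies\system, DisableTaskMgr = 1
Transport service providers (3 whitelisted)
{3F8DAED5-1A15-44C0-A465-27536D3B3C98} - C:\WINDOWS\system32\winhelper.dll
Registry Startups (3 whitelisted)
HKLM\..\Run, winupdate.exe = C:\WINDOWS\system32\winupdate.exe
HKCU\..\Run, Advanced Virus Remover = C:\Program Files\AdvancedVirusRemover\PAVRM.exe
Recently created/modified files
1 minute, c:\Program Files\AdvancedVirusRemover\PAVRM.exe
1 minute, c:\WINDOWS\system32\winhelper.dll
1 minute, c:\WINDOWS\system32\winupdate.exe
"""

# Section headers as FreeFixer prints them (assumed fixed), with an optional whitelist count.
SECTION_RE = re.compile(r"^(System policies|Transport service providers|Registry Startups|Processes"
                        r"|Application modules|Recently created/modified files)(?: \(\d+ whitelisted\))?$")

def parse_log(text):
    """Group the log's lines under the section header they follow."""
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections[current] = []
        elif line and current:
            sections[current].append(line)
    return sections

def _target(entry, sep):
    # File path to the right of `sep`, case-folded because Windows paths are case-insensitive.
    return entry.split(sep, 1)[-1].strip().lower()

def find_indicators(sections):
    """Map each indicator to the log entries that triggered it."""
    recent = {_target(e, ",") for e in sections.get("Recently created/modified files", [])}
    return {
        # Rogue AVs commonly disable Task Manager so the user cannot end their process.
        "taskmgr_disabled": [e for e in sections.get("System policies", [])
                             if e.lower().endswith("disabletaskmgr = 1")],
        # A just-written DLL registered as a Winsock LSP gets loaded into every networking process.
        "recent_lsp_dll": [e for e in sections.get("Transport service providers", [])
                           if _target(e, " - ") in recent],
        "recent_autostart": [e for e in sections.get("Registry Startups", [])
                             if _target(e, "=") in recent],
    }
```

Running `find_indicators(parse_log(SAMPLE_LOG))` flags the policy, the winhelper.dll LSP entry and both Run entries; an entry that is absent from the recently modified list stays out of the findings and needs manual review instead.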
Tuesday, 11 August 2009