Friday, 13 November 2009

Koobface "Locks" Computer With Captcha

Koobface is still going strong. Here you can see it in action. It "locks" the computer and asks the user to solve a captcha:

Koobface asking you to solve a captcha

I've pasted the FreeFixer log from the infected system. Everything is malware except freefixer.exe:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-14 01:55


Registry Startups (3 whitelisted)
HKLM\..\Run, sysldtray = c:\windows\ld15.exe
HKLM\..\Run, Captcha7 = rundll "C:\Program Files\captcha.dll",captcha
HKLM\..\Run, sysfbtray = c:\windows\freddy73.exe

Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
c:\windows\freddy73.exe

Recently created/modified files
8 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\WEGR55JE\v2googlecheck[1].exe
8 minutes, c:\Program Files\captcha.dll
8 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\v2captcha[1].exe
20 minutes, c:\WINDOWS\zwer_1258158897.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\v2googlecheck[1].exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\v2captcha[1].exe
20 minutes, c:\WINDOWS\freddy73.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\O1EF052R\fb[1].73.exe
20 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\6CSRVCZ7\get[1].exe
21 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\4HUF4TYN\ff2ie[1].exe
21 minutes, c:\WINDOWS\ld15.exe

End of FreeFixer log

Control Center Rogue

Yet another rogue. This one is promoted as a free video. If you install the "video", you will get the Control Center Rogue. It claims to detect lots of viruses on a clean system. It also replaces the default shell with cc.exe.



If you have this infection and want to start your default shell (explorer.exe) again, press Ctrl + Shift + Esc and the Task Manager will pop up. Open the File menu and select New Task, type in explorer.exe and press Enter. Now you can start FreeFixer to remove the ControlCenter malware. I've marked the malware files in red in the FreeFixer log below:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-14 00:30


Shell settings
HKCU\..\Winlogon, Shell = C:\Documents and Settings\roger\Application Data\CC\cc.exe

Registry Startups (3 whitelisted)
HKCU\..\Run, agent.exe = C:\Documents and Settings\roger\Application Data\CC\agent.exe

Processes (18 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\Documents and Settings\roger\Application Data\CC\agent.exe
C:\Documents and Settings\roger\Application Data\CC\cc.exe


End of FreeFixer log
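The two logs above show the persistence tricks a FreeFixer log makes visible: a Winlogon Shell value pointing somewhere other than explorer.exe (Control Center), Run keys launching executables dropped straight into C:\WINDOWS, a rundll entry loading a DLL at logon (Koobface), and the *.tmp.exe names and %TEMP% paths that recur in the other rogue logs on this page. The script below is an added example, not FreeFixer's own code: it parses the plain-text log format as it appears here and flags those patterns. The Windows XP defaults and the short list of executables that legitimately live in the Windows directory are assumptions written into the script, not read from the log; the sample log is constructed from entries taken from the posts on this page.

```python
# Added example, not FreeFixer code: triage a FreeFixer log for the persistence tricks above.
import re
from collections import namedtuple

# Clean Windows XP defaults and %WINDIR% residents; assumptions, not read from the log.
DEFAULT_SHELL = "explorer.exe"
WINDIR_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                     "winhlp32.exe", "twunk_16.exe", "twunk_32.exe"}

SECTION_HEADER = re.compile(
    r"^(Shell settings|Registry Startups|Processes|Application modules|"
    r"Recently created/modified files)(?: \(\d+ whitelisted\))?$")
SUSPICIOUS_DIRS = [re.compile(p, re.I) for p in (
    r"\\local settings\\temp\\", r"\\locals~1\\temp\\",
    r"\\application data\\", r"\\temporary internet files\\")]
WINDIR_ROOT_EXE = re.compile(r"^[a-z]:\\windows\\([^\\]+\.exe)$", re.I)
TMP_EXE = re.compile(r"\.tmp\.exe$", re.I)
RUNDLL = re.compile(r"^rundll(32)?(\.exe)?\s+", re.I)
FILE_AGE = re.compile(r"^-?\d+ minutes?, ")  # "8 minutes, c:\..." prefix in the files section

Finding = namedtuple("Finding", "section entry reason")

def parse_sections(log_text):
    """Split a FreeFixer log into {section name: [entry lines]}; header lines are skipped."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := SECTION_HEADER.match(line):
            current = m.group(1)
            sections.setdefault(current, [])
        elif line == "End of FreeFixer log":
            current = None
        elif current:
            sections[current].append(line)
    return sections

def path_reasons(path):
    """Location/name heuristics for one file path; an empty list means nothing odd."""
    reasons = []
    if any(p.search(path) for p in SUSPICIOUS_DIRS):
        reasons.append("runs from a user temp/profile directory")
    m = WINDIR_ROOT_EXE.match(path)
    if m and m.group(1).lower() not in WINDIR_ROOT_ALLOW:
        reasons.append("unknown executable dropped directly in the Windows directory")
    if TMP_EXE.search(path):
        reasons.append("*.tmp.exe installer-style name made persistent")
    return reasons

def run_target(value):
    """Reduce a Run value to the file it executes (drop a rundll wrapper and switches)."""
    v = value.strip()
    if RUNDLL.match(v):
        v = RUNDLL.sub("", v, count=1).split(",")[0]  # rundll "x.dll",entry -> "x.dll"
    else:
        v = re.split(r"\s+[-/]", v)[0]  # drop switches such as -min
    return v.strip().strip('"')

def triage(log_text):
    """Return the list of Findings for one FreeFixer log."""
    sections, findings = parse_sections(log_text), []
    for line in sections.get("Shell settings", []):
        key, _, value = line.partition(" = ")
        if key.lower().endswith(", shell") and value.strip().lower() != DEFAULT_SHELL:
            where = "per-user (HKCU)" if key.upper().startswith("HKCU") else "machine-wide"
            findings.append(Finding("Shell settings", line,
                                    f"Winlogon Shell replaced {where}; expected explorer.exe"))
    for line in sections.get("Registry Startups", []):
        value = line.partition(" = ")[2]
        reasons = ["rundll loads a DLL at logon"] if RUNDLL.match(value.strip()) else []
        reasons += path_reasons(run_target(value))
        if reasons:
            findings.append(Finding("Registry Startups", line, "; ".join(reasons)))
    for line in sections.get("Processes", []):
        if reasons := path_reasons(line):
            findings.append(Finding("Processes", line, "; ".join(reasons)))
    for line in sections.get("Recently created/modified files", []):
        if reasons := path_reasons(FILE_AGE.sub("", line)):
            findings.append(Finding("Recently created/modified files", line, "; ".join(reasons)))
    return findings

# Constructed sample: entries taken from the logs in the posts on this page, stitched into one.
SAMPLE_LOG = r"""
Shell settings
HKCU\..\Winlogon, Shell = C:\Documents and Settings\roger\Application Data\CC\cc.exe
Registry Startups (3 whitelisted)
HKLM\..\Run, sysldtray = c:\windows\ld15.exe
HKLM\..\Run, Captcha7 = rundll "C:\Program Files\captcha.dll",captcha
HKCU\..\Run, zrn6.tmp.exe = C:\WINDOWS\system32\zrn6.tmp.exe
HKCU\..\Run, AntiAID = C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe -min
Processes (19 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\zrn6.tmp.exe
Recently created/modified files
8 minutes, c:\Documents and Settings\roger\Local Settings\Temporary Internet Files\Content.IE5\WEGR55JE\v2googlecheck[1].exe
End of FreeFixer log
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.entry}\n    -> {f.reason}")
```

Run against the sample it flags the cc.exe shell, the two Koobface Run entries, the zrn6.tmp.exe Run entry and process, and the dropper in Temporary Internet Files, while leaving freefixer.exe alone. Note what it does not catch: a rogue such as AntiAID installs under C:\Program Files with a product-like name and a -min switch, exactly like legitimate software, so a path heuristic says nothing about it. Judging those entries by name is the part of the triage that the red marking in these posts does by hand.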

Thursday, 12 November 2009

AntiAID

Another day, another faked anti-virus program. Today it's called AntiAID and claims to detect a bunch of malware on a clean computer:

AntiAID screenshot

I've pasted a FreeFixer log below and highlighted the malware files in red:
FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-12 10:22


Registry Startups (3 whitelisted)
HKCU\..\Run, 8enyqcv1.exe = C:\WINDOWS\system32\8enyqcv1.exe
HKCU\..\Run, AntiAID = C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe -min

Processes (20 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\8enyqcv1.exe
C:\Program Files\AntiAID Software\AntiAID\AntiAID.exe

Recently created/modified files (29 whitelisted)
-123 minutes, c:\Program Files\AntiAID Software\AntiAID\AntiAID.exe

End of FreeFixer log

Wednesday, 11 November 2009

SystemWarrior Malware

Ran into a new faked anti-virus program today called System Warrior. It claims to have found lots of malware on a clean system:



I've pasted the FreeFixer log from the infected system below, and marked the malware items in red. Hopefully this will help you to remove SystemWarrior:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-11 14:51


Registry Startups (3 whitelisted)
HKLM\..\Run, SystemWarrior = "C:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe" -min
HKCU\..\Run, zrn6.tmp.exe = C:\WINDOWS\system32\zrn6.tmp.exe

Processes (21 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\zrn6.tmp.exe
C:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe

Recently created/modified files (16 whitelisted)
0 minutes, c:\Program Files\SystemWarrior Software\SystemWarrior\Uninstall.exe
0 minutes, c:\Program Files\SystemWarrior Software\SystemWarrior\SystemWarrior.exe
0 minutes, c:\WINDOWS\system32\zrn6.tmp.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temp\zrn6.tmp.exe
0 minutes, c:\Documents and Settings\roger\Local Settings\Temp\tbg5.tmp.exe


End of FreeFixer log

Monday, 9 November 2009

AntiMalware Rogue

Found another rogue today named "AntiMalware". It claims to have found 10 threats on a clean computer:



This rogue is located in C:\Program Files\AntiMalware\. Its executable file is named antimalware.exe.

Friday, 6 November 2009

BlockProtector

Ran into a new faked anti-virus program today. This time it's called BlockProtector and claims to have found 700+ "SPYWARE Objects":



Here's a FreeFixer log from the infected system. I've marked the malware files with red:

FreeFixer v0.49 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-06 22:55


Registry Startups (3 whitelisted)
HKLM\..\Run, BlockProtector.exe = C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe
HKCU\..\Run, gdm1F.tmp.exe = C:\WINDOWS\system32\gdm1F.tmp.exe

Processes (23 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\gdm1F.tmp.exe
C:\Program Files\BlockProtector Software\BlockProtector\BlockProtector.exe

Application modules (85 whitelisted)
C:\WINDOWS\system32\MSVCR71.dll

Recently created/modified files (27 whitelisted)
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\update\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.dll
2 minutes, c:\WINDOWS\SoftwareDistribution\Download\4f16665ac0e64727d0b09512c7b6d40c\tzchange.exe

End of FreeFixer log

Tuesday, 3 November 2009

McAfee + Adobe Reader 9

Looks like Adobe and McAfee have teamed up. Adobe Reader 9 bundles a McAfee component which can display the following message:



I think that most people get pretty annoyed by this type of bundling.

Monday, 2 November 2009

BlockScanner Rogue

Ran into a new rogue today called BlockScanner:



Here's a FreeFixer log which shows what modifications the Block Scanner software did on the infected computer:

FreeFixer v0.48 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 2
Log dated 2009-11-02 13:03


Registry Startups (3 whitelisted)
HKLM\..\Run, 0079dcbc.exe = C:\WINDOWS\system32\0079dcbc.exe
HKCU\..\Run, goz21.tmp.exe = C:\WINDOWS\system32\goz21.tmp.exe
HKCU\..\Run, BlockScanner = C:\Program Files\BlockScanner Software\BlockScanner\BlockScanner.exe -min

Processes (20 whitelisted)
C:\Program Files\FreeFixer\freefixer.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\goz21.tmp.exe
C:\DOCUME~1\roger\LOCALS~1\Temp\nqn22.tmp.exe
C:\Program Files\BlockScanner Software\BlockScanner\BlockScanner.exe

Recently created/modified files (1 whitelisted)
3 minutes, c:\Program Files\BlockScanner Software\BlockScanner\uninstall.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\nsu20.tmp\nsProcess.dll
3 minutes, c:\WINDOWS\system32\goz21.tmp.exe
3 minutes, c:\WINDOWS\system32\0079dcbc.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\nqn22.tmp.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\goz21.tmp.exe
3 minutes, c:\Documents and Settings\roger\Local Settings\Temp\rew1E.tmp.exe
..

Sunday, 1 November 2009

My Favorite Screenshots


Adobe Flash Player bundles McAfee Security Scan:



The winlogon86.exe malware displays a faked detection pop-up:



FreeFixer repairing broken Internet Access due to the winhelper86.dll malware:




Fixing the UserInit registry setting by booting directly from the Windows Vista installation DVD: