Windows Recovery is a scareware which masquerades as a system performance optimization tool. Belonging to the FakeSysdef trojan family, it comes in many names including HDD Defragmenter, Check Disk, Windows Repair, Windows Restore, Windows SafeMode, Windows Fix Disk and Windows Recovery. It uses a variety of fake warning alerts about non-existent errors in computer hard drive, memory and Windows registry to try and cheat gullible users. This rogue optimization software disables Windows Task Manager and Quick launch bar. It also hides All Programs, My Documents and Administrative Tools menu items to confuse and scare the victims.

After continuous bogus error messages, the system is forcibly restarted every few minutes. On restart the rogue software runs a scan automatically and declares finding of multiple errors. The desktop background is blanked and the unclose-able Windows Recovery window hogs the focus.

Desktop hijacked by WindowsRecovery

Scareware like WindowsRecovery are commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

WindowsRecovery Removal (How to remove WindowsRecovery)

1. Boot in to Windows Safe Mode with networking
2. Download or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive. MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) and TDSSKiller – often this family of scareware comes bundled with the TDSS rootkit
3. Right click and save the file Fakesysdef_unhide.txt to your desktop. Rename the file from Fakesysdef_unhide.txt to Fakesysdef_unhide.cmd. This file will help to reveal the files and folders hidden by this rogue optimizer.
4. Run the TDSSKiller utility to check for the rootkit.
5. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
6. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
7. To unhide files and folders hidden by this rogue optimizer, double-click and run Fakesysdef_unhide.cmd.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as WindowsRecovery. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

WindowsRecovery Analysis

A rogue security software such as WindowsRecovery belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

This fake software hides the All Programs menu item in the Start menu and My Documents folder by running the following commands in the background:

• attrib +h “C:\Documents and Settings\malwarehelp.org\*.*
• attrib +h “C:\Documents and Settings\All Users\Start Menu\*.* ” /s /d

The trojan installer was about 552960 bytes in size. This scareware is detected by 27/ 42 (64.3%) of the antivirus engines available at VirusTotal. It is identified as:

• Win32:FakeSysdef-EG
• Trojan.Fakealert.20587
• Win32/FakeAV.RQY
• Generic FakeAlert.am
• Trojan:Win32/FakeSysdef
• Win32/Kryptik.MQP
• RogueAntiSpyware.UltraDefraggerFraud!rem
• TROJ_FAKEAV.SM10

Typical WindowsRecovery Scare Messages

The system has detected a problem with one or more installed IDE/SATA hard disks. It is recommended that your restart the system.

Critical Error
hard drive critical error. Run a system diagnostic utility to check your hard disk drive for error. Windows can’t find hard disk space. Hard drive error.

System Error
An error occurred while reading system files. Run a system diagnostic utility to check your hard disk drive for errors.

Windows – Delayed write filed
Windows was unable to save all the data for the file \System32\496A8300. The data has been lost. This error may be caused by a failure of your computer hardware.

Critical Error
Damaged hard drive clusters detected. Private data is at risk.

Critical Error
RAM memory usage is critically high. RAM memory failure.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

• Immediately contact the bank that issued the card and dispute the charges.
• Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

WindowsRecovery Associated Files and Folders

• C:\Documents and Settings\All Users\Application Data\17358644
• C:\Documents and Settings\All Users\Application Data\17358644.exe
• C:\Documents and Settings\All Users\Application Data\YbUyNeWOvrpYj.exe
• C:\Documents and Settings\malwarehelp.org\Desktop\Windows Recovery.lnk
• C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\~DF6CF1.tmp
• C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Windows Recovery\Uninstall Windows Recovery.lnk
• C:\Documents and Settings\malwarehelp.org\Start Menu\Programs\Windows Recovery\Windows Recovery.lnk
• C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\tmp3.tmp

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

WindowsRecovery Associated Registry Values and Keys

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0

• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags=0
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download\CheckExeSignatures=no
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\CertificateRevocation=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallPaper=1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes=/{hq:/s`s:/ogn:/uyu:/dyd:/c`u:/bnl:/ble:/sdf:/lrh:/iul:/iulm:/fhg:/clq:/kqf:/`wh:/lqf:/lqdf:/lnw:/lq2:/l2t:/v`w:/rbs:
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\SaveZoneInformation=1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr=1
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\YbUyNeWOvrpYj=C:\Documents and Settings\All Users\Application Data\YbUyNeWOvrpYj.exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

WindowsRecovery Associated Domains

This scareware was observed accessing the following domains during installation and operation:

• findchalk .org
• searchfew .org
• searchbite .org
• indexperie .org
• searchmoaning .org
• findadvertisem .org

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

WindowsRecovery Scareware — Screenshots

Note: The WindowsRecovery installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post WindowsRecovery Removal and Analysis appeared first on Malware Help. Org.

Similar in design and behavior to Antivirus soft and Antivirus Live rogues, this scareware aggressively displays a number of fake security alerts about network infiltration attempts and non-existent malware. Hijacks Internet Explorer by modifying the proxy settings and automatically opens porn websites every now and then. IE is allowed to visit only the sites related to this rogue.

Scareware like Antivirus Protection are commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

Desktop hijacked by Antivirus Protection Trial

Antivirus Protection Removal (How to remove Antivirus Protection)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

1. Boot in to Windows Safe Mode with networking
2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
5. Turn System Restore off and on.

If you find the Internet Explorer is still being re-directed to the scareware website, remove the proxy settings as follows:

Open Internet Explorer, Click Tools menu and then click Internet options or open Internet options via control panel. In the Internet Options window, select the Connections tab. In the Connections tab, click on LAN settings.

In the Local Area Network (LAN) Settings window, click Advanced and clear the proxy address 127.0.0.1 and any number in the port box. It was 47392 in my case. Click Yes and OK your way out.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus Protection. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Antivirus Protection Analysis

Antivirus Protection scareware blocks execution of most programs and Windows administrative tasks like Task manager, command prompt and Registry editor. It blocks execution of Chrome browser, Firefox was able to function normally.

A rogue security software such as Antivirus Protection belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

The trojan installer was about 410112 bytes in size. This scareware is detected by 30/ 41 (73.2%) of the antivirus engines available at VirusTotal. It is identified as:

• Trojan/Win32.FakeAV
• TR/Fake.Spypro.137
• Win32.FakeAlert.Spyp
• Rogue:Win32/FakeSpypro
• Win32/Adware.SpywareProtect2009
• W32/FakeAlert.CJZL

Typical Antivirus Protection Scare Messages

Windows Security Alert
Windows reports that computer is infected. Antivirus software helps to protect your computer against viruses and other security threats. /click here for the scan your computer. Your system might be at risk now.

Spyware alert
There are serious threats detected on your comupter. Your privacy and personal data may not be safe.

Antivirus software alert
INFILTRATION ALERT
Virus attack
Your computer is being attacked by an internet virus. It culd be a pasword-stealing attack, a trojan-dropper or similar.

Security alert
Virus alert!
Application can’t be started!
The file taskmgr.exe is damaged.
Do you want to activate your antivirus software now?

ATTENTION! SPYWARE ALERT
Vulnerabilities found.
your computer is infected by spyware – 34 serious threats have been found while scanning your files and registry. It is strongly recommended that your disinfect your computer and activate realtime secure protection against future intrusions.

Internet Explorer Waring – visiting this web site may harm your computer!
Most likely causes:
The website contains exploits that can launch a malicious code on your computer
Suspicious network activity detected
There might be an active spyware running on your computer

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

• Immediately contact the bank that issued the card and dispute the charges.
• Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antivirus Protection Associated Files and Folders

• C:Documents and Settingsmalwarehelp.orgDesktopAntivirusProtectionTrial.exe
• C:Documents and Settingsmalwarehelp.orgLocal SettingsTemprfcsyghvuxlkdpuhxsik.exe
• C:WINDOWSPrefetchANTIVIRUSPROTECTIONTRIAL.EXE-2B2A38AC.pf
• C:WINDOWSPrefetchXLKDPUHXSIK.EXE-139348BD.pf

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antivirus Protection Associated Registry Values and Keys

• HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDownloadCheckExeSignatures=no
• HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerDownloadRunInvalidSignatures=1
• HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerPhishingFilterEnabledV8=0
• HKEY_CURRENT_USERSoftwareMicrosoftInternet ExplorerPhishingFilterEnabled=0
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsProxyServer=http=127.0.0.1:47392
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionInternet SettingsProxyOverride=
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociationsLowRiskFileTypes=.exe
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAttachments
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionPoliciesAttachmentsSaveZoneInformation=1
• HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRungoygivxn=C:DOCUME~1MALWAR~1.ORGLOCALS~1Temprfcsyghvuxlkdpuhxsik.exe

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

Antivirus Protection Associated Domains

This scareware was observed accessing the following domains during installation and operation:

• antiviria .com
• antispydrome .net

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus Protection Scareware — Screenshots

Note: The Antivirus Protection installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post Antivirus Protection Removal and Analysis appeared first on Malware Help. Org.

This scareware uses the name of a legitimate security application to ply its trade upon unwary users. BitDefender 2011 scareware copies the logo and design elements of the well known bitdefender range of security products. Once installed, this rogue software blocks execution of legitimate programs with fake security alerts. These fake warning messages are very frequent making the desktop unusable.

BitDefender 2011 scareware adds a column to the Windows Task Manager, fraudulently marking legitimate processes as “Infected”. This rogue security software also hijacks the major browsers like Internet Explorer, Firefox, Chrome, Opera and Safari so that they are allowed to open in a fraudulent Internet Explorer Emergency Mode. It also blocks installation of security software to protect itself.

Scareware like BitDefender 2011 are commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

BitDefender 2011 Removal (How to remove BitDefender 2011)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

1. Boot in to Windows Safe Mode with networking
2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as BitDefender 2011. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

BitDefender 2011 Analysis

A rogue security software such as BitDefender 2011 belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

BitDefender 2011 severely restricts browsing. Major browsers like Firefox, Chrome, Opera and Safari are allowed to open only in a fraudulent internet explorer emergency mode. This is done by tampering with the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options. Many Websites are blocked and a fake security alert as below is displayed with a forged URL http://microsoft.com/#blacklist

This web site refused your connection as it was reported as malicious request. This can be caused by Viruses, Trojans or Malware found on your computer.

The trojan dropper file was about 1242632 bytes in size. This scareware is detected by 19/ 41 (46.3%) of the antivirus engines available at VirusTotal. It is identified as:

• Trojan/Win32.FraudPack
• Trojan.FakeAV.LNN
• Trojan.Fakealert.20653
• Trojan.Win32.FraudPack.cshp
• Rogue:Win32/FakeXPA

Typical BitDefender 2011 Scare Messages

About Internet Explorer Emergency Mode
Your PC is infected with malicious software and browse couldn’t be launched.
You may use Internet Explorer in Emergency Mode – internal service browser of Microsoft Windows system with limited usability.
Notice: some sites refuse connection with Internet Explorer in Emergency Mode. In such case system warning page will be showed to you.

Attention! Your web page request has been cancelled.
This web site refused your connection as it was reported as a malicious request.
This can be caused by Viruses, Trojans or Malware found on your computer.
In ordr to resend your request to the website, press Resend request (please note, this action may cause a permanent block of your computer by the requested website)
In order to activate your security software, please press Fix Now ( recommended)

Google Redirect Virus activity detected
Google Redirect Virus is an application which was designed to have harmful functionality and is utilized to ensure a PC user’s entire network is compromised and possibly endangered. This term Trojan refers to the fact this particular malware, Google Redirect virus is installed under deceptive pretences, infiltrating the
user’s PC without their approval or knowledge.

NetPumper Send Reports Blocked
Once installed on your machine, Netpumper may start monitoring your web browsing habits, such as what pages you usually load and what search terms you usually type in the search page. NetPumper may also deliver excessive pop-up advertisements even when you are not browsing the Internet. NetPumper has also an ability to slow down your computer performance by using yur hard drive recources in order to deliver advertisements on your computer screen.

Security Center Alert
To help protect your computer, Security Center has blocked some features of this program
Sft.dez.Wien is a virus attempts to spread itself by attaching to a host program and can damage hardware, software or data in the process. This worm can be blocked from firewall and antivirus software.

VirtuMonde activity tracked
Virtumonde is an adware program that tends to monitor your Internet browsing habits and may display targeted advertisements onto your computer screen. Virtumonde may also create a malicious DLL file in order to log your keystrokes and send the recorded information to a third party website. Virtumonde is an unwanted application and recommended to be removed.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

• Immediately contact the bank that issued the card and dispute the charges.
• Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

BitDefender 2011 Associated Files and Folders

• C:\Documents and Settings\All Users\Start Menu\BitDefender 2011\BitDefender 2011.lnk
• C:\Documents and Settings\All Users\Start Menu\BitDefender 2011\Uninstall.lnk
• C:\Documents and Settings\malwarehelp.org\Desktop\BitDefender 2011.lnk

• C:\WINDOWS\system32\iesafemode.exe
• C:\WINDOWS\Prefetch\BITDEFENDER.EXE-0571D06A.pf
• C:\WINDOWS\Prefetch\BITDEFENDER.EXE-06B296CB.pf
• C:\WINDOWS\Prefetch\MSCONFIG.EXE-1EF1EA0F.pf

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

BitDefender 2011 Associated Registry Values and Keys

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\chrome.exe\Debugger=iesafemode.exe -sb
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\firefox.exe\Debugger=iesafemode.exe -sb
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe\Debugger=iesafemode.exe -sb
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\opera.exe\Debugger=iesafemode.exe -sb
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\safari.exe\Debugger=iesafemode.exe -sb

• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\BitDefender 2011=C:\Program Files\BitDefender 2011\bitdefender.exe
• HKEY_CURRENT_USER\Control Panel\Desktop\ForegroundLockTimeout=0
• HKEY_CURRENT_USER\Software\EVA86D\
• HKEY_CURRENT_USER\Software\Mon86D
• HKEY_CURRENT_USER\Software\Mon86D\ebggddkhod=AGT
• HKEY_CURRENT_USER\Software\Mon86D\ebggeddf=EVA
• HKEY_CURRENT_USER\Software\Mon86D\ebgglcofkc=ABCEVA
• HKEY_CURRENT_USER\Software\Mon86D\ebggbc={EA520B3F-F2F1-41E0-AD9F-C818F032C581}
• HKEY_CURRENT_USER\Software\Mon86D\ebggddnf=0
• HKEY_CURRENT_USER\Software\Mon86D\ebgglceeac=C:\Program Files\BitDefender 2011\bitdefender.exe
• HKEY_CURRENT_USER\Software\Mon86D\ebggfdlh=BitDefender 2011

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

BitDefender 2011 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

• http://secure.supersoftstore. com
• http://windows-networks. com/
• http://secure.ordersunsprotection. com/

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

BitDefender 2011 Scareware — Screenshots

Note: The BitDefender 2011 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post BitDefender 2011 Removal and Analysis appeared first on Malware Help. Org.

Antivirus AntiSpyware 2011 is rogue security application, similar to Internet Security 2010, Security essentials 2010, Security essentials 2011 etc., Once installed, this scareware produces frequent fake security warnings about non-existent malware and network intrusions. This rogue software pops up a security alert and blocks execution of legitimate programs. The fake security alerts come in a variety of shapes and colors designed to cheat the unwary users.

Scareware like Antivirus AntiSpyware 2011 are commonly installed when users are redirected to fake online scanner pages, fraudulent porn sites, illegal cracks/warez sites and fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

Desktop hijacked by Antivirus Antispyware 2011

Antivirus AntiSpyware 2011 Removal (How to remove Antivirus AntiSpyware 2011)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

1. Boot in to Windows Safe Mode with networking
2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus AntiSpyware 2011. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Antivirus AntiSpyware 2011 Analysis

A rogue security software such as Antivirus AntiSpyware 2011 belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

The trojan installer file was about 2603016 bytes in size. According to ThreatExpert, this file “is protected with Themida in order to prevent the sample from being reverse-engineered. Themida protection can potentially be used by a threat to complicate the manual threat analysis (e.g. the sample would not run under the Virtual Machine).”

This scareware is detected by 17/ 41 (41.5%) of the antivirus engines available at VirusTotal. It is identified as:

• Trojan/Win32.ADH
• TR/FraudPack.csig
• Trojan.Win32.FakeAV.ctol
• Win32/Adware.SecurityEssentials.AB
• Trojan.DownLoader2.39788

Typical Antivirus AntiSpyware 2011 Scare Messages

The proactive system found several active vulnerablilities on your computer. Your system is at risk of being damaged by existing viruses. This can lead to PC freezes, crashes, erratic behavior and data loss.

CRITICAL ERROR
Running of application is impossible!
A problem has been detected and the application has been shut down to prevent damage to your computer. Running of notepad.exe is impossible due to the Net-Worm.Win32.Mytob.t activity. Perform the full system scan without delay to solve the issue.

System warning!
Continue working in unprotected mode is very dangerous. Viruses can damage your confidential data and work on your computer. Click here to protect your computer.

Critical system error!
Critical system error ocured! Your system is infected with the last version of Trojan-Spy.HTML.Visapass.a, Website access passwords might be stolen from Internet Explorer, Mozilla Firefox, Opera, Outlook. It is highly recommended to click YES button to scan and remove threats.

Your computer is being attacked from a remote machine!
Block Internet access to your computer to prevent system infection.

Spyware threat detected!
Your system is vulnerable to Internet attacks.
Spyware may damage systems files, monitor your internet usage or intercept any data you send over the internet.
It is strongly recommended for you to remove detected threats. Do not ignore this alert message!

Your system is infected with the Spydot.facebook,error.exe. Your website access passwords for socail networks, Icq and Skype might be stolen and used by third parties. It is highly recommended to click YES button to scan and remove threats.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

• Immediately contact the bank that issued the card and dispute the charges.
• Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antivirus AntiSpyware 2011 Associated Files and Folders

• C:\Documents and Settings\All Users\Application Data\Antivirus AntiSpyware 2011\872.mof
• C:\Documents and Settings\All Users\Application Data\Antivirus AntiSpyware 2011\AS2011.exe
• C:\Documents and Settings\All Users\Application Data\Antivirus AntiSpyware 2011\wewekds\wethrazuds.cfg
• C:\Documents and Settings\malwarehelp.org\Application Data\Microsoft\Internet Explorer\Quick Launch\Antivirus AntiSpyware 2011.lnk
• C:\Documents and Settings\malwarehelp.org\Desktop\Antivirus AntiSpyware 2011.lnk
• C:\WINDOWS\Prefetch\AA2011.EXE-077BB82B.pf
• C:\WINDOWS\Prefetch\AS2011.EXE-22AB0EF7.pf
• C:\WINDOWS\Prefetch\MOFCOMP.EXE-01718E95.pf

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antivirus AntiSpyware 2011 Associated Registry Values and Keys

• HKEY_CURRENT_USER\SOFTWARE\SE2010
• HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wethrazuds.cfg

• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AA2011.DocHostUIHandler
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AA2011.DocHostUIHandler\Clsid
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AS2011.DocHostUIHandler
• HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AS2011.DocHostUIHandler\Clsid
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0
• HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Hardware Profiles\Current\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable=0

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

Antivirus AntiSpyware 2011 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

• get-se2011.com
• http://shopsoftwaresecurity.com

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus AntiSpyware 2011 Scareware — Screenshots

Note: The Antivirus AntiSpyware 2011 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post Antivirus AntiSpyware 2011 Removal and Analysis appeared first on Malware Help. Org.

Antivirus Clean 2011 is a fraudulent security software that displays fake Windows warning messages about non-existent malware infections to scare the victim to purchase a license. This scareware actually phishes for the credit card data instead of just scamming the user for a subscription. The secure payment page to which the user is taken on clicking an activation link is in reality a web page designed to capture credit card data.

Scareware like Antivirus Clean 2011 are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

Antivirus Clean 2011

Antivirus Clean 2011 Removal (How to remove Antivirus Clean 2011)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

1. Boot in to Windows Safe Mode with networking
2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as Antivirus Clean 2011. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

Antivirus Clean 2011 Analysis

A rogue security software such as Antivirus Clean 2011 belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

At present this rogue is just phishing for personal and credit card data. On clicking Register or Activate button, the victim is taken to a phishing page to elicit information including credit card security code.

The rogue installer file was about 1539594 bytes. It is detected by 28/ 42 (66.7%) of the antivirus engines available at VirusTotal.

This scareware is detected as:

• VirTool:Win32/Obfuscator.EK
• Gen:Packer.Morphine.anGfaCM0glh
• W32/Heuristic-210!Eldorado
• Trojan.Win32.FakeAV.cnkc
• Bloodhound.Morphine

Typical Antivirus Clean 2011 Scare Messages

Your computer is in danger!
Antivirus Clean 2011 has detected some serious threats to your computer!
These viruses need to be eliminated immedeately! Please click this icon to remove threats.

Your system is infected!
Your computer is compromised by hackers, adware, malware and worms!
Antivirus Clean 2011 can remove this infection. Please click this icon to remove threats.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

• Immediately contact the bank that issued the card and dispute the charges.
• Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

Antivirus Clean 2011 Associated Files and Folders

• C:\Program Files\Antivirus Clean 2011\avc2011.exe
• C:\Program Files\Antivirus Clean 2011\avservice.exe
• C:\Program Files\Antivirus Clean 2011\avsetup.exe

• C:\Program Files\Antivirus Clean 2011

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

Antivirus Clean 2011 Associated Registry Values and Keys

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AntivirusClean=C:\Program Files\Antivirus Clean 2011\avc2011.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\avservice=C:\Program Files\Antivirus Clean 2011\avservice.exe
• HKEY_CURRENT_USER\Software\WinRAR SFX\C%%Program Files%Antivirus Clean 2011%=C:\Program Files\Antivirus Clean 2011\

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

Antivirus Clean 2011 Associated Domains

This scareware was observed accessing the following domains during installation and operation:

• http://crimsonscratch.square7. ch

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

Antivirus Clean 2011 Scareware — Screenshots

Note: The Antivirus Clean 2011 installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post Antivirus Clean 2011 Removal and Analysis appeared first on Malware Help. Org.

Yes! malware can even run in safe mode and safe mode with networking. A common devious method is to inject a malware process into legitimate Windows processes like userinit.exe, explorer.exe etc., These processes are loaded as part of the core drivers and services that Windows loads during a safe mode boot.

According to a McAfee blog, The services and drivers that load in Safe Mode are listed under the following registry key(s):

• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootMinimal
• HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlSafeBootNetwork

If malware gains control of the system, it can add its entry under the above key(s) to load during a Safe Mode boot.

One recent example would be the CleanThis Scareware. This malware tampers with the WinlogonShell key in the Windows registry to annoy users even in safe mode. The tampered key looks like this:

• HKEY_CURRENT_USERsoftwareMicrosoftWindows NTCurrentVersionWinlogonShell = C:Documents and Settingsmalwarehelp.orgApplication Datagog.exe

In this case restoring the default shell value should disable this malware process on restart. But this malicious process also blocks execution of registry editor among other programs to protect itself. A workaround would be to use a .inf file to change the registry.

• Right click and save the file shell_restore.inf, make sure that you are saving the file with a .inf extension.
• Right click the downloaded file shell_restore.inf and choose the option for install. This will restore the default Windows Shell which prevents the scareware from running at boot.
• Restart to unload the malware executable from memory.

Note: It can be dangerous to run .inf files downloaded from an untrusted source.

Another trick to defeat this tactic is to boot in safe mode with command prompt. This will start Windows with only core drivers and launches the command prompt. Here is a short how-to, to run Malwarebytes’ Anti-Malware in safe mode with command prompt:

• Use an alternate computer to download MalwareBytes’s Anti-Malware (mbam-setup.exe) and the Malwarebytes’ Anti-Malware Malware definitions (mbam-rules.exe) to a removable drive like CDs, DVDs or USB flash drives.
• Boot in to Windows Safe Mode with Command Prompt Using F8 key.

 



• At the command prompt type ‘explorer.exe‘ and press the Enter key, wait for Windows Explorer to open. Now in ‘My Computer’ browse to your removable drive.

 


• Install MalwareBytes’s Anti-Malware and Malwarebytes’ Anti-Malware Malware definitions from your removable drive. Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
• Reboot into normal mode, Launch, Update and scan again with MalwareBytes’s Anti-Malware.

The tips above should help you to get started, when trying to clean malware that starts in safe mode. Have you used any other method to clean such malware? Please share it in the comments below.

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post Malware runs even in safe mode – Cleaning Malware appeared first on Malware Help. Org.

MS Removal Tool is similar in design and behavior to the System Tool rogue. It uses yellow system alert messages to get itself installed. MS Removal Tool blocks execution of most programs and Windows administrative tasks like Task Manager, Command prompt, Registry editor etc., presumably to protect itself and at the same time to scare the user to purchase a fraudulent subscription.

Once installed on the victim’s system, the MS Removal Tool rogue security software proceeds to close other applications and generates fake system security warnings about non-existent malware. The malware creates a random named folder and file in \All Users\Application Data\ folder. The last five characters always ended in 07003 in this variant, presumably the affiliate code. E.g: C:\Documents and Settings\All Users\Application Data\dHdGiAkCkEi07003\dHdGiAkCkEi07003.exe

One of the Mutex created reads Don’t stop me! I need some money!

MS Removal Tool Fake System Scan

Scareware like MS Removal Tool are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed through out the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

MS Removal Tool Removal (How to remove MS Removal Tool)

MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) was able to remove this infection.

1. Boot in to Windows Safe Mode with networking
2. Download MalwareBytes’s Anti-Malware Free edition (mbam-setup.exe) or from a clean computer download and copy to a removable drive like CD, DVD or USB flash drive.
3. Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
4. Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
5. Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as MS Removal Tool. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

MS Removal Tool Analysis

A rogue security software such as MS Removal Tool belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

The trojan file was about 319488 bytes in size. It was detected by 11/ 43 (25.6%) of the antivirus engines available at VirusTotal.

This scareware is detected as:

• Trojan.Generic.KD.170369
• Trojan.Fakealert.20556
• W32/FakeAlert.LO.gen!Eldorado
• FakeAlert-SecurityTool.bf
• a variant of Win32/Kryptik.MAR
• Trojan.Agent/Gen-RogueLoad

Typical MS Removal Tool Scare Messages

Warning: Your computer is infected
Windows has detected spyware infection!
Click this message to install the last update of Windows security software…

MS Removal Tool Warning
Intercepting programs that may compromise your privacy and harm your system have been detected on your PC.
Click here to remove them immediately with MS Removal Tool

Warning!
Application cannot be executed. The file filename.exe is infected.
Please activate your antivirus software.

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

• Immediately contact the bank that issued the card and dispute the charges.
• Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

MS Removal Tool Associated Files and Folders

• C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003
• C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe
• C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\aC555.exe
• C:\Documents and Settings\malwarehelp.org\Local Settings\Temp\aC555.tmp

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

MS Removal Tool Associated Registry Values and Keys

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce\oGcMaMjAlJj07003=C:\Documents and Settings\All Users\Application Data\oGcMaMjAlJj07003\oGcMaMjAlJj07003.exe

Manually editing the registry is NOT recommended.

MS Removal Tool Associated Domains

This scareware was observed accessing the following domains during installation and operation:

• http://194.28.113. 214
• http://69.50.195. 77
• http://msantispam-srv2. com
• http://69.50.209. 220

Note: Visiting the domains mentioned above may harm your computer system.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

MS Removal Tool Scareware — Screenshots

Note: The MS Removal Tool installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post MS Removal Tool Removal and Analysis appeared first on Malware Help. Org.

SpyEye banking trojan first made its appearance about a year back as a competitor to what is till then known as the king of all bots Zeus/Zbot. Security researchers believe that both bots have now joined hands to prey upon online banking users world-wide.

Similar to Zbot, SpyEye trojan is created using a specialized builder or kit. The kit contains tools to customize, create and control individual bots and botnets.

Trojan SpyEye requires a C&C (Command and control) server to which the bots (individual machines infected by spyeye trojan) connect for receiving instructions from the botnet owner.

Abuse.ch which is running a Zeus tracker, also has a project called SpyEye Tracker for tracking an monitoring SpyEye command and control Servers. At the time of this writing the tracker’s statistics are as follows:

• SpyEye C&C servers tracked: 230
• SpyEye C&C servers online: 61
• SpyEye C&C server with files online: 25
• Average SpyEye binary Antivirus detection: 29.72%

What is the danger of SpyEye trojan?

SpyEye Builder kit. Used by criminals to customize and control the trojan bot.

Similar to Zeus/Zbot trojan, SpyEye specializes in stealing valuable personal information from the victim’s computer. Some of the data it can be made to steal are:

• Online banking login username and passwords
• Credit card numbers, names and PIN numbers
• Social Security numbers
• FTP account names and passwords
• Complete ID profiles from form Auto-fill function of your browser

All these data can be stolen even if you communicate with sensitive web sites using SSL (HTTPS) encrypted connections.

How does a computer get infected with SpyEye trojan

This trojan must be manually installed. This is achieved in several ways. The popular ones seem to be through exploited web sites and downloadable email spam products. For example the victim may be downloading an illegal file like warez/crack files or what may proclaim to be a free screensaver. Beware! this trojan could hitch hike with one those programs and silently install itself in the background on an unprotected computer.

Symptoms/Indications of SpyEye infection

The victim will not see any visual indication of its installation. The only indication that you have SpyEye in your system may be when an antivirus software alerts you to its presence.

SpyEye trojan dropper is detected as Win-Trojan/Spyeyes, Trojan.Siggen, TSPY_SPYEYE, BScope.Trojan-Dropper by different antivirus vendors.

Trojan SpyEye silently sits in the background till the victim visits a sensitive Website like his bank site. It then captures valuable data using a keylogger. The trojan can be customized by its master to automatically steal and transfer money using the captured data or use it otherwise.

SpyEye Associated Files and Folders

It is difficult to manually identify its files and registry keys as it hides them from regular Windows explorer, Task Manager and Registry editor using rootkit techniques.

Executable name of the bot can be customized.

The name of the executable file can be customized to anything by the criminals. The default entry cleansweep.exe is the most commonly seen name. Typically, SpyEye trojan installs itself and its encrypted configuration file named config.bin in C:\.exe\.exe

• C:\cleansweep.exe\cleansweep.exe
• C:\cleansweep.exe\config.bin

According to Microsoft, some of the file names seen are:

• cleansweep.exe
• windowseep.exe
• systemhost.exe
• mssetupers.exe
• msixxxxxxx.exe
• systemrxxt.exe
• malacuxatx.exe
• windowsxxx.exe
• portwexexe.exe
• bofabotxxx.exe
• cxlacuxatx.exe
• googlemaps.exe
• windowsdvd.exe
• ciaxxxxxxx.exe
• onweretetr.exe
• moneyxmexx.exe
• wlcwlcwlcw.exe
• shitspykid.exe
• rundllxxxx.exe
• jdsfjsdijf.exe
• usxxxxxxxx.exe
• inetserver.exe
• intelcored.exe
• bbbxxxxxxx.exe
• defenderxx.exe
• bootstartx.exe
• mdnsrespon.exe
• winstackxx.exe

SpyEye Associated Registry Values and Keys

A hidden registry key is created so that the malware runs at every system restart>

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\cleansweep.exe=C:\cleansweep.exe\cleansweep.exe

Tampers with system internet settings by modifying these keys:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableHttp1_1=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyHttp1.1=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPostRedirect=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnIntranet=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1409
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1609
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0 1406
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Lockdown_Zones\1 1406

How to remove SpyEye – SpyEye Removal

Run a full-system scan with an up-to-date antivirus and optionally an antimalware product to find and remove Zeus (Zbot) infection.

Recommended free antivirus software:

• Avira AntiVir Personal – FREE Antivirus
• AVG Anti-Virus Free Edition
• avast! antivirus Home Edition
• Microsoft Security Essentials

Alternatively an online malware scanner like Trend Micro HouseCall or Windows Live OneCare safety scanner may also be used to scan your system for bot infection. More Online Anti-virus Scanners.

Recommended free antimalware software:

• MalwareBytes’s Anti-Malware – Direct Download
• SuperAntiSpyware

Related: Is your PC part of a Zombie Botnet? Check now!

Sources of Information

• Microsoft Malware Protection Center
• Security Center | Norman
• Symantec Security Response

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post Find and Remove SpyEye Banking Trojan appeared first on Malware Help. Org.

]]>

FireEye Malware Intelligence Lab: An overview of Rustock – “As you might have seen in the news, the largest spam botnet, Rustock, was recently taken down in a collaborated, coordinated way. All parties involved were bound by a sealed federal lawsuit against the John Doe’s involved, but now that the case has been unsealed, it’s time to talk about a few of the details.”

How to turn off Data Execution Prevention (DEP) – 4sysops – “Data Execution Prevention (DEP) is a security feature of the CPU that prevents an application from executing code from a non-executable memory region. This is supposed to prevent buffer overflow attacks from succeeding.”

Java updates may include annoying McAfee scanner – Computerworld – “Windows users who install the latest Java security patches may end up with a little more security than they bargained for, at least that’s the risk they take if they don’t pay close attention to the installation process.”

ConsumerMan: Who’s tracking you online? – “Don’t look now, but you’re being tracked — some might say stalked — whenever you go online. Information about the sites you visit, the things you buy and the topics you search is used to build a detailed profile about you. In most cases, this is done without your knowledge or consent.”

How to stop your boss spying on you at work – How-to – Techworld.com – “Privacy may be dead, but that doesn’t mean you have to enjoy having your every electronic move tracked by your nosy manager.”

Errata Security: A brief introduction to web "certificates" – “The company Comodo is what’s called a “Certificate Authority”. A hacker tricked them into issuing “certificates” for companies like Microsoft and Google. This would allow anybody who could tap the network between you and those websites to decrypt otherwise encrypted traffic. This somebody would have to somebody in-line with the network, like a hacker next to you in a coffee shop, or the Iranian government wiretapping the ISP. This document explains how SSL is protects against such attacks, and how the bogus Comodo certificates defeat those protections.”

Protect your privacy: what happens to your data? – “When criminals obtain your e-mail address, credit card, or Social Security Number, your information enters an underground economy where it’s sold, bought, and (maybe) eventually used in a crime.”

Advt
Limited period offer!
Genuine Security software at discounted rates!

Author: Shanmuga

Copyright © 2005 – 2012, malwarehelp.org

The post Recommended Reads – 26 March 2011 appeared first on Malware Help. Org.

CleanThis scareware uses the Fake Security Essentials Alert to download itself on to the victim’s computer. Once installed, this rogue software proceeds to restart the system automatically, on restart access to the desktop is completely blocked. Taskbar is hidden, right click is disabled and the fake scan is run identifying non-existent malware. You cannot close it or kill it using the Task manager. CleanThis malware manages to run even safe mode and safe mode with networking.

Scareware like CleanThis are commonly installed when users are redirected to fake online scanner pages or fake ‘video codec required’ pages distributed throughout the Web by cyber criminals using blackhat SEO techniques, Spam and Malicious flash advertisements.

Desktop hijacked by CleanThis Rogue security software

CleanThis Removal (How to remove CleanThis)

Download the following from an alternate computer and copy to a removable drive like CD, DVD or USB stick:

• Download MalwareBytes’s Anti-Malware Free edition(mbam-setup.exe)
• Right click and save the file shell_restore.inf, make sure that you are saving the file with a .inf extension.
• Boot in to Windows Safe Mode with Command Prompt



• At the command prompt type “explorer.exe” and press the Enter key, wait for Windows Explorer to open. Now from Windows start button access My Computer and browse to your removable drive.
• Right click the downloaded file (shell_restore.inf) and choose the option for install. There will not be any visual confirmation/notification. This will restore the default Windows Shell which will prevent the scareware from running at boot.
• Restart in normal mode.
• Double-click mbam-setup.exe to start the installation. Proceed with installation following the prompts. Make sure that the following option is checked when you finish the installation: Update Malwarebytes’ Anti-Malware.
• Once the update is completed, Launch Malwarebytes’ Anti-Malware and select Perform full scan in the Scanner tab. When the scan is completed, click “Show results“, confirm that all instances of the rogue security software are check-marked and then click “Remove Selected” to delete them. If prompted restart immediately to complete the removal process.
• Turn System Restore off and on.

You should now be clean of this rogue.

The full version of Malwarebytes’ Anti-Malware performs brilliantly against scareware such as CleanThis. The real-time component of the paid version includes dynamic blocking of malicious websites, servers and prevents execution of malware. It would caution you before most rogue security software could install itself. Please consider purchasing the Malwarebytes’ Anti-Malware Full version for additional protection.

CleanThis Analysis

A rogue security software such as CleanThis belongs to a family of software products that call themselves as antivirus, antispyware or registry cleaners and often use deceptive or high pressure sales tactics and deliberate false positives to convince users into buying a license/subscription. They are often repackaged and renamed. They do not actually remove malware instead many of them add more malware of their own. They need to be removed immediately from your system.

The trojan dropper file was about 619520 bytes in size. It was detected by 21/ 42 (50.0%) of the anti-virus engines available at VirusTotal.

This scareware is detected by the following aliases:

• Trojan/Win32.FakeAV
• Win32:Malware-gen
• Trojan.Win32.FakeAV.bmbd
• Rogue:Win32/FakePAV
• a variant of Win32/Adware.FakeAntiSpy.AA

The following behavior was observed:

• Changes the size of the desktop wallpaper, disables right click on desktop. Taskbar is hidden.
• Drops a file named gog.exe in the application data folder of the current user ( Example: C:\Documents and Settings\malwarehelp.org\Application Data\gog.exe)
• Tampers with Windows registry and adds itself to the Winlogon\Shell key, so that it starts with Windows even in safe mode. (Example: HKEY_CURRENT_USER\software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = C:\Documents and Settings\malwarehelp.org\Application Data\gog.exe)

Typical CleanThis Scare Messages

CleanThis has detected security threats on your PC. To remove please install the heuristic module. click here to install heuristic module.

Current settings don’t allow unprotected startup. Please check your settings.

Database update failed! Outdated viruses databases are not effective and can’t guarantee adequate protection and security for your PC! Click here to get the full version of the product and update the database!

Users should not fall for the false alerts of system infection and buy the scareware to ‘clean’ the system. If you purchased one by entering your credit card number at a rogue software website, it would be prudent to:

• Immediately contact the bank that issued the card and dispute the charges.
• Request them to not allow any further transaction and cancel the card. You may also request them to issue a new card with a different number.

CleanThis Associated Files and Folders

• C:\Documents and Settings\malwarehelp.org\Application Data\1.gif
• C:\Documents and Settings\malwarehelp.org\Application Data\completescan
• C:\Documents and Settings\malwarehelp.org\Application Data\gog.exe
• C:\Documents and Settings\malwarehelp.org\Application Data\install
• C:\Documents and Settings\malwarehelp.org\Desktop\Clean This.lnk

Some of the file names may be randomly generated. The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine.

CleanThis Associated Registry Values and Keys

• HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell=C:\Documents and Settings\malwarehelp.org\Application Data\gog.exe
• HKEY_CURRENT_USER\Control Panel\Desktop\WallpaperStyle=0
• HKEY_CURRENT_USER\Control Panel\Desktop\Pattern=
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\GeneralFlags=0
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperStyle=0
• HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\General\Wallpaper=%APPDATA%\1.gif
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnPost=0
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnonBadCertRecving=0

The term malwarehelp.org or malwarehelp in the above entries denotes the name of the Windows user account in the test machine. Manually editing the registry is NOT recommended.

CleanThis Associated Domains

This scareware was observed accessing the following domains during installation and operation:

• configure-network-online .com

Note: Visiting the domains mentioned above may harm your computer system.

Malwarebytes’ Anti-Malware should take care of the scareware completely. If you have difficulty in removing any other malware that might have creeped in with CleanThis, checkout Kaspersky Virus Removal Tool and Kaspersky Rescue Disk.

If you are unable to get rid of this scareware, please visit one of the recommended forums for malware help and post about your problem.

CleanThis Scareware — Screenshots

CleanThis Scareware — Video

Note: The CleanThis installation and removal was tested on a default installation of Windows XP SP3. The content provided in this article is not warranted or guaranteed by Malware Help. Org. The content provided is intended for entertainment and/or educational purposes. I am not liable for any negative consequences that may result from implementing any information covered in this article. The above information is correct at the time of my testing, it might change with time and or under different testing conditions.

Limited period offer!
$10.00 Off avast! Internet Security Version 7

The post CleanThis Removal and Analysis appeared first on Malware Help. Org.