Ecops (Ransom Trojan) - 02.25.2012 - Analysis and Removal
This was performed on a virtual machine. This is a trojan that infects the following files: C:\Windows\explorer.exe and C:\Windows\system32\dllcache\explorer.exe. The Company Name of both explorer.exe files...
Windows Telemetry Center (FakeAV) - 02.26.2012 - Analysis and Removal
This was performed on a virtual machine. Same family as Windows Functionality Checker and Security Antivirus. It was...
Smart Fortress 2012 (FakeAV) - 02.29.2012 - Analysis and Removal
This was performed on a virtual machine. Smart Fortress 2012 is an improvement of Smart Protection 2012. You may have...
Windows 8 Consumer Preview - Windows Smart Partner (FakeAV) - 03.03.2012 -...
This is the new Metro UI in Windows 8. I figured I should start experimenting with Windows 8. What better way to learn Windows 8 than infecting the OS with a Fake Antivirus and then removing it? :-D I...
ZeroAccess Authors Are Now Faking Company Name: Iomega
In a previous post I mentioned that ZeroAccess authors were faking the Company name: Oak Technologies Inc. Well, they have changed who they want to disguise their malicious .dll files to the company...
Best Virus Protection (FakeAV) bundled with RLoader (Rootkit) - 03.08.2012 -...
This was performed on a virtual machine. Looks similar to Microsoft Security Essentials, a legitimate antivirus. It...
Panda Security Creates ZeroAccess Cleaning Tool (Yorkyt.exe) - Removes Abnow...
Panda Security has created an AntiZeroAccess tool that works very well compared to others I have tested in the past. In fact, it practically removed every trace of ZeroAccess minus 2-3 dormant files....
GEMA - Germany (Ransom Trojan) - 03.29.2012 - Analysis and Removal
Once you are infected with GEMA, you will be prompted with a white screen with text that reads: "Please wait while the connection is beeing established." and then the German translation......
Gimemo - France - Gendarmerie Nationale (Ransom Trojan) - 04.01.2012 -...
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows|Load...
Tobfy - Germany (Ransom Trojan) - 04.07.2012 - Analysis and Removal
Hijacks HKCU\Software\Microsoft\Windows\CurrentVersion\Run "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" "" "" "" + "(Default)" "" "" "File not found: C:\Documents and...
WindowsSecurity (Ransom Trojan) - 04.13.2012 - Analysis and Removal
Creates this registry value: HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell points to the malicious that was run. Creates a bad value under this key:...
GVU - Germany (Ransom Trojan) - 04.16.2012 - Analysis and Removal
FRST HKLM\...\Run: [5kS43ADO0bzprWo] C:\Documents and Settings\thisisu\Application Data\soundblaster_fx648.exe [x]...
Rannoh - Canada (Ransom Trojan) - 05.04.2012 - Analysis and Removal
Figure 1.a
This is very similar to Gendarmerie Nationale (French) in the sense that the bad files are practically...
Police Nationale Francaise - France (Ransom Trojan) - 05.14.2012 - Analysis...
Easy way to defeat: If on XP: Press F8 upon boot to get to the Windows Advanced Options Menu. From the list, choose...
Gimemo Ransom - Germany - "Please wait while the connection is beeing...
This list will be maintained. I will try to organize them in chronological order. flint4ytw.exe -...
Weelsof - Metropolitan Police - United Kingdom (Ransom Trojan) - 05.22.2012 -...
FRST HKLM\...\Run: [voitjxghtvngqbu] C:\Documents and Settings\All Users\Application Data\jhdmxqskgvmtxilxyiwh.exe...
Live Security Platinum (FakeAV) - 06.02.2012 - Analysis and Removal
Succeeds Security Sphere 2012, Smart Protection 2012, and Smart Fortress 2012. RogueKiller ¤¤¤ Bad processes: 1 ¤¤¤ [SUSP...
ZeroAccess CLSID variant versus ComboFix
http://www.youtube.com/watch?v=B0sY_1ZXxTU http://youtu.be/B0sY_1ZXxTU
CrapRemover - Introduction and Demonstration
CrapRemover will remove unwanted browser hijacks such as Babylon, Facemoods, Funmoods, Searchqu, iClaro and many others that I see populating forums of the anti-malware community. See the following...