Tag Archives | quick scan

Antispyware Soft Rogue

Just a “heads up”. I’ve been dealing with this rogue called “Antispyware Soft” all week. Antispyware Soft completely takes over the user’s PC, preventing them from opening anything or accessing the internet. It’s really easy to get rid of; here’s how I do it.

  1. Start the PC in Safe Mode with Networking (or plain Safe Mode).
  2. Install and update Malwarebytes, then run a quick scan. Remove anything found. Reboot.
  3. Antispyware Soft has been removed.

You may need to do a little cleanup after this rogue has been removed:

  1. If your EXEs are broken, run this
  2. If you can’t load any websites, follow these instructions

OS Specific Rogues – Vista Smart Security 2010

I was hammered with a new (sort of) rogue called Vista Smart Security 2010 this week. As far as I know this is an OS-specific rogue, because I only saw it on Vista boxes. This rogue is easy to delete; however, it comes with an agent that suppresses commercial anti-malware.

Vista Smart Security 2010

Here is the MBAM log (from my UBCD4WIN):

Scan type: Quick scan
Objects scanned: 109550
Time elapsed: 4 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\SOFTWARE\AvScan (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Cognac (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\avsoft (Trojan.Fraudpack) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rjwpbgsg (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\pjrevdjn (Trojan.FakeAlert.Gen) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\omtgiuok (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\leccnidu (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jfneaspr (Trojan.FakeAlert.N) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Windows\System32\SYSTEM32 (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\SYSTEM32\DRIVERS (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\Windows\System32\SYSTEM32\DRIVERS\rtl8187.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Windows\System32\SYSTEM32\DRIVERS\rtl8187B.sys (Trojan.Agent) -> Quarantined and deleted successfully.

If you don’t know how to build a UBCD4WIN, you can download the free Dr. Web live CD, which gets rid of this rogue and its agent easily.


Internet Security 2010 Rogue, Winlogon2.exe and Other Fun Things for this Week…

I’ve been pretty busy this week with malware appointments and thought I’d share this week’s “note to self” stuff…

  1. A client calls me and says that they have a fake antivirus (Internet Security 2010 rogue) and now they can’t log in to Windows.
  2. When I arrive I load my UBCD4WIN and immediately:
    • Replace Atapi.sys.
    • Replace Userinit.exe.
    • Load the host registry and fix the Winlogon key so that Userinit points to c:\windows\system32\userinit.exe (not winlogon2.exe).
    • Disconnect the network connection.
    • Reboot.
    • Load Malwarebytes and load the latest updates via usb stick.
    • Quick Scan with MBAM and remove anything found.
    • Reboot.
    • Load new AV (either Microsoft Security Essentials or Kaspersky Internet Security 2010)
  3. Perform misc cleanup stuff and then leave.
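A defender’s check for the persistence points named in the last two posts (the Winlogon Userinit value from this one, and the HKCU Run entries and Explorer policy from the MBAM log above), written as an added PowerShell example that is not code from the original posts. It assumes an environment with PowerShell, and the HostSoft/HostUser hive mount names are placeholders.

```powershell
# Added example (not from the original posts): audit the persistence points
# these rogues used. Runs against the live registry by default, or against a
# victim's SOFTWARE and NTUSER.DAT hives mounted with reg.exe from a boot
# environment; the mount names HostSoft/HostUser are assumptions.
param(
    # Live: 'HKLM:\SOFTWARE'. Offline: 'HKLM:\HostSoft' after
    #   reg load HKLM\HostSoft D:\Windows\System32\config\SOFTWARE
    [string]$SoftwareRoot = 'HKLM:\SOFTWARE',
    # Live: 'HKCU:'. Offline: 'Registry::HKEY_USERS\HostUser' after
    #   reg load HKU\HostUser "D:\Users\<name>\NTUSER.DAT"
    [string]$UserRoot = 'HKCU:'
)

$findings = @()

# 1. Winlogon: the "can't log in" symptom came from Userinit being redirected
#    to winlogon2.exe instead of the real userinit.exe.
$winlogon = Get-ItemProperty -Path "$SoftwareRoot\Microsoft\Windows NT\CurrentVersion\Winlogon"
$expectedUserinit = 'C:\Windows\system32\userinit.exe,'   # stock default; the trailing comma is normal
if ($winlogon.Userinit -ne $expectedUserinit) {
    $findings += "Winlogon\Userinit is '$($winlogon.Userinit)', expected '$expectedUserinit'"
}
if ($winlogon.Shell -ne 'explorer.exe') {
    $findings += "Winlogon\Shell is '$($winlogon.Shell)', expected 'explorer.exe'"
}

# 2. HKCU Run: the MBAM log above shows the rogue's autostarts as values with
#    random eight-letter names (rjwpbgsg, pjrevdjn, ...). That pattern is the
#    heuristic used here; review anything it flags by hand.
$runKey = "$UserRoot\Software\Microsoft\Windows\CurrentVersion\Run"
if (Test-Path $runKey) {
    $run = Get-Item $runKey
    foreach ($name in $run.GetValueNames()) {
        if ($name -cmatch '^[a-z]{8}$') {
            $findings += "Run\$name -> $($run.GetValue($name))"
        }
    }
}

# 3. The Explorer policy the log flagged as Hijack.DisplayProperties.
$policy = "$SoftwareRoot\Microsoft\Windows\CurrentVersion\Policies\Explorer"
if ((Test-Path $policy) -and ((Get-ItemProperty -Path $policy).NoActiveDesktopChanges -eq 1)) {
    $findings += 'Policies\Explorer\NoActiveDesktopChanges = 1'
}

if ($findings.Count -eq 0) { 'No persistence anomalies found.' } else { $findings }
```

Run it before the MBAM scan to confirm what you are about to fix, and again after the reboot to confirm Userinit and the Run key are clean.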