
Malwarebytes

hxxp://www.windows-security-scanner.com/


3 replies to this topic

#1
blackrep

    New Member

  • Members
  • 22 posts
executable is at /install.exe off the link above

#2
Jaxryley

    Forum Deity

  • Malware Hunters
  • 6,718 posts
  • Gender:Male
  • Location:West Aussie
  • Interests:Gardening and computers.
Nice find blackrep. :D

Throws up a warning then opens a website to download Antivirus XP Pro.
hxxp://antivirusxppro2009.com/?code=0000070

Both install.exe and SetupAntivirusXP.exe are not hit by MBAM.

Quote

File Name : install.exe
File Size : 38938 byte
Scanner results : 11% Scanner(4/37) found malware!
Virscan

Quote

File Name : SetupAntivirusXP.exe
File Size : 1753088 byte
Scanner results : 8% Scanner(3/37) found malware!
Virscan


#3
Jaxryley

hxxp://www.windows-security-scanner.com/
Is actually entitled:
"MicrosoftAntivirus"
Online Windows security scanner

#4
Maniac

    I Love Andriana

  • Experts
  • 10,161 posts
  • Gender:Male
  • Location:Bulgaria, EU
  • Interests:Information security and web development

Jaxryley, on Feb 3 2009, 06:57 AM, said:

hxxp://www.windows-security-scanner.com/
Is actually entitled:
"MicrosoftAntivirus"
Online Windows security scanner

Quote

----------------------------------
Values deleted:8
----------------------------------
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\LangID: 09 04
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9227: "My Documents"
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9216: "My Computer"
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-9217: "My Network Places"
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@C:\WINDOWS\system32\SHELL32.dll,-8964: "Recycle Bin"
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-21785: "Shared Documents"
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-12693: "Favorites"
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@shell32.dll,-21786: "Start Menu"

----------------------------------
Values added:2
----------------------------------
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@explorer.exe,-7024: "Internet"
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\@explorer.exe,-7025: "E-mail"

----------------------------------
Values modified:11
----------------------------------
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x00000007
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed: 0x0000000D
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000004
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful: 0x00000006
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 05 00 00 00 80 00 00 00 10 8D 89 9B CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU: 05 00 00 00 82 00 00 00 A0 18 71 AC CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 05 00 00 00 4E 00 00 00 10 FA E5 9A CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_HVFPHG: 05 00 00 00 4F 00 00 00 E0 8F 1B AA CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 05 00 00 00 15 00 00 00 F0 A4 5C 76 CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:::{450Q8SON-NQ25-11Q0-98N8-0800361O1103}: 05 00 00 00 16 00 00 00 80 16 1D AA CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Fhccbeg\Zl Qbphzragf\vafgnyy.rkr: 05 00 00 00 08 00 00 00 30 77 AD 7C CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Fhccbeg\Zl Qbphzragf\vafgnyy.rkr: 05 00 00 00 09 00 00 00 A0 18 71 AC CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {0000013A-0000-0000-C000-000000000046} 0x401: 00 00 00 00 31 00 31 00 10 88 F8 78 CE 85 C9 01
HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {0000013A-0000-0000-C000-000000000046} 0x401: 00 00 00 00 31 00 31 00 A0 67 39 AB CE 85 C9 01

----------------------------------
Files added:7
----------------------------------
C:\Documents and Settings\Support\Local Settings\Temp\in2.tmp
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\gate[1].htm
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\S3Q64TD1\warning[1].gif
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\desktop.ini
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO\winlogon[1].htm
C:\WINDOWS\system32\ahtn.htm
C:\WINDOWS\system32\warning.gif

----------------------------------
Files[attr]modified:9
----------------------------------
C:\Documents and Settings\Support\Cookies\index.dat
C:\Documents and Settings\Support\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\Support\Local Settings\Temp\loader_pm.exe
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\Support\NTUSER.DAT.LOG
C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
C:\WINDOWS\Prefetch\SVCHOST.EXE-3530F672.pf
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\userinit.exe

----------------------------------
Folders added:1
----------------------------------
C:\Documents and Settings\Support\Local Settings\Temporary Internet Files\Content.IE5\69ACHERO

----------------------------------
Total changes:38
----------------------------------

MBAM's heuristics are the best:

Quote

Malwarebytes' Anti-Malware 1.33
Database version: 1718
Windows 5.1.2600 Service Pack 3

2/3/2009 9:15:32 AM
mbam-log-2009-02-03 (09-15-32).txt

Scan type: Quick Scan
Objects scanned: 42368
Time elapsed: 1 minute(s), 32 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 5

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Failed to unload process.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Framework Windows (Trojan.FakeAlert) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Delete on reboot.
C:\WINDOWS\system32\userinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.

There's a problem only with:

Quote

Memory Processes Infected:
C:\WINDOWS\system32\frmwrk32.exe (Trojan.FakeAlert) -> Failed to unload process.

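The UserAssist entries in the registry diff quoted above are ROT13-encoded, and on Windows XP each value is a 16-byte record (session, run counter, last-run FILETIME). As an added example, not code from the thread, the following Python decodes the two install.exe lines from that diff to show when the installer was launched and how many times; the Regshot-style line layout and the XP counter offset of 5 are assumptions.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Before/after snapshot of the install.exe UserAssist value, copied from the diff
# quoted in this thread (Regshot-style "Values modified" lines).
USERASSIST_LINES = [
    r"HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Fhccbeg\Zl Qbphzragf\vafgnyy.rkr: 05 00 00 00 08 00 00 00 30 77 AD 7C CE 85 C9 01",
    r"HKU\S-1-5-21-1177238915-1383384898-1343024091-1003\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Qbphzragf naq Frggvatf\Fhccbeg\Zl Qbphzragf\vafgnyy.rkr: 05 00 00 00 09 00 00 00 A0 18 71 AC CE 85 C9 01",
]

# The value name follows "\Count\"; the data is a run of hex byte pairs after ": ".
LINE_RE = re.compile(r"\\Count\\(.+?): ((?:[0-9A-F]{2} ?)+)$")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_OFFSET = 5  # assumption: XP starts the UserAssist run counter at 5


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_line(line):
    """Decode one XP UserAssist value: ROT13 name plus <session, count, FILETIME>."""
    m = LINE_RE.search(line)
    if not m:
        return None
    name, hexdata = m.group(1), m.group(2)
    raw = bytes.fromhex(hexdata.replace(" ", ""))
    if len(raw) != 16:  # the XP record is exactly 16 bytes; skip anything else
        return None
    session, count, ft = struct.unpack("<IIQ", raw)
    return {
        "name": codecs.decode(name, "rot13"),
        "session": session,
        "runs": count - XP_COUNT_OFFSET,
        "last_run_utc": filetime_to_datetime(ft),
    }


def summarize_change(before_line, after_line):
    """Report how many extra launches the diff shows and when the last one was."""
    before, after = parse_userassist_line(before_line), parse_userassist_line(after_line)
    return {
        "name": after["name"],
        "new_runs": after["runs"] - before["runs"],
        "last_run_utc": after["last_run_utc"].strftime("%Y-%m-%d %H:%M:%S"),
    }


if __name__ == "__main__":
    print(summarize_change(*USERASSIST_LINES))
```

The decoded name resolves to the installer path under the Support user's My Documents, and the timestamps line up with the MBAM scan time in the post once the Bulgarian UTC+2 offset is applied.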