1 reply to this topic

[SpySentinel]

hxxp://www.virusremover2008.com/



More Info

Installation
When the program is executed, it creates the following files:

* %ProgramFiles%\VirusRemover2008\VRM2008.exe - (detected as VirusRemover2008)
* %ProgramFiles%\VirusRemover2008\Viruses.bdt - (clean file)
* %SystemDrive%\VirusRemover2008.lnk
* %SystemDrive%\Documents and Settings\Administrator\Desktop\VirusRemover2008.lnk
* %SystemDrive%\Documents and Settings\All Users\Start Menu\Programs\VirusRemover2008
* %SystemDrive%\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\VirusRemover2008.lnk


Next, the program creates the following registry entry so that it executes whenever Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"VirusRemover2008" = "%ProgramFiles%\VirusRemover2008\VRM2008.exe"

It also creates the following registry entries:

* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"ActivationCode" = "36"
* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"CookieParams" = "29"
* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"InfectionCount" = "4"
* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"InstallDate" = "16"
* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"LastDetectTime" = "[RANDOM HEXIDECIMAL STRING]"
* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"LastScanTime" = "[RANDOM HEXIDECIMAL STRING]"
* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"TotalScanCount" = "4"
* HKEY_LOCAL_MACHINE\SOFTWARE\VirusRemover2008\"UpdateEnabled" = "1"


It also creates the following registry subkeys:

* HKEY_LOCAL_MACHINE\SOFTWARE\{5222008A-DD62-49c7-A735-7BD18ECC7350}
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VirusRemover2008

[Marty111]

domain reported to registrar we shall see what happens