This was performed on a virtual machine
___________________________________________________________________________________
Same family as Windows Functionality Checker and Security Antivirus.
It was basically exactly the same as Windows Functionality Checker. Even the number of bad registry entries at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options was identical.
However, this time I managed to capture the loading screen of the FakeAV as seen to the right.
Unfortunately not much to report here, as it was so identical to Windows Functionality Checker. Run RogueKiller first; the rest should be very easy unless there is also rootkit activity.
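The [IFEO] lines in the RogueKiller log are the mechanism this family uses to keep security tools from starting: each hijacked program gets a subkey under Image File Execution Options whose Debugger value points at another executable, so launching the tool runs that executable instead. The following is an added example, not code from the original post or from RogueKiller, that enumerates those Debugger values so a responder can review them before (or after) cleanup, and also checks the DisableRegedit policy value that the MBAM log flagged. It assumes an elevated PowerShell session on the affected machine (the Windows XP VM used here may not have PowerShell; it is written for any Windows with PowerShell 2.0 or later).

```powershell
# Added example (not from the original post): list Image File Execution Options
# subkeys that carry a "Debugger" value, i.e. programs redirected to another
# executable, which is how this FakeAV blocked tools such as Ad-Aware.exe.
# Assumption: run elevated so HKLM is readable; both the native and the
# Wow6432Node views are checked so 32-bit entries on 64-bit Windows are seen.

$ifeoPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
)

$findings = foreach ($base in $ifeoPaths) {
    if (-not (Test-Path -Path $base)) { continue }
    Get-ChildItem -Path $base | ForEach-Object {
        # A subkey without a Debugger value is normal (used for GlobalFlag etc.);
        # only the Debugger value redirects execution.
        $dbg = (Get-ItemProperty -Path $_.PSPath -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) {
            [pscustomobject]@{
                Target   = $_.PSChildName   # the program being hijacked (e.g. a.exe)
                Debugger = $dbg             # what actually runs instead (e.g. svchost.exe)
                Key      = $_.Name
            }
        }
    }
}

if ($findings) {
    'IFEO subkeys with a Debugger value (legitimate ones are rare; review each):'
    $findings | Format-Table -AutoSize
} else {
    'No IFEO Debugger values found.'
}

# Policy value the rogue set to lock the user out of regedit (see the MBAM log).
$polPath = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$pol = Get-ItemProperty -Path $polPath -Name DisableRegedit -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableRegedit -ne 0) {
    "DisableRegedit is set to $($pol.DisableRegedit); regedit is blocked for this user."
}
```

A Debugger value that points at svchost.exe, or at anything other than a debugger the administrator installed deliberately, is the entry to remove; deleting the Debugger value (Remove-ItemProperty on that subkey) restores the hijacked program without touching the rest of the key, which is what RogueKiller's DELETED lines did in bulk here.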
___________________________________________________________________________________
RogueKiller |
¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] Protector-hbf.exe -- C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe -> KILLED [TermProc]
[SUSP PATH] Protector-hbf.exe -- C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 756 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Inspector (C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : ackwin32.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : Ad-Aware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : adaware.exe (svchost.exe) -> DELETED
Once again, I chose not to copy/paste the entire log here due to its size. The full log can be obtained from: http://pastebin.com/HCW4nBhu
___________________________________________________________________________________
MBAM |
Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully.
Files Detected: 3
C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Local Settings\Temp\RarSFX0\filesystemscan.exe (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Desktop\Windows Telemetry Center.lnk (Rogue.WindowsTelemetryCenter) -> Quarantined and deleted successfully.
___________________________________________________________________________________
MGtools |
"C:\Documents and Settings\All Users\Start Menu\Programs\"
window~2.lnk Feb 26 2012 848 "Windows Telemetry Center.lnk"
___________________________________________________________________________________