Sunday, February 26, 2012

Windows Telemetry Center (FakeAV) - 02.26.2012 - Analysis and Removal

 This was performed on a virtual machine
 __________________________________________________________________________________
Same family as Windows Functionality Checker and Security Antivirus.

It was basically exactly the same as Windows Functionality Checker. Even the number of bad registry entries at HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options was identical.


However, this time I managed to capture the loading screen of the FakeAV as seen to the right.

Unfortunately there is not much to report here, as it was so similar to Windows Functionality Checker. Run RogueKiller first; the rest should be very easy unless there is also rootkit activity.

___________________________________________________________________________________
RogueKiller

¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] Protector-hbf.exe -- C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe -> KILLED [TermProc]
[SUSP PATH] Protector-hbf.exe -- C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe -> KILLED [TermProc]

¤¤¤ Registry Entries: 756 ¤¤¤
[SUSP PATH] HKCU\[...]\Run : Inspector (C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : aAvgApi.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : AAWTray.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : About.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : ackwin32.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : Ad-Aware.exe (svchost.exe) -> DELETED
[IFEO] HKLM\[...]\Image File Execution Options : adaware.exe (svchost.exe) -> DELETED

Once again, chose not to copy/paste the entire log here due to its size. Full log can be obtained from: http://pastebin.com/HCW4nBhu
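The IFEO lines above are the mechanism that makes this family annoying to clean: a Debugger value under Image File Execution Options\<image> makes Windows launch the named "debugger" instead of the image, so pointing hundreds of security-tool names at svchost.exe silently prevents those tools from starting. The following triage helper is an added example, not code from this post or from RogueKiller; it parses report lines in the format shown above, separates IFEO redirects from the autorun entry, and flags a Debugger value as a hijack when it is a bare filename or names a Windows host process that is never a real debugger. The sample log and the NON_DEBUGGER_HOSTS list are constructed for the example.

```python
"""Triage helper for RogueKiller-style report lines (added example, not the tool's own code)."""
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the report format shown in the post; the last IFEO line is a
# made-up benign entry (full path to a debugger) so the classifier has something to skip.
SAMPLE_LOG = """\
¤¤¤ Bad processes: 2 ¤¤¤
[SUSP PATH] Protector-hbf.exe -- C:\\Documents and Settings\\thisisu\\Application Data\\Protector-hbf.exe -> KILLED [TermProc]
¤¤¤ Registry Entries: 756 ¤¤¤
[SUSP PATH] HKCU\\[...]\\Run : Inspector (C:\\Documents and Settings\\thisisu\\Application Data\\Protector-hbf.exe) -> DELETED
[IFEO] HKLM\\[...]\\Image File Execution Options : a.exe (svchost.exe) -> DELETED
[IFEO] HKLM\\[...]\\Image File Execution Options : AAWTray.exe (svchost.exe) -> DELETED
[IFEO] HKLM\\[...]\\Image File Execution Options : myapp.exe (C:\\tools\\mydbg.exe) -> DELETED
"""

# [IFEO] <key> : <image name> (<Debugger value>) -> <action>
IFEO_RE = re.compile(
    r"^\[IFEO\] .*Image File Execution Options : (?P<image>\S+) \((?P<debugger>[^)]+)\)"
)
# [SUSP PATH] <hive>\...\Run : <value name> (<command path>) -> <action>
AUTORUN_RE = re.compile(
    r"^\[SUSP PATH\] HK\w+\\.*\\Run\w* : (?P<name>\S+) \((?P<path>[^)]+)\)"
)

# Assumed list: Windows host processes that are never legitimately used as an IFEO debugger.
NON_DEBUGGER_HOSTS = {"svchost.exe", "rundll32.exe", "explorer.exe"}


def is_suspicious_debugger(debugger: str) -> bool:
    """A Debugger value is suspicious when it is a bare filename (resolved through the
    PATH rather than pinned to a location) or when it names a Windows host process."""
    p = PureWindowsPath(debugger.strip().strip('"'))
    bare_name = p.parent == PureWindowsPath(".")
    return bare_name or p.name.lower() in NON_DEBUGGER_HOSTS


def analyze(log_text: str) -> dict:
    """Return IFEO hijacks, suspicious-path autoruns and a histogram of Debugger targets."""
    hijacks, autoruns, counts = [], [], Counter()
    for line in log_text.splitlines():
        m = IFEO_RE.match(line)
        if m:
            image, debugger = m["image"], m["debugger"]
            counts[debugger.lower()] += 1
            if is_suspicious_debugger(debugger):
                hijacks.append((image, debugger))
            continue
        m = AUTORUN_RE.match(line)
        if m:
            autoruns.append((m["name"], m["path"]))
    return {"ifeo_hijacks": hijacks, "autoruns": autoruns, "debugger_counts": counts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"IFEO hijacks: {len(result['ifeo_hijacks'])}")
    for image, debugger in result["ifeo_hijacks"]:
        print(f"  {image} -> {debugger}")
    print(f"Autorun entries from suspicious paths: {result['autoruns']}")
    print(f"Debugger targets: {dict(result['debugger_counts'])}")
```

Feeding the full pastebin report into analyze() gives the count of neutralised tool names at a glance and, through debugger_counts, shows whether every redirect points at the same host process, which is the signature of this family; a single IFEO entry with a full path to a real debugger is left alone.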
___________________________________________________________________________________
MBAM

Registry Values Detected: 1
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegedit (Hijack.Regedit) -> Data: 0 -> Quarantined and deleted successfully.

Files Detected: 3
C:\Documents and Settings\thisisu\Application Data\Protector-hbf.exe (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Local Settings\Temp\RarSFX0\filesystemscan.exe (Rogue.WindowsSmartPartner) -> Quarantined and deleted successfully.
C:\Documents and Settings\thisisu\Desktop\Windows Telemetry Center.lnk (Rogue.WindowsTelemetryCenter) -> Quarantined and deleted successfully.
___________________________________________________________________________________
MGtools

"C:\Documents and Settings\All Users\Start Menu\Programs\"
window~2.lnk  Feb 26 2012         848  "Windows Telemetry Center.lnk"
___________________________________________________________________________________