Sysinternals Forum > Windows Discussions > Malware

Fake AV - Security Tool

bootsect (Senior Member, joined 24 December 2009) posted 15 February 2010 at 3:17pm:
Trojan downloader.

http://www.virustotal.com/analisis/c962c407bd773325b9614ed37983066898de65834a18798dd9ab5af06c1d6cbd-1266220848



Written in CodeGear RAD Studio v12.0.3420.21218 by Russian crapware script-kiddies. Comes as a video codec package.

While installing, it prints a lot of messages to the debug output:

00000000    0.00000000    watchdog!WdUpdateRecoveryState: Recovery enabled.  
00000001    27.91488457    [1120] VCLFixPack patch installed: AppDeActivateZOrderFix    
00000002    27.91506958    [1120] VCLFixPack patch installed: PageControlPaintingFix    
00000003    27.91527176    [1120] VCLFixPack patch installed: GridFlickerFix    
00000004    27.91547203    [1120] VCLFixPack patch installed: SpeedButtonGlassFix    
00000005    27.91567039    [1120] VCLFixPack patch installed: DBNavigatorFix    
00000006    27.91577530    [1120] VCLFixPack patch installed: StringBuilderFix    
00000007    27.91599846    [1120] VCLFixPack patch installed: CancelHintDeadlockFix    
00000008    27.91612434    [1120] VCLFixPack patch installed: CDSDataConvertFix    
00000009    31.80923271    [1260] VCLFixPack patch installed: AppDeActivateZOrderFix    
00000010    31.80936241    [1260] VCLFixPack patch installed: PageControlPaintingFix    
00000011    31.80956459    [1260] VCLFixPack patch installed: GridFlickerFix    
00000012    31.80982399    [1260] VCLFixPack patch installed: SpeedButtonGlassFix    
00000013    31.81003571    [1260] VCLFixPack patch installed: DBNavigatorFix    
00000014    31.81013680    [1260] VCLFixPack patch installed: StringBuilderFix    
00000015    31.81027412    [1260] VCLFixPack patch installed: CancelHintDeadlockFix    
00000016    31.81040764    [1260] VCLFixPack patch installed: CDSDataConvertFix


Displays a lot of popups from the tray icon about viruses, trojans, etc. found on the computer. After reboot, it blocks process startup.

[screenshot: GUI]

[screenshot: immediate detections]

[screenshot: "New databases found!" (on a PC disconnected from any kind of network)]

[screenshot: Control Panel blocked]

Strings recovered from unpacked executable.

SOFTWARE\Borland\Delphi\RTL
kernel32.dll
Software\CodeGear\Locales
Software\Borland\Locales
Software\Borland\Delphi\Locales
WARNING!
successfully installed!
Crytical Error!
Unable to find resource for winlogon.exe
Resource ID is 0x40001213
exit
hxxp://supportwebcenter.com/
open
disabled
IEFrame
MozillaUIWindowClass
iexplore.exe
firefox.exe
wscntfy.exe
shutdown.exe
avcheck.exe
wuauclt.exe
soft_cleaner.exe
%PROCESSNAME%
%VIRUSNAME%
jjjj
jjjj
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)
http://
ffid=
Unknown
Windows NT 3
Windows NT 4
Windows 95
Windows 98
Windows ME
Windows 2000
Windows XP
Windows 2003
Windows Vista
Windows Seven
Progman
Control Panel\Desktop
Wallpaper
_Wallpaper
.exe
Software\Microsoft\Windows\CurrentVersion\Run
Key
Language
Count
.ini
.bat
:try
del "
if exist "
" goto try
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v
cmd.exe /c start
.exe
/install
exit
open
.exe
.ini
&sts=
Key
Language
Count
.ini
.lnk
Software\
Key
Grep
Count
AutoRun
MinRun
AutoScan
Language
Privacy
Update
Guard
Software\
localhost
inspectguide.com
_www.billingsoftwaresite.com


Used Delphi modules
st_new [MainUnit]
  OleServer [ImplicitUnit]
  Variants [ImplicitUnit]
  VarUtils [ImplicitUnit]
  Windows [WeakUnit, OrgWeakUnit]
  Types [ImplicitUnit]
  SysInit
  System
  SysConst [ImplicitUnit]
  SysUtils [ImplicitUnit]
  Character [ImplicitUnit]
  RTLConsts [ImplicitUnit]
  Math [ImplicitUnit]
  StrUtils [ImplicitUnit]
  ImageHlp [ImplicitUnit]
  Controls [ImplicitUnit]
  DwmApi [ImplicitUnit]
  UxTheme [ImplicitUnit]
  SyncObjs [ImplicitUnit]
  Classes [ImplicitUnit]
  ActiveX [ImplicitUnit]
  Messages [WeakUnit, OrgWeakUnit, ImplicitUnit]
  TypInfo [ImplicitUnit]
  CommCtrl [WeakUnit, OrgWeakUnit, ImplicitUnit]
  Themes [ImplicitUnit]
  Graphics [ImplicitUnit]
  Consts [ImplicitUnit]
  Registry [ImplicitUnit]
  IniFiles [ImplicitUnit]
  Forms
  StdActns [ImplicitUnit]
  ComCtrls [ImplicitUnit]
  CommDlg [WeakUnit, OrgWeakUnit, ImplicitUnit]
  ShlObj [WeakUnit, OrgWeakUnit, ImplicitUnit]
  UrlMon [WeakUnit, OrgWeakUnit, ImplicitUnit]
  WinInet [WeakUnit, OrgWeakUnit, ImplicitUnit]
  RegStr [WeakUnit, OrgWeakUnit, ImplicitUnit]
  ShellAPI [WeakUnit, OrgWeakUnit, ImplicitUnit]
  ComStrs [ImplicitUnit]
  Printers [ImplicitUnit]
  WinSpool [WeakUnit, OrgWeakUnit, ImplicitUnit]
  ActnList [ImplicitUnit]
  Menus [ImplicitUnit]
  ImgList [ImplicitUnit]
  Contnrs [ImplicitUnit]
  GraphUtil [ImplicitUnit]
  ZLib [ImplicitUnit]
  ListActns [ImplicitUnit]
  StdCtrls [ImplicitUnit]
  ExtCtrls [ImplicitUnit]
  Dialogs [ImplicitUnit]
  HelpIntfs [ImplicitUnit]
  MultiMon [ImplicitUnit]
  Dlgs [WeakUnit, OrgWeakUnit, ImplicitUnit]
  WideStrUtils [ImplicitUnit]
  ToolWin [ImplicitUnit]
  RichEdit [WeakUnit, OrgWeakUnit, ImplicitUnit]
  Clipbrd [ImplicitUnit]
  FlatSB [ImplicitUnit]
  Imm [WeakUnit, OrgWeakUnit, ImplicitUnit]
  OleConst [ImplicitUnit]
  ComObj [ImplicitUnit]
  ComConst [ImplicitUnit]
  OleCtrls [ImplicitUnit]
  AxCtrls [ImplicitUnit]
  StdVCL [ImplicitUnit]
  pngimage [ImplicitUnit]
  pnglang [ImplicitUnit]
  DBCtrls [ImplicitUnit]
  VDBConsts [ImplicitUnit]
  DBConsts [ImplicitUnit]
  DBPWDlg [ImplicitUnit]
  DB [ImplicitUnit]
  WideStrings [ImplicitUnit]
  DBCommonTypes [ImplicitUnit]
  FMTBcd [ImplicitUnit]
  SqlTimSt [ImplicitUnit]
  DateUtils [ImplicitUnit]
  MaskUtils [ImplicitUnit]
  DBLogDlg [ImplicitUnit]
  Buttons [ImplicitUnit]
  Mask [ImplicitUnit]
  DBClient [ImplicitUnit]
  Provider [ImplicitUnit]
  DataBkr [ImplicitUnit]
  MidConst [ImplicitUnit]
  Midas [ImplicitUnit]
  DBCommon [ImplicitUnit]
  DSIntf [ImplicitUnit]
  uFormManager
  uTypes
  uSetup
  uInetThread
  ufrmMsgBox2
  ufrmMain
  ufrmAlert
  ufrmMsgBox1
  uSkinButton [ImplicitUnit]
  uSkinControl [ImplicitUnit]
  uSkinCaptionControl [ImplicitUnit]
  uConsts
  ufrmBSOD
  TlHelp32 [WeakUnit, OrgWeakUnit, ImplicitUnit]
  md5
  ufrmBrowser
  MSHTML [ImplicitUnit]
  SHDocVw [ImplicitUnit]
  Gauges [ImplicitUnit]
  ufrmPopup
  uSkinGroupBox [ImplicitUnit]
  ufrmUpdateInfo
  ufrmUpdate
  ufrmInfectedSoftware
  ufrmRegistration
  PsAPI [WeakUnit, OrgWeakUnit, ImplicitUnit]
  ufrmHarmfull
  ufrmFirewall
  ufrmActivate
  XPMan [WeakUnit, OrgWeakUnit, ImplicitUnit]
  uFilesThread
  uSkinCheckBox [ImplicitUnit]
  uCryptIniFile
  VCLFixPack
  Grids [ImplicitUnit]
  DBGrids [ImplicitUnit]


Detections (columns: category, file, detection name, description as shown by the rogue)
Dialer    MSVIDEO.DLL    Exploit.HTML.Ascii.f    This exploit uses a vulnerability in Internet Explorer (CVE-2006-3227) to run on the victim machine. It is an HTML page.  It is 1614 bytes in size. It is not packed in any way.
Malware    actxprxy.dll    Virus.Win32.CTX.6886    This is a Win32 parasitic virus. It uses polymorphic and Entry Point Obscuring mehods (see below).  It is not a dangerous nonmemory resident parasitic polymorphic Windows virus. It searches for PE EXE files (Windows Portable Executable files) in current directory (except drive root directory),...
Dialer    cacls.exe    Exploit.HTML.Ascii.e    This exploit uses a vulnerability in Internet Explorer (CVE-2006-3227) to run on the victim machine. It is an HTML page.  It is 1315 bytes in size. It is not packed in any way.
Malware    cmsetACL.dll    Virus.DOS.Lenin.943    It is not a dangerous nonmemory resident parasitic virus. It searches for EXE files and writes itself to the end of the file. While infecting it does not alter the EXE entry registers, but inserts CALL FAR instruction into file entry point and alters EXE relocation table. Depending on its...
Spyware    cryptdlg.dll    Trojan-PSW.Win32.LdPinch.rn    This Trojan belongs to a family of Trojans written with the aim of stealing user passwords. LdPinch is designed to steal confidential information. The Trojan itself is a Windows PE EXE file approximately 17KB in size, packed using UPX.  When installing, the Trojan copies itself to the Windows system...
Worm    diskcopy.dll    Worm.Win32.Bizex    This worm uses the Internet instant messaging system ICQ to spread via the Internet.  The worm sends ICQ users a message with a URL, which is linked to a file which contains procedures to automatically download and execute the malicious component of the worm on the victim computer.  Propagation On...
Trojan    dot3gpclnt.dll    Trojan.Win32.DNSChanger.gn    This Trojan downloads other files via the Internet and launches them for execution on the victim machine without the user’s knowledge or consent.  It is an HTML page which contains Visual Basic Script.  It is 1445 bytes in size.
Backdoor    fdeploy.dll    Backdoor.Win32.Poison.h    This Trojan provides a remote malicious user with access to the victim machine.  It is a Windows PE EXE file.  The file is 5,040 bytes in size.  Installation  When launched, the Trojan copies its executable file to the Windows system directory:  %System%\com.exe  It also creates the following...
Worm    fontsub.dll    Worm.SunOS.Sadmind    Text written by Costin Raiu, Kaspersky Labs, Romania  This is an Internet-worm that replicates between Sun Sparc computers running the Solaris/SunOS operating system, and attacks Microsoft IIS v4 and 5 Web servers. Cracked Micrsoft IIS servers will have their start page replaced with one that...
Trojan    iasads.dll    Trojan.BAT.FormatC.z    This Trojan has a malicious payload.  It is a BAT file.   It is 18 bytes in size.
Malware    ir41_qcx.dll    Virus.DOS.Segal.552    It is a harmless memory resident parasitic virus. It hooks INT 21h and writes itself to the end of EXE files that are executed. The virus does not manifest itself in any way. It contains the text:  -SEGAL(c)MM
Rogue    kbdhu.dll    Virus.DOS.Zerobug.1536.a    It is a memory resident not dangerous virus which inserts itself into COM-files beginning at their creating: the infector hooks INT 21h, f.3Ch, creates the file, writes its body into this file and returns the control back to the program that called this function. And then that program appends the...
Dialer    kbdno1.dll    Exploit.PHP.Inject.f    This exploit is designed to steal confidential information from Web application databases. It is a PHP file.  It is 1,610 bytes in size. It is not packed in any way. It is written in PHP.
Malware    mdminst.dll    Virus.DOS.Lct.599    This is a benign non memory-resident parasitic virus. Upon being executed, it searches for all COM files of the current directory, and writes itself to the end of the file. On December 25th, upon being executed, the virus immediately returns to DOS. The virus contains the text string:  *.COM...
Backdoor    mnmsrvc.exe    Backdoor.Win32.VanBot.bk    This Trojan can be used for remote administration of the victim machine. It provides a malicious user with the ability to perform operations via IRC. It is a Windows PE EXE file, and is 207,872 bytes in size.  Installation  When installing, the backdoor copies its executable file to the Windows...
Malware    mqutil.dll    Virus.DOS.Acapulco.1971    It's a not dangerous memory resident parasitic virus. It hooks INT 21h and writes itself at the end of COM- and EXE-files are executed. Sometimes it hooks INT 08h (timer) and plays several tunes.
Backdoor    msoert2.dll    Backdoor.Win32.Kbot.al    This Trojan provides a remote malicious user with access to the victim machine.  It is a Windows PE EXE file.  It is 12787 bytes in size. Installation Once launched, the backdoor copies its executable file to the Windows system directory:  %System%\mssrv32.exe The backdoor then creates a service...
Adware    mtxclu.dll    Virus.DOS.Fire.2682    It's a harmless memory resident encrypted parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed. It contains the internal text strings:  Fire walk with me.
Backdoor    net1.exe    Backdoor.Win32.BO.a    This Trojan (also known as Back Orifice Trojan) is a network-administration utility that allows for the controlling of computers on the network. "'Back Orifice' is a remote administration system, which allows a user to control a computer across a tcpip connection using a simple console or gui...
Worm    oakley.dll    Net-Worm.Perl.Santy.a    This worm uses a vulnerability in phpBB, which is used to create forums and web sites, to spread via the Internet. phpBB versions lower than 2.0.11 are vulnerable.  The worm is written in Perl, and is 4966 bytes in size.  Propagation  The worm creates a specially formulated Google search request....
Rogue    plustab.dll    Virus.DOS.HS.903    This is a dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of COM and EXE files (except AIDSTEST.EXE) that are executed. On December, 27th it erases the hard drive sectors. It also hooks INT 17h (printer) and sometimes prints rude messages in Russian.  The...
Worm    qcap.dll    Net-Worm.Win32.Lovesan.a    Lovesan is an Internet Worm which exploits the DCOM RPC vulnerability in Microsoft Windows described in MS Security Bulletin MS03-026.  Lovesan is written in C using the LCC compiler.  The worm is a Windows PE EXE file about 6KB (compressed via UPX - 11KB when decompressed).  Lovesan downloads and...
Adware    rdpwsx.dll    Virus.DOS.Fire.2682    It's a harmless memory resident encrypted parasitic stealth virus. It hooks INT 21h and writes itself to the end of COM- and EXE-files that are executed. It contains the internal text strings:  Fire walk with me.
Adware    sclgntfy.dll    Virus.DOS.Piz.2025    It is a dangerous memory resident parasitic encrypted virus. It hooks INT 1Ch, 21h, and writes itself to the end of COM and EXE files that are accessed. Under debugger the virus erases the CMOS. Sometimes it displays the message:  +---++   + +-+   ++ +--+ +   + |   ||  ++  -++ ++| +--  |   | +...
Spyware    setver.exe    Trojan-PSW.Win32.LdPinch.rn    This Trojan belongs to a family of Trojans written with the aim of stealing user passwords. LdPinch is designed to steal confidential information. The Trojan itself is a Windows PE EXE file approximately 17KB in size, packed using UPX.  When installing, the Trojan copies itself to the Windows system...
Dialer    taskkill.exe    Exploit.HTML.Ascii.p    This exploit uses a vulnerability in Internet Explorer (CVE-2006-3227) to run on the victim machine. It is an HTML page.  It is 1872 bytes in size. It is not packed in any way.
Backdoor    tftp.exe    Backdoor.Win32.Agobot.a    Backdoor.Agobot (also known as PhatBot) is a Trojan program which provides the author/ user with remote access to the victim machine. It is managed via IRC. It has a wide range of functionalities:    will not work with a debugger running or under Vmware it can run both as a standard application and...
Adware    usrsvpia.dll    Virus.DOS.Cheeba.1683    This is a memory resident harmless virus which infects COM and EXE files by standard manner. It infects the memory only if the INT 13h vector points to memory area with address lesser than address of the first MCB. The virus changes the first 5 bytes into INT 13h, 21h, 22h handlers to instruction...
Worm    vjoy.dll    Net-Worm.Perl.Santy.a    This worm uses a vulnerability in phpBB, which is used to create forums and web sites, to spread via the Internet. phpBB versions lower than 2.0.11 are vulnerable.  The worm is written in Perl, and is 4966 bytes in size.  Propagation  The worm creates a specially formulated Google search request....
Worm    wmpshell.dll    Net-Worm.Win32.CodeRed.a    CodeRed (aka Code Red, Bady) is an Internet worm that replicates between Windows 2000 servers running Microsoft's IIS (Internet Information Services) and the Microsoft Index Server 2.0 or the Windows 2000 Indexing Service. It does this by exploiting a bug known as "Unchecked Buffer in the Index...
Adware    wshisn.dll    Virus.DOS.Guevara.1918    It is a very dangerous memory resident parasitic virus. It hooks INT 21h and writes itself to the end of .COM and .EXE files that are executed. On 10th, 20th and 30th of any month the virus erases the hard drive sectors, displays an image of Che Guevara and the text:  TE GUSTA ESTAR BLOQUEADO A...

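A triage pass over the string dump in the post above, as an added example that is not part of the original post or the rogue's own code. It takes a constructed copy of a subset of the recovered strings, groups them into indicator categories (persistence key, browser window classes, targeted process names, contacted hosts, message templates), and checks for the two behaviours the fragments point at: the Run-key entry and the ":try / del / if exist ... goto try" self-delete batch loop. The category names and regexes are my own choices.

```python
"""
Triage of strings recovered from the unpacked rogue (constructed subset of
the post's dump). Added example; not code from the original post.
"""
import re

# Constructed input: a subset of the strings from the post, order preserved.
RECOVERED_STRINGS = [
    r"SOFTWARE\Borland\Delphi\RTL",
    r"Software\CodeGear\Locales",
    "WARNING!",
    "Crytical Error!",
    "hxxp://supportwebcenter.com/",
    "IEFrame",
    "MozillaUIWindowClass",
    "iexplore.exe",
    "firefox.exe",
    "wscntfy.exe",
    "shutdown.exe",
    "avcheck.exe",
    "wuauclt.exe",
    "soft_cleaner.exe",
    "%PROCESSNAME%",
    "%VIRUSNAME%",
    "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)",
    "Windows Seven",
    "Progman",
    r"Control Panel\Desktop",
    "Wallpaper",
    ".exe",
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    ".bat",
    ":try",
    'del "',
    'if exist "',
    '" goto try',
    r"reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v",
    "cmd.exe /c start",
    "/install",
    "localhost",
    "inspectguide.com",
    "_www.billingsoftwaresite.com",
]

# Category rules, tried in order; the first match wins. Window class names
# and template placeholders are matched literally since they have no syntax.
RULES = [
    ("self_delete_batch",  re.compile(r'^(:try|del "|if exist "|" goto try|\.bat)$')),
    ("persistence",        re.compile(r"CurrentVersion\\Run", re.IGNORECASE)),
    ("network",            re.compile(r"^(hxxp|http)s?://|(^|\.)[a-z0-9-]+\.(com|net|org)$|^Mozilla/",
                                      re.IGNORECASE)),
    ("window_classes",     re.compile(r"^(IEFrame|MozillaUIWindowClass|Progman)$")),
    ("process_names",      re.compile(r"^[a-z0-9_]+\.exe$", re.IGNORECASE)),
    ("command_line",       re.compile(r"^(cmd\.exe|/install)")),
    ("message_templates",  re.compile(r"^%[A-Z]+%$|!$")),
    ("desktop_tamper",     re.compile(r"^(Control Panel\\Desktop|Wallpaper)$")),
    ("compiler_artifacts", re.compile(r"^Software\\(Borland|CodeGear)\\", re.IGNORECASE)),
    ("os_fingerprint",     re.compile(r"^Windows (NT \d|9\d|ME|2000|XP|2003|Vista|Seven)$")),
]


def classify(s: str):
    """Return the first matching category name, or None."""
    for name, rx in RULES:
        if rx.search(s):
            return name
    return None


def triage(strings):
    """Group strings by category; unmatched strings land under 'other'."""
    groups = {}
    for s in strings:
        groups.setdefault(classify(s) or "other", []).append(s)
    return groups


def self_delete_loop_present(strings):
    """True when every piece of the ':try / del / if exist ... goto try'
    self-delete batch loop is present in the dump."""
    needed = {":try", 'del "', 'if exist "', '" goto try'}
    return needed.issubset(strings)


def run_key_cleanup_present(strings):
    """True when the dump contains a 'reg delete HKCU\\...\\Run' fragment,
    i.e. the sample removes its own autorun entry on uninstall."""
    return any(s.startswith("reg delete HKCU\\") and "CurrentVersion\\Run" in s
               for s in strings)


if __name__ == "__main__":
    for cat, items in triage(RECOVERED_STRINGS).items():
        print(f"{cat}: {items}")
    print("self-delete loop:", self_delete_loop_present(RECOVERED_STRINGS))
    print("Run-key cleanup:", run_key_cleanup_present(RECOVERED_STRINGS))
```

The ordering of the rules matters: the `reg delete HKCU\...\Run /v` fragment is filed under persistence rather than command_line because a responder cares more that the Run key is touched than that `reg.exe` is the tool used, and `.bat` is claimed by the self-delete rule before the generic extension check can see it.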
PROROOTECT (Senior Member, Fort Lee, NJ, joined 06 April 2008) posted 15 February 2010 at 4:26pm:
I find that awful.
 
To tell the TRUTH, we also have the 'Remove Fake Antivirus' tool, latest version v1.61: http://freeofvirus.blogspot.com/search/label/Removal%20Tool   MBAM also ...
 
Hopefully ...
 
 
P.
bootsect posted 16 February 2010 at 3:47am:
Without self-protection, this crapware will simply kill both on start. It scans visible top-level windows each second and, if they were not there before the crapware started, terminates the applications.
PROROOTECT posted 16 February 2010 at 8:58am:
This 'crap' is going nowhere, somebody help me ... yeeeeah ...
 
'I'm getting random popups out of nowhere' ...
 
I'm depressed ... Faster and faster to nowhere ... Help me now before it's too late!..
 
But, yep, I'm still staying alive .. one man takes on the world in an epic battle for truth and justice!..
PROROOTECT posted 18 February 2010 at 10:50am:
OK, hopefully we have good removal guides for fake antiviruses, for example from BleepingComputer.com!
 
etc. etc.
 
I'm happy to be of help. We are not abandoned ...
bootsect posted 18 February 2010 at 10:54am:
It will make a perfect spammer of you, PROROOTECT.
PROROOTECT posted 18 February 2010 at 11:01am:
Me, a spammer? Why me?
 
Others consider every day.
 
 
P.