[EP_X0FF]

This malware starts additional thread, this thread performing delayed scanning of all running processes.
It makes first snapshot - this is white list, so before running sample start all what you need to investigate it behavior.
Then after few seconds it is doing next snapshot - if any new processes were found malware trying to terminate them.
For creating snapshots malware uses WMI.

[Jaxryley]

Thanks for the info and checking it out EP_X0FF. :)

Yes you can open Task Manager before installing the rogue and it will stay open or renaming any exe to firefox or opera should allow it run with this rogue active.

[Quads]

Thanks for the info and checking it out EP_X0FF. :)

Yes you can open Task Manager before installing the rogue and it will stay open or renaming any exe to firefox or opera should allow it run with this rogue active.

Had a PC with this rogue on approx 2 weeks ago PC was Windows 7.

I renamed the Hijackthis executable "iexplore.exe" ran Hijackthis, killed the processes and the 04 run entries worked.

Then mopped up the rest after with MBAM. as it can now run.

Quads

[Jaxryley]

Hi Quads, you can rename mbam.exe within Malwarebyte's Programs Folder to iexplore.exe/firefox.exe/opera.exe and it should run with Antivir Solution Pro active.

Another exe killer is Security Tool and it can still kill exes even when "Windows Management Instrumentation" service is set to stopped/disabled before installing.

Renaming to opera.exe doesn't work but iexplore and firefox still work.

I think the same mob make both rogues?

Security Tool.rar

Pass:
infected
(998.05 KiB) Downloaded 102 times

[Quads]

Hi Quads, you can rename mbam.exe within Malwarebyte's Programs Folder to iexplore.exe/firefox.exe/opera.exe and it should run with Antivir Solution Pro active.

Another exe killer is Security Tool and it can still kill exes even when "Windows Management Instrumentation" service is set to stopped/disabled before installing.

Renaming to opera.exe doesn't work but iexplore and firefox still work.

I think the same mob make both rogues?

Security Tool.rar

I know but it takes too long if I have a PC to repair (Not mine) that doesn't have the likes of MBAM installed, so I use my pre named copy of Hijackthis, run that to disable the rogue, and anything else found in the list bad to remove, BANG BANG.

Then I can install programs without being blocked or impeded in any way, so no double renaming required, once to just get a program installed,

Can't be bothered with longer ways.

Quads

[CloneRanger]

Windows AV scanner

I found various www's all hijacked with redirects to - hxxp://gnevonotole.servequake.com/main.php

Scanner results : Scanners did not find malware! - http://virscan.org/report/ef7fdc3c835c7 ... d963f.html

The scroll bar actually worked with this rogue !



Funny i don't even have Windows Defender installed



Zip PW = infected

[tomatto007]

This is a Security Tool - long known Fake AV ...

http://www.microsoft.com/security/porta ... curityTool

[SecConnex]

CloneRanger, it is found with VirusTotal: http://www.virustotal.com/file-scan/rep ... 1283793834

[CloneRanger]

Whoever moved it here, thanks ;) Edit i see EP_X0FF did ;)

@ tomatto007

Yes it's probably from the same stable, but a new variant.

@ DragonMaster Jay

Hi, i think the discrepancies between detects "might" be due to time differences ? When i scanned again later i got detects.

Also there "may" be different scan engine versions etc being used by VT & VO ?

Anyway i enabled Shadow Defender and ran it. Apart from one autostart entry i couldn't see anything else of note, and absolutely nothing running at all ? GMER found rootkit behaviour, but this could be due to SD ? I wasn't able to restart and see what might happen as SD was set to delete on shutdown. RkU v.508 failed to launch ? after which scvhost.exe went to 50%

HMPro detected the install file on my desktop, but Nothing else ! I didn't expect Avira to detect etc as it's not in their Defs yet. Not a peep from Prevx ?

Wierd, what is this rogue "supposed" to do, as it is on my comp anyway, it doesn't appear to do anything nasty ?

[EP_X0FF]

PC Defender v2

Fake antivirus, displaying detection windows with pr0n pictures (they all in html section in resources ;))
Contains special part for killing tools like Process Explorer, x64 compatible.

Seems to be new release from Misha script-kiddie author of previous PC Defender (see 1 post of this thread). GUI redesigned truly.

Also it displays Fake Blue Screen of Death, LOL

dropper installation
http://www.virustotal.com/file-scan/rep ... 1283847235

fake av itself
http://www.virustotal.com/file-scan/rep ... 1283847261

Runs itself from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit key.

While installation sets special service to force reboot Windows after few seconds.

Pics! :)







"BSOD" source code

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<script type="text/javascript" src="init.js"></script>
</head>

<body style="margin:0px; background-color:#000084; color:#FFFFFF; cursor:url('BSOD.cur'); font-family:Lucida Console; font-weight:100; font-size:26;">
<span id="mainSpan">
A problem has been detected and Windows has been shut down to prevent damage to your computer.
<p></p>
The problem seems to be in your antivirus software.
<p></p>
ERROR_UNREGISTERED_VIRUS_PROTECTION_SOFTWARE
<p></p>
If this is the first time you've seen this Stop error screen AND you already registered your "PC Defender" software, restart your computer.
<p></p>
If problem continues, register your "PC Defender" software or contact service center.
<p></p>
Technical information:
<p></p>
*** STOP: 0x00C30FF5 (0xFD3094C2,0x00000001,0xFBFE7617,0x00000000)
<p></p>
*** SECUR32.DLL - Address 0xFBFE7617 base at 0xFBFE7617, Datestamp 4e4cca30
</span>
<script type="text/javascript" language="javascript">
var w = screen.width;
document.getElementById('mainSpan').style.width = w+'px';
</script>
</body>

</html>