A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20369  by Quads
 Sat Aug 03, 2013 10:17 pm
thisisu wrote:
EP_X0FF wrote:For (A) - go to PROGRAMFILES\Google\Desktop\Install, take ownership (replacing ALL access list) and erase directory.
Yes.

Just providing an example:
swxcacls "c:\program files\Google\Desktop\Install" /reset
swxcacls can be downloaded from here: http://fstaal01.home.xs4all.nl/swxcacls-us.html

But any brute-force removal tool (Avenger, Blitzblank, ComboFix, etc.) should do the job.


Combofix with script on XP does not remove the service or the folder location.

TDSSkiller sees the key

*etadpug ( UnsignedFile.Multi.Generic ) - skipped by user
*etadpug ( UnsignedFile.Multi.Generic ) - User select action: Skip

Quads
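The "take ownership, replace the whole access list, erase the directory" step quoted above, as an added PowerShell example (not code from the thread or from swxcacls) built on the stock takeown/icacls tools; it assumes an elevated shell, and the path is the one named in the thread:

```powershell
# Added example, not code from the thread. Takes ownership of a directory whose ACL
# has been locked down, replaces its access list, then deletes it. Uses the built-in
# takeown.exe / icacls.exe instead of swxcacls. Must run from an elevated session.
function Remove-LockedDirectory {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path
    )

    # Ownership changes need SeTakeOwnershipPrivilege, which only an elevated token carries
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Run this from an elevated PowerShell session."
    }

    if (-not (Test-Path -LiteralPath $Path -PathType Container)) {
        throw "Directory not found: $Path"
    }

    if ($PSCmdlet.ShouldProcess($Path, "take ownership, reset ACL and delete")) {
        # 1. Give ownership to BUILTIN\Administrators (/A), recursively (/R), answering
        #    'Y' when the current DACL does not even allow listing the folder (/D Y).
        #    An owner always keeps implicit WRITE_DAC, so step 2 cannot be blocked.
        & takeown.exe /F $Path /A /R /D Y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "takeown failed with exit code $LASTEXITCODE" }

        # 2. Replace the whole access list with the default ACL inherited from the
        #    parent (/reset), on every file and subfolder (/T), continuing past
        #    per-file errors (/C), quietly (/Q). This is the swxcacls /reset step.
        & icacls.exe $Path /reset /T /C /Q | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

        # 3. Nothing in the DACL blocks us any more: erase the directory tree
        Remove-Item -LiteralPath $Path -Recurse -Force
    }
}

# Path from the thread; -WhatIf only reports what would happen, drop it to act
Remove-LockedDirectory -Path "$env:ProgramFiles\Google\Desktop\Install" -WhatIf
```

On a 64-bit system a 32-bit install may live under $env:ProgramFiles(x86) instead; check both before assuming the directory is gone.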
 #20370  by EP_X0FF
 Sun Aug 04, 2013 3:44 am
unixfreaxjp wrote:We need them, friend. They're willing to help, they did the best they can help and this is the quality that actually exists.
Main problem with all these home-made "specialists" - mostly they are not willing to help and their level is too poor to do any real help, and they do not learn anything -> why bother if they are already "pro". They just want to show off their mad skills to other people. VT is full of such fake specialists, "analysts" with big "reputation points" values (they are liking each other - "trust me bro, I trust you!"). Actually they are a sort of malware - because these idiots are doing a malicious job - marking legitimate software as malware with idiotic conclusions and comments, sending tons of incorrect reports to AV vendors, forcing them to check out all this garbage while AV could spend all this time on researching real malware. So no, I disagree, I don't need all of them.
 #20376  by R136a1
 Sun Aug 04, 2013 12:37 pm
EP_X0FF wrote:
unixfreaxjp wrote:We need them, friend. They're willing to help, they did the best they can help and this is the quality that actually exists.
Main problem with all these home-made "specialists" - mostly they are not willing to help and their level is too poor to do any real help, and they do not learn anything -> why bother if they are already "pro". They just want to show off their mad skills to other people. VT is full of such fake specialists, "analysts" with big "reputation points" values (they are liking each other - "trust me bro, I trust you!"). Actually they are a sort of malware - because these idiots are doing a malicious job - marking legitimate software as malware with idiotic conclusions and comments, sending tons of incorrect reports to AV vendors, forcing them to check out all this garbage while AV could spend all this time on researching real malware. So no, I disagree, I don't need all of them.
Damn right!

Most (not all) of these self-proclaimed security experts are just seeking attention! To become good at something (and especially at computer security which can be at the beginning very dry and frustrating) it takes a lot of work (-> self-discipline), experience and time and most people aren't willing to go this way.
 #20382  by BillyONeal
 Mon Aug 05, 2013 6:58 am
EP_X0FF wrote: Main problem with all these home-made "specialists" - mostly they are not willing to help and their level is too poor to do any real help, and they do not learn anything -> why bother if they are already "pro".
R136a1 wrote:Most (not all) of these self-proclaimed security experts are just seeking attention! To become good at something (and especially at computer security which can be at the beginning very dry and frustrating) it takes a lot of work (-> self-discipline), experience and time and most people aren't willing to go this way.
There are many people as described, "experts" who populate various internet locations for the "glory." We used to have a (admittedly small) number of people who truly knew this kind of analysis and could teach people the ins and outs here. Those people have all left to work for anti-malware vendors.

If you want to improve the quality of volunteers then there need to be people to teach those volunteers. I know that's not an easy task, and I know most people won't be able to deal with it. But at this point there's no way for these people to even try. I can teach programming knowledge if that would be helpful. I can't teach malware analysis because I have no experience there.

I'm sure there are people at various places who would love to help make this better. But we're powerless to effect that kind of change right now.

Billy3
 #20394  by rkhunter
 Tue Aug 06, 2013 8:03 am
Another dropper of the newest modification.

SHA256: 215e37b2c56e74858f610aa6625c64f1b99f9e05f3261d2b4196b0246611a8c6
SHA1: a88ca24aeef56d692feff6fe0f0ac9df09a82796
MD5: cb2d6ea208bbd1e42fb69ceb461d2f72

https://www.virustotal.com/en/file/215e ... /analysis/
Attachments
pass:infected
 #20406  by unixfreaxjp
 Tue Aug 06, 2013 6:55 pm
EP_X0FF wrote:
unixfreaxjp wrote:We need them, friend. They're willing to help, they did the best they can help and this is the quality that actually exists.
Main problem with all these home-made "specialists" - mostly they are not willing to help and their level is too poor to do any real help, and they do not learn anything -> why bother if they are already "pro". They just want to show off their mad skills to other people. VT is full of such fake specialists, "analysts" with big "reputation points" values (they are liking each other - "trust me bro, I trust you!"). Actually they are a sort of malware - because these idiots are doing a malicious job - marking legitimate software as malware with idiotic conclusions and comments, sending tons of incorrect reports to AV vendors, forcing them to check out all this garbage while AV could spend all this time on researching real malware. So no, I disagree, I don't need all of them.
It looks like I misunderstood :-) I'd better read more carefully next time.
I thought you were addressing newcomers who try to give their poor opinion by learning to analyze.
Yes, the VT community is highly compromised with the scores and trust stuff..

In this case, as per your explanation, I completely agree with you.
Thank you for the kind effort to explain. Very sorry for wasting space and time.

rgds!
 #20563  by N3mes1s
 Thu Aug 22, 2013 3:29 pm
Dropped from a url infected with CookieBomb

SHA256: 8db03cbe00517261540d59b9a6a47647519efb851c2b413f69d352409f1c6884
SHA1: ac3a85d746bd92418ea5905541b0aa954c3730a8
MD5: 33f394f2d041dd77d102779dccb9c7ac
File size: 204.0 KB ( 208896 bytes )
File name: successful_records.php?If=31312d3153
File type: Win32 EXE
Tags: peexe
Detection ratio: 5 / 46
Analysis date: 2013-08-22 14:05:17 UTC

https://www.virustotal.com/en/file/8db0 ... 377180317/
Attachments
password: infected