Removed: asectool.exe, scan.dll (FakeAV – Advanced Security Tool 2010)
Malware: a32.exe
Removed: C:\Documents and Settings\Administrator\Application Data\asectool.exe
C:\Documents and Settings\Administrator\Application Data\scan.dll
—————————————————————————————————————————-
Detected by UnHackMe:
Item Name: {80c10400-59cb-4c79-97ce-cc693103afca}
Author: Microsoft Corporation
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\SCAN.DLL
Type: Browser Helper Objects
Item Name: shell
Author: Unknown
Related File: "C:\Documents and Settings\Administrator\Application Data\asectool.exe" /sn
Type: User Shell
Item Name: AdvSecTool
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\ASECTOOL.EXE
Type: Registry Run
Item Name: asectool.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\APPLICATION DATA\ASECTOOL.EXE
Type: Running Processes
Detected by UnHackMe after the first reboot:
Removal Results: Success
Number of reboots: 1
—————————————————————————————————————————-
How to quickly detect this malware's presence
Registry: HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\InprocServer32\
Value: "C:\Documents and Settings\Administrator\Application Data\scan.dll"
Registry: HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\0\win32\
Value: "C:\Documents and Settings\Administrator\Application Data\scan.dll"
Registry: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdvSecTool
Value: ""C:\Documents and Settings\Administrator\Application Data\asectool.exe""
Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value: ""C:\Documents and Settings\Administrator\Application Data\asectool.exe" /sn"
Files:
C:\Documents and Settings\Administrator\Application Data\1tmp.bat
C:\Documents and Settings\Administrator\Application Data\asectool.exe
C:\Documents and Settings\Administrator\Application Data\scan.dll
C:\Documents and Settings\Administrator\Application Data\secmof.tmp
C:\Documents and Settings\Administrator\Desktop\Advanced Security Tool 2010.LNK
C:\Documents and Settings\Administrator\Start Menu\Advanced Security Tool 2010.LNK
—————————————————————————————————————————-
| Antivirus | Version | Last Update | Result |
|---|---|---|---|
| F-Secure | 9.0.15370.0 | 2010.08.29 | Trojan.Generic.KD.29071 |
| Kaspersky | 7.0.0.125 | 2010.08.29 | Trojan.Win32.FakeAV.dum |
| NOD32 | 5407 | 2010.08.29 | a variant of Win32/Kryptik.GJY |
—————————————————————————————————————————-
Additional information
MD5: f1af0c9e3c6be3bc77d1e9de3bcd5914
SHA1: ef66384faa535809c515117855440f129bfd1882
SHA256: 76e7d2139b02cd30da3757437ebca74fdebdf8883b93f892f642a7e8b2192f3b
—————————————————————————————————————————-
Installation
When the program is executed, it creates the following registry subkeys and values:
———————————-
Keys added:28
———————————-
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\InprocServer32
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\ProgID
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\Programmable
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\TypeLib
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\VersionIndependentProgID
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\0
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\0\win32
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\FLAGS
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\HELPDIR
HKLM\Software\Classes\BrcWizApp.BrcWiz
HKLM\Software\Classes\BrcWizApp.BrcWiz\CLSID
HKLM\Software\Classes\BrcWizApp.BrcWiz\CurVer
HKLM\Software\Classes\BrcWizApp.BrcWiz.1
HKLM\Software\Classes\BrcWizApp.BrcWiz.1\CLSID
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c10400-59cb-4c79-97ce-cc693103afca}
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
HKCU\Software\Advanced Security
———————————-
Values added:34
———————————-
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\VersionIndependentProgID\: "BrcWizApp.WinInet"
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\TypeLib\: "{58b4e0f5-f122-4c02-b038-c482d998486a}"
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\ProgID\: "BrcWizApp.BrcWiz.1"
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\InprocServer32\: "C:\Documents and Settings\Administrator\Application Data\scan.dll"
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\InprocServer32\ThreadingModel: "Apartment"
HKLM\Software\Classes\CLSID\{80c10400-59cb-4c79-97ce-cc693103afca}\: "BrcWiz Class"
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\: "{58B4E0F5-F122-4C02-B038-C482D998486A}"
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\TypeLib\Version: "1.0"
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid32\: "{00020420-0000-0000-C000-000000000046}"
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\ProxyStubClsid\: "{00020420-0000-0000-C000-000000000046}"
HKLM\Software\Classes\Interface\{4B66E1DF-4DE3-4CDA-83B5-11673EADAB0B}\: "_IBhoAppEvents"
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\: "{58B4E0F5-F122-4C02-B038-C482D998486A}"
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\TypeLib\Version: "1.0"
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid32\: "{00020424-0000-0000-C000-000000000046}"
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\ProxyStubClsid\: "{00020424-0000-0000-C000-000000000046}"
HKLM\Software\Classes\Interface\{9692BE2F-EB8F-49D9-A11C-C24C1EF734D5}\: "IBhoApp"
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\0\win32\: "C:\Documents and Settings\Administrator\Application Data\scan.dll"
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\HELPDIR\: "C:\Documents and Settings\Administrator\Application Data\"
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\FLAGS\: "0"
HKLM\Software\Classes\TypeLib\{58B4E0F5-F122-4C02-B038-C482D998486A}\1.0\: "WinInet 1.0 Type Library"
HKLM\Software\Classes\BrcWizApp.BrcWiz\CurVer\: "WinInetApp.BrcWiz.1"
HKLM\Software\Classes\BrcWizApp.BrcWiz\CLSID\: "{80c10400-59cb-4c79-97ce-cc693103afca}"
HKLM\Software\Classes\BrcWizApp.BrcWiz\: "BrcWiz Class"
HKLM\Software\Classes\BrcWizApp.BrcWiz.1\CLSID\: "{80c10400-59cb-4c79-97ce-cc693103afca}"
HKLM\Software\Classes\BrcWizApp.BrcWiz.1\: "BrcWiz Class"
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{80c10400-59cb-4c79-97ce-cc693103afca}\NoExplorer: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations\LowRiskFileTypes: "".exe;""
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\AdvSecTool: ""C:\Documents and Settings\Administrator\Application Data\asectool.exe""
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: ""C:\Documents and Settings\Administrator\Application Data\asectool.exe" /sn"
HKCU\Software\Advanced Security\fstart: "0"
HKCU\Software\Advanced Security\UpdateDate: "20-08-2010"
HKCU\Software\Advanced Security\Minimize: "0"
HKCU\Software\Advanced Security\Autorun: "1"
HKCU\Software\Advanced Security\Scan: "1"
———————————-
Values modified:2
———————————-
(-) HKLM\Software\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000001
(+) HKLM\Software\Microsoft\Security Center\AntiVirusDisableNotify: 0x00000000
(-) HKCU\Software\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Cache: 10 01 00 /…/ 00 00 00
(+) HKCU\Software\Microsoft\Windows\CurrentVersion\Controls Folder\Presentation Cache: 10 01 00 /…/ 00 00 00
———————————-
Files added:6
———————————-
C:\Documents and Settings\Administrator\Application Data\1tmp.bat
C:\Documents and Settings\Administrator\Application Data\asectool.exe
C:\Documents and Settings\Administrator\Application Data\scan.dll
C:\Documents and Settings\Administrator\Application Data\secmof.tmp
C:\Documents and Settings\Administrator\Desktop\Advanced Security Tool 2010.LNK
C:\Documents and Settings\Administrator\Start Menu\Advanced Security Tool 2010.LNK
———————————-
Files [attributes?] modified:1
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
———————————-
Total changes:71
———————————-
—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com