Windows Work Checker – Fake AntiVirus

June 13, 2011 by NightWatcher
Filed under: FakeAV
Status: Solved!

Fix it immediately:

The file ilfqig.exe is part of a fake antivirus program.
Delete the file ilfqig.exe without delay!
Kill the process ilfqig.exe and remove ilfqig.exe from the Windows startup.

Malware Analysis of “Windows Work Checker”
Executed: freesystemscan.exe
Removed: ilfqig.exe. Full path: C:\Documents and Settings\Administrator\Application Data\Microsoft\ilfqig.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: shell
Author: Unknown
Related File: C:\Documents and Settings\Administrator\Application Data\Microsoft\ilfqig.exe
Type: User Shell

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect the malware's presence:

Registry: HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
Value: “C:\Documents and Settings\Administrator\Application Data\Microsoft\ilfqig.exe”

Files:
C:\Documents and Settings\Administrator\Application Data\Microsoft\ilfqig.exe
—————————————————————————————————————————-
Classification:

Antivirus   Version        Last Update   Result
F-Secure    9.0.16440.0    2011.06.10    Trojan.Generic.KDV.247254
Kaspersky   9.0.0.837      2011.06.10    Trojan.Win32.FakeAv.dlam
Microsoft   1.6903         2011.06.09    Rogue:Win32/FakePAV
NOD32       6194           2011.06.10    probably a variant of Win32/Adware.PrivacyGuard2010.AZ

—————————————————————————————————————————-

MD5 7229e733486b1dadcc8bb74b155fdc8a

SHA1 aa40b8b4e5b692e190ecca7627284b85a53598fb

SHA256 c98126dbe79b1cec8011874bab760387d08b4d44e3fb431422f9bd31650ec54d

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Keys added: 8
———————————-
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe

———————————-
Values added: 13
———————————-
HKLM\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect: 0x00000000
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwserv.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastsvc.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastui.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msascui.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe\Debugger: “svchost.exe”
HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore\DisableSR: 0x00000001
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\SysCert: DB 07 06 00 05 00 0A 00 0D 00 0B 00 26 00 44 03
HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\WarnOnHTTPSToHTTPRedirect: 0x00000000
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell: “C:\Documents and Settings\Administrator\Application Data\Microsoft\ilfqig.exe”

———————————-
Files added: 1
———————————-
C:\Documents and Settings\Administrator\Application Data\Microsoft\ilfqig.exe

———————————-
Files deleted: 1
———————————-
C:\sand-box\freesystemscan-1.exe

———————————-
Total changes: 23
———————————-
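The registry changes above (the per-user Winlogon Shell hijack, the Image File Execution Options "Debugger" entries that redirect the listed security products to svchost.exe, DisableSR and WarnOnHTTPSToHTTPRedirect) can be audited with the following PowerShell script. It is an added example written for this page, not UnHackMe's or the author's code; the process names and registry paths are the ones listed in the post, the drop location is assumed to be the current user's %APPDATA%\Microsoft folder, and Get-FileHash requires PowerShell 4 or later.

```powershell
# Added example (not from the original post): audit the persistence and
# AV-tampering locations this FakeAV sample modifies. Run from an elevated
# PowerShell; a clean machine should report no findings.
$findings = @()

# 1. A per-user Winlogon\Shell value is normally absent. The sample points it
#    at its own executable so it runs in place of explorer.exe at logon.
$winlogon = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell -notmatch '^explorer\.exe$') {
    $findings += "Per-user Winlogon Shell hijack: $shell"
}

# 2. IFEO Debugger entries make Windows start "svchost.exe" instead of the
#    security product, so the real AV never launches. Names are from the post.
$ifeo = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$avNames = 'afwserv.exe','avastsvc.exe','avastui.exe','egui.exe',
           'ekrn.exe','msascui.exe','msmpeng.exe','msseces.exe'
foreach ($name in $avNames) {
    $dbg = (Get-ItemProperty -Path (Join-Path $ifeo $name) -Name Debugger -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { $findings += "IFEO Debugger on ${name}: $dbg" }
}

# 3. System Restore disabled and the HTTPS-to-HTTP redirect warning suppressed.
$srKey = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore'
$sr = (Get-ItemProperty -Path $srKey -Name DisableSR -ErrorAction SilentlyContinue).DisableSR
if ($sr -eq 1) { $findings += 'System Restore disabled (DisableSR = 1)' }
foreach ($hive in 'HKLM','HKCU') {
    $inet = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    $warn = (Get-ItemProperty -Path $inet -Name WarnOnHTTPSToHTTPRedirect -ErrorAction SilentlyContinue).WarnOnHTTPSToHTTPRedirect
    if ($warn -eq 0) { $findings += "$hive WarnOnHTTPSToHTTPRedirect set to 0" }
}

# 4. Dropped executable (location assumed to be the current user's profile).
$drop = Join-Path $env:APPDATA 'Microsoft\ilfqig.exe'
if (Test-Path $drop) {
    $sha256 = (Get-FileHash -Path $drop -Algorithm SHA256).Hash
    $findings += "Dropped file present: $drop (SHA256 $sha256)"
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from this sample were found.' }
```

Compare the reported SHA256 with the hash given above before treating the file as this sample; the Debugger and Shell values should be removed only after the process has been stopped, otherwise it may re-create them.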

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


Written by

Malware Hunter.
