Removed: C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe (FakeAV – XP Internet Security)

Malware: SecurityScanner.exe

Removed: C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: .exe
Author: Unknown
Related File: "C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe" /START "%1" %*
Type: Main File Extensions

Item Name: pw.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\PW.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect the malware's presence? Check for the following registry values and file:

Registry: HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\
Value: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe""

Registry: HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\
Value: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode"

Registry: HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\
Value: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe""

Files: C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe
—————————————————————————————————————————-
Classification (VirusTotal-style antivirus results):

Antivirus   Version       Last Update   Result
F-Secure    9.0.16160.0   2010.11.13    -
Kaspersky   7.0.0.125     2010.11.13    Packed.Win32.Katusha.o
Microsoft   1.6301        2010.11.13    Rogue:Win32/FakeRean
NOD32       5617          2010.11.13    a variant of Win32/Kryptik.IDG

—————————————————————————————————————————-

MD5 56397ff0ad771a8454950a3f42d156d0

SHA1 3842b63e264a8cfa21e8b36b22de05c39fd51700

SHA256 45b7cf72538ae574278d5dda6948605aec04112a4a808c5d2052902e20db8fee

—————————————————————————————————————————-


Installation
When the program is executed, it creates the registry subkeys and values listed below and makes the listed file changes. The browser launch commands under StartMenuInternet are redirected through pw.exe, so pw.exe starts whenever Firefox or Internet Explorer is launched from the Start menu; the SharedAccess (Windows Firewall/ICS) service is set to disabled (Start = 4), and the Security Center AntiVirusOverride and FirewallOverride flags are set so that the missing-protection warnings are suppressed.

———————————-
Values added: 6
———————————-
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0x00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0x00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0x00000001
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0x00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000001
HKCU\Software\Microsoft\Windows\Identity: 0x19228448

———————————-
Values modified: 18
———————————-
(-) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: "C:\Program Files\Mozilla Firefox\firefox.exe"
(+) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe""
(-) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\: ""C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode"
(+) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Mozilla Firefox\firefox.exe" -safe-mode"
(-) HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: "C:\Program Files\Internet Explorer\iexplore.exe"
(+) HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: ""C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe""
(-) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\Name: "iexplore.exe"
(+) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\Name: "pw.exe"
(-) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\ID: 0x48ACC122
(+) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\ID: 0x4750998C
(-) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0x00000000
(+) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0x00000001
(-) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0x00000000
(+) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0x00000001
(-) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0x00000002
(+) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0x00000004
(-) HKCU\Software\Clients\StartMenuInternet\: "FIREFOX.EXE"
(+) HKCU\Software\Clients\StartMenuInternet\: "IEXPLORE.EXE"

———————————-
Files added: 2
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\opRSK
C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe

———————————-
Files deleted: 1
———————————-
C:\sand-box\SecurityScanner.exe

———————————-
Files [attributes?] modified: 1
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

———————————-
Total changes: 28
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com
