Removed: C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe (FakeAV – XP Internet Secutiry)

I use UnHackMe for cleaning adware and viruses from my friend's computers, because it is extremely fast and effective.

Download free e-book [PDF]: "How to Easily Remove Malware with UnHackMe"


Solved! The issue has been fixed!
5 Stars (5 / 5)


Malware: SecurityScanner.exe

Removed: C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe

—————————————————————————————————————————-
Detected by UnHackMe:

Item Name: .exe
Author: Unknown
Related File: “C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe” /START “%1″ %*
Type: Main File Extensions

Item Name: pw.exe
Author: Unknown
Related File: C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\PW.EXE
Type: Running Processes

Removal Results: Success
Number of reboot: 1

—————————————————————————————————————————-
How to quickly detect malware presence?

Registry: HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\
Value: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe””

Registry: HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\
Value: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode”

Registry: HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\
Value: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe””

Files: C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe
—————————————————————————————————————————-
Classification:

Antivirus Version Last Update Result
F-Secure 9.0.16160.0 2010.11.13 -
Kaspersky 7.0.0.125 2010.11.13 Packed.Win32.Katusha.o
Microsoft 1.6301 2010.11.13 Rogue:Win32/FakeRean
NOD32 5617 2010.11.13 a variant of Win32/Kryptik.IDG

—————————————————————————————————————————-

MD5 56397ff0ad771a8454950a3f42d156d0

SHA1 3842b63e264a8cfa21e8b36b22de05c39fd51700

SHA256 45b7cf72538ae574278d5dda6948605aec04112a4a808c5d2052902e20db8fee

—————————————————————————————————————————-


Installation
When the program is executed, it creates the following registry subkeys and values:

———————————-
Values added:6
———————————-
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\EnableFirewall: 0×00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DoNotAllowExceptions: 0×00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\DisableNotifications: 0×00000001
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions: 0×00000000
HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0×00000001
HKCU\Software\Microsoft\Windows\Identity: 0×19228448

———————————-
Values modified:18
———————————-
(-) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: “C:\Program Files\Mozilla Firefox\firefox.exe”
(+) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\open\command\: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe””
(-) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\: “”C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode”
(+) HKLM\Software\Clients\StartMenuInternet\FIREFOX.EXE\shell\safemode\command\: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe” /START “C:\Program Files\Mozilla Firefox\firefox.exe” -safe-mode”
(-) HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: “C:\Program Files\Internet Explorer\iexplore.exe”
(+) HKLM\Software\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command\: “”C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe” /START “C:\Program Files\Internet Explorer\iexplore.exe””
(-) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\Name: “iexplore.exe”
(+) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\Name: “pw.exe”
(-) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\ID: 0x48ACC122
(+) HKLM\Software\Microsoft\DirectDraw\MostRecentApplication\ID: 0x4750998C
(-) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0×00000000
(+) HKLM\Software\Microsoft\Security Center\AntiVirusOverride: 0×00000001
(-) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0×00000000
(+) HKLM\Software\Microsoft\Security Center\FirewallOverride: 0×00000001
(-) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0×00000002
(+) HKLM\System\CurrentControlSet\Services\SharedAccess\Start: 0×00000004
(-) HKCU\Software\Clients\StartMenuInternet\: “FIREFOX.EXE”
(+) HKCU\Software\Clients\StartMenuInternet\: “IEXPLORE.EXE”

———————————-
Files added:2
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\opRSK
C:\Documents and Settings\Administrator\Local Settings\Application Data\pw.exe

———————————-
Files deleted:1
———————————-
C:\sand-box\SecurityScanner.exe

———————————-
Files [attributes?] modified:1
———————————-
C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT

———————————-
Total changes:28
———————————-

—————————————————————————————————————————-
Recommended software:
UnHackMe anti-rootkit and anti-malware
http://www.unhackme.com
RegRun Security Suite (Good choice for removal and protection)
http://www.regrun.com


I use UnHackMe for cleaning ads and viruses from my friend's computers, because it is extremely fast and effective.




1. Download UnHackMe for free

UnHackMe removes Adware/Spyware/Unwanted Programs/Browser Hijackers/Search Redirectors from your PC easily.

Free Download

UnHackMe is compatible with most antivirus software.
UnHackMe is 100% CLEAN, which means it does not contain any form of malware, including adware, spyware, viruses, trojans and backdoors. VirusTotal (0/56).
System Requirements: Windows 2000-Windows 8.1/10 32 or 64-bit. UnHackMe uses minimum of computer resources.

2. Double click on UnHackMe_setup.exe

You will see a confirmation screen with verified publisher: Greatis Software. Verified Publisher Greatis Software

Once UnHackMe has installed has installed the first Scan will start automatically

Review the detected threats

3. Carefully review the detected threats!

Click Remove button or False Positive.

Enjoy!

  • hotfixremove

    The post is usefull, thank you.