Wednesday, 21 December 2022

Windows Security & Control

Windows Security & Control is yet another rogue security application; it is also a clone of the following rogues: Windows System Optimizator, Windows Optimization Center and Windows Optimization & Security.

Looking at these clones, they are all built to infect the same way: the rogue blocks applications, invades Safe Mode, disables System Restore and disables the legitimate Microsoft Security Essentials, including its real-time protection.


The program finds nothing but imaginary system errors and viruses, and it also implants itself at startup; the only way it offers to stop the errors is to purchase a key or patch the program.

The virus uses the fake Microsoft Security Essentials alert to get itself installed, and at the next restart it replaces the shell with itself.

Even if you don't notice it, the virus hides itself in %appdata% under a name made of random characters; it can be:

tvvdeo.exe

dxkovi.exe

frdkiu.exe

xhbvkt.exe

dnvavl.exe

jhtmch.exe

ixrojp.exe

lsjqxr.exe

udsydv.exe

lcvecw.exe

bcgtmj.exe

dvedrq.exe

yhgkbq.exe

lfkrwf.exe

ghqnrt.exe

Even if you don't notice, they are all the same application with randomized letters.

The virus is called SecurityScanner.exe and has the MD5 hash: 7dde6427dcf06d0c861693b96ad053a0

Once registered it stops blocking applications and lets you use a legitimate antivirus to remove it.

Thanks to Ender's show (file captured in 2017).

Thursday, 15 December 2022

Windows Optimization & Security

Windows Optimization & Security is another bogus antivirus program, a clone of Windows System Optimizator and Windows Optimization Center.

It may look like this: (Source: Malwarebytes forum)


It is another rogue faking the Microsoft Security Essentials alert, pushing the user into installing Windows Optimization & Security through fake setup installers.

It may place its own icon in the taskbar and on the desktop when registered. It uses a brute way of hiding from file deletion: it creates a copy of itself in %appdata%, but for now it does not use the protect.exe filename; it uses random names and hides itself.

It may hijack the Winlogon shell, which makes it almost impossible to remove in Safe Mode: the rogue closes Explorer, but its alerts and its blocking of apps still remain:





Example of a random .exe file name: C:\Documents and Settings\{username}\Application Data\payjxv.exe

It also disables System Restore, blocks Windows Defender and kills the Windows Defender process with its own commands.

It also disables UAC (User Account Control) and runs commands to kill Microsoft Security Essentials:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]

"DisableSR"="1"

You can reset the value of DisableSR to 0 to re-enable System Restore.

Winlogon shell hijacked

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]

"Shell"="'C:\Documents and Settings\{username}\Application Data\payjxv.exe'"

When you see this, you can change the value back to explorer.exe and delete the file in question.
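The two registry values above are the indicators worth checking on a suspect machine. As an added example that is not part of the original post, here is a small Python script that parses a .reg export (taken offline, for instance from a mounted disk or a recovery console) and flags a Winlogon Shell that is not explorer.exe and a DisableSR value of 1, then emits the .reg fragment that restores the values the post says to put back. The sample export embedded in the script is constructed; the key paths are the ones named in the post, the username "victim" is invented.

```python
import re

# Constructed .reg-style export (not a real capture): the two values below
# mirror the Shell hijack and the System Restore setting documented in the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="C:\\Documents and Settings\\victim\\Application Data\\payjxv.exe"
'''

SYSRESTORE_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore"
WINLOGON_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
)


def decode_value(raw):
    """Decode the common .reg value encodings: REG_SZ (quoted, backslashes doubled) and REG_DWORD."""
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return raw


def parse_reg(text):
    """Return {key_path: {value_name_lower: decoded_value}} for a .reg export."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1).lower()] = decode_value(m.group(2))
    return keys


def lookup(keys, wanted):
    """Registry paths are case-insensitive, so compare them that way."""
    for name, values in keys.items():
        if name.lower() == wanted.lower():
            return name, values
    return None, {}


def find_indicators(keys):
    """Flag a non-explorer.exe Winlogon Shell and a DisableSR of 1."""
    findings = []
    for key in WINLOGON_KEYS:
        name, values = lookup(keys, key)
        shell = values.get("shell")
        if shell is None:
            continue
        # the rogue wraps its path in quotes; strip them before comparing
        if str(shell).strip().strip("'\"").lower() != "explorer.exe":
            findings.append({"indicator": "winlogon_shell_hijack", "key": name,
                             "value": shell, "restore_to": "explorer.exe"})
    name, values = lookup(keys, SYSRESTORE_KEY)
    sr = values.get("disablesr")
    if sr is not None and str(sr) == "1":
        findings.append({"indicator": "system_restore_disabled", "key": name,
                         "value": sr, "restore_to": 0})
    return findings


def remediation_reg(findings):
    """Emit a .reg fragment that puts back the values the post tells you to restore."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for f in findings:
        lines.append("[" + f["key"] + "]")
        if f["indicator"] == "winlogon_shell_hijack":
            lines.append('"Shell"="explorer.exe"')
        else:
            lines.append('"DisableSR"=dword:00000000')
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    found = find_indicators(parse_reg(SAMPLE_REG))
    for f in found:
        print(f["indicator"], "->", f["key"], "=", f["value"])
    print(remediation_reg(found))
```

Run it against a real export with `reg export "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` (and the same for the SystemRestore key) from a clean environment; the rogue's own file still has to be deleted, as the post says, and the restore fragment only undoes these two values.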

MD5 of the virus, for the curious: 03f4360a1503e369199dbaee4afa5f28

ESET-NOD32: A Variant Of Win32/Adware.PrivacyGuard2010.AD

Microsoft: Rogue:Win32/FakePAV

In this evolution of FakePAV, it increases its abilities with every cloned family. Test the virus at your own risk.

Thanks to VirusShare.

For removal instructions, see https://forums.malwarebytes.com/topic/72980-removal-instructions-for-windows-optimization-security/

Monday, 12 December 2022

Windows System Optimizator (FakePAV)

Windows System Optimizator is a rogue and a clone of Windows Optimization Center.

It looks like this:

It has the same payload and properties.


MD5 of the rogue, for curious members: 5dba7986f2f058888182a11dc8245e59

Once registered it stops blocking programs and allows users to run a remover for this rogue application.

Thanks to Enigmasoft, the malware researcher cracking rogues from the sky!

Use a virtual machine, or use Sandboxie if you are not sure.

Windows Optimization Center

Windows Optimization Center is a bogus, fake antivirus program. After the PrivacyGuard2010 fiasco, the large clone families spread easily through fake movie downloads.
Once the user downloads the fake movie, something like movie.avi.exe, it has a hidden executable extension.

When started it displays a fake Microsoft Security Essentials alert, blocking apps like Procexp, regedit, taskmgr, cmd and other applications.







By forcing the user to "clean the computer", "apply actions" and "scan online", it recommends installing the bogus software.






After the reboot it replaces explorer.exe, the logon shell, with the rogue, using random characters; in this first version of the large rogues from FakePAV it goes as protect.exe.
When protected mode starts, the interface begins faking its own viruses, privacy issues, software problems and performance problems.



A possible fake scan; it plays the Windows logon sound every time.

The rest of the interface and its fake results; even after buying, nothing is resolved.








Errors about an "outdated license"


And in this About section it attempts to convince users that the product is not malicious, even though security sites and malware blogs list the product.



It blocks taskmgr, iexplore, regedit, cmd and other programs, but not explorer and mshta, the component used by this malware.
Fake alert in a pop-up
Its way of blocking programs is limited, and a simple trick helps: this virus also invades Safe Mode with Networking and plain Safe Mode, but not Safe Mode with Command Prompt.
Once registered, or cracked with a loader renamed to csrss.exe, the virus stops blocking and activates the full version.
Fake optimization, I'm sure.


The virus also says that the license expires in 2023 and 2024, but it cannot expire on any date.

When registered it places a shortcut on the desktop.



MD5 of the sample: 34e73a4663cd17112ef5ca618ac3cb34
Test on a virtual machine; but if you do get infected, the activator or the registry fixes may save your host PC.


Tuesday, 6 December 2022

WindowsTool

WindowsTool is a fake optimizer, or hard drive repair program, that issues annoying errors claiming that your HDD and RAM are damaged and blocks several programs from running.

An image of its interface looks like this:

On double-click the virus seems to install a DLL silently, and after 15 minutes it triggers a payload.


Task Manager is disabled upon running:
The injected DLL carries several payloads and blocks certain programs, like Media Player, to act as if the hard drive were damaged, and blocks most programs from running.
As you can see, a fake Windows "no disk" error is displayed.
Upon clicking Cancel, Try Again or Continue it gives more fake errors about low disk space, delayed write failed and others:
With those errors it simulates a blue screen crash or a crash error to force a reboot of the PC. Upon reboot it displays a fake Safe Mode with an error pop-up about a Windows boot failure.


By pressing the OK button you get into the disk diagnostics.


You can't close the disk repair until you press Start, so there is no way to exit this window until you install a repair program.
So now we have an infection by a rogue called Windows Tool, but one from the hard drive repair family.

It can "fix" the fake Safe Mode and put back the original wallpaper, so the rogue acts as if it repaired those errors in a fake Safe Mode and brings back Explorer.


It can repeat the payload procedure, showing the fake errors, and at some point crash the PC and repeat the alerts:

Until it adds this error as detected: A problem detected while reading system files
You are forced to activate this program to "fix your hard drive".



You also can't uninstall the rogue unless it is activated, the problems are "resolved" and the payload injected through the DLL is erased.

A sign of the FakeSysDef payload in this variant is C:\Documents And Settings\(user)\Application data\R*.dll
It can use a random mix of characters and inject itself.
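The posts above give three file-name patterns for these families: six random lowercase letters plus .exe dropped in Application Data (the FakePAV clones, like the list of names in the Windows Security & Control post and payjxv.exe), protect.exe (the first Windows Optimization Center version) and R*.dll (this FakeSysDef variant). As an added example that is not part of the original blog, the Python script below applies those patterns to a directory listing taken from an offline or mounted disk. The listing embedded in it is constructed; the username "victim" and the file names other than the ones quoted in the posts are invented.

```python
import re
from pathlib import PureWindowsPath

# Constructed listing, as if collected from a user's Application Data folder.
# payjxv.exe and protect.exe are names quoted in the posts; the rest are invented.
SAMPLE_LISTING = [
    r"C:\Documents and Settings\victim\Application Data\payjxv.exe",
    r"C:\Documents and Settings\victim\Application Data\protect.exe",
    r"C:\Documents and Settings\victim\Application Data\Rhqzt.dll",
    r"C:\Documents and Settings\victim\Application Data\Microsoft\Word\Normal.dot",
    r"C:\Documents and Settings\victim\Application Data\Adobe\Reader\x.dll",
]

# Six random lowercase letters, as in the names the posts list (tvvdeo.exe, payjxv.exe, ...).
RANDOM_EXE = re.compile(r"^[a-z]{6}\.exe$")
# R*.dll, the FakeSysDef payload location given in the post.
FAKESYSDEF_DLL = re.compile(r"^R[A-Za-z0-9]+\.dll$")


def in_appdata_root(parts):
    """True when the parent folder is the Application Data / AppData\\Roaming root itself."""
    lowered = [p.lower() for p in parts]
    if len(lowered) >= 2 and lowered[-2] == "application data":
        return True  # Windows XP / 2003 layout, as in the posts
    if len(lowered) >= 3 and lowered[-2] == "roaming" and lowered[-3] == "appdata":
        return True  # Vista and later layout (assumption: same drop location)
    return False


def classify(path):
    """Return an indicator tag for a path that matches one of the posts' patterns, else None."""
    p = PureWindowsPath(path)
    if not in_appdata_root(p.parts):
        return None
    name = p.name
    if RANDOM_EXE.match(name):
        return "fakepav_random_exe"
    if name.lower() == "protect.exe":
        return "fakepav_protect_exe"
    if FAKESYSDEF_DLL.match(name):
        return "fakesysdef_payload_dll"
    return None


def scan(listing):
    """Return (path, tag) for every path in the listing that matches a pattern."""
    hits = []
    for path in listing:
        tag = classify(path)
        if tag is not None:
            hits.append((path, tag))
    return hits


if __name__ == "__main__":
    for path, tag in scan(SAMPLE_LISTING):
        print(tag, "->", path)
```

A match is a triage hint, not proof: a legitimate six-letter program could sit in the same folder, so confirm a hit by its MD5 (the posts give the hashes of the samples) and by the Winlogon Shell value before deleting anything.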
You need to activate this rogue; to do that:
A valid code is kept in this post.
Activated, and well done.
All errors are fixed, and once registered the payload DLL is de-injected from this Windows.
:)
Enable all modules
The disabled Task Manager persists, but the payload is erased, so you need to disinfect with MBAM to stop it reinstalling itself when you uninstall.
This is a fake defragmenter; stay away from the FakeSysDef family unless you have VMware, Virtual PC 2007, VirtualBox or a computer reserved for testing.

MD5 of the payload file: 3df332fbfce7c3ce4846c95a06ca4656
The code used to defeat the rogue is 8475082234984902023718742058948