Search found 151 matches

by Quads
Mon Sep 29, 2014 3:03 am
Forum: Malware
Topic: Win32/Poweliks
Replies: 36
Views: 103668

Re: Win32/Poweliks

Does anyone know, after using FRST to remove this key for Poweliks on a Win 7 x64 OS, HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}, if the registry key has to be repaired to [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] @="Thum...
by Quads
Fri Aug 29, 2014 5:45 pm
Forum: Malware
Topic: Win32/Poweliks
Replies: 36
Views: 103668

Re: Win32/Poweliks

The registry key(s) have a null in them; that is why FRST, RogueKiller etc. struggle to remove the key(s) even if they say they have done so. A test I did with Poweliks on my system (no VM or sandbox etc.) took longer due to me just testing FRST and RogueKiller a few weeks ago. There can always be new ...
by Quads
Tue Aug 05, 2014 7:23 am
Forum: Malware
Topic: Win32/Poweliks
Replies: 36
Views: 103668

Re: Win32/Poweliks

Possibly a Poweliks key in the FRST log, and not Za as MBAM/MBAR detected it as:

InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION

From 5 days ago.

Quads
by Quads
Tue Apr 22, 2014 10:48 pm
Forum: Malware
Topic: WinNT/Pigeon
Replies: 36
Views: 18408

Re: WinNT/Pigeon (W32.Mezit!inf)

Attached is a file in its folder path (from FRST) that is detected as Mezit!inf.

Quads
by Quads
Sat Apr 12, 2014 3:34 am
Forum: Malware
Topic: WinNT/Pigeon
Replies: 36
Views: 18408

Re: WinNT/Pigeon

This looks like one also:

http://www.bleepingcomputer.com/forums/ ... inf/page-2

w64viknokinf is seen as Zekos, so that would mean that w64viknokbinf is the same family, just a change.

Quads
by Quads
Tue Jan 07, 2014 7:27 am
Forum: Malware
Topic: WinNT/Pigeon
Replies: 36
Views: 18408

Re: Audio ads malware

Another two:

C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0510464 ____A (Microsoft Corporation) 1F911C2BBAD194A6FE4801EE868BABF9

* C:\Windows\System32\rpcss.dll : 510,464 : 07/13/2009 07:41 PM : e2653bd02019ced856a18e3d0316a8a4


Quads
by Quads
Tue Jan 07, 2014 2:28 am
Forum: Malware
Topic: WinNT/Pigeon
Replies: 36
Views: 18408

Re: Audio ads malware

Here is another in a log:

C:\Windows\System32\rpcss.dll
[2011-07-07 10:52] - [2010-11-20 07:27] - 0512512 ____A (Microsoft Corporation) BF9B8B9F08430C19DAFD87457DACA6E0


Quads
by Quads
Mon Jan 06, 2014 11:33 pm
Forum: Malware
Topic: WinNT/Pigeon
Replies: 36
Views: 18408

Re: Audio ads malware

I do not have the files with the MD5s, just seeing them in logs, and once the rpcss.dll gets swapped the audio stops. C:\Windows\System32\rpcss.dll --a---- 510464 bytes [00:00 14/07/2009] [01:41 14/07/2009] 43DFB333BCAA083F047677B2850C9B2C C:\Windows\System32\rpcss.dll [2009-07-13 17:00] - [2009-07-13 18...
by Quads
Mon Jan 06, 2014 9:57 pm
Forum: Malware
Topic: WinNT/Pigeon
Replies: 36
Views: 18408

Re: Audio ads malware

rpcss.dll:

There is more than one MD5 for the patched rpcss.dll.

Quads
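Two things come up repeatedly in the posts above: the FRST "InvalidSubkeyName ... ATTENTION" line that marks a Poweliks-style registry key Win32 tools cannot open, and the same rpcss.dll path showing up with several different MD5s across logs. The script below is an added example (not from the thread, not FRST's own code) that triages pasted log text for both. It assumes the two-line FRST file-entry layout and the InvalidSubkeyName line exactly as they appear in the quoted posts; the sample log is assembled from those posted lines. It only parses text and makes no claim about which hash is clean.

```python
"""
Triage helpers for the FRST / file-hash log lines posted in this thread.

Added example, not part of the original forum thread and not FRST's own code.
Assumed formats (taken from the quoted posts):
  - FRST file entry, two lines:  <path>  then
    [created] - [modified] - <size> <attrs> (<company>) <MD5>
  - FRST registry warning:  InvalidSubkeyName: [<key>] <===== ATTENTION
  - any other tool's line that has a drive path followed by a 32-hex MD5
Nothing here touches the registry or the file system.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

FRST_ENTRY = re.compile(
    r"^\[(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"\[(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\] - "
    r"(?P<size>\d+) (?P<attrs>\S+) \((?P<company>[^)]*)\) (?P<md5>[0-9A-Fa-f]{32})\s*$"
)
# FRST flags a key name it cannot hand to the Win32 registry API (e.g. an
# embedded null); the bracketed text is the key path as FRST printed it.
INVALID_SUBKEY = re.compile(r"^InvalidSubkeyName: \[(?P<key>[^\]]*)\]")
# Drive path without spaces: enough for the lines in this thread. Paths under
# "Program Files" would need the two-line FRST form, where the path is on its
# own line and is taken whole.
WIN_PATH = re.compile(r"[A-Za-z]:\\[^\s:]+")
MD5 = re.compile(r"\b[0-9A-Fa-f]{32}\b")


@dataclass(frozen=True)
class FileEntry:
    path: str
    created: str
    modified: str
    size: int
    attrs: str
    company: str
    md5: str


def parse_frst_entries(text):
    """Pair each FRST attribute line with the path on the line before it."""
    lines = text.splitlines()
    entries = []
    for i, line in enumerate(lines):
        m = FRST_ENTRY.match(line.strip())
        if m and i > 0 and re.match(r"[A-Za-z]:\\", lines[i - 1].strip()):
            entries.append(FileEntry(lines[i - 1].strip(), m["created"], m["modified"],
                                     int(m["size"]), m["attrs"], m["company"],
                                     m["md5"].upper()))
    return entries


def find_invalid_subkeys(text):
    """Registry keys FRST could not name cleanly (Poweliks-style null in the name)."""
    return [m["key"] for m in (INVALID_SUBKEY.match(l.strip()) for l in text.splitlines()) if m]


def md5s_by_path(text):
    """Lower-cased path -> set of MD5s seen for it, across every line format above."""
    seen = defaultdict(set)
    for e in parse_frst_entries(text):
        seen[e.path.lower()].add(e.md5)
    for line in text.splitlines():
        p, h = WIN_PATH.search(line), MD5.search(line)
        if p and h and p.end() < h.start():      # hash printed after the path
            seen[p.group(0).lower()].add(h.group(0).upper())
    return dict(seen)


def multiple_hashes(text):
    """Paths that appear with more than one distinct MD5, as the thread reports
    for rpcss.dll. A differing hash is a lead to pull the file and verify its
    signature, not proof of patching on its own: updates change it too."""
    return {p: sorted(h) for p, h in md5s_by_path(text).items() if len(h) > 1}


# Sample log assembled from the lines quoted in the posts above.
SAMPLE_LOG = r"""
InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION
C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0510464 ____A (Microsoft Corporation) 1F911C2BBAD194A6FE4801EE868BABF9
* C:\Windows\System32\rpcss.dll : 510,464 : 07/13/2009 07:41 PM : e2653bd02019ced856a18e3d0316a8a4
C:\Windows\System32\rpcss.dll
[2011-07-07 10:52] - [2010-11-20 07:27] - 0512512 ____A (Microsoft Corporation) BF9B8B9F08430C19DAFD87457DACA6E0
C:\Windows\System32\rpcss.dll --a---- 510464 bytes [00:00 14/07/2009] [01:41 14/07/2009] 43DFB333BCAA083F047677B2850C9B2C
"""

if __name__ == "__main__":
    for key in find_invalid_subkeys(SAMPLE_LOG):
        print("registry key FRST could not name:", key)
    for path, hashes in multiple_hashes(SAMPLE_LOG).items():
        print(path, "seen with", len(hashes), "MD5s:", ", ".join(hashes))
```

Feed it the raw text of one or more FRST/Addition logs; the InvalidSubkeyName hits are the keys to delete with a tool that uses the native registry API (the null-safe path), and any file listed under multiple_hashes is one to export from the machine and check with an Authenticode signature tool before deciding it is the patched copy.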