A forum for reverse engineering, OS internals and malware analysis 

Search found 40 matches


Re: MCShield

 by wealllbe20 ¦  Wed Apr 24, 2013 6:13 pm ¦  Forum: Tools/Software ¦  Topic: MCShield ¦  Replies: 9 ¦  Views: 15569

seems like the @="@SYS:DoesNotExist" registry entry would suffice unless you expect your file specified in the autorun file to actually run.

I believe there is also a way to make desktop.ini run a file automatically as well...

Re: Trojan-PSW.Win32.Agent.acrw

 by wealllbe20 ¦  Fri May 11, 2012 2:54 pm ¦  Forum: Malware ¦  Topic: Trojan-PSW.Win32.Agent.acrw ¦  Replies: 2 ¦  Views: 3154

Sorry Ep that is all I have.


 by wealllbe20 ¦  Fri May 11, 2012 1:55 pm ¦  Forum: Malware ¦  Topic: Trojan-PSW.Win32.Agent.acrw ¦  Replies: 2 ¦  Views: 3154

Keylogger according to TE with a very different type of dll injection. I usually do High-level analysis on files. This one I am unable to. Very different type of dll injection. Able to inject itself inside ANY ARK tool I run. Upon removal I get a winlogon 21A bsod. Upon replacement get a checksum mi...

Re: Trusteer Rapport is really secure?

 by wealllbe20 ¦  Wed Feb 29, 2012 10:33 pm ¦  Forum: Tools/Software ¦  Topic: Trusteer Rapport is really secure? ¦  Replies: 12 ¦  Views: 20459

Looks as though he unloaded a portion of the software while it was still running inside the browser.

The software looks as though it never detected being partially unloaded and seemed to still function as normal..
Also has no protection against such an attack.

Well, that's my guess anyway.

Prevent untrusted memory read/dump

 by wealllbe20 ¦  Thu Jan 05, 2012 4:30 pm ¦  Forum: User-Mode Development ¦  Topic: Prevent untrusted memory read/dump ¦  Replies: 5 ¦  Views: 6181

I was wondering if anybody has any example code, in userland of course, on how to prevent a process or thread from reading the memory of another thread or process.

Any ideas?

Re: Popureb rootkit

 by wealllbe20 ¦  Tue Jul 12, 2011 1:56 pm ¦  Forum: Malware ¦  Topic: Popureb rootkit ¦  Replies: 24 ¦  Views: 23231

Quads wrote: One thing after cleaning the MBR, removing files and registry entries I found in XP at least the Start Menu customize Browser setting doesn't want to go back to Firefox or Chrome to be the selected pinned browser.
Even after setting firefox or chrome as the default browser?

Re: Popureb rootkit

 by wealllbe20 ¦  Tue Jun 28, 2011 10:14 pm ¦  Forum: Malware ¦  Topic: Popureb rootkit ¦  Replies: 24 ¦  Views: 23231

rootkit is crap! it had trouble loading mbr code, finally did. detected as unknown bootcode in esage bootkit remover. restarted machine did not fix mbr code. system restart=no ran dos version of testdisk off of bootable cd ran fix mbr portion of testdisk. system restart=yes always says windows finish...

Re: Virus hides all files/folders on system.

 by wealllbe20 ¦  Tue May 10, 2011 7:09 pm ¦  Forum: Malware ¦  Topic: Virus hides all files/folders on system. ¦  Replies: 10 ¦  Views: 12867

*Update* "Not A Virus" but malware also has potential to remove all user start menu shortcuts (*.lnk) As well as changing many registry entries I fixed 90% by running dial-a-fix The only one it did not fix was: Hive: HKEY_CURRENT_USER Key: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced...

Re: Fireball for ThreatFire

 by wealllbe20 ¦  Fri Feb 11, 2011 4:29 pm ¦  Forum: Tools/Software ¦  Topic: Fireball for ThreatFire ¦  Replies: 4 ¦  Views: 16260

I wish there were more antimalware reviews like this one.


Can you imagine something like this being in PCWorld?

All they ever really talk about is how good the detection rate is with old malware samples.

Re: Long File Paths

 by wealllbe20 ¦  Fri Feb 11, 2011 4:22 pm ¦  Forum: General Discussion ¦  Topic: Long File Paths ¦  Replies: 6 ¦  Views: 6625


I have seen this, never really thought about it, always did a subst z: c:\"enter the long file path here"

and scanned z:

wonder if this simple trick could help developers....