A forum for reverse engineering, OS internals and malware analysis 


Re: Win32/Poweliks

 by Quads ¦  Mon Sep 29, 2014 3:03 am ¦  Forum: Malware ¦  Topic: Win32/Poweliks ¦  Replies: 36 ¦  Views: 110010

Does anyone know if after using FRST to remove this key for Poweliks on a Win 7 x64 OS HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5} If the Registry key has to be repaired to [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AB8902B4-09CA-4bb6-B78D-A8F59079A8D5}] @="Thum...

Re: Win32/Poweliks

 by Quads ¦  Fri Aug 29, 2014 5:45 pm ¦  Forum: Malware ¦  Topic: Win32/Poweliks ¦  Replies: 36 ¦  Views: 110010

The Registry key(s) have a null in them; that is why FRST, RogueKiller etc. struggle in removing the key(s) even if they say they have done so. A test I did with Poweliks on my system (no VM or sandbox etc.) took longer due to me just testing FRST and RogueKiller a few weeks ago. There can always be new ...

Re: Win32/Poweliks

 by Quads ¦  Tue Aug 05, 2014 7:23 am ¦  Forum: Malware ¦  Topic: Win32/Poweliks ¦  Replies: 36 ¦  Views: 110010

Possibly a Poweliks key in the FRST log, and not Za as MBAM/MBAR detected it as

InvalidSubkeyName: [HKLM\Software\Classes\CLSID\{73E709EA-5D93-4B2E-BBB0-99B7938DA9E4}\LocalServer32\ <*>] <===== ATTENTION

From 5 days ago.

Quads

Re: WinNT/Pigeon (W32.Mezit!inf)

 by Quads ¦  Tue Apr 22, 2014 10:48 pm ¦  Forum: Malware ¦  Topic: WinNT/Pigeon ¦  Replies: 36 ¦  Views: 19942

Attached is a file in its folder path (from FRST) that is detected as Mezit!inf

Quads

Re: WinNT/Pigeon

 by Quads ¦  Sat Apr 12, 2014 3:34 am ¦  Forum: Malware ¦  Topic: WinNT/Pigeon ¦  Replies: 36 ¦  Views: 19942

This looks like one also

http://www.bleepingcomputer.com/forums/ ... inf/page-2

w64viknokinf is seen as Zekos, so that would mean that w64viknokbinf is the same family, just a change

Quads

Re: Audio ads malware

 by Quads ¦  Tue Jan 07, 2014 7:27 am ¦  Forum: Malware ¦  Topic: WinNT/Pigeon ¦  Replies: 36 ¦  Views: 19942

Another two

C:\Windows\System32\rpcss.dll
[2009-07-13 16:00] - [2009-07-13 17:41] - 0510464 ____A (Microsoft Corporation) 1F911C2BBAD194A6FE4801EE868BABF9

* C:\Windows\System32\rpcss.dll : 510,464 : 07/13/2009 07:41 PM : e2653bd02019ced856a18e3d0316a8a4


Quads

Re: Audio ads malware

 by Quads ¦  Tue Jan 07, 2014 2:28 am ¦  Forum: Malware ¦  Topic: WinNT/Pigeon ¦  Replies: 36 ¦  Views: 19942

Here is another in a log

C:\Windows\System32\rpcss.dll
[2011-07-07 10:52] - [2010-11-20 07:27] - 0512512 ____A (Microsoft Corporation) BF9B8B9F08430C19DAFD87457DACA6E0


Quads

Re: Audio ads malware

 by Quads ¦  Mon Jan 06, 2014 11:33 pm ¦  Forum: Malware ¦  Topic: WinNT/Pigeon ¦  Replies: 36 ¦  Views: 19942

I do not have the files with the MD5s, just seeing them in logs, and once the rpcss.dll gets swapped the audio stops C:\Windows\System32\rpcss.dll --a---- 510464 bytes [00:00 14/07/2009] [01:41 14/07/2009] 43DFB333BCAA083F047677B2850C9B2C C:\Windows\System32\rpcss.dll [2009-07-13 17:00] - [2009-07-13 18...

Re: Audio ads malware

 by Quads ¦  Mon Jan 06, 2014 9:57 pm ¦  Forum: Malware ¦  Topic: WinNT/Pigeon ¦  Replies: 36 ¦  Views: 19942

rpcss.dll,

There is more than one MD5 for the patched rpcss.dll

Quads

Re: Malware in Mexican ATM

 by Quads ¦  Tue Dec 31, 2013 1:17 am ¦  Forum: Malware ¦  Topic: Malware in Mexican ATM ¦  Replies: 19 ¦  Views: 44068