To get connected remotely and to help remove this rogue, enter this key (thanks to S!ri):
U2FD-S2LA-H4KA-UEPB
Manual Instructions
Another fake MSE (Microsoft Security Essentials look-alike), Internet Security Guard this time. This one is fairly straightforward
to remove. It disables Task Manager with an Image File Execution Options (IFEO) entry for taskmgr.exe, so launching
Task Manager by its real file name gets intercepted. To get around this, copy taskmgr.exe under a name that Windows
needs running to operate, such as "winlogon.exe", which the rogue cannot afford to hijack. The
following command from the Run box should suffice:
cmd /k copy "C:\windows\system32\taskmgr.exe" "%userprofile%\desktop\winlogon.exe"
This copies Task Manager to the desktop as "winlogon.exe", a file name the IFEO entry does not match, so it runs.
Use it to kill the rogue's process (the <random>.exe under All Users\Application Data listed below).
Then run your favorite malware scanner (MalwareBytes' is mine) and you are all set.
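The same procedure as a PowerShell script, added here as an example and not part of the original post. It assumes the rogue uses the usual IFEO trick, a "Debugger" value under the taskmgr.exe subkey (the post only says an image file execution option is involved), and that you run it from an administrator session so process paths can be read. The drop folder check relies on the file location listed under Files Created below.

```powershell
# Added example: run Task Manager under a name the IFEO hijack does not match, then kill the rogue.
# Assumption: the rogue sets HKLM\...\Image File Execution Options\taskmgr.exe\Debugger.
$ifeo   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$target = 'taskmgr.exe'

# 1. Show what the hijack points to, if anything, so you know what you are dealing with.
$key = Join-Path $ifeo $target
if (Test-Path $key) {
    $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
    if ($dbg) { Write-Host "IFEO Debugger for ${target}: $dbg" }
}

# 2. Copy Task Manager under a name Windows itself needs at boot. IFEO matches on the image
#    file name only, so the renamed copy is not redirected.
$src = Join-Path $env:SystemRoot 'system32\taskmgr.exe'
$dst = Join-Path ([Environment]::GetFolderPath('Desktop')) 'winlogon.exe'
Copy-Item -Path $src -Destination $dst -Force

# 3. Launch the renamed copy.
Start-Process -FilePath $dst

# 4. List processes running from the rogue's drop location
#    (C:\Documents and Settings\All Users\Application Data\<random>\<random>.exe on XP)
#    and kill them one at a time with confirmation, since the folder name is random
#    and the operator should eyeball each path before it dies.
$drop = [Environment]::GetFolderPath('CommonApplicationData')
Get-Process |
    Where-Object { $_.Path -and $_.Path.StartsWith($drop, 'OrdinalIgnoreCase') } |
    ForEach-Object {
        Write-Host "Running from drop folder: $($_.Path) (PID $($_.Id))"
        Stop-Process -Id $_.Id -Force -Confirm
    }
```

Step 4 lists before it kills because some legitimate software also runs from the common Application Data folder; the -Confirm prompt makes the kill a per-process decision rather than a blanket one.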
Files Created
C:\Documents and Settings\All Users\Application Data\<random>\<random>.exe
C:\Documents and Settings\Administrator\Desktop\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Start Menu\Internet Security Guard.lnk
Notable Registry Keys Infected
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Internet Security Guard
HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes | URL (Hijack.SearchPage) -> Bad: (hxxp://findgala.com/?&uid=8027&q={searchTerms})
There are 760 more keys created and 30 more values changed, but they are all Image File Execution Options
entries or Explorer policies that block either real AV or other fake AV, so I will not list all of them here. :)
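A triage script for the registry areas described above (the Run entry, the SearchScopes hijack, and the mass of IFEO and policy entries), added here as an example and not part of the original post. The key paths are the standard Windows locations; the post does not list which of the 760 keys the rogue writes, so treat every hit as a lead to review, not as proof of infection. SearchScopes is read from HKCU here, the usual per-user location, since the path given in the post is ambiguous. It is read-only unless you pass -Remove, which deletes IFEO Debugger values only.

```powershell
# Added example: enumerate the registry locations a fake AV typically abuses.
# Usage: .\triage.ps1            (report only)
#        .\triage.ps1 -Remove    (also delete every IFEO Debugger value found)
param([switch]$Remove)

$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

# IFEO: any subkey with a Debugger value redirects that executable to the named "debugger".
# Real debuggers (and some tools) use this legitimately, so review the list before removing.
Get-ChildItem -Path $ifeo | ForEach-Object {
    $dbg = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Write-Host ("IFEO   {0,-28} -> {1}" -f $_.PSChildName, $dbg)
        if ($Remove) { Remove-ItemProperty -Path $_.PSPath -Name Debugger }
    }
}

# Run keys: the rogue's autostart ("Internet Security Guard") sits under HKCU\...\Run.
# PS* properties are PowerShell's own metadata on the object, not registry values.
foreach ($hive in 'HKCU', 'HKLM') {
    $run   = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    $props = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($props) {
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { Write-Host ("RUN    {0,-28} -> {1}" -f "$hive\$($_.Name)", $_.Value) }
    }
}

# Search provider hijack: each SearchScopes subkey carries a URL value; a search redirect
# such as the findgala.com one shows up here.
$scopes = 'HKCU:\SOFTWARE\Microsoft\Internet Explorer\SearchScopes'
if (Test-Path $scopes) {
    Get-ChildItem -Path $scopes | ForEach-Object {
        $url = (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).URL
        if ($url) { Write-Host ("SCOPE  {0,-28} -> {1}" -f $_.PSChildName, $url) }
    }
}

# Explorer policies used to block security tools: a DisallowRun list of blocked exe names,
# and DisableTaskMgr, the policy-based way of switching Task Manager off.
$disallow = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun'
if (Test-Path $disallow) {
    (Get-ItemProperty -Path $disallow).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object { Write-Host ("POLICY DisallowRun {0} -> {1}" -f $_.Name, $_.Value) }
}
$sys = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$dtm = (Get-ItemProperty -Path $sys -ErrorAction SilentlyContinue).DisableTaskMgr
if ($dtm) { Write-Host "POLICY DisableTaskMgr = $dtm" }
```

Run it from an elevated prompt so the HKLM branches are readable; after cleanup, run it again and the IFEO and POLICY sections should come back empty.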