How to remove Presto Tuneup (Uninstall instructions)
Presto Tuneup is a fake optimization program (scareware) that uses fake alerts, false privacy risks and false system errors to trick you into buying the software. During installation, Presto Tuneup is set to start automatically when your computer starts. Immediately after launch, Presto Tuneup starts scanning the computer and lists a variety of problems that will not be fixed unless you first purchase the scareware.

While Presto Tuneup is running, your computer will display fake warnings from the Windows taskbar. All of these warnings are fake, so you can safely ignore them. Use the free instructions below to remove Presto Tuneup and any associated malware from your computer.
Continue reading How to remove Presto Tuneup (Uninstall instructions)…
How to remove Registry Defender Platinum (Uninstall instructions)
Registry Defender Platinum, also known as RD Platinum, is a rogue registry cleaning program that uses fake alerts and false registry problems to trick you into buying the fake software. The software is distributed by a variety of malicious software, for example the Vundo trojan. Once infected, your computer will display numerous fake alerts notifying you about Windows registry problems.
During installation, Registry Defender Platinum configures itself to run automatically every time you start Windows. Once running, the rogue scans your computer and lists a large number of problems. It then says that you should purchase Registry Defender Platinum in order to fix them. Computer users are urged to avoid purchasing this bogus program!
Continue reading How to remove Registry Defender Platinum (Uninstall instructions)…
How to remove WinCodecPro trojan and wmptray.exe (fake media codec)
WinCodecPro is a fake video codec pack that is advertised as containing all the video codecs and uses scare tactics to trick you into buying the fake software. WinCodecPro is distributed by trojans. Once infected with the trojan, your computer will display a large number of alerts telling you that your media player, system or codecs are corrupted and that you should purchase WinCodecPro in order to fix these problems. These alerts are fake and are generated by C:\Program Files\MediaSystem\wmptray.exe. This file is the main component of the trojan.
A few fake alerts that WinCodecPro trojan generates:
Warning
Fatal Error: Windows can’t play the following media formats: AVI;ASF;WMV;AVS;FLV;MKV;MOV;3GP;MP4;MPG;MPEG;MP3;AAC;WAV;WMA;CDA;FLAC;M4A;MID. Update your video codec to resolve this issue.
Warning
Media codec has been destroyed. Risk of losing all your audio video files high. To resolve this issue, update your media codec immediately.
Warning
Critical media error! Your media driver is unstable. Video driver is corrupt and can no longer save your monitor settings. Driver is in critical mode. To restore your media drivers, update your video codec immediately.
Warning
Fatal Error: Can’t play audio video files. Update your video codec immediately to resolve this issue.
Warning
Internal error! Media player has been corrupted. Immediately update your video codec to resolve this issue.
Ignore these fake alerts and use the free instructions below for removing the WinCodecPro trojan, wmptray.exe and any associated malware from your computer.
Continue reading How to remove WinCodecPro trojan and wmptray.exe (fake media codec)…
How to remove Security toolbar 7.1
Security Toolbar 7.1 is an adware program that also installs rogue security applications and displays false alerts on the compromised computer.
Security toolbar symptoms.
- False pop-ups telling you that “Your computer is infected”.
- Browser hijacked to other websites.
- Fake Windows Security Center popup messages.
Continue reading How to remove Security toolbar 7.1…
December 9, 2007 on 7:59 am | In Malware, Tutorials - HowTo | No Comments
Found first Christmas malware
F-Secure reported malware runs that use fake Christmas cards as the lure.
Example:
A Dear friend has sent you an ecard from http://www.123Greetings.com
Your ecard will be available with us the next 30 days.
…
To view your card,CLICK HERE
…
Running the ecard file x-mas.exe installs the Zapchast mIRC-based backdoor.
Read more: Merry Christmas and so on
December 4, 2007 on 3:25 am | In Malware | 1 Comment
October malware toplist by viruslist.com
# Greediest Trojan targeting banks: This month’s leader is a modification of Trojan-Spy.Win32.Banker.ezn, which targets 45 banks. This seems positively modest in comparison to last month’s leader, which set its sights on 134 banks simultaneously.
# Greediest Trojan targeting payment systems: Backdoor.Win32.Xhaker.c is very equitable in its approach – it attacks three e-payment systems and three plastic card systems.
# Greediest Trojan targeting plastic cards: See above.
# Stealthiest malicious program: The number 10 seems to be in favour at the moment – this month’s winner, Backdoor.Win32.Hupigon.mrv, is packed with ten different packers, just as last month’s leader was.
# Smallest malicious program: In spite of its tiny 17 bytes, Trojan.BAT.DeltreeY.a packs a punch and wins the October nomination.
# Biggest malicious program: Once again, a hefty representative of the Haradong family wins out – Trojan.Win32.Haradong.ct weighs in at 244MB, slightly larger than its close relative Haradong.bj, last month’s winner in this category.
# Most malicious program: Backdoor.Win32.Rbot.ejs, like so many past winners of this category, disables security solutions by deleting them from memory and from the registry.
# Most common malicious program in mail traffic: Email-Worm.Win32.Netsky.q retains its persistent presence in this category for the third month running, and made up 20.11% of all malicious programs in mail traffic in October.
# Most common Trojan family: In spite of an impressive 563 modifications, Trojan-Spy.Win32.Banker’s numbers are following last month’s trend, with figures just over 100 down on September’s.
# Most common virus/ worm family: Email-Worm.Win32.Zhelatin (a.k.a the Storm worm) continues to reign in this category for the second month running, with 38 modifications in October.
Read more: Malware Miscellany, October 2007
Safe surfing
Found new fake codec and new rogue antispyware
The Sunbelt blog reported two new pieces of malware.
DVDacess (hosted at inc-codec(dot)com) is a Trojan horse that drops and executes a copy of Trojan-Zlob, a back door Trojan that allows the remote attacker to perform various malicious actions on the compromised computer.
VirusHeal (hosted at virusheal(dot)com) is a clone of the rogue security product SpyHeal.
To protect your PC, add both domains to your blocklist.
If you have problems with this malware and can't uninstall it, try the free spyware removal tool smitfraudfix.
Related articles: How to remove malicious codecs.
June 26, 2007 on 6:25 pm | In Malware, Rogue Anti Spyware | No Comments
Found new way to steal data encrypted using SSL/TLS
Russian malware authors are finding new ways to steal and profit from data which used to be considered safe from thieves because it was encrypted using SSL/TLS.
A single attack by a single variant compromises more than 5200 hosts and 10,000 user accounts on hundreds of sites.
- Steals SSL data using advanced Winsock2 functionality
- State-of-the-art, modularized trojan code
- Spread through IE browser exploits
- Undetected for weeks, months by many AV vendors
- Customized server/database code to collect sensitive data
- Customer interface for on-line purchases of stolen data
- Accounts compromised by stealing data primarily from infected home PCs
- Accounts at top financial, retail, health care, and government services affected
- Data’s black market value at least $2 million
There are two other known variants. New variants, similar attacks inevitable.
Read more here: Gozi Trojan
March 26, 2007 on 4:25 am | In Identity Theft, Malware | No Comments
Top malwares sorted by category
1. Greediest Trojan Targeting Banks – this month, it’s Trojan-Spy.Win32.Banker.zd, which targets the clients of 33 banks. And just as we keep saying, the number of Trojans which target more than one bank is growing all the time.
2. Greediest Trojan Targeting E-payment Systems – The winner in this category is Trojan-Spy.Win32.Banker.z. This Trojan targets three plastic card systems, but also steals finance-related data from the customers of many banks. Apparently, its author prefers a comprehensive approach to making money.
3. Greediest Trojan Targeting Plastic Cards – The top malicious program in this category is Backdoor.Win32.Neodurk.13, which searches for access data for three plastic card systems, in addition to providing cybercriminals with remote control of victim computers, which is its main function.
4. Stealthiest Program – This category’s winner is a modification of Backdoor.Win32.Rbot.gen, which is packed by eight different compression utilities in the hope that this will prevent antivirus programs from detecting the malicious code.
5. Smallest Malicious Program – This category of malware was won by Trojan.BAT.DeltreeY.af, which is just 19 bytes in size. This is a primitive Trojan, which (as its name suggests) deletes folders on infected computers. Its targets include the Windows system directory; of course, if this gets deleted, you may end up with some serious problems.
6. Biggest Malicious Program – February’s “giant” is Trojan-Spy.Win32.Bancos.rv. It is 13 MB in size, and is a bit of an oddity – you might expect extensive functionality, which this Trojan doesn’t actually have.
7. Most Malicious Program – The winner from this category uses numerous methods to effectively combat antivirus protection installed on computers. February’s leader is Backdoor.Win32.Aebot.e, which uses a variety of methods to disable protection, including terminating processes in memory, stopping services and blocking updates. The malicious program terminates protection utilities by the dozen, including all kinds of firewalls, system monitoring utilities, antivirus products, etc.
8. Most Common Malicious Program in Email Traffic – In February 2007, the winner was Email-Worm.Win32.NetSky.t. Although this is a relatively old email worm, it still accounts for about 15% of all email traffic.
9. Most Common Trojan Family – We talk a lot about how the number of Trojans is on the increase. And Backdoor.Win32.Hupigon is a great example – in a single month we detected 368 modifications of this family.
10. Most common virus worm family – In February, the Warezov family was the most widespread among all virus and worm families. Samples of 118 different modifications were found in February alone.
Thanks to viruslist.com
March 26, 2007 on 3:35 am | In Malware, Tips | 2 Comments
Found new fake codecs – SilverCodec and BrainCodec
The Sunbelt blog and Bleepingcomputer reported two new fake codecs: SilverCodec and BrainCodec.
This is so new in fact, that though the BrainCodec has its own domain and its own braincodec.107.exe, they forgot to change the web site itself. As you can see the web site is still showing the layout and image for Gold Codec.
Links: Silver, Gold… but you’re not getting platinum, scumbags
From precious metals to body parts?
More fake codec sites
As always, DO NOT download these fake codecs.
They do not improve video or audio, and installing them under the premise of “free video” or any other reason is a very bad idea.
- MovieCodec
- TV Codec
- WatchFree
- SuperCodec
- Perfect Codec
Related articles: How to remove malicious codecs.
November 21, 2006 on 7:11 am | In Adware, Malware | No Comments
SpamThru Trojan – malware that detects and removes other malware
Like many viruses and trojans, SpamThru attempts to prevent installed anti-virus software from downloading updates by adding entries into the %sysdir%\drivers\etc\hosts file pointing the AV update sites to the localhost address. In the past, we’ve also seen malware which tries to uproot other competing malware on an infected system by killing its processes, removing its registry keys, or setting up mutexes which fool the other malware into thinking it is already running and then exiting at start.
SpamThru takes the game to a new level, actually using an antivirus engine against potential rivals. At startup, SpamThru requests and loads a DLL from the control server. This DLL in turn downloads a pirated copy of Kaspersky AntiVirus for WinGate from the control server into a concealed directory on the infected system. It patches the license signature check in-memory in the Kaspersky DLL in order to avoid having Kaspersky refuse to run due to an invalid or expired license. Ten minutes after the download of the DLL, it begins to scan the system for malware, skipping files which it detects are part of its own installation. Any other malware found on the system is then set up to be deleted by Windows at the next reboot.
Read more about SpamThru Trojan : SpamThru Trojan Analysis
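
The hosts-file tampering described above can be checked for directly. The following is an added example, not code from the SpamThru analysis or from this site: it parses hosts-file text and reports every name that has been redirected to the local machine. The sample file and the vendor host names in it are constructed placeholders.

```python
import ipaddress

# Constructed sample of a tampered hosts file; the vendor host names are
# placeholders, not values taken from the SpamThru analysis.
SAMPLE_HOSTS = """\
# Copyright (c) Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       updates.av-vendor.example   dl.av-vendor.example
0.0.0.0         liveupdate.other-av.example # sinkholed
10.0.0.5        intranet.corp.example
"""

# Names that legitimately resolve to the local machine.
BENIGN_NAMES = {"localhost", "localhost.localdomain", "ip6-localhost", "ip6-loopback"}


def is_local_sink(address: str) -> bool:
    """True for loopback (127.0.0.0/8, ::1) and unspecified (0.0.0.0, ::) addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_unspecified


def find_sinkholed_hosts(hosts_text: str, watchlist=None):
    """Return (line_no, address, hostname) for names redirected to the local machine.

    If watchlist (domain suffixes) is given, only matching names are reported.
    """
    findings = []
    for line_no, raw in enumerate(hosts_text.splitlines(), start=1):
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) < 2 or not is_local_sink(fields[0]):
            continue
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host in BENIGN_NAMES:
                continue
            if watchlist and not any(host == d or host.endswith("." + d) for d in watchlist):
                continue
            findings.append((line_no, fields[0], host))
    return findings


if __name__ == "__main__":
    for line_no, address, host in find_sinkholed_hosts(SAMPLE_HOSTS):
        print(f"hosts line {line_no}: {host} -> {address}")
```

On a machine that uses a hosts-based ad blocklist, pass a `watchlist` of security-vendor update domains so that only those redirections are reported.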
New malware poses as Windows Genuine Advantage Validation Notification
A new piece of very nasty malware has been recently discovered on spyware help forums, first here and again here. The file name is wgavn.exe and it creates a service named “Windows Genuine Advantage Validation Notification”, as seen in this line in the HijackThis log.
O23 – Service: Windows Genuine Advantage Validation Notification (wgavn) – Unknown owner – C:\WINDOWS\system32\wgavn.exe
Suzi tested it on her virtual machine running XP Pro, totally unpatched. On execution, wgavn.exe creates a folder, C:\Windows\etc\, that contains a file named services.exe. Wgavn.exe copies itself to the \System32\ folder as shown in the HijackThis line above.
On her virtual machine, it disabled the following: WinPatrol, an anti-spyware program, a third party firewall, VMware Tools, VMware User Process, and VPCUserServices by changing the values of the Run keys in HKEY_LOCAL_MACHINE. Another researcher reported it disabled the Windows firewall and System Restore.
Wgavn.exe immediately attempted to contact several different IP addresses. The ISP is being notified in an attempt to investigate these sites and IPs. At this time, it’s unknown how the two users who posted the HijackThis logs got infected with this. The sample has been submitted to anti-malware vendors but as of earlier today was poorly detected. Kaspersky is now detecting it as Backdoor.Win32.IRCBot.st, and another AV at VirusTotal detected it as Backdoor.Win32.IRCBot.BV.
Thanks to Suzi Turner for her post about it.
June 30, 2006 on 6:27 am | In Malware | No Comments
SMS text messages used to spread malware/keylogger
CA has received reports of Win32/Bambo.CF being distributed via SMS text messages sent to mobile phones, enticing people to visit a malicious website. The messages may contain the following:
Thanks for subscribing to *****.com dating service. If you don’t unsubscribe you will be charged $2 per day.
The text message then directs the recipient to visit a website in order to unsubscribe from the service and avoid being charged. This website contains a fake dating service page, which entices users to enter their phone number, at which point it attempts to load an executable file called “unregister.exe”. The web page instructs users to click the “Run” button on each warning page that Windows displays, to allow the program to execute. If the program is run, it installs the Win32/Bambo.CF trojan.
Please see below for examples of fake dating service pages displayed by the malicious website.

Anyone loading the webpage and following the instructions in the message will pick up the trojan, which CA has named Win32/Bambo.CF. The keylogger looks for passwords and other information which it sends via emails and perhaps through other means.
June 27, 2006 on 4:50 am | In Malware, Trojan | No Comments
More fake codecs – nvidcodec, media-codec
Found a new fake codec: nvidcodec. The codec is a malicious program that delivers popup advertisements and hijacks search engine results. Some AV vendors detect the codec as Trojan.Downloader.Zlob.
Continue reading More fake codecs – nvidcodec, media-codec…
My Anti Spyware - Free antispyware programs and Spyware Removal Instructions.











