Wednesday, January 18, 2012

Internet Security Guard


To get connected remotely and to make removal easier, first register the rogue with this key (thanks to S!ri), which quiets its pop-ups and blocking:
 U2FD-S2LA-H4KA-UEPB


Manual Instructions

Another fake MSE...  Internet Security Guard this time. This one is fairly straightforward to remove. It disables Task Manager with an Image File Execution Options (IFEO) entry: a "Debugger" value under the taskmgr.exe subkey tells Windows to launch the rogue instead whenever taskmgr.exe starts. IFEO matches on the file name, so a copy of Task Manager under a different name is not intercepted. Give the copy the name of a process Windows needs running to operate, such as "winlogon.exe", which the rogue will not touch. The following command from the Run box should suffice:

cmd /k copy "C:\windows\system32\taskmgr.exe" "%userprofile%\desktop\winlogon.exe" 

This copies Task Manager to the desktop as "winlogon.exe", which will run. Use it to kill the rogue's process (the <random>.exe listed below), then run your favorite malware scanner (MalwareBytes' is mine) and you are all set. 





Files Created

C:\Documents and Settings\All Users\Application Data\<random>\<random>.exe
C:\Documents and Settings\Administrator\Desktop\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Start Menu\Programs\Internet Security Guard.lnk
C:\Documents and Settings\Administrator\Start Menu\Internet Security Guard.lnk

Notable Registry Keys Infected

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Internet Security Guard
HKCR\SOFTWARE\Microsoft\Internet Explorer\SearchScopes | URL (Hijack.SearchPage) -> Bad: (hxxp://findgala.com/?&uid=8027&q={searchTerms})

There are 760 more keys created and 30 more values infected, but they are all Image File Execution Options entries or policies that disable either real AV or competing fake AV, so I will not list them all here. :)
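The manual steps above and the registry section both come down to the same few persistence and lock-out mechanisms: IFEO "Debugger" hijacks, lock-out policies, a Run entry and a search-scope hijack. The following PowerShell script is an added example written for this write-up, not something from the original post or from any tool it mentions. It audits those locations and, with -Remove, deletes what it finds. Assumptions: it runs from an elevated PowerShell prompt (PowerShell 2.0 or later, which is available on XP); the rogue's <random>.exe name is unknown, so IFEO entries are reported by the file they hijack rather than matched by name; SearchScopes is checked under HKCU, where per-user search scopes live, on the assumption that the "HKCR" in the log above is the usual HKCU path.

```powershell
# Added example (not from the original post): audit and optionally remove the
# lock-out and persistence mechanisms described in this write-up.
# Run elevated. Without -Remove it only reports.
param([switch]$Remove)

# 1. Image File Execution Options. A "Debugger" value under a subkey named
#    after an executable makes Windows start that "debugger" (here, the rogue)
#    in place of the program. Real debuggers are rare on an end-user PC, so
#    every Debugger value on such a machine is worth a look.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
Get-ChildItem $ifeo -ErrorAction SilentlyContinue | ForEach-Object {
    $dbg = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).Debugger
    if ($dbg) {
        Write-Output ("IFEO hijack: {0} -> {1}" -f $_.PSChildName, $dbg)
        if ($Remove) { Remove-ItemProperty $_.PSPath -Name Debugger }
    }
}

# 2. Policies rogues use to lock the user out of Task Manager, regedit and
#    arbitrary programs. Checked in both the user and machine hives.
$policies = @()
foreach ($hive in 'HKCU', 'HKLM') {
    $policies += @{ Path = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = 'DisableTaskMgr' }
    $policies += @{ Path = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Policies\System";   Name = 'DisableRegistryTools' }
    $policies += @{ Path = "$hive`:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"; Name = 'DisallowRun' }
}
foreach ($p in $policies) {
    $v = (Get-ItemProperty $p.Path -Name $p.Name -ErrorAction SilentlyContinue).($p.Name)
    if ($v) {
        Write-Output ("Policy set: {0}\{1} = {2}" -f $p.Path, $p.Name, $v)
        if ($Remove) { Remove-ItemProperty $p.Path -Name $p.Name }
    }
}

# 3. The Run entry named in the post.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty $runKey -ErrorAction SilentlyContinue
if ($run.'Internet Security Guard') {
    Write-Output ("Run entry: Internet Security Guard -> {0}" -f $run.'Internet Security Guard')
    if ($Remove) { Remove-ItemProperty $runKey -Name 'Internet Security Guard' }
}

# 4. Search-scope hijack. Assumption: the post's "HKCR" path is the per-user
#    HKCU SearchScopes key. The hijacked URL is reported rather than deleted,
#    since the scope itself can be repointed to a legitimate provider.
$scopes = 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes'
Get-ChildItem $scopes -ErrorAction SilentlyContinue | ForEach-Object {
    $url = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).URL
    if ($url -match 'findgala\.com') {
        Write-Output ("Search hijack: {0} -> {1}" -f $_.PSChildName, $url)
    }
}
```

Run it once without -Remove to see what it finds, confirm the IFEO entries point at the rogue's <random>.exe rather than a debugger you installed, and only then run it again with -Remove. It does not replace the scanner step; it only clears the keys that would otherwise keep Task Manager and your AV from starting.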


2 comments:

  1. Hello, you can try now the updated Emsisoft Internet Security Pack, the complete program for 30 days, download here: http://www.emsisoft.com/en/software/internetsecurity/?cbaffid=25593
    This security suite has the best firewall inside, the Online Armor.
    I hope that you like it.
    Thanks,
    Pedro Silva
