09 January 2009

What is going on 2009

Let me begin by saying that I'm sorry for the long delay since the latest release of FreeFixer. Last year I started to work as a tools programmer at the game developer Avalanche Studios here in Stockholm, and although it was a great experience I had little to no time to work on my own projects. The good news is that I'm now back full time on my own projects, and I'll put a lot of effort into adding new features to FreeFixer. My goal is to have something new for you every second week.

It has also been a while since I last scanned the net for malware that installs by exploiting security holes. Yesterday I ran into a site that installs a software component that opens up a fake Windows Firewall alert message saying that you are infected with "Win32.Zafi.B". If you click the link in the fake alert message you will land at www.defender-review.com, where the rogue anti-spyware program "Perfect Defender 2009" is promoted.

Another observation about this exploit is that it hides its main process, ocboo1892823.exe, from the user. This process is executing on the machine, but it does not appear in the Windows Task Manager, nor in any other program that enumerates processes using the standard procedures. So, this is what is going on in 2009:

FreeFixer v0.28 log
http://www.freefixer.com/
Operating system: Windows XP Service Pack 1
Log dated 2009-01-08 21:31

Hidden processes
pid: 1748, ocboo1892823.exe, C:\Documents and Settings\Roger\Application Data\Google\ocboo1892823.exe (remove)

Registry Startups
HKCU\..\Run, MSMSGS = "C:\Program\Messenger\msmsgs.exe" /background

Processes (13 whitelisted)
C:\Program\Messenger\msmsgs.exe
C:\Program\hjt\HijackThis.exe
C:\Program\FreeFixer\freefixer.exe

Application modules (44 whitelisted)
C:\Documents and Settings\Roger\Application Data\Google\sysspc.dll (remove)

If you run into this infection, check the items marked (remove) in the log above (FreeFixer shows them in red): the hidden process ocboo1892823.exe and the module sysspc.dll. You will be asked to reboot your machine since some of the files are in use. After the reboot, scan your computer again and remove any remaining items, and your machine should be clean.
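How a scanner can still find a process like ocboo1892823.exe when the standard enumeration APIs no longer return it: rootkits usually hide a process by filtering the results of the Toolhelp32 snapshot, EnumProcesses or NtQuerySystemInformation, but the process keeps a valid PID, so OpenProcess() on that PID still succeeds (or fails with ERROR_ACCESS_DENIED instead of ERROR_INVALID_PARAMETER). Comparing the two views exposes the difference. The following is an added example written for this page, not FreeFixer's own code; the 65536 PID scan bound, the use of PROCESS_QUERY_INFORMATION (so the probe also works on XP) and the constructed PID sets in the comments are assumptions.

```python
"""Cross-view hidden process detection for Windows (added example, not FreeFixer code)."""
import ctypes
import sys

# Documented Win32 constants.
TH32CS_SNAPPROCESS = 0x00000002
PROCESS_QUERY_INFORMATION = 0x0400   # assumption: chosen over the Vista+ LIMITED right so XP works
ERROR_ACCESS_DENIED = 5
ERROR_INVALID_PARAMETER = 87
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
MAX_PID = 65536                      # assumption: scan bound; PIDs are multiples of 4


class PROCESSENTRY32W(ctypes.Structure):
    """Layout of the Toolhelp32 process record (Unicode variant)."""
    _fields_ = [
        ("dwSize", ctypes.c_uint32),
        ("cntUsage", ctypes.c_uint32),
        ("th32ProcessID", ctypes.c_uint32),
        ("th32DefaultHeapID", ctypes.c_size_t),   # ULONG_PTR
        ("th32ModuleID", ctypes.c_uint32),
        ("cntThreads", ctypes.c_uint32),
        ("th32ParentProcessID", ctypes.c_uint32),
        ("pcPriClassBase", ctypes.c_int32),
        ("dwFlags", ctypes.c_uint32),
        ("szExeFile", ctypes.c_wchar * 260),      # MAX_PATH
    ]


def _kernel32():
    """Load kernel32 and declare the prototypes we call (Windows only)."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateToolhelp32Snapshot.restype = ctypes.c_void_p
    k32.CreateToolhelp32Snapshot.argtypes = [ctypes.c_uint32, ctypes.c_uint32]
    k32.Process32FirstW.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.Process32NextW.argtypes = [ctypes.c_void_p, ctypes.POINTER(PROCESSENTRY32W)]
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = [ctypes.c_uint32, ctypes.c_int, ctypes.c_uint32]
    k32.CloseHandle.argtypes = [ctypes.c_void_p]
    return k32


def toolhelp_view(k32):
    """The 'official' view, {pid: exe name}, via the API a rootkit typically hooks."""
    snap = k32.CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0)
    if snap == INVALID_HANDLE_VALUE:
        raise ctypes.WinError(ctypes.get_last_error())
    view = {}
    try:
        entry = PROCESSENTRY32W()
        entry.dwSize = ctypes.sizeof(entry)
        ok = k32.Process32FirstW(snap, ctypes.byref(entry))
        while ok:
            view[entry.th32ProcessID] = entry.szExeFile
            ok = k32.Process32NextW(snap, ctypes.byref(entry))
    finally:
        k32.CloseHandle(snap)
    return view


def openprocess_view(k32, max_pid=MAX_PID):
    """The independent view: every PID the kernel opens or explicitly refuses."""
    alive = set()
    for pid in range(4, max_pid, 4):
        handle = k32.OpenProcess(PROCESS_QUERY_INFORMATION, 0, pid)
        if handle:
            k32.CloseHandle(handle)
            alive.add(pid)
        elif ctypes.get_last_error() == ERROR_ACCESS_DENIED:
            alive.add(pid)   # exists, we just lack rights (System, csrss, ...)
        # ERROR_INVALID_PARAMETER means there is no such process: skip it.
    return alive


def find_hidden(snapshot_before, probe, snapshot_after):
    """PIDs the probe saw but neither snapshot listed.

    The probe is bracketed by two snapshots so that processes that start
    or exit while we scan the PID range are not reported as hidden.
    """
    listed = set(snapshot_before) | set(snapshot_after)
    return sorted(pid for pid in probe if pid not in listed)


def scan():
    """Run the cross-view comparison on a live Windows machine."""
    if sys.platform != "win32":
        raise RuntimeError("this scan needs the Win32 API")
    k32 = _kernel32()
    before = toolhelp_view(k32)
    probe = openprocess_view(k32)
    after = toolhelp_view(k32)
    return find_hidden(before, probe, after)


if __name__ == "__main__":
    # Constructed illustration of the comparison: pid 1752 is in the probe only.
    print(find_hidden({4: "System"}, {4, 1752}, {4: "System"}))
    if sys.platform == "win32":
        for pid in scan():
            print(f"Hidden process candidate: pid {pid}")
```

A hit from find_hidden() is a candidate, not proof: a PID that started after the first snapshot and exited before the second will also show up, so a real scanner repeats the scan and reports only PIDs that stay hidden, and then resolves the image path with an independent source such as the process's own handle rather than the hooked enumeration API.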
