Arief Prabowo

Emsisoft Employee
Content Count: 4687
Days Won: 43

Everything posted by Arief Prabowo

  1. Arief Prabowo

    Hidden Installer Behaviour

    Okay, I will move this to our support forum then.
  2. Arief Prabowo

    Hidden Installer Behaviour

    Did you see any entries related to Windows Update being blocked in our Logs? Without the complete logs and copy of the blocked files, it's hard to verify it. If you don't mind, I can forward this topic to our Support forum, so our support team can assist you to find out what was wrong.
  3. Arief Prabowo

    Hidden Installer Behaviour

    Hi there, I guess it's not from Windows Update, but from another application. Maybe you were running a setup at that time, or there's an auto-update from an external application running in the background. This alert indeed could happen sometimes with a legitimate application, for example when the file is not digitally signed. However, without the actual file, I can't verify it. It's not quarantined maybe because the file was already deleted by the setup process.
  4. Arief Prabowo

    Need Help

    Yes, it's just a default file naming issue and it has been corrected.
  5. Arief Prabowo

    Paradise Ransomware (new variant)

    Hi, thanks for the information. In case the malware is not detected yet, you can upload it to our malware submissions forum.
  6. Arief Prabowo

    NemucodAES Variant

    Thank you for your submission. The malware file is already detected by Emsisoft.
  7. The Emsisoft malware research team has discovered a new outbreak of Best Antivirus Software. Emsisoft Anti-Malware detects this malware as Rogue.Win32.BestAntivirusSoftware. Best Antivirus Software is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan result reports, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.

    Created files:

        %AllUsersProfile%\Application Data\2a967e\
        %AllUsersProfile%\Application Data\2a967e\Quarantine Items\
        %AllUsersProfile%\Application Data\2a967e\BackUp\
        %AllUsersProfile%\Application Data\2a967e\BASSys\
        %AllUsersProfile%\Application Data\2a967e\22.mof
        %AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
        %AllUsersProfile%\Application Data\2a967e\BAS.ico
        %AllUsersProfile%\Application Data\2a967e\bestantivirus.exe
        %AllUsersProfile%\Application Data\BASVS\
        %AllUsersProfile%\Application Data\BASVS\BAYZS.cfg
        %AppData%\Best Antivirus Software\
        %AppData%\Microsoft\Internet Explorer\Quick Launch\Best Antivirus Software.lnk
        %UserProfile%\Desktop\Best Antivirus Software.lnk
        %UserProfile%\Recent\DBOLE.tmp
        %UserProfile%\Recent\dudl.drv
        %UserProfile%\Recent\eb.exe
        %UserProfile%\Recent\energy.exe
        %UserProfile%\Recent\energy.sys
        %UserProfile%\Recent\exec.dll
        %UserProfile%\Recent\fan.exe
        %UserProfile%\Recent\fix.dll
        %UserProfile%\Recent\gid.dll
        %UserProfile%\Recent\PE.exe
        %UserProfile%\Recent\snl2w.tmp
        %UserProfile%\Recent\std.dll
        %UserProfile%\Recent\tjd.tmp
        %UserProfile%\Recent\cb.drv
        %UserProfile%\Recent\CLSV.exe
        %UserProfile%\Start Menu\Best Antivirus Software.lnk
        %UserProfile%\Start Menu\Programs\Best Antivirus Software.lnk
        %Temp%\scandsk211d_8001.exe

    Created/modified registry entries:

        HKEY_LOCAL_MACHINE\Software\Classes\BA2a9_8001.DocHostUIHandler
            Default = Implements DocHostUIHandler
            Clsid = {3F2BBC05-40DF-11D2-9455-00104BC936FF}

        HKEY_LOCAL_MACHINE\Software\Classes\clsid\{3F2BBC05-40DF-11D2-9455-00104BC936FF}
            Default = Implements DocHostUIHandler
            LocalServer32 = %AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe
            ProgID = BA2a9_8001.DocHostUIHandler

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
            BAS = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /s
            Best Antivirus Software = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /s /d

        HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes
            URL = http://findgala.com/?&uid=8001&q={searchTerms}

        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation
            MSCompatibilityMode = 0x00000000

        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download
            CheckExeSignatures = no
            RunInvalidSignatures = 0x00000001

        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer
            IIL = 0x00000000
            ltHI = 0x00000000
            ltTST = 0x00005f9f
            PRS = "http://127.0.0.1:27777/?inj=%ORIGINAL%"
            RGF = 0x00000001

        HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes
            URL = http://findgala.com/?&uid=8001&q={searchTerms}

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
            MigrateProxy = 0x00000001
            ProxyEnable = 0x00000000
            UID = "8001"

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
            ProxyByPass = 0x00000001
            IntranetName = 0x00000001
            UNCAsIntranet = 0x00000001

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Best Antivirus Software
            DisplayName = "Best Antivirus Software"
            DisplayIcon = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe,0"
            DisplayVersion = "1.1.0.1010"
            InstallLocation = "%AllUsersProfile%\Application Data\2a967e\"
            Publisher = "UIS Inc."
            UninstallString = "%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /del"

        HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
            Debugger = "svchost.exe"

        The same Debugger = "svchost.exe" value is set under each of these Image File Execution Options subkeys:
            a.exe
            aAvgApi.exe
            AAWTray.exe
            About.exe
            ackwin32.exe
            Ad-Aware.exe
            adaware.exe
            advxdwin.exe
            AdwarePrj.exe
            agent.exe
            agentsvr.exe
            agentw.exe
            alertsvc.exe
            alevir.exe
            alogserv.exe
            AlphaAV
            AlphaAV.exe
            many similar entries…

    Screenshots:

    To register and uninstall this rogue application, you can try the following serial number: U2FD-S2LA-H4KA-UEPB

    How to remove the infection of Best Antivirus Software (Rogue.Win32.BestAntivirusSoftware)? To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
  8. It will be sent to analysis team. If the file is indeed malicious, the signature will be added to our database.
  9. No, because it would highly impact the computer's performance.
  10. Because the File Guard does not look up the AMN, and probably the signature for that file is not added to the database yet. Anyway, another user sent me the same malware file yesterday and I've created a signature for it, therefore it will be blocked by File Guard as well now.
  11. Hi there, the file was quarantined automatically when I executed it. What do you mean by auto remove?
  12. Thanks for letting us know.
  13. Since whitelisting the entire folder also didn't work, I assume this is another issue. Unfortunately I'm also unable to replicate this issue. Therefore, I will move this to the appropriate forum so our OA developers can take a look at it.
  14. Hello, could you please tell me which Macrium files are being blocked by OA?
  15. From what I can see based on your story, I think there is something suspicious on your machine but our product didn't detect anything. That's why I forwarded you to this forum. Our technical support team or the malware removal specialist team will analyze your issue, so they can make sure whether your PC is infected or not. That's why the initial guide post asks you to send us several files to analyze. In case there is a potential bug that caused Emsisoft to terminate itself, the team will report their findings to the Developer Team, or if they find undetected malware they will forward the files to the Analysis team. But first, we have to make sure that your computer is perfectly clean of any malware infections. If EEK didn't find anything, then you don't need to send the EEK log file. Basically, the personal malware submission thread is a forum where users can send us samples of undetected malware.
  16. Hello, welcome to our forum. Because your post is not relevant to malware submission, I will forward this to the appropriate forum. Also, as mentioned by stapp, please follow this guide first. Thank you!
  17. Arief Prabowo

    malware scan results

    This forum section is used only to submit new malware. I assume you need removal help, so I will move this topic to the appropriate section.
  18. Thanks for the correction, the URL has been updated.
  19. The Emsisoft malware research team has discovered a new outbreak of Windows Active HotSpot. Emsisoft Anti-Malware detects this malware as Rogue.Win32.ActiveHotSpot. Windows Active HotSpot is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan result reports, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase this fake program.

    Created files:

        %AppData%\guard-[random].exe
        %AppData%\result1.db
        %UserProfile%\Desktop\Windows Active HotSpot.lnk
        %AllUsersProfile%\Start Menu\Programs\Windows Active HotSpot.lnk

    Created/modified registry entries:

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
            GuardSoftware = %AppData%\guard-[random].exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe
            Debugger = svchost.exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe
            Debugger = svchost.exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe
            Debugger = svchost.exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe
            Debugger = svchost.exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
            Debugger = svchost.exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
            Debugger = svchost.exe

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
            LowRiskFileTypes = zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments
            SaveZoneInformation = 00000001

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
            UID = [data]
            ip = [data]
            net = [data]
            Config = [data]

    Screenshots:

    Once infected, this rogue will restart the machine automatically and try to lock Windows, so you cannot open any other applications unless you activate it. To activate, click on the question mark button and select Register. Enter one of the following serial numbers:

        0W000-000B0-00T00-E0001
        0W000-000B0-00T00-E0002
        0W000-000B0-00T00-E0003

    How to remove the infection of Windows Active HotSpot (Rogue.Win32.ActiveHotSpot)? To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
  20. The Emsisoft malware research team has discovered a new outbreak of Windows Cleaning Toolkit. Emsisoft Anti-Malware detects this malware as Rogue.Win32.CleaningToolkit. Windows Cleaning Toolkit is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan result reports, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase this fake program.

    Created files:

        %AppData%\guard-[random].exe
        %AppData%\result1.db
        %UserProfile%\Desktop\Windows Cleaning Toolkit.lnk
        %AllUsersProfile%\Start Menu\Programs\Windows Cleaning Toolkit.lnk

    Created/modified registry entries:

        HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
            GuardSoftware = %AppData%\guard-[random].exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe
            Debugger = svchost.exe

        HKEY_LOCAL_MACHINE\software\microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe
            Debugger = svchost.exe

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Associations
            LowRiskFileTypes = zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies\Attachments
            SaveZoneInformation = 00000001

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Settings
            UID = [data]
            ip = [data]
            net = [data]
            Config = [data]

    Screenshots:

    Once infected, this rogue will restart the machine automatically and try to lock Windows, so you cannot open any other applications unless you activate it. To activate, click on the question mark button and select Register. Enter one of the following serial numbers:

        0W000-000B0-00T00-E0001
        0W000-000B0-00T00-E0002
        0W000-000B0-00T00-E0003

    How to remove the infection of Windows Cleaning Toolkit (Rogue.Win32.CleaningToolkit)? To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
  21. Arief Prabowo

    Ghost in the machine

    Hi Patrick, welcome to the forum. Anyway, this section is for malware submission. Regarding your problem, spam is not always caused by malware, but if you want to make sure whether your computer was infected by malware (a spam bot) or not, or need help with malware removal, please go to this section: http://support.emsisoft.com/forum/6-help-my-pc-is-infected/ This post will be moved to that forum as well.
  22. The Emsisoft malware research team has discovered a new outbreak of System Doctor 2014. Emsisoft Anti-Malware detects this malware as Rogue.Win32.SystemDoctor2014. System Doctor 2014 is a rogue scanner application. A rogue application tries to trick you by displaying false-positive or misleading scan result reports, which say that your computer has a problem or is infected with viruses or trojans, but you will not be able to fix it before you purchase.

    Created files:

        %AppData%\[random]\
        %AppData%\[random]\WindowsSecurityUpdate.exe
        %AppData%\[random]\[random].exe
        %AppData%\[random]\[random].ico
        %AppData%\[random]\[random].ini
        %AppData%\[random]\[random].log
        %UserProfile%\Desktop\System Doctor 2014 support.url
        %UserProfile%\Desktop\System Doctor 2014.lnk
        %UserProfile%\Start Menu\Programs\System Doctor 2014\
        %UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014 support.url
        %UserProfile%\Start Menu\Programs\System Doctor 2014\Uninstall System Doctor 2014.lnk
        %UserProfile%\Start Menu\Programs\System Doctor 2014\System Doctor 2014.lnk

    Created registry entries:

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Run
            SD2014 = "%AppData%\[random]\[random].exe"

        HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Uninstall\System Doctor 2014
            DisplayName = "System Doctor 2014"
            InstallLocation = "%AppData%\[random]\"
            NoModify = dword:00000001
            NoRepair = dword:00000001
            UninstallString = "%AppData%\[random]\[random].exe -uninstall"
            DisplayIcon = "%AppData%\[random]\[random].ico,0"

    Screenshots:

    To register this rogue application you can try the following serial number: AA39754E-715219CE

    How to remove the infection of System Doctor 2014 (Rogue.Win32.SystemDoctor2014)? To delete this malware infection, please download and install Emsisoft Anti-Malware. Run a full scan on all drives and move all detected items to the quarantine.
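The four rogue write-ups above (items 7, 19, 20 and 22) share one tampering pattern: an autorun value pointing into a user-writable profile directory, Image File Execution Options "Debugger" values that silently replace security tools with svchost.exe, Internet Explorer's download signature checks switched off, and the Attachment Manager weakened so that downloaded executables lose their zone marking. The following triage script is an added example and is not Emsisoft's code or anything from these posts; it runs the corresponding checks over a list of (key, value name, data) tuples such as one would pull from a .reg export. The tuple format, the severity labels, the small KNOWN_DEBUGGERS allowlist and the SAMPLE list (entries copied from the write-ups plus two constructed benign controls) are my assumptions.

```python
"""Triage exported registry entries for the tampering seen in rogue-AV write-ups.

Added example, not Emsisoft code. Entry format is (key, value_name, data);
severity labels and the debugger allowlist are assumptions made for this demo.
"""
import re
from dataclasses import dataclass

IFEO_MARK = r"\image file execution options"
# Assumption: a Debugger value naming a real debugger is expected on a developer
# box; any other binary in IFEO\<program>\Debugger means <program> never runs.
KNOWN_DEBUGGERS = {"windbg.exe", "cdb.exe", "ntsd.exe", "vsjitdebugger.exe"}
USER_WRITABLE = ("%appdata%", "%allusersprofile%\\application data", "%temp%",
                 "%userprofile%", "%localappdata%")


@dataclass(frozen=True)
class Finding:
    severity: str
    rule: str
    key: str
    name: str
    data: str


def _as_int(data: str):
    """Accept 1, 0x00000001 or dword:00000001 (all forms seen in the dumps)."""
    m = re.fullmatch(r"(?:dword:)?(?:0x)?([0-9a-fA-F]+)", data.strip())
    return int(m.group(1), 16) if m else None


def check_entry(key: str, name: str, data: str):
    """Return a Finding for one registry value, or None if it matches no rule."""
    k, n = key.lower().rstrip("\\"), name.lower()
    d = data.strip()
    d_bare = d.strip('"').lower()

    # 1. IFEO Debugger hijack: the tool named by the subkey is replaced on launch.
    if IFEO_MARK in k and n == "debugger":
        target = k.split(IFEO_MARK, 1)[1].strip("\\") or "(IFEO root key)"
        exe = d_bare.split("\\")[-1]
        sev = "info" if exe in KNOWN_DEBUGGERS else "high"
        return Finding(sev, "ifeo-debugger-hijack", target, n, d)

    # 2. Internet Explorer download signature checks switched off.
    if k.endswith("\\internet explorer\\download"):
        if n == "checkexesignatures" and d_bare == "no":
            return Finding("high", "ie-signature-check-disabled", key, n, d)
        if n == "runinvalidsignatures" and _as_int(d) == 1:
            return Finding("high", "ie-signature-check-disabled", key, n, d)

    # 3. Autorun entry launching from a user-writable profile directory.
    if k.endswith("\\currentversion\\run") and d_bare.startswith(USER_WRITABLE):
        return Finding("medium", "run-key-user-writable-path", key, n, d)

    # 4. Attachment Manager weakened: zone info (MOTW) dropped, or .exe low-risk.
    if k.endswith("\\policies\\attachments") and n == "savezoneinformation" \
            and _as_int(d) == 1:
        return Finding("medium", "motw-disabled", key, n, d)
    if k.endswith("\\policies\\associations") and n == "lowriskfiletypes":
        exts = {e.strip().lower().lstrip(".") for e in d.split(";") if e.strip()}
        if exts & {"exe", "bat", "cmd", "com", "msi", "reg"}:
            return Finding("medium", "executable-marked-low-risk", key, n, d)
    return None


def triage(entries):
    """Run every entry through check_entry; findings come back highest severity first."""
    rank = {"high": 0, "medium": 1, "info": 2}
    found = [f for f in (check_entry(*e) for e in entries) if f]
    return sorted(found, key=lambda f: rank[f.severity])


IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
IE_DL = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Download"
POL = r"HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Policies"

# Constructed sample: values copied from the write-ups plus two benign controls.
SAMPLE = [
    (IFEO + r"\msseces.exe", "Debugger", "svchost.exe"),
    (IFEO + r"\AAWTray.exe", "Debugger", '"svchost.exe"'),
    (IFEO, "Debugger", '"svchost.exe"'),
    (IFEO + r"\notepad.exe", "Debugger", r'"C:\Debuggers\windbg.exe"'),  # benign control
    (IE_DL, "CheckExeSignatures", "no"),
    (IE_DL, "RunInvalidSignatures", "0x00000001"),
    (RUN, "BAS", r'"%AllUsersProfile%\Application Data\2a967e\BA2a9_8001.exe" /s'),
    (RUN, "GuardSoftware", r"%AppData%\guard-[random].exe"),
    (RUN, "OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),  # benign control
    (POL + r"\Attachments", "SaveZoneInformation", "00000001"),
    (POL + r"\Associations", "LowRiskFileTypes",
     "zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;"),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"[{f.severity:6}] {f.rule:28} {f.key}  {f.name} = {f.data}")
```

The benign controls matter as much as the hits: a Debugger value that names windbg.exe is reported only as "info", and an autorun pointing into Program Files produces nothing, so the rules stay useful on a developer's machine rather than flagging every IFEO or Run entry. Feeding it a real export means parsing the .reg file into the same tuples first; the rules themselves do not depend on where the entries came from.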
  23. Alternatively you can check the file with VirusTotal and then just give me the scan report link.
  24. Hi, welcome to the forum. The file looks legitimate to me. Can you please attach the file here?
  25. Hello, this is the malware submission forum. I will move this thread to the right forum.