Posted by Marcin on March 30th, 2008
Yes, an updated variant of Zlob has been released. It installs the following files and registry entries.
C:\Windows\System32\baoohy.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{f43bfc6c-47cc-4798-8798-a0721b8ed7ab} = enviva
We have provided removal instructions for anybody unfortunate enough to have been infected by this trojan.
Removal instructions for Trojan.Zlob
Posted by Marcin on March 28th, 2008
MediaTubeCodec has been updated. The codec installs some of the following files.
C:\Windows\stfngdvw.dll
C:\Windows\sxfnewqb.dll
C:\Windows\fkdnrwsv.dll
C:\Windows\dwltqnmx.exe
We have provided removal instructions for anybody unfortunate enough to have been infected by this codec.
Removal instructions for VideoAccessCodec
Posted by Marcin on March 26th, 2008
Trojan.Zlob has been updated again (yes, again). It installs the following files and registry entries.
C:\WINDOWS\System32\kknwg.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{d70e9b0f-aabc-4066-8176-c6de84d92fa1} = bimaculate
We have provided removal instructions for anybody unfortunate enough to have been infected by this trojan.
Removal instructions for Trojan.Zlob
Posted by Marcin on March 26th, 2008
Once again, Zlob has a new component. It installs the following files and registry entries.
C:\WINDOWS\System32\375013\375013.dll
HKLM\SOFTWARE\Classes\TypeLib\{E63648F7-3933-440E-B4F6-A8584DD7B7EB}
HKLM\SOFTWARE\Classes\CLSID\{74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{74F7DB6B-86E9-4B91-9D9F-B0D954D7AA5B}
We have provided removal instructions for anybody unfortunate enough to have been infected by this trojan.
Removal instructions for Trojan.Zlob
Posted by Marcin on March 25th, 2008
Zlob was once again updated by the malware authors. The new variant installs the following files and registry entries.
C:\WINDOWS\System32\sozctue.dll
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler
{747e1fbe-b70f-441d-bbca-6e536c04924a} = hruska
We have provided removal instructions for anybody unfortunate enough to have been infected by this trojan.
Removal instructions for Trojan.Zlob
Posted by Marcin on March 22nd, 2008
A new rebranded version of VideoAccessCodec has been found, named MediaTubeCodec. Once installed, it delivers popup advertisements and hijacks search engine results. The codec installs some of the following files and registry entries.
C:\Windows\aflqfkw.dll
C:\Windows\btpqkmo.dll
C:\Windows\ewrssvw.dll
C:\Windows\fvxqfwq.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CEB30BF4-A67C-40D3-AA8F-4F839B84F747}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
aflqfkw = {2F0E6889-B50D-4FDD-9D6F-DFE89DB02E5F}
btpqkmo = {19B88BB2-FBD1-4D3E-A99B-AB96D58AAFCB}
We have provided removal instructions for anybody unfortunate enough to have been infected by this codec.
Removal instructions for VideoAccessCodec
Posted by Marcin on March 21st, 2008
A new variant of Trojan.Zlob has been found by our security researcher, Bruce Harrison. The trojan installs the following files and registry entries.
C:\Windows\System32\lvhjtsa.dll
C:\Windows\System32\tdidrv32.sys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tdidrv32.sys
We have provided removal instructions for anybody unfortunate enough to have been infected by this trojan.
Removal instructions for Trojan.Zlob
Posted by Marcin on March 18th, 2008
A new Files Secure trojan is present. Below are the files and registry entries it creates. This trojan hijacks your search engine hits and recommends that you purchase Files Secure. Removal instructions are below.
C:\WINDOWS\ausctv32a.dll
HKLM\SOFTWARE\Classes\AppID\{CE0487CA-8B02-431E-BA63-D38844E020B5}
HKLM\SOFTWARE\Classes\AppID\ausctv32a.dll
HKLM\SOFTWARE\Classes\ausctv32a.Video
HKLM\SOFTWARE\Classes\CLSID\{CE0487CA-8B02-431E-BA63-D38844E020B5}
HKLM\SOFTWARE\Classes\Interface\{48D78BE5-CFB9-4B66-9AC4-96D4CF21DE06}
HKLM\SOFTWARE\Classes\TypeLib\{74D46BBA-5638-473A-83B6-97E7804A7411}
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{CE0487CA-8B02-431E-BA63-D38844E020B5}
We have provided removal instructions for anybody unfortunate enough to have been infected by this trojan or Files Secure.
Removal instructions for Files Secure
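The Zlob, MediaTubeCodec and Files Secure variants above all persist through the same handful of autostart registry locations (SharedTaskScheduler, ShellServiceObjectDelayLoad, Browser Helper Objects). As an added example that is not part of these posts, the PowerShell below audits those locations on a machine, resolves each entry's CLSID to its InprocServer32 DLL and reports the DLL's Authenticode status, so unsigned or missing modules stand out. It assumes an elevated session on Windows; the registry paths are the ones named in the posts, and the function names and output fields are my own.

```powershell
# Audit the autostart locations named in the posts above (added example, not from the posts).
$GuidRx = '^\{[0-9A-Fa-f-]{36}\}$'
$Locations = @(
    # SharedTaskScheduler: value name is the CLSID, data is a label (e.g. "enviva")
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler',
    # ShellServiceObjectDelayLoad: value name is a label, data is the CLSID
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad'
)
$BhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'

function Get-ClsidModule {
    param([string]$Clsid)
    # A COM in-process server records its DLL in CLSID\{...}\InprocServer32 (default value).
    $k = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32"
    if (Test-Path -Path $k) { return (Get-ItemProperty -Path $k).'(default)' }
    return $null
}

function New-AutostartEntry {
    param([string]$Source, [string]$Label, [string]$Clsid)
    $dll = Get-ClsidModule -Clsid $Clsid
    $path = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll.Trim('"')) } else { $null }
    $status = 'no InprocServer32'
    if ($path) {
        if (Test-Path -LiteralPath $path) {
            # Valid / NotSigned / HashMismatch etc.; unsigned DLLs in these keys deserve a look
            $status = (Get-AuthenticodeSignature -FilePath $path).Status
        } else { $status = 'file missing' }
    }
    [pscustomobject]@{ Source = $Source; Entry = $Label; CLSID = $Clsid; Module = $path; Signature = $status }
}

function Get-AutostartEntries {
    $results = @()
    foreach ($loc in $Locations) {
        if (-not (Test-Path -Path $loc)) { continue }
        $key = Get-Item -Path $loc
        foreach ($name in $key.GetValueNames()) {
            $data = [string]$key.GetValue($name)
            # Accept the CLSID from whichever side of the value carries it.
            $clsid = if ($name -match $GuidRx) { $name } elseif ($data -match $GuidRx) { $data } else { $null }
            if ($clsid) { $results += New-AutostartEntry -Source (Split-Path $loc -Leaf) -Label "$name = $data" -Clsid $clsid }
        }
    }
    if (Test-Path -Path $BhoKey) {
        # Each BHO is a subkey named by its CLSID.
        foreach ($sub in Get-ChildItem -Path $BhoKey) {
            $results += New-AutostartEntry -Source 'Browser Helper Objects' -Label $sub.PSChildName -Clsid $sub.PSChildName
        }
    }
    return $results
}

Get-AutostartEntries | Sort-Object Signature | Format-Table -AutoSize
```

Entries whose module reports NotSigned, file missing, or a random-looking name in C:\Windows or System32 match the pattern of the variants listed above and are the ones to compare against the removal instructions.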
Posted by Marcin on March 9th, 2008
While Bruce was doing his usual research last night, he discovered this new one: PCAntiVirusPro.

Here is the interface of the rogue application:

If you have seen any of the windows above on your computer, it is recommended that you follow these instructions. We have provided removal instructions for anybody unfortunate enough to have downloaded these applications.
Removal instructions for PCAntiVirusPro
Marcin Kleczynski
Posted by Marcin on March 5th, 2008
Bruce Harrison found a new rogue application today called RealAV (also called Real Antivirus). This program displays false positives in hopes that you purchase their decently (sarcasm of course) priced $89.95 software. They must be out of their minds.

If you have seen any of the windows above on your computer, it is recommended that you follow these instructions. We have provided removal instructions for anybody unfortunate enough to have downloaded these applications.
Removal instructions for RealAV
Marcin Kleczynski