VIRUS \ Spyware ALERTS - November 11, 2008

Nov 10, 2008 1:17PM PST

Troj/Dloadr-BZE
Nov 11, 2008 4:10AM PST
Troj/Agent-IFK
Nov 11, 2008 4:11AM PST
Troj/Agent-IFJ
Nov 11, 2008 4:12AM PST
Troj/Agent-IFI
Nov 11, 2008 4:13AM PST
Mal/Emogen-N
Nov 11, 2008 4:14AM PST
W32/AutoRun-NZ
Nov 11, 2008 6:17AM PST
Troj/FakeAV-GI
Nov 11, 2008 6:19AM PST

Category Viruses and Spyware

Type Trojan

Troj/FakeAV-GI is a Trojan for the Windows platform.

When Troj/FakeAV-GI is installed the following files are created:

<Current Folder>\delself.bat
<System>\brastk.exe
<System>\dllcache\beep.sys
<System>\dllcache\figaro.sys

The file brastk.exe is detected as Mal/Heuri-E and the files beep.sys and figaro.sys are detected as Mal/FakeAle-C.

The file delself is not malicious and may be deleted.

The following registry entries are created to run brastk.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
brastk
<System>\brastk.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
brastk
<System>\brastk.exe

http://www.sophos.com/security/analyses/viruses-and-spyware/trojfakeavgi.html?_log_from=rss

Troj/Dloadr-BZH
Nov 11, 2008 6:20AM PST
Troj/Dloadr-BZG
Nov 11, 2008 6:21AM PST
Troj/Dloadr-BZF
Nov 11, 2008 6:22AM PST
Troj/BHO-HZ
Nov 11, 2008 6:23AM PST

Category Viruses and Spyware

Type Trojan

Troj/BHO-HZ is a Trojan for the Windows platform.

Troj/BHO-HZ includes functionality to access the internet and communicate with a remote server via HTTP.

The following registry entry is created to run Troj/BHO-HZ on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
jlqqbbbrwxxxslumx
<System>\regsvr32.exe /s "<pathname of the Trojan DLL>"

The Troj/BHO-HZ DLL is registered as a COM object and Browser Helper Object (BHO) for Microsoft Internet Explorer, creating registry entries under:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA87206E-6649-68E8-4F44-0D518AC007E3}
HKCR\CLSID\{AA87206E-6649-68E8-4F44-0D518AC007E3}

Registry entries are created under:

HKCU\Software\{184C47A0-3CF1-2931-3F0C-3539E5A842D0}

http://www.sophos.com/security/analyses/viruses-and-spyware/trojbhohz.html?_log_from=rss

Troj/BHO-HY
Nov 11, 2008 6:24AM PST
IMS Ads
Nov 11, 2008 6:25AM PST

Aliases Adware-ISM
AdBand.E.1
Win32.AdBand.e

Category Adware or PUA

Type Unspecified PUA

IMS Ads is a potentially unwanted application for the Windows platform.

IMS Ads replaces web page banner ads with its own ads.

Banners by IMS Ads read:
Ads by ISM and not from the website you are visiting.

IMS Ads creates registry entries under the following keys:
<HKCU>\software\microsoft\internet explorer\explorer bars\
<HKCU>\software\microsoft\windows\currentversion\explorer\browser helper objects\

IMS Ads also installs itself under the following classids:
875a1348-7674-42aa-adac-b4f36a004a2d
1bac9a2a-4755-43c3-a430-d3512c5b8a4e

http://www.sophos.com/security/analyses/adware-and-puas/imsads.html?_log_from=rss

Sus/AutoInf-B
Nov 11, 2008 6:27AM PST