Quote:
Originally Posted by silkytail
lol...
all pwprotector does is look, every 15 seconds, for processes that have the following strings in their image names and try to kill them:
"updata.exe"
"mkrecorder"
"keycapture"
"capture.exe"
"babiw.exe"
"g_server"
"latent.com"
"qmacro.exe"
"按键精灵"
"时空游侠"
"变速精灵"
"变速齿轮"
"完美世界挂机"
"autoclick"
"scriptexpert"
Greetings to all! First of all I want to apologize for my bad English. But before laughing at something, you should apply your brain and search for which parent application owns these processes. So let's take a short look at these buddies:
1)
"updata.exe"
Name: system updata
Filename: updata.exe
Command: updata.exe
Description: Added by the Troj/Lineage-C password-stealing Trojan for the online game Lineage.
File Location: %System%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry
Note: %System% is a variable that refers to the Windows System folder. By default this is C:\Windows\System for Windows 95/98/ME, C:\Winnt\System32 for Windows NT/2000, or C:\Windows\System32 for Windows XP and Vista.
2)
mkrecorder
3)
keycapture

Dunno how you can use it in PW botting.

It just records your mouse and keyboard inputs and does nothing with them at all. At least, we don't know whether it sends all that information to the author or not.
4)
capture.exe
Name: capture
Filename: capture.exe
Command: C:\Windows\System32\capture.exe
Description: Added by the Troj/Theef-B keylogging Trojan.
File Location: %System%
Startup Type: This startup entry is started automatically from a Run, RunOnce, RunServices, or RunServicesOnce entry in the registry.
HijackThis Category: O4 Entry
5)
babiw.exe: Dunno what the heck it is, search results tell me nothing.
6)
g_server
Backdoor.Win32.Hupigon.nh
Other versions: .a, .fdnv
Detection added Nov 04 2005 04:28 GMT
Update released Nov 04 2005 06:23 GMT
Description added Oct 18 2006
Behavior: Backdoor
7)
latent.com
Name: [not used]
Filename: Latent.com
Command: C:\Latent\Latent.com
Description: Added by the Troj/Agent-ADU password-stealing Trojan.
File Location: C:\Latent\Latent.com
Startup Type: This program starts by appending itself to the Userinit registry key.
HijackThis Category: F0, F1, F2, F3 Entry
Sorry for messing up my words, but I think we all must say thanks to the Korean or Vietnamese programmers for such a useful tool they gave us for free. And as far as I know, Russian enthusiasts discovered that the defense against hacks is client-injected.

So please be careful while using the software listed below.
P.S.: sorry for necro-posting =(.
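The quoted post describes pwprotector's whole mechanism: every 15 seconds, enumerate processes and kill any whose image name contains one of the listed strings. Below is an added example, not pwprotector's own code and not from either poster, that re-implements exactly that behaviour so the matching logic can be run and inspected offline. It assumes case-insensitive substring matching (the post does not say whether the real tool folds case) and, on Windows, enumeration via `tasklist /fo csv /nh` and termination via `taskkill /f /pid`; the real tool's enumeration and kill methods are not stated on the page. The sample process list is constructed for the demo, and shows two consequences of substring matching that the post's list implies: an unrelated `ScreenCapture.exe` is killed because it contains `capture.exe`, while a renamed macro binary is not matched at all.

```python
"""Added example: a process-name kill loop re-implementing the behaviour the
quoted post attributes to pwprotector. Not the tool's actual code."""
import csv
import io
import platform
import subprocess
import time

# The blocklist exactly as quoted in the post (Chinese names kept as-is,
# since they are literal process-name patterns, not prose).
BLOCKLIST = [
    "updata.exe", "mkrecorder", "keycapture", "capture.exe", "babiw.exe",
    "g_server", "latent.com", "qmacro.exe", "按键精灵", "时空游侠",
    "变速精灵", "变速齿轮", "完美世界挂机", "autoclick", "scriptexpert",
]
SCAN_INTERVAL_SECONDS = 15  # interval stated in the post

# Constructed sample (pid, image name) list, used when not on Windows and
# for the tests. Includes one false positive and one renamed binary.
SAMPLE_PROCESSES = [
    (4, "System"),
    (1234, "explorer.exe"),
    (2048, "KeyCapture2.exe"),        # matches "keycapture" (case-folded)
    (3001, "ScreenCapture.exe"),      # false positive: contains "capture.exe"
    (4444, "g_server.exe"),           # matches "g_server" (Hupigon component)
    (5555, "elementclient.exe"),      # the game client itself, untouched
    (6001, "按键精灵.exe"),            # non-ASCII pattern matches too
    (7002, "qm_renamed.exe"),         # renamed qmacro copy: NOT matched
]


def matched_pattern(image_name):
    """Return the first blocklist entry contained in image_name, else None.

    Plain substring match after Unicode case folding (assumption: the post
    says "has following strings in image names", nothing about case)."""
    name = image_name.casefold()
    for pattern in BLOCKLIST:
        if pattern.casefold() in name:
            return pattern
    return None


def scan_once(processes, kill):
    """One pass: kill every matching process.

    processes: iterable of (pid, image_name); kill: callable(pid) -> bool.
    Returns a list of (pid, image_name, pattern) for each successful kill."""
    killed = []
    for pid, image_name in processes:
        pattern = matched_pattern(image_name)
        if pattern is not None and kill(pid):
            killed.append((pid, image_name, pattern))
    return killed


def enumerate_processes_windows():
    """Parse `tasklist /fo csv /nh` (columns: Image Name, PID, ...)."""
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    procs = []
    for row in csv.reader(io.StringIO(out)):
        if len(row) >= 2 and row[1].isdigit():
            procs.append((int(row[1]), row[0]))
    return procs


def kill_windows(pid):
    """Force-terminate by PID; True on success (assumed kill method)."""
    return subprocess.run(["taskkill", "/f", "/pid", str(pid)],
                          capture_output=True).returncode == 0


def run_forever(enumerate, kill, interval=SCAN_INTERVAL_SECONDS):
    """The 15-second polling loop described in the post."""
    while True:
        for pid, name, pattern in scan_once(enumerate(), kill):
            print(f"killed pid {pid} ({name}) matched {pattern!r}")
        time.sleep(interval)


if __name__ == "__main__":
    if platform.system() == "Windows":
        run_forever(enumerate_processes_windows, kill_windows)
    else:
        # Dry run on the constructed sample: report, don't kill anything.
        for pid, name, pattern in scan_once(SAMPLE_PROCESSES, lambda _pid: True):
            print(f"would kill pid {pid} ({name}) matched {pattern!r}")
```

Running the dry run on the constructed sample reports pids 2048, 3001, 4444 and 6001; `elementclient.exe` and the renamed `qm_renamed.exe` are left alone, which is the whole strength and weakness of a name-based blocklist.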