
Just letting people know about a dreadful infection that came from a company that cold calls and encourages people to visit www.ammey.com (the site is currently dead) for some security software.

Anyway, the software tells the user that their machine has a fake Windows license, and that they need to buy one from the link the software takes them to.

That was removed without too much trouble. However, it left behind something that took me *hours* to get rid of, and that's a bogus warning that pops up *before* Vista logon, i.e. before the user enters their password.

The message is full screen with the Windows Vista graphic in the background, telling the user their machine has failed the genuine test and the user needs to buy a license, otherwise it will shut down in 5 minutes, forcing the user to click OK.

Well, after running ComboFix, MSE, Malwarebytes, SUPERAntiSpyware, Multi-AV, GMER, TDSSKiller, Autoruns, HijackThis etc., none of them picked anything up.

It dawned on me that this was the kind of message that can be implemented via local group policies in businesses etc.

I searched the registry for references to the exact word, and there the little sod is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

legalnoticecaption

and

legalnoticetext

Deleted the contents of these registry values, and the machine is running fine.

Hope that helps

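The two values named in the post can be audited, backed up and cleared from an elevated PowerShell prompt. The script below is an added example and is not the poster's code or part of any of the tools listed above. It assumes the value names LegalNoticeCaption and LegalNoticeText under the Policies\System key from the post; the Winlogon key is added on the assumption that Windows also reads the same value names from that older location. The "suspect phrase" list is a constructed heuristic, not a signature.

```powershell
# Added example, not from the original post. Audit (and, on request, clear)
# the registry values that produce a full-screen message before the Windows
# logon prompt. Run from an elevated PowerShell session.

$NoticeKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'   # key named in the post
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'       # legacy location (assumption)
)
$NoticeValues = 'LegalNoticeCaption', 'LegalNoticeText'

# Words a scareware "genuine check" notice tends to use; constructed heuristic.
$SuspectPhrases = 'genuine', 'license', 'licence', 'shut down', 'purchase', 'buy'

function Get-LegalNotice {
    # Returns one object per non-empty notice value, flagged if it looks like scareware.
    foreach ($key in $NoticeKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($name in $NoticeValues) {
            $value = $props.$name
            if ([string]::IsNullOrWhiteSpace($value)) { continue }
            $hits = $SuspectPhrases | Where-Object { $value -match [regex]::Escape($_) }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Value      = $value
                Suspicious = [bool]$hits
                Matched    = ($hits -join ', ')
            }
        }
    }
}

function Clear-LegalNotice {
    # Exports each key to a .reg file, then blanks the notice values.
    # Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$BackupDir = "$env:TEMP\legalnotice-backup"
    )
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $NoticeKeys) {
        if (-not (Test-Path -Path $key)) { continue }
        # reg.exe wants HKLM\..., not the PowerShell drive form HKLM:\...
        $regPath = $key -replace '^HKLM:\\', 'HKLM\'
        $backup  = Join-Path $BackupDir (($key -replace '[:\\ ]', '_') + '.reg')
        & reg.exe export $regPath $backup /y | Out-Null
        $props = Get-ItemProperty -Path $key
        foreach ($name in $NoticeValues) {
            if ([string]::IsNullOrEmpty($props.$name)) { continue }
            if ($PSCmdlet.ShouldProcess("$key\$name", 'Clear pre-logon notice value')) {
                # Blank the value rather than delete it, as the poster did;
                # an empty caption and text means no message is shown at logon.
                Set-ItemProperty -Path $key -Name $name -Value ''
            }
        }
    }
}

$found = Get-LegalNotice
if ($found) { $found | Format-Table -AutoSize } else { 'No pre-logon legal notice is configured.' }
# To remediate after reviewing the output:  Clear-LegalNotice -WhatIf   then   Clear-LegalNotice
```

Before clearing anything, check whether the notice is legitimate. The same values are set by the "Interactive logon: Message title/text for users attempting to log on" policy, so on a domain-joined machine a Group Policy may have put them there on purpose, and a policy refresh will simply write them back; `gpresult /h report.html` shows whether that policy applies. The backup directory defaults to a path under %TEMP% purely for illustration.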

< snip >

Well, after running ComboFix, MSE, Malwarebytes, SUPERAntiSpyware, Multi-AV, GMER, TDSSKiller, Autoruns, HijackThis etc., none of them picked anything up.

It dawned on me that this was the kind of message that can be implemented via local group policies in businesses etc.

I searched the registry for references to the exact word, and there the little sod is:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

legalnoticecaption

and

legalnoticetext

Deleted the contents of these registry values, and the machine is running fine.

Hope that helps

Hey, you used my Multi-AV Scanning Tool, cool.

For obvious business reasons those Local Policy keys are left alone.


  • 2 weeks later...
  • Staff

Due to the lack of feedback this topic is closed to prevent others from posting here. If you need this topic reopened, please send a Private Message to any one of the moderating team members. Please include a link to this thread with your request. This applies only to the originator of this thread.

Other members who need assistance please start your own topic in a new thread. Thanks!
