False positive FakeBill.CourtCologne
Hi, upon scanning Spybot found two registry entries belonging to FakeBill.CourtCologne.
FakeBill.CourtCologne: [SBI $3A594AB3] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
FakeBill.CourtCologne: [SBI $3A594AB3] Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\explorer.exe
(In the log file they are the same, but the scan results show "(64 bit)" after one of them.)
When going to that location in the registry it only shows the default empty key, nothing else. Also, according to description at the bottom of my post it describes some e-mail attachment which I never opened or received and while I'm not an expert at computer security, I know that not opening unknown attachments is one of the basic security principles, and I probably wouldn't even open emails like that just based on sender and subject. Furthermore, explorer.exe works just fine on my computer. I've also scanned my computer with multiple tools, and they all came up clean.(Malwarebytes' Anti-Malware, SuperAntiSpyware, Emsisoft Emergency kit, Hitman Pro 3.5 and Kaspersky Rescue Disc.)
I'm on Win7 ultimate 64 bit, Spybot is up to date (1.6.2 (build: 20090126)) and has the latest definitions from last Wednesday.
Description: FakeBill.CourtCologne gets distributed via spam emails, stating that a huge bill has to be paid to the local court of cologne. If the user tries to take a closer look at the attached zip file he executes a link file which will install a disguised .exe file which creates an entry in the registry leading to an error during startup. The explorer.exe will no longer be executed during the startup process leaving the infected Windows not functional. In order to fix this you may use a BartPE CD or visit us at our forums http://forums.spybot.info for more detailed step by step instructions.
Reply With Quote
