CurePCSolutions, adds .exe to files


JjJames


Hi JjJames,

 

...

 

 

Hi,

 

Thx a million for searching.

Unfortunately, I have already tried Spyware Doctor, but it didn't recover my files.

And again, unfortunately, I have already deleted the dll. I did this to stop the annoying popup; this was before I found out my files were changed.

But, maybe the dll file of one of the other victims of the adware here can help, they have a different name but since they do the same thing, maybe they are the same dll's, just with a different name.

And about the other pc, I'll give it a try tomorrow, I have to install Windows on it. Afterwards I'm also going to try with the CurePCsolutions software (on that old pc). There is nothing on that pc, so it doesn't have anything to break.


Hi JjJames,

 

As you already noticed, there are just quite a few Google links with the "CurePCSolutions" search key... just pctools, some topics (3 cases) on Zebulon, 1 topic on trojaner-board (nothing posted recently), a blog speaking about Spyware Doctor, some other topics in the Czech Republic and in Arabic countries.

 

This makes me more and more think about encryption for a ransom!

 

I doubt the DLL files of other comps could be useful because, were I the hijacker, I would choose a random encryption key so that the key of a system would not be available for another system!

 

I still keep a look at discussions on the Internet and I intend to post on American boards to get help from them!


Hi JjJames,

 

...

 

I'll keep looking on the net. Since it seems pretty new, maybe some more cases will show up.

 

This is the address they give:

Visit our Support section for answers to frequently asked questions. Technical Support hours are 8:30am - 5:30pm PST, Monday - Friday

Cure Lab Inc. 121 Street Surrey BC V3X 2K8 Canada

 

Something tells me the address won't be correct :P

 

Thx,

JjJames


Hi guys :P

 

I haven't read through this entire topic, but being from Canada, I decided to check that address out. It does look bogus :P

 

There is a "121st Street" in Surrey (British Columbia), but the postal code points to another street (60th Avenue). They haven't included the "door number" or phone number either, so that raises a red flag. The only "Cure Lab" found with Google is in Massachusetts (US) with another office in California.

 

Good luck to both of you :P


Hi JjJames, Qc001, hi everyone,

 

Qc001 -> thanks for your post!

 

I posted on Spyware Warrior, where Eric L. Howes lists the rogue websites and programs (I looked into the list but didn't find CurePCSolutions):

- my post -> http://www.spywarewarrior.com/viewtopic.php?p=146372

- Eric L. Howes Rogue list -> http://www.spywarewarrior.com/rogue_anti-spyware.htm

 

Yahoo! provides many more links than Google but mainly to crack websites. However, CC is speaking about CurePCSolutions in a general discussion -> http://www.castlecops.com/p869054-www_upda...te_dot_com.html

 

Pctools (a member) posted at SWW about Spyware Doctor removing the malware -> http://www.spywarewarrior.com/viewtopic.php?p=145482#145482


Hey guys,

 

Found an interesting writeup at Dr.Web's (it's for an older variant though) :

 

http://info.drweb.com/show/2747

 

This seems to be a new variant of this "Trojan.Encoder" type infection. Dr.Web released a special tool (decoder) for the older one (bottom of article). They now detect this new one as "Trojan.Encoder.10" (from post #16 ^^).

 

This sure sounds like "ransomware"... :P

 

James, I think you should contact the folks at Dr.Web from this link :

http://support.drweb.com/new/

 

I am hopeful they will have a tool out soon :P


Hi Qc001, ipl_001, JjJames

 

I'm also going to try with the CurePCsolutions software (on that old pc). There is nothing on that pc, so it doesn't have anything to break.

Unfortunately, it won't cure anything... if you scan your hard drive with CurePCsolutions it'll display false positives, and won't provide any information about what it found... then it'll ask for payment to clean those non-existent "spywares"/"adwares" (as will do any other rogue antispyware product as listed here ! > http://spywarewarrior.com/rogue_anti-spyware.htm#notes)

I tested it on my own computer. Take a look at the picture >

 

8c0aa3.gif

 

I'd advise you to contact the people at Dr.Web as Qc001 told you :P

 

best regards :P


Hi guys,

 

James : any news from Dr.Web yet ? Did you submit an encrypted file for analysis there ?

 

If you haven't heard anything by now, maybe we could try something...

 

Let us know how things are going with the computer, and we'll look at our options :P

