{"id":8965,"date":"2021-11-30T11:27:07","date_gmt":"2021-11-30T11:27:07","guid":{"rendered":"https:\/\/lgildv5i97.onrocket.site\/answers\/?post_type=question&#038;p=8965"},"modified":"2021-11-30T11:27:25","modified_gmt":"2021-11-30T11:27:25","slug":"is-redsn0w-a-trojan-is-my-computer-infected","status":"publish","type":"question","link":"https:\/\/computing.net\/answers\/security\/is-redsn0w-a-trojan-is-my-computer-infected\/38498.html","title":{"rendered":"Is Redsn0w A Trojan? Is My Computer Infected?"},"content":{"rendered":"<p>I downloaded redsn0w_win_0.9.10b5c (iPhone jailbreaking software) from redsn0w.us and ran it as Administrator, as it states that is needed.<br \/>\nCOMODO scanned it and found no virus in it.<br \/>\nWhen I executed redsn0w, COMODO reported a number of actions that seem to show it has a malware payload. It changed a lot in the registry, for example the registry for certs.<br \/>\nI ran a COMODO system scan, which found nothing. I then ran online virus scanners, which found no viruses.<br \/>\nI also uploaded the redsn0w file to virustotal, which found no virus in it.<\/p>\n<p>Below is an excerpt from the COMODO Internet Security logs, which shows redsn0w is doing very strange and probably very bad things.<br \/>\nIs my computer infected? 
Why do the online AVs not show anything?<\/p>\n<p>Defence+ Logs<\/p>\n<p>Date Created<\/p>\n<p>:<\/p>\n<p>2012-08-06 19:57:59<\/p>\n<p>Log Scope<\/p>\n<p>:<\/p>\n<p>Last 30 Days<\/p>\n<p>Records count<\/p>\n<p>:<\/p>\n<p>14<br \/>\nDate\/Time Application Action Target<br \/>\n8\/4\/2012 6:30:01 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe<br \/>\n8\/4\/2012 6:34:16 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe<br \/>\n8\/4\/2012 6:37:04 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe<br \/>\n8\/4\/2012 6:54:29 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Windows\\System32\\dwm.exe<br \/>\n8\/4\/2012 6:54:35 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Windows\\explorer.exe<br \/>\n8\/4\/2012 6:54:52 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files\\Realtek\\Audio\\HDA\\RAVCpl64.exe<br \/>\n8\/4\/2012 6:55:14 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files (x86)\\EgisTec\\MyWinLocker 3\\x86\\mwlDaemon.exe<br \/>\n8\/4\/2012 6:55:37 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe<br \/>\n8\/4\/2012 6:55:50 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files\\Windows Sidebar\\sidebar.exe<br \/>\n8\/4\/2012 6:56:17 AM C:\\Users\\Ola\\Downloads\\redsn0w_win_0.9.10b5c\\redsn0w.exe Access Memory C:\\Program Files (x86)\\VoipDiscount.com\\VoipDiscount\\voipdiscount.exe<br \/>\n8\/4\/2012 7:44:42 AM C:\\Windows\\System32\\services.exe Modify Key 
HKLM\\SYSTEM\\ControlSet001\\services\\USBAAPL64\\Type<br \/>\n8\/5\/2012 7:55:52 PM C:\\Program Files\\COMODO\\COMODO Internet Security\\cfp.exe Changes Defense+ Mode Safe Mode<br \/>\n8\/5\/2012 7:58:42 PM C:\\Windows\\System32\\rundll32.exe Create Process, Execute Image C:\\Program Files (x86)\\HP\\Digital Imaging\\bin\\HPSLPSVC64.DLL<br \/>\n8\/5\/2012 8:00:42 PM C:\\Windows\\System32\\rundll32.exe Create Process, Execute Image C:\\Program Files (x86)\\HP\\Digital Imaging\\bin\\HPSLPSVC64.DLL<br \/>\nEnd of The Report<\/p>\n<p>redsn0w_win_0.9.10b5c<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"inline_featured_image":false,"iawp_total_views":88},"question-category":[56],"question_tags":[],"class_list":["post-8965","question","type-question","status-publish","hentry","question-category-security"],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/question\/8965","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/question"}],"about":[{"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/types\/question"}],"author":[{"embeddable":true,"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/comments?post=8965"}],"wp:attachment":[{"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/media?parent=8965"}],"wp:term":[{"taxonomy":"question-category","embeddable":true,"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/question-category?post=8965"},{"taxonomy":"question_tags","embeddable":true,"href":"https:\/\/computing.net\/answers\/wp-json\/wp\/v2\/question_tags?post=8965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}