Sophos

REFOG Personal Monitor

Aliases
  • Spyware.KGBSpy
  • Monitor.Win32.KGBSpy.bg
  • Monitor.Win32.KGBSpy.bh
  • Monitor.Win32.KGBSpy.bj
Category
Type
What to do
  • If you've received an alert for a blocked PUA or adware and decide that the application is not suitable for your workplace, then follow the instructions for removing PUAs.

Summary

 
Affected operating systems: Windows
Characteristics
  • Installs itself in the registry
Included in our products from December 2008 (4.36)
Protection available since 10 October 2008 17:52:51 (GMT)
Detected by Sophos Anti-Virus for Windows, version 7, and PureMessage for Microsoft Exchange.

More Information

"REFOG Personal Monitor" is a spyware application.

When "REFOG Personal Monitor" is installed the following folders are typically created:

<User>\Application Data\MPK\
<System>\MPK\

and the following links are created:

<System>\runkgb.lnk
<System>\runrefog.lnk

The following registry entry is changed to run <System>\MPK\MPK.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe,<System>\MPK\MPK.exe

The following registry entries are created to give <System>\MPK\Mpk.exe firewall access:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\MPK\Mpk.exe
<System>\MPK\Mpk.exe:*:Enabled:TCP\IP

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
<System>\MPK\MpkView.exe
<System>\MPK\MpkView.exe:*:Enabled:TCP\IP

Registry entries are set as follows:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
<System>\MPK\Mpk.exe
DisableNXShowUI

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
<System>\MPK\MpkView.exe
DisableNXShowUI

Registry entries are created under:

HKLM\SOFTWARE\Refog Software
HKCR\mpkreg
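
A read-only sweep for the artifacts listed above, as an added PowerShell example (not Sophos code). It assumes `<System>` is the Windows system directory and `<User>\Application Data` is the current user's `%APPDATA%` folder; the `$hits` list and variable names are illustrative.

```powershell
# Added example: report which of the artifacts listed on this page are present.
# Assumptions: <System> = Windows system directory, <User>\Application Data = %APPDATA%.
$sys  = [Environment]::SystemDirectory
$hits = New-Object System.Collections.Generic.List[string]

# 1. Winlogon\Userinit should start only <System>\userinit.exe; flag any other entry.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit).Userinit
foreach ($entry in ($userinit -split ',')) {
    $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
    if ($path -and ($path -ine "$sys\userinit.exe")) {
        $hits.Add("Userinit starts an extra program: $path")
    }
}

# 2. Folders and shortcuts created at install time.
$paths = "$sys\MPK", "$env:APPDATA\MPK", "$sys\runkgb.lnk", "$sys\runrefog.lnk"
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $hits.Add("Path exists: $p") }
}

# 3. Firewall exceptions and AppCompat layers stored as values named after the MPK binaries.
$valueKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers'
)
foreach ($k in $valueKeys) {
    $key = Get-Item -LiteralPath $k -ErrorAction SilentlyContinue
    if ($key) {
        foreach ($name in $key.GetValueNames()) {
            # -match is case-insensitive, so Mpk.exe and MPK.exe both hit
            if ($name -match '\\MPK\\Mpk(View)?\.exe$') { $hits.Add("$k -> $name") }
        }
    }
}

# 4. Keys created by the installer (HKCR is addressed through the Registry:: provider).
foreach ($k in 'HKLM:\SOFTWARE\Refog Software', 'Registry::HKEY_CLASSES_ROOT\mpkreg') {
    if (Test-Path -LiteralPath $k) { $hits.Add("Key exists: $k") }
}

if ($hits.Count -eq 0) { 'None of the listed artifacts were found.' } else { $hits }
```

The Userinit check also reports any other program appended to that value, so a hit there is worth reviewing even when no MPK path is involved.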
