"Malware Defense" Virus and Avast?


(PeteCresswell)

Just got off the phone with somebody whose PC had become infected
with the "Malware Defense" virus.

They had Avast up and running all the time - but I suspect that
it was an outdated version of the Avast application, albeit with
auto updating of signatures turned on.

If that's true, would the latest Avast application have caught
the virus?

Does anybody have a URL that points to a site that tries to
install "Malware Defense" - So I can try it on a test PC to see
if it gets blocked?
 

David H. Lipman

From: (PeteCresswell) said:
Just got off the phone with somebody whose PC had become infected
with the "Malware Defense" virus.

They had Avast up and running all the time - but I suspect that
it was an outdated version of the Avast application, albeit with
auto updating of signatures turned on.

If that's true, would the latest Avast application have caught
the virus?

Does anybody have a URL that points to a site that tries to
install "Malware Defense" - So I can try it on a test PC to see
if it gets blocked?

"Malware Defense" is NOT a virus.

It's a fake anti-malware rogue that is purely a trojan.

Any URL that provides a download will change in a matter of hours or per day.
 

FromTheRafters

(PeteCresswell) said:
Just got off the phone with somebody whose PC had become infected
with the "Malware Defense" virus.

They had Avast up and running all the time - but I suspect that
it was an outdated version of the Avast application, albeit with
auto updating of signatures turned on.

As I'm sure you know already, they're always outdated. :blush:)
If that's true, would the latest Avast application have caught
the virus?

With each new polymorphic form, it will be hit or miss no matter what
program you use.
Does anybody have a URL that points to a site that tries to
install "Malware Defense" - So I can try it on a test PC to see
if it gets blocked?

They don't stay put very long, and they change both the form of the
executable itself *and* the form of the delivery method(s) used.

Do you suspect a software exploit was used, or just the usual social
engineering trickery?
 

(PeteCresswell)

Per FromTheRafters:
They don't stay put very long, and they change both the form of the
executable itself *and* the form of the delivery method(s) used.

Do you suspect a software exploit was used, or just the usual social
engineering trickery?

If "social engineering trickery" means the user clicked on
something they thought was harmless, I'd say that's the one. They
reported that they were looking for real estate and drilling down
into listing realtor sites over-and-over again... and noticed the
appearance of the malware's screens coincident with one of the
realtor sites.


Downloaded both Kaspersky's and MalwareBytes' solutions.

Couldn't get MalwareBytes' installer to come up. Seemed like it
tried, and then quit - maybe the malware was taking some sort of
active measures against it.

Finally got Kaspersky running and now the PC seems trojan-free.

I see what people say about Kaspersky's UI not being the
greatest. It's supposed to be running in "Safe" mode (i.e. VGA
screen) but its window is a good 25% too large to fit in a VGA
window.


On another note, since I was fooling around with it anyway, I had
MalwareBytes do a full system scan on my own PC (protected by
up-to-date Avast). It found "Rogue.WinDefender" installed as
C:\Windows\System32\Drivers\fwHookDrv.sys.

Ran Avast's full system scan immediately, and it found nothing.

Googled "fwHookDrv", and it sounds to me like there's not much
wiggle room there: it really is malware in and of itself (i.e.
not a legitimate file that was hijacked).

Can anybody comment? Seems like it would be a significant hole
in Avast if fwHookDrv really were patently malware.


I'm considering resumption of my discontinued practice of
re-imaging every time I even *think* something is fishy.
 

David H. Lipman

From: (PeteCresswell) said:
Per FromTheRafters:

If "social engineering trickery" means the user clicked on
something they thought was harmless, I'd say that's the one. They
reported that they were looking for real estate and drilling down
into listing realtor sites over-and-over again... and noticed the
appearance of the malware's screens coincident with one of the
realtor sites.

Downloaded both Kaspersky's and MalwareBytes' solutions.

Couldn't get MalwareBytes' installer to come up. Seemed like it
tried, and then quit - maybe the malware was taking some sort of
active measures against it.

Finally got Kaspersky running and now the PC seems trojan-free.

When that happens, rename it to such as; PeteCresswell.com

If it installs but you can't run Malwarebytes, go to...
"C:\Program Files\Malwarebytes' Anti-Malware"

COPY mbam.exe TO pete.com
 

(PeteCresswell)

Per David H. Lipman:
When that happens, rename it to such as; PeteCresswell.com

If it installs but you can't run Malwarebytes, go to...
"C:\Program Files\Malwarebytes' Anti-Malware"

COPY mbam.exe TO pete.com

Thanks.

Would that suggest that "Malware Defense" is taking some sort of
action against "mbam.exe"?
 

David H. Lipman

From: (PeteCresswell) said:
Per David H. Lipman:

Thanks.

Would that suggest that "Malware Defense" is taking some sort of
action against "mbam.exe"?

Malware often uses a laundry list of executable names that the malware, when in memory,
blocks from being actually executed. That list can contain the names of anti-malware
executables such as MBAM.EXE as well as REGEDIT.EXE, TASKMAN.EXE, AUTORUNS.EXE and
PROCEXP.EXE, to name a few. It may also block the execution of subsequent EXE files.
That's why I suggested renaming/copying the files with the .COM extension.
 

(PeteCresswell)

Per David H. Lipman:
Malware often uses a laundry list of executable names that the malware, when in memory,
blocks from being actually executed. That list can contain the names of anti-malware
executables such as MBAM.EXE as well as REGEDIT.EXE, TASKMAN.EXE, AUTORUNS.EXE and
PROCEXP.EXE, to name a few. It may also block the execution of subsequent EXE files.
That's why I suggested renaming/copying the files with the .COM extension.

Thanks. That's kinda what I figured.

Also may explain why TeamViewer went out the window when I was
trying to troubleshoot remotely.
 

David H. Lipman

From: (PeteCresswell) said:
Per David H. Lipman:

Thanks. That's kinda what I figured.

Also may explain why TeamViewer went out the window when I was
trying to troubleshoot remotely.

This is what can be deemed as malware self preservation techniques.
 

Nobody > (Revisited)

Couldn't get MalwareBytes' installer to come up. Seemed like it
tried, and then quit - maybe the malware was taking some sort of
active measures against it.

Best way to install *any* anti-malware application is in SAFE mode when
dealing with an infected machine, and with the internet connection
physically disconnected (paranoia?)

Reboot/restart (again in SAFE mode), and run said application in
full-scan mode. It may take some time.

By doing it in SAFE mode, you usually (so far about 98% of the time)
avoid the "hooks" the bastardware uses to stop real removal
applications when running in "full Windows mode".

I may be paranoid, but I always rename the MBAM (MalwareBytes)
executable installer as well. "Skunk.exe" works. (This (IIRC) is a tip
from MalwareBytes themselves). This may not work with other applications.

Just my opinion, but I'd retry MBAM again this way even tho Kaspersky
seemed to find and kill your bastardware. Each one "finds" things
differently, and a second opinion never hurts.

--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum
 

Nobody > (Revisited)

Malware often uses a laundry list of executable names that the malware, when in memory,
blocks from being actually executed. That list can contain the names of anti-malware
executables such as MBAM.EXE as well as REGEDIT.EXE, TASKMAN.EXE, AUTORUNS.EXE and
PROCEXP.EXE, to name a few. It may also block the execution of subsequent EXE files.
That's why I suggested renaming/copying the files with the .COM extension.

Dave; I'd also (again) suggest doing both the install and the scan in
SAFE mode..


--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum
 

David H. Lipman

From: Nobody > (Revisited) said:
Best way to install *any* anti-malware application is in SAFE mode when dealing with an
infected machine, and with the internet connection physically disconnected (paranoia?)

Reboot/restart (again in SAFE mode), and run said application in full-scan mode. It may
take some time.

By doing it in SAFE mode, you usually (so far about 98% of the time) avoid the
"hooks" the bastardware uses to stop real removal applications when running in "full
Windows mode".

I may be paranoid, but I always rename the MBAM (MalwareBytes)
executable installer as well. "Skunk.exe" works. (This (IIRC) is a tip from MalwareBytes
themselves). This may not work with other applications.

Just my opinion, but I'd retry MBAM again this way even tho Kaspersky seemed to find and
kill your bastardware. Each one "finds" things differently, and a second opinion never
hurts.


The Install service does not run under Safe Mode.
 

(PeteCresswell)

Per Nobody > (Revisited):
Reboot/restart (again in SAFE mode), and run said application in
full-scan mode. It may take some time.

That's how I proceeded in all cases: Safe Mode.

Safe Mode did not seem to slow it down though.
 

(PeteCresswell)

Per David H. Lipman:
The Install service does not run under Safe Mode.

That means I was probably lying in my last post about doing
everything in Safe Mode... "Never trust a user" .... :-)
 

David H. Lipman

From: (PeteCresswell) said:
Per Nobody > (Revisited):

That's how I proceeded in all cases: Safe Mode.

Safe Mode did not seem to slow it down though.

Since Safe Mode loads a limited version of the OS, not all loading vectors are used and
thus you have a chance that the malware is not loaded.

However, as I noted, the Install Service ("Windows Installer", aka MSIServer) is not
loaded in Safe Mode, so any software that uses a Microsoft-style .MSI file to install will
not install in Safe Mode.
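A defender-side check for the Safe Mode point argued above, added here as an example and not code from any poster: it reports whether Windows actually booted in Safe Mode (the "never trust a user" problem) and whether the Windows Installer service is registered under the SafeBoot keys, which is what decides whether an .MSI-based installer can run there. It assumes an elevated PowerShell prompt on Windows; the function names are this example's own.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell
# prompt on Windows. Safe Mode only starts services and drivers listed
# under HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot\{Minimal,Network}.

function Get-BootMode {
    # BootupState is "Normal boot", "Fail-safe boot" (Safe Mode) or
    # "Fail-safe with network boot" (Safe Mode with Networking).
    $state = (Get-CimInstance -ClassName Win32_ComputerSystem).BootupState
    # SAFEBOOT_OPTION is set to MINIMAL or NETWORK only during a safe boot.
    $opt = $env:SAFEBOOT_OPTION
    [pscustomobject]@{
        BootupState    = $state
        SafeBootOption = if ($opt) { $opt } else { '(none)' }
        InSafeMode     = [bool]$opt
    }
}

function Test-SafeBootService {
    param(
        [string]$ServiceName = 'MSIServer',
        [ValidateSet('Minimal', 'Network')][string]$Mode = 'Minimal'
    )
    # Present key => the service is allowed to start in that Safe Mode flavour.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode\$ServiceName"
    return (Test-Path -Path $key)
}

function Enable-SafeBootService {
    param(
        [string]$ServiceName = 'MSIServer',
        [ValidateSet('Minimal', 'Network')][string]$Mode = 'Minimal'
    )
    # Registers the service for Safe Mode. The key's default value must be
    # the string 'Service' (drivers use 'Driver'). Requires administrator rights.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$Mode\$ServiceName"
    if (-not (Test-Path -Path $key)) {
        New-Item -Path $key -Value 'Service' -Force | Out-Null
    }
    return (Test-Path -Path $key)
}

# Report: are we really in Safe Mode, and would an .MSI install work here?
Get-BootMode | Format-List
foreach ($mode in 'Minimal', 'Network') {
    $ok = Test-SafeBootService -ServiceName 'MSIServer' -Mode $mode
    "MSIServer registered for Safe Mode ($mode): $ok"
}
```

After a reboot into Safe Mode, a service registered this way starts with the limited set, so an .MSI installer has a chance of running; the check alone changes nothing on the system.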
 

Nobody > (Revisited)

The Install service does not run under Safe Mode.

May have been true on earlier versions, but as of about a month ago, I
had a long-distance phone assist and did it in safe mode. The worst part
was getting said friend to tap the F8 key at the right time. I knew he
had it in safe mode because he commented on the weird screen.



--
"Shit this is it, all the pieces do fit.
We're like that crazy old man jumping
out of the alleyway with a baseball bat,
saying, "Remember me motherfucker?"
Jim “Dandy” Mangrum
 
