"Malware Defense" Virus and Avast?

Just got off the phone with somebody whose PC had become infected
with the "Malware Defense" virus.

They had Avast up and running all the time - but I suspect that
it was an outdated version of the Avast application, albeit with
auto updating of signatures turned on.

If that's true, would the latest Avast application have caught
the virus?

Does anybody have a URL that points to a site that tries to
install "Malware Defense" - So I can try it on a test PC to see
if it gets blocked?
--
PeteCresswell

Re: "Malware Defense" non-Virus and Avast?



"Malware Defense" is NOT a virus.

It's a fake anti-malware rogue that is purely a trojan.

Any URL that provides a download will change in a matter of hours or per day.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: "Malware Defense" non-Virus and Avast?



hehe... I knew THAT was coming!  :-)

--
        --- Everybody has a right to my opinion. ---

Re: "Malware Defense" Virus and Avast?

(PeteCresswell) wrote:

As I'm sure you know already, they're always outdated. :o)


With each new polymorphic form, it will be hit or miss no matter what
program you use.


They don't stay put very long, and they change both the form of the
executable itself *and* the form of the delivery method(s) used.

Do you suspect a software exploit was used, or just the usual social
engineering trickery?


Re: "Malware Defense" Virus and Avast?

Per FromTheRafters:

If "social engineering trickery" means the user clicked on
something they thought was harmless, I'd say that's the one. They
reported that they were looking for real estate and drilling down
into listing realtor sites over-and-over again... and noticed the
appearance of the malware's screens coincident with one of the
realtor sites.


Downloaded both Kaspersky's and MalwareBytes' solutions.

Couldn't get MalwareBytes' installer to come up.  Seemed like it
tried, and then quit - maybe the malware was taking some sort of
active measures against it.

Finally got Kaspersky running and now the PC seems trojan-free.

I see what people say about Kaspersky's UI not being the
greatest.  It's supposed to be running in "Safe" mode (i.e. VGA
screen) but its window is a good 25% too large to fit in a VGA
window.


On another note, since I was fooling around with it anyway, I had
MalwareBytes do a full system scan on my own PC (protected by
up-to-date Avast).   It found "Rogue.WinDefender" installed as
C:\Windows\System32\Drivers\fwHookDrv.sys.

Ran Avast's full system scan immediately, and it found nothing.

Googled "fwHookDrv", and it sounds to me like there's not much
wiggle room there: it really is malware in and of itself (i.e.
not a legitimate file that was hijacked).

Can anybody comment?   Seems like it would be a significant hole
in Avast if fwHookDrv really were patently malware.


I'm considering resumption of  my discontinued practice of
re-imaging every time I even *think* something is fishy.
--
PeteCresswell

Re: "Malware Defense" Virus and Avast?



When that happens, rename it to such as; PeteCresswell.com

If it installs but you can't run Malwarebytes, go to...
"C:\Program Files\Malwarebytes' Anti-Malware"

COPY mbam.exe TO  pete.com

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: "Malware Defense" Virus and Avast?

Per David H. Lipman:

Thanks.

Would that suggest that "Malware Defense" is taking some sort of
action against "mbam.exe"?
--
PeteCresswell

Re: "Malware Defense" Virus and Avast?



Malware often uses a laundry list of executable names that the malware, when in
memory, blocks from being actually executed.  That list can contain the name of
anti-malware executables such as MBAM.EXE as well as REGEDIT.EXE, TASKMAN.EXE,
AUTORUNS.EXE and PROCEXP.EXE to name a few.  It may also block the execution of
subsequent EXE files.  That's why I suggested renaming/copying the files with
the .COM extension.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp
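
Added example, not part of the thread and not anything the posters ran: a defender-side heuristic over process create/terminate events that looks for the pattern Dave describes. When a rogue blocks tools by image name, the canonical executable (MBAM.EXE, REGEDIT.EXE, ...) typically dies within moments of starting, while a renamed copy (the .COM trick) survives. The log format below is constructed for this example; the same fields are available from any process-auditing source that records creation and termination with a PID (Sysmon's process create and process terminated events, for instance). The watchlist is taken from the names mentioned in the thread.

```python
"""Flag watchlisted security tools that are terminated almost immediately
after launch, a symptom of name-based self-preservation by malware.

Added example: the log lines and the pipe-separated format are constructed
for illustration, not taken from any real system."""
from datetime import datetime

# Image names the thread says rogues commonly block (lower-cased for matching).
WATCHLIST = {"mbam.exe", "regedit.exe", "taskman.exe", "autoruns.exe", "procexp.exe"}

# Constructed sample log: "timestamp|event|pid|full image path"
# mbam.exe and regedit.exe are killed in well under a second; the renamed
# copy pete.com runs for minutes; notepad.exe is short-lived but not a tool.
SAMPLE_LOG = """\
2010-01-12T10:00:00.000000|create|1001|C:\\Windows\\explorer.exe
2010-01-12T10:01:05.000000|create|1302|C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe
2010-01-12T10:01:05.180000|terminate|1302|C:\\Program Files\\Malwarebytes' Anti-Malware\\mbam.exe
2010-01-12T10:01:20.000000|create|1310|C:\\Windows\\regedit.exe
2010-01-12T10:01:20.090000|terminate|1310|C:\\Windows\\regedit.exe
2010-01-12T10:02:00.000000|create|1355|C:\\Program Files\\Malwarebytes' Anti-Malware\\pete.com
2010-01-12T10:03:00.000000|create|1400|C:\\Windows\\notepad.exe
2010-01-12T10:03:00.050000|terminate|1400|C:\\Windows\\notepad.exe
2010-01-12T10:14:30.000000|terminate|1355|C:\\Program Files\\Malwarebytes' Anti-Malware\\pete.com
"""


def parse_events(text):
    """Yield (timestamp, event, pid, image) tuples from the constructed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, pid, image = line.split("|", 3)
        yield datetime.fromisoformat(ts), event, int(pid), image


def short_lived_watchlist_processes(text, max_lifetime_seconds=1.0):
    """Return [(image_name, pid, lifetime_seconds)] for watchlisted images whose
    process was terminated less than max_lifetime_seconds after creation.

    Processes are matched by PID between their create and terminate events,
    so event order in the log does not need to be strictly chronological."""
    starts = {}   # pid -> (create timestamp, lower-cased image name)
    hits = []
    for ts, event, pid, image in parse_events(text):
        name = image.rsplit("\\", 1)[-1].lower()
        if event == "create":
            starts[pid] = (ts, name)
        elif event == "terminate" and pid in starts:
            start_ts, start_name = starts.pop(pid)
            lifetime = (ts - start_ts).total_seconds()
            if start_name in WATCHLIST and lifetime < max_lifetime_seconds:
                hits.append((start_name, pid, lifetime))
    return hits


if __name__ == "__main__":
    for name, pid, lifetime in short_lived_watchlist_processes(SAMPLE_LOG):
        print(f"{name} (pid {pid}) terminated after {lifetime:.3f}s: possible name-based blocking")
```

On the constructed sample this reports mbam.exe and regedit.exe only. A renamed copy that runs normally while the canonical name keeps dying is the corroborating signal; the renamed copy itself is deliberately not on the watchlist, since its name is chosen per case.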



Re: "Malware Defense" Virus and Avast?

Per David H. Lipman:

Thanks.  That's kinda what I figured.

Also may explain why TeamViewer went out the window when I was
trying to troubleshoot remotely.
--
PeteCresswell

Re: "Malware Defense" Virus and Avast?



This is what can be deemed malware self-preservation techniques.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: "Malware Defense" Virus and Avast?




The Install service does not run under Safe Mode.

--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: "Malware Defense" Virus and Avast?

Per David H. Lipman:

That means I was probably lying in my last post about doing
everything in Safe Mode...   "Never trust a user" .... -)
--
PeteCresswell

Re: "Malware Defense" Virus and Avast?

Per Nobody > (Revisited):

That's how I proceeded in all cases: Safe Mode.

Safe Mode did not seem to slow it down though.    

--
PeteCresswell

Re: "Malware Defense" Virus and Avast?



Since Safe Mode loads a limited version of the OS, not all loading vectors are
used and thus you have a chance that the malware is not loaded.

However, as I noted, the Install Service ("Windows Installer" aka MSIServer)
is not loaded in Safe Mode, so any software that uses a Microsoft-style .MSI
file to install will not install in Safe Mode.



--
Dave
Multi-AV Scanning Tool - http://www.pctipp.ch/downloads/dl/35905.asp



Re: "Malware Defense" Virus and Avast?

The clock of life is wound but once,
And no man has the power to tell
Just when the hands will stop
    At late or early hour.
Now is the only time you own,
Live, Love, Toil with a will.
Place no faith in tomorrow,
For the clock may then be Still.

Anon.
