Stories of heroism and victory....against malware using KillSwitch :)

[Guest]

[kagun]

My colleague gave me his PC infected with trojan last night.
It disabled Task Manager, Registry Editor, Safe Mode and System Restore.
Tried HitmanPro with Force Breach. scanned but couldn't clean. Abort.
Tried to install Malwarebytes, get error during arround 50% install. Abort.
Started CCE, updated, full scan, found 125 threats, all related to problem. Cleaned, computer works.
Very old machine, XP SP2, 240MB Ram, 40ish GB HDD... Scan done of over 4 million files in 3 hours.
One false positive [heuristics high] for old printer driver file, submitted as false positive.
Verdict: Awesome! 

[panic]

My colleague gave me his PC infected with trojan last night.
It disabled Task Manager, Registry Editor, Safe Mode and System Restore.
Tried HitmanPro with Force Breach. scanned but couldn't clean. Abort.
Tried to install Malwarebytes, get error during arround 50% install. Abort.
Started CCE, updated, full scan, found 125 threats, all related to problem. Cleaned, computer works.
Very old machine, XP SP2, 240MB Ram, 40ish GB HDD... Scan done of over 4 million files in 3 hours.
One false positive [heuristics high] for old printer driver file, submitted as false positive.
Verdict: Awesome! 

Nice!!  It's not half bad, is it? 

Ewen :-)

[kagun]

It did the job what was supposed to do 

[Melih]

This is only the start of a one good cleaning product

we will continue to improve it!

Melih

[Tech]

Is there a way to test the capabilities of KillSwitch to kill running malware?
I mean, of course, something like disabling the resident antivirus and then running eicar test and kill it by KillSwitch? Is there any other way to test it?
Of course I can test KillSwitch with clean processes. But I can't kill protected processes for instance. KillSwitch does nothing against them.
I'm just thinking what will happen when I try to kill a resistant malware running :

[kagun]

Did you try right click>terminator option?

[Tech]

Did you try right click>terminator option?

To what? A clean process? It will work for sure.
What can it do against a protected process?

[kagun]

Go to services and stop avast service....
Then delete service.
Then go to processes and if still running, try again to terminate it.

[JoWa]

What can it do against a protected process?

Terminate it, the driver is loaded.
Right-click on the process you want to terminate, select Terminator. Run all and post the result here.
Thanks.

[Tech]

Go to services and stop avast service....
Then delete service.
Then go to processes and if still running, try again to terminate it.

Eh eh... It's not that easy... You can't terminate malware that easy... as you can't stop avast that easy...
Windows cannot stop avast service without user interaction. Malware can block this option...

[Tech]

Terminate it, the driver is loaded.
Right-click on the process you want to terminate, select Terminator. Run all and post the result here.
Thanks.

With driver loaded, you can't terminate any type of malware as you can't terminate the antivirus (that easy)...
I'm laughing on "process is terminated" message... The first run could only win at stage CH1. Then running each test individually get the "ok" status... But the process stays there, running, not a signal of being really killed.

[languy99]

I killed avast pretty easy. What I did is that I killed the UI first using terminator, then I used terminator to kill the service. It restarted a few times but after killing it two or three times it stopped restarting and it was gone for good.

[JoWa]

Thanks for the screenshot. Actually (Not available) for TP3 and TT3 indicates that the driver is not loaded.
From wj32, developer of Process Hacker:

You can clearly see "(Not available)" next to TP3 and TT3, which indicates the driver isn't loaded or can't be connected to.

[Tech]

I killed avast pretty easy. What I did is that I killed the UI first using terminator, then I used terminator to kill the service. It restarted a few times but after killing it two or three times it stopped restarting and it was gone for good.

Mine happened the same. avast indeed is being killed if you run more than once.

[knk2006]

I haven't seen a better killer than the terminator in D+, I've killed kaspersky with it , I would assume Avast! will fail easily...

[Tags:]