Stories of heroism and victory....against malware using KillSwitch :)

[languy99]

simple, kill the malware with killswitch. Then do a custom scan with CCE and select everything other then scan memory ( so you don't require a restart) and don't scan for viruses ( because we want to scan for viruses). This should let you scan the system.

[kagun]

Well, too late for that now....

simple, kill the malware with killswitch.

Solid copy

Then do a custom scan with CCE and select everything other then scan memory ( so you don't require a restart)

Lima Charlie

and don't scan for viruses( because we want to scan for viruses)

This part I don't understand well...

[languy99]

check everything in custom scan except "scan memory" and "don't scan for viruses"

[kagun]

Got it.... 

[wj32]

Yeah, but "technical" term is called patching ;-)

Well, I just wanted to know how the malware was actually doing it in your case, since your use of the term "patching" was quite vague.

[kagun]

I'm not malware hunter, but I figure it is adding registry key to make EXE association with himself, makes a tie with it....
The fix could be here  
http://www.dougknox.com/xp/file_assoc.htm

[trscsaeg]

Not sure they have a whitelist like ours or have the ability to "show untrusted processes" only. (patented)..

http://www.anvir.com/ has a bad web of trust rating. it says this site distributes rougeware. please check out this company thoroughly  before whitelisting this company.

see the full raiting here:

http://www.mywot.com/en/scorecard/anvir.com#comment

click the long comments to extend them an show the full comment. if it's in another language hit the translate button under the comment. you will have to extend the long comments to see the translate button under the comment

[HeffeD]

http://www.anvir.com/ has a bad web of trust rating. it says this site distributes rougeware. please check out this company thoroughly  before whitelisting this company.

see the full raiting here:

http://www.mywot.com/en/scorecard/anvir.com#comment

click the long comments to extend them an show the full comment. if it's in another language hit the translate button under the comment. you will have to extend the long comments to see the translate button under the comment

Actually, the WOT rating is good...

Yes, a few users have negative comments, but like Wikipedia, since absolutely anyone can give input, you need to view WOT with a certain amount of skepticism.

URLVoid only shows 1 detection out of 16 scanners.

[trscsaeg]

Actually, the WOT rating is good...

Yes, a few users have negative comments, but like Wikipedia, since absolutely anyone can give input, you need to view WOT with a certain amount of skepticism.

URLVoid only shows 1 detection out of 16 scanners.

i'm not saying wot is accurate. i'm just saying it should be checked out thoroughly brfore being whitelisted. a while back something called safeapp llc got put on the whitelist and if you google that, you will see a lot of safeapp sites with different names distributing malware. i just want comodo to get more aggressive with it's whitelisting process

[jay2007tech]

I'm not malware hunter

I like to play with malware outside of a sandbox and virtual machine.  sandbox and virtual Aware malware got nothing against my machines.  Malware always show their face when I run it. 

[icr]

I was testing CCE and KillSwitch with some malware samples, I installed this rouge and after reboot it won't allow anything to be executed.
Hitman Pro : failed (renaming it also failed)

SAS Portable : failed (renaming did help me bypass the rogue but eventually it detected and abnormally terminated the process)

CCE : failed

GMER : partially failed coz sometimes it got caught by that rouge, after successful attempts I browsed through running processes but some how the target rogue process was not terminating.

KillSwitch : With name KillSwitch.exe it didn't get executed so I renamed with some random name and after some attempts it got executed and I swiftly executed the terminator option for the target rogue process and then I manually deleted the malware.

[Arkose]

I was testing CCE and KillSwitch with some malware samples, I installed this rouge and after reboot it won't allow anything to be executed.
Hitman Pro : failed (renaming it also failed)

To get around blocking with Hitman Pro you just need to launch it in Force Breach mode. To do this hold down left ctrl before starting Hitman Pro and keep it held down (including during the UAC prompt) until the Hitman Pro window appears. I have yet to find a sample that Force Breach can't get past.

Rogues usually don't run while in Safe Mode so performing the scan there is an option for the other products.

[icr]

To get around blocking with Hitman Pro you just need to launch it in Force Breach mode. To do this hold down left ctrl before starting Hitman Pro and keep it held down (including during the UAC prompt) until the Hitman Pro window appears. I have yet to find a sample that Force Breach can't get past.

Rogues usually don't run while in Safe Mode so performing the scan there is an option for the other products.

Thanks I never tried the force breach mode though, and regarding that rogue it did got executed in safe mode also

[Graham1]

Finally got to see KillSwitch in action today . Had a computer infected with "My Security Shield" (malware which prompts for payment to clean system, which isn't really infected ).

So I thought I would give KS a go having previously done a full scan with McAfee VirusScan with up-to-date definitions which didn't detect anything . KS found and highlighted the rogue process in memory, I pressed delete and voila... no more malware . Thank you KillSwitch .

[Melih]

Finally got to see KillSwitch in action today . Had a computer infected with "My Security Shield" (malware which prompts for payment to clean system, which isn't really infected ).

So I thought I would give KS a go having previously done a full scan with McAfee VirusScan with up-to-date definitions which didn't detect anything . KS found and highlighted the rogue process in memory, I pressed delete and voila... no more malware . Thank you KillSwitch .

thats exactly why KillSwitch was designed

thanks for sharing that.