Nailed By Total WIN 7 Security Fake AV

Win 7 x64 SP1, Comodo 5.x.x.1355 Firewall - Safe Mode & Defense+ - Safe mode Limited, Avast 6.x, MalwareBytes Pro 1.51

Don’t know how I got infected with this ■■■■■■. Thank goodness for Emsisoft Anti-Malware. It appears to be one of three anti-malware products that can detect these fake AVs. The other two are McAfee Enterprise and Norton.

Anyway I got rid of it. My question here deals with Defense+. Below I have posted the registry keys these fake AVs appear to target. Got this from www2.malwarehelp.org. I reviewed the registry keys that Defense+ is protecting. I did not see any refs. to HKEY_CLASSES_ROOT. Am I correct that Defense+ is not protecting this key?

Total Win 7 Security Associated Registry Values and Keys

HKEY_CLASSES_ROOT\.exe\DefaultIcon
HKEY_CLASSES_ROOT\.exe\shell
HKEY_CLASSES_ROOT\.exe\shell\open
HKEY_CLASSES_ROOT\.exe\shell\open\command
HKEY_CLASSES_ROOT\.exe\shell\runas
HKEY_CLASSES_ROOT\.exe\shell\runas\command
HKEY_CLASSES_ROOT\.exe\shell\start
HKEY_CLASSES_ROOT\.exe\shell\start\command

HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command
HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet IEXPLORE.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "C:\Users\malwarehelp_org\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"

The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine.

HKEY_CLASSES_ROOT\.exe\DefaultIcon
HKEY_CLASSES_ROOT\.exe\shell
HKEY_CLASSES_ROOT\.exe\shell\open
HKEY_CLASSES_ROOT\.exe\shell\open\command
HKEY_CLASSES_ROOT\.exe\shell\runas
HKEY_CLASSES_ROOT\.exe\shell\runas\command
HKEY_CLASSES_ROOT\.exe\shell\start
HKEY_CLASSES_ROOT\.exe\shell\start\command

These are not protected.

HKEY_CURRENT_USER\Software\Microsoft\Windows\Identity=1117626655
HKEY_CURRENT_USER\Software\Classes\.exe
HKEY_CURRENT_USER\Software\Classes\.exe\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\.exe\shell
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open
HKEY_CURRENT_USER\Software\Classes\.exe\shell\open\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas
HKEY_CURRENT_USER\Software\Classes\.exe\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start
HKEY_CURRENT_USER\Software\Classes\.exe\shell\start\command

These are protected: *\Software\Classes\.*\*

HKEY_CURRENT_USER\Software\Classes\secfile
HKEY_CURRENT_USER\Software\Classes\secfile\DefaultIcon
HKEY_CURRENT_USER\Software\Classes\secfile\shell
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open
HKEY_CURRENT_USER\Software\Classes\secfile\shell\open\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas
HKEY_CURRENT_USER\Software\Classes\secfile\shell\runas\command
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start
HKEY_CURRENT_USER\Software\Classes\secfile\shell\start\command

Protected.

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet IEXPLORE.EXE

HKEY_LOCAL_MACHINE\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command "C:\Users\malwarehelp_org\AppData\Local\ave.exe" /START "C:\Program Files\Internet Explorer\iexplore.exe"

The term malwarehelp.org in the above entries denotes the name of the Windows user account in the test machine.

Protected.

In short, you are right: HKEY_CLASSES_ROOT is not protected.

Given the fact that it could write to protected keys, it is likely to have slipped in when you were installing a program that had this malware bundled with it.

See any negatives for manually adding protection in Defense+ for HKEY_CLASSES_ROOT\.exe? I don’t.

Can you post a D+ log for us?

I have no idea.

Nothing in the logs. Emsisoft AM caught the temp file before it executed.

It was while I was researching this Trojan that I came across the above manual removal info. Thought I would check out Defense+ default registry protection to verify that it would be protected against these fake AVs (rogues) that seem to be appearing on the web at an exponential rate.

Was surprised to see that Defense+ does not protect these two keys:

HKEY_CLASSES_ROOT\.exe
HKEY_CLASSES_ROOT\exefile

If a hacker wanted to immobilize a PC or extort its owner as noted in this thread, those are the first two registry keys they would go after.
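A read-only check for the keys discussed in this thread, as an added example that is not code from the thread or from Comodo. It reads the .exe association in both the per-user and machine-wide Classes branches (the merged HKEY_CLASSES_ROOT view prefers HKCU\Software\Classes, which is why the rogue plants its override there) and flags anything that differs from the Windows defaults. The defaults it assumes are the standard ones (`exefile` as the .exe ProgID, `"%1" %*` for the open and runas commands); the launcher rule that flags a path under a user profile's AppData folder is an assumption modelled on the ave.exe entry listed above. No elevation is needed to read these hives, and nothing is written.

```powershell
# Added example, not code from the thread or from Comodo: read-only audit of the
# .exe file-association keys that the rogue AV described in this thread rewrites.

$ExpectedProgId  = 'exefile'   # standard Windows ProgID for .exe
$ExpectedCommand = '"%1" %*'   # standard open/runas command for exefile

# HKCU\Software\Classes overrides HKLM\SOFTWARE\Classes in the merged
# HKEY_CLASSES_ROOT view, so a hijack normally sits in the per-user branch.
$KeysToCheck = @(
    @{ Path = 'HKCU:\Software\Classes\.exe';                        Kind = 'progid'   },
    @{ Path = 'HKCU:\Software\Classes\.exe\shell\open\command';     Kind = 'command'  },
    @{ Path = 'HKCU:\Software\Classes\.exe\shell\runas\command';    Kind = 'command'  },
    @{ Path = 'HKCU:\Software\Classes\secfile\shell\open\command';  Kind = 'command'  },
    @{ Path = 'HKLM:\SOFTWARE\Classes\.exe';                        Kind = 'progid'   },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command';  Kind = 'command'  },
    @{ Path = 'HKLM:\SOFTWARE\Classes\exefile\shell\runas\command'; Kind = 'command'  },
    @{ Path = 'HKLM:\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command'; Kind = 'launcher' }
)

function Get-RegistryDefault {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    # Get-Item on the Registry provider returns a RegistryKey; '' names the (Default) value.
    return (Get-Item -LiteralPath $Path).GetValue('')
}

function Test-AssociationKey {
    param([string]$Path, [string]$Kind)
    $value = Get-RegistryDefault -Path $Path
    if ($null -eq $value) {
        # The per-user .exe and secfile branches do not exist on a clean machine;
        # absence is the healthy state there.
        return [pscustomobject]@{ Key = $Path; Default = ''; Status = 'absent' }
    }
    $status = switch ($Kind) {
        'progid'   { if ($value -eq $ExpectedProgId)  { 'ok' } else { 'SUSPICIOUS' } }
        'command'  { if ($value -eq $ExpectedCommand) { 'ok' } else { 'SUSPICIOUS' } }
        # Assumed rule: a browser launcher that first runs something under a user
        # profile (the "...\AppData\Local\ave.exe" /START ... shape above) is a hijack.
        'launcher' { if ($value -match '\\Users\\[^"]+\\AppData\\') { 'SUSPICIOUS' } else { 'ok' } }
    }
    return [pscustomobject]@{ Key = $Path; Default = $value; Status = $status }
}

$Findings = foreach ($k in $KeysToCheck) { Test-AssociationKey -Path $k.Path -Kind $k.Kind }
$Findings | Format-Table -AutoSize

$Bad = @($Findings | Where-Object { $_.Status -eq 'SUSPICIOUS' })
if ($Bad.Count -gt 0) {
    Write-Warning "$($Bad.Count) .exe association key(s) differ from the Windows defaults; review before repairing."
}
```

Every HKCU entry reporting `absent` and every HKLM entry reporting `ok` is the expected picture on a clean Windows 7 system; a `secfile` ProgID or an open command that is not `"%1" %*` is exactly the pattern in the listing above, and on a machine in that state any .exe launched by the user runs through the rogue first.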

Under Execution Control Setting …set “treat unrecognized files as”… to BLOCKED
…problem solved.

Or just go with the CIS.
I just spent a month throwing hundreds of malware samples (many rogue AVs) at CIS
and several other Internet Security suites, and CIS was as good as or better than the rest.