Stories of heroism and victory... against malware using KillSwitch

Just got a rogue-infected laptop which patches exe's; it's called Antivirus Scan. Killed the ■■■■ thing easily with KillSwitch, updated CCE and am now performing a full system scan…
KillSwitch can even survive patching!

Edit: Initiating a full scan restarts the computer with the rogue then active in memory again, thus patching KillSwitch, but at least CCE is active and scanning…

What do you mean by “patching”?

You know, when you try to open an exe and instead the rogue is activated/displayed on screen.

EDIT: Well, I hate to say it, but after "cleaning" 3 trojan downloaders and a restart, the virus was still there.
What cleaned the system was HitmanPro 3.5…
It also had proxy change detection [127.0.0.1:8074]…


I'm not in a position to judge, but that, as far as I know, is not achieved using patching or whatever; I think it installs some sort of hooks, so that every time you try to run an application, the rogue intercepts it and runs itself or shows a scanning progress window or whatsoever.

Yeah, but the "technical" term is called patching.
I know it can be fixed using the registry; I just wanted to see how it would do this way…
Even Hitman had trouble starting, so what I did was disable startup in msconfig, cleaned it with Hitman, and am now using Malwarebytes to finish the job and in the end Norton Power Eraser, just to be sure…

Simple: kill the malware with KillSwitch. Then do a custom scan with CCE and select everything other than "scan memory" (so you don't require a restart) and "don't scan for viruses" (because we want to scan for viruses). This should let you scan the system.

Well, too late for that now…

Solid copy

Lima Charlie

This part I don’t understand well…

Check everything in custom scan except "scan memory" and "don't scan for viruses".

Got it…

Well, I just wanted to know how the malware was actually doing it in your case, since your use of the term "patching" was quite vague.

I'm not a malware hunter, but I figure it is adding a registry key to make the EXE association with itself, makes a tie with it…
The fix could be here:
http://www.dougknox.com/xp/file_assoc.htm
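The two registry spots the thread points at (the .exe association hijack described in the post above, and the proxy set to 127.0.0.1:8074 reported earlier) can be checked from a script. What follows is an added example, not code from the thread or from Comodo: an audit-and-restore PowerShell script. The stock values it compares against (`.exe` → `exefile`, `exefile\shell\open\command` → `"%1" %*`, no per-user override under `HKCU\Software\Classes`) are those of a default Windows install; the rogue's own key names are unknown and are not guessed.

```powershell
<#
  Added example, not from the thread or from Comodo. Audits (and, with -Fix,
  restores) the .exe launch chain that a rogue rewrites so that it runs in place
  of every program, and the WinINet proxy it points at 127.0.0.1.
  Run from an elevated PowerShell prompt, after the rogue process has been
  killed or from Safe Mode, since a live .exe hijack can intercept powershell.exe too.
  Assumptions (not taken from the thread): the stock values below are those of
  a default Windows install; the rogue's key names are unknown and not guessed.
#>
[CmdletBinding()]
param([switch]$Fix)

$findings = @()

function Test-DefaultValue {
    param([string]$Path, [string]$Expected)
    $actual = $null
    if (Test-Path $Path) { $actual = (Get-ItemProperty -Path $Path).'(default)' }
    if ($actual -ne $Expected) {
        $script:findings += "$Path default is '$actual', expected '$Expected'"
        if ($Fix) {
            if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
            Set-ItemProperty -Path $Path -Name '(default)' -Value $Expected
        }
    }
}

# 1. Machine-wide .exe chain (what HKCR shows when no per-user override exists).
Test-DefaultValue 'HKLM:\SOFTWARE\Classes\.exe' 'exefile'
Test-DefaultValue 'HKLM:\SOFTWARE\Classes\exefile\shell\open\command' '"%1" %*'

# 2. Per-user overrides. HKCU\Software\Classes is merged over HKLM in HKCR, so a
#    rogue only needs to create these keys to hijack .exe for the current user;
#    they do not exist on a clean machine.
foreach ($p in 'HKCU:\Software\Classes\.exe', 'HKCU:\Software\Classes\exefile') {
    if (Test-Path $p) {
        $findings += "$p exists (per-user override of the .exe association)"
        if ($Fix) { Remove-Item -Path $p -Recurse -Force }
    }
}

# 3. WinINet proxy pointed at the local machine (the 127.0.0.1:8074 case in the
#    thread). ProxyServer may be "host:port" or "http=host:port;https=...".
$inet  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$props = Get-ItemProperty -Path $inet
if ($props.ProxyEnable -eq 1 -and
    $props.ProxyServer -match '(^|=)(127\.0\.0\.1|localhost)(:\d+)?(;|$)') {
    $findings += "proxy enabled and set to $($props.ProxyServer)"
    if ($Fix) {
        Set-ItemProperty -Path $inet -Name ProxyEnable -Value 0
        Remove-ItemProperty -Path $inet -Name ProxyServer -ErrorAction SilentlyContinue
    }
}

if ($findings) {
    $findings | ForEach-Object { Write-Output "HIJACK: $_" }
    if ($Fix) { Write-Output "Defaults restored; log off and on (or reboot) so Explorer re-reads the association." }
} else {
    Write-Output "No .exe association or local-proxy tampering found."
}
```

Run it without `-Fix` first to see what it would change; a finding under `HKCU\Software\Classes` is the usual signature of a per-user hijack and is removed outright, while the machine-wide keys are written back to their stock values. The proxy check only flags a loopback proxy, which is what a rogue uses to intercept the browser; a corporate proxy on another host is left alone.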

http://www.anvir.com/ has a bad Web of Trust rating. It says this site distributes rogueware. Please check out this company thoroughly before whitelisting it.

See the full rating here:

http://www.mywot.com/en/scorecard/anvir.com#comment

Click the long comments to extend them and show the full comment. If it's in another language, hit the translate button under the comment. You will have to extend the long comments to see the translate button under the comment.

Actually, the WOT rating is good…

Yes, a few users have negative comments, but like Wikipedia, since absolutely anyone can give input, you need to view WOT with a certain amount of skepticism.

URLVoid only shows 1 detection out of 16 scanners.

I'm not saying WOT is accurate. I'm just saying it should be checked out thoroughly before being whitelisted. A while back something called SafeApp LLC got put on the whitelist, and if you google that, you will see a lot of SafeApp sites with different names distributing malware. I just want Comodo to get more aggressive with its whitelisting process.

> I'm not a malware hunter

I like to play with malware outside of a sandbox and virtual machine. Sandbox- and VM-aware malware has got nothing against my machines. Malware always shows its face when I run it.

I was testing CCE and KillSwitch with some malware samples. I installed this rogue and after reboot it wouldn't allow anything to be executed.
Hitman Pro: failed (renaming it also failed)

SAS Portable: failed (renaming did help me bypass the rogue, but eventually it detected and abnormally terminated the process)

CCE: failed

GMER: partially failed because sometimes it got caught by that rogue; after successful attempts I browsed through running processes, but somehow the target rogue process was not terminating.

KillSwitch: with the name KillSwitch.exe it didn't get executed, so I renamed it with some random name and after some attempts it got executed, and I swiftly executed the terminator option for the target rogue process and then manually deleted the malware.

To get around blocking with Hitman Pro you just need to launch it in Force Breach mode. To do this, hold down left Ctrl before starting Hitman Pro and keep it held down (including during the UAC prompt) until the Hitman Pro window appears. I have yet to find a sample that Force Breach can't get past.

Rogues usually don’t run while in Safe Mode so performing the scan there is an option for the other products.

Thanks, I never tried the Force Breach mode though, and regarding that rogue, it did get executed in safe mode also.

Finally got to see KillSwitch in action today. Had a computer infected with "My Security Shield" (malware which prompts for payment to clean the system, which isn't really infected).

So I thought I would give KS a go, having previously done a full scan with McAfee VirusScan with up-to-date definitions which didn't detect anything. KS found and highlighted the rogue process in memory, I pressed delete and voila… no more malware. Thank you KillSwitch.

That's exactly why KillSwitch was designed.

Thanks for sharing that.