Re: Malware Defense virus

Discussion in 'Windows XP' started by mindydee113 via WindowsKB.com, Jan 15, 2010.

  1. Thanks for the reply Paul. Yes, I did come across the first link already. I
    tried to follow the instructions but got a bit confused. It was telling me
    to download MBAM, which I already have. It said to go to the icon on the desktop and
    change the name to "explorer.exe", which I did. But I think that was a
    mistake. I forgot what the original name was to go back and fix it. Yes,
    this part really confused me. Launch MBAM, rename it & then go back &
    launch it again? It never said what to do if you already had it and it
    wasn't doing the job? There is a link on that page for STOPzilla.com, I
    thought about trying to download that and use it. Couldn't hurt I guess. I
    am still able to use the internet just fine. I already have Firefox, Chrome,
    rkill and MBAM on the computer. I wasn't sure if rkill was working right as it
    didn't give me any kind of prompts. Just a black screen pops up quickly &
    then it is gone just as quickly; is this how it works? A friend also told me
    about a link for AVG virus protection that she swears by. I thought about
    trying that? These constant pop-ups are driving me nuts! lol

    Paul wrote:
    >> I need help, help, help! Anybody? So here is what is going on. My computer
    >> has been fine for a long time. I have a Compaq Presario laptop/Windows XP.

    >[quoted text clipped - 26 lines]
    >> out plainly, where to go and what to do, where to click, etc. Thanks guys,
    >> boy is this frustrating! :(

    >
    >So you've already read this page ?
    >
    >http://www.bleepingcomputer.com/virus-removal/remove-malware-defense
    >
    >You can always download some of the tools, burn a CD, and carry that CD
    >over to the affected computer. You could put a copy of rkill, MBAM,
    >Firefox or Opera browser, onto the CD and use those copies to install with.
    >But you might still need a network connection on the affected computer,
    >to get virus updates.
    >
    >*******
    >
    >If you're desperate, there is always this to try.
    >
    >http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
    >
    >23 Jun 2009 10:05:01 119701504 kav_rescue_2008.iso
    >
    >That file is an ISO9660 file. You use a program like Nero to parse
    >the file and make a bootable CD from it. You don't just "copy" the file
    >to a CD. The file is like a ZIP in a way, and the burner program needs to
    >unravel it to make a bootable CD from the contents.
    >
    >When you finish preparing the CD, you boot the infected computer
    >with it. The first thing the CD does, is connect to Kaspersky and
    >get 20MB of virus definitions (which are updated daily). After
    >that, a menu will appear, and you can specify what partitions to
    >scan. The drive letters are not the real drive letters, and
    >Kaspersky just counts partitions C,D,E,F,G etc. They're not
    >the real drive letters, which might be C, Q, T or whatever.
    >If you're unable to figure out which partition is which,
    >just tick all the boxes and scan the entire computer.
    >
    >The contents of that CD are a pretty minimal Linux environment.
    >There aren't enough libraries on the CD to run other convenient
    >tools. I tried to get Firefox running on there, while the
    >scan was in progress, and the Linux version of Firefox wouldn't
    >run. So the environment is not so fancy that you have all
    >the comforts of home.
    >
    >Good luck,
    > Paul


    --
    Message posted via http://www.windowskb.com
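Paul's quoted reply above points out that the rescue-disk download is an ISO 9660 image that must be burned as an image, not copied as a file. The following is an added example, not code from the thread or from Kaspersky, showing how a downloaded `.iso` can be sanity-checked before burning: it reads the primary volume descriptor (the `CD001` signature at logical sector 16) and compares the size the descriptor declares against the bytes actually on disk, so a truncated or mis-saved download is caught before a CD is wasted on it. The volume identifier `KAV_RESCUE_TEST` and the `make_sample_image` helper are constructed for the demo and are not taken from the real rescue disk.

```python
import struct
from typing import Optional

SECTOR_SIZE = 2048
PVD_OFFSET = 16 * SECTOR_SIZE  # ISO 9660 volume descriptors start at logical sector 16


def parse_iso9660(data: bytes) -> Optional[dict]:
    """Read the primary volume descriptor; return None if `data` is not an ISO 9660 image."""
    if len(data) < PVD_OFFSET + SECTOR_SIZE:
        return None
    pvd = data[PVD_OFFSET:PVD_OFFSET + SECTOR_SIZE]
    # Descriptor type 1 = primary volume descriptor, followed by the "CD001" standard identifier.
    if pvd[0] != 1 or pvd[1:6] != b"CD001":
        return None
    volume_id = pvd[40:72].decode("ascii", errors="replace").rstrip()
    # Numeric fields are stored both little- and big-endian; read the little-endian half.
    block_count = struct.unpack_from("<I", pvd, 80)[0]
    block_size = struct.unpack_from("<H", pvd, 128)[0]
    declared = block_count * block_size
    return {
        "volume_id": volume_id,
        "block_size": block_size,
        "block_count": block_count,
        "declared_bytes": declared,
        # A download shorter than the descriptor declares is truncated and will not boot.
        "complete": len(data) >= declared,
    }


def make_sample_image(volume_id: str, blocks: int) -> bytes:
    """Build a minimal, constructed ISO 9660 image (descriptors only, no file system) for the demo."""
    pvd = bytearray(SECTOR_SIZE)
    pvd[0] = 1
    pvd[1:6] = b"CD001"
    pvd[6] = 1  # descriptor version
    pvd[40:72] = volume_id.ljust(32)[:32].encode("ascii")
    struct.pack_into("<I", pvd, 80, blocks)
    struct.pack_into(">I", pvd, 84, blocks)
    struct.pack_into("<H", pvd, 128, SECTOR_SIZE)
    struct.pack_into(">H", pvd, 130, SECTOR_SIZE)
    term = bytearray(SECTOR_SIZE)
    term[0] = 255  # volume descriptor set terminator
    term[1:6] = b"CD001"
    term[6] = 1
    image = bytearray(PVD_OFFSET) + pvd + term
    image += bytes(max(0, blocks - 18) * SECTOR_SIZE)  # pad out to the declared size
    return bytes(image)


def inspect_iso_file(path: str) -> Optional[dict]:
    """Convenience wrapper for a downloaded .iso on disk."""
    with open(path, "rb") as f:
        return parse_iso9660(f.read())


if __name__ == "__main__":
    print(parse_iso9660(make_sample_image("KAV_RESCUE_TEST", 20)))
    print(parse_iso9660(b"PK\x03\x04" + bytes(70000)))  # a ZIP-like blob is not an ISO
```

Run `inspect_iso_file("kav_rescue_2008.iso")` on the real download: a `None` result means the file is not an ISO image at all (for example an HTML error page saved with the wrong name), and `"complete": False` means the transfer was cut short.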
     
  2. Paul

    Paul Flightless Bird

    mindydee113 via WindowsKB.com wrote:
    > Thanks for the reply Paul. Yes, I did come across the first link already. I
    > tried to follow the instructions but got a bit confused. It was telling me
    > to download MBAM, which I already have. It said to go to the icon on the desktop and
    > change the name to "explorer.exe", which I did. But I think that was a
    > mistake. I forgot what the original name was to go back and fix it. Yes,
    > this part really confused me. Launch MBAM, rename it & then go back &
    > launch it again? It never said what to do if you already had it and it
    > wasn't doing the job? There is a link on that page for STOPzilla.com, I
    > thought about trying to download that and use it. Couldn't hurt I guess. I
    > am still able to use the internet just fine. I already have Firefox, Chrome,
    > rkill and MBAM on the computer. I wasn't sure if rkill was working right as it
    > didn't give me any kind of prompts. Just a black screen pops up quickly &
    > then it is gone just as quickly; is this how it works? A friend also told me
    > about a link for AVG virus protection that she swears by. I thought about
    > trying that? These constant pop-ups are driving me nuts! lol


    The page says for rkill

    "Once it is downloaded, double-click on the rkill.com in order to automatically
    attempt to stop any processes associated with Malware Defense and other Rogue
    programs. Please be patient while the program looks for various malware programs
    and ends them. When it has finished, the black window will automatically close
    and you can continue with the next step. If you get a message that rkill is an
    infection, do not be concerned. This message is just a fake warning given by Malware
    Defense when it terminates programs that may potentially remove it. If you run into
    these infections warnings that close Rkill, a trick is to leave the warning on the
    screen and then run Rkill again. By not closing the warning, this typically will
    allow you to bypass the malware trying to protect itself so that rkill can terminate
    Malware Defense . So, please try running Rkill until malware is no longer running.
    You will then be able to proceed with the rest of the guide.

    Do not reboot your computer after running rkill as the malware programs will start again."

    So it does mention a black window opening, and that would be a temporary Command Prompt
    window (as in MSDOS-like).

    Based on the description, rkill is a program tailored for malware like "Malware
    Defense", so presumably it is issuing a kill command to try to get the process
    to stop running (thereby eliminating more of the defensive things the bad
    program can do).

    Renaming the MBAM executable is an attempt to fool the malware into thinking you're
    not about to run an AV program. Malware knows the names of AV programs, and will
    prevent them from running. What surprises me is that the malware doesn't check
    for a signature on the file or some other means other than the name. Changing
    the name of the program before running it seems too easy as a solution. But
    that is what they seem to be suggesting - if you rename the MBAM executable,
    the malware will let you run it. MBAM is supposed to be run in regular mode and
    not safe mode. And in any case, you can't really afford to be changing modes (as
    that requires a reboot, and then you'll have to do the rkill thing again).

    If you're going to run rkill, if the malware will let you, try running Task Manager
    (control-alt-delete thing). It shows the names of processes, and it would be interesting
    to see if something is killed or not.

    Some malware also disables Task Manager, and might even go after Sysinternals.com's
    Process Explorer program (an alternative). So malware can be very nasty, and
    make it almost impossible to battle against it. Some day, malware will be
    created which is equally deadly in both Windows and Linux, so we won't even
    be able to boot into Linux and battle it.

    Paul
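Paul's post makes the point that the rogue blocks the scanner by file name alone, which is why renaming the executable gets it past the check. The following is an added example, not code from the thread or from Malwarebytes, that makes the weakness concrete from the defender's side: the same stand-in file is identified first by name and then by SHA-256 content hash, and only the name-based check is defeated by a rename. The file names come from the thread; the blocklist set, the stand-in file contents and the temporary directory are constructed for the demo. The lesson generalises to any allow-list or detection rule: key on what the file contains (hash or signature), never on what it is called.

```python
import hashlib
import os
import shutil
import tempfile

# Names the rogue is assumed to key on (assumption for the demo; names come from the thread).
BLOCKED_NAMES = {"mbam.exe", "rkill.com"}


def sha256_of_file(path: str) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def name_based_match(path: str) -> bool:
    """The weak check: identify a program only by its file name."""
    return os.path.basename(path).lower() in BLOCKED_NAMES


def content_based_match(path: str, known_hashes: set) -> bool:
    """The robust check: identify a program by the hash of its contents."""
    return sha256_of_file(path) in known_hashes


def run_demo() -> dict:
    """Write a constructed stand-in for the scanner, copy it under another name, compare both checks."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "mbam.exe")
        with open(original, "wb") as f:
            # Constructed placeholder bytes, not a real executable.
            f.write(b"MZ" + b"constructed stand-in for the demo " * 100)
        known = {sha256_of_file(original)}

        # The rename step from the guide: same bytes, different name.
        renamed = os.path.join(d, "explorer.exe")
        shutil.copyfile(original, renamed)

        return {
            "name_check_original": name_based_match(original),
            "name_check_renamed": name_based_match(renamed),
            "hash_check_original": content_based_match(original, known),
            "hash_check_renamed": content_based_match(renamed, known),
        }


if __name__ == "__main__":
    for check, hit in run_demo().items():
        print(f"{check}: {'matched' if hit else 'missed'}")
```

The name-based check reports a hit for `mbam.exe` and a miss for the identical bytes saved as `explorer.exe`; the hash-based check reports a hit for both. A detection rule built the first way is exactly as fragile as the rogue's, which is the reason endpoint tooling pins trusted binaries by hash or publisher signature rather than by path.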
     
  3. Hi Paul, I really appreciate your help. Well, I went and tried something
    different today. I was looking on Yahoo Answers and came across this page....
     
