
Re: Malware Defense virus


mindydee113 via WindowsKB.com

Thanks for the reply Paul. Yes, I did come across the first link already. I
tried to follow the instructions but got a bit confused. It was telling me
to download MBAM, which I already have. It said to go to the icon on the
desktop and change the name to "explorer.exe", which I did. But I think that
was a mistake. I forgot what the original name was to go back and fix it.
Yes, this part really confused me. Launch MBAM, re-name it & then go back &
launch it again? It never said what to do if you already had it and it
wasn't doing the job? There is a link on that page for STOPzilla.com, I
thought about trying to download that and use it. Couldn't hurt I guess. I
am still able to use the internet just fine. I already have Firefox, Chrome,
rkill and MBAM on the computer. I wasn't sure if rkill was working right as it
didn't give me any kind of prompts. Just a black screen pops up quickly &
then it is gone just as quickly, is this how it works? A friend also told me
about a link for AVG virus protection that she swears by. I thought about
trying that? These constant pop-ups are driving me nuts! lol

Paul wrote:
>> I need help, help, help! Anybody? So here is what is going on. My computer
>> has been fine for a long time. I have a Compaq Presario laptop/Windows XP.

>[quoted text clipped - 26 lines]
>> out plainly, where to go and what to do, where to click, etc. Thanks guys,
>> boy is this frustrating! :(

>
>So you've already read this page ?
>
>http://www.bleepingcomputer.com/virus-removal/remove-malware-defense
>
>You can always download some of the tools, burn a CD, and carry that CD
>over to the affected computer. You could put a copy of rkill, MBAM,
>Firefox or Opera browser, onto the CD and use those copies to install with.
>But you might still need a network connection on the affected computer,
>to get virus updates.
>
>*******
>
>If you're desperate, there is always this to try.
>
>http://devbuilds.kaspersky-labs.com/devbuilds/RescueDisk/
>
>23 Jun 2009 10:05:01 119701504 kav_rescue_2008.iso
>
>That file is an ISO9660 file. You use a program like Nero to parse
>the file and make a bootable CD from it. You don't just "copy" the file
>to a CD. The file is like a ZIP in a way, and the burner program needs to
>unravel it to make a bootable CD from the contents.
>
>When you finish preparing the CD, you boot the infected computer
>with it. The first thing the CD does is connect to Kaspersky and
>get 20MB of virus definitions (which are updated daily). After
>that, a menu will appear, and you can specify what partitions to
>scan. The drive letters are not the real drive letters, and
>Kaspersky just counts partitions C, D, E, F, G etc. They're not
>the real drive letters, which might be C, Q, T or whatever.
>If you're unable to figure out which partition is which,
>just tick all the boxes and scan the entire computer.
>
>The contents of that CD are a pretty minimal Linux environment.
>There aren't enough libraries on the CD to run other convenient
>tools. I tried to get Firefox running on there, while the
>scan was in progress, and the Linux version of Firefox wouldn't
>run. So the environment is not so fancy that you have all
>the comforts of home.
>
>Good luck,
> Paul


--
Message posted via http://www.windowskb.com
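
Paul's remark above that the rescue disk download is an ISO9660 image for a burner to unravel, not a file to copy, can be checked by reading the image's volume descriptors before burning. The Python below is an added example, not code from the thread or from Kaspersky; it assumes nothing about the real kav_rescue_2008.iso and instead builds a small constructed image to parse.

```python
import struct

SECTOR = 2048
DESC_START = 16 * SECTOR  # sectors 0-15 are the unused "system area"; descriptors follow

def parse_iso9660(image: bytes) -> dict:
    """Walk the volume descriptor set: name, size, and whether an El Torito
    boot record is present. Raises ValueError if the bytes are not ISO9660."""
    info = {"volume_id": None, "size_bytes": None, "bootable": False}
    offset = DESC_START
    while offset + SECTOR <= len(image):
        desc = image[offset:offset + SECTOR]
        if desc[1:6] != b"CD001" or desc[6] != 1:   # every descriptor carries this magic
            raise ValueError("not an ISO9660 image: bad descriptor at 0x%x" % offset)
        if desc[0] == 255:                          # descriptor set terminator
            break
        if desc[0] == 1:                            # primary volume descriptor
            info["volume_id"] = desc[40:72].decode("ascii").rstrip()
            blocks = struct.unpack_from("<I", desc, 80)[0]       # volume space size
            block_size = struct.unpack_from("<H", desc, 128)[0]  # logical block size
            info["size_bytes"] = blocks * block_size
        elif desc[0] == 0 and desc[7:39].startswith(b"EL TORITO SPECIFICATION"):
            info["bootable"] = True                 # boot record: the CD can be booted
        offset += SECTOR
    if info["volume_id"] is None:
        raise ValueError("no primary volume descriptor found")
    return info

def is_iso9660(data: bytes) -> bool:
    """True if the bytes parse as a disc image that must be burned, not copied."""
    try:
        return parse_iso9660(data) is not None
    except ValueError:
        return False

def build_sample_image(volume_id: str, bootable: bool) -> bytes:
    """Constructed test data (not a real rescue disk): system area, optional
    El Torito boot record, primary volume descriptor, terminator."""
    def descriptor(kind: int) -> bytearray:
        d = bytearray(SECTOR)
        d[0], d[1:6], d[6] = kind, b"CD001", 1
        return d
    pvd = descriptor(1)
    pvd[40:72] = volume_id.encode("ascii").ljust(32)
    for fmt, off, val in (("<I", 80, 20), (">I", 84, 20), ("<H", 128, SECTOR), (">H", 130, SECTOR)):
        struct.pack_into(fmt, pvd, off, val)        # ISO9660 stores both byte orders
    boot = descriptor(0)
    boot[7:30] = b"EL TORITO SPECIFICATION"
    parts = [bytes(DESC_START)] + ([bytes(boot)] if bootable else [])
    return b"".join(parts + [bytes(pvd), bytes(descriptor(255))])
```

Run parse_iso9660 on the bytes of a downloaded image; a ValueError means it is not a disc image at all, and a missing boot record means burning it will not give you a CD you can boot from.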
 

Paul

mindydee113 via WindowsKB.com wrote:
> Thanks for the reply Paul. Yes, I did come across the first link already. I
> tried to follow the instructions but got a bit confused. It was telling me
> to download MBAM, which I already have. It said to go to the icon on the
> desktop and change the name to "explorer.exe", which I did. But I think that
> was a mistake. I forgot what the original name was to go back and fix it.
> Yes, this part really confused me. Launch MBAM, re-name it & then go back &
> launch it again? It never said what to do if you already had it and it
> wasn't doing the job? There is a link on that page for STOPzilla.com, I
> thought about trying to download that and use it. Couldn't hurt I guess. I
> am still able to use the internet just fine. I already have Firefox, Chrome,
> rkill and MBAM on the computer. I wasn't sure if rkill was working right as it
> didn't give me any kind of prompts. Just a black screen pops up quickly &
> then it is gone just as quickly, is this how it works? A friend also told me
> about a link for AVG virus protection that she swears by. I thought about
> trying that? These constant pop-ups are driving me nuts! lol


The page says for rkill:

"Once it is downloaded, double-click on the rkill.com in order to automatically
attempt to stop any processes associated with Malware Defense and other Rogue
programs. Please be patient while the program looks for various malware programs
and ends them. When it has finished, the black window will automatically close
and you can continue with the next step. If you get a message that rkill is an
infection, do not be concerned. This message is just a fake warning given by Malware
Defense when it terminates programs that may potentially remove it. If you run into
these infection warnings that close Rkill, a trick is to leave the warning on the
screen and then run Rkill again. By not closing the warning, this typically will
allow you to bypass the malware trying to protect itself so that rkill can terminate
Malware Defense. So, please try running Rkill until malware is no longer running.
You will then be able to proceed with the rest of the guide.

Do not reboot your computer after running rkill as the malware programs will start again."

So it does mention a black window opening, and that would be a temporary Command Prompt
window (as in MSDOS-like).

Based on the description, rkill is a program tailored for malware like "Malware
Defense", so presumably it is issuing a kill command to try to get the process
to stop running (thereby eliminating more of the defensive things the bad
program can do).

Renaming the MBAM executable is an attempt to fool the malware into thinking you're
not about to run an AV program. Malware knows the names of AV programs, and will
prevent them from running. What surprises me is that the malware doesn't check
for a signature on the file or some other means other than the name. Changing
the name of the program, before running it, seems too easy as a solution. But
that is what they seem to be suggesting - if you rename the MBAM executable,
the malware will let you run it. MBAM is supposed to be run in regular mode and
not safe mode. And in any case, you can't really afford to be changing modes (as
that requires a reboot, and then you'll have to do the rkill thing again).

If you're going to run rkill, if the malware will let you, try running Task Manager
(control-alt-delete thing). It shows the names of processes, and it would be interesting
to see if something is killed or not.

Some malware also disables Task Manager, and might even go after the Sysinternals.com
Process Explorer program (an alternative). So malware can be very nasty, and
make it almost impossible to battle against it. Some day, a malware will be
created, which is equally deadly in both Windows and Linux, so we won't even
be able to boot into Linux and battle it.

Paul
 

mindydee113 via WindowsKB.com

hi Paul, i really appreciate your help. well, i went and tried something
different today. i was looking on Yahoo Answers and came across this page....
 