Simple Trick to Defeat Fake Anti-Virus Malware

Discussion in 'General & Off-topic' started by dragonbite, Feb 10, 2011.

  1. dragonbite (Well-Known Member, Aug 30, 2008)

    I thought since Jeff's Security meeting presentation was canceled for February, this is an appropriate article to post about.

    Fake Anti-Virus malware is malware that looks like your anti-virus, but isn't! Often it blocks your genuine anti-virus from running, but this article covers a couple of easy ideas to get around the fake anti-malware's tricks.

    Some are as simple as, when the message comes up, moving it aside and trying to run your anti-virus again. Some malware only brings up the message the first time you try to scan for the virus.

    Another is to rename the anti-malware program to "explorer.exe", because chances are the malware needs this running and so will allow it to run, not realizing it is actually the penicillin to take care of this infection!

    The article goes on to other methods, using live CDs and such to scan and clean your system. I'm keeping this in mind for the next time I have to clean up my parent's computer.
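
    The rename trick above, as an added example that is not part of the original post or the article it links to: a Windows PowerShell function that copies a scanner into a temp folder under the name explorer.exe, checks that the copy is byte-identical to the original, runs it and returns its exit code. It assumes Windows PowerShell 2.0 or later and a standalone scanner .exe; the scanner path and the /scan switch in the usage line are hypothetical.

```powershell
# Added example, not from the original thread: run a scanner under a disguised
# process name, as the post suggests. Assumes Windows PowerShell 2.0 or later and a
# standalone scanner .exe; the path and switch in the usage line are hypothetical.

function Get-Sha256Hex {
    param([Parameter(Mandatory = $true)][string]$Path)
    # .NET hashing rather than Get-FileHash, which only arrived in PowerShell 4.0.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        $bytes = $sha.ComputeHash([System.IO.File]::ReadAllBytes($Path))
        return ([System.BitConverter]::ToString($bytes)).Replace('-', '')
    } finally {
        $sha.Clear()
    }
}

function Start-DisguisedScanner {
    param(
        [Parameter(Mandatory = $true)][string]$ScannerPath,
        [string]$DisguiseName = 'explorer.exe',   # a name the rogue AV is likely to leave alone
        [string[]]$ScannerArgs = @()
    )

    if (-not (Test-Path -LiteralPath $ScannerPath -PathType Leaf)) {
        throw "Scanner not found: $ScannerPath"
    }

    # Copy rather than rename, so the original stays usable if the copy gets killed.
    $stage = Join-Path $env:TEMP ('disguise-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $stage | Out-Null
    $disguised = Join-Path $stage $DisguiseName
    Copy-Item -LiteralPath $ScannerPath -Destination $disguised

    # The copy must be byte-identical to the scanner we started from; anything else
    # means something interfered with the file operation and we should not run it.
    if ((Get-Sha256Hex $ScannerPath) -ne (Get-Sha256Hex $disguised)) {
        throw 'Disguised copy does not match the original scanner; aborting.'
    }

    # Only pass -ArgumentList when there is something in it; the parameter rejects empty arrays.
    $startArgs = @{ FilePath = $disguised; PassThru = $true; Wait = $true }
    if ($ScannerArgs.Count -gt 0) { $startArgs['ArgumentList'] = $ScannerArgs }

    try {
        $proc = Start-Process @startArgs
        return $proc.ExitCode
    } finally {
        # Remove the staging folder once the scan has finished, whatever the outcome.
        Remove-Item -LiteralPath $stage -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# Usage (hypothetical path and switch); the scanner's own exit code is returned.
# Start-DisguisedScanner -ScannerPath 'C:\Tools\scanner.exe' -ScannerArgs '/scan'
```

    Run this from an elevated prompt; while the scan runs Task Manager will show a second explorer.exe, which is expected. The trick only helps against rogue software that decides what to kill by file name. If it checks window titles or file hashes instead, the disguised copy dies like the original did, and the live CD route the post mentions is the fallback.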

  2. snh (Well-Known Member, Oct 6, 2008)

    Good post.

    I use a combo of EasyCleaner 2.0, Sysinternals utilities, and live CDs such as Trinity Rescue Kit and Clonezilla. You would be surprised how much garbage on XP EasyCleaner can remove. Unfortunately, I have not tried it on Win7 and do not know if it runs there. My wife's Win7 laptop seems remarkably stable, so maybe Win7 does not need the scrubbing XP did. Another note about EasyCleaner is that it is not a resident program or service. Start it, run it, close it, and that's it - no monitoring, which is perfect.

    Much of the grief I've seen in systems recently has to do with browser add-ons, especially any Google-related ones, so if a piece of malware is stubborn to remove, ditch and reload IE's browser add-ons and that will help.

    As far as prevention, elevated URL blocking has saved us here at home. Basically, I have IE set to ask for a password for every site/page/domain not already whitelisted. It gets annoying sometimes when a page has 20 calls to Facebook, but in the end I think it's worth it. Maybe pages won't work under this scheme, and that's fine. If a site has to pull its content (javascript, other included libraries) from 20 undisclosed servers to render, then it's probably not a page to visit.

    I've found using ClearCloudDNS has spared a lot of pain at work by blocking malicious sites and downloads. Unlike OpenDNS, it merely blocks based on potential harm to your system, not your soul.

    One way to check if you're infected (on XP) is to set a restore point in System Restore. If System Restore reports that it has been (mysteriously) turned off or it won't let you set a restore point, then your system is indeed infected.
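
    The restore-point check above, as an added example that is not part of the original post: a Windows PowerShell function that looks at the registry keys and backing service that control System Restore, counts existing restore points and then tries to create one, returning the findings as an object. It assumes Windows PowerShell 2.0 or later, run elevated, on XP/Vista/7; the registry paths, service names and cmdlets are the standard ones, and the restore point description is arbitrary.

```powershell
# Added example, not from the original thread: check whether System Restore has been
# switched off or is refusing restore points, the symptom the post describes. Assumes
# Windows PowerShell 2.0 or later, run elevated, on XP/Vista/7. Registry locations are
# the documented System Restore policy and configuration keys.

function Test-SystemRestoreHealth {
    $findings = @()

    # 1. Policy and configuration keys: DisableSR = 1 turns System Restore off,
    #    DisableConfig = 1 hides the configuration UI so the user cannot turn it back on.
    $keys = @{
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore'       = 'policy'
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore'  = 'config'
    }
    foreach ($path in $keys.Keys) {
        if (-not (Test-Path -LiteralPath $path)) { continue }
        $props = Get-ItemProperty -LiteralPath $path
        foreach ($name in 'DisableSR', 'DisableConfig') {
            # A missing value reads as $null, which is not -eq 1, so only real settings count.
            if ($props.$name -eq 1) { $findings += "$($keys[$path]) key sets $name=1" }
        }
    }

    # 2. Backing service: srservice on XP, VSS on Vista/7. Disabling it switches
    #    System Restore off without touching the keys above. WMI is used because
    #    Get-Service has no StartMode/StartType property in PowerShell 2.0.
    $services = Get-WmiObject -Class Win32_Service -Filter "Name='srservice' OR Name='VSS'"
    foreach ($svc in @($services)) {
        if ($svc.StartMode -eq 'Disabled') { $findings += "service $($svc.Name) is disabled" }
    }

    # 3. Ask the OS directly: list existing points, then try to create one.
    try {
        $count = @(Get-ComputerRestorePoint -ErrorAction Stop).Count
    } catch {
        $count = $null
        $findings += "Get-ComputerRestorePoint failed: $($_.Exception.Message)"
    }
    try {
        # On Windows 8 and later only one checkpoint per 24 hours is allowed and a repeat
        # attempt only warns, so treat this step as conclusive on XP/Vista/7 only.
        Checkpoint-Computer -Description 'infection-check' -RestorePointType MODIFY_SETTINGS -ErrorAction Stop
        $checkpointOk = $true
    } catch {
        $checkpointOk = $false
        $findings += "Checkpoint-Computer failed: $($_.Exception.Message)"
    }

    New-Object PSObject -Property @{
        RestorePointCount   = $count
        CheckpointSucceeded = $checkpointOk
        Findings            = $findings
        Suspicious          = ($findings.Count -gt 0)
    }
}

# Usage: Test-SystemRestoreHealth | Format-List
```

    Treat a hit as a heuristic rather than proof: an administrator policy or a machine where System Restore was deliberately turned off produces the same findings, so a Suspicious result is the cue to scan from a live CD, as the posts above suggest, and to check who set the keys.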
