Full Version: Protection System rogue targets MalwareBytes
Malwarebytes Forum > Updates and Alerts > Security Alerts
YoKenny1
QUOTE
Protection System rogue targets MalwareBytes

Patrick Jordan drew our attention to this rogue security product this morning.

Rogues, of course, are fake anti-malware products that confuse victims into believing they are legitimate security software, when actually they infect their computers or do nothing for the purchase price. The "Protection System" rogue takes this confusion one step further by actually searching for a LEGITIMATE anti-malware application on the victim's computer and tricking him into uninstalling it.
http://sunbeltblog.blogspot.com/2009/09/pr...ue-targets.html
prairie dog

Here is another article on this as well


QUOTE
September 4, 2009 - 4:26 P.M.

By Michael Horowitz

Tom Kelchner at Sunbelt Systems reports on malicious software (the Protection System "rogue") that issues a phony alert trying to trick a Windows user into uninstalling MalwareBytes' Anti-Malware.

The phony message reads

"There is unauthorized antivirus software detected on your computer. It is recommended you to remove it, other it could conflict with Protection System. Press OK to remove MalwareBytes' Anti-Malware_is1".

Conflict indeed. This is the ultimate compliment for an anti-malware program.
armedandsafe
Just got off the phone with my son, who is not computer savvy at all. He got hit with a rogue "You are infected" virus. I had him do the normal things to get rid of it and found it is a real nasty. It has apparently intercepted the keyboard, because it brings up its own responses to any key you hit while in MBAM, Norton or AVG. It has disabled system restore and is bringing up not only the small screen warning, but, sometimes, a full screen display, with no way out. The only way we could get rid of that screen was the 3-finger action and task manager.

It kills MBAM as soon as it has scanned for 5 seconds. It kills Norton as soon as it starts to scan. It won't let AVG load to scanner page.

Frustrating, as he lives too far away for me to go get hands on. I decided to post this here to give you guys a heads up.

Pops
noknojon
Thanks for posting armedandsafe -

If your son can log on here (even in safe mode with networking) there may be a way we can help -
If not there will be local specialists who deal in this sort of problem - Some even log into this forum to get help -
Best of luck to both of you -
armedandsafe
My daughter is a nerd (IT Tech at ITT) and I am an ex-nerd. I think we got it cleaned. I was mostly wanting to get the news up here that it was killing the anti-viri processes. Scanning these pages, I now realize that you guys already knew of this problem and how to fix it.

His system will not make an internet connection while in safe mode, for some reason.

Thank you. I'm glad I found this site. It is very helpful. I passed it on to my daughter, also. With 90 some odd machines, 4 networks and clumsy students, she needs all the help she can get.

Pops

QUOTE (noknojon @ Sep 28 2009, 01:48 AM) *
Thanks for posting armedandsafe -

If your son can log on here (even in safe mode with networking) there may be a way we can help -
If not there will be local specialists who deal in this sort of problem - Some even log into this forum to get help -
Best of luck to both of you -

alexeck
QUOTE (prairie dog @ Sep 4 2009, 09:52 PM) *
Here is another article on this as well


Funny thing is, when clicking to remove Malwarebytes, it generated a message that gave a registered version of the rogue.
Jaxryley
Malware Defense also starts MBAM's uninstaller.


Hitting "No" then getting a scan done with MBAM gets rid of it, no probs.

CODE
1/25/2010 7:14:34 PM
mbam-log-2010-01-25 (19-14-30).txt

Scan type: Quick Scan
Objects scanned: 98425
Time elapsed: 2 minute(s), 0 second(s)

Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 2
Files Infected: 20

Memory Processes Infected:
C:\Program Files\Malware Defense\mdefense.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Ven\Local Settings\Temp\extrac64_cab.exe (Rogue.Installer.Gen) -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\malware defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Malware Defense (Rogue.MalwareDefense) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\malware defense (Trojan.FakeAlert) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\extrac64_cab.exe (Trojan.Downloader) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Ven\Start Menu\Programs\malware Defense (Rogue.MalwareDefense) -> No action taken.

Files Infected:
C:\Program Files\Malware Defense\mdefense.exe (Trojan.FakeAlert) -> No action taken.
C:\Documents and Settings\Ven\Local Settings\Temp\extrac64_cab.exe (Rogue.Installer.Gen) -> No action taken.
C:\Documents and Settings\Ven\Local Settings\Temp\dhdhtrdhdrtr5y (Rogue.Installer.Gen) -> No action taken.
C:\Documents and Settings\Ven\Local Settings\Temp\H8SRT3848.tmp (Rootkit.TDSS.Gen) -> No action taken.
C:\Documents and Settings\Ven\Local Settings\Temp\H8SRT691c.tmp (Rootkit.TDSS.Gen) -> No action taken.
C:\Documents and Settings\Ven\Local Settings\Temp\H8SRTb6c3.tmp (Rootkit.TDSS.Gen) -> No action taken.
C:\Program Files\malware Defense\help.ico (Rogue.MalwareDefense) -> No action taken.
C:\Program Files\malware Defense\md.db (Rogue.MalwareDefense) -> No action taken.
C:\Program Files\malware Defense\mdext.dll (Rogue.MalwareDefense) -> No action taken.
C:\Program Files\malware Defense\uninstall.exe (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Ven\Start Menu\Programs\malware Defense\Malware Defense Support.lnk (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Ven\Start Menu\Programs\malware Defense\Malware Defense.lnk (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Ven\Start Menu\Programs\malware Defense\Uninstall Malware Defense.lnk (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Ven\Local Settings\Temp\winhlp64.exe (Trojan.Downloader) -> No action taken.
C:\Documents and Settings\Ven\Desktop\Malware Defense.lnk (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Ven\Desktop\Malware Defense Support.lnk (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\Ven\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Defense.lnk (Rogue.MalwareDefense) -> No action taken.
C:\Documents and Settings\All Users\Desktop\nudetube.com.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\pornotube.com.lnk (Rogue.Link) -> No action taken.
C:\Documents and Settings\All Users\Desktop\youporn.com.lnk (Rogue.Link) -> No action taken.
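As an added example (not from the thread or from Malwarebytes), a small Python parser for the MBAM 1.x log layout Jaxryley posted: it groups detections by section, cross-checks the header counts against the listed items, and reports what the log says was left untreated. The sample log is constructed in the same layout; the "Quarantined and deleted successfully" line is assumed wording for a removed item so both outcomes appear.

```python
import re
from collections import defaultdict
# Constructed sample in the layout of the MBAM 1.x log posted above (shortened;
# the folder line is altered to an assumed "removed" wording so both outcomes appear).
SAMPLE_LOG = r"""Scan type: Quick Scan
Memory Modules Infected: 0
Registry Keys Infected: 1
Folders Infected: 1
Files Infected: 2

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\H8SRT (Rootkit.TDSS) -> No action taken.

Folders Infected:
C:\Program Files\malware Defense (Rogue.MalwareDefense) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\Malware Defense\mdefense.exe (Trojan.FakeAlert) -> No action taken.
C:\Program Files\malware Defense\uninstall.exe (Rogue.MalwareDefense) -> No action taken.
"""

SUMMARY_RE = re.compile(r"^(.+ Infected): (\d+)$")  # header line, e.g. "Files Infected: 20"
SECTION_RE = re.compile(r"^(.+ Infected):$")  # section title, e.g. "Files Infected:"
ITEM_RE = re.compile(r"^(.+) \((.+?)\) -> (.+?)\.?$")  # "<path> (<detection>) -> <action>."

def parse_mbam_log(text):
    """Return (summary_counts, items_by_section); each item is (path, detection, action)."""
    summary, items, section = {}, defaultdict(list), None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("(No malicious"):
            continue
        if m := SUMMARY_RE.match(line):
            summary[m.group(1)] = int(m.group(2))
        elif m := SECTION_RE.match(line):
            section = m.group(1)
        elif section and (m := ITEM_RE.match(line)):
            items[section].append((m.group(1), m.group(2), m.group(3)))
    return summary, dict(items)

def count_mismatches(summary, items):
    """Sections whose listed items disagree with the header count (truncated or edited log)."""
    return {s: (n, len(items.get(s, []))) for s, n in summary.items() if n != len(items.get(s, []))}

def untreated(items):
    """Paths the log says were NOT removed: 'No action taken' means the rogue is still present."""
    return [p for sec in items.values() for p, _, act in sec if act.startswith("No action taken")]
```

Run against the log posted above, every one of its 29 entries lands in the untreated list, since "No action taken" records a detection only; nothing had been removed at the time that log was saved.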