A relative of mine has run into a rogue antivirus called Windows Protection Suite. I have run MBAM and Superantispyware, which detected one file, the malware in the subject heading; I removed it, and a further scan showed no more infections. Yet I know too well there may be other nasties lurking that are as yet unknown to these antispyware apps. Do you have any advice on how I can be sure I have fully removed the malware?
PS: Malwarebytes detected a further infection the next day after updating it, which was also a rogue antivirus but not the same one (I believe the first one triggered this to download at the same time). I removed this also but would like further assistance.
One last thing: my relative's antivirus did block one infection at the time related to the Krap family of viruses (I will get specifics next time I see their computer).
http://www.bleepingcomputer.com/virus-removal/remove-windows-protection-suite Here is the information on how to remove it. But since you have scanned with Malwarebytes it should be gone. Have you had any computer problems since then, after you had Malwarebytes remove the infection? You could scan with HijackThis and post the result here so we can have a look and see if you're still infected.
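As an added example (not code from any poster in this thread, and not part of HijackThis itself), the script below does the core of what a HijackThis-style log gives you: it lists the common Windows autostart locations a rogue antivirus uses to survive a reboot (Run/RunOnce keys, the Winlogon Shell and Userinit values, and services whose binary lives outside the Windows directory), then adds the SHA256 hash and Authenticode signature status of each referenced executable so an unsigned or unknown entry can be inspected or submitted to an AV vendor. It assumes Windows PowerShell 4.0 or later (for Get-FileHash) and an elevated prompt; scheduled tasks and browser helper objects are not covered.

```powershell
# Added example: enumerate common autostart locations and hash the binaries.
# Assumes Windows PowerShell 4+ and an Administrator prompt.
# Does not cover scheduled tasks, BHOs or file-system hiding by a rootkit:
# a kernel-mode rootkit can hide entries from these same APIs.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Registry provider metadata properties that are not autostart values
$metaProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-ExePath {
    # Pull the executable out of a command line: honour quoting, then
    # expand %SystemRoot%-style variables. An unquoted path containing
    # spaces (itself a misconfiguration) will be truncated at the first space.
    param([string]$CommandLine)
    if ($CommandLine -match '^\s*"([^"]+)"') { return $Matches[1] }
    $first = ($CommandLine.Trim() -split '\s+')[0]
    return [Environment]::ExpandEnvironmentVariables($first)
}

function Get-AutostartEntries {
    $entries = @()

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($metaProps -contains $p.Name) { continue }
            $entries += [pscustomobject]@{
                Location = $key; Name = $p.Name; Command = [string]$p.Value
            }
        }
    }

    # Winlogon Shell/Userinit are frequently hijacked by fake AV families
    $wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    foreach ($v in 'Shell', 'Userinit') {
        $val = (Get-ItemProperty -Path $wl -Name $v -ErrorAction SilentlyContinue).$v
        if ($val) {
            $entries += [pscustomobject]@{ Location = $wl; Name = $v; Command = [string]$val }
        }
    }

    # Services whose binary is not under the Windows directory deserve a look
    $sysRoot = $env:SystemRoot
    Get-CimInstance Win32_Service |
        Where-Object { $_.PathName -and ((Get-ExePath $_.PathName) -notlike "$sysRoot*") } |
        ForEach-Object {
            $entries += [pscustomobject]@{
                Location = 'Service'; Name = $_.Name; Command = $_.PathName
            }
        }

    return $entries
}

function Add-HashAndSigner {
    # Decorate each entry with the resolved path, SHA256 and signature status
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        $exe  = Get-ExePath $Entry.Command
        $hash = $null
        $sig  = 'NoFile'   # path does not resolve: suspicious in itself
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
            $sig  = (Get-AuthenticodeSignature -LiteralPath $exe).Status
        }
        $Entry |
            Add-Member -NotePropertyName Path      -NotePropertyValue $exe  -PassThru |
            Add-Member -NotePropertyName SHA256    -NotePropertyValue $hash -PassThru |
            Add-Member -NotePropertyName Signature -NotePropertyValue $sig  -PassThru
    }
}

# Unsigned and missing binaries sort to the top for review
Get-AutostartEntries | Add-HashAndSigner |
    Sort-Object Signature, Location |
    Format-Table -AutoSize Location, Name, Path, Signature, SHA256
```

Read the output the way you would a HijackThis log: entries whose Signature is Valid and whose path is under the Windows or Program Files directories are usually legitimate, while NotSigned binaries under a user profile, %TEMP% or ProgramData, or a Shell/Userinit value that points anywhere other than explorer.exe and userinit.exe, are the ones to hash and look up. Because the script uses the same Windows APIs as any user-mode tool, an entry hidden by a kernel-mode rootkit will not appear here; that is the case for a dedicated rootkit scanner.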
I have seen no visible signs of malware since I removed it (from the scan it appears it hadn't been run, just dropped on the computer awaiting someone to run it, or maybe it had run but merely facilitated more malware trying to install, which Kaspersky appears to have blocked). What other programs can I run to double-check the system?
What other programs can I run to double-check the system?
Dr.Web CureIt http://www.freedrweb.com/cureit/?lng=en
How Do I Use Dr.Web CureIt!? http://www.freedrweb.com/cureit/how_it_works/
Norman Malware Cleaner http://www.norman.com/support/support_tools/58732/en-uk
Download and save to the desktop, and run from there (fully updated when downloaded).
The programs are not installed, so when the work is done you can just remove them by drag and drop into the Recycle Bin.
Will try that next time I visit my relative. Do these rogues usually leave rootkits behind, or MBR viruses? It's just that his computer has been blue-screening recently, although I can't be sure the two events are connected.
Also I have two questions:
Do these rogues harvest any data off the computer they infect, or must this be given voluntarily when the scam screen asks for it?
What info is there on this blocked threat Krap.ae (Trojan generic)? It is what Kaspersky blocked when the incident took place.
They don't so much leave rootkits behind, but more of them are coming masked by rootkits. So if you can find the fake AV, etc., then it may well not be protected by a rootkit, or first the rootkit would have to be detected and removed.
The rogue in itself, probably not; it is only trying to get you to run a scan, visit a site, buy it to clean up, etc. (which could result in fraudulent use of your credit card). But visiting any site or running a scan could be the preamble to downloading more malware, and that could be almost anything.
Don't know; generic signatures/detections aren't very detailed in specifics.
Can't be sure of the specifics, but he was using Facebook at the time. I don't believe he clicked anything dodgy, as I inform him of the latest scams and stuff. Wish I knew where it came from (i.e. the source of infection).
PS: wish I'd submitted it to the Kaspersky lab, as the thing could be downloaded again at some point, meaning more cleaning for me.
Facebook and other social networking sites are big targets for malware, and one other area is infected adverts/banners, so it is difficult to say exactly what it might have been.
So it looks like a watching brief until you can get there and run those other applications.