Technibble Forums > Technical Discussions > Security, Viruses and Trojans

#1
03-30-2012, 07:24 PM
Marius
A Great trick to "fool" a virus
If ever you get into a situation where the virus on your PC is disabling MalwareBytes or SuperAntiSpyware, the trick is to RENAME it to explorer.exe. Viruses (in general) will ALWAYS allow EXPLORER.EXE to run. This way, you fool the virus into thinking your antivirus is in fact the genuine "explorer.exe". Click on your renamed antivirus explorer.exe and you might just get your program to execute and do its job. To back up my statement, check here http://www.lifehacker.com.au/2011/02...-explorer-exe/

and here http://www.howtogeek.com/howto/43090...virus-malware/

DON'T LET THE WANNABES tell you different
#2
03-30-2012, 07:34 PM
Slaters Kustum Machines
This is true. That is also why rKill comes in so many names and file types.
#3
03-30-2012, 08:03 PM
PCX
This is why I have renamed all my rkill files to something completely different.
#4
03-30-2012, 09:04 PM
YeOldeStonecat
Check out MalwareBytes Chameleon modes... it's a subdirectory in its program folder.

Or just rename The SAS or MWB exe files.
#5
03-30-2012, 09:07 PM
othersteve
Other good names are winlogon.exe and iexplore.exe.
#6
03-30-2012, 09:37 PM
Xander
As good advice now as when we first discussed it.

Definitely bears repeating for the new folks.
#7
03-30-2012, 09:47 PM
andcorptech
Another good tip on this topic: if you ever need to run something prior to logon (i.e. ComboFix, rkill), you can boot in via a boot CD, make a copy of sethc.exe in System32, and copy in your file, renaming it to sethc.exe. Boot back into Windows and you can now execute that file by invoking Sticky Keys (press Shift 5 times quickly). Also good to run cmd to reset passwords if needed.
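As an added example (not code from the thread or from any tool it names), here is a defender-side check in Python for the two name-based tricks in posts #1 and #7: malware that allows or kills processes by image name is fooled by a plain rename, so the check compares each process's name against the directory it actually runs from, and verifies sethc.exe by hash rather than by name. The expected directories, the process snapshot and the hashes are constructed assumptions.

```python
from pathlib import PureWindowsPath

# Image names the thread mentions (explorer.exe, winlogon.exe, iexplore.exe,
# sethc.exe) mapped to the directory they live in on a standard install.
# These expected paths are an assumption for a default Windows layout.
EXPECTED_DIR = {
    "explorer.exe": r"C:\Windows",
    "winlogon.exe": r"C:\Windows\System32",
    "iexplore.exe": r"C:\Program Files\Internet Explorer",
    "sethc.exe": r"C:\Windows\System32",
}

def masquerading(processes):
    """Flag processes whose image name is a trusted system name but whose
    directory is not the expected one. Catches a renamed scanner and malware
    hiding under the same names alike. The PID is carried only as a handle:
    as post #8 notes, it changes on every launch, so the decision rests on
    name and path, never on PID."""
    hits = []
    for pid, path in processes:
        p = PureWindowsPath(path)
        expected = EXPECTED_DIR.get(p.name.lower())
        if expected and str(p.parent).lower() != expected.lower():
            hits.append((pid, p.name.lower(), str(p)))
    return hits

def sethc_replaced(observed_sha256, known_good_sha256):
    """True when System32 sethc.exe no longer hashes to the value recorded
    from a clean install of the same Windows build: the swap post #7 describes.
    Both hashes are supplied by the caller; none are embedded here."""
    return observed_sha256.strip().lower() != known_good_sha256.strip().lower()

# Constructed process snapshot: (pid, full image path).
SAMPLE_PROCESSES = [
    (1234, r"C:\Windows\explorer.exe"),
    (2048, r"C:\Users\tech\Desktop\explorer.exe"),  # renamed tool or impostor
    (3100, r"C:\Windows\System32\winlogon.exe"),
    (4420, r"C:\Users\tech\AppData\Local\Temp\winlogon.exe"),
    (5012, r"C:\Windows\System32\notepad.exe"),  # not a watched name
]

if __name__ == "__main__":
    for hit in masquerading(SAMPLE_PROCESSES):
        print("review:", hit)
```

On a live host the snapshot would come from a process listing that reports full image paths, and the known-good hash from a clean machine of the same build.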
#8
03-31-2012, 07:16 AM
Marius
...If anyone tells you that viruses kill processes by detecting their PID, it is a "myth"... Run any program, write down the PID of the program... kill the program... RESTART the program... and you will notice Windows "assigned" a different PID to the exact same file you just opened...
...just thought I'd mention it
Last edited by Marius; 04-06-2012 at 06:09 AM.