Rogue Paladin antivirus defeated Avira?

With my aunt's computer restarting when it's about to load the desktop, I did a Windows repair install. Finally got it to work and lo and behold Paladin Antivirus icon has replaced Avira Personal. MBAM icon was nowhere to be found either. Now my question, is this rogue software so powerful that it was able to install itself without Avira or MBAM stopping it? Could it have been the user's fault (knowing she isn't that tech savvy)? But still, isn't that the reason why Avira and MBAM was there, to prevent installation of these kinds of rogue software/s. I will reformat her computer and will probably replace Avira with Avast Free. Any tips on how this disaster can be prevented in the future? Thanks in advance for replies!

 

Sandboxie,or Geswall which are both free.

Secure the browser,things will be easier to control,and malware like this will have a hard time getting installed,period.

 

Hello,

The text below was found at Wikipedia:

hxxp://en.wikipedia.org/wiki/Rogue_security_software

After the reading, you may have an idea of how Rogue AVs infect computers.

Regarding switching AVs, I would advise you to stick with whatever you are using. No AV is 100% bulletproof and all of them at any given time will let Rogue AVs to slip through and infect your machine.

Your best bet in this case is like the other poster wrote. Usa a Sandbox program to encapsulate your browser [Sandboxie, Geswall, ZA ForceField, etc] and mitigate the attack of Fake AVs. Also try to patch or get the latest versions of Adobe Flash Palyer, Adobe Reader and Java Runtime. These three are the top 3 applications being exploited right now since the also install browser plugins and for the bad guys an unpatched vulnerability on any software installed on your computer is like a house without locks in a bad neighborhood.


Regards,

Carlos

 

Hi,

In Configuration | General | Extended Threat Categories | Possible Fake Software has to be enabled.

 

Ive seen a trojan dropper that brings tdl3, Paladin and Vundo along for the ride. Most AVs are useless against these threats until they have a signature for them - due to the frequency with which they're re-encrypted, it's a losing battle for AVs.

 

This rogue prompts to uninstall MBAM at install. Hitting the cross or not going through with the uninstall then MBAM will run and get rid of Paladin AV.



http://forums.malwarebytes.org/index.php?showtopic=39132&hl=paladin

 

A classic HIPS, such as Malware Defender, will serve to prevent downloads/installs that are not expressly allowed by the user.

Prevx's Safe Online does a superb job of protecting against rogues, as well as against keyloggers.

Firefox's NoScript extension adds an extra layer of protection against drive-by scripts.

Of course, no security app will fully protect against a careless or ill-informed computer user. For a fail-safe in such cases, one must resort to imaging software.

 

use LUA

 

This is a very good read indeed .

 

ooooooooooooppps

 

What a useless and insulting comment you have made. If you dislike this thread, why bother reading it?

 

DefenseWall makes all internet facing applications untrusted by default, which means they cannot touch critical system areas (Ilya claims it's stronger protection than LUA).

To make Paladin (or another rogue) trusted, your grandma would have to do it manually (right-click>DefenseWall HIPS>Change status to trusted), which I doubt she would.

 

With LUA and Avast 5 which with its behavior blocker monitoring critical areas like registry etc. this can be preventable.

 

Much much appreciation for all the help. Certainly very informative. Thanks all. BTW, pardon the noobie question, what is LUA?

 

Limited User Account

 

Oh !! Will do just that. Thanks again to everyone for your replies!

 

i have seen that you are always ready to comment my comments in an unfriendly manner. First of all learn to respect someones point of view. Avira never needs any advocate here especially not here in this great forum and i do not need anyone to tell me weather to like or support something . If i am wrong mods can work it out. Please bellgamin do not attack my posts . if you do not like them do not bother reading.

 

Before this turns into a slanging match,I think someone ' may ' have already answered your question

My concern is why is this not switched on by default ? and if it was on, would it have blocked it ?