here is a good one.

Discussion in 'other anti-malware software' started by trjam, Oct 10, 2009.

Thread Status:
Not open for further replies.
  1. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Defensewall would have shut it down and kept it from doing any damage. LUA with SRP would have kept it from executing in the first place.
     
  2. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    yeap:)
     
  3. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Can Defensewall itself be installed with LUA and SRP in place?
     
  4. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    Yep, that is how I am set up. My reasoning is that if I am doing anything while logged in as Administrator that I am still protected via Defensewall.
     
  5. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    I'm missing something here?

    With LUA and SRP in place it would have kept the rogue app from executing in the first place but if I go to install Defensewall then LUA and SRP would allow Defensewall to install o_O
     
  6. icr

    icr Registered Member

    Joined:
    Sep 6, 2008
    Posts:
    1,589
    Location:
    UK
    Sorry, people, for being off topic, but I couldn't stand not showing you all this spoofed Norton antivirus :argh: NORTEL
     
  7. jmonge

    jmonge Registered Member

    Joined:
    Mar 20, 2008
    Posts:
    13,744
    Location:
    Canada
    what the heck is that?:D :argh:
     
  8. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Ah, now I see where all you SRP - LUA users are coming from.

    How utterly inconvenient!

    Now to see if I can explain myself properly?

    Using a full blown admin account with the right security tools you can run any and all apps be it malware or clean and be completely safe with the ability to see and learn what's going on within your system.

    We are all different and if you're happy with the SRP - LUA setups then stick with it. Here I doubt I could or would use such a setup in a million years. :thumbd:
     
  9. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    @TRJAM,

    Here are two goodies to assist when not using a VM, but using an image as a playground.

    RegFromApp
    http://www.nirsoft.net/utils/reg_file_from_application.html
    You can set it up in a batch command and make it save the pre- and post-execution (installation) registry changes. Simply running the old reg file will set changed entries back; manually remove new entries. Usually InCtrl (install, which I am sure you know already) and RegFromApp (executes) will give detailed insight.

    SubinACL
    Has the advantage that it loops through subkeys. Has a number of applications; one is to give the admin access/ownership to directories and registry hives.
    http://www.microsoft.com/downloads/...56-D8FE-4A91-93CF-ED6985E3927B&displaylang=en

    @Franklin,

    Would you please reveal how you discovered the registry entry? Very interesting to know your way of backtracking.

    Thx in advance

    Kees
     
  10. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    When trolling through Threat Expert reports looking for live links I came across some samples that use that key to disable a lot of other legit security apps, so I thought if the rogues can do it then why not fight fire with fire.

    Will be trolling the TE reports as soon as I finish my other malware domain links, and if I come across one that does I will post or PM.
     
  11. StevieO

    StevieO Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    1,067
    Franklin

    RE your clever registry trick -

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe]
    "debugger"="calcs.exe"


    I found several malware links of this, but unlike your example, there are clear breaks before * etc. Also your debugger etc. is all bunched up together; below they are not?


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe]

    * Debugger = "svchost.exe"

    http://www.threatexpert.com/report.aspx?md5=db50541ff7a46ddeb64fbccdb3bea9d9


    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows nt\currentversion\image file execution options\tsc.exe\

    * debugger = svchost.exe

    http://home.mcafee.com/VirusInfo/VirusProfile.aspx?key=207978#none
     
  12. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Another TE link:
    http://www.threatexpert.com/report.aspx?md5=3153d284f73f09fa8e8f0e23cd8b0228

    @StevieO, maybe if you export the key they look like mine? Still seems to work ok.

    If you set the debugger to cmd.exe or calc.exe then you need to set the full path, i.e. "C:\Windows\System32\cmd.exe"

    A while ago I set cmd.exe as the debugger for Internet Antivirus Pro "IApro.exe", and every second or so a new cmd window would open with IAV Pro trying to auto-restart after I initially killed it through Task Manager.

    Quite amusing to see.
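The same Image File Execution Options "Debugger" value that Franklin uses against the rogue is, per the ThreatExpert and McAfee entries StevieO quoted, what the rogues use to stop security tools from starting, so a defender wants a quick way to list every such redirect and compare exports before and after an installation (the RegFromApp-style pre/post workflow Kees describes). The script below is an added example, not code from the thread or from any of the tools named in it; it assumes Python 3 with only the standard library, parses the "bunched up" `"Debugger"="..."` format that a .reg export produces (not the `* Debugger = ...` listing format of the online reports), and flags two patterns the thread discusses: a debugger given without a full path, and a debugger named after a system binary such as svchost.exe. The registry text is constructed for the example.

```python
"""Audit Image File Execution Options (IFEO) "Debugger" redirects in .reg exports.

Added example for the thread above; it is not RegFromApp, SubInACL or
ThreatExpert code. Standard library only.
"""
import ntpath
import re
from typing import Dict, List, Optional

# Matches the IFEO subkey header line of a .reg export and captures the image name.
IFEO_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"
    r"\\Image File Execution Options\\([^\]\\]+)\]$",
    re.IGNORECASE,
)
# Matches a string value line such as  "Debugger"="svchost.exe"
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# The thread's samples point the Debugger at svchost.exe so the targeted tool
# never launches; a Debugger named like a system binary deserves a second look.
SYSTEM_BINARY_NAMES = {"svchost.exe"}

# Constructed sample exports (not real captures): "before" has no Debugger
# redirects, "after" shows the two cases discussed in the thread.
SAMPLE_BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200
'''

SAMPLE_AFTER = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"GlobalFlag"=dword:00000200

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tsc.exe]
"Debugger"="svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\IApro.exe]
"Debugger"="C:\\Windows\\System32\\cmd.exe"
'''


def unescape_reg_string(value: str) -> str:
    """A .reg export escapes quotes and backslashes inside string data."""
    return value.replace('\\"', '"').replace("\\\\", "\\")


def parse_ifeo_debuggers(reg_text: str) -> Dict[str, str]:
    """Map lower-cased image name -> Debugger value for every IFEO subkey that sets one."""
    result: Dict[str, str] = {}
    current_image: Optional[str] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            m = IFEO_RE.match(line)
            current_image = m.group(1).lower() if m else None
            continue
        if current_image is None:
            continue
        m = VALUE_RE.match(line)
        if m and m.group(1).lower() == "debugger":
            result[current_image] = unescape_reg_string(m.group(2))
    return result


def assess(image: str, debugger: str) -> List[str]:
    """Return the findings for one redirect, most general first."""
    findings = ["ifeo-debugger-set"]
    value = debugger.strip()
    if not value:
        return findings
    # The executable is either the quoted first token or the first whitespace-separated token.
    exe = value.split('"')[1] if value.startswith('"') else value.split()[0]
    if not ntpath.isabs(exe):
        # Franklin's note: a bare name such as cmd.exe may not resolve; a full path is needed.
        findings.append("debugger-not-absolute-path")
    if ntpath.basename(exe).lower() in SYSTEM_BINARY_NAMES:
        findings.append("debugger-named-like-system-binary")
    return findings


def ifeo_diff(before: str, after: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Pre/post comparison: which images gained, lost or changed a Debugger redirect."""
    b, a = parse_ifeo_debuggers(before), parse_ifeo_debuggers(after)
    changes: Dict[str, Dict[str, Optional[str]]] = {}
    for image in sorted(set(b) | set(a)):
        if b.get(image) != a.get(image):
            changes[image] = {"before": b.get(image), "after": a.get(image)}
    return changes


if __name__ == "__main__":
    for image, change in ifeo_diff(SAMPLE_BEFORE, SAMPLE_AFTER).items():
        print(image, change, assess(image, change["after"] or ""))
```

Run it as-is to see the two constructed redirects and their findings; point `parse_ifeo_debuggers` at a real `reg export` of the IFEO key (or at RegFromApp's pre/post output) to audit a machine. Restoring the "before" .reg file undoes changed values but, as Kees notes, newly added subkeys must still be removed by hand, which is exactly what the "before": None entries in the diff identify.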
     
  13. JoakimM

    JoakimM Registered Member

    Joined:
    Jun 19, 2009
    Posts:
    51
    Location:
    Lomma, Sweden
    Didn't see this thread, sorry.

    Please see my post Remove Fake Antivirus 1.40.

    Regards,
    Joakim
     