Rogue ... antivirus 2009

Discussion in 'malware problems & news' started by Chuck57, Jul 31, 2008.

Thread Status:
Not open for further replies.
  1. PiCo

    PiCo Registered Member

    Joined:
    Apr 9, 2008
    Posts:
    352
    Location:
    Athens, Greece
    Every time I go to that page a new rogue is recommended to me. Lol!!!1

    I can keep getting infected with my sandboxed browser all day long, for what it's worth (actually it is not :D ).
     
  2. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    I would have posted screens of logs of SAS but I was tired and it looked to be too many files to capture. I am not sure because my knowledge is so-so. I did not see anything that stood out to be horrifying, but perhaps yourself and aigle can confirm. I know when I was done testing it was running in my system tray and I could open the program and scan the PC like any AV. When I looked in Program Files I did not see it, but in the user AppData Roaming it was there. The way it looked to me, GesWall had stopped it from the registry but it still put files in the AppData and 1 in memory. I also noted there was no termination warning. If you can, please confirm.
     
  3. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I'll test GesWall tomorrow... Maybe the leftover files are untrusted... do you see the little "G" in the file icons?

    I tested that page with SandboxIE (and bookmarked it, just in case)... It was a scary experience... I can imagine a non-geek innocently googling for an antivirus and that mess firing up on his/her screen... I can imagine the PANIC...
     
  4. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes, the G was there. So does that mean no damage to the confidential area? All the same, this little sucker was running in memory. Note I turned on Returnil beforehand; after reboot I rescanned with SAS, nothing found.
     
    Last edited: Aug 7, 2008
  5. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    It's a nasty, annoying *blank blank* and there are a number of different flavors. Whether they're the same with a different name or all different, I don't know and am not anxious to find out.

    Just the thought that my wife got whacked with it and we still have no absolutely clear idea where it came from (we suspect email, but not sure) is worrisome.

    Sandboxie is always on, both on our laptops and desktops now. She finally consented to downloading it, and I explained that she only has to click the kite rather than the browser icon. I explained, too, that she could leave her email on the server rather than download until I figure out how to use email with Sandboxie. I use a couple of free mail services and download nothing, so never bothered looking into that aspect of Sandboxie. The most troublesome thing is, if it came via email, it came through an account she only uses for business. Nobody but customers or potential customers have it, although these days that doesn't mean garbage can't slip in. The spam is unusually bad lately here.
     
  6. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    If the little G was there, then those files were harmless. They are set as untrusted, which means they have limited rights. They can't do real damage to your computer. And can't access confidential areas at all. That's one big difference between GesWall and Sandboxie... with Sandboxie, you see the files trapped and you can delete the sandbox. With GesWall, the files are on your real computer, but as long as they have that little G, it's like they were trapped.
    Think about it this way:
    Sandboxie is a prison. GesWall is a police officer next to bad guys 24/7.
     
  7. wat0114

    wat0114 Guest

    Right, the mistakes are often not too obvious but easily missed.


    Like most any kids, she will learn quickly and easily if I sit down with her and step her through some possible scenarios, as I do on occasion like the other night. She at least is able to recognize when something doesn't "look right" when she's surfing and will ask for assistance if necessary.
     
    Last edited by a moderator: Aug 7, 2008
  8. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    That makes sense, nice analogy. I also just looked at GesWall settings; I was on the trial of the Pro. I was thinking thirty-day trial; I forgot it was 15 days and it expired and reverted back to Free, oops. I do not recall seeing a reminder or anything, maybe I missed it. That, I think, would explain the no termination option and just may change the whole outcome. I will purchase the Pro; the Free seems somewhat crippled now that I am looking at it. But like you said, no damage, but I would have been happy if it terminated the rogue.
     
  9. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    Chuck, I certainly feel your and anyone else's pain who had to deal with that #^$#& nuisance of a program. I have already had to clean three workstations at work from that crap. One user claims that it popped up on the MSN start page. I have been advising people at work as soon as they see any *Antivirus 200* variant to immediately close the browser. Even clicking 'cancel' installs the malware.

    I have been playing around with the link Noway provided on my laptop. As long as you cancel via either of the two security windows that pop up it shouldn't install, at least on Vista. I also installed Sandboxie and approved the installation. I did notice that even after closing the sandbox the icon was still in the systray with its service still running. It tried to connect to the internet but I blocked it. I then ran SAS which identified 1 memory and 3 files belonging to Rogue.Olibex-Installer. Interestingly, while SAS was scanning, OneCare popped up a warning saying that it had quarantined Trojan:Win32/Killav.gen!A that it detected in the malware's uninstall.exe file. So even using its uninstaller would install a trojan on your computer.

    Another observation was when I refreshed that page I got a pop up for downloading a codec similar to Zlob's method of infection.
     
  10. Tarq57

    Tarq57 Registered Member

    Joined:
    Oct 7, 2006
    Posts:
    966
    Location:
    Wellington NZ
    Does this mean that Sandboxie is ineffective at containing this malware?
    Worrisome. :eek:
     
  11. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    I don't really know as I haven't used SB that much to fully understand it. I am hoping some SB experts here will comment on it.

    Here are some screenshots from that experience:
     

  12. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA



    Did you scan after deletion of Sandboxie? What were your results? I did not see the same as you in the screens, but I also do not remember how to use Sandboxie that well; it has been 6 months or better since I last used it.
     
    Last edited: Aug 7, 2008
  13. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I was just going to ask if it stayed around after the sandbox was deleted. I don't like seeing that the icon was sitting in the systray after the sandbox was closed, or even while sandboxie was open for that matter.
     
  14. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Well, when I ran it in Sandboxie for a little while then deleted its contents, I followed up with a SAS scan; it found nothing. I just updated SAS today, followed by another scan; it says clean. Also Dr.Web CureIt says clean.

    Maybe Peter can jump in here when he finds time, since he knows Sandboxie very well.
     
  15. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Yes, the icon was there, but when I deleted the box it vanished. That worried me as well.
     
  16. midway40

    midway40 Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    1,257
    Location:
    SW MS, USA
    Djohn, I now see your and Chuck's point. I didn't think to take notice of where SAS found the malware so I just checked (screenie below). If I deleted the "box", would that rogue service go with it? [EDIT: going by your last post, Djohn, I see that it does go away as well]. I do not understand: if all of this is in "the box", how did the service install to begin with?

  17. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I've tested this 3 times against SandboxIE. Infection is fully contained. You must be careful though, since you can accidentally recover the downloaded exe from the sandbox, which makes you vulnerable. I deal with this scenario by forcing apps to run sandboxed from my desktop (default download location).
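One way to set up the forced-folder arrangement HURST describes, as an added example that is not from the thread and not from Sandboxie's own documentation: a `Sandboxie.ini` fragment that makes anything launched from the Desktop or Downloads folder open inside the default box, so an installer that was accidentally recovered from the sandbox still runs contained. The box name, user name and folder paths are assumptions.

```ini
[DefaultBox]
Enabled=y
# Any program started from these folders is opened inside DefaultBox,
# so a recovered rogue installer cannot touch the real registry or system folders.
# <user> is an assumed placeholder for the account name.
ForceFolder=C:\Users\<user>\Desktop
ForceFolder=C:\Users\<user>\Downloads
```

After editing the file, reload the configuration from the Sandboxie Control window so the forced folders take effect.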
     
  18. Dark Shadow

    Dark Shadow Registered Member

    Joined:
    Oct 11, 2007
    Posts:
    4,553
    Location:
    USA
    Thanks hurst.
     
  19. Chuck57

    Chuck57 Registered Member

    Joined:
    Sep 2, 2002
    Posts:
    1,770
    Location:
    New Mexico, USA
    I liked the prison, police officer comparison, since I retired after almost 25 yrs as a police officer. It fits. Both do the job, and both are very effective.

    Since my desktop computer hasn't seen much work lately since getting the laptop, I've once again removed Sandboxie and installed GesWall on it. I've tried it before but for whatever reason, just never developed a fondness for it. I'll see if I can change that opinion.

    I'm curious about one thing with GesWall. With Sandboxie, you can run/test some programs just in the sandbox - similar I guess to a virtual environment. Can that be done with GesWall?
     
  20. HURST

    HURST Registered Member

    Joined:
    Jul 20, 2007
    Posts:
    1,419
    I'm not used to GesWall. Tried it once and ditched it because I didn't understand it. Then I started to use SandboxIE.
    Now I think I can understand GesWall a little better. But I haven't used it yet, so I really can't tell what you can or can't do.
    I've set up a test PC with GesWall, so I can start getting used to it.

    Maybe trjam, aigle or Kees will stop by this thread and share a little of their knowledge on GesWall.
     
  21. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I am about the same way with Defensewall. I have used it in the past and even bought a licence for it but I don't 100% understand what I can and can't do with it.
     
  22. Ilya Rabinovich

    Ilya Rabinovich Developer

    Joined:
    Sep 13, 2005
    Posts:
    1,543
    Then why don't you ask your questions at support forum? :D
     
  23. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    I have been studying things up there also, Ilya! Between both places I am starting to get a handle on how far I can push things with DW. :D
     
  24. Saraceno

    Saraceno Registered Member

    Joined:
    Mar 24, 2008
    Posts:
    2,405
    DefenseWall should take care of it no problems.

    Anyone tested it with ThreatFire running? (or will it not pick it up as it behaves like a legitimate AV)
     
  25. Threedog

    Threedog Registered Member

    Joined:
    Mar 20, 2005
    Posts:
    1,125
    Location:
    Nova Scotia, Canada
    It will take care of it when you hit the big red button. :D
     