Security Shield

Does NOD protect against Security Shield fake AV Virus and if so, where could I check that? Is there a list of detected threats?

 

the update log is here
Security shield is in the list.

 

ESET is very good at detecting rogue AVs proactively and reacts immediately to newly emerging variants.

 

thanks for the link - I had forgotten where to find it.

As for the inclusion, that's what I had expected. What I don't understand is that this morning on one of the pc, the fake shield popped up without NOD getting active. When I ran a scan, it immediately alerted to the malware in operating memory and cleaned it by deleting.

Now in this case it was bloody obvious that something is wrong, so my colleague called me but without the fake shield appearing, what would have happened? Was this not yet active despite showing up?

 

You need to be certain that this is the same Rogue which affects you currently, if this is the case the following guide should help.
http://forums.malwarebytes.org/index.php?showtopic=107641

If no joy, please try ESET's ERAR, Rogue removal tool.

 

thanks Siljaline,

I actually used SuperAntispyware (showing only cookies and 1 FP) and mbam first without result but it was Nod that actually picked up the item in memory when I initiated a scan and cleaned it. What baffles me though is that I had to start a scan to get action when the malware obviously had somehow been downloaded by the user. Why did the real-time protection from NOD (my resident AV) not kick in when that happened?

 

Because real-time protection doesn't perform memory scans. Memory is scanned during startup scans which are run upon a computer startup and after an update as well as during on-demand scans. I'd bet the file is now detected by all protection modules as well.

 

Ok - Let me see if I understand this now and please correct me if I am wrong:

The person logged on that morning and his system was clean as the start-up scan did not alert. He then opened his email and possibly went surfing and either way caught this virus. The virus appeared on the screen and a that stage only was in memory.

Did it do anything at that point?

My colleague noticed the fake alert and called me and we disconnected the pc and cleaned it. NOD's scan deleted the item from memory and further scans have not shown up anything.

Is it likely that the pc is clean now? At what point would the malware have installed more deeply? Would that have happened if the colleague had clicked on one of the options (Remove all threats now / continue unprotected). If he had done so, would the real-time protection of NOD have kicked in?

 

I don't think that rogue AVs carry out dangerous actions. Many of them even don't register in the run keys and merely create a shortcut on the desktop and wait until the user clicks on it. Even then they only display some fancy gui with misleading warnings or errors.