Author Topic: perfect defender 2009  (Read 6724 times)


garrett

  • Guest
perfect defender 2009
« on: December 09, 2008, 06:57:15 PM »
Three days ago, I found this suspicious file: PDInstall2009.exe on the web site:  www.defXXXender-review.com.
I analysed that with "virus total", and I noticed that it is infected with Win32/Pernefed which is probably a rogue antivirus.
Then, I found here a topic "Spyware.ISpynow" dated 29 November where www.defenderXXX-review.com is reported as a fake site.
So I wonder why it hasn't been added yet to the avast! database?
I think Avast! is a great program, but I fear it is a bit slow in adding new definition files :-[
« Last Edit: December 09, 2008, 10:54:25 PM by kubecj »

rdmaloyjr

  • Guest
Re: perfect defender 2009
« Reply #1 on: December 09, 2008, 07:08:04 PM »
Try using RogueRemover FREE to remove Win32/Pernefed.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: perfect defender 2009
« Reply #2 on: December 09, 2008, 07:21:35 PM »
If you use Firefox with the WOT (Web of Trust) Add-on this is what you see if you even try to visit this site, see image.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

garrett

  • Guest
Re: perfect defender 2009
« Reply #3 on: December 09, 2008, 07:28:53 PM »
Fortunately, I have not been infected by this malware, because  I tested it on virus total before running the exe file.
I'm just curious to know why Avast! does not recognize this rogue av, considering that there is a topic about it in this forum.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: perfect defender 2009
« Reply #4 on: December 09, 2008, 07:34:16 PM »
There are many 'different variants' of these fake alert/rogue programs and they need samples to analyse and include.

Send the sample to virus@avast.com zipped and password protected with the password in email body, a link to this topic might help and undetected malware/rogue  in the subject.

Or you can also add the file to the User Files (File, Add) section of the avast chest (if it isn't already there) where it can do no harm and send it from there (select the file, right click, email to Alwil Software). No need to zip and PW protect when the sample is sent from chest. Send it from the User Files section of the chest (select the file, right click, email to Alwil Software).

This process has been modified in the latest version to make it easier, it doesn't actually get emailed, but transferred when the next avast auto (or manual) update is done.

Mihai Iepure

  • Guest
Re: perfect defender 2009
« Reply #5 on: December 09, 2008, 09:57:01 PM »

Quote
This process has been modified in the latest version to make it easier, it doesn't actually get emailed, but transferred when the next avast auto (or manual) update is done.

Is there a method of verifying if the sample from the Virus Chest has been sent to Alwil team or not?


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: perfect defender 2009
« Reply #6 on: December 09, 2008, 10:04:14 PM »
Quote
Is there a method of verifying if the sample from the Virus Chest has been sent to Alwil team or not?

Unfortunately not, we already complain *a lot* about it. It should have a column saying the file was submitted.
The best things in life are free.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: perfect defender 2009
« Reply #7 on: December 09, 2008, 10:37:35 PM »

Quote
This process has been modified in the latest version to make it easier, it doesn't actually get emailed, but transferred when the next avast auto (or manual) update is done.

Is there a method of verifying if the sample from the Virus Chest has been sent to Alwil team or not?

With the new system (either reporting as an FP on detection or submission from the chest), yes there is, one when you do an update, you should see the file being transferred, see image.

Also when you initiate the submission, there will be a file or files in the C:\Program Files\Alwil Software\Avast4\DATA\spool\suspic folder. Once they have been sent they will no longer be there. Also check the setup.log that also includes info that files have been uploaded.

This example of the log relates to submissions, obviously I didn't have any files for submission.
Quote
08.12.2008   13:53:25.000   1228744405   package   Submit: files 0, bytes 0, time 0 ms
08.12.2008   13:53:25.000   1228744405   package   Submit success: files 0, bytes 0, time 0 ms
« Last Edit: December 09, 2008, 10:40:13 PM by DavidR »
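The two checks described in Reply #7 (the spool\suspic folder and the "Submit" lines in setup.log) can be scripted; this is an added example, not part of the thread and not Avast's own tooling. The field layout is inferred from the two quoted log lines, the last two sample lines are constructed, and because the page does not show what a failed upload logs, an attempt without a success line is only reported as unconfirmed.

```python
import re
from pathlib import Path

# Field layout inferred from the two setup.log lines quoted in the post:
# date, time, epoch seconds, component, then the "Submit" message.
SUBMIT_RE = re.compile(
    r"^(?P<date>\d{2}\.\d{2}\.\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\.\d+\s+\d+\s+\S+\s+"
    r"Submit(?P<ok> success)?: files (?P<files>\d+), bytes (?P<bytes>\d+), time \d+ ms$"
)

def parse_submissions(log_text):
    """One dict per 'Submit:' line; confirmed=True once a matching 'Submit success:' follows."""
    attempts = []
    for line in log_text.splitlines():
        m = SUBMIT_RE.match(line.strip())
        if not m:
            continue  # unrelated setup.log entries
        files, size = int(m["files"]), int(m["bytes"])
        if m["ok"]:
            # Pair with the latest unconfirmed attempt carrying the same counts.
            for a in reversed(attempts):
                if not a["confirmed"] and (a["files"], a["bytes"]) == (files, size):
                    a["confirmed"] = True
                    break
        else:
            attempts.append({"when": f'{m["date"]} {m["time"]}', "files": files,
                             "bytes": size, "confirmed": False})
    return attempts

def submission_status(log_text, spool_dir):
    """Combine both checks from the post: the log and the spool folder."""
    attempts = parse_submissions(log_text)
    spool = Path(spool_dir)
    pending = sorted(p.name for p in spool.iterdir() if p.is_file()) if spool.is_dir() else []
    return {
        "uploaded_files": sum(a["files"] for a in attempts if a["confirmed"]),
        "unconfirmed": [a["when"] for a in attempts if not a["confirmed"] and a["files"]],
        "still_queued": pending,  # files here have not been transferred yet
    }

# The first two lines are the ones quoted in the post; the last two are constructed.
SAMPLE_LOG = """\
08.12.2008   13:53:25.000   1228744405   package   Submit: files 0, bytes 0, time 0 ms
08.12.2008   13:53:25.000   1228744405   package   Submit success: files 0, bytes 0, time 0 ms
10.12.2008   13:40:02.000   1228916402   package   Submit: files 1, bytes 48128, time 950 ms
10.12.2008   13:40:03.000   1228916403   package   Submit success: files 1, bytes 48128, time 950 ms
"""
```

Call `submission_status` with the text of setup.log and the spool\suspic path given in the post; a non-empty `still_queued` list means the sample is still waiting for the next update.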

garrett

  • Guest
Re: perfect defender 2009
« Reply #8 on: December 10, 2008, 01:49:17 PM »
Ok, thanks for the support. I have sent the file through the avast! chest.

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: perfect defender 2009
« Reply #9 on: December 10, 2008, 03:16:43 PM »
No problem, glad I could help.

Thanks for helping improve avast detections.

Welcome to the forums.

Offline Maxx_original

  • Avast team
  • Super Poster
  • *
  • Posts: 1479
Re: perfect defender 2009
« Reply #10 on: December 10, 2008, 04:21:05 PM »
this nasty should be detected with current VPS... also the access to the web page should be blocked..

garrett

  • Guest
Re: perfect defender 2009
« Reply #11 on: December 10, 2008, 07:54:55 PM »
well the current VPS detects the malware "trojan gen-other", but avast says that it cannot process the file. And the access to the web page is not blocked by network shield.

Dio12

  • Guest
Re: perfect defender 2009
« Reply #12 on: December 14, 2008, 02:45:40 PM »
Well I have a problem. From time to time appears a message on my computer saying that is for Windows Firewall saying I have a virus and if I press enable protection that thing directs me to that site. How do I get rid of it?

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89053
  • No support PMs thanks
Re: perfect defender 2009
« Reply #13 on: December 14, 2008, 03:38:55 PM »
It isn't from your windows firewall, it is a fake alert.

Start by using the tool RogueRemover in the first reply.

Do not visit the site, that is only likely to further compromise your system.

If you haven't already got this software (freeware), download, install, update and run it, preferably in safe mode and report the findings (it should produce a log file).
1. SUPERantispyware On-Demand only in free version.
2. MalwareBytes Anti-Malware, On-Demand only in free version http://download.bleepingcomputer.com/malwarebytes/mbam-setup.exe, right click on the link and select Save As or Save File (As depending on your browser), save it to a location where you can find it easily later.