win32/adware.SystemSecurity.AH

What is win32/adware.SystemSecurity.AH ?

NOD alerted and cleaned this threat but I am unable to find any relevant information on what this malware does or intends to do. How dangerous is it ?

Will the cleaning be enough or do I need to dig deeper and potentially go back via an image to avoid any remaining nasties sleeping somewhere?

 

Have you received any persistent Notification of cleaning of this threat?

If this ocurred only once, then the malware is locked inside quarantine

 

The threat is on the detections list. If it is quarantined, leave it or delete it

 

Yesterday one of my colleagues called me very anxious as she had some alerts on her pc - these alerts were not from NOD but some malware removal tool. After clarifying with her that she had not yet installed the MS patch (containing the official tool) and asking her to describe the alert, I believe she had some drive-by malware attack. Her email did not work, so she could not send a screenshot), task manager did not work, so we could not close IE that way.
At the end we shut down the system by turning it off.

This morning it booted normally and we did a scan with NOD coming up with this alert. Not sure why NOD did not jump in yesterday but at present not knowing how this thing operates, that maybe only part was cleaned and some of it may still be hiding waiting to be activated later. Any additional information will be appreciated.

 

Do you require further information that what I originally replied to your query ? Additional suggestions, if required, run a scan in safe mode, Run an online scan
Are you running the pre-release updates ? If you are not, perhaps you may consider doing this.

Thanks.

 

It sounds like a rogue av that made it to your colleague's computer. Security programs do not recognize 100% of new malware variants from the moment they are created which is why the vendors issue updates frequently to cover newly born malware. That said, there's still some gap between a new variant is made, detection is added by the vendor and an update is received by users. Whether or not there's a gap and how big the gap is depends on the quality of particular security software. Ysterday's engine update was aimed exactly at this - to cover new variants proactively even better and thus remove the gap completely.

As to what the rogue av does, we can't tell exactly as a malware analysis is carried out only for certain malware on a per-need basis simply because it's beyond any vendor to analyze every malware deeply given that dozens of thousands of malware pieces emerge on a daily basis and an analyzis of a particular threat can take minutes, hours or even several days. Basically what we can say about rogue tools is they display reports about non-existing malware on the user's computer and lure the user into purchasing it by offering "malware" removal option in the "full" version of the program.

 

Thanks Marcos,
I do realise that there will be gaps, no matter what you use. I am just surprised that doing a normal google, hardly anything comes up that provides info (apart from detection advice).

siljaline - I did see your post which kind of crossed with mine and I had seen it on the detection list but this did not answer my question. Yes, NOD detects it but I would have liked to learn more about how the threat works, what is installed and how cleanly it can get removed. For many malware, this info is available on the web and I was hoping someone more experienced than me had some more insight or could provide a link here.

Anyway, I have taken the safe route and used an older image to avoid any niggling worries.

 

Query the US based threat sense database Query with:

Code:

win32/adware.SystemSecurity.AH

Result: http://www.eset.com/us/threat-center/threatsense-updates/search?q=win32/adware.SystemSecurity.AH The results would indicate which virus database update detects this threat, I defer the remainder of your query to what Marcos commented.

Moot now since you have used a backup image, I hope this clarifies as these are the only results I can provide.