Wilders Security Forums  

  #1  
Old April 4th, 2010, 02:28 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Panda Failure

I've just been round to fix my friend's computer after he reported it was playing up. When checking it, it was pretty obvious why he was experiencing so many problems. The computer was rammed with Malware, as you'll see from the MBAM Log.

Interestingly the computer was running Panda Cloud AntiVirus & ThreatFire. After checking the ThreatFire log, it did pick up some suspicious files but they were allowed by the user. However Panda didn't detect anything. I even scanned some of the trojans directly with Panda and no results. And yes, the computer was online.

Some of the nasties:
Trojan.Vundo
Trojan.Hiloti
Trojan.Fraudpack
Trojan.Dropper
Worm.Allaple
Backdoor.Bot
Rootkit.Agent
Rootkit.TDSS
Malware.Trace
Spyware.Zbot
Rogue.YourProtection
Rogue.SpywareBot
Rogue.PrivacyConductor
Rogue.SecurePCCleaner
Rogue.RegistrySmart
Rogue.Multiple
Adware.MyWebSearch
Adware.180Solutions
Adware.Seekmo
Adware.ShopperReports
Adware.Zango

All the above were removed with MBAM and the computer booted fine.
I later uninstalled Panda, only to find a wall of BSODs after rebooting.

I think a format / reinstall is going to be the fastest solution here now.
  #2  
Old April 4th, 2010, 03:14 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: Panda Failure

There may be more to this than is posted here, so I can't say much about Panda, but ouch. TDSS I can understand, as the last I checked VERY few apps caught this. 180Solutions, Zango, Vundo, these should be detected by a lot of apps by now. 180Solutions was being detected by Spybot when people still loved that app, so I don't know what to think of that.
  #3  
Old April 4th, 2010, 03:42 PM
Brocke Brocke is offline
Updates Team
 
Join Date: Mar 2008
Location: USA,IA
Posts: 1,644
Default Re: Panda Failure

PCA is still young, version 1.1 soon will be beta, will offer a lot more protection.

a BB, self protection, auto updates, etc.
  #4  
Old April 4th, 2010, 03:51 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

Yes but it should have got something surely? Plus, when I uninstalled it, it ~Snip~ the system up totally so a format is necessary anyway now.

Last edited by ronjor : April 4th, 2010 at 04:25 PM. Reason: Possibly offensive phrase removed
  #5  
Old April 4th, 2010, 04:03 PM
vojta vojta is offline
Frequent Poster
 
Join Date: Feb 2010
Posts: 464
Default Re: Panda Failure

Quote:
Originally Posted by Gasp
Yes but it should have got something surely? Plus, when I uninstalled it, it ~Snip~ the system up totally so a format is necessary anyway now.

Honestly, the system seemed to be quite ~Snip~ by the user:

Quote:
Originally Posted by Gasp

Some of the nasties:
Trojan.Vundo
Trojan.Hiloti
Trojan.Fraudpack
Trojan.Dropper
Worm.Allaple
Backdoor.Bot
Rootkit.Agent
Rootkit.TDSS
Malware.Trace
Spyware.Zbot
Rogue.YourProtection
Rogue.SpywareBot
Rogue.PrivacyConductor
Rogue.SecurePCCleaner
Rogue.RegistrySmart
Rogue.Multiple
Adware.MyWebSearch
Adware.180Solutions
Adware.Seekmo
Adware.ShopperReports
Adware.Zango

You don't catch all this at Wikipedia.

Last edited by ronjor : April 4th, 2010 at 04:27 PM. Reason: Possibly offensive phrase removed
  #6  
Old April 4th, 2010, 04:10 PM
PC__Gamer PC__Gamer is offline
Frequent Poster
 
Join Date: Dec 2009
Posts: 526
Default Re: Panda Failure

well, forgive me if I'm wrong, but this all seems a little theatre-like,

like it's been acted out to show Panda's failings in these particular infections.

__________________
Webroot SecureAnywhere Complete
  #7  
Old April 4th, 2010, 04:11 PM
Brocke Brocke is offline
Updates Team
 
Join Date: Mar 2008
Location: USA,IA
Posts: 1,644
Default Re: Panda Failure

Quote:
Originally Posted by PC__Gamer
well, forgive me if I'm wrong, but this all seems a little theatre-like,

like it's been acted out to show Panda's failings in these particular infections.

I agree, all those infections, I mean they must be going to some shady sites.
  #8  
Old April 4th, 2010, 04:13 PM
pbust pbust is offline
AV Expert
 
Join Date: Apr 2009
Location: Spain
Posts: 1,173
Default Re: Panda Failure

I'm sorry but I find this a little hard to believe. Please send me the samples that were not detected by Panda in order to verify this claim.
  #9  
Old April 4th, 2010, 04:23 PM
Brocke Brocke is offline
Updates Team
 
Join Date: Mar 2008
Location: USA,IA
Posts: 1,644
Default Re: Panda Failure

Quote:
Originally Posted by pbust
I'm sorry but I find this a little hard to believe. Please send me the samples that were not detected by Panda in order to verify this claim.

if he does, post the results here please for all of us to see.

thanks
Pbust
  #10  
Old April 4th, 2010, 04:40 PM
Cudni Cudni is offline
Global Moderator
 
Join Date: May 2009
Location: Somethingshire
Posts: 6,944
Default Re: Panda Failure

Quote:
Originally Posted by Brocke
if he does, post the results here please for all of us to see.

thanks
Pbust

it would be interesting but somehow doubtful they will be forthcoming
Quote:
Originally Posted by Gasp
I think a format / reinstall is going to be the fastest solution here now.
__________________
once we only had ideals, today they are the only things we are missing
Microsoft MVP, 2006 - 2013/14
  #11  
Old April 4th, 2010, 04:53 PM
Noob Noob is offline
Massive Poster
 
Join Date: Nov 2009
Posts: 5,330
Default Re: Panda Failure

Quote:
Originally Posted by Cudni
it would be interesting but somehow doubtful they will be forthcoming
Yeah, he already stated he deleted them with MBAM xD
__________________
Emsisoft Anti-Malware v7.0.0.21 - Online Armor 6.0.0.1736
SRP - UAC - EMET

Browser: Google Chrome v25.xx

Windows 7 Ultimate x64
  #12  
Old April 4th, 2010, 04:53 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

@PC__Gamer
theatre-like sites lol! He did say that he'd been looking at those "theatre-like" sites prior to the issues. Although I'd be surprised if they were all from pr0n sites.

@pbust
All the malware has been Quarantined and deleted successfully by MBAM so I don't think I am able to send this now. For future reference, how do you want me to submit the malware to you?

I un-installed Panda hoping to download and re-install a newer version but after doing the uninstall the computer BSODs at boot. Any ideas what caused this?
  #13  
Old April 4th, 2010, 05:07 PM
zfactor zfactor is offline
Massive Poster
 
Join Date: Mar 2005
Location: on my zx10-r
Posts: 4,301
Default Re: Panda Failure

I have been testing Panda Cloud and to be honest it's not that bad. If it really did miss all of those, imo there may have been a more underlying cause for it. Yes, Panda Cloud does miss some things but no way is it that bad.
__________________
Meatwad you're up next, with your knock-knock.
Meatwad make the money see. Meatwad get the honeys G. Drivin in my car, living like a star ice on my fingers and my toes, and im a taurus

"Some days your the windshield. Some days your the bug"
Eset ESS V6 / Webroot WSA / Avast! IS V8
  #14  
Old April 4th, 2010, 05:19 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

Quote:
Originally Posted by zfactor
I have been testing Panda Cloud and to be honest it's not that bad. If it really did miss all of those, imo there may have been a more underlying cause for it. Yes, Panda Cloud does miss some things but no way is it that bad.

If we assume something was blocking the internet connection that might explain part of it??
  #15  
Old April 4th, 2010, 05:35 PM
Brocke Brocke is offline
Updates Team
 
Join Date: Mar 2008
Location: USA,IA
Posts: 1,644
Default Re: Panda Failure

Quote:
Originally Posted by Gasp
If we assume something was blocking the internet connection that might explain part of it??

well, PCA does use an offline cache, but still, all of those not even being seen by PCA, it's hard to believe.
  #16  
Old April 4th, 2010, 05:44 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

If the computer is offline and one of the trojans corrupted the signature files, would that knock off the panda protection?
  #17  
Old April 4th, 2010, 06:02 PM
Ibrad Ibrad is offline
Very Frequent Poster
 
Join Date: Dec 2009
Posts: 1,887
Default Re: Panda Failure

Are you 100% sure Panda Cloud was running? Maybe some of the malware killed the protection service.
__________________
Panda Security TRUSTED MOD


Panda Cloud Antivirus + Rising PC Doctor + Common Sense

My Security Blog: http://igl-security.blogspot.com/
  #18  
Old April 4th, 2010, 06:04 PM
pbust pbust is offline
AV Expert
 
Join Date: Apr 2009
Location: Spain
Posts: 1,173
Default Re: Panda Failure

Gasp, do you know if the malware was on the system *before* Panda Cloud AV was installed? It could be any one of those you mentioned crippled the connection and/or prevented PCA from accessing its scanning servers. Did you run a full scan with PCA? If so, can you post the results? Also you mentioned the malware was quarantined by MBAM. Can you restore it and send it to me?
  #19  
Old April 4th, 2010, 06:34 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

Panda Cloud was installed on a new clean build of XP so no malware then. I am very sure Panda was running when I last checked. The system was running on spoof name servers which could explain a loss in connection to Panda Cloud.

The system isn't bootable or restorable, it's completely wrecked now with the BSODs.
  #20  
Old April 4th, 2010, 06:49 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

My friend (or maybe it's his kids) has a history of opening unknown files on the internet and infecting his PC with all sorts of crap. Like I said, the ThreatFire log confirmed that he had allowed some of the malware. I think what happened here is he's had a 0day drive-by download on a "theatre-like" site which he has allowed and run. This has either blocked his internet and corrupted the Panda signatures, or downloaded another app which has done this.

I am upgrading him to Windows 7 tomorrow so we can review his security. What would you recommend for someone who opens everything? I am tempted to use something like Returnil to return his system back to normal after every reboot. Or should I go for a free HIPs instead?

Limited User Account - This will stop him or his kids installing new apps/files.
Microsoft Security Essentials - It's free and very easy to use.
Malware Bytes - On-demand malware scanning.
SAS - On-demand malware scanning.
Comodo Time Machine - For when it all goes wrong again.

Last edited by Gasp : April 4th, 2010 at 06:57 PM.
  #21  
Old April 4th, 2010, 07:09 PM
andyman35 andyman35 is offline
Very Frequent Poster
 
Join Date: Nov 2007
Posts: 2,288
Default Re: Panda Failure

Gasp,
I'd go with Returnil to save your friend from himself. It does seem that he managed to get an extraordinary amount of malware onto his system. It's no mean feat to get yourself that infected, as I found out when running a VM without any security software to test CTM a while ago.

It seems unlikely that Panda (and Threatfire too) would fail so dramatically during normal usage, there must be more to it.
  #22  
Old April 4th, 2010, 07:17 PM
dw426 dw426 is offline
Massive Poster
 
Join Date: Jan 2007
Posts: 5,543
Default Re: Panda Failure

If you HAVE to go to a deny/allow approach, do it through LUA. HIPs in the hands of the less knowledgeable and/or uncaring is just as dangerous as malware itself.
  #23  
Old April 4th, 2010, 07:36 PM
Konata Izumi Konata Izumi is offline
Very Frequent Poster
 
Join Date: Nov 2008
Posts: 1,521
Default Re: Panda Failure

no conficker?
  #24  
Old April 4th, 2010, 07:38 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

No, why?
  #25  
Old April 4th, 2010, 07:40 PM
Gasp Gasp is offline
Regular Poster
 
Join Date: Jan 2010
Posts: 82
Default Re: Panda Failure

Quote:
Originally Posted by dw426
If you HAVE to go to a deny/allow approach, do it through LUA. HIPs in the hands of the less knowledgeable and/or uncaring is just as dangerous as malware itself.

How about if we went with Sandboxie or Geswall instead of the strong hips?
 
