What the Hell!!!????

Discussion in 'ESET NOD32 Antivirus' started by kensaundm31, May 8, 2010.

Thread Status:
Not open for further replies.
  1. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    Which is totally irrelevant to the POINT, being that your blanket statement that 'paid versions of AV are always better than free' is plain crap-crud, because *it* *DEPENDS*...
     
  2. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
  3. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,963
    Location:
    Somethingshire
    If by managing you mean that Spywareblaster protects the hosts file then yes but it does not update it
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,752
    Location:
    Toronto Canada
    Plain crap-crud no. Free versions are usually crippled in some way in comparison to the paid version by the same vendor.
     
  5. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    667
    Coming back on-topic, one of our users just got hit with "Desktop Security 2010", which I guess is a variant of the XP AntiVirus family. ESET let it through, though in fairness it did seem to catch part of it as it flagged up some hits.

    I've run a full clean using ESET 4.2.40 and it found some files which it quarantined. I then rebooted and ran another scan, and it found a couple more. I then rebooted - clean. I then rebooted again - clean.

    I then installed MBAM, and it found all these:

    Code:
    Malwarebytes' Anti-Malware 1.46
    www.malwarebytes.org
    
    Database version: 4087
    
    Windows 5.1.2600 Service Pack 3
    Internet Explorer 8.0.6001.18702
    
    10/05/2010 21:44:17
    mbam-log-2010-05-10 (21-44-17).txt
    
    Scan type: Quick scan
    Objects scanned: 212934
    Time elapsed: 10 minute(s), 24 second(s)
    
    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 7
    Registry Values Infected: 2
    Registry Data Items Infected: 2
    Folders Infected: 3
    Files Infected: 17
    
    Memory Processes Infected:
    (No malicious items detected)
    
    Memory Modules Infected:
    (No malicious items detected)
    
    Registry Keys Infected:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{3446af26-b8d7-199b-4cfc-6fd764ca5c9f} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{4776c4dc-e894-7c06-2148-5d73cef5f905} (Backdoor.Bot) -> Quarantined and deleted successfully.
    HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.
    
    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\forceclassiccontrolpanel (Hijack.ControlPanelStyle) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\uid (Malware.Trace) -> Quarantined and deleted successfully.
    
    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nwfdtx) Good: (Explorer.exe) -> Quarantined and deleted successfully.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.
    
    Folders Infected:
    C:\WINDOWS\system32\lowsec (Stolen.data) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Start Menu\Programs\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Application Data\Desktop Security 2010 (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    
    Files Infected:
    C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\user.ds (Stolen.data) -> Quarantined and deleted successfully.
    C:\WINDOWS\system32\lowsec\user.ds.lll (Stolen.data) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Start Menu\Programs\Desktop Security 2010\Activate Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Start Menu\Programs\Desktop Security 2010\Help Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Start Menu\Programs\Desktop Security 2010\How to Activate Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Application Data\Desktop Security 2010\mfc71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Application Data\Desktop Security 2010\MFC71ENU.DLL (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Application Data\Desktop Security 2010\msvcp71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Application Data\Desktop Security 2010\msvcr71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Application Data\Desktop Security 2010\securityhelper.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Local Settings\Temp\m.234B.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Start Menu\Programs\Desktop Security 2010.LNK (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Application Data\Microsoft\Internet Explorer\Quick Launch\Desktop Security 2010.LNK (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Local Settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Local Settings\Temp\test.exe (Trojan.Agent) -> Quarantined and deleted successfully.
    
    A fairly extensive list I think, given that ESET said we were clean. Hmmmm........



    Jim
     
  6. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
  7. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    667
    Not sure what your point is; you seem to be standing on your soapbox. You've already proved in other threads that you don't know what you are talking about.

    But that aside....

    My point is that ESET said the system was completely clean, yet MBAM found lots of files (all of which had descriptions which matched the problem).
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    As you can see, there are mainly registry keys and folders listed in the log. ESET does not detect such benign stuff. What's more, it seems that MBAM also detected most likely legit Microsoft mfc libraries just because they were found in that malware folder :)

    Besides those dlls, the only files suitable for submission are:
    C:\Documents and Settings\Jamieleefarman\Local Settings\Temp\m.234B.tmp.exe (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Local Settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
    C:\Documents and Settings\Jamieleefarman\Local Settings\Temp\test.exe

    Detection for m.234B.tmp.exe was added a couple of days ago so I wonder if it's a new variant. At least I couldn't find and get any new one from our sources.
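    As an added example (my own code, not anything from the thread, from Malwarebytes or from ESET), here is a small Python triage of a Malwarebytes log in the layout Jim posted above. It separates registry-key entries from actual files, pulls the unexpected tokens out of the Winlogon Shell and Userinit "Bad:" values (the persistence mechanism visible in that log), and buckets the files roughly the way Marcos's reply does: executables worth submitting as samples, MFC/MSVC runtime DLLs to verify by hash or signature before assuming they are malicious, and shortcuts. The embedded sample log is constructed from a subset of the posted entries with the profile name replaced by "User"; the bucket names and the runtime-DLL list are my own assumptions.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample in the Malwarebytes 1.46 log layout quoted in the thread
# (a subset of the posted entries; the Windows profile name is replaced by "User").
SAMPLE_LOG = r"""
Registry Keys Infected:
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{43bf8cd1-c5d5-2230-7bb2-98f22c2b7dc6} (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\idid (Trojan.Sasfix) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell (Hijack.Shell) -> Bad: (Explorer.exe rundll32.exe nwfdtx) Good: (Explorer.exe) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Hijack.Userinit) -> Bad: (C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) Good: (Userinit.exe) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\lowsec\local.ds (Stolen.data) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Start Menu\Programs\Desktop Security 2010\Desktop Security 2010.lnk (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Application Data\Desktop Security 2010\mfc71.dll (Rogue.DesktopSecurity2010) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\m.234B.tmp.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\User\Local Settings\Temp\wrfwe_di.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
"""

# Section headers look like "Files Infected:"; entries are "<item> (<detection>) -> <action>".
SECTION_RE = re.compile(r"^(?P<section>.+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
# Registry data items carry the observed and expected values.
BAD_GOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Assumed list of Microsoft runtime DLL names that a rogue often drops beside itself;
# a name match is only a hint, verify by hash/signature before trusting or submitting.
RUNTIME_DLLS = {"mfc71.dll", "mfc71enu.dll", "msvcp71.dll", "msvcr71.dll"}


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, detection name, bad/good values."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        m = ENTRY_RE.match(line)
        if not m or section is None:
            continue  # summary counts, blank lines, "(No malicious items detected)"
        entry = {"section": section, "item": m.group("item"),
                 "name": m.group("name"), "bad": None, "good": None}
        bg = BAD_GOOD_RE.search(m.group("rest"))
        if bg:
            entry["bad"], entry["good"] = bg.group("bad"), bg.group("good")
        entries.append(entry)
    return entries


def summarize(entries):
    """Count detections per section, to see how much of the log is registry noise."""
    return Counter(e["section"] for e in entries)


def winlogon_extras(entries):
    """For Winlogon Shell/Userinit hijacks, list the tokens not present in the Good value."""
    extras = {}
    for e in entries:
        if e["bad"] is None or "\\Winlogon\\" not in e["item"]:
            continue
        value_name = e["item"].rsplit("\\", 1)[-1]
        expected = {t.lower() for t in re.split(r"[,\s]+", e["good"]) if t}
        # Shell is space-separated, Userinit comma-separated (with a trailing comma).
        observed = [t for t in re.split(r"[,\s]+", e["bad"]) if t]
        extras[value_name] = [t for t in observed
                              if ntpath.basename(t).lower() not in expected]
    return extras


def triage_files(entries):
    """Bucket file detections: executables to submit, runtime DLLs to verify, shortcuts, rest."""
    buckets = defaultdict(list)
    for e in entries:
        if e["section"] != "Files":
            continue
        base = ntpath.basename(e["item"]).lower()
        if base.endswith(".exe"):
            buckets["executables_to_submit"].append(e["item"])
        elif base in RUNTIME_DLLS:
            buckets["runtime_dll_verify_hash"].append(e["item"])
        elif base.endswith(".lnk"):
            buckets["shortcuts"].append(e["item"])
        else:
            buckets["other_data"].append(e["item"])
    return dict(buckets)


if __name__ == "__main__":
    found = parse_mbam_log(SAMPLE_LOG)
    print("per section:", dict(summarize(found)))
    print("unexpected Winlogon entries:", winlogon_extras(found))
    for bucket, paths in triage_files(found).items():
        print(bucket)
        for p in paths:
            print("   ", p)
```

    Running it on the sample prints two unexpected Winlogon entries (the extra `rundll32.exe nwfdtx` in Shell and `sdra64.exe` in Userinit) and puts only the two `.exe` files from Temp in the "submit" bucket, which is the same short list Marcos arrives at by hand.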
     
  9. kensaundm31

    kensaundm31 Registered Member

    Joined:
    May 8, 2010
    Posts:
    17

    I mean it did that even if I wasn't even using the computer.

    Here's an example of 1 site that was blocked 94.75.233.9 - post.mobyhost.ru

    So I guess there are lots of sites that are constantly polling our computers. Maybe port scanning.

    It definitely isn't doing it as much after I installed that 'hosts' file.
     
  10. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    646
    Location:
    Sydney Australia
    It seems likely that you are still infected.
     
  11. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    Sorry, plain crap-crud *yes*...

    The OP did not *say* 'from the same vendor', now, did he? He made a very general statement that 'paid is better than free', which again, is pure crap-crud *because* *it* *depends*...
     
  12. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    I stand corrected (thanks)... I've been using both it and Spybot for so long I forgot that it is actually Spybot that does this...
     
  13. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    Paid programs, when it comes to antivirus, ARE better than free, for more reasons than not; there is no "it depends". If you choose to use a free product, more power to you, but just be aware that when it comes to antivirus itself a free version is going to be lacking in what paid offers. Think of it this way: which would you rather have on a house? Just a lock on the door (no deadbolt) that anyone that knows how to get into a lock can break into, or a deadbolted lock that is nearly impossible to get through? While a regular lock is fine, it doesn't provide as secure an environment as the deadbolt does. A free program is fine IF you have no other alternative, but to trust it like you would something that is complete? No. Keep in mind that I have used BOTH PAID AND FREE PRODUCTS and I am not a fool.
     
  14. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    Ok, so you are now officially on the record that McAfee is better than MSE?

    I'm really glad that you aren't anywhere near *my* networks.

    :D
     
  15. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    I haven't used McAfee since I had 98SE, lol, and quite frankly there are better products out there. Considering that I haven't had anything major in several years, and the last time I had a test done the product I ran protected everything completely without the need for anything else... yeah, I'm glad I'm not anywhere near your networks too, because for one thing, if I had a choice, NOTHING would have the chance to get in except for what you let in XD

    Also I will add to the "it depends" statement: what product you choose, whether it be paid or not, is up to you, although the best thing to do is look at the detection rates. McAfee has been on the low end of that scale for a long time in what it lets slip through. While no antivirus program is perfect, there are those that are high end and those that aren't (aim for the best protection possible), as prevention is a heck of a lot better than removing an infection that it should have caught in the first place. Like I have said, I have used both free and paid antivirus scanners, ranging from AVG Free and avast as well as Avira on the free scale, to McAfee (98 only), ESET and Kaspersky. ESET and Kaspersky are the best I have encountered so far.
     
    Last edited: May 12, 2010
  16. tanstaafl

    tanstaafl Registered Member

    Joined:
    Apr 8, 2005
    Posts:
    207
    Whatever that means... lol
     
  17. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    All AV needs help !!!!!

    Signature-based antivirus is not enough NOW, will not be enough in future TOO

    Pay for the better, add sandboxing protection and hope...

    Read this !! PWN2KILL challenge: 15 AVs failed, ESET NOD32 and Kaspersky included
    http://www.esiea-recherche.eu/data/iawacs2010/pwn2kill/pwn2killdebrief.pdf
     
    Last edited: May 13, 2010
  18. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    Sandbox is fine for 32 bit systems but it will not work on a 64 bit operating system
     
  19. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    5,933
    >> Signature-based antivirus is not enough NOW

    Of course not; it's only one wheel.

    >> Sandbox is fine for 32 bit systems but it will not work on a 64 bit operating system

    That's not true. It doesn't have the same full power as on 32-bit, but it works.
     
  20. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    Not unless it is specifically developed for 64-bit. In fact, something like Sandboxie specifically says it won't work in a 64-bit environment because it asks for access to the kernel. On a 64-bit system you have kernel-mode patching, which is the same reason that it states on avast antivirus that the boot-up scan will not run on 64-bit systems. When something says that when you try to run it in a sandbox environment the application may crash... that isn't exactly running as well as it would in 32-bit. Things can not modify the kernel as easily in a 64-bit structure as they can in a 32-bit one, because it is already patched against it. That is how it is developed.
     
  21. GAN

    GAN Registered Member

    Joined:
    Mar 3, 2007
    Posts:
    355
    You are right about the kernel patching, but sandboxie works with Vista/Win7 x64. Quote from the sandboxie website: "Starting with version 3.44, Sandboxie offers full support for 64-bit editions of Windows Vista with Service Pack 1, and Windows 7. The 64-bit edition of Sandboxie is somewhat disadvantaged in terms of security compared to the 32-bit edition of Sandboxie"

    For more details:
    http://www.sandboxie.com/index.php?NotesAbout64BitEdition

    So as Brummelchen said "it has not the same full power as on 32bit but it works"

    -gan
     
  22. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    I wondered about that. I am glad they are finally working on a 64-bit version of that; it would be worthwhile to try out. But it kind of sounds like, in a way, it does the same thing that can be done under a virtual machine environment.....
     
  23. bradtech

    bradtech Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    84
    It's all about timing and luck when it comes to getting these. I've honestly uploaded or found some fake AVs that nobody is detecting.. So many programs install legitimately to the same areas that most of these fake AVs do. They install in a manner which is hard for heuristics to detect since they really are just like any other program. Does not matter if you are a local user or local admin.. Local users will infect their own user profile, local admin will just infect all the local profiles, and maybe add more hosing of the OS..

    What you would learn if you studied zero-day infections is that the fastest way these get blocked is by cloud-based URL reputation and blocking. Signatures take time, and cannot be rushed. (Poor McAfee users). It's much easier to block the URL, then take time to develop proper removal mechanisms.
     
  24. bradtech

    bradtech Registered Member

    Joined:
    Nov 16, 2009
    Posts:
    84
    No doubt... The days of depending upon one thing to stop all are done.. Especially now that malware makers are getting tons of financial backing, and it's not just people doing it to prank..
     
  25. Skywolfe

    Skywolfe Registered Member

    Joined:
    Apr 8, 2010
    Posts:
    82
    If you want something to work fully, you want it to work as best as it can, not "the same as full power but still works." That may work when you are talking about something like putting used parts into a computer system, but something that is supposed to have security in mind needs to work at full power, not half, while programs like that are being developed for 64-bit systems too. A 64-bit system is more secure in its structure, even just out of the box, than a 32-bit system is, as it can not be bypassed as easily.
     