Antivirus XP 2010

I am still seeing many of my customers who are on ESET smart security 4 becoming infected with the antivirus XP 2010 malware.

Why isn't eset detecting this yet? a number of free anti malware packages are picking it up just fine.

 

It would depend on the variant of the Rogue and how current it is.
Please be reminded that not all AV engines detect everything.
You may try the stand-alone removal tools Also see what to do with a current infection
The variants of this rogue are explained here You must be absolutely certain which variant it is and to proceed with any of the listed user guides with Expert Assistance!

 

Very easily cleaned up, we have lots of rigs come through with these variants, and having great success in cleaning them up using MalwareBytes, Microsoft Security Essentials, and in some cases where the end user brought it heavily on their system...Symantecs UnHookExec.inf too.

 

this seems to be a regular moan about eset nod32 (should that be noddingasleep32?)

 

That would be a regular moan of all the AV Vendors, as noted, nothing is infallible and able to detect and remove all. The ultimate responsibility falls on the user and her/his ability to surf safe.

 

But when we have dozens of machines come into our office for cleaning/repair each week, or when we go onsite to clients to clean/repair machines infected with these rogues.....we tend to get a good idea of what works, and what is....nodding asleep. Sheer volume and sheer repetition will show a trend of what works 'n what isn't working. I'm a longtime Eset reseller, we have a LOT of SMB clients that are running NOD32 from us....and sad to say, for the past couple of years since I've seen these rogue/fake alerts/scarewares on the rise..they're slipping past NOD. It's starting to get egg on our face as resellers because we recommended it over the prior product that our client was using.

And the kicker is....I reach for my USB thumb drive with free programs on it, and MalwareBytes as well as MSE...install, update....BAM...cleaning the rogue right off the bat. When one sees this time and time and time and time again...stuff starts to tick.

Gotten to the point...one of my larger clients that runs a 100 node network with NOD biz edition...for next years budget...I'm factoring in Microsoft Forefront for antivirus.

They've got to get their act together with these rogues. And I'm not alone in this, I have lots of other colleagues in my profession that are in the same boat, they're Eset resellers..and they're ripping their hair out in frustration as the product fails over 'n over with these recent waves of rogues.

Sorry but Eset has to get on the ball with these rogues. I know the rogues are coming out at the rate of 4, 5, 6 new variants a day...but again...proof here...when free products ARE detecting and cleaning these rogues..makes you wonder. And after dealing with a specific rogue so many dozen times I have it memorized, where it goes in the registry, what folders it makes on the hard drive, which exe files it plops in there...and after months of seeing it enough to memorize it, I see it slip past NOD...makes ya wonder....

 

I can't really speak to all of your points but I do agree that the Rogues are getting worse daily and harder to wipe.

There was even a case recently of a Rogue masquerading as the Avira site, unbelievable !

ESET, surely is aware of the situation and is on top of things.

We shall see when the Beta goes RTM this quarter, perhaps things will change then.

Appreciate your feedback from a reseller standpoint, I was not aware that you were a ESET reseller.

Regards,

 

YeOldeStonecat sums up my thoughts exactly.

Whilst I'm not an official eset reseller, I have usually recommended it to most of my customers and they are beginning to question my recommendation.
It's a bit embarrassing having to charge them for my time to clear up infections that have bypassed smart security and having to use free anti malware programs to do the job.

Surely if the free products can do it, Eset can bulid this into their products as well?

 

I'm a ESET reseller also and I have to agree that Antivirus 2010 is very frustrating. i've called eset to explain this and i get the usual - that having a av is no guarantee for preventing infection but come on guys - this is one of the most common infections today.

anyone have a recommendation for realtime protection again AV 2010 ?

 

The are no real-time alternatives to protect against Rogue software other than surfing safely, secure your Browser as best possible.

Watch your security Forum(s) for emeging threats, trends, etc.

Use a HOSTS File, as a security expert, I strongly advocate running one.

Many search engine poisoning URL's causing redirects to rogue sites are prevented via a HOSTS file.

 

Yesterday we saw dozens of variants detected only by ESET so no AV program will 100% protect you against every new variant.

 

I have computers come to me with any number of different reasonably 'proper' and 'good' AV solutions installed that have become infected with some latest version of a rogue/trojan or other malware exploit. AV* Free and AV* paid, McAf**, Syman*** Corporate, Nor***, etc. And yes ... it's been very very rare but ... twice users of NOD (one was user type "b" below and the other of type "c" below so it wasn't a complete surprise.)

I've been fortunate enough to get some computers with an almost brand new exploit and gotten a hold of the file and submitted it to Virus Total. From that first day on thru the next month I could see the first results come back with at first only 3 out of 40+ different AV scanners saying it's a bad file ending up with all 40+ agreeing at the end of a month that it's a bad file. In this one case the client had McAf** and it didn't catch or stop it (or perhaps the teen in the household actually clicked when they shouldn't have.) In this one case NOD was one of the 3 that was first to suspect it or identify it and VT's result from the other 37 or so including McAf** was nil - no known threat. It's a race, a cruel game, ... whatever you want to call it.

I used to be a solid fan of X AV solution, then after problems moved to Y and then realized NOD had many benefits that I was looking for ... it was also the time that I realized that brand X, brand Y and all the brands really have their work cut out for them just to stay on the forefront. Monitoring the user/support forums of just about ANY AV vendor will reveal that the "customers" of those products and the AV vendors themselves are all dealing with the same "race condition" problems more or less (good heuristics can play a big difference but still the bigger problem still exists for many new threats.) [Personally I like my AV to be unobtrusive, no advertising, FAST, frequently updating, 24/7 protection and updates, rate the tops in independent tests on speed, old threats and "new unseen threats" and really pretty low on false positives. - NOD/ESS have been that for me for the past few years.]

Many of the infected systems I see come about because:

a) Visitors came over to someone's house (holidays very common) and used the computer and were naive or may be even a bit abusive to the situation (many times teens but I don't mean to say that's always the case) and clicked on things that basically gave permission for the exploit to start (although I love it when I hear my clients say NOD/ESS and/or MBAM stopped them dead in their tracks!)

b) Some people like to go to the other side of the tracks into the dirtier side of the internet as a habit where trouble likely is waiting for them more than others. I've had to talk to a few people about how their 'habits' were costing them a bit of $$$ due to this. Some have changed, some have adopted using the extra security measures I've recommended. Some I think figure it's an expense they may have to pay twice a year. Note that for regular clients of mine that adopt most of the recommendations I give them (ESS or NOD, MBAM paid, SBS&D, SWB, HostMan or some Hosts file solution, some mailwashing program used all the time, regular updates of all, regular system updates including flash, pdf, java, office; autoplay disable and vaccination of autoplay devices, and education) do really well at staying clean and safe. [Same goes with clients that are running P2P with reckless abandon.]

c) Some few people can't help but to trade and forward pictures, videos, powerpoints, flash, etc. to all their friends, etc. And if they get too complacent or are presented with too convencing a message that they need a "new codec" to view the "funny", "heart warming", etc. stuff they like to send around ... well - if it's a brand-new exploit (that was my 1 case with NOD a couple years ago - the variation/exploit was only an hour or two old ... but fortunately NOD got copy of it and had a update and removal with in a hour or two later ... just an update or two of the signatures and a rescan - got lucky!)

d) And then sadly - there are many that are very very naive. They really think the "free" AV solution provided by their *kind* and *philanthropic* Internet Service Provider (yea right - at $50+ a month!) really must be the best thing on earth - so sad. Or that some other "free" solution is protecting them so amazingly well. Not that there aren't great free options out there but features/strengths/weaknesses vary for some and some are really not so good depending on the type of user you are. A once a day update and once a day scan for your mainline AV protection isn't going to cut it these days for most people that actually use their computer on the internet!

e) An even more sad variation of 'd' above ... either they thought they didn't need to renew their AV (save money, it still works, etc.) or a really sad variation of this (and I've had a few of these show up) the phone conversation goes like this:

Them: "Hi - I think I may have a computer problem. It may be infected. My AV program doesn't seem to be stopping all these popup's and 'threats' and it says I have many infections but my AV program differs from what these popup's are saying"

Me: "What to you see in the popup windows" (I'm looking for some clues)

Them: "WinAnti-Virus 2009" (or something like that.)

Me: "Yes - that's a problem! I'm curious - what's your current Anti-Virus program that you've been running before you got infected?"

Them: "Oh - well we have 'Security Tool' protecting our computer - at least until this happened." (I'm not kidding! ... I try to be respectful and not laugh or scream and ask my next question ...)

Me: "Ok - 'Security Tool'. And how long have you had this AV product 'protecting you'?"

Them: "Oh - three months or more."

Me: "Did you pay for it?"

Them: "Oh yes - we certainly did - that's why we can't figure out why it's failing us and things are really getting worse. The computer is almost unusable right now."

And get this (I'm not making this up) ...

Them: "We even called the 'tech support' phone number provided by 'Security Tool' for help. The fellows at the support center said they knew all about the problems and that a fix would be released in a week or sooner and not to worry about it. Just keep running the tool and wait a week."

$70 bucks or so by credit card paid to the criminals that actually make enough from the scam to fund and staff a fake "support center"!

Within the next day or so they had gotten the charges reversed, got new credit cards and gained an unfortunate education on the types of some criminal minds on the internet as well as time and money to get a clean, safe, properly secured computer (as best we can do these days.)

Ok - I don't want to say that perhaps any AV company can't be doing a better or worse job at times and at times need to rethink or improve. I've gotten over some pet peeves with eset a few times recognizing problems on others infected systems and not being effective at getting rid of them - meaning I need other tools. But other AV companies have special sections of their websites for 'special' removal tools and instructions as well.

Enough from me on this. I've gone on too long on this and successfully avoided doing things I really should be doing!

- Davidi

 

IMHO Rogues are totally out of control but we as users have to be in control of our actions because no AV or antimalware will catch 100% so we have to be smarter than them!

This is a very good list of Rogue security applications and it's always updated!

Website: http://roguedatabase.net/RogueDL.php

Gallery: http://roguedatabase.net/Gallery.php

Enjoy,

TH

 

Wow, that's quite a gallery - they must be getting close to running out of unique names for these things!

Funnily (not really) enough just this morning I was redirected to a site that was a fairly convincing (for a novice user, at least) mimic of an open My Computer window, with all sorts of virus alerts flashing away. I've submitted the url and the .exe it prompts you to download.

Obviously not a true indication, but i uploaded the file to VT and only 2 detected it as suspicious.

the problem i see if that people may have an antivirus installed but ay never have had an alert from it before, so when they see the fake alerts like this one they assume that is their antivirus doing it's job and follow instructions. Happened to my Dad, though luckily that was one that NOD32 recognised and stopped him from doing any damage.

 

... a few hours after submitting and the file is being detected as Win32/Adware.Antivirus2009 and NOD is now one of only 5 (of 41) that detect this threat.

I think that's pretty good service personally