Av-comparatives April results

Discussion in 'Prevx Releases' started by darts, May 15, 2012.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I would like to help you personally if I can. Could you contact me with your email address by PM so that we can work through the issues you're seeing? This is the first I've heard of a user having problems like this and I want to be sure you're fixed completely.

    Thank you!
     
  2. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    My first thought: What the heck is this guy doing to be infected 10 times in a week? There are no major 0-days out there, pretty much everything is patched solidly ATM. Either the user is horribly inept at things like patching Java and Flash, or is trolling or intentionally trying to get infected, or is just not choosing good sites to go to.

    Next thought: Webroot VP of Development is directly offering to look into it. The legitimacy of the user's story can be easily verified if he accepts the offer of assistance, and any problems can be fixed. Not-accepting of the offer for whatever reasons will just kill the claims and we're set. Accepting the offer finds out what's up and how the user managed to successfully get infected ten times in a week when the average completely-clueless, unprotected web user might be seeing maybe one infection a week when surfing free porn and pirated games.

    Good news on the above next thought: Just informing PrevxHelp of the keycode used on the computer that theoretically got horribly-infected is sufficient to figure out what happened in many cases, so there is unlikely to be any legitimate excuse for not getting help. :)
     
  3. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,564
    Location:
    New York City
    He/she may or may not be infected. This is why Wilder's discourages the posting of testing done by forum members. There is no way to know if the tests are legitimate and it's an easy way to spread FUD. In this case, Joe made a gracious offer to help, so we'll soon know the truth.
     
  4. webbit

    webbit Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    223
    Through normal web use and downloading I have been virus free for a while now. I use Webroot Complete, Malwarebytes on demand, and I have Windows Defender and the firewall active also.
    While the results are not good, this product is great and will get sorted; the people on here are dedicated and go above and beyond to help.
    There have been many other "tests" and Webroot has come out very well.
    So let's not throw this into the long grass; let's get behind these people and help. And by the way, if you search hard enough, Webroot is one of the cheapest security products around.
     
  5. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Joe is a saint. I wouldn't even offer the punk help if he's already made up his mind that it's useless and he sounds like he's about to uninstall it anyway, but then again, if I was in Joe's position, I'd have to assume professionalism. :)

    And lol @ Comodo being the "only" good one...seriously? I'm not on board with a product that's never formally evaluated by any of the major organizations being called "the best" because it's really a "o_O" product with different users reporting vastly different experiences. I for one am not too fond of Comodo overall. I respect them, but they can't even get their DNS service to be reliable. I had to switch to Norton.
     
  6. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    I'm not trolling, maybe I was a bit too strong with my words though.

    Just looking for an offshore VPS basically; not a good scene to go looking in, I've found out. Hit some Russian + other sites and boom! Had my system r00ted, had to reformat, it was that bad.

    I also downloaded a few files from downloadcrew.com. I thought it was legit but I got hit with a few rootkits, so I think it's full of malware.

    I'm contacting Webroot as we speak. I really like the product, honestly, but Webroot didn't pick up anything :( Comodo did, however. And trust me, I've got security up the wazoo.
     
  7. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    How in the world are you getting infected so often? If you bang on the side of a beehive you will stir things up.
     
  8. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    No Java, no Flash, no Adobe Reader. All browsers up to date, all patches up to date.

    Just got hit again; this is what it looks like when someone installs a bot on your PC.

    Comodo firewall showing port sniffing/eavesdropping, just before my machine got infected.
    http://i46.tinypic.com/2rrx5pz.png


    http://i47.tinypic.com/202omp.jpg

    Trusted Installer? Created by them, you can't disable it and it has write permissions. I delete all my user accounts/admin accounts & put 128 key passwords on them, so they are bypassing UAC somehow.

    Bot calling home, changed Host file to ;;1 calling port 445

    http://i46.tinypic.com/jrpd13.png


    Combofix picked up 3 files, I'm sending them to Prevx now. Must have ~ Snipped as per TOS ~ someone off :(
     
    Last edited by a moderator: May 23, 2012
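    The post above cites a modified hosts file as a sign of compromise. Whether that claim holds depends on what was actually written into the file, which a screenshot of a firewall popup does not show. The script below is an added example, not code from the thread or from any product discussed in it: it parses a hosts file and reports only the two edits that are characteristic of malware, namely security/update vendor domains pointed at loopback or 0.0.0.0 (which silently disables updates) and any name mapped to an address outside the LAN (pharming). The sample file, the vendor-suffix list and the LAN ranges are constructed assumptions for the demonstration.

```python
"""Audit a Windows-style hosts file for malware-typical edits.
Example code; SAMPLE_HOSTS, SENSITIVE_SUFFIXES and LAN_NETS are constructed."""
import ipaddress
from dataclasses import dataclass

# Constructed sample: lines 1-3 mirror a stock Windows hosts file,
# lines 4-6 are the kind of entries a hosts-hijacking bot appends.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.webroot.com        # update/AV site sinkholed
0.0.0.0         update.bitdefender.com
203.0.113.45    www.example-bank.com   # pharmed to a remote host
"""

# Domains whose sinkholing in a hosts file is a classic infection sign
# (assumed list; extend it with the products you actually run).
SENSITIVE_SUFFIXES = ("webroot.com", "bitdefender.com", "kaspersky.com",
                      "comodo.com", "malwarebytes.org", "windowsupdate.com",
                      "microsoft.com")

# Addresses a home hosts file may legitimately point names at (LAN boxes).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "169.254.0.0/16", "fc00::/7", "fe80::/10")]


@dataclass
class Finding:
    line: int
    name: str
    addr: str
    reason: str  # "sinkholed" or "pharmed"


def parse_hosts(text):
    """Yield (line_no, ip_address, hostname) for each mapping, skipping
    comments, blank lines and lines whose first token is not an address."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.split("#", 1)[0].strip()
        if not body:
            continue
        tokens = body.split()
        try:
            addr = ipaddress.ip_address(tokens[0])
        except ValueError:
            continue
        for name in tokens[1:]:
            yield line_no, addr, name.lower().rstrip(".")


def is_sensitive(name):
    """True for a vendor domain or any subdomain of one (not look-alikes)."""
    return any(name == s or name.endswith("." + s) for s in SENSITIVE_SUFFIXES)


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def audit_hosts(text):
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if name in ("localhost", "localhost.localdomain", "broadcasthost"):
            continue
        if addr.is_loopback or addr.is_unspecified:
            # Pointing a name at 127.0.0.1 / 0.0.0.0 blocks it. For ad domains
            # that is a common user choice; for AV/update vendors it is how
            # malware keeps the product from updating.
            if is_sensitive(name):
                findings.append(Finding(line_no, name, str(addr), "sinkholed"))
        elif not is_lan(addr):
            # A home hosts file has no business mapping names to remote hosts.
            findings.append(Finding(line_no, name, str(addr), "pharmed"))
    return findings


if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f.line}: {f.name} -> {f.addr} ({f.reason})")
```

    On a real machine, feed it the contents of `C:\Windows\System32\drivers\etc\hosts`; an empty result means the hosts file is not the evidence, and a non-empty one is something concrete to send to support.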
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    A scan log from WSA from your system right now would help actually find the problem. The three files that Combofix cleaned from your archive are just temporary files and not malicious.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    I can't see any real problem from the screenshots... As far as I know TrustedInstaller is part of Windows and it's there to protect core system files. Probably a scan log will indeed help. :)
     
  11. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    Well I don't know then, something re-wrote my file permissions, changed my hosts file and was trying to dial out. I'll try and upload the firewall log; this one guy hit me a few hundred times. Had quite a few rootkits/trojans lately, it's made me a bit on edge.

    + the RAT files they drop are usually encrypted from what I've read, so you won't see it.
     
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Well I guess I'm infected with the same thing you have then because my Winlogon.exe has TrustedInstaller as a permission. And my Wininit.exe also listens on port 41952.

    I see zero evidence of an infection. Everything you've posted is normal. Looks like WSA has protected you well :D
     
  13. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Are your WSA settings maxed out...o_O
     
  14. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    I uninstalled Webroot and installed Bitdefender. Has a much better firewall so far; that's one thing Webroot needs to improve.

    Sorry, no logs, I formatted, but I know when I'm infected.
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Lol... No comment.
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    No you don't. You've proven that quite categorically. All the 'evidence' you've presented is normal behavior and configuration of an uninfected system, based mainly on your inability to understand firewall activity/logs.
     
  17. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Since you refuse to provide reliable evidence and you are more trying to bash a product without seeking the proper recourse, please don't quote me in other threads and say things like "Webroot LOL".
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Well, let's also add that no security tool can protect from those kinds of "infections", not even Scomodo or Sbitdefender :D

    But no need of raging at him, otherwise the poor OP will feel obliged to get infected at any cost, and this is obviously possible. No security is 100% bulletproof. :thumb:
     
  19. webbit

    webbit Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    223
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    I think everybody should understand that when reporting such strong claims, solid evidence should also be provided. This has been said plenty of times and some moderation policies were introduced to try to reduce this unhelpful behavior.

    From some of the information posted it is clear the OP has problems interpreting signs of infection. Maybe it's not the OP's fault, but next time the OP should understand that by doing this he is damaging his and the product's reputation, since unfortunately there are many readers that will still believe the OP regardless of the lack of evidence, and others that will for sure identify the OP as "just another troller". :)

    "Av-comparatives April results" could we go back to the subject of the thread?
     
  21. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Have you studied up on ICMP and ICMP Reply? It's quite common in internet land and not necessarily malware phoning home. The malware you seem reluctant to prove you had.
     
  22. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    Yes I know about ICMP. I'm not an expert but I can tell the difference between normal ICMP and malware ICMP, which is trying to phone home to its botnet master, or you're being attacked.

    Anyway besides this incident fact is Webroot has not done the job, I used to rate it highly but it's just not up to scratch. Kaspersky & comodo both picked up stuff Webroot didn't which is sad because I really like the light weight product. But just having cloud AV doesn't work, something is very broken and the AV tests and my experience shows that.
     
  23. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    And you can tell that how? The IPs change every time, and having a dynamic IP C&C means that it won't make a difference. Most malware does not phone home by IP but by obfuscated URL where the IP is derived from, over random ports and not the same port each time.

    Your System is Clean.
    I disagree with the statement by Mongol calling BitDefender a SitDefender. I consider BitDefender to be among the top; I am currently beta testing their 2013 line and the system performance is great, and its detection is also near the top on personal malware hunting. I especially like the ability to boot into Damn Small Linux and perform a system scan without the need to make a CD. But I digress. I also have WSA running on my Untangle UTM due to its low system resource usage, but I would not trust it solely by itself, not yet, not this version. Unfortunately I have bought 3 licenses of the software, currently have only activated 1 and I am hoping to activate the 2nd one when the first one runs out. I am hoping and praying that Webroot will honor their last year and 2011 licenses for next year, since I will wait another year for all the bugs to be worked out before changing more of my systems.

    Currently, on my home network I am running Bitdefender 2013, Norton 2013 beta, KAV 2012, Eset 4.0, Malwarebytes, Emsisoft Anti-Malware and WSA. Of all of those WSA is the lightest and I like it as a secondary protection and for my Untangle UTM. I am running the UTM as a VM, so not too afraid of infection; the low probability of something infecting a *nix box and then breaking out of the VM is guarantee enough. However, if something does break out then I hope that WSA will provide the extra layer of protection.


    P.S.
    OP, calling someone an "IDIOT" and pretending that you "KNOW WHAT YOU ARE SAYING and SEEING" without accepting friendly advice makes you into a 14 year old in my book.
     
  24. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    No that's an ECHO REPLY to a PING REQUEST.

    I.e. if you ran BitTorrent or any P2P and then disconnected, the last connecting client will continue knocking at your door, seeing if the disruption of service was temporary or not and trying to reconnect.
     
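    The last few posts turn on one distinction: an inbound ICMP echo reply is only meaningful if you know whether your own host sent the matching echo request, and an "attack" of inbound echo requests that the firewall logs is background scanning, not a bot calling home. The script below is an added example, not code from the thread or from Comodo or Webroot, that applies exactly those rules to firewall log lines: it pairs inbound echo replies (type 0) with earlier outbound echo requests (type 8), counts repeated inbound echo requests per source as probe noise, and raises an alert only for the one thing in the screenshots that would actually matter, an outbound SMB (TCP/445) connection to a host outside the LAN. The log format and the sample lines are constructed for the demonstration and do not reproduce any real firewall's format.

```python
"""Triage firewall log lines: pair ICMP echo replies with our requests,
treat inbound probes as noise, and alert on outbound SMB leaving the LAN.
Example code; LINE_RE's format and SAMPLE_LOG are constructed."""
import ipaddress
import re
from collections import Counter

# Private ranges we treat as "our LAN" (assumed for the example).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed line format:
#   <date> <time> IN|OUT ICMP <src> -> <dst> type=<n>
#   <date> <time> IN|OUT TCP|UDP <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<dir>IN|OUT) (?P<proto>ICMP|TCP|UDP) "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?: type=(?P<itype>\d+))?$")

# Constructed sample log, not taken from the thread's screenshots.
SAMPLE_LOG = """\
2012-05-23 10:00:01 OUT ICMP 192.168.1.10 -> 198.51.100.7 type=8
2012-05-23 10:00:01 IN ICMP 198.51.100.7 -> 192.168.1.10 type=0
2012-05-23 10:00:05 IN ICMP 198.51.100.9 -> 192.168.1.10 type=8
2012-05-23 10:00:06 IN ICMP 198.51.100.9 -> 192.168.1.10 type=8
2012-05-23 10:00:07 IN ICMP 198.51.100.9 -> 192.168.1.10 type=8
2012-05-23 10:00:09 IN ICMP 203.0.113.4 -> 192.168.1.10 type=0
2012-05-23 10:00:12 OUT TCP 192.168.1.10:49200 -> 192.168.1.5:445
2012-05-23 10:00:15 OUT TCP 192.168.1.10:49201 -> 203.0.113.4:445
2012-05-23 10:00:20 OUT TCP 192.168.1.10:49202 -> 198.51.100.20:443
"""


def is_lan(addr):
    return any(addr in net for net in LAN_NETS)


def triage(log_text, probe_threshold=3):
    """Return ([(line, verdict), ...], {scanner_ips}).

    Verdict prefixes: "ok" (explained), "noise" (inbound probe),
    "check" (worth a look), "ALERT" (outbound SMB to a non-LAN host)."""
    pinged = set()       # hosts our side sent an echo request to
    probes = Counter()   # inbound echo requests per source address
    verdicts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            verdicts.append((raw, "check: unparsed line"))
            continue
        f = m.groupdict()
        if f["proto"] == "ICMP":
            itype = int(f["itype"] or -1)
            if f["dir"] == "OUT" and itype == 8:
                pinged.add(f["dst"])
                verdicts.append((raw, "ok: our echo request"))
            elif f["dir"] == "IN" and itype == 0:
                # An echo reply is only "phoning home" if nobody here asked for it.
                if f["src"] in pinged:
                    verdicts.append((raw, "ok: echo reply to our request"))
                else:
                    verdicts.append((raw, "check: unsolicited echo reply"))
            elif f["dir"] == "IN" and itype == 8:
                probes[f["src"]] += 1
                verdicts.append((raw, "noise: inbound echo request"))
            else:
                verdicts.append((raw, "ok: other ICMP"))
        elif f["dir"] == "OUT" and f["proto"] == "TCP" and f["dport"] == "445":
            # SMB to a LAN file server is routine; SMB out to the internet is not.
            if is_lan(ipaddress.ip_address(f["dst"])):
                verdicts.append((raw, "ok: SMB to LAN host"))
            else:
                verdicts.append((raw, "ALERT: SMB to non-LAN host"))
        else:
            verdicts.append((raw, "ok"))
    scanners = {ip for ip, n in probes.items() if n >= probe_threshold}
    return verdicts, scanners


if __name__ == "__main__":
    results, scanners = triage(SAMPLE_LOG)
    for line, verdict in results:
        print(f"{verdict:35} {line}")
    print("repeat probers:", sorted(scanners))
```

    The point of running something like this rather than reading popups is that the verdict for each line is derivable from the log itself: the reply on the second line is explained by the request on the first, the three echo requests from one source are a scanner the firewall saw, and only the outbound 445 connection to a non-LAN address is something a scan log should be asked to explain.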
  25. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    I know I was infected, without a doubt. I don't know what kind of malware it was but it was there.
     