ESS let in a rootkit

After many happy years protected with ESS/NOD32 and spruiking its virtues, one of my clients got infected a couple of weeks ago.

They were running up to date ESS 3 and on the 25th of May, installed something that infected them with a rootkit that was hooked into the networking system. ESS could no longer download updates and on further investigation, every major AV vendor website tried except Norman (at least 9, I tried eset, kaspersky, panda, symantec, sophos, mcafee, clamav, trend, avg) was affected and could not be accessed (something like a 503 error, invalid handle) but no other websites were. I had SysInspector on a USB stick, it would not run, neither would hijack this or MS/sysinternals rootkit detection. Norman malware cleaner would run but didnt find anything. Nothing in startup, no unsigned running processes under process explorer so symptomatic of a rootkit infection that was actively hiding itself. The only way out was a system restore back before the infection, uninstall ESS 3, install ESS 4, update and scan. A couple of infected files were found in the temporary internet files. My USB stick was not infected with an Autorun.

I have no idea what it was or where it came from (it began around installation of Real Player) or if it will happen again. Is ESS 4.2 going to provide better rootkit protection than 3? (I need to let my client know if they are protected again). What else can be done to weed out a root kit issue and what steps can be taken to clean one up if it gets in and blocks everything that may be used to get rid of it short of a re-format?

Regards
Ben

 

No AV will ever detect every single threat, especially when speaking about new born malware no matter what techniques are used (heuristics, gener. signatures, HIPS, cloud, etc), probably the only way to mitigate the chance of common users getting infected would be using sandbox for browsing or running unknown applications.

Please try creating a rescue media (cd/usb) and running a full scan after booting from the media.

 

Speaking of sandboxing, maybe in a future release of ESET. A inbuilt sandboxing feature would be nice.

KIS 2011 Has it built in

and we know Comodo already has it