win32/adware.SystemSecurity.AH

Discussion in 'ESET NOD32 Antivirus' started by beethoven, Apr 13, 2011.

Thread Status:
Not open for further replies.
  1. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    What is win32/adware.SystemSecurity.AH?

    NOD alerted and cleaned this threat but I am unable to find any relevant information on what this malware does or intends to do. How dangerous is it?

    Will the cleaning be enough or do I need to dig deeper and potentially go back via an image to avoid any remaining nasties sleeping somewhere?
     
  2. toxinon12345

    toxinon12345 Registered Member

    Joined:
    Sep 8, 2010
    Posts:
    1,200
    Location:
    Managua, Nicaragua
    Have you received any persistent Notification of cleaning of this threat?

    If this occurred only once, then the malware is locked inside quarantine.
     
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    The threat is on the detections list. If it is quarantined, leave it or delete it
     
  4. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    Yesterday one of my colleagues called me very anxious as she had some alerts on her PC - these alerts were not from NOD but some malware removal tool. After clarifying with her that she had not yet installed the MS patch (containing the official tool) and asking her to describe the alert, I believe she had some drive-by malware attack. Her email did not work, so she could not send a screenshot; task manager did not work, so we could not close IE that way.
    At the end we shut down the system by turning it off.

    This morning it booted normally and we did a scan with NOD coming up with this alert. Not sure why NOD did not jump in yesterday but at present not knowing how this thing operates, that maybe only part was cleaned and some of it may still be hiding waiting to be activated later. Any additional information will be appreciated.
     
  5. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Last edited: Apr 14, 2011
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It sounds like a rogue AV that made it to your colleague's computer. Security programs do not recognize 100% of new malware variants from the moment they are created, which is why the vendors issue updates frequently to cover newly born malware. That said, there's still some gap between the time a new variant is made, detection is added by the vendor and an update is received by users. Whether or not there's a gap and how big the gap is depends on the quality of particular security software. Yesterday's engine update was aimed exactly at this - to cover new variants proactively even better and thus remove the gap completely.

    As to what the rogue AV does, we can't tell exactly, as a malware analysis is carried out only for certain malware on a per-need basis, simply because it's beyond any vendor to analyze every malware deeply given that dozens of thousands of malware pieces emerge on a daily basis and an analysis of a particular threat can take minutes, hours or even several days. Basically what we can say about rogue tools is they display reports about non-existing malware on the user's computer and lure the user into purchasing it by offering a "malware" removal option in the "full" version of the program.
     
  7. beethoven

    beethoven Registered Member

    Joined:
    Dec 27, 2004
    Posts:
    1,043
    Thanks Marcos,
    I do realise that there will be gaps, no matter what you use. I am just surprised that doing a normal Google search, hardly anything comes up that provides info (apart from detection advice).

    siljaline - I did see your post which kind of crossed with mine and I had seen it on the detection list but this did not answer my question. Yes, NOD detects it but I would have liked to learn more about how the threat works, what is installed and how cleanly it can get removed. For many malware, this info is available on the web and I was hoping someone more experienced than me had some more insight or could provide a link here.

    Anyway, I have taken the safe route and used an older image to avoid any niggling worries.
     
  8. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Query the US-based ThreatSense database with:
    Code:
    win32/adware.SystemSecurity.AH
    Result: http://www.eset.com/us/threat-center/threatsense-updates/search?q=win32/adware.SystemSecurity.AH The results would indicate which virus database update detects this threat. I defer the remainder of your query to what Marcos commented.

    Moot now since you have used a backup image, I hope this clarifies as these are the only results I can provide.
