Avast Doesn't Block XP Defender malware (ave.exe)
in [Spyware]
|
From: David Kaye on 4 Apr 2010 01:46 "Ant" <not(a)home.today> wrote: > >That's not very secure. Regardless, I set up this computer to behave as much like my customers' computers behave. In this way I can spot issues quickly. And it's been years since this particular machine has had any kind of infection at all. >Once malware gets in it often changes date stamps to match one of the >system files. Seldom, though. One of the easiest ways I've found to find the process causing an infection is to use a tool like PrcView to look within processes such as svchost, explorer, winlogon, etc and see the date stamps on the DLLs called. Makes it super-simple to spot them. >Since you appear to do this for a living you ought to know about >securing your machine. See my comments above. > >So did you kill it from task manager? Actually, no. Because I immediately knew what it was, I shut down the computer, booted from BART PE and manually copied back snapshots of the registry. >You can't rely on AV apps to protect a machine - they are a last ditch >resort. None of them can detect everything because malware is re- >packaged every day to avoid detection. The AV vendors are always >trying to catch up. This is where heuristic scanning comes in and why MBam can catch nearly everything. I had the impression, reading from Avast's documentation and various postings from people that Avast also had similar heuristic scanning. Apparently not. >You didn't say which browser was involved. Is it up-to-date? What >plugins and other applicatiuons are used as helpers to view embedded >content and are they sercurely configured and up-to-date? Think about >Java (not javascript), PDF and Flash viewers, ActiveX components and >other media players. Do you allow them to run automatically? Again, this particular computer is set up to imitate real world scenarios as are present in my customers' computers. Prior to the infection I had visited several websites from Google links. I did not click on anything within those web pages. I don't recall if there was a pdf among the stuff I looked at or not. My machine is set up top warn about ActiveX, but not Java, Flash, or pdfs. However, downloading of exe and dll files should be triggering *something* to warn me. As someone suggested, perhaps something else is being renamed as an exe. I did notice one thing that may be a clue. I couldn't run exe files any longer until I entered the exe extension in the filetypes section to replace what had been there. This was after the registry rollback, so I'm not sure where the exe reference was being pulled from. It should have reverted just like all other registry entries. So, indeed it could well be that ave.exe is really something non-exe that got renamed and thus wasn't detected by Windows as being bogus. I have not saved the ave.exe file to look at it. Perhaps I should have, but I had to use this particular computer and just wanted to get rid of the malware.
From: Heather on 4 Apr 2010 00:56 "David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hp94gg$ekl$4(a)news.eternal-september.org... > "Heather" <fergie(a)canada.invalid> wrote: > >>OK Shaggy......I will add to this cuz I have an obsession re correct time. >>He has his Time Zone set wrongly.......right? As it is now Daylight >>SAVING >>Time (which he may not have checked off), it is only 4 hours different to >>GMT........not 5. > > My time zone and my DST offset are NOT set wrong. I'm also a time geek > and > I'm aware that the U.S. now advances DST time 3 weeks ahead of when it > used to > start. Hey David.....I am not arguing with you, but if all 3 of us are using ES and your time is an hour ahead of the two of us........something is out of whack on your end. It is 12:55 am as I type this. Cheers......Heather
From: David Kaye on 4 Apr 2010 02:04 "Heather" <fergie(a)canada.invalid> wrote: >Hey David.....I am not arguing with you, but if all 3 of us are using ES and >your time is an hour ahead of the two of us........something is out of whack >on your end. It is 12:55 am as I type this. I guess I'll just chalk it up to being a forward thinker.
From: Heather on 4 Apr 2010 01:08 "David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hp96ke$sld$1(a)news.eternal-september.org... > "Heather" <fergie(a)canada.invalid> wrote: > >>Hey David.....I am not arguing with you, but if all 3 of us are using ES >>and >>your time is an hour ahead of the two of us........something is out of >>whack >>on your end. It is 12:55 am as I type this. > > I guess I'll just chalk it up to being a forward thinker. 8-)) >
From: The Central Scrutinizer on 4 Apr 2010 02:19
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message news:hp85v4$ua4$3(a)news.eternal-september.org... > "FromTheRafters" <erratic(a)nomail.afraid.org> wrote: > >> >>Were you running as administrator at the time of the "attack"? > > Running XP Pro with a default user with admin privileges. This will pretty much trump AV protection. |