Avast Doesn't Block XP Defender malware (ave.exe)
in [Anti-Virus]
|
From: Leythos on 5 Apr 2010 07:58 In article <cdWdnZdjHOWkUiTWnZ2dnUVZ8qCdnZ2d(a)bt.com>, BoaterDave(a)hotmail.co.uk says... > God sure moves in mysterious ways! > My guess is that he would ask you to take the off-topic things to email or some group where it fits - this is a anti-malware group. -- You can't trust your best friends, your five senses, only the little voice inside you that most civilians don't even hear -- Listen to that. Trust yourself. spam999free(a)rrohio.com (remove 999 for proper email address)
From: Beauregard T. Shagnasty on 5 Apr 2010 08:45 ~BD~ wrote: >> <snip> Asked and answered. Why don't you agree to meet your new chum PCButts for dinner this evening? -- -bts
From: Ant on 5 Apr 2010 08:48 "David Kaye" wrote: > What I'm getting at is that I use the best of off the shelf freebie programs > my customers would tend to download. As for updates, typically when I first > see them they have default Windows services turned on, so that they are up to > date on Windows updates, What about non-MS updates? > I'm using IE8 Version 8.0.6001.18702. That should be reasonably safe, hence the importance of checking 3rd party (non-MS) plugins and helper apps. > I know you mean well, but believe me, I already know about this stuff. I appreciate you have some clue and that's why I'm interested in how you got infected. If all your software was fully updated this drive-by infection should not have happened. If it was a new vulnerability, AKA a zero-day exploit, then I'm particularly interested in knowing what it was. When executable code runs via an exploit like a buffer overflow and code injection there's no guarantee that an otherwise securely configured OS can spot it. DEP (data execution prevention) can help prevent this kind of attack if available for the machine. > I noted the file date/time and have looked back on this. As I said, you need to examine the cached files to have any hope of finding the exploit. Of course, you will need to have an understanding of file formats and know what to look for. > The exploit appears > to have come from foxnews, officedepot, or officemax -- the time stamps are > within a few seconds of each other and show up right before the time stamp > that was written to the temp directory in my documents and settings tree. You see, my probing has caused you to give more information which then prompted someone else to reply with a link to a forum about the Faux News site infection. Although that discussion is a year old, the problem of legitimate sites serving up malware through adverts or hacked servers is still a real one. It appears those exploits were via buggy ActiveX controls which have all now been patched. >>More important is to find the vulnerable software component that >>allowed it to run. > > Yes. Also, since I was able to get this infection I suspect that I'll be > getting frantic calls this coming week from others. I'm getting tempted to > set people up as limited users, even though that creates headaches in itself > (such as the inability to run QuickBooks properly, which I mentioned before). You should at least disallow the automatic running of PDFs, look at tightening browser security settings, and perhaps change the browser to Firefox or Opera if they are not using IE 8. XP's default settings are no longer sufficient.
From: Ant on 5 Apr 2010 09:18 "~BD~" wrote: > David Lipman *has* > emailed me with evidence of 'catching out' hidden passwords in code used > by TRT/BCButts. I also had an email from TRT asking me to tell him/her > what DHL had said. > > My problem remains, though, in that there is no way I can be *100%* sure > which is telling the truth! You either accept what respected posters here (ACAV) say or you analyse the files yourself. I can say that I've also found evidence in butts' files that they were copied and altered by him in an attempt to conceal the real authors.
From: ~BD~ on 5 Apr 2010 09:19
Beauregard T. Shagnasty wrote: > ~BD~ wrote: >>> <snip> > > Asked and answered. > > Why don't you agree to meet your new chum PCButts for dinner this > evening? > That was a very juvenile response, Bts. Which part of this did you fail to comprehend? :- If you are quite certain of your facts then I believe you have a public *duty* - maybe in conjunction with all those who are in agreement with you - to bring about a prosecution of the offending individual. I cannot believe that help in not available to you in Obama's USA. "Put your money where your mouth is" comes to mind. As they say in the navy "Make it so!" -- Dave |