Avast WEBforum

Other => General Topics => Topic started by: Avastfan1 on March 04, 2009, 12:18:05 PM

Title: Dr.Web Cure.It
Post by: Avastfan1 on March 04, 2009, 12:18:05 PM
Dear Avast Forum Gurus,

Can anyone attest to the effectiveness and veracity of Dr.Web Cure.It?

Following the numerous recommendations from "Tech" on this forum, I decided to download it and let it run.

It found nothing except a 'possible.script.virus' in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regLocal.reg.

I believe this is a false positive.

An upload and scan with virustotal didn't find any virus. Only Dr. Web on virustotal registered a hit.

A search of the Dr.Web forum returned no matches.

Can anyone offer any insight on this?

A full scan with the latest definition files from MBAM, SuperantiSpyware, Spybot, Blacklight, Rootalyzer, Avast bootscan, Micro$oft MRT, ZA Anti-spyware and a HJT log (analysed at www.hijackthis.de) revealed absolutely nothing.

Thanks,

Avastfan1
Title: Re: Dr.Web Cure.It
Post by: Lisandro on March 04, 2009, 01:09:43 PM
Most probably a false positive in a reg file used by Spybot. Don't worry, especially as you already tested it on virustotal.
Dr Web on-demand scanning is a possibility when you have been infected with malware file infectors.
Title: Re: Dr.Web Cure.It
Post by: polonus on March 04, 2009, 03:10:11 PM
Hi Tech,

This is only partially true. DrWebCureIt is nice to have on a USB stick; always use the latest downloaded version of launch.exe from the Internet, downloaded with a clean machine. It is good for additional scanning, because it is a non-resident scanner and can be used in combination with resident avast.
In the case of destructive file infectors like the latest virut infections, there is no other solution than format and reinstall. Or you should, upon infection, change to SafeMode where the virus is not active and start to repair there, but because virut is randomly infecting and re-infects completely if some tiny trace of it is left (back-ups, reinfected files), I have no reports of where it has been accomplished.
Here it is virus against anti-malware, where anti-malware has NO CHANCE. Throw in the towel, over and out, total recall, hard to tell the truth, so better SafeHex and prevent infections: do not download risky files like keygens, illegal proggies etc.

polonus
Title: Re: Dr.Web Cure.It
Post by: Lisandro on March 04, 2009, 03:20:49 PM
Polonus, how is avast against Virut? No chance? :'(
Title: Re: Dr.Web Cure.It
Post by: DavidR on March 04, 2009, 04:05:52 PM
Quote from: Avastfan1
Can anyone attest to the effectiveness and veracity of Dr.Web Cure.It?

Following the numerous recommendations from "Tech" on this forum, I decided to download it and let it run.

It found nothing except a 'possible.script.virus' in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regLocal.reg.

I believe this is a false positive.

An upload and scan with virustotal didn't find any virus. Only Dr. Web on virustotal registered a hit.

You need only to look at the location to see it isn't a false positive as such, more a mis-named detection, and it isn't a confirmed detection either (see below), as it is located in the Backup folder of S&D, so this is a recovery file; a .reg file is a registry merge file.

e.g. when S&D deleted something it didn't like in the registry, it creates a backup so that you can restore the registry entry; it does that by creating a .reg file, which you would run to merge that registry entry back into the registry.

So DrWeb CureIt doesn't like it either, which isn't too surprising, as the .reg file would look like a script to edit the registry; see example image.

I don't fully know exactly what DrWeb actually looks for, as it would have to determine if the script is malicious, but the key word in all of this is 'possible'.script.virus.

DrWeb is a handy tool for both detection and repair of some of these file infectors.

Uploading a .reg file to VT I wouldn't think would get any hits, as the content in it, a registry key, isn't infected.
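DavidR's point is that a .reg backup is plain text that regedit merges into the registry, which is why a heuristic can call it a 'possible' script. The practical way to judge such a hit is to read what the file would actually write. The following is an added example, not code from the forum, Spybot or Dr.Web: a small parser for the regedit export format (REGEDIT4 / Windows Registry Editor Version 5.00) that lists the keys and values a file would create or delete, and flags any value it would put back under a common autostart key so a reviewer can decide whether merging the backup is sensible. The sample .reg content and the autostart watch-list are constructed for the example.

```python
"""Offline triage of a Windows .reg (registry merge) file.

Added example for this thread, not code from the forum, Spybot or Dr.Web.
A .reg file is text that regedit merges into the registry, so a scanner that
sees "script-like" registry edits may flag a backup.  Listing what the file
would write is the practical way to judge such a hit before merging it back.
"""
import re

# Constructed watch-list (lower-case substrings) of persistence locations
# worth a second look when a .reg file would (re)create values under them.
AUTOSTART_KEY_MARKERS = (
    r"\microsoft\windows\currentversion\run",
    r"\microsoft\windows\currentversion\runonce",
    r"\microsoft\windows nt\currentversion\winlogon",
)

# Constructed sample modelled on a Spybot-style backup: two autostart
# restores, a settings key with several value types, and one key deletion.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

; constructed sample, not a real backup
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="\"C:\\Program Files\\Example\\updater.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"

[HKEY_CURRENT_USER\Software\Example\Settings]
@="default value"
"LastRun"=dword:0000000a
"Paths"=hex(7):43,00,3a,00,5c,00,00,00,\
  44,00,3a,00,5c,00,00,00,00,00
"Old"=-

[-HKEY_CURRENT_USER\Software\Example\Stale]
"""

VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: \\" becomes " and \\\\ becomes \\."""
    return re.sub(r'\\(["\\])', r'\1', s)


def decode_data(data):
    """Decode the right-hand side of a value line into a (type, value) pair."""
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[len("dword:"):], 16))
    m = re.match(r"^hex(?:\(([0-9a-fA-F]+)\))?:(.*)$", data)
    if m:
        type_code = int(m.group(1), 16) if m.group(1) else 3   # bare hex: is REG_BINARY
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if type_code == 2:   # REG_EXPAND_SZ, stored as UTF-16LE
            return ("REG_EXPAND_SZ", raw.decode("utf-16-le").rstrip("\x00"))
        if type_code == 7:   # REG_MULTI_SZ, NUL-separated UTF-16LE strings
            return ("REG_MULTI_SZ", [s for s in raw.decode("utf-16-le").split("\x00") if s])
        return ("REG_BINARY" if type_code == 3 else f"hex({type_code:x})", raw)
    raise ValueError(f"unsupported value data: {data!r}")


def parse_reg(text):
    """Parse .reg text into entries of {'key', 'delete_key', 'values'}.

    'values' holds (name, (type, value) or None, deleted) tuples.
    """
    entries, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                        # continuation of a hex value
            name, data = pending
            data += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, data)
            else:
                current["values"].append((name, decode_data(data), False))
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith(("REGEDIT4", "Windows Registry Editor")):
            continue
        if line.startswith("[") and line.endswith("]"):   # [-KEY] means delete the key
            path = line[1:-1]
            current = {"key": path.lstrip("-"), "delete_key": path.startswith("-"), "values": []}
            entries.append(current)
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            raise ValueError(f"unparseable line: {raw!r}")
        name = "(Default)" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3).strip()
        if data == "-":                                # "Name"=- deletes the value
            current["values"].append((name, None, True))
        elif data.endswith("\\"):
            pending = (name, data.rstrip("\\").strip())
        else:
            current["values"].append((name, decode_data(data), False))
    if pending is not None:
        raise ValueError("file ends inside a continued hex value")
    return entries


def triage(entries):
    """Return (key, name, decoded) for each value the file would write under an autostart key."""
    findings = []
    for entry in entries:
        if entry["delete_key"]:
            continue
        if any(marker in entry["key"].lower() for marker in AUTOSTART_KEY_MARKERS):
            for name, decoded, deleted in entry["values"]:
                if not deleted:
                    findings.append((entry["key"], name, decoded))
    return findings


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for e in parsed:
        action = "DELETE key" if e["delete_key"] else f"{len(e['values'])} value(s)"
        print(f"{e['key']}: {action}")
    for key, name, decoded in triage(parsed):
        print(f"  review: {key}\\{name} = {decoded}")
```

Run against a real backup, the "review" lines are the ones to read before merging: a Run or Winlogon value pointing at a path you do not recognise is what would justify keeping the scanner's verdict, whereas ordinary settings keys and value deletions are what a 'possible' heuristic most often trips over.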
Title: Re: Dr.Web Cure.It
Post by: polonus on March 04, 2009, 04:09:57 PM
Hi malware fighters,

@Tech
No... in the case that some of your executables are infected, you may as well say goodbye to your system and have to FFR (fdisk - format - reinstall).
What I would like to emphasize is how they can improve against the way of infecting: running as System via WinLogOn, infecting from being loaded and running in memory. In a specific way it knows how to pass the Windows File Protection scheme, and we have only MS to report on that issue lately; av vendors have left users in the dark about this a great deal, and have been very silent about the circumvention of WFP. I would like to hear if it is possible to harden against this circumvention. The mods were clear about this: in the case of an infection there is no known remedy (not yet, or never?). So better prevent infection through the normal methods: upgrade and patch your OS and third-party software, use normal user rights for normal online activities, use in-browser protection like NoScript in Flock or Fx, and abstain from risky online activities like downloads (keygens, cracks, p2p etc.); that is the main line for the moment, and this story was confirmed by "essexboy" and "miekiemoes".

P.S. A way to prevent the circumventing of Windows File Protection is to hide the files in question and make them "hidden" to the virus and not to the OS (there is software that does this); if this can be accomplished will be my question to the av-developers....

@Avastfan1 upload your questionable file (you think it could be a False Positive) to virustotal.com and see what they find, and report that here as a link. As they found nothing, it shows it is a heuristic find (virustotal does not report these), and that makes the possibility of a FP even greater, or it is more recent.


polonus
Title: Re: Dr.Web Cure.It
Post by: DavidR on March 04, 2009, 04:26:23 PM
He did upload it to VT.
Quote from: Avastfan1
An upload and scan with virustotal didn't find any virus. Only Dr. Web on virustotal registered a hit.
Title: Re: Dr.Web Cure.It
Post by: Lisandro on March 04, 2009, 04:28:38 PM
Quote from: polonus
av vendors have left users in the dark about this a great deal, and been very silent about the circumvention of WFP, and I like to hear if it is possible to harden against this circumvention, the mods were clear about this - in the case an infection there is no known remedy (not yet or never?).
Well... some acknowledgment from Alwil team will be good... Maxx?

Quote from: polonus
P.S. A way to prevent the circumventing of Windows File Protection is to hide the files in question and make them "hidden" to the virus and not to the OS (there is software that does this), if this can be accomplished will be my question to the av-developers....
Which is this software? Is it easy to use?
Title: Re: Dr.Web Cure.It
Post by: polonus on March 04, 2009, 06:18:38 PM
Hi Tech,

But these programs aren't free, like this: file protectors...

Maybe someone knows of a free one.


pol
Title: Re: Dr.Web Cure.It
Post by: Lisandro on March 04, 2009, 06:57:25 PM
Quote from: polonus
But these programs aren't free
:'( :'(
Title: Re: Dr.Web Cure.It
Post by: George Yves on March 04, 2009, 07:29:39 PM
Quote from: polonus
But these programs aren't free, like this: http://www.filedudes.com/Protect_Folder_98-download-15018.html
According to WOT this site is "used for the distribution of "rogue" security or other such applications".
Title: Re: Dr.Web Cure.It
Post by: cod head on March 04, 2009, 07:38:37 PM
Scorecard for filedudes.com is: Used for the distribution of rogue or fake software. Comment by H.P.Hosts. But I always download from the maker's site where possible anyway. I find you get an up-to-date and genuine product that way.
Title: Re: Dr.Web Cure.It
Post by: polonus on March 04, 2009, 07:53:02 PM
Hi folks,

I have taken off the link, despite the fact that Exploit Prevention Labs LinkScanner gives it the all green:
Congratulations! LinkScanner Online did not find any exploits. The direct link goes to:
hxxp://www.everstrike.com/
but the general idea is a file protector that hides the file from anyone other than the user and programs. But all the genuine programs for this are paid versions; others might be questionable.
Does someone know of a good free alternative to do this job, or could avast add the functionality to protect against the access point of this kind of file infector...

@George Yves - obscure the mentioned link also, will ye?

@all
Here is an extensive description of how the virus is defeating Windows File Protection:
http://woodmann.cjb.net/forum/blog.php?b=36
This has not been discussed again since 2007, but still it is very topical!

polonus
Title: Re: Dr.Web Cure.It
Post by: essexboy on March 04, 2009, 10:13:34 PM
If you can stop the main infector before it starts to run on your system then Virut is not a problem. The latest sample uploaded to virustotal was detected as Virut by Avast. But once it is in then the problems start; Dr Web can cure the infected files that it finds, but it is a buggy virus and does not fully infect some files. Dr Web now has a live cd for this type of infection which runs outside of windows. I have used it once with good effect, but unfortunately Virut corrupted a fair quantity of system files by not infecting them properly. So we ended up having to reformat, but it was good practice.
Title: Re: Dr.Web Cure.It
Post by: polonus on March 04, 2009, 10:26:00 PM
Hi essexboy,

That is reassuring info for those that are not infected. Still leaves the questions about the power of using "Sys debug" surpassing "full Admin" - so malware can come to run using some sort of "Super User" rights.
Why has no av vendor addressed this, and what about this mysterious interrupt Int 0x2C? What about this?
A similar raising of rights was patched by Microsoft (else a user using "normal user rights" would have run the same risks as those with "Full Admin"), but the above mentioned hack has not been addressed; rather a dangerous hole, I presume?

Damian
Title: Re: Dr.Web Cure.It
Post by: Avastfan1 on March 05, 2009, 12:00:22 AM
Dear Avast Forum Gurus,

Firstly, thank you all for the detailed and prompt response. The fact that experts have replied above and confirmed the 'false-positive' view is fantastic.

I am still undecided about Dr.Web Cure.It. Tech has outed himself (herself?) as a supporter whereas I see caution from other forum gurus. The comments from Polonus and DavidR are also insightful.

Perhaps I should further research the program. I must say I didn't find the Dr. Web Cure.IT forum very helpful. Admittedly it was only a quick look but the quality of the posts seemed to pale into insignificance compared to the Avast forum.

Thanks for the information and keep up the cracking work lads!

Avastfan1
Title: Re: Dr.Web Cure.It
Post by: polonus on March 05, 2009, 12:12:43 AM
And Avastfan1 this is to be avoided:

Avoid gaming sites, pirated software, cracking tools, key-gens, and peer-to-peer (P2P) file sharing programs. They are a security risk which can make your computer susceptible to a smörgåsbord of malware infections, remote attacks, exposure of personal information, and identity theft. Many malicious worms and Trojans spread across P2P file sharing networks, gaming and underground sites. Users visiting such pages may see innocuous-looking banner ads containing code which can trigger pop-up ads and malicious Flash ads that install viruses, Trojans and spyware. Ads are a target for hackers because they offer a stealthy way to distribute malware to a wide range of Internet users. The best way to reduce the risk of infection is to avoid these types of web sites and not use any P2P applications. Read P2P Software User Advisories and Risks of File-Sharing Technology. So I would go for Firefox with NoScript installed and active and the AdBlockPlus extension to block the ads and banners you do not want to show.

Be safe and secure online,
is the wish and command of,

polonus
Title: Re: Dr.Web Cure.It
Post by: Lisandro on March 05, 2009, 12:18:13 AM
Quote from: Avastfan1
Tech has outed himself (herself?)
Himself for sure...