Avast WEBforum
Consumer Products => Avast Free Antivirus / Premium Security (legacy Pro Antivirus, Internet Security, Premier) => Topic started by: TG on September 11, 2004, 04:44:33 AM
-
Till yesterday I was prasing Avast and was spreading it to everyone I know, But last time I had a attack called wincore I was able to see the file. I scaned the file with Avast Home edition and but it said all is fine and i searched the net it was a virus/Trojan Trend Micro had a detail decription. I ignored it and formatted my System. Similarly yesterday I had a attack called ntsysmgr.exe it was due to some vernability of XP. My firewall started shouting but Avast was quite! I found the ntsysmgr.exe located in system32 folder and I scaned it with Avast!!! It said everything is fine! I checked my hosts file. I was hot by surprised the trojan had already entries to stop me from visiting the anti virus sites. I removed the entries. I checked the net for the virus information and found Norton and Trend had removal tools!
I downloaded the Norton, scaned the entire system and it detected the ntsysmgr.exe as W32.HLLW.Gaobot virus! So now I have decided to move to Norton inspite its a paid version and slow downs my machine drastically!
-
Me too, I send a sample mslti64.exe = worm Gaobot and nothing, avast not detected yet. ???
-
Nothing catches everything guys. Other av progs miss things that Avast catches. I definitely wouldn't base my decision of an av prog on 1 or 2 misses. When I switched from Norton to Avast...Avast found 5 trojans that Norton missed and let live happily on my computer.
-
You meantioned the vulnerability of WinXP. Try to sweep before your doors first and update the system...
Also submit the sample to Alwil team (virus at avast dot com) so they will add it to definitions. They cannot add something that they don't have the sample.
Wish you luck with "paid" Norton ;) ;D
-
It is an illusion to think there is a application that detects all malware. if you like(d) Avast there is no need to switch to Norton. Norton, as well as all other av aplications, don't detect everything as well.
You didn't tell us the whole story, but from what you told it looks like the main reason of the infection is the users behaviour.
-
...
Wish you luck with "paid" Norton ;) ;D
...
Yeah, good point my friend RejZor, hahaha... "PAID" version... maybe it's suppose to be paid, but we all know how many people is paying for Norton... no one goes from best freeware antivirus to some stupid paid version, worst system hog ever... simply, there is no common sense to do that...
No matter avast didn't catch that trojan/virus, whatever, I never received any single on my computer... Like Eddy said, it's almost 95% up to user. Don't open every stupid attachment, or start executable files without checking them manually first... how hard is to right-click downloaded file and choose SCAN (Some File) from the pull down menu ? Other thing, I guess at least 70% of us is using some online virus checker... just in case if avast! wasn't so quick with antivirus definitions update, Housecall is always there and it's not interfering with avast! in any way. Great backup scanner, and first online choice.
Cheers !
-
Sad to see that through your actions or rather inactions, you have left vulnerabilities un-patched when MS patched them ages ago. Many love to bash MS but at least they patched the vulnerability, you didn't patch your system. You have to take responsibility for your computer security, sh*t happens and when it does don't forget to apportion blame to all concerned.
This worm takes advantage of the following Windows vulnerabilities:
* IIS5/WEBDAV Buffer Overflow vulnerability
* Remote Procedure Call (RPC) Distributed Component Object Model (DCOM) vulnerability
For more information about these Windows vulnerabilities, please refer to the following Microsoft Web pages:
* Microsoft Security Bulletin MS03-026
* Microsoft Security Bulletin MS03-007
It also attempts to log on to systems using a list of user names and passwords. It drops a copy of itself into accessible machines.
This worm has backdoor capabilities. It executes commands sent in via Internet Relay Chat (IRC) and can be used to launch a Denial of Service (DoS) attack against specified target sites.
It terminates certain antivirus processes.
This worm runs on Windows NT, 2000, and XP.
If you leave the door open don't be surprised if you get burgled, so what happens when Norton lets you down (it has already slowed your system), ditch that and get another? There are many happy ex Norton users in these forums. Don't rush to judgement, it's your loss.
-
1.Thank yu guys for your reply. What is the problem with MS is if a used had to format his HDD and reinstall the XP then he needs to start over again for updates! My Update manager is on! But even before I update the system i was hit by the Trojan. My last submission of Wincore is yet pending no updated signature is available their.
2.Honestly I hate Norton and paying too! But what is important is my data on the drive. I do know that no AV can be 100% perfect! but I atleast expect that Avast should catch the Virus 50% time when I'm hit! and 2 times i was hit and 2 times it failed!
3. Updating windowsXP is a joke! My update manager keeps downloading and patching the system all the time! But again what if you had to format again? If you do then you have to start over again patching the system. Good thing was I had a good firewall that alerted me!
4. Most important thing! If the package I install is not protecting my needs and is ready to catch the things I'm not getting hit by what is the use of it? Norton sucks! It has drastically slow down my system! But I'm much secure than Avast!
-
Also I dont use IE nor I use Outlook and I dont open every dam attachment not I download any dam thing! I'm very careful when it comes to downloading since my data on machine is pretty important for me. The Trojs that i was hit by were XP vernabilities and they can hit anyone who's XP is not constantly patched!
I use Firefox and Thunderbird and to all guys here using IE and Outlook trust me switch to Firefox and Thunderbird it will reduce your threat of Virus, Spam vernabilities by many many percentages!
-
So, you have an unpatched xp machine and you're wondering why you're getting infected?
-
No! Getting infection on XP is a pretty common thing! I'm wondering for Avast even when I found the exact file Avast was unable to detect it! Later i moved those 2 files to Desktop [cool.exe and ntsysmgr.exe] right clicked on them and asked Avast to scan them and still Avast was saying they are clean! no virus found! same files when installed Norton immediately were removed by Norton!
-
Did you try sending them to avast for checking?
As people said above, there is no 100% protection
Also avast provides email, phone, and forum support to free aswell as paying customers, nortan is somewhat unfriendly to the paying customer anless you are a big company.
Another thing, when Nortan fails to detect 1 - 2 virus(es), are you going to change you anti-virus again and waste more money?
--lee
-
You didn't tell us the whole story, but from what you told it looks like the main reason of the infection is the users behaviour.
can you say "PEBKAC" ? ::)
-
TG, there is no excuses for this lack of detection...
Can you send cool.exe and ntsysmgr.exe files for Alwil to analysis (virus at avast.com)?
Anyway, we can discuss your avast configurations...
For instance, you said, right clicking the files and scanning them. Well, you should know the differences between the Home version and the Quick scanner of avast, for instance. It's not an excuse. Just differences between programms. :-\
-
TG wrote:
...
...
3. Updating windowsXP is a joke! My update manager keeps downloading and patching the system all the time! But again what if you had to format again? If you do then you have to start over again patching the system. Good thing was I had a good firewall that alerted me!
...
...
There is very good solution for that problem. It's called AutoStreamer and you can download it from here:
http://mhtools.knoware.nl/raptor/autostreamer/AutoStreamer.zip (http://mhtools.knoware.nl/raptor/autostreamer/AutoStreamer.zip)
Interesting thing is Slipstreaming of Windows XP (no matter is it Home Edition or Pro or even Corporate edition) and SP2. It's unbelievable easy for use, just follow instructions on screen. When you slipstream it into one ISO file, you can burn it on CD and after that you have your copy of Windows XP (Home or Pro edition) + SP2 included. As soon as you finish installing your Windows from that CD (assuming that you're going to perform clean-install after format sometimes in the future, as you mentioned above), SP2 is already installed. No need to wait untill it's downloaded and installed every single time you want to install Windows again... IMHO, unbelievable simple... however - best tool ever !
Cheers !
-
But if this agobot is so old, and a lot of AV programs catch it, why avast doesn't?
I've already sent samples for them, one in September 8th and the other on the 9th, zipped.
What happened to them? It's already 11/9 and no new updates happened.
-
But if this agobot is so old, and a lot of AV programs catch it, why avast doesn't?
Maybe a variant, polimorphism or whatever... I'm not a virus expert. Again, I'm not apologizing (I'm not from avast team ;D), just telling you that could be a problem of configuration, the user must know how the programm (and its parts) works, etc.
I've already sent samples for them, one in September 8th and the other on the 9th, zipped. What happened to them? It's already 11/9 and no new updates happened.
Well, it's not so bad... Try any other antivirus company. It's summer holidays now. But, sorry, I feel your pain and don't want to give an answer for all your needs... It's a pity what happened. What can we do now?
-
Sasha
I agree with you. Just made one of those for a friend of mine who had to do a re-install of Win XP. After this clean install, there was only one minor update from MS. It even cured his problem of not having Avast! recognized by the security center.
-
TG, there is no excuses for this lack of detection...
Can you send cool.exe and ntsysmgr.exe files for Alwil to analysis (virus at avast.com)?
Anyway, we can discuss your avast configurations...
For instance, you said, right clicking the files and scanning them. Well, you should know the differences between the Home version and the Quick scanner of avast, for instance. It's not an excuse. Just differences between programms. :-\
Technical, can you clarify? What do you mean when you say differences between home version and quick scanner of Avast. Are you saying that the scan method used was incorrect?
Usually after downloading a file, I right click on it and have Avast scan it using the explorer extension. I also have Avast scan all created and modified files. Is this the incorrect procedure of checking a file?
-
Cochise, I can figure out two differences:
1. Sensibility
2. Report hability
Both programs react different, ashQuick.exe, for instance, cannot be configurated to scan other packers than ZIP and ARJ. Home version, on-demmand, could.
ashQuick.exe does not report 'password' protected files, you can try...
I think it's not a matter of correct or incorrect scanning method, but what are you scanning, in which extension (deep), what will be reported to you and so on. ;)
-
Well actually its not like that. My avast! Home Edition scans inside all archive types not just ZIP and ARJ. And its not tweaked in any way,its on default settings. It can even clean infected file from the archive.
ashQuick scans all files without virus targeting,content recognition and all archive types. Its not limited in any way even if its a free edition. Pro uses the same settings by default for Explorer Extension.
-
ashQuick scans all files without virus targeting, content recognition and all archive types. Its not limited in any way even if its a free edition. Pro uses the same settings by default for Explorer Extension.
I think not. :P
I need a confirmation from Alwil. :-\
-
I have tested with EICAR inside RAR. It was detected by ashQuick,belive me.
-
If i'm not mistaken, we've had a discussion about this once before. ???
-
I have tested with EICAR inside RAR. It was detected by ashQuick,belive me.
Agreed........
-
Same here...
-
But if this agobot is so old, and a lot of AV programs catch it, why avast doesn't?
There are 4000+ variants of agobot and similar network worms, and dozens come up every day, because the sourceCode was published on the net, so any script-kiddy can make their own and spread it..
As to being hit after formatting (while/before updating):
- the average time of infection of an unprotected PC is below 20 minutes..
- you MUST have all the ServicePacks and patches ready and have them APPLIED before EVER connectiong to the inet (after a reformat)
- and/or have a PROPERLY configured Firewall in place BEFORE connecting..
- Users of XP have it exceptionally easy now, as they can just apply ServicePack2 OFFLINE ;)
-
the sourceCode was published on the net, so any script-kiddy can make their own and spread it
Surely there must be people who remove such content (scrips) from the net so that people can't use them?
--lee
-
I've already sent samples for them, one in September 8th and the other on the 9th, zipped. What happened to them? It's already 11/9 and no new updates happened.
Maybe a variant, polimorphism or whatever... I'm not a virus expert. Again, I'm not apologizing (I'm not from avast team ;D), just telling you that could be a problem of configuration, the user must know how the programm (and its parts) works, etc.
Well, it's not so bad... Try any other antivirus company. It's summer holidays now. But, sorry, I feel your pain and don't want to give an answer for all your needs... It's a pity what happened. What can we do now?
I forgive, I only wanted to help the AVAST and to alert on this worm that he is so destructive, since I indicate it for all my friends. I do not want that they work in the holiday.
Thank's :'(
-
Atos, never mind 8)
Thanks God we have whocares here ;)