Author Topic: avast! miss(ed) some malware. VPS updated.


Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
avast! miss(ed) some malware. VPS updated.
« on: July 18, 2005, 03:28:09 AM »
Some malware detected by AVG (Free, 7.10.321, 267.9.0/50) and Ewido Security Suite (Free, 3.5, #1333) but missed by avast! (Professional, 4.6.691, 0528-6)

Registry key: HKLM\SOFTWARE\Classes\CLSID\{FF8DA190-3574-11D4-8068-0060082AE372}
Malware: Spyware.BingoFun

Registry key: HKU\S-1-5-21-1417001333-796845957-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{C1E58A84-95B3-4630-B8C2-D06B77B7A0FC}
Malware: Spyware.NavExcel

File: \ToolbarCop 2.5.exe
Malware: Heuristic.Win32.Hijacker1

File: \MyCorkboard Screen Saver 1.00.99.exe/F0000014.DAT
Malware: TrojanDownloader.Small.Go

File: C:\WINDOWS\system32\Kaccjdmp.exe
Malware: Backdoor.Padodor.az

File: C:\WINDOWS\system32\Kaccjdmp.exe
Malware: Backdoor.Padodor.az

File: C:\WINDOWS\system32\Kaccjdmp.exe
Malware: Trojan horse  BackDoor.Generic.GAX

File: C:\WINDOWS\system32\Noflpjbp.dll
Malware: Trojan horse  BackDoor.Generic.GGC

File: C:\WINDOWS\system32\taras.exe
Malware: TrojanDownloader.Agent.ho

File: C:\WINDOWS\system32\sysinst54.exe
Malware: TrojanDownloader.Small.bcu

File: C:\WINDOWS\system32\sysinit32z.exe
Malware: TrojanDownloader.Small.bcv

File: C:\WINDOWS\system32\sys5622.exe
Malware: TrojanDownloader.Small.bct

File: C:\WINDOWS\system32\sys5620.exe
Malware: TrojanDownloader.Small.bct

File: C:\WINDOWS\system32\sys5350.exe
Malware: TrojanDownloader.Small.bcu

Other infected files created in C:\Documents and Settings\ ... \Local Configurations\Temp\
bszd5358.tmp; bszd5631.tmp; bszd7764.tmp

Samples sent to Alwil  :-\
« Last Edit: August 03, 2005, 01:57:59 PM by Tech »
The best things in life are free.
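As an added illustration (not code from the post or from any of the products named in it), the indicators Tech listed above can be turned into an offline check of a file listing. Assumptions: Windows paths compare case-insensitively, a bare name with no drive letter (such as "\ToolbarCop 2.5.exe") matches on file name only, and the three bszd####.tmp files are generalised to a four-digit pattern; the listing at the end is constructed, not a real scan.

```python
import re

# Indicators transcribed from the post above: (path or bare file name, detection name).
# The MyCorkboard detection was on an archive member inside the .exe, so only the
# container name is listed here.
INDICATORS = [
    (r"\ToolbarCop 2.5.exe", "Heuristic.Win32.Hijacker1"),
    (r"\MyCorkboard Screen Saver 1.00.99.exe", "TrojanDownloader.Small.Go"),
    (r"C:\WINDOWS\system32\Kaccjdmp.exe", "Backdoor.Padodor.az"),
    (r"C:\WINDOWS\system32\Noflpjbp.dll", "BackDoor.Generic.GGC"),
    (r"C:\WINDOWS\system32\taras.exe", "TrojanDownloader.Agent.ho"),
    (r"C:\WINDOWS\system32\sysinst54.exe", "TrojanDownloader.Small.bcu"),
    (r"C:\WINDOWS\system32\sysinit32z.exe", "TrojanDownloader.Small.bcv"),
    (r"C:\WINDOWS\system32\sys5622.exe", "TrojanDownloader.Small.bct"),
    (r"C:\WINDOWS\system32\sys5620.exe", "TrojanDownloader.Small.bct"),
    (r"C:\WINDOWS\system32\sys5350.exe", "TrojanDownloader.Small.bcu"),
]
# Assumption: the temp droppers follow a bszd + four digits pattern under any Temp folder.
TEMP_PATTERN = re.compile(r"\\temp\\bszd\d{4}\.tmp$", re.IGNORECASE)

def _norm(path):
    """Windows-style, lower-cased path for case-insensitive comparison."""
    return path.replace("/", "\\").lower()

def _basename(path):
    return _norm(path).rsplit("\\", 1)[-1]

def match_listing(listing):
    """Return (path, detection) for every listed file that matches an indicator."""
    hits = []
    for path in listing:
        n = _norm(path)
        for ioc, name in INDICATORS:
            i = _norm(ioc)
            if i.startswith("\\"):          # bare name: compare file name only
                if _basename(n) == i[1:]:
                    hits.append((path, name))
            elif n == i:                     # absolute path: exact match
                hits.append((path, name))
        if TEMP_PATTERN.search(n):
            hits.append((path, "unnamed temp dropper (see list above)"))
    return hits

# Constructed listing for the demonstration, not output of a real scan.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\kaccjdmp.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"D:\Downloads\ToolbarCop 2.5.exe",
    r"C:\Documents and Settings\User\Local Settings\Temp\bszd5358.tmp",
    r"C:\Documents and Settings\User\Local Settings\Temp\bszd9999.tmp",
]

if __name__ == "__main__":
    for path, name in match_listing(SAMPLE_LISTING):
        print(f"{name}: {path}")
```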

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: avast! miss some malware
« Reply #1 on: July 18, 2005, 03:28:44 AM »
Otherwise:
False positive of Ewido: \RejZoR's AdBlock Filter.zip/RejZoR's AdBlock Filter/RejZoR's AdBlock Filter.zip/RejZoR's AdBlock Filter.txt

Sorry RejZor  :'(

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: avast! miss some malware
« Reply #2 on: July 18, 2005, 03:39:15 AM »
Malware creates tons of infected files... avast! did not detect them (on-demand scanning did not detect them either)  :'(
Files are replicated (about 2000 in different folders). In fact a terrible infection  :P
List on the attached file because it's too big for here.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: avast! miss some malware
« Reply #3 on: July 18, 2005, 07:56:29 AM »
Thx for the warning Tech, I notified the Ewido guys and I'm now waiting for them to fix the stuff.

Tech, can you tell me the detection name of Ewido on my AdBlock filterlist?
« Last Edit: July 18, 2005, 09:03:53 AM by RejZoR »
Visit my webpage Angry Sheep Blog

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: avast! miss some malware
« Reply #4 on: July 18, 2005, 01:48:09 PM »
Ewido guys said that my latest filterlist isn't detected. Are you using the latest list or not?

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: avast! miss some malware
« Reply #5 on: July 18, 2005, 03:34:51 PM »
Ewido guys said that my latest filterlist isn't detected. Are you using the latest list or not?
For sure... I'll try again, but not now because I'm leaving on a work trip.
Just to note here:

Worst of all: avast! detects nothing!
Cleaning was only possible with AVG in Safe Mode!  :P
AVG did not miss any sample and AVG did not have any false positive. Perfect in this case.

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: avast! miss some malware
« Reply #6 on: July 18, 2005, 03:40:34 PM »
Yeah, I'm also worried about avast! a bit :-\ They add submitted samples way too slowly unless they are really urgent.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: avast! miss some malware
« Reply #7 on: July 24, 2005, 10:43:02 PM »
Yeah, I'm also worried about avast! a bit :-\ They add submitted samples way too slowly unless they are really urgent.
You're worried? I'm terrified  :o :o
After one week nothing has changed; the files (samples) sent to Alwil were not added to the VPS database!  :'( :-\ :(
What's that? Is this the normal response time? I'm terrified, really, the samples are detected by NAV, AVG and Trojan Hunter among others...

By the way, the secure Microsoft Antispyware did not detect them the first time either... So, why waste system resources on residents that do not detect anything?  :(


Scanning of selected files
------------------------------------------------------------------------------------------
Program will try to scan 13 selected file(s) in the Chest

...

No viruses found!  :P :'(
« Last Edit: August 14, 2005, 02:59:12 PM by Tech »

Starfighter

  • Guest
Re: avast! miss some malware
« Reply #8 on: July 30, 2005, 08:52:38 AM »
Just curious Tech -- did you first suspect something was wrong with your computer (suspected malware) so you first scanned it with avast!, it found nothing, so then you uninstalled it and then installed AVG to see if it could detect problems? 

What a nightmare!  I trust it's all sorted out for you now.    8)

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: avast! miss some malware
« Reply #9 on: July 30, 2005, 03:14:24 PM »
@ Tech
Are you still browsing using an account with administrator privileges? If so, this also gives admin privileges to the virus and allows virtually unrestricted functionality: creation/editing/deletion of files in the system folders, creating registry keys, etc.

Browsing (email, etc.) with restricted permissions should reduce the impact of this first day/undetected virus scenario.

Security Tips & Tricks - DropMyRights
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.3.6108 (build 24.3.8975.762) UI 1.0.801/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline RejZoR

  • Polymorphic Sheep
  • Serious Graphoman
  • *****
  • Posts: 9406
  • We are supersheep, resistance is futile!
    • RejZoR's Flock of Sheep
Re: avast! miss some malware
« Reply #10 on: July 30, 2005, 03:42:40 PM »
Layered defense, limited user accounts and other crap is not something that I would take as an excuse for slow adding of samples...

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: avast! miss some malware
« Reply #11 on: July 30, 2005, 03:48:26 PM »
Just curious Tech -- did you first suspect something was wrong with your computer (suspected malware) so you first scanned it with avast!, it found nothing, so then you uninstalled it and then installed AVG to see if it could detect problems?  What a nightmare!  I trust it's all sorted out for you now.    8)
I was browsing. I stupidly clicked and a Trojan was downloaded and installed. avast! couldn't recognize it; it does not have signatures for it. So, no provider did anything to protect me. Microsoft Antispyware failed miserably too. The firewall did not alert me until the next boot, but the virus used some kind of 'workaround' to get access to the Internet. I think it's the same procedure that some anti-piracy features use: they use the browser's HTTP protocol and bypass the firewall. I can't understand it, as the firewall should have alerted me that a program was being called by another one. But, you know, this is a virus and they make it.

Less than one minute after a 'freeze', I got a BSOD. I think this was the virus's strategy to avoid being detected and to force the user to boot.
Next boot, infection, nightmares and so on.
I booted in Safe Mode and used on-line scanning. All scans confirmed the infection, except avast!
Ran AVG to send the infected files to a USB drive. Got clean. Confirmed by on-line scanning.
Boot. Tested the USB drive with avast! on-demand scanning. Nothing was detected.  :'(

@ Tech
Are you still browsing using an account with administrator privileges? If so, this also gives admin privileges to the virus and allows virtually unrestricted functionality: creation/editing/deletion of files in the system folders, creating registry keys, etc.
I'm now using DropMyRights with ease... (well, right now, I'm on Linux  ;D).
I wish I'd listened to your advice before... It's doing its job perfectly: Browsing (email, etc.) with restricted permissions should reduce the impact of this first day/undetected virus scenario.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67194
Re: avast! miss some malware
« Reply #12 on: July 30, 2005, 03:49:07 PM »
Layered defense, limited user accounts and other crap is not something that I would take as an excuse for slow adding of samples...
It's what I'm trying to say...  :'(

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89012
  • No support PMs thanks
Re: avast! miss some malware
« Reply #13 on: July 30, 2005, 04:06:15 PM »
It is not an excuse for slow adding of samples, rather a means of protecting people from the damage that can be done before you even get a sample to send.

There is nowhere in my post that I offered this up as some form of excuse; it is more to reduce what happened to Tech ("Files are replicated (about 2000 in different folders). In fact a terrible infection") happening to others. An ounce of prevention is better than a pound of treatment.

TAP

  • Guest
Re: avast! miss some malware
« Reply #14 on: July 31, 2005, 04:02:05 AM »
I stupidly clicked and a Trojan was downloaded and installed. avast! couldn't recognize it; it does not have signatures for it. So, no provider did anything to protect me. Microsoft Antispyware failed miserably too. The firewall did not alert me until the next boot, but the virus used some kind of 'workaround' to get access to the Internet. I think it's the same procedure that some anti-piracy features use: they use the browser's HTTP protocol and bypass the firewall. I can't understand it, as the firewall should have alerted me that a program was being called by another one. But, you know, this is a virus and they make it.

Hi Tech,

If you had a so-called "Host Intrusion Prevention System/Behavior Blocking" installed on your computer, this nightmare infection should not have happened, I think.

Behavior Blocking doesn't rely on signatures to stop malware; on the contrary, it analyzes/stops the general behavior of all applications (including malware). I've used the Behavior Blocking featured in Kerio Personal Firewall and it has saved me several times when avast! and other security apps failed to do their job.

When malware is downloaded to disk and wants to run, Kerio blocks it and asks me. When malware wants to start or launch other apps (e.g. IE) to do something, Kerio blocks it and asks me. You have full control over any apps (including malware) installed on your computer.

Kerio has no Host Intrusion Prevention System/Behavior Blocking as advanced as Prevx, but it can be the last line of a layered defence for you.

« Last Edit: July 31, 2005, 04:10:26 AM by TAP »