Author Topic: Dr.Web Cure.It  (Read 10091 times)


Avastfan1

  • Guest
Dr.Web Cure.It
« on: March 04, 2009, 12:18:05 PM »
Dear Avast Forum Gurus,

Can anyone attest to the effectiveness and veracity of Dr.Web Cure.It?

Following the numerous recommendations from "Tech" on this forum, I decided to download it and let it run.

It found nothing except a 'possible.script.virus' in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regLocal.reg.

I believe this is a false positive.

An upload and scan with virustotal didn't find any virus. Only Dr. Web on virustotal registered a hit.

A search of the Dr.Web forum returned no matches.

Can anyone offer any insight on this?

A full scan with the latest definition files from MBAM, SuperantiSpyware, Spybot, Blacklight, Rootalyzer, Avast bootscan, Micro$oft MRT, ZA Anti-spyware and a HJT log (analysed at www.hijackthis.de) revealed absolutely nothing.

Thanks,

Avastfan1

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Dr.Web Cure.It
« Reply #1 on: March 04, 2009, 01:09:43 PM »
Most probably a false positive on a reg file used by Spybot. Don't worry, especially as you already tested it on virustotal.
Dr Web on-demand scanning is a possibility when you have been infected with malware file infectors.
The best things in life are free.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33489
  • malware fighter
Re: Dr.Web Cure.It
« Reply #2 on: March 04, 2009, 03:10:11 PM »
Hi Tech,

This is only partially true. DrWebCureIt is nice to have on a USB stick; always use the latest downloaded version of launch.exe from the Internet, downloaded with a clean machine. It is good for additional scanning, because it is a non-resident scanner and can be used in combination with resident avast.
In the case of destructive file infectors like the latest virut infections, there is no other solution than format and reinstall. Or you should, upon infection, change to Safe Mode, where the virus is not active, and start to repair there, but because virut infects randomly and re-infects completely if some tiny trace of it is left (back-ups, reinfected files), I have no reports of where this has been accomplished.
Here it is virus against anti-malware, where anti-malware has NO CHANCE. Throw in the towel, over and out, total recall, hard to tell the truth, so better SafeHex and prevent infections: do not download risky files like keygens, illegal proggies etc.

polonus
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Dr.Web Cure.It
« Reply #3 on: March 04, 2009, 03:20:49 PM »
Polonus, how is avast against Virut? No chance? :'(

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87289
  • No support PMs thanks
Re: Dr.Web Cure.It
« Reply #4 on: March 04, 2009, 04:05:52 PM »
Quote from: Avastfan1
Can anyone attest to the effectiveness and veracity of Dr.Web Cure.It?

Following the numerous recommendations from "Tech" on this forum, I decided to download it and let it run.

It found nothing except a 'possible.script.virus' in C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Backups\regLocal.reg.

I believe this is a false positive.

An upload and scan with virustotal didn't find any virus. Only Dr. Web on virustotal registered a hit.

You need only look at the location to see it isn't a false positive as such, more a mis-named detection, and it isn't a confirmed detection either (see below), as it is located in the Backup folder of S&D, so this is a recovery file; a .reg file is a registry merge file.

e.g. when S&D deletes something it doesn't like in the registry, it creates a backup so that you can restore the registry entry; it does that by creating a .reg file, which you would run to merge that registry entry back into the registry.

So DrWeb CureIt doesn't like it either, which isn't too surprising, as the .reg file would look like a script to edit the registry, see example image.

I don't fully know exactly what DrWeb actually looks for, as it would have to determine if the script is malicious, but the key word in all of this is 'possible'.script.virus

DrWeb is a handy tool for both detection and repair of some of these file infectors.

Uploading a .reg file to VT I wouldn't think would get any hits, as the content in it, a registry key, isn't infected.
« Last Edit: March 04, 2009, 04:07:39 PM by DavidR »
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.12.6044 (build 22.12.7758.768) UI 1.0.741/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
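DavidR's point is that a Spybot backup .reg file is just a registry merge script, which is why a heuristic can read it as "possible script". As an added example, not code from any poster in this thread, here is a small Python parser for the REGEDIT 5.00 .reg syntax, so a reviewer can list exactly which keys and values such a backup would merge or delete before deciding whether a hit like this is worth worrying about. The sample file is constructed and is not a real Spybot backup.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in REGEDIT 5.00 syntax (not a real Spybot backup). Real .reg
# files are usually UTF-16 with a BOM; decode them to text before calling parse_reg.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Example\App]
@="Example App"
"Path"="C:\\Program Files\\Example\\app.exe"
"Timeout"=dword:0000001e
"Blob"=hex:01,02,\
  03,04
"Stale"=-
[-HKEY_CURRENT_USER\Software\Example\Old]
'''

@dataclass
class RegEntry:
    key: str
    delete_key: bool = False                     # [-KEY] means "delete this key"
    values: dict = field(default_factory=dict)   # name -> value; None means "delete value"

def _unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)            # \\ -> \ and \" -> "

def _parse_data(data: str):
    if data == "-":
        return None                              # "name"=- deletes the value on merge
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])             # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)                 # REG_DWORD, 8 hex digits
    if data.startswith("hex"):                   # hex:, hex(2):, hex(7): all carry raw bytes
        return bytes.fromhex(data.split(":", 1)[1].replace(",", ""))
    raise ValueError(f"unsupported value syntax: {data!r}")

def parse_reg(text: str) -> list[RegEntry]:
    entries, cur = [], None
    text = re.sub(r",\\\r?\n\s*", ",", text)     # join hex continuation lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = RegEntry(key=line[1:-1].lstrip("-"), delete_key=line[1:2] == "-")
            entries.append(cur)
            continue
        m = re.match(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$', line)
        if not m or cur is None:
            raise ValueError(f"malformed line: {raw!r}")
        name = "" if m.group(1) == "@" else _unescape(m.group(2))   # @ is the default value
        cur.values[name] = _parse_data(m.group(3))
    return entries
```

Run `parse_reg(open(path, encoding="utf-16").read())` on a flagged backup and inspect the returned entries; a Spybot restore file should contain nothing beyond the keys and values it previously removed.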

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33489
  • malware fighter
Re: Dr.Web Cure.It
« Reply #5 on: March 04, 2009, 04:09:57 PM »
Hi malware fighters,

@Tech
No... in the case that some of your executables are infected, you may as well say goodbye to your system and have to FFR (fdisk - format - reinstall).
What I like to emphasize is how they can improve against the way of infecting: running as System via WinLogon, infecting from loaded code running in memory. In a specific way it knows how to pass the Windows File Protection scheme, and we have only MS to report on that issue lately; av vendors have left users in the dark about this a great deal and been very silent about the circumvention of WFP, and I would like to hear if it is possible to harden against this circumvention. The mods were clear about this: in the case of an infection there is no known remedy (not yet, or never?). So better prevent infection through the normal methods: upgrade, patch your OS and third-party software, use normal user rights for normal online activities, use in-browser protection like NoScript in Flock or Fx, and abstain from risky online activities like downloads (keygens, cracks, p2p etc). That is the main line for the moment, and this story was confirmed by "essexboy" and "miekiemoes".

P.S. A way to prevent the circumventing of Windows File Protection is to hide the files in question and make them "hidden" to the virus and not to the OS (there is software that does this); whether this can be accomplished will be my question to the av-developers....

@ Avastfan1 upload your questionable file (you think it could be a False Positive) to virustotal.com and see what they find, and report that here as a link; as they found nothing, it shows it is a heuristic find (virustotal does not report these), and that makes the possibility of a FP even greater, or it is more recent.


polonus
« Last Edit: March 04, 2009, 04:15:50 PM by polonus »

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87289
  • No support PMs thanks
Re: Dr.Web Cure.It
« Reply #6 on: March 04, 2009, 04:26:23 PM »
He did upload it to VT.
Quote from: Avastfan1
An upload and scan with virustotal didn't find any virus. Only Dr. Web on virustotal registered a hit.

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Dr.Web Cure.It
« Reply #7 on: March 04, 2009, 04:28:38 PM »
Quote from: polonus
av vendors have left users in the dark about this a great deal, and been very silent about the circumvention of WFP, and I like to hear if it is possible to harden against this circumvention, the mods were clear about this - in the case an infection there is no known remedy (not yet or never?).
Well... some acknowledgment from the Alwil team will be good... Maxx?

Quote from: polonus
P.S. A way to prevent the circumventing of Windows File Protection is to hide the files in question and make them "hidden" to the virus and not to the OS (there is software that does this), if this can be accomplished will be my question to the av-developers....
Which is this software? Is it easy to use?

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33489
  • malware fighter
Re: Dr.Web Cure.It
« Reply #8 on: March 04, 2009, 06:18:38 PM »
Hi Tech,

But these programs aren't free, like this: file protectors...

Maybe someone knows of a free one.


pol
« Last Edit: March 04, 2009, 07:49:14 PM by polonus »

Offline Lisandro

  • Avast team
  • Certainly Bot
  • *
  • Posts: 67235
Re: Dr.Web Cure.It
« Reply #9 on: March 04, 2009, 06:57:25 PM »
Quote from: polonus
But these programs aren't free
:'( :'(

Offline George Yves

  • Avast Überevangelist
  • Massive Poster
  • *****
  • Posts: 4102
  • Help you I can
Re: Dr.Web Cure.It
« Reply #10 on: March 04, 2009, 07:29:39 PM »
Quote from: polonus
But these programs aren't free, like this: http://www.filedudes.com/Protect_Folder_98-download-15018.html
According to WOT this site is "used for the distribution of "rogue" security or other such applications".
May the FOSS be with you!

cod head

  • Guest
Re: Dr.Web Cure.It
« Reply #11 on: March 04, 2009, 07:38:37 PM »
Scorecard for filedudes.com is "Used for the distribution of rogue or fake software." Comment by H.P.Hosts. But I always download from the maker's site where possible anyway. I find you get an up-to-date and genuine product that way.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33489
  • malware fighter
Re: Dr.Web Cure.It
« Reply #12 on: March 04, 2009, 07:53:02 PM »
Hi folks,

I have taken off the link, despite the fact that Exploit Prevention Labs LinkScanner gives it the all green:
Congratulations! LinkScanner Online did not find any exploits. The direct link goes to:
hxxp://www.everstrike.com/
but the general idea is a file protector that hides the file from anyone other than the user and programs. But all the genuine programs for this are paid versions; others might be questionable.
Does someone know of a good free alternative to do this job, or has avast added the functionality to protect against the access point of this kind of file infector...

@George Yves - obscure the mentioned link also, will ye?

@all
Here is an extensive description of how the virus is defeating Windows File Protection:
http://woodmann.cjb.net/forum/blog.php?b=36
This has not been discussed again since 2007, but still it is very topical!

polonus
« Last Edit: March 04, 2009, 08:33:45 PM by polonus »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40603
  • Dragons by Sasha
    • Malware fixes
Re: Dr.Web Cure.It
« Reply #13 on: March 04, 2009, 10:13:34 PM »
If you can stop the main infector before it starts to run on your system, then Virut is not a problem. The latest sample uploaded to virustotal was detected as Virut by Avast. But once it is in, then the problems start. Dr Web can cure the infected files that it finds, but it is a buggy virus and does not fully infect some files. Dr Web now has a live CD for this type of infection which runs outside of Windows. I have used it once with good effect, but unfortunately Virut corrupted a fair quantity of system files by not infecting them properly. So we ended up having to reformat, but it was good practice.

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33489
  • malware fighter
Re: Dr.Web Cure.It
« Reply #14 on: March 04, 2009, 10:26:00 PM »
Hi essexboy,

That is reassuring info for those that are not infected. It still leaves the questions about the power of using "Sys debug" surpassing "full Admin", so malware can come to run using some sort of "Super User" rights.
Why has no av vendor addressed this, and what about this mysterious interrupt Int 0x2C? What about this?
A similar raising of rights was patched by Microsoft (else a user using "normal user rights" would have run the same risks as those with "Full Admin"), but the above-mentioned hack had not been addressed; a rather dangerous hole, I presume?

Damian
« Last Edit: March 04, 2009, 10:29:53 PM by polonus »