Author Topic: Thinking of AvastPro - does Avast detect Qakbot??  (Read 8799 times)


Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Thinking of AvastPro - does Avast detect Qakbot??
« Reply #15 on: May 28, 2009, 07:36:03 PM »
Uploading the zipped folder to virustotal will only find one detected file as that can't report on multiple files, so there is no certainty which of the files was detected.

However, the results would tend to indicate that this group would be detected, but the only way to be truly sure is to upload individual files, a pain, yes, but the only way to know 100%.

That is the problem: there is no common naming convention and there are likely to be many aliases. The other issue is that you don't know which file within the zip was detected by which AV, so there is an added level of confusion.

The other thing is that some AVs use generic signatures for some detections, so you will see a generic rather than specific malware name. The avast Win32:Trojan-gen is a generic signature (the -gen at the end of the malware name), so it is trying to catch multiple variants of the same type of malware, and that is a fine balance between detecting a new variant and detecting something valid as infected. So there will be no specific information for the detection.

VirusTotal just provides a scanning service to basically confirm or deny a detection, it doesn't give links to further information.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 24.2.6105 (build 24.2.8918.824) UI 1.0.799/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security
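The reply above notes that submitting a whole zip to VirusTotal tells you only that something inside was detected, not which member, and the next reply worries about extracting suspect files at all. One way to get per-file identifiers without writing any member to disk is to hash each member straight out of the archive and look the hashes up individually. The script below is an added example, not code from the original thread or from Avast or VirusTotal; the in-memory zip it builds and the member names it uses are constructed for illustration.

```python
import hashlib
import io
import zipfile


def build_sample_zip() -> bytes:
    """Constructed sample archive so the example runs offline.

    In practice you would pass the bytes of the quarantined zip read from disk.
    The contents are placeholder bytes, not real executables.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("suspect/_qbot.dll", b"MZ placeholder bytes, constructed sample")
        zf.writestr("suspect/ZCBF.exe", b"MZ different placeholder bytes, constructed sample")
        zf.writestr("suspect/readme.txt", b"plain text, harmless")
    return buf.getvalue()


def hash_zip_members(zip_bytes: bytes, algorithm: str = "sha256") -> dict:
    """Return {member_name: hexdigest} for every file inside the archive.

    Members are streamed in chunks from the archive object itself: nothing is
    extracted to the filesystem and nothing is executed, so the suspect files
    stay dormant while you collect hashes to look up one at a time.
    """
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            h = hashlib.new(algorithm)
            with zf.open(info) as member:
                for chunk in iter(lambda: member.read(65536), b""):
                    h.update(chunk)
            digests[info.filename] = h.hexdigest()
    return digests


if __name__ == "__main__":
    # Print in the "digest  name" layout that most hash-lookup services accept.
    for name, digest in sorted(hash_zip_members(build_sample_zip()).items()):
        print(f"{digest}  {name}")
```

Looking up each SHA-256 separately resolves the ambiguity the reply describes: every detection name returned by a scanner is then tied to one specific member rather than to the archive as a whole.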

PRG

  • Guest
Re: Thinking of AvastPro - does Avast detect Qakbot??
« Reply #16 on: May 28, 2009, 07:50:46 PM »
I'm a wee bit afraid to take a file out of the zip.  There logically shouldn't be any way that an exe or a dll can do anything just from being copied though, right?

Nevertheless, I got the answer I was seeking, I think - Avast can detect this infection, and hasn't been "sleeping" for 2+ years.

My reference to links to further information was from searching for the specific detection names on the specific AV vendor sites.  Symantec provides a pretty complete description of this malware (files, folder, some actions), but I still suspect a trigger file located elsewhere than the main folder, and as yet unidentified.

I am not utterly happy with what malwareremoval asked me to do :(

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Thinking of AvastPro - does Avast detect Qakbot??
« Reply #17 on: May 28, 2009, 09:29:58 PM »
If there is something that you aren't happy about, say so and ask for more advice/information about what you aren't happy about, or don't do it.

Whilst I have no formal malware removal training, I felt they were a little quick to initially decide you needed to format. To me and many others that is a measure of last resort, which seems to have passed.

Though things seem to have slowed a little.

PRG

  • Guest
Re: Thinking of AvastPro - does Avast detect Qakbot??
« Reply #18 on: May 28, 2009, 09:50:23 PM »
I'm mostly unhappy about rebooting without removing the identified malware and registry entry that I pointed out in my initial post.  I thought the delay might have been because Combofix was being updated to remove this, so I downloaded a fresh copy and ran it.  I really very badly want to run the identifying/scanning tools to see if we can ID the "trigger file" I suspect must exist.  I worry that it has probably now moved.  My assumptions and worries are based on my battle with Klez, and so may not apply.  However, I noted a new file near the bottom of the new HJT which also says it's missing now.

My experience with Klez was that with each removal and each reboot it moved and renamed itself.  There was also a random file that loaded with each boot, and could not be located by any means until/unless I "caught" it loading (with Ctl-Alt-Del during boot) and terminated it (and its siblings) successfully.  That's why I think it might have been what they call a root kit now.  No removal tool fixed it despite claiming to, it just changed from -d to -e to -g, etc.  The removal tools didn't find the "trigger".

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Thinking of AvastPro - does Avast detect Qakbot??
« Reply #19 on: May 28, 2009, 11:35:06 PM »
I don't really want to get involved in on-going clean-up in another forum for obvious reasons.

However, since a file is missing the registry entry is effectively inert, but should the file get restored the registry entry would be valid. Though whatever could restore it could also recreate the registry entry, but it won't hurt to fix it, now.

Presumably this is the one you are on about?
O23 - Service: ZCBF - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ZCBF.exe (file missing)

Whilst I found nothing on that file name at systemlookup.com as I did with your previous post, I also found no meaningful info on the file name and I'm always suspicious of files running from the Temp folder/s.

This one also looks suspect to me and a google search on it shows other forums saying it should be fixed:
O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}

- Panda Rootkit Cleaner - http://research.pandasoftware.com/blogs/images/AntiRootkit.zip.
- Trend Micro RootkitBuster - http://www.trendmicro.com/download/rbuster.asp
- F-Secure Blacklight may not always be available, http://www.f-secure.com/blacklight.
- RootRepeal, http://rootrepeal.googlepages.com/ RootRepeal is a new rootkit detector currently in public beta. Scroll down the page for the download link. Also see, http://www.malwarebytes.org/forums/index.php?showtopic=12709.
« Last Edit: May 28, 2009, 11:42:58 PM by DavidR »
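The reply above picks two HijackThis entries out of the log by hand: an O23 service whose binary is missing and lives under a Temp folder, and an O24 desktop component whose source is a bare CLSID rather than a named item. Those same three checks (missing file, Temp path, unnamed CLSID) can be applied mechanically to every O23/O24 line in a log. The triage script below is an added example, not code from the thread, from HijackThis or from Avast; it parses the two lines quoted above plus two constructed benign lines, and the line formats and flagging rules are my assumptions about the HJT layout as it appears in this post.

```python
import re

# HijackThis line shapes as they appear in the thread (assumed general format).
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)"
    r"(?P<missing> \(file missing\))?$"
)
O24_RE = re.compile(
    r"^O24 - Desktop Component (?P<index>\d+): (?P<name>.+?) - (?P<source>.+)$"
)
# A bare {GUID} with no human-readable name, the pattern the reply found suspect.
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Binaries launched from any \Temp\ or \Tmp\ directory.
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def triage_hjt_lines(lines):
    """Return a list of (line, reasons) for every O23/O24 entry worth a second look.

    Lines that match neither pattern, or match but trip no rule, are skipped, so
    the output is only the entries a reviewer should research further.
    """
    findings = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        reasons = []
        m = O23_RE.match(line)
        if m:
            if m.group("missing"):
                # Inert today, but the registry entry re-arms if the file comes back.
                reasons.append("service points to a missing file")
            if TEMP_RE.search(m.group("path")):
                reasons.append("service binary runs from a Temp folder")
        m = O24_RE.match(line)
        if m and CLSID_RE.match(m.group("source").strip()):
            reasons.append("desktop component is a bare CLSID rather than a named source")
        if reasons:
            findings.append((line, reasons))
    return findings


# Constructed sample log: the two entries quoted in the thread plus two benign ones.
SAMPLE_LOG = [
    r"O23 - Service: ZCBF - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\ZCBF.exe (file missing)",
    r"O24 - Desktop Component 0: Ink Desktop - {80E95280-2D38-3CB8-A215-FB5F14C4343E}",
    r"O23 - Service: Automatic Updates (wuauserv) - Unknown owner - C:\WINDOWS\system32\svchost.exe",
    r"O24 - Desktop Component 1: My Current Home Page - About:Home",
]

if __name__ == "__main__":
    for line, reasons in triage_hjt_lines(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("   ->", r)
```

The script only surfaces candidates; as the reply does, each flagged entry still needs the file name and CLSID looked up before deciding it should be fixed.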

PRG

  • Guest
Re: Thinking of AvastPro - does Avast detect Qakbot??
« Reply #20 on: May 29, 2009, 12:53:38 AM »
You are absolutely correct about any sort of "involvement".  I think I'm just feeling a lack of conversation and brainstorming.  I thought I had made it sort of clear that I wanted to be more involved in the process.  It's hard just waiting and not running the purely diagnostic tools that might answer my questions.

Yes, that's the file I meant.  I took it as a sign that it might be moving itself around like Klez did with random file names.  The ink desktop observation is interesting - as we have tablets, I thought of it as likely ordinary.  That would be a great place to hide, though.

I like puzzles and problems.  Though I can get quite interested in my husband's race car work, he just can't quite get interested in my computer stuff, and my geek son moved out.  I wish my helper would just ask me to run some scanning/info tools and talk to me.  If I could find some how-it-works info on the tools, I would be tempted to do it myself.  But then, my malware experience is 10 years old. LOL.

Thank you for the rootkit scanners.  I keep eying my own laptop with great suspicion since transferring those nasty files.

I would love it if I had the option in Comodo to display domains instead of IP addresses, and then right click and say "block this domain".  That would be great.  I also wish Comodo would tell me which dll's and/or services are using each svchost like Process Explorer does.  Heck, I wish I could find a programmer to design a firewall to my user interface requests.  I think the ones that know enough to do it forget what the users don't know and might like to know.  Hey, it could even look up the port assignments reserved with IANA (I think it was) that I found recently.  Then if svchost - sub _qbot.dll was accessing private network via a port assigned to Outlook, I would think even an average person might say, "Hey, cut that out!" and block it.  Meanwhile, I'm looking everything up and going, OK, OK.  It's nuts!

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • Posts: 88899
  • No support PMs thanks
Re: Thinking of AvastPro - does Avast detect Qakbot??
« Reply #21 on: May 29, 2009, 01:52:43 AM »
Combofix isn't purely diagnostic; as you have seen, it has made some deletions.

Transferring files really isn't that much of a risk as they are inert; without a registry entry to start them or another element to run them, they sit dormant. You could put them in a password protected encrypted folder.

See, http://www.bleepingcomputer.com/tutorials/tutorial42.html#O24Diag, my concern being that there is no hit on the CLSID the bit between the { curly brackets }, when the example in this link and others I found are more specific (named).

Sorry I don't use Comodo, so I can't comment on that. You can do a whois on IP addresses to find the domain names.