From: David Kaye on
"Ant" <not(a)home.today> wrote:

>
>That's not very secure.

Regardless, I set up this computer to behave as much like my customers'
computers behave. In this way I can spot issues quickly. And it's been years
since this particular machine has had any kind of infection at all.

>Once malware gets in it often changes date stamps to match one of the
>system files.

Seldom, though. One of the easiest ways I've found to find the process
causing an infection is to use a tool like PrcView to look within processes
such as svchost, explorer, winlogon, etc., and see the date stamps on the DLLs
called. Makes it super-simple to spot them.

>Since you appear to do this for a living you ought to know about
>securing your machine.

See my comments above.

>
>So did you kill it from task manager?

Actually, no. Because I immediately knew what it was, I shut down the
computer, booted from BART PE and manually copied back snapshots of the
registry.

>You can't rely on AV apps to protect a machine - they are a last ditch
>resort. None of them can detect everything because malware is re-
>packaged every day to avoid detection. The AV vendors are always
>trying to catch up.

This is where heuristic scanning comes in and why MBam can catch nearly
everything. I had the impression, reading from Avast's documentation and
various postings from people that Avast also had similar heuristic scanning.
Apparently not.

>You didn't say which browser was involved. Is it up-to-date? What
>plugins and other applications are used as helpers to view embedded
>content and are they securely configured and up-to-date? Think about
>Java (not javascript), PDF and Flash viewers, ActiveX components and
>other media players. Do you allow them to run automatically?

Again, this particular computer is set up to imitate real world scenarios as
are present in my customers' computers. Prior to the infection I had visited
several websites from Google links. I did not click on anything within those
web pages. I don't recall if there was a pdf among the stuff I looked at or
not. My machine is set up to warn about ActiveX, but not Java, Flash, or
pdfs. However, downloading of exe and dll files should be triggering
*something* to warn me.

As someone suggested, perhaps something else is being renamed as an exe.

I did notice one thing that may be a clue. I couldn't run exe files any
longer until I entered the exe extension in the filetypes section to replace
what had been there. This was after the registry rollback, so I'm not sure
where the exe reference was being pulled from. It should have reverted just
like all other registry entries.

So, indeed it could well be that ave.exe is really something non-exe that got
renamed and thus wasn't detected by Windows as being bogus. I have not saved
the ave.exe file to look at it. Perhaps I should have, but I had to use this
particular computer and just wanted to get rid of the malware.
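The DLL date-stamp check described above (look inside svchost, explorer, winlogon and pick out the modules whose file dates do not match the rest), written out as an added example; this is not code from anyone in the thread, the module listing is constructed, and because malware sometimes copies a system file's date stamp, a module loaded from outside system32 is flagged regardless of its date:

```python
"""Flag out-of-place DLLs in a process's module list, automating what the
post does by eye in PrcView. Added example; the sample listing is made up."""
import ntpath
from datetime import datetime, timedelta

SYSTEM_DIR = r"c:\windows\system32"   # XP-era path; adjust per host


def _in_system_dir(path):
    # ntpath handles backslash paths on any OS
    return ntpath.dirname(path).lower() == SYSTEM_DIR


def flag_modules(modules, max_skew=timedelta(days=90)):
    """modules: list of (path, file-modified datetime). Returns [(path, reason)].

    The baseline is the median date stamp of the system32 modules, so a few
    patched DLLs (tolerated up to max_skew) do not drag it around."""
    sys_times = sorted(t for p, t in modules if _in_system_dir(p))
    if not sys_times:
        return [(p, "no system32 modules to compare against") for p, _ in modules]
    baseline = sys_times[len(sys_times) // 2]
    hits = []
    for path, mtime in modules:
        if not _in_system_dir(path):
            hits.append((path, "loaded from outside " + SYSTEM_DIR))
        elif mtime - baseline > max_skew:
            days = (mtime - baseline).days
            hits.append((path, f"date stamp {days} days newer than the rest"))
    return hits


# Constructed sample: a module listing for one svchost.exe, not captured
# from a real machine; names below system32 are real DLLs, dates are arbitrary.
SAMPLE = [
    (r"C:\WINDOWS\system32\ntdll.dll",    datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\kernel32.dll", datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\rpcrt4.dll",   datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\user32.dll",   datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\wininet.dll",  datetime(2008, 6, 20)),  # patched, within skew
    (r"C:\WINDOWS\system32\gdiplus.dll",  datetime(2010, 3, 28)),  # stands out by date
    (r"C:\DOCUME~1\user\LOCALS~1\Temp\suspect_sample.dll", datetime(2008, 4, 14)),  # date copied, wrong place
]

if __name__ == "__main__":
    for path, reason in flag_modules(SAMPLE):
        print(f"{path}: {reason}")
```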

From: Heather on

"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp94gg$ekl$4(a)news.eternal-september.org...
> "Heather" <fergie(a)canada.invalid> wrote:
>
>>OK Shaggy......I will add to this cuz I have an obsession re correct time.
>>He has his Time Zone set wrongly.......right? As it is now Daylight SAVING
>>Time (which he may not have checked off), it is only 4 hours different to
>>GMT........not 5.
>
> My time zone and my DST offset are NOT set wrong. I'm also a time geek and
> I'm aware that the U.S. now advances DST time 3 weeks ahead of when it
> used to start.

Hey David.....I am not arguing with you, but if all 3 of us are using ES and
your time is an hour ahead of the two of us........something is out of whack
on your end. It is 12:55 am as I type this.

Cheers......Heather


From: David Kaye on
"Heather" <fergie(a)canada.invalid> wrote:

>Hey David.....I am not arguing with you, but if all 3 of us are using ES and
>your time is an hour ahead of the two of us........something is out of whack
>on your end. It is 12:55 am as I type this.

I guess I'll just chalk it up to being a forward thinker.

From: Heather on

"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp96ke$sld$1(a)news.eternal-september.org...
> "Heather" <fergie(a)canada.invalid> wrote:
>
>>Hey David.....I am not arguing with you, but if all 3 of us are using ES and
>>your time is an hour ahead of the two of us........something is out of whack
>>on your end. It is 12:55 am as I type this.
>
> I guess I'll just chalk it up to being a forward thinker.

8-))
From: The Central Scrutinizer on
"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp85v4$ua4$3(a)news.eternal-september.org...
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote:
>
>>
>>Were you running as administrator at the time of the "attack"?
>
> Running XP Pro with a default user with admin privileges.

This will pretty much trump AV protection.