From: Beauregard T. Shagnasty on
~BD~ wrote:
>> <snip>

Asked and answered.

Why don't you agree to meet your new chum PCButts for dinner this
evening?

--
-bts
From: Ant on
"David Kaye" wrote:

> What I'm getting at is that I use the best of off the shelf freebie programs
> my customers would tend to download. As for updates, typically when I first
> see them they have default Windows services turned on, so that they are up to
> date on Windows updates,

What about non-MS updates?

> I'm using IE8 Version 8.0.6001.18702.

That should be reasonably safe, hence the importance of checking 3rd
party (non-MS) plugins and helper apps.

> I know you mean well, but believe me, I already know about this stuff.

I appreciate you have some clue and that's why I'm interested in how
you got infected. If all your software was fully updated this drive-by
infection should not have happened. If it was a new vulnerability, AKA
a zero-day exploit, then I'm particularly interested in knowing what
it was.

When executable code runs via an exploit like a buffer overflow and
code injection there's no guarantee that an otherwise securely
configured OS can spot it. DEP (data execution prevention) can help
prevent this kind of attack if available for the machine.

> I noted the file date/time and have looked back on this.

As I said, you need to examine the cached files to have any hope of
finding the exploit. Of course, you will need to have an understanding
of file formats and know what to look for.

> The exploit appears
> to have come from foxnews, officedepot, or officemax -- the time stamps are
> within a few seconds of each other and show up right before the time stamp
> that was written to the temp directory in my documents and settings tree.

You see, my probing has caused you to give more information which then
prompted someone else to reply with a link to a forum about the Faux
News site infection. Although that discussion is a year old, the
problem of legitimate sites serving up malware through adverts or
hacked servers is still a real one. It appears those exploits were via
buggy ActiveX controls which have all now been patched.

>>More important is to find the vulnerable software component that
>>allowed it to run.
>
> Yes. Also, since I was able to get this infection I suspect that I'll be
> getting frantic calls this coming week from others. I'm getting tempted to
> set people up as limited users, even though that creates headaches in itself
> (such as the inability to run QuickBooks properly, which I mentioned before).

You should at least disallow the automatic running of PDFs, look at
tightening browser security settings, and perhaps change the browser
to Firefox or Opera if they are not using IE 8. XP's default settings
are no longer sufficient.

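The cache triage Ant describes (correlating cached files by timestamp, then inspecting their actual format) as an added example, not code from this thread: the script lists files whose modification time falls within a few seconds of a pivot time and flags any whose magic bytes disagree with their extension. The cache directory, file names and pivot timestamp are constructed sample data.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Magic-byte signatures for file types commonly found in a browser cache.
MAGIC = {
    b"%PDF": "pdf",
    b"MZ": "exe/dll",        # Windows PE executable or DLL
    b"\x89PNG": "png",
    b"GIF8": "gif",
}

def sniff(path):
    """Identify a file by its leading bytes, not its extension."""
    with open(path, "rb") as f:
        head = f.read(8)
    for sig, kind in MAGIC.items():
        if head.startswith(sig):
            return kind
    return "unknown"

def cache_candidates(cache_dir, pivot, window_seconds=10):
    """(name, type, ext, mismatch) for files modified within +/- window of pivot."""
    lo, hi = pivot - timedelta(seconds=window_seconds), pivot + timedelta(seconds=window_seconds)
    hits = []
    for name in sorted(os.listdir(cache_dir)):
        path = os.path.join(cache_dir, name)
        if not os.path.isfile(path):
            continue
        if lo <= datetime.fromtimestamp(os.path.getmtime(path)) <= hi:
            kind = sniff(path)
            ext = os.path.splitext(name)[1].lstrip(".").lower()
            # mismatch: content type is known and disagrees with the extension
            hits.append((name, kind, ext,
                         kind != "unknown" and ext not in kind.split("/")))
    return hits

def build_demo():
    """Constructed sample cache (not real data) with mtimes set around a made-up pivot."""
    d = tempfile.mkdtemp()
    pivot = datetime(2009, 7, 5, 14, 30, 0)
    samples = [("ad_banner.gif", b"MZ\x90\x00" + b"\x00" * 12, -3),  # PE bytes named .gif
               ("logo.png", b"\x89PNG\r\n\x1a\n", -5),              # genuine PNG
               ("page.htm", b"<html><body>", 2),                    # no known signature
               ("old.pdf", b"%PDF-1.4\n", -3600)]                   # outside the window
    for name, data, offset in samples:
        p = os.path.join(d, name)
        with open(p, "wb") as f:
            f.write(data)
        os.utime(p, ((pivot + timedelta(seconds=offset)).timestamp(),) * 2)
    return d, pivot
```

Run `cache_candidates(*build_demo())`: only the three files within ten seconds of the pivot are returned, and `ad_banner.gif` is flagged because it carries a PE header.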

From: Ant on
"~BD~" wrote:

> David Lipman *has*
> emailed me with evidence of 'catching out' hidden passwords in code used
> by TRT/BCButts. I also had an email from TRT asking me to tell him/her
> what DHL had said.
>
> My problem remains, though, in that there is no way I can be *100%* sure
> which is telling the truth!

You either accept what respected posters here (ACAV) say or you
analyse the files yourself. I can say that I've also found evidence
in butts' files that they were copied and altered by him in an attempt
to conceal the real authors.


From: ~BD~ on
Beauregard T. Shagnasty wrote:
> ~BD~ wrote:
>>> <snip>
>
> Asked and answered.
>
> Why don't you agree to meet your new chum PCButts for dinner this
> evening?
>

That was a very juvenile response, Bts.

Which part of this did you fail to comprehend? :-

If you are quite certain of your facts then I believe you have a public
*duty* - maybe in conjunction with all those who are in agreement with
you - to bring about a prosecution of the offending individual.

I cannot believe that help is not available to you in Obama's USA.

"Put your money where your mouth is" comes to mind.

As they say in the navy, "Make it so!"

--
Dave
From: ~BD~ on
Ant wrote:
> "~BD~" wrote:
>
>> David Lipman *has*
>> emailed me with evidence of 'catching out' hidden passwords in code used
>> by TRT/BCButts. I also had an email from TRT asking me to tell him/her
>> what DHL had said.
>>
>> My problem remains, though, in that there is no way I can be *100%* sure
>> which is telling the truth!
>
> You either accept what respected posters here (ACAV) say or you
> analyse the files yourself. I can say that I've also found evidence
> in butts' files that they were copied and altered by him in an attempt
> to conceal the real authors.
>
>
You come across as a wise man who knows much about computing matters;
I'm simply an observer of the people who post and how they interact. I
do not have the skill to analyse files.

On the website http://www.ms-mvp.org/ he/she says:

"On this page you will find a few utilities I created and some created
by others (Note: tools not created by me are the properties of the
respected owner/author as listed below) to aid in the repair of
compromised systems due to malware, spyware, viruses, and certain
Trojans. These tools were designed to work on Windows 2000/XP systems
only unless otherwise stated in the product description."

I may be blind, but cannot see where he/she is claiming tools as his/her
own. If these tools do, actually, work - and their sole purpose is
designed to help others, maybe the 'real authors' should grant an
amnesty and/or join TRT in his/her effort to assist other people.

Might that help?

--
Dave