From: David Kaye on
"Beauregard T. Shagnasty" <a.nony.mous(a)example.invalid> wrote:

>Ah. It seems I've posted "nearly an hour before you." How do you explain
>that everyone else sees your clock an hour in the future?
>
>Currently 11:57pm Eastern Daylight Time

I'm not sure. There is no setting on the user account at ES to adjust the
time. My computer's clock is set to Pacific (US & Canada) with allowance made
for DST. It adjusted correctly at the beginning of daylight time.

Lemme see. I have a program that calls an API routine for system time. Let's
see if it shows GMT correctly...

Okay, the routine calls the GetTimeZoneInformation and GetSystemTime
functions from the kernel32 library. The routines return an offset from GMT
as 7 hours, which is correct. Normally it would be 8 hours, but we're on DST
here in North America. Since Bush signed into law the advanced daylight time
law several years ago, starting DST 3 weeks ahead of the way it used to be
(and ending it 1 week later) it just might be that Eternal September is
assuming that we're not on DST here yet. This would account for their server
thinking GMT (UTC) is 8 hours ahead.

From: David Kaye on
"Heather" <fergie(a)canada.invalid> wrote:

>OK Shaggy......I will add to this cuz I have an obsession re correct time.
>He has his Time Zone set wrongly.......right? As it is now Daylight SAVING
>Time (which he may not have checked off), it is only 4 hours different to
>GMT........not 5.

My time zone and my DST offset are NOT set wrong. I'm also a time geek and
I'm aware that the U.S. now advances DST time 3 weeks ahead of when it used to
start.

To quote Wikipedia: "....Starting in 2007, most of the United States and
Canada observe DST from the second Sunday in March to the first Sunday in
November, almost two-thirds of the year.[30] The 2007 U.S. change was part of
the Energy Policy Act of 2005; previously, from 1987 through 2006, the start
and end dates were the first Sunday in April and the last Sunday in October,
and Congress retains the right to go back to the previous dates now that an
energy-consumption study has been done.[31] ...."

In fact, not only am I a time geek, but I've changed the registry entry to
sync my computer's clock with NIST every 6 hours instead of the default once a
week.
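
The hypothesis in the two posts above (a server still using the 1987-2006 DST table would put Pacific time at UTC-8 for the three weeks after the second Sunday in March, and again for the week before the first Sunday in November) can be checked without calling GetTimeZoneInformation at all. The following is an added example, not code posted by anyone in this thread: it encodes both US rules as quoted from Wikipedia above and reports the Pacific offset each rule gives for a date. The sample dates are constructed for illustration; the transition is handled at day granularity (the 02:00 local switch hour is ignored).

```python
"""
Added example (not code posted by anyone in this thread): compare the
US daylight-saving rule in force since 2007 with the 1987-2006 rule and
show the UTC offset each implies for Pacific time on a given date.
Sample dates are constructed for illustration.
"""
from datetime import date, timedelta

SUNDAY = 6  # date.weekday(): Monday = 0 ... Sunday = 6
PACIFIC_STANDARD_OFFSET = -8  # hours from UTC; DST adds one hour


def _as_date(d):
    """Accept a date or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def nth_sunday(year, month, n):
    """The n-th Sunday of a month (n >= 1), or the last Sunday when n == -1."""
    if n == -1:
        first_of_next = date(year + (month == 12), month % 12 + 1, 1)
        last = first_of_next - timedelta(days=1)
        return last - timedelta(days=(last.weekday() - SUNDAY) % 7)
    first = date(year, month, 1)
    first_sunday = first + timedelta(days=(SUNDAY - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


def dst_window_2007(year):
    """Rule from the Energy Policy Act of 2005, in force since 2007:
    second Sunday in March to first Sunday in November."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def dst_window_1987(year):
    """Rule from 1987 through 2006: first Sunday in April to last Sunday in October."""
    return nth_sunday(year, 4, 1), nth_sunday(year, 10, -1)


def dst_in_effect(d, window):
    """Day-granularity test; the 02:00 local transition hour is ignored."""
    d = _as_date(d)
    start, end = window(d.year)
    return start <= d < end


def pacific_offset(d, window):
    """UTC offset in hours for US Pacific time under the given rule."""
    return PACIFIC_STANDARD_OFFSET + (1 if dst_in_effect(d, window) else 0)


def offset_disagreement(d):
    """(offset under the current rule, offset under the old rule).
    When they differ, a system still using the old table is an hour off."""
    return pacific_offset(d, dst_window_2007), pacific_offset(d, dst_window_1987)


def disagreement_days(year):
    """ISO dates in `year` on which the two rules give different offsets."""
    d, out = date(year, 1, 1), []
    while d.year == year:
        cur, old = offset_disagreement(d)
        if cur != old:
            out.append(d.isoformat())
        d += timedelta(days=1)
    return out


if __name__ == "__main__":
    for sample in ("2010-03-20", "2010-06-01", "2010-11-03"):
        print(sample, offset_disagreement(sample))
    days = disagreement_days(2010)
    print(len(days), "days in 2010 differ:", days[0], "..", days[-1])
```

For 2010 the two rules disagree on 28 days: 14 March through 3 April and 31 October through 6 November. A post stamped from a UTC-7 client during those weeks, displayed by software that believes Pacific is still UTC-8, lands exactly one hour off, which is the symptom the other posters report.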


From: David Kaye on
"FromTheRafters" <erratic(a)nomail.afraid.org> wrote:

>It is possible for a trojan to drop a file named ave.exe that is for all
>practical purposes unique to that system. The filename means nothing.
>The thing that should be detected is the dropper itself - if you don't
>install it, you don't have to identify and remove it.

This may be the case given that the name displayed apparently adjusts itself
to the system in use. Thus for XP it's called something like "XP Defender"
and for Vista it's called "Vista Defender", etc. Also, whether it's called
Defender or any number of other names also seems to change.

Regardless, I should think that Avast's heuristics should have picked up some
of the telltale signs of the infection even if it didn't have the exact
definition in place.

I'm thinking of going back to ZoneAlarm since Windows firewall was so easy to
disable.

From: David Kaye on
"Ant" <not(a)home.today> wrote:

>
>That's not very secure.

Regardless, I set up this computer to behave as much like my customers'
computers behave. In this way I can spot issues quickly. And it's been years
since this particular machine has had any kind of infection at all.

>Once malware gets in it often changes date stamps to match one of the
>system files.

Seldom, though. One of the easiest ways I've found to find the process
causing an infection is to use a tool like PrcView to look within processes
such as svchost, explorer, winlogon, etc and see the date stamps on the DLLs
called. Makes it super-simple to spot them.

>Since you appear to do this for a living you ought to know about
>securing your machine.

See my comments above.

>
>So did you kill it from task manager?

Actually, no. Because I immediately knew what it was, I shut down the
computer, booted from BART PE and manually copied back snapshots of the
registry.

>You can't rely on AV apps to protect a machine - they are a last ditch
>resort. None of them can detect everything because malware is re-
>packaged every day to avoid detection. The AV vendors are always
>trying to catch up.

This is where heuristic scanning comes in and why MBam can catch nearly
everything. I had the impression, reading from Avast's documentation and
various postings from people that Avast also had similar heuristic scanning.
Apparently not.

>You didn't say which browser was involved. Is it up-to-date? What
>plugins and other applications are used as helpers to view embedded
>content and are they securely configured and up-to-date? Think about
>Java (not javascript), PDF and Flash viewers, ActiveX components and
>other media players. Do you allow them to run automatically?

Again, this particular computer is set up to imitate real world scenarios as
are present in my customers' computers. Prior to the infection I had visited
several websites from Google links. I did not click on anything within those
web pages. I don't recall if there was a pdf among the stuff I looked at or
not. My machine is set up to warn about ActiveX, but not Java, Flash, or
pdfs. However, downloading of exe and dll files should be triggering
*something* to warn me.

As someone suggested, perhaps something else is being renamed as an exe.

I did notice one thing that may be a clue. I couldn't run exe files any
longer until I entered the exe extension in the filetypes section to replace
what had been there. This was after the registry rollback, so I'm not sure
where the exe reference was being pulled from. It should have reverted just
like all other registry entries.

So, indeed it could well be that ave.exe is really something non-exe that got
renamed and thus wasn't detected by Windows as being bogus. I have not saved
the ave.exe file to look at it. Perhaps I should have, but I had to use this
particular computer and just wanted to get rid of the malware.
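
Two checks for the symptoms this post describes, written as an added example rather than code from the thread. The first compares the two registry keys that decide how .exe files are launched (HKEY_CLASSES_ROOT\.exe, whose default value is exefile, and HKEY_CLASSES_ROOT\exefile\shell\open\command, whose default value is "%1" %*) against those defaults, parsed from a .reg export so it runs offline and can be pointed at an export taken from a rescue environment such as BartPE. The second is the date-stamp triage the post describes for svchost and similar hosts, applied to a constructed list of loaded modules, with the caveat Ant raised above: a dropper can timestomp its file, and a freshly patched system DLL will also look new, so a hit is a lead and not a verdict. The key names and default values are the real Windows ones; every path, filename, command and timestamp in the samples is constructed.

```python
"""
Added example, not code posted by anyone in this thread. Two offline
triage checks for the symptoms described above, run on constructed
sample input embedded below:

1. exe_association_status(): parse a .reg export of the two registry
   keys that decide how .exe files are launched and compare each
   (Default) value with the Windows default.
2. odd_modules(): given (path, modified-time) pairs for the modules
   loaded in a process, flag the ones with a timestamp much newer than
   the rest or loaded from a user-writable location.
"""
import re
from datetime import datetime, timedelta

# Windows defaults for the .exe file type (HKEY_CLASSES_ROOT).
EXPECTED_DEFAULTS = {
    r"HKEY_CLASSES_ROOT\.exe": "exefile",
    r"HKEY_CLASSES_ROOT\exefile\shell\open\command": '"%1" %*',
}

_KEY_LINE = re.compile(r"^\[(.+)\]\s*$")
_DEFAULT_LINE = re.compile(r'^@="(.*)"\s*$')


def _reg_unescape(s):
    """.reg files escape backslashes and double quotes with a backslash."""
    return re.sub(r'\\(["\\])', r"\1", s)


def parse_reg_defaults(reg_text):
    """Map every key in a .reg export to its (Default) value (None if absent)."""
    defaults, current = {}, None
    for line in reg_text.splitlines():
        m = _KEY_LINE.match(line)
        if m:
            current = m.group(1)
            defaults.setdefault(current, None)
            continue
        m = _DEFAULT_LINE.match(line)
        if m and current is not None:
            defaults[current] = _reg_unescape(m.group(1))
    return defaults


def exe_association_status(reg_text):
    """{key: (expected, actual, matches)} for the two .exe launch keys."""
    found = parse_reg_defaults(reg_text)
    return {k: (v, found.get(k), found.get(k) == v)
            for k, v in EXPECTED_DEFAULTS.items()}


# Path fragments (case-insensitive) that a service or shell process has no
# normal reason to load code from.
USER_WRITABLE_HINTS = (
    "\\documents and settings\\", "\\users\\", "\\temp\\", "\\appdata\\",
)


def odd_modules(modules, newer_than_median=timedelta(days=90)):
    """modules: iterable of (path, datetime modified). Returns [(path, reason)].
    Timestamps are only a hint: a dropper can set its file's times to match
    system files (timestomping), and a freshly patched system DLL will show
    up here too, so treat a hit as a lead, not a verdict."""
    modules = list(modules)
    times = sorted(mtime for _, mtime in modules)
    median = times[len(times) // 2]
    flagged = []
    for path, mtime in modules:
        reasons = []
        if mtime - median > newer_than_median:
            reasons.append(f"modified {mtime:%Y-%m-%d}, most modules {median:%Y-%m-%d}")
        if any(h in path.lower() for h in USER_WRITABLE_HINTS):
            reasons.append("loaded from a user-writable location")
        if reasons:
            flagged.append((path, "; ".join(reasons)))
    return flagged


# Constructed samples (not real exports or process listings).
CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
"""

HIJACKED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\.exe]
@="exefile"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"C:\\Example\\interposer.exe\" \"%1\" %*"
"""

SAMPLE_SVCHOST_MODULES = [
    (r"C:\WINDOWS\system32\svchost.exe", datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\ntdll.dll", datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\kernel32.dll", datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\rpcrt4.dll", datetime(2008, 4, 14)),
    (r"C:\WINDOWS\system32\recentpatch.dll", datetime(2009, 12, 8)),
    (r"C:\Documents and Settings\user\Local Settings\Application Data\dropped.dll",
     datetime(2010, 3, 27)),
]

if __name__ == "__main__":
    for name, reg in (("clean", CLEAN_REG), ("hijacked", HIJACKED_REG)):
        for key, (expected, actual, ok) in exe_association_status(reg).items():
            print(f"{name:8} {'OK ' if ok else 'BAD'} {key}: {actual!r}")
    for path, reason in odd_modules(SAMPLE_SVCHOST_MODULES):
        print("suspect:", path, "-", reason)
```

The registry check explains the symptom in the post directly: if exefile\shell\open\command no longer reads "%1" %*, every .exe launch goes through whatever program is named there first, which is also why the file-type dialog had to be re-entered before programs would run again. The module check deliberately flags recentpatch.dll as well as dropped.dll: the timestamp rule alone cannot tell a Windows update from a dropped file, and only the user-writable-location rule separates the two in this sample.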

From: Heather on

"David Kaye" <sfdavidkaye2(a)yahoo.com> wrote in message
news:hp94gg$ekl$4(a)news.eternal-september.org...
> "Heather" <fergie(a)canada.invalid> wrote:
>
>>OK Shaggy......I will add to this cuz I have an obsession re correct time.
>>He has his Time Zone set wrongly.......right? As it is now Daylight SAVING
>>Time (which he may not have checked off), it is only 4 hours different to
>>GMT........not 5.
>
> My time zone and my DST offset are NOT set wrong. I'm also a time geek and
> I'm aware that the U.S. now advances DST time 3 weeks ahead of when it used to
> start.

Hey David.....I am not arguing with you, but if all 3 of us are using ES and
your time is an hour ahead of the two of us........something is out of whack
on your end. It is 12:55 am as I type this.

Cheers......Heather