Cheers for FREE Avast

  • Thread starter: Slip Kid
To anyone who is not seeing the forest for a couple of trees:
Thank you for this clarification, I apologise if I jumped on you too
hard but it is vital that, if you are having a problem, that you
define matters correctly.
I admit, I made a mistake. I admit I confused Zone Alarm (the firewall,
with e-trust, the firewall). I don't know if (or why) that confusion
matters?
It matters because you were blaming the wrong program. I jumped at you
because you were blaming a Firewall for not doing the job of an AV
program. If you had said e-trust AV I doubt if any of the respondents
would have jumped on you but would, instead, have tried to get you to
try any other AV program.

Correct terminology is vital for accurate communication and, in my
opinion, this also includes correct spelling and grammar. Your
spelling and grammar are fine, I'm not flaming you about this; just
mentioning it as part of a general crusade for better communication.
Again, the reason for confusing the two: I had run ZA for years -- The
e-trust firewall and AV came on a disc with an W2k SP4 disc. The GUI
for the firewall is identical to that of ZA. It sure looked like ZA!
Further, when I attempted to upgrade to "ZA" it said I already had it on
my machine? So, I called e-trust, ZA - Sorry!

Regardless, I was running a firewall, an AV, S&D, Webroot - as resident
scanners and did system scans every day with one of the apps.
It seems as if the e-trust AV is the main culprit in your case. I now
know not to use that program and so do all the readers on this group.

I use AVG and I have heard Avast is also excellent. Trojans can be
very difficult to detect especially if you happen to cop it in the
first hours after its release.
I also ran Xsoftspy (free) as a sweep and none of them even hinted as to
why I was having 'new sites pop-up' for the past several weeks. _I knew
it was not the fault of Firefox as it was still 'blocking'!_

It wasn't until Sysinternals task manager indicated I had an .exe
running that I had a clue to what my problem was.

Excellent program.
No, Hijackthis failed
to eliminate the trojan, I understand that is not its "job". They were
helpful, but their advice suggested the solution to eradicate it might
demand a re-install.
Excellent program too but even the experts can get it wrong sometimes.
So? Several 'security' apps failed me and I doubt if it is fair to
expect the average user to analyze their system with a more
sophisticated task manager or Hijackthis.
It seems to me to be a failure of the AV program rather than anything
else.

If we expect the average user to do very little then that is just
what happens. If we expect him/her/it to do a little more then
he/she/it will normally rise to the challenge.
----> Face it, not using IE or OE, --- running AV and a few anti-weird
stuff apps is being done by ---- Oh, less than 5% of the users?
It's gradually increasing.

Make sure that you give e-trust a blast from both barrels and advise
Zone Labs of your concerns regarding the look and feel of a product
that is aping their interface but is clearly inferior.

Best of luck for the future.
 
David said:
Thank you for this clarification, I apologise if I jumped on you too
hard but it is vital that, if you are having a problem, that you
define matters correctly.

Humility on Usenet. Mark the date.

Then again, my problem wasn't (I doubt it anyway) with the firewall. I
had multiple apps that should have prevented the invaders - I wasn't
depending on the firewall for that.
It matters because you were blaming the wrong program. I jumped at you
because you were blaming a Firewall for not doing the job of an AV
program. If you had said e-trust AV I doubt if any of the respondents
would have jumped on you but would, instead, have tried to get you to
try any other AV program.

No, I questioned if the same outfit that made the sorry AV was doing any
better with their firewall. No, It wasn't ZA, but e-trust managed to
lose my confidence in their firewall because of the behavior of their AV.
Correct terminology is vital for accurate communication and, in my
opinion, this also includes correct spelling and grammar. Your
spelling and grammar are fine, I'm not flaming you about this; just
mentioning it as part of a general crusade for better communication.

Other than confusing the 'name' of the software, I think my message was
direct. Multiple apps failed to do what they were designed to do.
It seems as if the e-trust AV is the main culprit in your case. I now
know not to use that program and so do all the readers on this group.

Not so sure? I didn't depend on it to stop trojans. I guess AV does?
Then again, AV software has now become more comprehensive.
I use AVG and I have heard Avast is also excellent. Trojans can be
very difficult to detect especially if you happen to cop it in the
first hours after its release.

I don't recall the exact dates of these two variants? I believe they are
at least a year old.
Excellent program.

Yes, I was lucky taskmanager became corrupted! I can't believe MS
doesn't at least have a more sophisticated version for their servers.
Excellent program too but even the experts can get it wrong sometimes.


The trojan still is popping up in "temp" directories. Most of the people
I spoke with concurred it was a persistent variety. At least it isn't
active.
It seems to me to be a failure of the AV program rather than anything
else.

So you contend? Again, it depends on how comprehensive an AV program
is? I never trusted them completely -- which is why I use 'specialty'
apps for more narrow threats.
If we expect the average user to do very little then that is just
what happens. If we expect him/her/it to do a little more then
he/she/it will normally rise to the challenge.

A friend saw a survey which stated about 75% of computers are infected
with 'something'. I care less about 'them' than their ability to act as
a 'host' and propagate the epidemic. There are so many 'standard'
features which are included in OS's that are of less use/value - I
should think MS would feel more responsible for a much greater threat.
As IE & OE are the biggest targets? Yes, I believe in individual
responsibility? But we also have health and safety laws. Try getting
your kid in school without vaccines! I believe it's come to the point
where an OS needs to be shipped with greater security. Well, at least a
firewall is now standard and a default.
It's gradually increasing.

I only rarely used OE or IE in the past ten years. Enough to become
'familiar' with them, a strictly 'professional' requirement. Of the
score or so that I've turned on to 'Mozilla' - only a few knew about
it. Most were only worried/concerned about settings and stored
information migrating. Thunderbird has really impressed most
people...the browser requires a bit more work and some extensions to
fully exploit its benefits.
Make sure that you give e-trust a blast from both barrels and advise
Zone Labs of your concerns regarding the look and feel of a product
that is aping their interface but is clearly inferior.

It can't be a coincidence! Were/are they affiliated in any way? The
GUI is a clone. (Which came first?) Check out the screenshots - they
must be available. One and the same.
Best of luck for the future.

I knew luck was part of it? I'm less upset (no 'damage' was done, -- [I
hope]) than I am disappointed. Yes, it was only a single incident? But
I was using several apps. I never had a false sense of security, but
now I don't know what will give me any peace of mind.
 
Aaron said:
@bgtnsc04-news.ops.worldnet.att.net:



secure?_ _How many people are *not* using IE or OE, plus using a firewall,
AV and two or three anti-spy/anti-trojan,hijack, malware....?_

And what about those of us using more? :-)

Not sure how to take that? Is that a veiled self-insult? Um, we with
several apps are still getting slammed...
Heck even if you use 10 different AVS and antispyware you could still be
infected. Add on good user practices such as using only non-admin accounts
for ordinary use, and you can be pretty secure (say 99%), but never 100%.

Depending on how one 'defines' secure? This is my first in seven years.
I dare not guess the terabytes of bandwidth I've used in that time, or
the number of files I've accessed/downloaded. I'm sure I'm still well
over 99% 'successful'.
Get used to it.

I was never cavalier. No, the apps weren't doing 'nothing'. They made
me aware of the threats. That's why I was surprised by a less than
'unique' variant taking root. It wasn't day two of something new and
different.
Get over it, security software fails. There is way too much malware out
there to be covered by one. Using more than one, reduces the chances of
missing stuff, but isn't a 100% guarantee either.

Personally, I don't know why you were surprised, repeated unexpected
popups are a big giveaway that something is wrong.

I had just done some upgrading/tweaking to Firefox. I thought my
prefs.js was damaged by my 'messing'. It didn't occur to me I had a
guest until I used Process Explorer and 'saw' the demon in action. No,
I didn't realize how lacking taskmanager was.
What? AFAIK none of the posters in this thread are remotely connected with
any of the security apps you mention, "covering of asses" seems
unnecessary.

I didn't imply a financial conflict. Rather, it appeared as each app
has a defender? In the end, (as I was running most of them) there
wasn't anyone left to point fingers at.
And yet you were infected. So this either means there was a lapse in your
user behaviour, or one of your apps fails or both. The former happens to
almost everyone and the latter happens to even the best apps.

If I 'executed' an app without investigating its progeny? Yeah, that's
my fault. Sadly, I can only narrow it down to three or four apps ---
yeah, they were freeware.
My take is that you think you have done everything right, and just want to
blame the security software you were using. Fair enough, that could even be
the truth, but on the other hand, user error also often plays a big role.
If you don't ever visit dubious sites, or download and install programs from
dubious sources, you need to rely less on security software to protect you.

If 'free' means software may be more dubious than not free? Mea culpa.
Note, I'm not saying this is true in your case, since I don't even know you.

I'm a skeptic! I don't visit 'risky' sites...
Welcome to the club. The rest of us already know that regardless of how
much security software you use, how knowledgeable and smart you are, there
is always a chance you can get infected.

And I was only trying to give Avast some credit - only one app did not
'fail' me. I thought the subject line was optimistic? Positive!
It seems something good has come out of this episode, if you realise this.

I know that I don't know. I'd hoped I was doing 'too much'.
many people went to the means I do and I not only ended up with a sick
machine? None of the apps (which let it in) found it, let alone got rid
of it?!

Actually there are quite a few paranoids like myself that go beyond what
you do, backed up with knowledge and experience,and there are many who do
less than you. And so far, so good.

My conclusion is that it is probably a greater challenge than current
software is equipped to defend against. It isn't an 'organic' threat and
I probably believed I only needed to have the proper vaccines in order.
Believe me, we are all vulnerable though some of us are less so.
I wouldn't be so arrogant though to think that because I run a couple of
security software and run alternative browsers, there isn't room for
improvement.

I wasn't ever smug? But I encouraged people to not be lax - - I'm not
sure I set a good example (at the least) or lost some cred.
To be honest I don't know what your point is, other than to moan about how
your security software failed you. That is assuming if it wasn't a case of
PBKAC.

The initial point was to 'reward' Avast with some exposure. I merely
wanted to show how it prevailed over a number of other defenders.
Firewall is any good!

And when AVAST fails what will you do then? :-) As for your question
about ZA.. It's adequate though I think it lacks the component monitoring
of the pro version so it fails to recognise malware phoning home, when it
integrates itself into IE as a BHO.


I think users 'best friend' is netstat! Just check once in a while and
'see' if you are communicating with someone you don't intend to. You do
know about that? At the root: [A good combo is: netstat -a -n]

netstat /?

Displays protocol statistics and current TCP/IP network connections.

NETSTAT [-a] [-b] [-e] [-n] [-o] [-p proto] [-r] [-s] [-v] [interval]

  -a            Displays all connections and listening ports.
  -b            Displays the executable involved in creating each connection or
                listening port. In some cases well-known executables host
                multiple independent components, and in these cases the
                sequence of components involved in creating the connection
                or listening port is displayed. In this case the executable
                name is in [] at the bottom, on top is the component it called,
                and so forth until TCP/IP was reached. Note that this option
                can be time-consuming and will fail unless you have sufficient
                permissions.
  -e            Displays Ethernet statistics. This may be combined with the -s
                option.
  -n            Displays addresses and port numbers in numerical form.
  -o            Displays the owning process ID associated with each connection.
  -p proto      Shows connections for the protocol specified by proto; proto
                may be any of: TCP, UDP, TCPv6, or UDPv6. If used with the -s
                option to display per-protocol statistics, proto may be any of:
                IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, or UDPv6.
  -r            Displays the routing table.
  -s            Displays per-protocol statistics. By default, statistics are
                shown for IP, IPv6, ICMP, ICMPv6, TCP, TCPv6, UDP, and UDPv6;
                the -p option may be used to specify a subset of the default.
  -v            When used in conjunction with -b, will display sequence of
                components involved in creating the connection or listening
                port for all executables.
  interval      Redisplays selected statistics, pausing interval seconds
                between each display. Press CTRL+C to stop redisplaying
                statistics. If omitted, netstat will print the current
                configuration information once.
 
Not sure how to take that? Is that a veiled self-insult? Um, we with
several apps are still getting slammed...

Take it as you will. Yes, I have read of cases where people far more
knowledgeable than you or me, and running better quality software and
still getting 'slammed'.

Depending on how one 'defines' secure? This is my first in seven years.
I dare not guess the terabytes of bandwidth I've used in that time, or
the number of files I've accessed/downloaded. I'm sure I'm still well
over 99% 'successful'.

Nice run and Good for you! Then why all this moaning about how your
software failed you?

I had just done some upgrading/teaking to Firefox. I thought my
prefs.js was damaged by my 'messing'.

No offense, but this statement makes you sound a lot more inexperienced
than you probably are. Even the basest newbie knows that unexplained
popups are a bad sign. Or perhaps you were lulled by a false sense of
security? Never occurred to you, that even with 2 antispyware apps, you
could have something slip through?

It didn't occur to me I had a
guest until I used Process Explorer and 'saw' the demon in action.
No, I didn't realize how lacking taskmanager was.

Somewhat confused since you said the trojan "whacked" your taskmanager, I
interpreted it as meaning your taskmanager couldn't start. Correct?
If so, that's another sign of something BAD.
I didn't imply a financial conflict. Rather, it appeared as each app
has a defender? In the end, (as I was running most of them) there
wasn't anyone left to point fingers at.

Hardly, point fingers at whoever you like. The point is security software
fails. If you think AVAST is going to be 100% accurate , you will be in
for a surprise.
If I 'executed' an app without investigating its progeny? Yeah,
that's my fault. Sadly, I can only narrow it down to three or four
apps --- yeah, they were freeware.


If 'free' means software may be more dubious than not free? Mea culpa.

I would say 'free' but closed source programs are a slight risk.
Especially for freeware that no one has heard of before.

Even for others, do we actually know that freeware even though highly
recommended by regulars here is actually safe? Running adware/spybot
scans + AV of choice to declare something clean helps, but you still
can't be sure.

So we all use freeware, our risk profile will be slightly higher, so what
it's a risk that one chooses freely.
And I was only trying to give Avast come credit - only one app did
not 'fail' me. I thought the subject line was optimistic? Positive!

Did not fail you YET you mean :)
I know that I don't know. I'd hoped I was doing 'too much'.

7 years is a good run. It had to end. In the grand scheme of things,
whether you are "doing too much" would depend on how valuable your
computer is.
My conclusion is that it is probably a greater challenge than current
software is equipped to defend against.

Okay no need to get overly dramatic. So you got infected once in 7 years.
Combination of perhaps bad luck, user error and security software failure
nailed you. This doesn't mean the sky is falling.

I wasn't ever smug?

IMHO your posts reek of it. With all that jazz about how less than 5% do
what you do and all the security software you run, and YET you got
infected... On the other hand ,so do mine.
But I encouraged people to not be lax - - I'm not
sure I set a good example (at the least) or lost some cred.

So you discovered that the internet is a dangerous place, even with all
your security apps. Remember, the bad guys are always working to
circumvent your defences. But because most users are exposed only to the
"defending" part of computer security it's easy to I think get lulled
into a false sense of security that because they run x,y,z, they are 100%
safe.

The initial point was to 'reward' Avast with some exposure. I merely
wanted to show how it prevailed over a number of other defenders.

For *that* case. I have no doubt, in other cases, AVAST will fail, while
others succeed. Still anecdotal evidence is not enough in most cases to
determine if one AV is better than another, though of course for most
people it's all they have to go on.

Stories of how they junked X for Y, cos Y detected something X didn't,
unfortunately don't consider the evidence for when X detected something Y
didn't.

Before you start seeing me as a defender of ZA+etrust, I should add, I
don't like either of them and my suspicion is Antivir and AVAST both
outperform Etrust in most cases.
Firewall is any good!

And when AVAST fails what will you do then? :-) As for your
question about ZA.. It's adequate though I think it lacks the
component monitoring of the pro version so it fails to recognise
malware phoning home, when it integrates itself into IE as a BHO.


I think users 'best friend' is netstat! Just check once in a while
and 'see' if you are communicating with someone you don't intend to.
You do know about that? At the root: [A good combo is: netstat -a -n]

<Netstat commands snipped>

Netstat is nice but not sufficient I think. Much nicer tools, such as
sysinternals TCPview, Activeports etc etc as well as firewall logs of
most firewalls, provide you with more information, including mapping of
processes to ports, as well as a dynamic view as opposed to a static one
provided by netstat.

But that's not the point. From the POV of netstat and most other port
mappers, any malware integrated as a BHO in IE, or an extension in
firefox, will be shown connecting outwards as part of the internet
explorer or firefox process.

You do know about that?
 
Aaron said:
Take it as you will. Yes, I have read of cases where people far more
knowledgable than you or me, and running better quality software and
still getting 'slammed'.

I'm less knowledgeable than informed! I am quite confused as to the
classification of threats! I merely thought I require multiple means to
protect myself. I imagine the classes of threat are well defined? It
isn't clear to me how to specifically deal with 'each' class. It went
from 'viruses' to 'everything else'.
Nice run and Good for you! Then why all this moaning about how your
software failed you?

How does a Subject: Cheers for FREE Avast set me up for anything but a
person who is pleased to have found a solution. My 'moaning' was more a
result that I not only took more than 'necessary' measures, I was left
with the conclusion that an 'aged' threat had not been detected by them.
Yes, I was disappointed in the software...I was more at a 'loss' of
what more I could do.
No offense, but this statement makes you sound a lot more inexperienced
than you probably are. Even the basest newbie knows that unexplained
popups are a bad sign. Or perhaps you were lulled by a false sense of
security? Never occurred to you, that even with 2 antispyware apps, you
could have something slip through?

It could be argued that with five different applications, my suspicion
was that the prefs.js was a more logical reason for the popups. When I
didn't see a problem with the script (I first switched from the Mozilla
Suite to Firefox...not a fix) I ran the Process Explorer. In a sense I
believed I was proving the negative. I tried to find out why I was
getting popups "in spite' of the lack of the proggies finding a hint of
changes to my system. Newbies and hypochondriacs are often well taken
care of... I did have some grounds for not suspecting an invader,
rather thinking it was the 'popup' prevention of Mozilla which was at
fault. Again, that was the only 'symptom' and until Mozilla it was
part of the routine. So, I did not associate popups with an invader as
it was never the case before.
It didn't occur to me I had a



Somewhat confused since you said the trojan "whacked" your taskmanager, I
interpreted it as meaning your taskmanager couldn't start. Correct?
If so, that's another sign of something BAD.

The MS task manager only (still) shows the inner box. The list of
processes. I even brought in a couple of 'new ones'. Even though I
would like to believe all evidence of the trojan is gone? Yes, I am
stuck with an MS taskmanager which only shows the 'inner box' of
processes?!

Yes, that was a 'sign' which led me to process manager which disclosed
an 'unknown' .exe which would not 'die'.

Sorry to mislead about the time frame. The date of the trojan 'invasion'
was 4-22 - - A Friday. I did little that weekend except see if the
browser was the problem, install Firefox and it wasn't until Monday the
taskmanager crapped out. - I replaced it with Process Explorer and
discovered the .exe and set about to removing it. The trail was easy to
follow - but it wouldn't die at my hands. It required Avast to kill it
at boot.

However? It is still appearing in my IE Internet Temp file at startup
(I don't use IE).

So, it appears to not be 'doing anything'? But needs to be killed on
each boot...Plus, no one can tell me why MS taskmanager won't return to
a normal GUI. (Even after bring in a 'new' model.) I'm clearly not 'out
of the woods'...Hijackthis folks say a clean install might be my only
option to a full return to normalcy. Oh, System Restore is a joke if
it's infected...
Hardly, point fingers at whoever you like. The point is security software
fails. If you think AVAST is going to be 100% accurate , you will be in
for a surprise.

I wasn't speaking of 'my' finger pointing. Other OP's were blaming the
lack of an app (they didn't realize I was using). I sensed everyone's
ox was getting gored before it was all over. No, I was faithless by
then. Yes, Avast did come through and I wanted to give them credit for
this instance - where at least 5-6 others failed. No, it was less
moaning and trying to suggest Avast may have a clue where five popular
alternatives were, um, worthless?

Hey, yesterday I did a 'trial' of a beefy version of Sophos (big $'s to
buy)? It didn't even see the trojan that 'hides' in the IE Internet
Temp..Nope, I don't trust anything, anymore.
I would say 'free' but closed source programs are a slight risk.
Espically for freeware that no one has heard of before.

And I installed three apps in one session. The time stamp of 1:43 PM
tells me little. I may be wrong? I don't recall any effect until
reboot on Saturday morning.
Even for others, do we actually know that freeware even though highly
recommended by regulars here is actually safe? Running adware/spybot
scans + AV of choice to declare something clean helps, but you still
can't be sure.

So we all use freeware, our risk profile will be slightly higher, so what
it's a risk that one chooses freely.

I am less sure whether it is because it is 'freeware' or if it has to do
with the method of distribution? Just a wild guess? That is, if I grab
something from sourceforge? What do I know about the mirror site?
Regardless, it is simply another link in the chain. It might not have
been the app. It might have been a goof ball at a server?
Did not fail you YET you mean :)

Yes, yet - but most specifically in the context of this event: "In that
circumstance."
7 years is a good run. It had to end. In the grand scheme of things,
whether you are "doing too much" would depend on how valuable your
computer is.

It's better than seven years! In '98 I got a harmless macro virus from
a customer's floppy. That was it since '92! Not to be smug? I figured
it was because I was doing things 'right'.

Funny thing. I know a few (3-5) people who had serious and
consequential experiences. I can name hundreds who have done little and
are without 'evidence' of an invasion. No, that doesn't mean they are
clean? But I can only cite those few who would lead anyone to believe
there is a threat out there. Trust me, it isn't easy for me to inspire
people to switch browsers, e-mail clients or use the most simple freeware.

Okay no need to get overly dramatic. So you got infected once in 7 years.
Combination of perhaps bad luck, user error and security software failure
nailed you. This doesn't mean the sky is falling.

Well, before HIV? What did safe sex mean? I don't know if the sky is
falling or not. All I know is:
1.) "7 years" means nothing.
2.) No 'one' app (nor 5) helped.
3.) I was lucky I got popups and not something that wiped me out.


IMHO your posts reeks of it. With all that jazz about how less than 5% do
what you do and all the security software you run ,and YET you got
infected... On the other hand ,so do mine.

I have a provocative tone. I wasn't bragging...I only meant to suggest
that if 95% of the population (you said 99%?) seems to survive well
enough with minimal protection, my 'story' is not likely to move them.
I'm not the poster boy for 'safe computing'. No, I wasn't smug - - I
was showing that being in the tiniest percentile of the well protected
did me 0 good...in the end.
So you discovered that the internet is a dangerous place, even with all
your security apps. Remember, the bad guys are always working to
circumvent your defences. But because most users are exposed only to the
"defending" part of computer security it's easy to I think get lulled
into a false sense of security that because they run x,y,z, they are 100%
safe.

Aaron, this would be easier to swallow if it weren't an 'old trojan'.
If something new slipped through? No, I figured the offense always
would have an advantage. My surprise was that in over a year the
defense didn't catch up. I know I'm on the front line? I don't like
getting beat by a lightweight.
For *that* case. I have no doubt, in other cases, AVAST will fail, while
others succeed. Still anecdotal evidence is not enough in most cases to
determine if one AV is better than another, though of course for most
people it's all they have to go on.

Now the 'list' includes 3 AV (forget the firewall) and at least 4-5
non-AV apps. Aaron? AVAST is the only one to even 'see'
Win32:Qoologic-D. Yes, Hijackthis saw a registry entry and Process
Explorer saw an .exe.
Stories of how they junked X for Y, cos Y detected something X didn't,
unfortunately don't consider the evidence for when X detected something Y
didn't.

I only 'junked' e-trust. I still run Webroot and S&D. Why, I don't know!
Before you start seeing me as a defender of ZA+etrust, I should add, I
don't like either of them and my suspicion is Antivir and AVAST both
outperform Etrust in most cases.

Sorry, I was mostly 'faithless' before this. I love to fly? I'm less
fearless than I am reconciled that pilots are paid well - but not enough
to 'take their lives in their hands.' It was a simple post:
Several apps failed. AVAST did not. It deserved that commendation.
That was then...
So? I guess I'll stick with Avast. My only concern is whether the ZA
Firewall is any good!

And when AVAST fails what will you do then? :-) As for your
question about ZA.. It's adequate though I think it lacks the
component monitoring of the pro version so it fails to recognise
malware phoning home, when it integrates itself into IE as a BHO.


I think users 'best friend' is netstat! Just check once in a while
and 'see' if you are communicating with someone you don't intend to.
You do know about that? At the root: [A good combo is: netstat -a -n]


<Netstat commands snipped>

Netstat is nice but not sufficient I think. Much nicer tools, such as
sysinternals TCPview, Activeports etc etc as well as firewall logs of
most firewalls, provide you with more information, including mapping of
processes to ports, as well as a dynamic view as opposed to a static one
provided by netstat.

I'd be interested in a short list of such freeware. I do find netstat
to be a quick confirmation -- a few characters/enter -- and I see where
I'm at and how I got there.
But that's not the point. From the POV of netstat and most other port
mappers, any malware integrated as a BHO in IE, or an extension in
firefox, will be shown connecting outwards as part of the internet
explorer or firefox process.

Well, if netstat shows you are at an 'established' address and you
should not be? Hello!?

It isn't "how you got there?" (For the moment, anyway) But you are
"there" and it wasn't your choice. That is a helluva clue! Yeah, not a
bad way to spend a few seconds, with tapping in a few characters in the
cmd.
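Slip Kid's `netstat -a -n` habit and Aaron's caveat that a BHO or browser extension shows up under the browser's own process can be shown together in one script. The Python below is an added example for this thread, not code from either poster: it parses a constructed, made-up imitation of `netstat -a -n -o` output (every address, port and PID in it is invented), flags ESTABLISHED connections to hosts that are neither on the LAN nor on an assumed allow-list of hosts the user knows they talk to, and reduces the hits to the owning PIDs, which is exactly as far as netstat can take you before Process Explorer has to take over.

```python
"""Parse `netstat -a -n -o` output and flag unexpected ESTABLISHED connections.

Added example for this thread, not code from any poster. SAMPLE_NETSTAT is a
constructed imitation of Windows netstat output: every address, port and PID
in it is made up. EXPECTED_REMOTES is an assumed allow-list the user would
maintain for their own machine.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample; documentation-range addresses (198.51.100.x, 203.0.113.x)
# stand in for "the Internet". Not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1052      192.168.1.1:53         TIME_WAIT       0
  TCP    192.168.1.10:1060      198.51.100.20:80       ESTABLISHED     1784
  TCP    192.168.1.10:1061      203.0.113.77:8080      ESTABLISHED     1784
  TCP    192.168.1.10:1063      203.0.113.9:6667       ESTABLISHED     2212
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumption: remote hosts the user knows they talk to (e.g. their mail server).
EXPECTED_REMOTES = {"198.51.100.20"}

# Address ranges that are "this machine" or "this LAN" rather than the Internet.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Conn:
    proto: str
    local: str
    remote: str
    state: str   # empty for UDP, which is connectionless
    pid: int     # -1 when netstat was run without -o and printed no PID column


def parse_netstat(text: str) -> List[Conn]:
    """Turn the text table into records; header and blank lines are skipped.
    Accepts both `netstat -a -n` (no PID column) and `netstat -a -n -o`."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, remote = parts[:3]
        rest = parts[3:]
        state = rest[0] if proto == "TCP" and rest else ""
        has_pid = (proto == "TCP" and len(rest) == 2) or (proto == "UDP" and len(rest) == 1)
        pid = int(rest[-1]) if has_pid else -1
        conns.append(Conn(proto, local, remote, state, pid))
    return conns


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """'1.2.3.4:80' -> ('1.2.3.4', '80'); IPv6 rows look like '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_local(host: str) -> bool:
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False          # '*' in UDP rows is not an address
    return any(ip in net for net in LOCAL_NETS)


def unexpected_established(conns: List[Conn], expected=EXPECTED_REMOTES):
    """ESTABLISHED TCP sessions to hosts that are neither local nor expected."""
    flagged = []
    for c in conns:
        if c.proto != "TCP" or c.state != "ESTABLISHED":
            continue
        host, port = split_endpoint(c.remote)
        if is_local(host) or host in expected:
            continue
        flagged.append((host, port, c.pid))
    return flagged


def pids_with_unexpected(flagged) -> List[int]:
    """PIDs to look up in Process Explorer. This is as far as netstat goes: a
    BHO inside IE or an extension inside Firefox owns no socket of its own,
    so its traffic is attributed to the browser's PID."""
    return sorted({pid for _, _, pid in flagged})


if __name__ == "__main__":
    hits = unexpected_established(parse_netstat(SAMPLE_NETSTAT))
    for host, port, pid in hits:
        print(f"ESTABLISHED to {host}:{port} owned by PID {pid}")
    print("check these PIDs:", pids_with_unexpected(hits))
```

On the sample, the two connections to 203.0.113.x are flagged and resolve to PIDs 1784 and 2212. If 1784 turned out to be the browser, netstat alone could not say whether the browser itself or something loaded into it opened the 8080 session; that is the gap Aaron describes, and the reason a per-process view such as Process Explorer or TCPView is the next step rather than more netstat.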
 
This is getting overly long, perhaps we should continue this via email if
you are interested.

I'm less knowledgeable than informed! I am quite confused as to the
classification of threats! I merely thought I require multiple means
to protect myself. I imagine the classes of threat are well defined?
It isn't clear to me how to specifically deal with 'each' class. It
went from 'viruses' to 'everything else'.

Er no. Classes of threats are not that well defined. Eg nowadays most
worms also drop payloads like keyloggers, backdoors, adware etc. Nimda
is a combo worm/virus.

I do agree it gets confusing for most people to keep up with the
difference between
virus/worm/trojan/rootkit/spyware/adware/keylogger/backdoor and whatever
new term they coin.

If you are utterly paranoid, you would have specialised programs to
handle each class of threat (eg specialised antikeylogger on top of
generic antiadware and antivirus, both of which pick up some keyloggers)!
How does a Subject: Cheers for FREE Avast set me up for anything but a
person who is pleased to have found a solution. My 'moaning' was more
a result that I not only took more than 'necessary' measures, I was
left with the conclusion that an 'aged' threat had not been detected
by them.
Yes, I was disappointed in the software...I was more at a 'loss' of
what more I could do.

Signature based methods will never provide 100% protection. Hence the
move towards behavioural based methods, or some call it IDS/IDP methods.
This software doesn't rely on signatures, but on detecting unusual
behaviour.

See http://www.techsupportalert.com/intrusion-detection.htm

You probably already use some simplified versions of this type of
software like TeaTimer/WinPatrol to monitor startups. But you can use
more advanced (complicated!) versions. Many are freeware/liteware right
now, because the market isn't really ready yet. E.g. Processguard free,
PrevX (phones home), Abtrusion protector, SSM (time limited to Dec 05),
antihook, Winsonar etc.

They might have helped detect the malware earlier, though the burden is
much heavier on the user to detect unusual events.

It could be argued that with five different applications, my suspicion
was that the prefs.js was a more logical reason for the popups.

So you did have a false sense of security :) and I suppose how reasonable
your suspicion was would depend on how much you understood about the
prefs.js file.
I did have some grounds for not suspecting an invader, rather thinking
it was the 'popup' prevention of Mozilla which was at fault.

The grounds being you have 5 antispyware?
The MS task manager only (still) shows the inner box. The list of
processes. I even brought in a couple of 'new ones'. Even though I
would like to believe all evidence of the trojan is gone? Yes, I am
stuck with an MS taskmanager which only shows the 'inner box' of
processes?!

Yes, that was a 'sign' which led me to process manager which disclosed
an 'unknown' .exe which would not 'die'.

Sorry to mislead about the time frame. The date of the trojan
'invasion' was 4-22 - - A Friday. I did little that weekend except
see if the browser was the problem, install Firefox and it wasn't
until Monday the taskmanager crapped out. - I replaced it with
Process Explorer and discovered the .exe and set about removing it.
The trail was easy to follow - but it wouldn't die at my hands. It
required Avast to kill it at boot.

There are several methods to manually kill tough to remove processes. But
you probably need to know what startup method it was using, and I'm
guessing it was probably a very obscure one.

However? It is still appearing in my IE Internet Temp file at startup
(I don't use IE).

So, it appears to not be 'doing anything'? But needs to be killed on
each boot...Plus, no one can tell me why MS taskmanager won't return
to a normal GUI. (Even after bringing in a 'new' model.) I'm clearly not
'out of the woods'...Hijackthis folks say a clean install might be my
only option to a full return to normalcy.

Who exactly are the "hijackthis folks"? Lots of forums offer cleaning of
HJT logs, but the quality of advice I find is sometimes uneven, even within
the same forum.

Yes, Avast did come through and I wanted to give them credit
for this instance - where at least 5-6 others failed. No, it was less
moaning and trying to suggest Avast may have a clue where five popular
alternatives were, um, worthless?

It's unclear to me if AVAST really completely cleaned the nasty. Besides,
AVAST is hardly unpopular.

Hey, yesterday I did a 'trial' of a beefy version of Sophos (big $'s
to buy)? It didn't even see the trojan that 'hides' in the IE Internet
Temp..Nope, I don't trust anything, anymore.

How about Microworld's free eScan? Its KAV-backed database is among the
most comprehensive.

You might also consider uploading the file to one of the multiple AV file
scanners to see if any of them detect it.
http://www.virustotal.com/flash/index_en.html
http://virusscan.jotti.org/
I am less sure whether it is because it is 'freeware' or if it has to
do with the method of distribution?

I think it has less to do with the method of distribution than with
being able to assign responsibility for the product.

Just a wild guess? That is, if I
grab something from sourceforge? What do I know about the mirror
site? Regardless, it is simply another link in the chain. It might
not have been the app. It might have been a goofball at a server?

To be utterly safe, you would need to download the source, study it, then
compile it yourself. But I think by making a program open source, there
is some measure of 'good faith' being demonstrated by the author and,
barring a trojanised copy being added, it's probably safe.

An unknown author hawking some freeware would, I think, entail higher
risks than an open source project, because you can't even be sure the
original untampered version is safe!

Yes, yet - but most specifically in the context of this event: "In
that circumstance."
Exactly.


It's better than seven years!

Seven years was what you wrote :)

In '98 I got a harmless macro virus
from a customer's floppy. That was it since '92! Not to be smug? I
figured it was because I was doing things 'right'.

Simpler days. The last time I got infected was by some Dark Avenger
virus, which was ages ago.
Funny thing. I know a few (3-5) people who had serious and
consequential experiences. I can name hundreds who have done little
and are without 'evidence' of an invasion. No, that doesn't mean they
are clean?

Actually I know of a few cases where people run almost nothing, and when
I come in to check their system, it is clean (as far as I can tell). I
suppose you could say they could still be infected, but I suppose you
can say the same of me.

But I can only cite those few who would lead anyone to
believe there is a threat out there.

There are threats out there, but there is a line between trying to be
secure and becoming over-confident.

Well, before HIV? What did safe sex mean? I don't know if the sky is
falling or not. All I know is:
1.) "7 years" means nothing.

Your figures :)
2.) No 'one' app (nor 5) helped.
3.) I was lucky I got popups and not something that wiped me out.

Time to do backups then.

I have a provocative tone. I wasn't bragging...

Or the seven year record, which you later revised to a higher figure? :)


I only meant to
suggest that if 95% of the population (you said 99%?) seems to survive
well enough with minimal protection, my 'story' is not likely to move
them.

Or perhaps they accept the risk and don't expect 100% security? And as
you said being hit once in more than 7 years ain't too bad.

I'm not the poster boy for 'safe computing'. No, I wasn't smug
- - I was showing that being in the tiniest percentile of the well
protected did me 0 good...in the end.

As long as you are not 100% secure (which is impossible), you can always
get nailed. But so what? Does that mean you prefer to be 10% safe as
compared to 95% safe? As I keep repeating, there is no 100% security, no
matter what you do. You say you understand that, but from your tone I
keep getting the sense you don't really accept it.
Aaron, this would be easier to swallow if it weren't an 'old trojan'.

I did a bit of asking around; if it was really Win32:Qoologic-B and D and
not some newer or related variant (a possibility since AVAST doesn't seem
to have cleaned it 100%), it's not some "old" trojan, but a rather tricky
strain that is next to impossible to clean by automated means.
If something new slipped through? No, I figured the offense always
would have an advantage. My surprise was that in over a year the
defense didn't catch up. I know I'm on the front line? I don't like
getting beat by a lightweight.

Another possibility is that you were hit by some unusual variant that was
not widespread and hence wasn't added to most virus databases. Again,
I'm still unsure if AVAST really cleaned it all.
Now the 'list' includes 3 AV (forget the firewall) and at least 4-5
non-AV apps. Aaron? AVAST is the only one to even 'see'
Win32:Qoologic-D.

Yes, for that *ONE* case. I could easily get you a list of malware missed
by AVAST but easily detected by 4 or 5 of other scanners. That's my
point.

I only 'junked' e-trust. I still run Webroot and S&D. Why, I don't
know!

Because despite AVAST prevailing once, that is not automatically
sufficient evidence that it will detect everything that the rest will.
I'm not sure why this point seems to be escaping you.

Sorry, I was mostly 'faithless' before this. I love to fly? I'm less
fearless than I am reconciled that pilots are paid well - but not
enough to 'take their lives in their hands.' It was a simple post:
Several apps failed. AVAST did not. It deserved that commendation.
That was then...

Very long post, for a mere commendation :)

I'd be interested in a short list of such freeware. I do find netstat
to be a quick confirmation -- a few characters/enter -- and I see
where I'm at and how I got there.

TCPView by Sysinternals (who also make Process Explorer) is one.
Well, if netstat shows you are at an 'established' address and you
should not be? Hello!?

Network connections persist for a while, and you probably need to have a
fresh session to ensure that such connections are closed. Personally,
after a long browser session, when I look at my network connections, I
see a big mess. This is further complicated by firefox, RSS feeds,
extensions and so on, so you need to wait a while for them to die down.

Another thing: say you spot some connection, or perhaps some port open
that is listening, with netstat. How do you know what process is keeping
it open? It could very well be some legitimate system process, or even if
it isn't, how do you know which process is playing hooky? That's why you
use TCPView over netstat.

Browser-integrated malware complicates matters since it appears as if it
was coming from the browser. You will need to rule out all the legitimate
connections that the browser is making to be sure there is something
wrong.

I personally use TCPView to look around once in a while, but of course I'm
aware of the possibility that some malware can hide from TCPView and
similar tools... Heh
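The reply above recommends TCPView over plain netstat because netstat on its own doesn't tell you which process owns a connection, and warns that a BHO or browser extension shows up under the browser's own PID. As an added example (not code from anyone in this thread), here is a small Python script that does that join by hand: it reads the PID column of Windows `netstat -ano` output and the `tasklist` listing, and flags sockets owned by processes you don't recognise, plus browser sockets on non-web ports. Both samples are constructed for an offline demo; `wxyz.exe`, the addresses and the allowlist are assumptions. The `-o` switch arrived with Windows XP, so on the Windows 2000 box mentioned earlier netstat has no PID column and TCPView is the only option; and, as the reply notes, a rootkit that hides from netstat hides from this script too.

```python
"""Map each TCP socket to its owning process, the way TCPView does.

Added example for this thread, not code from any poster. Assumes Windows
`netstat -ano` and `tasklist` output; both samples are constructed.
"""
import re
from collections import namedtuple

# Constructed sample of `netstat -ano` output (not a real capture).
# PID 0 on the TIME_WAIT row is how netstat reports a socket whose
# owning process has already gone away.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    192.168.1.10:1054      203.0.113.10:80        ESTABLISHED     1932
  TCP    192.168.1.10:1055      203.0.113.10:80        TIME_WAIT       0
  TCP    192.168.1.10:1060      198.51.100.77:6667     ESTABLISHED     2216
  TCP    192.168.1.10:1061      203.0.113.55:443       ESTABLISHED     1932
  TCP    192.168.1.10:1062      198.51.100.77:8245     ESTABLISHED     1932
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING       2216
"""

# Constructed sample of `tasklist` output; wxyz.exe is a made-up name
# standing in for the "unknown .exe" described in the thread.
TASKLIST_SAMPLE = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
svchost.exe                  884 Console                 0      5,120 K
firefox.exe                 1932 Console                 0     48,220 K
wxyz.exe                    2216 Console                 0      1,204 K
"""

Conn = namedtuple("Conn", "proto local remote state pid image")

# TCP rows only: UDP rows of netstat -ano have no State column.
NETSTAT_ROW = re.compile(r"^\s*(TCP)\s+(\S+)\s+(\S+)\s+([A-Z_]+)\s+(\d+)\s*$")
TASKLIST_ROW = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_tasklist(text):
    """Return {pid: image name} from `tasklist` output."""
    return {int(m.group(2)): m.group(1)
            for m in map(TASKLIST_ROW.match, text.splitlines()) if m}


def parse_netstat(text, pid_to_image):
    """Join each TCP row of `netstat -ano` to its owning image name."""
    conns = []
    for m in map(NETSTAT_ROW.match, text.splitlines()):
        if not m:
            continue  # header, blank line, or a UDP row
        proto, local, remote, state, pid = m.groups()
        conns.append(Conn(proto, local, remote, state, int(pid),
                          pid_to_image.get(int(pid), "<unknown>")))
    return conns


def remote_port(addr):
    """Port part of 'host:port'; rsplit keeps IPv6 '[::]:0' intact."""
    return int(addr.rsplit(":", 1)[1])


def suspicious(conns, known_images, browsers=("firefox.exe", "iexplore.exe"),
               web_ports=(80, 443)):
    """Flag what a quick TCPView pass would make you look at twice:
    an ESTABLISHED or LISTENING socket owned by a process you don't
    recognise, or a browser process (under which a BHO or extension
    hides) talking to something other than a web port.
    """
    findings = []
    for c in conns:
        if c.state == "TIME_WAIT":
            continue  # leftover of a closed session; no owner to blame
        if c.state in ("ESTABLISHED", "LISTENING") and c.image not in known_images:
            findings.append((c, f"{c.state} socket owned by unknown process"))
        elif (c.state == "ESTABLISHED" and c.image in browsers
              and remote_port(c.remote) not in web_ports):
            findings.append((c, "browser process on a non-web port"))
    return findings


def report(netstat_text=NETSTAT_SAMPLE, tasklist_text=TASKLIST_SAMPLE,
           known_images=frozenset({"svchost.exe", "firefox.exe"})):
    """Run the whole check; the allowlist of known images is an assumption."""
    conns = parse_netstat(netstat_text, parse_tasklist(tasklist_text))
    return suspicious(conns, known_images)


if __name__ == "__main__":
    for conn, why in report():
        print(f"{conn.image:>12} (pid {conn.pid}) {conn.local} -> {conn.remote} "
              f"{conn.state}: {why}")
```

On a live box, save `netstat -ano > ns.txt` and `tasklist > tl.txt` and pass those files' contents to `report()` in place of the samples. An ESTABLISHED row from a process you can't name is the "hello!?" moment the thread describes, and the PID lets you pick the same process out in Process Explorer; a browser-owned row on an odd port is the case where you still have to rule out the browser's legitimate traffic before blaming an extension.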