Av-comparatives April results

Discussion in 'Prevx Releases' started by darts, May 15, 2012.

Thread Status:
Not open for further replies.
  1. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    I would like to help you personally if I can. Could you contact me with your email address by PM so that we can work through the issues you're seeing? This is the first I've heard of a user having problems like this and I want to be sure you're fixed completely.

    Thank you!
     
  2. Techfox1976

    Techfox1976 Registered Member

    Joined:
    Jul 22, 2010
    Posts:
    749
    My first thought: What the heck is this guy doing to be infected 10 times in a week? There are no major 0-days out there, pretty much everything is patched solidly ATM. Either the user is horribly inept at things like patching Java and Flash, or is trolling or intentionally trying to get infected, or is just not choosing good sites to go to.

    Next thought: Webroot VP of Development is directly offering to look into it. The legitimacy of the user's story can be easily verified if he accepts the offer of assistance, and any problems can be fixed. Not-accepting of the offer for whatever reasons will just kill the claims and we're set. Accepting the offer finds out what's up and how the user managed to successfully get infected ten times in a week when the average completely-clueless, unprotected web user might be seeing maybe one infection a week when surfing free porn and pirated games.

    Good news on the above next thought: Just informing PrevxHelp of the keycode used on the computer that theoretically got horribly-infected is sufficient to figure out what happened in many cases, so there is unlikely to be any legitimate excuse for not getting help. :)
     
  3. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    6,777
    Location:
    New York City
    He/she may or may not be infected. This is why Wilder's discourages the posting of testing done by forum members. There is no way to know if the tests are legitimate and it's an easy way to spread FUD. In this case, Joe made a gracious offer to help, so we'll soon know the truth.
     
  4. webbit

    webbit Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    223
    through normal web user and downloading i have been virus free fir a while now, i use webroot complete, malwarebytes on demiand and i have windows defender and firewall active also.
    While the results are not good this product is great and will get sorted, the people on here are dedicated and go above and beyond to help.
    there has been many other "test" and webrrot has come out very well.
    So lets not throw this in the long grass lets get behind these people, and help and by the way if you search hard enough webroot is one of the cheapest securtiy product around.
     
  5. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Joe is a saint. I wouldn't even offer the punk help if he's already made up his mind that it's useless and he sounds like he's about to uninstall it anyway, but then again, I'm if I was in Joe's position, I'd have to assume professionalism. :)

    And lol @ Comodo being the "only" good one...seriously? I'm not on board with a product that's never formally evaluated by any of the major organizations being called "the best" because it's really a "o_O" product with different users reporting vastly different experiences. I for one am not too fond of Comodo overall. I respect them, but they can't even get their DNS service to be reliable. I had to switch to Norton.
     
  6. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    I'm not trolling, maybe I was a bit too strong with my words though.

    Just looking for a offshore vps basically, not a good scene to go looking for
    I've found out. Hit some russian + other s sites and boom! Had my system r00ted, had reformat it was that bad.

    I also downloaded a few files from downloadcrew.com I thought it was legit but I got hit with a few root kits so I think its full of malware.

    I'm contacting webroot as we speak. I really like the product. honestly but webroot didn't pick up anything :( Comodo did however. And trust me I've got security up the wazzooo.
     
  7. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    How in the world are you getting infected so often? If you bang on the side of a beehive you will stir things up.
     
  8. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    No java, No flash, No adbobe reader. All browser up to date, all patches up to date.

    Just got hit again, this what it looks like when someone installs a bot on your PC.

    Comodo firewall showing port sniffing/easedropping. Just before my machine got infected.
    http://i46.tinypic.com/2rrx5pz.png


    http://i47.tinypic.com/202omp.jpg

    Trusted Installer? Created by them, you can't disable it and it has write permisions. I delete all my user accounts/admin accounts & put 128 key passwords on them so they are bypassing UAC somehow.

    Bot calling home, changed Host file to ;;1 calling port 445

    http://i46.tinypic.com/jrpd13.png


    Combofix picked up 3 files, I'm sending them to Pervix now. Must of ~ Snipped as per TOS ~ someone off :(
     
    Last edited by a moderator: May 23, 2012
  9. PrevxHelp

    PrevxHelp Former Prevx Moderator

    Joined:
    Sep 14, 2008
    Posts:
    8,242
    Location:
    USA/UK
    A scan log from WSA from your system right now would help actually find the problem. The three files that Combofix cleaned from your archive are just temporary files and not malicious.
     
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    I can't see any real problem from the screenshots... As far as I know TrustedInstaller is part of windows and its there to protect core system files. Probably a scan log will indeed help.:)
     
  11. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    Well I don't know then, something re-wrote my file permissions, changed my host file and was trying to dial out. I'll try and upload the firewall log, this one guy hit me a few houndred times. Had quite a few rootkits/trojans lately, it's made me a bit on edge.

    + the RAT files they drop are usually encrypted from what I've read so you wont see it.
     
  12. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    Well I guess I'm infected with the same thing you have then because my Winlogon.exe has TrustedInstaller as a permission. And my Wininit.exe also listens on port 41952.

    I see zero evidence of an infection. Everything you've posted is normal. Looks like WSA has protected you well :D
     
  13. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Are your WSA settings maxed out...o_O
     
  14. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    I unistalled webroot and installed bitdefender. Has a much better firewall so far, thats one thing webroot needs to improve.

    Sorry no logs I formated, but I know when I'm infected.
     
  15. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    Lol... No comment.
     
  16. Scoobs72

    Scoobs72 Registered Member

    Joined:
    Jul 16, 2007
    Posts:
    1,113
    Location:
    Sofa (left side)
    No you don't. You've proven that quite categorically. All the 'evidence' you've presented is normal behavior and configuration of an uninfected system, based mainly on your inability to understand firewall activity/logs.
     
  17. STV0726

    STV0726 Registered Member

    Joined:
    Jul 29, 2010
    Posts:
    900
    Since you refuse to provide reliable evidence and you are more trying to bash a product without seeking the proper recourse, please don't quote me in other threads and say things like "Webroot LOL".
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    Well, lets also add that no security tool can protect from those kind of "infections" not even Scomodo or Sbitdefender :D

    But no need of raging at him, otherwise the poor OP will feel oblidged to get infected at any cost and this is obviously possible. No security is 100% bulletproof. :thumb:
     
  19. webbit

    webbit Registered Member

    Joined:
    Nov 2, 2008
    Posts:
    223
  20. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,906
    Location:
    localhost
    I think everybody should understand that when reporting such strong claims then solid evidence should be also provided. This has been said plenty of times and some moderation policy where introduced to try to reduce this non helpful behavior.

    From some of the information posted is clear OP has problems in interpreting signs of infections. May be its not OP fault but next time the OP should understand that by doing this he is damaging his and the product reputation since unfortunately there are many readers that will still beleive the OP regardless of lack of evidence and others that will for sure identify the OP as "just another troller". :)

    "Av-comparatives April results" could we go back to the subject of the thread?
     
  21. Mongol

    Mongol Registered Member

    Joined:
    Jul 24, 2004
    Posts:
    1,581
    Location:
    Houston, TX
    Have you studied up on ICMP and ICMP Reply? It's quite common in internet land and not necessarily malware phoning home. The malware you seem reluctant to prove you had.
     
  22. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    Yes I know about ICMP, I'm not a expert but I can tell the difference between normal ICMP and Malware ICMP. which is trying to phone home to it's botnet master or your being attacked.

    Anyway besides this incident fact is Webroot has not done the job, I used to rate it highly but it's just not up to scratch. Kaspersky & comodo both picked up stuff Webroot didn't which is sad because I really like the light weight product. But just having cloud AV doesn't work, something is very broken and the AV tests and my experience shows that.
     
  23. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    And you can tell that how? The IPS change everytime and having a dynamic IP C&C means that it won't make a difference. Most malware does not phone home by IP but by obfuscated url where the IP is derived from over random ports and not the same port each time.

    Your System is Clean.
    I disagree with the statement by Mongol calling BitDefender a SitDefender. I consider BitDefender to be among the top, I am currently beta testing their 2013 line and the system performance is great and it's detection is also near the top on personal malware hunting. I especially like the ability to boot into damn small linux and perform system scan without the need to make a cd. But I digress. I also have WSA running on my Untangle UTM do to it's low system resource usage but I would not trust it solely by itself, not yet, not this version. Unfortunately I have bought 3 licenses of the software, currently have only activated 1 and I am hoping to active the 2nd one when the first one runs out. I am hoping and praying that Webroot will honor their last year and 2011 licenses for next year since I will wait another year for all the bugs to be worked out before changing more of my systems.

    Currently, on my home network I am running Bitdefender 2013, Norton 2013 beta, KAV 2012, Eset 4.0, Malwarebytes, Emisoft Anti-Malware and WSA. From all of those WSA is the lightest and I like it as a 2ndary protection and for my Untangle UTM. I am running THe UTM as a VM so not too afraid of infection, the low probability of something infecting a *nix box and then breaking out of the VM is guarantee enough. However if something does break out then I hope that WSA will provide the extra layer of protection.


    P.S.
    OP, calling someone and "IDIOT" and pretending that you "KNOW WHAT YOU ARE SAYING and SEEING" without accepting friendly advice makes you into a 14 year old in my book.
     
  24. GrammatonCleric

    GrammatonCleric Registered Member

    Joined:
    Jan 8, 2009
    Posts:
    372

    No that's an ECHO REPLY to a PING REQUEST.

    I.e. If you ran BITORRENT and any P2P and then disconnected, the last connecting client will continue knocking at your door seeing if the disruption of service was temporary or not and trying to reconnect.
     
  25. No_script

    No_script Registered Member

    Joined:
    May 12, 2012
    Posts:
    97
    I know I was infected, with out a doubt. I don't know what kind of malware it was but it was there.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.