Antivirus 2008/2009


Guest Gregg Hill
Posted

Hello!

I just ran into my third new client with "Antivirus 2008" or "Antivirus 2009" rogue malware infection on an XP computer. The first to get hit had Symantec Antivirus Corporate Edition 9.x on it, the second had McAfee that came with the computer, the third has Dell's Trend Micro PC-Cillin 2008. All three had the latest antivirus definitions. I can see the SAVCE system and McAfee getting hit, as neither blocks malware/spyware, but Trend PC-Cillin Internet Security 2008 is supposed to block it.

What is its attack vector?

Does anyone know of consumer AV software that actually prevents this thing from installing?

Thank you!

Gregg Hill

Guest David H. Lipman
Posted

From: "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com>

The attack vector is social engineering via well-crafted web sites and the stupidity on the side of the web visitor.

Look at the paid-for version of MalwareBytes Anti-Malware as an anti-malware application capable of preventing this from getting installed.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest The Real Truth MVP
Posted

Antivirus and malware are two different things. You are quoting antivirus that does not detect or remove malware. As far as prevention goes, you can try the paid version of MBAM (http://www.malwarebytes.org/mbam.php); I don't know if it will work on 2009. If you want to just remove it, then use my Remove-it software; it will clean both 2008 and 2009. Download it here: http://pcbutts1.com/downloads/tools/tools.htm

--
Cyberstalking is a crime. If you had one as bad as I did, simply ignoring them is not an option.

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:%23ihQfMiBJHA.2056@TK2MSFTNGP05.phx.gbl...

Guest Kerry Brown
Posted

Here's an analysis of one way a computer gets infected.

http://www.theregister.co.uk/2008/08/22/anatomy_of_a_hack/

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:%23ihQfMiBJHA.2056@TK2MSFTNGP05.phx.gbl...

Guest The Real Truth MVP
Posted

Actually, the paid version of MBAM does NOT prevent infection; I just tested it and it failed miserably. Use Avast. The free home edition is all you need: http://www.avast.com/eng/download-avast-home.html My tests with that were successful in preventing the download and detecting the insertion into the temp files.

--
Cyberstalking is a crime. If you had one as bad as I did, simply ignoring them is not an option.

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:%23ihQfMiBJHA.2056@TK2MSFTNGP05.phx.gbl...

Guest Gregg Hill
Posted

I know that SAVCE and McAfee antivirus do not touch spyware/malware as noted in my post, but as I said, Trend's Internet Security 2008 software is supposed to block and/or clean it.

I'll look at your tools.

Thank you!

Gregg Hill

"The Real Truth MVP" <toidi@tpap.com> wrote in message news:cxjsk.35525$co7.12985@nlpi066.nbdc.sbc.com...

Guest Gregg Hill
Posted

Thank you!

Gregg Hill

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message news:%237UfcziBJHA.1224@TK2MSFTNGP02.phx.gbl...

Guest Leythos
Posted

In article <ySksk.22584$N87.19176@nlpi068.nbdc.sbc.com>, toidi@tpap.com says...

> Actually the paid version of MBAM does NOT prevent infection I just tested it and it failed miserably. Use Avast. The free home edition is all you need http://www.avast.com/eng/download-avast-home.html My tests with that were successful in preventing the download and detecting the insertion into the temp files.

Symantec End Point Protection works against it installing, and MBAM works to remove it.

The real solution is to not run as an Administrator and to not fall for these types of things to start with.

--
- Igitur qui desiderat pacem, praeparet bellum.
- Calling an illegal alien an "undocumented worker" is like calling a drug dealer an "unlicensed pharmacist"
spam999free@rrohio.com (remove 999 for proper email address)

Guest Kerry Brown
Posted

Be aware that "The Real Truth MVP" is not a Microsoft MVP. He has a very poor reputation with many well respected people in the security community.

--
Kerry Brown
MS-MVP - Windows Desktop Experience: Systems Administration
http://www.vistahelp.ca/phpBB2/
http://vistahelpca.blogspot.com/

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:%23WJDtcjBJHA.1180@TK2MSFTNGP04.phx.gbl...

Guest The Real Truth MVP
Posted

Yep, I ate my own words in my other post, as Avast is an antivirus app.

--
Cyberstalking is a crime. If you had one as bad as I did, simply ignoring them is not an option.

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:%23WJDtcjBJHA.1180@TK2MSFTNGP04.phx.gbl...

Guest Gregg Hill
Posted

I have a bit of control on my own networks, but these were three different new clients. I was trying to find a commonality between them, other than lack of patching.

Gregg Hill

"Leythos" <void@nowhere.lan> wrote in message news:1219625429_482516@news.usenet.com...

Guest Gregg Hill
Posted

Kerry,

Thank you for the warning.

Gregg Hill

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message news:ORIj4wjBJHA.4700@TK2MSFTNGP03.phx.gbl...

Guest Gregg Hill
Posted

Wow! Interesting person.

Gregg Hill

"Kerry Brown" <kerry@kdbNOSPAMsys-tems.c a m> wrote in message news:ORIj4wjBJHA.4700@TK2MSFTNGP03.phx.gbl...

Posted

Are you saying this rogue AV infects fully patched PCs and users with no administrative permissions?

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:%23ihQfMiBJHA.2056@TK2MSFTNGP05.phx.gbl...

Guest Gregg Hill
Posted

On this particular system, I only got a remote look at it for a few minutes. The guy called as I was about to head out the door. I do know that his Dell version of Trend Micro PC-cillin Internet Security 2008 was current. I'll check the OS when I get to his laptop today.

Gregg Hill

"John" <a> wrote in message news:ekgm$NtBJHA.2712@TK2MSFTNGP06.phx.gbl...

Posted

Thanks Gregg. Give us an update when you find out more about the system.

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:uS%23$lbuBJHA.4104@TK2MSFTNGP02.phx.gbl...

Guest David H. Lipman
Posted

From: "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com>

| I know that SAVCE and McAfee antivirus do not touch spyware/malware as noted in my post, but as I said, Trend's Internet Security 2008 software is supposed to block and/or clean it.

That's NOT entirely true.

McAfee can handle some spyware, but you must enable detection for "potentially unwanted programs" (aka PUPs).

Please see the attached JPEG of the file submitted to McAfee WebImmune.

Also attached is the McAfee EXTRA.DAT file for this detection.

Save the EXTRA.DAT in the same folder where you'll find the rest of the McAfee signature files: CLEAN.DAT, SCAN.DAT, etc.

{ NOTE: What is in EXTRA.DAT may already have been included in today's v5369 DAT files }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp

Guest The Real Truth MVP
Posted

You can read and believe what you want about me in these NGs; it has been going on for years. I am not the person they say I am, I am not the person they think I am. Anyone with any common sense would know that if everything they say were true I would not be here. The unbiased real truth about me and the quality of the tools I make can be found here. Check my feedback and see what others have said about me and my tools: http://pcbutts1-therealtruth.blogspot.com/ I also tell everyone who sends feedback or emails me directly not to comment in the NG because they will be ridiculed by the jealous others in this group. One more thing. They say I am a thief but they can't seem to find what they say I stole and post proof (because there is none), and nobody criticizes my tools because they work.

--
Cyberstalking is a crime. If you had one as bad as I did, simply ignoring them is not an option.

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in message news:epzQwToBJHA.3512@TK2MSFTNGP05.phx.gbl...

Guest Gregg Hill
Posted

Well, I do not care to get into the middle of your little urinating contest, and I have seen your posts as well as others in a Google search. I do not care to deal with people who cannot seem to carry on an intelligent debate without resorting to name calling and profanity, of which you and others are guilty.

Your own reactions make me question your integrity. My firewall UTM even flagged your URL as malware. Sorry, but I think I'll pass. I, too, wonder about back doors.

Gregg

"The Real Truth MVP" <toidi@tpap.com> wrote in message news:yzIsk.7817$np7.7445@flpi149.ffdc.sbc.com...

>>>>>> to get hit had Symantec Antivirus Corporate Edition 9.x on it, the

>>>>>> second had McAfee that came with the computer, the third has Dell's

>>>>>> Trend Micro PC-Cillin 2008. All three had the latest antivirus

>>>>>> definitions. I can see the SAVCE system and McAfee getting hit, as

>>>>>> neither blocks malware/spyware, but Trend PC-Cillin Internet Security

>>>>>> 2008 is supposed to block it.

>>>>>>

>>>>>> What is its attack vector?

>>>>>>

>>>>>> Does anyone know of consumer AV software that actually prevents this

>>>>>> thing from installing?

>>>>>>

>>>>>> Thank you!

>>>>>>

>>>>>> Gregg Hill

>>>>>>

>>>>>

>>>>

>>>>

>>></span>

>>

>></span>

> </span>

Guest Gregg Hill
Posted

Well, I have the laptop. It is XP Pro SP2 with all critical updates done and

"Trend Micro PC-cillin 12" from Dell is current. His account is in the

Administrators and Debugger Users groups.

 

Sun Java was 1.4.2_03, which I updated to latest.

 

In "Trend Micro PC-cillin 12" from Dell, all of the spyware categories were

checked except for Other.

 

Trend's URL filtering is enabled with predefined categories.

 

Trend realtime scan popped a warning about catching ADW_ZANGO.BK in

SeekmoUnInstaller.exe and ADW.SEEKMO in SeekmoSA.exe under C:\Program

Files\Seekmo folder structure. Action was Deny Access. On 8/7/8, it

quarantined TROJ_RENOS.ACG file named scui.cpl, which shows as one of

Antivirus 2009's files in Google searches.

 

A deeper look and multiple scans later with MBAM, etc, and it appears that

this laptop got "half hit" with Antivirus 2009. As far as I can tell, the

only file that made it onto the system is av2009.exe.

 

Anyway, it's clean now. Thank you for your input.

 

Gregg Hill

 

 

 

"John" <a> wrote in message news:ekgm$NtBJHA.2712@TK2MSFTNGP06.phx.gbl...<span style="color:blue">

> Are you saying this rogue AV infects fully patched PCs and users with no

> administrative permissions?

>

> "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote

> in message news:%23ihQfMiBJHA.2056@TK2MSFTNGP05.phx.gbl...<span style="color:green">

>> Hello!

>>

>> I just ran into my third new client with "Antivirus 2008" or "Antivirus

>> 2009" rogue malware infection on an XP computer. The first to get hit had

>> Symantec Antivirus Corporate Edition 9.x on it, the second had McAfee

>> that came with the computer, the third has Dell's Trend Micro PC-Cillin

>> 2008. All three had the latest antivirus definitions. I can see the SAVCE

>> system and McAfee getting hit, as neither blocks malware/spyware, but

>> Trend PC-Cillin Internet Security 2008 is supposed to block it.

>>

>> What is its attack vector?

>>

>> Does anyone know of consumer AV software that actually prevents this

>> thing from installing?

>>

>> Thank you!

>>

>> Gregg Hill

>></span>

>

> </span>

Guest John Eddy
Posted

On Aug 25, 5:56 pm, "The Real Truth MVP" <to...@tpap.com> wrote:<span style="color:blue">

> The unbiased real truth about me and

> the quality of the tools I make can be found here. Check my feedback and see

> what others have said about me and my tools. http://pcbutts1-therealtruth.blogspot.com/ I also tell everyone who sends

> feedback or emails me directly not to comment in the NG because they will be

> ridiculed by the jealous others in this group.</span>

 

If that was 100% unbiased, you'd allow dissenting opinion, such as

from me (John Eddy, former newsgroup administrator at MS), or even

give me the chance to reply to your ridiculous claims about my time at

Microsoft and your supposed influence on them.

Guest John
Posted

Thanks for taking the time to post an update.

 

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in

message news:%231GdAmyBJHA.3200@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> Well, I have the laptop. It is XP Pro SP2 with all critical updates done

> and "Trend Micro PC-cillin 12" from Dell is current. His account is in the

> Administrators and Debugger Users groups.

>

> Sun Java was 1.4.2_03, which I updated to latest.

>

> In "Trend Micro PC-cillin 12" from Dell, all of the spyware categories

> were checked except for Other.

>

> Trend's URL filtering is enabled with predefined categories.

>

> Trend realtime scan popped a warning about catching ADW_ZANGO.BK in

> SeekmoUnInstaller.exe and ADW.SEEKMO in SeekmoSA.exe under C:\Program

> Files\Seekmo folder structure. Action was Deny Access. On 8/7/8, it

> quarantined TROJ_RENOS.ACG file named scui.cpl, which shows as one of

> Antivirus 2009's files in Google searches.

>

> A deeper look and multiple scans later with MBAM, etc, and it appears that

> this laptop got "half hit" with Antivirus 2009. As far as I can tell, the

> only file that made it onto the system is av2009.exe.

>

> Anyway, it's clean now. Thank you for your input.

>

> Gregg Hill

>

>

>

> "John" <a> wrote in message news:ekgm$NtBJHA.2712@TK2MSFTNGP06.phx.gbl...<span style="color:green">

>> Are you saying this rogue AV infects fully patched PCs and users with no

>> administrative permissions?

>>

>> "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote

>> in message news:%23ihQfMiBJHA.2056@TK2MSFTNGP05.phx.gbl...<span style="color:darkred">

>>> Hello!

>>>

>>> I just ran into my third new client with "Antivirus 2008" or "Antivirus

>>> 2009" rogue malware infection on an XP computer. The first to get hit

>>> had Symantec Antivirus Corporate Edition 9.x on it, the second had

>>> McAfee that came with the computer, the third has Dell's Trend Micro

>>> PC-Cillin 2008. All three had the latest antivirus definitions. I can

>>> see the SAVCE system and McAfee getting hit, as neither blocks

>>> malware/spyware, but Trend PC-Cillin Internet Security 2008 is supposed

>>> to block it.

>>>

>>> What is its attack vector?

>>>

>>> Does anyone know of consumer AV software that actually prevents this

>>> thing from installing?

>>>

>>> Thank you!

>>>

>>> Gregg Hill

>>></span>

>>

>></span>

>

> </span>

Guest Gregg Hill
Posted

The last system I saw had been hit by Antivirus 2008 and was a pain to

clean. It even ran in Safe Mode, actively combating my efforts to kill its

processes.

 

I thought this type of thing was not supposed to run in Safe Mode. Go

figure.

 

Gregg Hill

 

 

"John" <a> wrote in message news:%235ZUJr5BJHA.4932@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> Thanks for taking the time to post an update.

>

> "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote

> in message news:%231GdAmyBJHA.3200@TK2MSFTNGP03.phx.gbl...<span style="color:green">

>> Well, I have the laptop. It is XP Pro SP2 with all critical updates done

>> and "Trend Micro PC-cillin 12" from Dell is current. His account is in

>> the Administrators and Debugger Users groups.

>>

>> Sun Java was 1.4.2_03, which I updated to latest.

>>

>> In "Trend Micro PC-cillin 12" from Dell, all of the spyware categories

>> were checked except for Other.

>>

>> Trend's URL filtering is enabled with predefined categories.

>>

>> Trend realtime scan popped a warning about catching ADW_ZANGO.BK in

>> SeekmoUnInstaller.exe and ADW.SEEKMO in SeekmoSA.exe under C:\Program

>> Files\Seekmo folder structure. Action was Deny Access. On 8/7/8, it

>> quarantined TROJ_RENOS.ACG file named scui.cpl, which shows as one of

>> Antivirus 2009's files in Google searches.

>>

>> A deeper look and multiple scans later with MBAM, etc, and it appears

>> that this laptop got "half hit" with Antivirus 2009. As far as I can

>> tell, the only file that made it onto the system is av2009.exe.

>>

>> Anyway, it's clean now. Thank you for your input.

>>

>> Gregg Hill

>>

>>

>>

>> "John" <a> wrote in message news:ekgm$NtBJHA.2712@TK2MSFTNGP06.phx.gbl...<span style="color:darkred">

>>> Are you saying this rogue AV infects fully patched PCs and users with

>>> no administrative permissions?

>>>

>>> "Gregg Hill" <greggmhill at please do not spam me at yahoo dot com>

>>> wrote in message news:%23ihQfMiBJHA.2056@TK2MSFTNGP05.phx.gbl...

>>>> Hello!

>>>>

>>>> I just ran into my third new client with "Antivirus 2008" or "Antivirus

>>>> 2009" rogue malware infection on an XP computer. The first to get hit

>>>> had Symantec Antivirus Corporate Edition 9.x on it, the second had

>>>> McAfee that came with the computer, the third has Dell's Trend Micro

>>>> PC-Cillin 2008. All three had the latest antivirus definitions. I can

>>>> see the SAVCE system and McAfee getting hit, as neither blocks

>>>> malware/spyware, but Trend PC-Cillin Internet Security 2008 is supposed

>>>> to block it.

>>>>

>>>> What is its attack vector?

>>>>

>>>> Does anyone know of consumer AV software that actually prevents this

>>>> thing from installing?

>>>>

>>>> Thank you!

>>>>

>>>> Gregg Hill

>>>>

>>>

>>></span>

>>

>></span>

>

> </span>

Guest John
Posted

There's a lot of malware that runs in safe mode these days. Vundo/Virtumundo

is one of them. I normally clean the infection first (if I have time). It

doesn't matter if the infection is partially or 100% removed, I'll always

follow it up with a nuke (format) a few days/weeks later. I feel safer

starting from scratch (format and reinstall OS).

 

Why bother cleaning it first? Well, that's just me. I like a challenge :-)

 

"Gregg Hill" <greggmhill at please do not spam me at yahoo dot com> wrote in

message news:OqCdjA6BJHA.3496@TK2MSFTNGP03.phx.gbl...<span style="color:blue">

> The last system I saw had been hit by Antivirus 2008 and was a pain to

> clean. It even ran in Safe Mode, actively combating my efforts to kill its

> processes.

>

> I thought this type of thing was not supposed to run in Safe Mode. Go

> figure.

>

> Gregg Hill

>

><span style="color:green">

>> </span></span>
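
Gregg and John both note that this rogue AV kept running in Safe Mode. As an added check that is not part of the thread and not any tool mentioned in it: Windows decides what loads in Safe Mode from the SafeBoot\Minimal and SafeBoot\Network registry keys, and malware that survives Safe Mode commonly registers itself there. The script below lists those entries and flags services whose binary sits outside %SystemRoot%; that "outside %SystemRoot%" rule is my own heuristic, not something the thread states.

```powershell
# Added example, not from the thread. Lists every service/driver registered to load in
# Safe Mode and flags those whose binary is outside %SystemRoot% (heuristic assumption).
$sysRoot     = $env:SystemRoot                      # usually C:\Windows (C:\WINDOWS on XP)
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-ImageFile([string]$imagePath) {
    # ImagePath may be quoted, prefixed with \??\, or carry arguments; keep the first token.
    $p = [Environment]::ExpandEnvironmentVariables($imagePath) -replace '^\\\?\?\\', ''
    if ($p -match '^"([^"]+)"') { return $Matches[1] }
    return ($p -split '\s+')[0]
}

foreach ($mode in 'Minimal', 'Network') {
    $safeBoot = "HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot\$mode"
    Write-Output "== SafeBoot\$mode =="
    Get-ChildItem -Path $safeBoot | ForEach-Object {
        $name = $_.PSChildName
        if ($name -like '{*}') { return }              # device setup class GUID, not a service
        $kind = (Get-ItemProperty -Path $_.PSPath).'(default)'
        if ($kind -eq 'Driver Group') { return }       # load-order group, not an individual service
        $svcKey = Join-Path $servicesKey $name
        if (-not (Test-Path $svcKey)) {
            Write-Output ("  {0,-28} (no matching service key)  <-- review" -f $name)
            return
        }
        $image = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        if (-not $image) { Write-Output ("  {0,-28} (no ImagePath)" -f $name); return }
        $file = Get-ImageFile $image
        # Relative paths (system32\drivers\x.sys, \SystemRoot\...) resolve under %SystemRoot%;
        # a full drive path that does not start with %SystemRoot% is the case worth a look.
        $outside = (($file -match '^[A-Za-z]:\\') -and (-not $file.StartsWith($sysRoot, [StringComparison]::OrdinalIgnoreCase)))
        $flag = if ($outside) { '<-- outside %SystemRoot%, review' } else { '' }
        Write-Output ("  {0,-28} {1} {2}" -f $name, $file, $flag)
    }
}
```

Run it from an elevated prompt on the suspect machine and compare the flagged lines against what you expect to be installed; a flagged entry is a lead to investigate, not proof of infection on its own.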

Guest David H. Lipman
Posted

From: "John" <a>

 

| There's a lot of malware that runs in safe mode these days. Vundo/Virtumundo

| is one of them. I normally clean the infection first (if I have time). It

| doesn't matter if the infection is partially or 100% removed, I'll always

| follow it up with a nuke (format) a few days/weeks later. I feel safer

| starting from scratch (format and reinstall OS).

 

| Why bother cleaning it first? Well, that's just me. I like a challenge :-)

 

Take it to the next level...

 

Install OS, update it, install Apps., apply settings and then image the PC using

Norton/Symantec Ghost, Acronis True Image, etc.

 

 

--

Dave

http://www.claymania.com/removal-trojan-adware.html

Multi-AV - http://www.pctipp.ch/downloads/dl/35905.asp
