Did you get the trojan?

After the initial post of the trojan, I ran a full virus check. I had Avast on my XP partition and it found a single copy of the trojan after scanning all my Windows drives. I had been in IE the day before to do updates. I was very perturbed that it did not block it in the first place. I then made the spot on the page a blocked element in Firefox. After reading that some with AVG got it as well, I went back to the newsletter this month and reviewed what Scot had written. As a result I downloaded Kaspersky Anti-Virus 6.0. I downloaded and installed it. Then I ran a scan of all my Windows partitions. I had just scanned an hour before and had all my network connections turned off. When it scanned it then found three copies of it on my Vista partition. I had been in Vista the day before and used IE7 - current version. I had CA's antivirus for Vista on that partition. Both CA and AVG were set to scan all partitions.

Thus, I am curious. Were there any antivirus programs that actually caught it immediately? Which ones failed to block it? Please share to help me make a decision about which to use next for my XP partition.

Thanks.


NOD32 would have nailed it... Saw a post yesterday from someone (can't remember who) who runs it and mentioned NOD32 caught it immediately.


Nod32 is out of consideration because I don't use Windows email programs. Scot indicated in the newsletter that they don't scan anything but Outlook and OE, neither of which I have on my computer. I prefer to use Poco, or of course, Evolution rather than Outlook or OE.

> Nod32 is out of consideration because I don't use Windows email programs. Scot indicated in the newsletter that they don't scan anything but Outlook and OE, neither of which I have on my computer. I prefer to use Poco, or of course, Evolution.

That's out of the context, Julia, this one has nothing to do with mail. It was transported through normal HTTP traffic; NOD32 would have nailed it immediately.

> After the initial post of the trojan, I ran a full virus check. I had Avast on my XP partition and it found a single copy of the trojan after scanning all my Windows drives. I had been in IE the day before to do updates. I was very perturbed that it did not block it in the first place. I then made the spot on the page a blocked element in Firefox.

So you were in Windows. So I answered your question.


No it is not out of context. I am looking for a good all-around antivirus program for my Windows partition. It must do my email as well as my web browsing. One without the other is useless. :)


Julia, do you know/remember the filenames that Avast caught? (I think that was my post you mentioned there :)).


I did not. Using Mozilla 1.7b.


Julia, I love this thread because, as you might imagine, I'm thinking the same way. What's more, our recent forums experience may have changed my recommendations.

But let me start out by saying that I was running F-Secure and Windows Defender. Windows Defender didn't catch it because F-Secure caught it first. In fact, F-Secure caught several different trojans and viruses in a string that all blatted out at once. I did find some leave-behind stuff here and there, including something that was masquerading as part of my Sun Java JRE installation. It installed a subfolder in there. I also just erased everything in every temp area. I didn't make a catalog of what was caught.

The products I used in total include: F-Secure Anti-Virus, Windows Defender Beta 2, Webroot Spy Sweeper, and Nod32. As much as I have issues with Nod32 -- and I do -- it is an excellent product in many ways. If I were running Outlook, I would be recommending it. One thing I would like to make sure is clear about Nod32: it *does* scan incoming mail on all email clients. That is the most important direction. It only scans outbound mail in Microsoft Outlook. If you use Eudora, as I do, you might want to think twice about Nod32.

Of the four security products, all found something except Windows Defender. I'm sure that if Windows Defender had been the only security product I was running, it would have found plenty. Windows Defender is the real-time anti-spyware monitoring product I prefer. And the reason for that is that it is excellent about co-existing with other security products. And its real-time scan doesn't nag you with a bunch of junk. It goes off when it needs to.

Nod32 is in many ways the antivirus counterpart to Windows Defender. It co-exists well with other products. Spy Sweeper 4.5 (the company just released 5.0, which I haven't tried yet) is the anti-spyware utility I put the most trust in.

So, given the level of Web-based threat we have on the forums right now, I switched to Spy Sweeper, but it wouldn't co-exist with F-Secure (which has both AV and anti-spyware functionality). So, because of that, I switched from F-Secure to Nod32. That is an excellent duo. And while outbound mail isn't scanned in my environment, I can live with that temporarily.

One of the things that this event may change in my AV coverage is that I may test these products running in conjunction with Spy Sweeper. They've all been tested with Windows Defender. Plus, I think it may be important to note this compatibility aspect.

I'm not a big fan of multifunction security products. Kaspersky 6 is like that. F-Secure has a higher-level Internet Security suite that's like that. I prefer to select security packages the way I select audio equipment -- by matching up components.

One thing I would definitely have to say: F-Secure Anti-Virus 2006 is a very good first line of defense product.

-- Scot


Somehow, I missed getting trojanized. Perhaps I logged off before the offense began... Due to projects & stuff, I've been browsing from work; I've been here a lot this week. I do use FF there too, and McAfee AV is running.


Julia: As far as I can tell AVG stopped it on my Win98SE system, using IE6 (as updated as it gets with Win98). I "reported" it on a different forum, where I was pretty sure Corrine would see it.

The symptoms I experienced are described in the first post at:
http://www.freedomlist.com/forum/viewtopic.php?t=27476

NOTE: AVG certainly detected it and found the html page in my Temporary Internet Files, but I'm not positive that it actually did all the "stopping". My IE security settings (even the "Trusted" zone) are set on extreme paranoia. My firewall (ZA Pro) has been tweaked extensively..... It could have been one of my other security settings that prevented the malware from downloading.


I'm scanning three computers because I don't remember which I may have used here on July 12th, with CounterSpy or MSAntispyware, AVG, The Cleaner and AdAware. So far two are clean, although AVG found an I-Worm/Sober.CF in my Pocomail. Since I haven't downloaded mail in at least a year, that must have lain dormant in there. I use FF to browse and did not get any warnings like Pete! noted.


The funny thing is I have Windows Defender running and it did not catch anything. B) I run that and was running Avast and Ewido. Ewido caught the first one and called it Win32:rpcnet trojan dialer. When I used Kaspersky and ran it all I got was a generic trojan dialer. It said it was used for DoS attacks and redirects. Avast was set to scan all three Windows partitions and caught just the one on a manual scan. CA was used in Vista and it did not find anything. Then Kaspersky found the remaining three that happened when I had booted into Vista. I believe my Linux was clean, but I had some home partition problems and was reinstalling anyway so I cannot check there.

In searching my email history I found this one:

arcturus has just posted a reply to a topic that you have subscribed to titled ">>> Important message !! <<<".
----------------------------------------------------------------------
I'm nursing my wounds on this too. All **** broke loose going to the forum and have spent the better part of a day trying to delete trojans that AVG didn't pick up. An online scan from BitDefender picked up no less than 16 infections directly related to this security breach and I couldn't use TrendMicro's online scanner ... any attempt to go to their website *still* results in a redirect to microsoft.com ... in both IE AND Firefox. Spybot picked up a half dozen too. Ultimately I'll restore an image made with Acronis just a week ago as it's the only way to be sure. This has been both a learning experience and a major PIA that I'm sure Scot is going to hear a lot more about.
----------------------------------------------------------------------

I felt one of the best ways to learn from this was to see what folks were using, what worked, what required a manual scan and what failed. With the last newsletter, it is even more timely. I went back and looked at what Scot had written as I searched for and decided upon a new antivirus for XP. Since I use Poco for my email in Windows I wanted something that scanned both in and out for XP. I had been running Ewido for about a week when this hit and was up to date on Avast and Windows Defender, but I see a new version update today that is downloading now.


Hi Julia,

I assume that you are not looking for a free AV necessarily. I am using KAV6 with LnS firewall. Newegg has KAV6 for $24.99 if you are interested. That makes it a good price.
http://www.newegg.com/Product/Product.asp?...82E1681370459SF

You can get a 6-month trial of F-Secure as a Windows user. I am trying it on my laptop. There are other extended trials shown also.
http://www.microsoft.com/athome/security/v...us/default.mspx

There is a beta of Avira that is getting some good reports on Wilders.
http://www.wilderssecurity.com/showthread.php?t=133741

I probably have not helped to answer your question, but wanted to provide some sites where some excellent AVs are available for your trials.

Edited to correct the Newegg address.

Best,
Jerry


Thanks Jerry. I am using KAV6 right now on a 30-day trial. It says I have 29 days left. I happen to have F-Secure downloaded and sitting waiting to try it next. At the moment I am not real keen on trying another beta. B) My Vista partition is all beta software. B) I will keep that one in mind too. I figure once my 30 days are up I will try F-Secure and then continue on with what else I can find. I will need to upgrade hubby's computer as well soon. He is running AVG but does not need it a lot playing solitaire. :thumbsdown: He does have his Pocomail and Firefox though. :) The six-month trial is a good one. I will have to check that out before I install that one.


Nod32 stopped it in its tracks here - can't recommend it enough. I don't know much about the email scanning abilities, but I know if an infected email came in and it tried to do anything, Nod32 is gonna catch it right away.


Hi Scot,

I have been using SuperAntiSpyware for several weeks, and in fact like it so well that I have a lifetime license for both computers. I have always found issues with Spysweeper, and I found Counterspy so heavy that I removed it also. Consider a trial of SAS. The support is superb. Don't let the name turn you off. B)
http://www.superantispyware.com/
http://forums.superantispyware.com/index.php
SAS has run without conflicts on both my computers.

Julia,

I would like to buy the Newegg KAV6 since I like it so well on my desktop, but I am too cheap to give up 5 months of free F-Secure, which is an excellent AV. It also runs well with my other applications: Ewido, Win Patrol, LooknStop, SuperAntiSpyware, UnHackMe, Spyware Guard and Snoopfree. My only concern with F-Secure is that it does not update as frequently as some others such as KAV. It does update daily, except on weekends, and more often if an outbreak occurs. It scans much slower than KAV.

Just some additional information FWIW.

Regards,
Jerry


I've been on the Internet at home since '92 (at work since '85) and computing since '82 at home. This is the first time I have had anything. I figure if my track record holds true it will be a long time before I experience anything like this again. That is why I felt it was important to find out what really worked for folks. Nothing like an actual threat to compare antivirus programs. :D

> AVG's Resident Shield picked it up right away for me :D

Same here. I captured the screen and sent it to Scot, who actually replied to me. I then did a scan to check and found a couple of .zip files in my Java directory which I deleted, and all seems clean now. A learning experience. It definitely would be a severe problem for non-skilled users who use the forum.

Rich


Hi Julia,

I too use Poco Mail on my WinXP partition, and despite Scot's reservations expressed in the newsletter, dl'd & tried Nod32 when my subscription to Norton expired (I grew disgusted with that suite). While the interface could be better, it's a very effective AV program.

I too was logged on during the recent attack here. Nod32 popped up and caught the attack every time it tried to hit me. Nothing got through to my HD.

And, yes, Nod32 scans all my incoming email on its way to PocoMail. While it's true it doesn't scan outgoing, I'm not in the same position as Scot. I figure if nothing dirty gets in via email, I'm not using any MS email program and thus have no MS-aware address book, and my HDs are clean, I don't have to scan outgoing email.

Just my tuppence, but you could do worse than Nod32 to protect PocoMail.

Mark


I happened to be test driving my new installation of Xandros 4 with the firewall and AV running and didn't get hit. I've since scanned Linux and Windows with NOD32 and both are clean.

> I "reported" it on a different forum, where I was pretty sure Corrine would see it.

You're right too. That was the first indication I had that there was a problem. Based on your experience and our long association, I had no doubts that action needed to be taken quickly.

For myself, I was thinking that it was the combination of Firefox and Sunbelt's Kerio that did the trick. However, in reading this thread I got thinking (I know, scary :D ). Because it is *silent*, I forget that I have a licensed version of SpyBlocker. I checked the log for the time I saw Pete's report and opened a tab here. This is what I discovered:

NOTE: Virus/Worm Detected. The actual virus contents have been suppressed to avoid Anti-Virus programs from alerting you with False Positives.
Logged Entry Wednesday, Jul 12 2006 at 06:52:10 PM
Remote Port: 34805
Local Port: 80
Host: 69.42.90.4
[PORT SCAN][BLOCKED]

And this is what Kerio removed:

[12/Jul/2006 18:48:28] "Web" method = 'GET', url = 'zdfttygzjm.biz/dl/adv596.php', subj = 'referer', value = 'http://forums.scotsnewsletter.com/index.php?act=idx', action = 'removed'

So my A/V software never came into play.

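The Kerio entry Corrine posted is a compact record of exactly the thing worth hunting for after an incident like this: a request that a trusted forum page *caused* (the referer) going off to a domain the page has no business loading. The script below is an added example, not Corrine's tooling and not anything shipped by Kerio or Sunbelt. It parses lines in the "Web" filter format quoted above and flags cross-site requests triggered by a trusted page. Everything beyond that one log line is an assumption made for the example: the allowlist of expected domains, the two extra contrast lines and their 'allowed' action value (the thread only shows 'removed'), and the two-label shortcut for the registered domain.

```python
import re
from datetime import datetime
from urllib.parse import urlsplit

# Pages whose requests we audit: a request whose referer is one of these
# hosts was caused by a page we trust, so its destination had better be expected.
TRUSTED_REFERER_HOSTS = {"forums.scotsnewsletter.com"}

# Registered domains a forum page is expected to load content from.
# ASSUMPTION for this example; a real baseline comes from your own normal traffic.
ALLOWED_DOMAINS = {"scotsnewsletter.com", "google-analytics.com"}

# Constructed sample log. Line 2 is the entry quoted in the thread; lines 1 and 3
# are made up here for contrast, and their 'allowed' action value is assumed.
SAMPLE_LOG = """\
[12/Jul/2006 18:48:10] "Web" method = 'GET', url = 'forums.scotsnewsletter.com/style_images/1/logo.gif', subj = 'referer', value = 'http://forums.scotsnewsletter.com/index.php?act=idx', action = 'allowed'
[12/Jul/2006 18:48:28] "Web" method = 'GET', url = 'zdfttygzjm.biz/dl/adv596.php', subj = 'referer', value = 'http://forums.scotsnewsletter.com/index.php?act=idx', action = 'removed'
[12/Jul/2006 18:49:02] "Web" method = 'GET', url = 'www.google-analytics.com/urchin.js', subj = 'referer', value = 'http://forums.scotsnewsletter.com/index.php?act=idx', action = 'allowed'
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \"Web\" method = '(?P<method>[A-Z]+)', "
    r"url = '(?P<url>[^']*)', subj = '(?P<subj>[^']*)', "
    r"value = '(?P<value>[^']*)', action = '(?P<action>[^']*)'$"
)


def parse_line(line):
    """Parse one Kerio 'Web' filter line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y %H:%M:%S")
    # The url field carries no scheme; prefix '//' so urlsplit sees a host.
    e["host"] = (urlsplit("//" + e["url"]).hostname or "").lower()
    e["referer_host"] = ""
    if e["subj"] == "referer":
        e["referer_host"] = (urlsplit(e["value"]).hostname or "").lower()
    return e


def registered_domain(host):
    """Last two labels. Fine for .biz/.com; use the public suffix list for co.uk etc."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def looks_random(label):
    """Crude DGA-style heuristic: a long label with almost no vowels."""
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.2


def suspicious_reasons(entry):
    """Return the reasons an entry deserves a look (empty list means benign)."""
    reasons = []
    if entry["referer_host"] not in TRUSTED_REFERER_HOSTS:
        return reasons  # only requests triggered by a trusted page are audited
    domain = registered_domain(entry["host"])
    if domain not in ALLOWED_DOMAINS:
        reasons.append("third-party")
        if looks_random(domain.split(".")[0]):
            reasons.append("random-looking")
    if entry["action"] == "removed":
        reasons.append("filter-removed")
    return reasons


def scan(log_text):
    """Return flagged entries, each with a 'reasons' list attached."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = suspicious_reasons(entry)
        if reasons:
            entry["reasons"] = reasons
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for e in scan(SAMPLE_LOG):
        print(e["ts"], e["host"], e["url"], ", ".join(e["reasons"]))
```

Point it at a saved firewall log instead of SAMPLE_LOG to triage a whole browsing session. Two caveats: the vowel heuristic only catches names like the one above and will miss throwaway domains built from dictionary words, and the referer is supplied by the browser, so it can be absent or forged; treat the output as a triage aid, not as proof of where a request came from.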

When I saw the title of this thread I had no idea what had happened. I was not aware that the forum had been attacked. I guess that was the situation. When and how did it take place? I was not on when it happened.

Corrine, what version of Kerio are you using? I doubt it is 2.1.5, which I use on my laptop.

Thanks,
Jerry


I think I said this earlier in this thread? I'm actually running Spy Sweeper and Nod32 right now. I like Nod32 a lot as well. I'm just frustrated with the Microsoft-only orientation of the company. Having tested all the AV products I intend to test -- including the latest BitDefender in RC1 form -- I can tell you that Nod32 has the lowest system overhead, and I trust its ability to defend computers as much as I do Kaspersky, which is arguably the most effective.

In terms of protection, Kaspersky, Nod32, and BitDefender are all excellent. F-Secure is right up there. AVG is at the top of the next tier.

In terms of system overhead and compatibility, Nod32 is best, followed by AVG. F-Secure AntiVirus is a distant third, as a sort of C- average. Kaspersky 6 is well down the list there. BitDefender AV in the 9.x version was pretty darn good here, but I can't really tell with the BD10 betas since the only available package has more stuff in it than Norton Internet Security. (It manages the Swiss Army Knife thing much better than Norton, McAfee, etc. But that approach isn't for me.)

In terms of UI, which is probably not the most important thing with this product category -- except that if people don't understand the product, they may make themselves either miserable or vulnerable: BitDefender is the best. F-Secure comes in a close second. AVG comes in third, even though the UI is very dated and somewhat annoying graphically. Kaspersky is the most modern, but the UI still needs major help -- it looks cool, but needs another overhaul for process and usability.

So there are other factors too, but when you tote this up, you can see why even though I have eliminated Nod32 because of the way it works with Eudora, it's got to be high on the list for anyone using another email package. If you're using Outlook (not Outlook Express), it's a slam dunk, IMO. And notice, I keep writing about it. I keep writing about it because I honestly do like many things about it. And I intend to keep it around as a secondary tool for outbreak periods.

Eset has promised me that they will add outgoing mail scanning for non-Outlook email packages. That isn't going to happen with the Nod32 3.0 release -- which is a major UI overhaul. But possibly for a release in the 3.x timeframe. I will very definitely be looking at 3.0 and may adopt it when Eset adds better mail scanning.

Off topic, but for those of you who use Poco, are you relying on Poco's antispam? What antispam software are you using?

Finally ...

> And this is what Kerio removed:
> [12/Jul/2006 18:48:28] "Web" method = 'GET', url = 'zdfttygzjm.biz/dl/adv596.php', subj = 'referer', value = 'http://forums.scotsnewsletter.com/index.php?act=idx', action = 'removed'
> So my A/V software never came into play.

Corrine, I'm impressed that Kerio caught that. I doubt many other firewalls did. Maybe I should look at that product again.

-- Scot


I'm using Sunbelt's Kerio Personal Firewall 4.

> I'm using Sunbelt's Kerio Personal Firewall 4.

Thanks for the reply.

Best,
Jerry

> When I saw the title of this thread I had no idea what had happened. I was not aware that the forum had been attacked. I guess that was the situation. When and how did it take place? I was not on when it happened.

Me too, except that I **was** on when it happened. I saw Scot's "indisposed" message and hit other times when the forum was down, and also used the forum around those times when it was up. Another oddity was that my Windows XP had recently been reinstalled, and most of my usual protective programs had not yet been installed. I was running on Norton AV and the built-in firewall in Windows XP. Maybe also ZoneAlarm (free) and Teatimer in Spybot S&D. None of these saw anything, my computer seems normal, and as I download and scan with more protective programs nothing turns up. Does God protect fools? Or can I ascribe this (as I usually do when blind luck favors me) to "skill and clean living"? If there is a serious point to this post, it is the great variability which attends these things. Perhaps also there is a moral about the impossibility of selecting protective programs on an entirely rational and objective basis, though it's certainly worth doing as much as one can in that line.


Thanks Corrine. I am currently (as of today) running Kaspersky, Kerio, Spybot, Ewido.... I hope it is another 20 years before I find another bug like this. :whistling:
