A Beef About Panda Active Scan & T. M. House Call


8 replies to this topic

#1 Wink

Wink

  • Members
  • 47 posts

Posted 31 December 2005 - 09:46 AM

Hello,
I am not very happy with Panda's free scan. 2 days ago I ran a scan and it came up with:

adware/Navipromo not disinfected C\WINDOWS\system32\apqzkxgfmd.exe
adware/Navipromo not disinfected C\WINDOWS\system32\aylhngezj.exe
adware/Navipromo not disinfected C\WINDOWS\system32\nwdjtsfpv.exe
adware/Navipromo not disinfected C\WINDOWS\system32\nxwhsfqp.exe


I Googled all the .exe files and found nothing about them. Since I did not want Navipromo on my computer I deleted the .exe files, with no ill effects to my computer. I did notice that these files were created about the same time I ran the scan, and none of my other scanners that I had run before had found them at all.
Being suspicious, I ran another scan with Panda at 6:00 this morning after running Ad-Aware SE and SpyBot just before, with no results. Panda found:

adware/Navipomo not disinfected C\WINDOWS\system32\lvupohksfe.exe


I went to the file and guess what! It was created on 31-12-05 at 6:02AM, size 233KB. I Googled this .exe file, no results. I do not think I will put much faith in Panda's Active Scan anymore; they seem to be putting Bleep into my computer and I do not like it at all.
For a check up I ran Trend Micro's House Call. It found, I presume it is a trojan, "Troj_SE.60717". House Call cleans it, but when I go back and run another scan House Call finds it again. I have searched the internet to find more information on this trojan, no references to it at all. I ran every scanner I have and no results. I even e-mailed Trend Micro support to get more information, no response yet.
I am quite disappointed with both of these programs, especially when people count on them for a second opinion to keep their computers clean, these false readings, if that is what they are, are no help at all.
HAPPY NEW YEAR
Wink


#2 Jesse Bassett

Jesse Bassett

  • Members
  • 418 posts
  • Location:Rosemount, MINN.

Posted 31 December 2005 - 01:20 PM

Thanks for the warning, Wink!
Windows XP Media Center Edition 2005 l McAfee Total Protection l Super AntiSpyware Free Edition l AdAware SE Personal l Spyware Blaster l Spyware Guard l Safe Eyes 2007

#3 Scarlett

Scarlett

    Bleeping Diva


  • Members
  • 7,479 posts
  • Gender:Female
  • Location:As always I'm beside myself ;)

Posted 10 February 2006 - 07:03 AM

Just curious Wink, did you ever hear anything from Trend Micro?

#4 Wink

Wink
  • Topic Starter

  • Members
  • 47 posts

Posted 26 February 2006 - 10:38 AM

Hi Scarlett,
Sorry I did not respond earlier, I missed your post. NO, Trend Micro has not responded to date about that so-called Trojan it keeps finding, and I still have not found any references to it anywhere on the net. I am really disappointed with both Trend Micro's Housecall and Panda's Active Scan. I will not use either program now, unless it is a matter of the last resort.
After running a few more scans with Panda, I really can not trust what it is finding, at least in the adware part of the scan. If anyone runs a scan and finds adware, check to see when the files it finds are created. On my system, they are put there the same time Active Scan downloads their updates at the start of the scan. By the way, Panda has never found any Trojans on my system, even though House Call finds one every time.
In case you are wondering, I always scan my system with Ad-Aware SE, Spybot Search&Destroy and A-Squared before I run either of these online programs. I also have Tea Timer, Spyware Guard, WinPatrol, and Microsoft AntiSpyware running all the time. Just call me paranoid, but I have had a lot of trouble with all types of BLEEP! on my computer in the past.
Have a great day,
Wink :thumbsup:

#5 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 26 February 2006 - 09:04 PM

Hi Wink,

"I am quite disappointed with both of these programs, especially when people count on them for a second opinion to keep their computers clean, these false readings, if that is what they are, are no help at all."

I believe you've misinterpreted what the scanners are telling you. Looks to me like you have a trojan on your system that they can't clean. First, Panda only cleans up viruses and trojans but won't clean spyware/adware, which is what that infection it found is. Housecall would clean it if it could. But for several different technical reasons it can't. Neither can the other programs you mentioned. Both scanners are telling you they've found something they are unable to clean and extraordinary measures are required to deal with it.

What I know about that particular infection is that it could be root kit based, meaning it has successfully hidden from scanners and you won't be able to see it in Windows Explorer. Not those files you've already deleted, but other key files and registry entries. It also can download files while you have your browser open--so Panda didn't put those files on your system. You have to have Internet Explorer to run ActiveScan, so your browser is open communicating thru port 80. There is a way this infection can download more files thru port 80, so that is how it can get past your firewall and have a creation date coincidental to when you ran Panda.

I would strongly advise you to post a HijackThis log. http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/

Don't let the trojan trick you into mistrusting the good guys. We use Panda to detect threats other scanners don't, even HijackThis. But posting a log will get the "extraordinary measures" process started. And because these infections change what they do almost daily we need as much information as we can get. The devil is in the details. :thumbsup:

I also advise you not to fall into the trap of thinking that even the best of scanners and protection programs are going to clean you spic and span. These malware writers are very clever. Their income is at stake.

Also false positives are to be expected. Some antivirus are worse than others about that, but I don't think what Panda and Housecall found are.

If you're still in doubt run an even better online scanner. But be advised that it detects only and doesn't clean.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson
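
Added example, not part of any poster's message: one way to record a flagged file's SHA-256, size and creation time before deleting it, so the file can still be identified or submitted to a vendor when its random-looking name returns no search results. The function names and the 10-minute window are assumptions made for this illustration; the report line is the shape pasted in the first post.

```python
import hashlib
import os
import re
from datetime import datetime, timedelta

# Report line shape as pasted in this thread: "<detection> not disinfected <path>"
REPORT_LINE = re.compile(r"^(?P<name>\S+)\s+not disinfected\s+(?P<path>.+)$")


def parse_report(lines):
    """Return (detection, path) pairs from pasted scanner report lines."""
    found = []
    for line in lines:
        m = REPORT_LINE.match(line.strip())
        if m:
            # The pasted paths lost their drive colon ("C\WINDOWS"); restore it.
            path = re.sub(r"^([A-Za-z])\\", r"\1:\\", m.group("path").strip())
            found.append((m.group("name"), path))
    return found


def record_evidence(path, scan_start, window=timedelta(minutes=10)):
    """Hash and timestamp one flagged file so it can be identified after removal."""
    st = os.stat(path)
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            sha256.update(chunk)
    # Creation time: st_birthtime where the platform exposes it; st_ctime is the
    # creation time on Windows but the inode-change time on Linux.
    created = datetime.fromtimestamp(getattr(st, "st_birthtime", st.st_ctime))
    return {
        "path": path,
        "size": st.st_size,
        "sha256": sha256.hexdigest(),
        "created": created,
        "created_near_scan": abs(created - scan_start) <= window,
    }


if __name__ == "__main__":
    # One report line as quoted in the first post; the scan time is constructed.
    line = r"adware/Navipromo not disinfected C\WINDOWS\system32\apqzkxgfmd.exe"
    for name, path in parse_report([line]):
        if os.path.exists(path):
            print(name, record_evidence(path, datetime(2005, 12, 31, 6, 0)))
        else:
            print(name, path, "(file not present)")
```

The `created_near_scan` flag only records the coincidence in timing; it does not say which program wrote the file.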


#6 Wink

Wink
  • Topic Starter

  • Members
  • 47 posts

Posted 27 February 2006 - 11:06 PM

Hello Papakid,
Thank you for your response, I ran the scan that you mentioned, here it is:
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Monday, February 27, 2006 15:00:00
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 27/02/2006
Kaspersky Anti-Virus database records: 179070
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 123229
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 5960 sec
No malware has been detected. The sections that have been scanned are CLEAN.

Scan process completed.

Could you tell me what the file that T.M. Housecall found Troj_SE.60717 is? If it is a Trojan in my computer I want it out, but if I can not find any information on it, that is quite impossible, wouldn't you agree?
As for Panda adware findings, if you google any of the .exe files it says it found, this post at BC comes up and nothing else. I find that highly unusual. The fix available at Symantec Security Response for adware navipromo, which is part of adware.Slagent, mentions none of the above .exe files, I also find that very strange. Which leads me to believe that Panda is putting these files there itself, considering they are created at the same time I start the scan.
Well that is my story and I am stickin' to it, have a good evening,
Wink

#7 Wink

Wink
  • Topic Starter

  • Members
  • 47 posts

Posted 26 March 2006 - 10:22 AM

Hello,
Just to update, I did a HiJack This Log, and it was clean except for a line I was going to remove anyway (O1 - Hosts: 127.98.9.2 mail@sasktel.net.b9), that is a local address. In the process I had to run another Housecall scan, and it found several “Greyware” files, even after I ran every scanner I own, and then some just before, they all came up clean. Housecall found:
Trak_SE.781
Trak_Se.10340
Trak_SE.10419
BHJK_SE.55295
Trak_SE.68189
Trak_SE.68190
Troj_SE.60717
Troj_SE.112842
Troj_SE.112844
Troj_SE.112845
Troj_SE.112846
You can not find out what these files are, anywhere, not even at Trend Micro. So I tried Trend Micro’s support to get more information on these files on March 5, and they responded this time, right away. They asked me, "We like to know if the files described below are pertinent to the operation of the system," and gave me a Web site to look up the files I listed.
The response I made to them was, how should I know, I have no idea what these files are, where they are or when they were put on my computer, but there seems to be no problems so far. I went to the Web site at Trend Micro and there are only 5 Greyware listed, and none of them are the ones I listed that Housecall found, not even close, and these are Trend Micro’s pattern files, any search for them brings you back to Trend Micro. I then asked them to tell me exactly what files I was removing, if I let Housecall delete these files. It has been two weeks now and I have not heard from them since. I am still hoping they will get back to me.
I find it rather disturbing that these files are not listed anywhere. For any trojan, worm, or spyware I found on my system, there is usually a wealth of information on them, on the Net or elsewhere, including fixes, exactly what files or programs need to be removed, and what has to be deleted from the registry. You can, a lot of times, find information on false positive readings too, but only if you have the exact file you are looking for. Not so with Housecall, at least in their spyware/greyware listings. Myself, I kind of like to know what is being added or deleted from my computer.
Have a great day,
Wink :thumbsup:

#8 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,522 posts
  • Gender:Male

Posted 26 March 2006 - 01:38 PM

Hey Wink,

Sorry I didn't answer your previous post--maybe I can get to it in a bit. In regard to what you're asking about now, best I can tell what is being flagged could be definition files from some other security application, possibly even Housecall's own.

As you and SifuMike have pointed out, you can't really get any information about any of them since TM doesn't include the file name and location. Troj_SE60717, for example, is probably TM's own name for what has been detected, not the file name itself.

I would think the reason you don't get any information on Troj_SE60717 and the others on TM's site (or anywhere else for that matter) is because there is simply way too much malware out there to study enough to do a write up on each one. Have a look at this article:
http://www.viruslist.com/en/analysis?pubid=178949694

By the end of the year, Kaspersky Lab analysts were detecting, on average, 6368 malicious programs per month. This is a rise of 117% over 2005 as a whole, and exceeds last year's figures by 24%. This increase highlights the continuing increase in the demand for malicious code.


That's just one guess and there are other things to consider. I'll try to get more into this later, but for now I would like for you to try a little experiment or answer me this question.

When you ran Housecall, did you have AVG's real time protection enabled and running? If not try it again and turn AVG off only during the scan. If you still get any of those detections let me know.

The fate of all mankind, I see

Is in the hands of fools

--King Crimson


#9 Wink

Wink
  • Topic Starter

  • Members
  • 47 posts

Posted 26 March 2006 - 10:37 PM

Hi PapaKid,
Glad to hear from you, thank you for the web site, very interesting reading. I realized that there was a lot of malware out there, but I had no idea it was growing in numbers so fast, very scary indeed! Just looking at the hundreds of HiJack This logs being read a week, just on this site alone, shows what a serious problem it is. By the way I must give a big hand to the volunteers here at BC, they do a wonderful job, and save a lot of grief to computer owners all over the world :thumbsup: :flowers: THANKS A LOT.
In a way, these HiJack This logs make my point: if the HJT team did not have actual files to work with, they would not be much help at all. What could they do? What files would they delete or fix?
Anyway I will run one last scan with Housecall with AVG turned off, just to see what happens. It might be a day or two, spring has sprung and I have to go back to work.
Have a good one,
Wink



