
Everything posted by fatdcuk

  1. No, it is not a SAS file, as SAS uses set names for its files and not randomized naming.
  2. "SAS will handle it": Well, just to balance the coin a bit, it's not a straightforward *yes* answer, and I speak from personal experience whilst testing SAS and later uploading new malware to SAS HQ. It's more of a "high chance" it's got it covered. New variants of these fraudwares are being distributed/created 24/7. SAS has a very high success rate against them because it is updated so quickly to deal with new variants as they emerge. It updates a lot quicker than most of its rival ASW, AT's and AV's, and this accounts for its high probability of success. But this also must be measured: as with all signature-based defenders, there is a 0 hour/0 day when the *new* malicious code is not known to them, at which point, unless they have a special heuristic detection rule for that particular genre of malicious code, it will bypass the realtime defence. HTH :)
  3. The free version is a fully functioning detection and removal engine (it is the same as what is in the Pro version). No purchase is required for SAS to be used as a botkiller for cleaning up infected computers. Purchase is only required if you want the benefits of realtime protection given by SAS Pro. As far as Virtumonde/Vundo infection goes, SAS has a very high success rate versus this family of malware, so it is always worth a throw of the dice versus them.
  4. No worries. When you first run Autoruns after the EULA (install consent) screen, the tool automatically scans. You will see this as the data list builds, and the scan is completed when "Ready" appears in the bottom left of the Autoruns window. HTH
  5. Ok then, here are 2 of my principal diagnostic tools of choice when checking customers' PCs after cleaning with the botkillers. Download a copy of Autoruns: http://technet.microsoft.com/en-us/sysi ... 63902.aspx Run a scan, but then after it completes click Options. Check both "verify code signatures" and "hide signed microsoft entries". This will make the output list a lot shorter. Now press F5 to rerun the scan with the new settings. When this completes, click the File tab then select "Export as" and save the log (autoruns.txt) to your desktop. Copy and paste the contents of autoruns.txt to your next post. Download RootkitUnhooker >>> http://rapidshare.com/files/140970549/R ... 3.rar.html Run a full scan and save the log at the end. Copy and paste the contents of the logfile to your next post :)
  6. Well, a couple of things there: xpantivirus is a known fake alert infection; it sometimes travels alone and other times is accompanied by various other malware. The source and age of the infection will determine its active malware content. As far as "trojan unclassified k series" goes, I'm not sure which bot that is by SAS labelling, so I don't know what its capabilities/functions are etc. Anyhow, would you like me to get you to run a couple of diagnostic tools and review the output data?
  7. Well, taking into account that they all miss stuff, this is not surprising... it's swings and roundabouts as to who comes out on top on any given day/infection etc. That said, don't be fooled by the numbers game at play with detections by software. For example, Brand X could detect 100 items of an infection... folders/files/reg keys/registry values and so on. Brand Y only detects 10 items. Yet both kill the active infection. As long as the active content of the infection (EXEs, DLLs, sys files etc.) is removed, the rest are not crucial removals per se, as they do absolutely nothing. They are often referred to as *orphaned* values and represent no risk. As far as what software I use personally: owing to my experience and knowledge of 'puters, I run no resident AV and only have SAS Pro installed for testing purposes. I spend a lot of my hobby time intentionally infecting my PC in order to gather new malware and infections and hone my clean-up skillz. But if you would like my neutral opinion on which to buy, then in all honesty PCtools has just been bought out by Symantec and most of the security sphere know that it will get trashed like so many of their other acquisitions. Go for SAS PRO
  8. Ok Chet, in the balance of things it's probably a F/P, so if you could restore it and use the in-software "report false positive" function, then hopefully SAS HQ will load it into IDA (or whatever they're using) and sort it out from there.
  9. Anyone with experience dealing with live malware infections will resoundingly reply that it is not a foregone conclusion that all is clear. It probably is, but there is always that chance it is not. Although SAS and Avira have very high detection rates in their respective fields, it would still take the use of advanced diagnostic tools in order to definitely sound the all clear after an infection has been removed.
  10. Straight answer: no one product detects & removes everything on any given day, but that is a well-known fact amongst more tech-savvy users. As to which one to purchase, it all boils down to experience and opinion.
  11. You can't, unless of course you are familiar with the use of diagnostic tools and malware infections in general, hence why I as a third party was hoping to assist you in checking. Unfortunately, until I have the requested data from the first post, I cannot proceed.
  12. It depends on what you call personal information... the log output will pretty much tell the trained analyst what software is set to load etc. It also shows what else is loading... in your case possibly malware. It is a diagnostic tool, and a very good one at that, produced by a M$ employee. I hope this allays your concerns :)
  13. Ok, what were the flags and by whom at VirusTotal? Back to your question: it is possible that a new malware has a target string in common with an old file, and hence why out of the blue it becomes flagged by a file-sniffing software. Although another possibility is that the file has become infected/patched by a malware process/code. Either way, it can be determined with a little extra digging.
  14. Hi and welcome to the SAS forums. If I can request some more data from you, then I will probably be able to assist you in finishing the cleanup of your PC. 1) What is the filename and location of the file that Nod32 is flagging? e.g. C/Windows/System32/name.exe 2) Ignoring the cookies, what are the file names & locations of the SS detections? If any are registry values, then what is their location? 3) Download a copy of Autoruns: http://technet.microsoft.com/en-us/sysi ... 63902.aspx Run a scan, but then after it completes click Options. Check both "verify code signatures" and "hide signed microsoft entries". This will make the list a lot shorter. Now press F5 to rerun the scan with the new settings. When this completes, click the File tab then select "Export as" and save the log (autoruns.txt) to your desktop. Copy and paste the contents of autoruns.txt to your next post and I will review the output data of it :)
  15. Well, it is possible in all theories, but as with most *suspect* detections there are steps that can assist in deciding whether it is a F/P. First restore the file from the quarantine feature of SAS. Next up, upload it to the VirusTotal service for 36 second opinions: http://www.virustotal.com/ If no one else is flagging the file, then there is a much higher probability that it is a false positive. If a F/P is suspected at this point, then rescan with SAS and at the end when it flags the file... select *report FalsePositive* on that file. HTH
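The Autoruns workflow in posts 5 and 14 (verify code signatures, hide signed Microsoft entries, export what is left) and the hash-based VirusTotal second opinion in post 15 can be approximated with a short PowerShell script, shown here as an added example; it is not code from the forum posts, from SUPERAntiSpyware or from Sysinternals. It assumes Windows PowerShell 3.0 or later, covers only the Run/RunOnce keys and the two Startup folders (Autoruns inspects many more locations), and the output file name autostart-review.csv is an assumption.

```powershell
# Added example (not from the forum posts): approximate the Autoruns steps
# "verify code signatures" + "hide signed microsoft entries", then hash the
# remaining binaries so they can be looked up on VirusTotal by SHA256.
# Assumes Windows PowerShell 3.0+; output file name is an assumption.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Pull the executable path out of a Run-key command line, e.g.
#   "C:\Program Files\Foo\foo.exe" /silent   or   C:\foo\foo.exe /silent
function Get-ExecutablePath {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return '' }
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 1) { return $cmd.Substring(1, $end - 1) }
    }
    $m = [regex]::Match($cmd, '^(.+?\.(exe|dll|cmd|bat|vbs|js))\b', 'IgnoreCase')
    if ($m.Success) { return $m.Groups[1].Value }
    return $cmd.Split(' ')[0]
}

$entries = @()

# Registry autostart values
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
        $entries += [pscustomobject]@{
            Location = $key
            Name     = $prop.Name
            Path     = Get-ExecutablePath $prop.Value
        }
    }
}

# Per-user and all-users Startup folders (the location type seen in post 21)
$startupDirs = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
foreach ($dir in $startupDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -File | ForEach-Object {
        $entries += [pscustomobject]@{ Location = $dir; Name = $_.Name; Path = $_.FullName }
    }
}

# Verify Authenticode signatures; drop entries that are validly signed by Microsoft,
# keep everything else (unsigned, invalid, third-party, or missing on disk).
$report = foreach ($e in $entries) {
    if ([string]::IsNullOrWhiteSpace($e.Path) -or -not (Test-Path -LiteralPath $e.Path)) {
        [pscustomobject]@{ Location = $e.Location; Name = $e.Name; Path = $e.Path;
                           Signature = 'FILE NOT FOUND'; Signer = ''; SHA256 = '' }
        continue
    }
    $sig    = Get-AuthenticodeSignature -FilePath $e.Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    if ($sig.Status -eq 'Valid' -and $signer -match 'O=Microsoft Corporation') { continue }
    [pscustomobject]@{
        Location  = $e.Location
        Name      = $e.Name
        Path      = $e.Path
        Signature = $sig.Status
        Signer    = $signer
        SHA256    = (Get-FileHash -LiteralPath $e.Path -Algorithm SHA256).Hash
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\autostart-review.csv" -NoTypeInformation
```

The SHA256 column is what lets a file be checked against VirusTotal by hash rather than by upload, which also avoids sharing a document that may contain personal data. A "FILE NOT FOUND" row is itself a finding: it is the orphaned registry value the poster describes in post 7, pointing at a binary that has already been removed.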
  16. All good then :) As of Database Version 3555 - 09-02-2008, SAS now has your particular variant in its target database, so thank you again for uploading this malware variant. Trojan.Dropper/Gen-NV C:\DOCUMENTS AND SETTINGS\OWNER\MY DOCUMENTS\MALWARE SAMPLES\MSOFLEX.EXE
  17. Hi and welcome to the SAS forums. Please submit a support request here >>> https://www.superantispyware.com/support.html Scroll to the bottom and submit a CSR (Customer Service Request). They will get you to run their diagnostic tool on the infected PC and from there will be able to update their target database to take down your particular variation of fake alert infection. Leave a link back to this topic so it can be tracked.
  18. You're welcome, and I will also get your *bot* off to SAS HQ for inclusion in their target database.
  19. Okey, just got your uploaded sample at CC, thank you for uploading. http://www.virustotal.com/analisis/069c ... cb36eb7c28 ThreatExpert info: http://www.threatexpert.com/report.aspx ... 04fbe15fb6 I must advise you that this is a "password stealer" bot designed to harvest PSWs on the infected system. It is highly advisable that you change all your used passwords as a matter of priority.
  20. Okey then, boot into safe mode and delete the sucker. If possible, can I grab a copy of it before ya nuke it, for distribution/research purposes? http://www.castlecops.com/f81-Unknown_Files.html Start a new topic there titled for my attention and attach/upload the file with your post; no membership is required to do this. LMK if the detections persist after its removal & a couple of reboots.
  21. lol, that's a large output log... like looking for a needle in a haystack. Okey, can you please upload "msoflex.exe" to VirusTotal for malware checking and post back the results. + msoflex.exe c:\documents and settings\all users\start menu\programs\startup\msoflex.exe
  22. Well, if you're going to be posting HJT logs, then at least rename "HiJackThis.exe" to, say, "Foo.exe". This is because the Vundo infection you have will subvert the HJT output log by hiding its O2 and O20 entries :wink: Post edited... SAS HQ to the rescue... see next post
  23. Well, first off, when SAS removes files/reg values etc., they get held in the quarantine zone of the software. They are not actually deleted from the computer completely and are easily restored, should SAS delete something in error, by going to the quarantine option in SAS. As for C:\SYSTEM VOLUME INFORMATION\_RESTORE{00A0FBA4-8A7B-4558-BAF6-C51A17F285BD}\RP222\A0012038.EXE, this is a file held by System Restore. I usually flush System Restore after cleaning an infection from a PC. This can be achieved by switching System Restore *off* then switching it back on again: http://www.real-knowledge.com/flushres.htm HTH :)
  24. Kind of. I explain how to use the "Cookies to keep" function in Options >>> Cookies and do a few for them. The rest is up to the end user to configure.