Seth

Multiple scans with SAS?


Nick,

Is the following possible, and if so, how?

On an infected system, an identical repeat scan of sas will find even more malware.

Also, if the above is true, would it apply to other scanners as well?


Is it finding it in System Volume Information?


Hi Seth

I have found this to be the case on multiple occasions with many different infections. Not sure of the *why* but possibly hidden files/keys being uncovered after the guardian process has been removed.

Best practice with any ASW/AV/AT software is to run detection and cleaning scans from safemode whenever possible :wink:


Hi Seth hope you don't mind me adding my experiences

I have found this to be the case on multiple occasions/various softwares with many different infections. Not sure of the *why* but possibly hidden files/keys being uncovered after the guardian process has been removed.

Best practice with any ASW/AV/AT software is to run detection and cleaning scans(x2) from safemode whenever possible :wink:


Thank you both for the replies.

The question arose on another forum I belong to, and was actually in regards to any antimalware application.

I responded that it's possible, but I wasn't sure why. Fatdcuk, your explanation seems to make sense. I also stated in that thread that running the same antimalware twice (yes, I disinfect using Safe Mode) was not necessary and redundant. I also said that instead of running the same app twice, run an alternate quality scanner.


Well I just tested this on an infected system. I did a full sas scan from Normal Mode. Sas found and removed numerous forms of malware. I then ran another full sas scan from Normal Mode, and sas picked up one entry in the System Volume Information. I'm running a third scan and will post the logs.

Nick- Good call on the SVI :). I'll pose a guess: Some malware detects the removal attempt and copies itself to System Restore?


Continued from above:

First SAS scan:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 09/15/2007 at 12:19 PM

Application Version : 3.9.1008

Core Rules Database Version : 3307

Trace Rules Database Version: 1313

Scan type : Complete Scan

Total Scan Time : 00:20:33

Memory items scanned : 282

Memory threats detected : 2

Registry items scanned : 4240

Registry threats detected : 18

File items scanned : 25388

File threats detected : 67

Trojan.Downloader-UPNP/Fake

C:\WINDOWS\SYSTEM32\DRIVERS\MZQDD.EXE

C:\WINDOWS\SYSTEM32\DRIVERS\MZQDD.EXE

[_] C:\WINDOWS\SYSTEM32\DRIVERS\MZQDD.EXE

C:\B.TMP

C:\WINDOWS\Prefetch\B.TMP-02D172E1.pf

C:\WINDOWS\Prefetch\MZQDD.EXE-1A55814F.pf

Trojan.Smss/Win

C:\WINDOWS\SMSS.EXE

C:\WINDOWS\SMSS.EXE

[iE Redir] C:\WINDOWS\SMSS.EXE

[Microsoft Windows Session Manager Subsystem] C:\WINDOWS\SMSS.EXE

C:\WINDOWS\Prefetch\SMSS.EXE-3092D7B5.pf

Adware.Agent-XMLHelp

HKLM\Software\Classes\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}#AppID

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}#LU

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\InprocServer32

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\InprocServer32#ThreadingModel

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\ProgID

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\Programmable

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\TypeLib

HKCR\CLSID\{85589B5D-D53D-4237-A677-46B82EA275F3}\VersionIndependentProgID

C:\WINDOWS\SYSTEM32\051IPL8X.DLL

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}

Trojan.BankSteal-Gen

HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Microsoft Windows Session Manager Subsystem [ C:\WINDOWS\smss.exe ]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run#Microsoft Windows Logon Process [ C:\WINDOWS\winlogon.exe ]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinSysModule [ dsrss.exe ]

C:\WINDOWS\system32\drv32dta\klg.tmp

C:\WINDOWS\system32\drv32dta\pstore_070915_113540.txt

C:\WINDOWS\system32\drv32dta\pstore_070915_115710.txt

C:\WINDOWS\system32\drv32dta

C:\DOCUMENTS AND SETTINGS\DAD\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\CQ5U3YYF\URLS[1].DAT

C:\WINDOWS\URLS.DAT

Trojan.IE Service

C:\D.TMP

C:\WINDOWS\Prefetch\D.TMP-2938ED76.pf

Trojan.Unknown Origin

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013712.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013713.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013714.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013715.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013716.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013717.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013718.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013719.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013720.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013721.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013722.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013723.EXE

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013724.EXE

Trojan.Duncan

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013727.DLL

Trojan.Downloader-Gen/QWERTY

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013728.EXE

Second SAS scan:

SUPERAntiSpyware Scan Log

https://www.superantispyware.com

Generated 09/15/2007 at 12:55 PM

Application Version : 3.9.1008

Core Rules Database Version : 3307

Trace Rules Database Version: 1313

Scan type : Complete Scan

Total Scan Time : 00:20:18

Memory items scanned : 262

Memory threats detected : 0

Registry items scanned : 4233

Registry threats detected : 0

File items scanned : 25344

File threats detected : 1

Trojan.Downloader-UPNP/Fake

C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP24\A0013868.EXE

Third scan was clean.

Note that the first scan does detect Trojan.Downloader-UPNP/Fake, but the SVI entry doesn't appear in the first scan.


Windows creates the backups in System Volume Restore :)


LOL! I don't know what to think now. You're saying that on the reboot SR created that backup from the malware? Good thing I purge SR after I disinfect.

I'll have some more challenging questions for you tomorrow :)

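An added example (not code from the thread or from SUPERAntiSpyware): a small Python script that reads the detections part of two SAS logs in the layout posted above and splits a rescan's hits into live items and restore-point copies under System Volume Information, so a second-pass hit like the RP24 entry is read as Windows having backed up the removed file rather than as a fresh infection. The log excerpts are constructed from the paths in the thread; the item-line and `_RESTORE{GUID}\RPnn\` patterns are assumptions about the log format.

```python
import re

# Constructed excerpts in the layout of the SAS logs above (detection name,
# then the items found under it); not the thread's full logs.
FIRST_SCAN = r"""
Trojan.Downloader-UPNP/Fake
C:\WINDOWS\SYSTEM32\DRIVERS\MZQDD.EXE
Trojan.BankSteal-Gen
HKLM\Software\Microsoft\Windows\CurrentVersion\Run#WinSysModule [ dsrss.exe ]
Trojan.Unknown Origin
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP18\A0013712.EXE
"""
SECOND_SCAN = r"""
Trojan.Downloader-UPNP/Fake
C:\SYSTEM VOLUME INFORMATION\_RESTORE{8F6E5DC4-71BF-4E24-949A-DB30D18691AA}\RP24\A0013868.EXE
"""

# A file System Restore copied into a restore point: ...\_RESTORE{guid}\RPnn\...
RESTORE_RE = re.compile(r"\\_RESTORE\{[0-9A-F-]+\}\\(RP\d+)\\", re.IGNORECASE)
# An item line (assumed): optional "[tag] " prefix, then a drive path or a hive.
ITEM_RE = re.compile(r"^(\[[^\]]*\] )?([A-Z]:\\|HK(LM|CU|CR|U)\\)", re.IGNORECASE)


def parse_detections(log):
    """Return (detection name, item) pairs from the detections part of a log."""
    pairs, family = [], None
    for line in (raw.strip() for raw in log.splitlines() if raw.strip()):
        if not ITEM_RE.match(line):
            family = line  # a non-item line names the detection that follows
        elif family is None:
            raise ValueError("item before any detection name: " + line)
        else:
            pairs.append((family, line))
    return pairs


def restore_point(item):
    """'RP24' if the item sits in a restore point under SVI, else None."""
    m = RESTORE_RE.search(item)
    return m.group(1).upper() if m else None


def triage_rescan(first, second):
    """Split a rescan's hits into live items (still need cleaning) and
    restore-point copies (Windows backed up the files the first pass removed)."""
    seen = {fam for fam, _ in parse_detections(first)}
    live, copies = [], []
    for fam, item in parse_detections(second):
        (copies if restore_point(item) else live).append((fam, item))
    return {"live": live, "restore_point_copies": copies,
            "new_families": sorted({fam for fam, _ in live} - seen),
            "only_restore_points": bool(copies) and not live}
```

For the thread's logs the second scan comes out as only_restore_points with nothing live, which is the case where purging System Restore, as Seth does, is the remaining cleanup step.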