Viruses in Restore....grrrrrr

silence

<rant>

long story short... I DLed something and NOD32 showed it's infected, but prevented infection, everything is great so far....

so I decide to do a virus and adware sweep just to see if I got anything... and where have the bloody trojans been?
stored in restore points, 4 instances of the same virus..... I don't even have the installer or .exe of that shit on my comp, it's prolly something really old or dunno... but as of now no more restore points (I never used that anyway).

both AdAware and Spybot showed 0 (zero) problems with the latest definitions and NOD32 was keeping everything out, but I had nice cool trojan sleepers in f**** restore points.....

ya, I know, it's not that M$ made that service as a virus database, but I was pissed like hell when I saw where they are....
of course, now I turned off restoring and all points got deleted....

blah.... I KNEW I am running a clean machine, I even google for processes I see in TM and don't recognize, and all the time I had this shit that would prolly be activated if I used restore.... ya, NOD32 would prolly show something is wrong, but still....

worst thing is.... I have no bloody idea where they came from..... NOD32 is really good and stops everything before it gets installed, and googling these particular trojans showed there are many variants, but some are older than 2 years (that's BEFORE I had NOD32, while I was on old free AVG which wasn't that good).....

</rant>
 
Where did you get those virii to begin with? The only way I personally have been delivered a virus is via email, and that was way back in the Melissa and LoveBug days; i.e. ages ago.

"Legitimate file sharing" has been known to spread a virus or two around, you don't happen to be involved in any such activities? :D
 
Guden Oden said:
Where did you get those virii to begin with? The only way I personally have been delivered a virus is via email, and that was way back in the Melissa and LoveBug days; i.e. ages ago.

"Legitimate file sharing" has been known to spread a virus or two around, you don't happen to be involved in any such activities? :D

the thing is.... I have no bloody idea.....
I searched for the file that installs that particular virii and it wasn't anywhere, and they didn't infect anything, they were only in Restore....
of course when NOD32 asked I clicked "delete".....

that's why I ranted... I have no damn bloody idea where they came from...
NOD32 is really doing great work and as I said... I did some file sharing today and DLed something, but NOD32 stopped it and removed it (no, it wasn't the same virii).... that was the only reason why I did a sweep of the system anyway, just to make sure....

and to my surprise I found 4 instances of the same trojan waiting inside restore points... I googled about that virii and tried to find the installer, it wasn't there....

worst of all.... I had restores disabled, I didn't even know they were running again.....

total mess.... that's prolly for laughing at you and MSN toolbar :?

;)
 
I've got a small program I wrote myself, a utility and a library that always come up as being a virus when I run a scan, but I know for sure they're not. They just do some sneaky things in the internals of Windows.
 
DiGuru said:
I've got a small program I wrote myself, a utility and a library that always come up as being a virus when I run a scan, but I know for sure they're not. They just do some sneaky things in the internals of Windows.

heh.... trust me, this was a trojan, I did google and this one has like 20+ versions.... I just wanna know HOW I got it.. so I can prevent it.... ;)
 
silence said:
DiGuru said:
I've got a small program I wrote myself, a utility and a library that always come up as being a virus when I run a scan, but I know for sure they're not. They just do some sneaky things in the internals of Windows.

heh.... trust me, this was a trojan, I did google and this one has like 20+ versions.... I just wanna know HOW I got it.. so I can prevent it.... ;)

But those three are falsely identified as being virus so-and-so. And I had one some time ago that would generate a virus warning only when I zipped it. It happens. Those scanners look for signatures after all, which are just a sequence of bytes.
 
DiGuru said:
But those three are falsely identified as being virus so-and-so. And I had one some time ago that would generate a virus warning only when I zipped it. It happens. Those scanners look for signatures after all, which are just a sequence of bytes.

possible.... dunno.... it's deleted anyway now... ;)
 
I had NOD react just now on some utility I downloaded ages ago to circumvent the port-opening limitation in XP SP2, which it calls win32/tool.evid4226. I googled it, couldn't find any info at all on what this virus supposedly does. Doesn't seem as if any other antivirus maker treats it as a virus either, so I'm not sure it even is.
 
Guden Oden said:
I had NOD react just now on some utility I downloaded ages ago to circumvent the port-opening limitation in XP SP2, which it calls win32/tool.evid4226. I googled it, couldn't find any info at all on what this virus supposedly does. Doesn't seem as if any other antivirus maker treats it as a virus either, so I'm not sure it even is.

It's not a virus, but it does mess with system files (specifically tcpip.sys). If you run it you will get a requester from the OS offering you a chance to restore your system file. I guess some heuristic virus scanners are sensitive to things being accessed that "shouldn't" be.

Some real-time scanners just seem to be more prone to false positives than others. In fact, I have seen some real-time scanners scream about some file access, and then when you run the file scanner portion of the anti-virus product over the file in question, it finds nothing suspicious.
 
Bouncing Zabaglione Bros. said:
It's not a virus, but it does mess with system files (specifically tcpip.sys).
Well, it's SUPPOSED to mess with them. :D I downloaded it but actually never ran it...

Weird though that it's treated as a threat when it really isn't.
 
Guden Oden said:
I had NOD react just now on some utility I downloaded ages ago to circumvent the port-opening limitation in XP SP2, which it calls win32/tool.evid4226. I googled it, couldn't find any info at all on what this virus supposedly does. Doesn't seem as if any other antivirus maker treats it as a virus either, so I'm not sure it even is.

nah... I did Google mine... it was a trojan.... and it has like 20+ variants, some newer, but some from 2003 and 2004.....

I just can't get how the hell I got it..... :?
 
Guden Oden said:
Bouncing Zabaglione Bros. said:
It's not a virus, but it does mess with system files (specifically tcpip.sys).
Well, it's SUPPOSED to mess with them. :D I downloaded it but actually never ran it...

Weird though that it's treated as a threat when it really isn't.

Yes, that's what I was explaining. It gets (incorrectly) picked up as a virus because it interferes with system files that nothing has any business fiddling with, though in this case it is in fact doing a legitimate task. It gets picked up as a virus not because it has been positively identified as one, but because it's fiddling with something that shouldn't be fiddled with.
 
Except, it comes from a legitimate website and is well-known for what it does. So it's a false positive, seeing as detecting it doesn't protect anyone from anything, and in fact just tarnishes this patcher's name and as a consequence, NOD32's reputation as well. It's never good to mark out harmless programs as threats, it makes your program look amateurish.
 
Guden Oden said:
Except, it comes from a legitimate website and is well-known for what it does. So it's a false positive, seeing as detecting it doesn't protect anyone from anything, and in fact just tarnishes this patcher's name and as a consequence, NOD32's reputation as well. It's never good to mark out harmless programs as threats, it makes your program look amateurish.

Yeah, but that's the nature of heuristic detection. It tries to make an educated guess based on behaviour in order to catch any new virii that it doesn't have a pattern definition for. The downside of that is more false positives, but it's the only method to protect against a new virus during the lag period before new definition files arrive.
 
Yes, and the things that are scanned for are the "nasty bits" of those virii, like the sequence that accesses some dangerous, low-level API function, like directly messing with ACLs, or making a pipe to elevate your account rights and stuff like that. Normal programs aren't supposed to do those things.
 
Bouncing Zabaglione Bros. said:
Yeah, but that's the nature of heuristic detection.
It's not a heuristic mis-detection. The "virus" has even been given a name by Eset, NOD doesn't just report file xxx looks like a virus. It's actually IDENTIFIED as one for real. :p
 
Guden Oden said:
Bouncing Zabaglione Bros. said:
Yeah, but that's the nature of heuristic detection.
It's not a heuristic mis-detection. The "virus" has even been given a name by Eset, NOD doesn't just report file xxx looks like a virus. It's actually IDENTIFIED as one for real. :p

Ahh, that's just them being rubbish then. Probably because they don't think you should be undoing the changes to Microsoft's TCP/IP stack which are supposed to limit worm behaviour (i.e. minimally treat the symptoms). It's a bit silly though given that EvID doesn't exhibit any virus-like behaviour. I know F-Prot and Kaspersky don't identify it as a virus.
 
Restore Points are notorious for hiding viruses and trojans. The solution? Disable restore points. It's that eternal security vs. everything else struggle.
 