eScan / kaspersky antivirus info ?

  • Thread starter Thread starter Thierry
  • Start date Start date
T

Thierry

Hi,
Following Art's sugegstion I ran eScan from Micro World
http://www.claymania.com/KASFX.EXE

Contrary to products from Microsoft, Bitdefender and PCTools, it immediately
found the infected file during the attack and either deleted or renamed them
with a .mwt extension. easy to delete.

Question. I don't really see updates (they seem to be done at the time of
the scan neither manual or a real menuing). Where can I find more
information about this product (but I found its price, about 50 euros)
For example, it opens forst an ftp connexion, probably to download its
latest signatures. But it never closed. Can I once there is no more activity
in this Wget ftp window ?

For example on http://www.claymania.com/nav-map.html I don't really see
information about performances of kaspersky vs others. It seem to handle
more than 151000 signatures where others have only 30000, etc. Where to find
more information (excepted on this fotum, but it is not easy for such info)

Thanks
Thierry, luxembourg
 
Hi,
Following Art's sugegstion I ran eScan from Micro World
http://www.claymania.com/KASFX.EXE

Contrary to products from Microsoft, Bitdefender and PCTools, it immediately
found the infected file during the attack and either deleted or renamed them
with a .mwt extension. easy to delete.

Question. I don't really see updates (they seem to be done at the time of
the scan neither manual or a real menuing).
Click to expand...

That's the way I arranged it. When you run the SFX it first updates
before it starts the scanner. I arranged it as a emergency scanner.
It uses a older version of the freeware version of Escan that has
a clean/rename capability.
Where can I find more
information about this product (but I found its price, about 50 euros)
For example, it opens forst an ftp connexion, probably to download its
latest signatures. But it never closed. Can I once there is no more activity
in this Wget ftp window ?
Click to expand...

That's stuff I added. It uses wget to download updates via FTP.
For example on http://www.claymania.com/nav-map.html I don't really see
information about performances of kaspersky vs others. It seem to handle
more than 151000 signatures where others have only 30000, etc. Where to find
more information (excepted on this fotum, but it is not easy for such info)
Click to expand...

Don't go by that. Go by the results of independent test agencies that
do comparative testing. Browse the claymania site and you'll find some
listed, as well as other information.

Art

http://home.epix.net/~artnpeg
 
From: "Thierry" <->

| Hi,
| Following Art's sugegstion I ran eScan from Micro World
| http://www.claymania.com/KASFX.EXE
|
| Contrary to products from Microsoft, Bitdefender and PCTools, it immediately
| found the infected file during the attack and either deleted or renamed them
| with a .mwt extension. easy to delete.
|
| Question. I don't really see updates (they seem to be done at the time of
| the scan neither manual or a real menuing). Where can I find more
| information about this product (but I found its price, about 50 euros)
| For example, it opens forst an ftp connexion, probably to download its
| latest signatures. But it never closed. Can I once there is no more activity
| in this Wget ftp window ?
|
| For example on http://www.claymania.com/nav-map.html I don't really see
| information about performances of kaspersky vs others. It seem to handle
| more than 151000 signatures where others have only 30000, etc. Where to find
| more information (excepted on this fotum, but it is not easy for such info)
|
| Thanks
| Thierry, luxembourg
|

Thierry:

The tool provided by Art is merely a removal and verification tool. It can NOT self-update
with out your adding that capability.

For example, you can use the Control Panel Applet "Scheduled Tasks" to automate a periodic
update of the Kasperski signature files. However, it isn't suggested. Since this is a "On
Demand scanner, you will only run this on a periodic basis. All one needs to do is run the
batch file and the latest signatures will be downloaded at the time of the desired "On
Demand" scan.

Realize, this is a tool for verification and removal. It is a not a tool of prevention
since it provided no "On Access" scanning capabilities.

BTW:
McAfee is up to about 150,000 infectors in its library.
Sophos is up to about 110,000
Trend Micro is up to about 109,000

Any software with only 30,000 signatures will be considered junk (i.e, ClamAV)
 
BTW:
McAfee is up to about 150,000 infectors in its library.
Sophos is up to about 110,000
Trend Micro is up to about 109,000

Any software with only 30,000 signatures will be considered junk (i.e, ClamAV)
Click to expand...

Kaspersky right now is at a bit over 150,000 "records", which doesn't
mean much, I don't think. It has historically displayed a relatively
low number of records compared to the number of malwares it detects
IIRC. Maybe it uses one record for multiple detections and simply
doesn't show the user the number of actual sigs available.

What always struck me odd is that F-prot continually claimed to detect
many more malwares than KAV's # of records. Yet av comparatives
always show that KAV out-detects F-prot by quite a significant margin.

Then you have the influence of heuristics and the detection of
"unknown" malwares ... which most av have ... but which some
av rely on more heavily. So the numbers shown by the scanners
are a poor indicator of actual detection range and capabilities.

Except maybe clamav :)

Art

http://home.epix.net/~artnpeg
 
OK. Many thanks for your smart advice to both of you.
Now I am doing a deep rescan of all my disks to be sure that nothing
malevolent remains.

There are over 10 years that I am no more concerned by anti-viruses... Most
of the time there were not very dangereous and most applications found them.
Not this time. And according to my readings, ITSbar is one of more common
these last months.
In the past (still before NT) I used mcafee, dr solomon and f-prot. if I
remember well at that time there were no more than 5000 signatures I think
(about 20 years ago)... That seriously increased.

About my problem, the status is next : for short : all is OK doc !
This attack allowed me to increase my disk space in merging my two logical
disks when I reformatted all, and I spared the purchase of a new disk.
better to see the good thing of this affair !

To definetely fix my problem with ITSBar trojan (I hope so !), I also
downloaded the beta of kaspersky at
http://www.windowscentral.com/file/22694.htm that looks superb.
NB. even the executable of pctools spyware swdoctor.exe is considered as a
possible infection... So I uninstall this product, as well all other useless
AV, and run only KAV. I hope it is the best.

As my ITSbar trojan seems no more operating, it seems that eScan has found
all traces of it and its malicious friends.
Unfortunately it seemed that my PC hanged at the end of the desinfection (as
before, during the infection in fact), and that my lsass.exe process
continued to end unexpectively (and shut down the PC) a few time later. So I
suspected a corruption of some processes and maybe during the deletion of
infected files too. I thus asked XP to repair (and thus partly reinstall)
the OS. Now, for half an hour I do no more observe any reboot...

I hope that now the problem is fixed for good. I lost almost 2 days in
trying to counter and delete this bulls... of virus. I don't know how these
pirats program these viruses but they are efficient and these people are
really experienced and very clever in their field. Straight on to the
prison, yeah !
Thanks Art for your help in removing it.

I also suggested to a French website about sciences and very frequented that
has written some pages about antiviruses to insist more and provide more
advice about anti-viruses *solutions* instead of listing all possible trojan
and their effects, and more, but without providing the least software to
download...
Read is fine, but repair is better when you have been attacked ! I also
added a link on my website (end of my index) to eScan, KAV and to some info.
I think that is it is a good choice that can help many people because,
unfortunately, statistically other internet users will be infected as
well...
http://www.astrosurf.org/lombry/index.htm
Keep going the good job !

Thierry
 
From: "Thierry" <->

| OK. Many thanks for your smart advice to both of you.
| Now I am doing a deep rescan of all my disks to be sure that nothing
| malevolent remains.
|
| There are over 10 years that I am no more concerned by anti-viruses... Most
| of the time there were not very dangereous and most applications found them.
| Not this time. And according to my readings, ITSbar is one of more common
| these last months.
| In the past (still before NT) I used mcafee, dr solomon and f-prot. if I
| remember well at that time there were no more than 5000 signatures I think
| (about 20 years ago)... That seriously increased.
|
| About my problem, the status is next : for short : all is OK doc !
| This attack allowed me to increase my disk space in merging my two logical
| disks when I reformatted all, and I spared the purchase of a new disk.
| better to see the good thing of this affair !
|
| To definetely fix my problem with ITSBar trojan (I hope so !), I also
| downloaded the beta of kaspersky at
| http://www.windowscentral.com/file/22694.htm that looks superb.
| NB. even the executable of pctools spyware swdoctor.exe is considered as a
| possible infection... So I uninstall this product, as well all other useless
| AV, and run only KAV. I hope it is the best.
|
| As my ITSbar trojan seems no more operating, it seems that eScan has found
| all traces of it and its malicious friends.
| Unfortunately it seemed that my PC hanged at the end of the desinfection (as
| before, during the infection in fact), and that my lsass.exe process
| continued to end unexpectively (and shut down the PC) a few time later. So I
| suspected a corruption of some processes and maybe during the deletion of
| infected files too. I thus asked XP to repair (and thus partly reinstall)
| the OS. Now, for half an hour I do no more observe any reboot...
|
| I hope that now the problem is fixed for good. I lost almost 2 days in
| trying to counter and delete this bulls... of virus. I don't know how these
| pirats program these viruses but they are efficient and these people are
| really experienced and very clever in their field. Straight on to the
| prison, yeah !
| Thanks Art for your help in removing it.
|
| I also suggested to a French website about sciences and very frequented that
| has written some pages about antiviruses to insist more and provide more
| advice about anti-viruses *solutions* instead of listing all possible trojan
| and their effects, and more, but without providing the least software to
| download...
| Read is fine, but repair is better when you have been attacked ! I also
| added a link on my website (end of my index) to eScan, KAV and to some info.
| I think that is it is a good choice that can help many people because,
| unfortunately, statistically other internet users will be infected as
| well...
| http://www.astrosurf.org/lombry/index.htm
| Keep going the good job !
|
| Thierry

If the scanner fail and crash it could be indicative of file table problems or file
corruption...

Open a Command Prompt.

In the Command Prompt type the following...

CHKDSK C: /F

If it replies..
"Chkdsk cannot run because the volume is in use by another process.
Would you like to schedule this volume to be checked the next time the system restarts?
(Y/N)"

Choose - Y

type; EXIT

Reboot the PC.

A full Check Disk will want to be performed, allow it.

When it reboots, perform a defragmentation of the hard disk.

You can get to the Defragmenting program easily by executing; dfrg.msc

Start --> run ->
type; dfrg.msc


IST-Bar is an adware type Trojan and to make sure all is gone, use non-viral malware
applications...

Please download, install and update the following software...

Ad-aware SE v1.06
http://www.lavasoft.de/
http://www.lavasoftusa.com/

SpyBot Search and Destroy v1.4
http://security.kolla.de/

After the software is updated, I suggest scanning the system in Safe Mode.

If LSASS generates a NT SYSTEM/SHUTDOWN error message with a 60 sec. countdown, you can go
to; Start --> run and enter; shutdown -a

On Win2k you would need to download a Win2K version of shutdown.exe and its syntax is;
shutdown /a

I have posted a copy in; alt.binaries.comp.virus

Subject: SHUTDOWN.EXE for Windows 2000 platforms for RPC/DCOM and LSASS shutdown issues
 
What always struck me odd is that F-prot continually claimed to detect
many more malwares than KAV's # of records. Yet av comparatives
always show that KAV out-detects F-prot by quite a significant margin.
Click to expand...

F-Prot contains Many double signatures. This is the reason for it not
detecting as many as KAV. I have a really good source on this one :)
 
OK. Many thanks for your smart advice to both of you.
Click to expand...

We do appreciate the positive feedback :)
Now I am doing a deep rescan of all my disks to be sure that nothing
malevolent remains.

There are over 10 years that I am no more concerned by anti-viruses... Most
of the time there were not very dangereous and most applications found them.
Not this time. And according to my readings, ITSbar is one of more common
these last months.
In the past (still before NT) I used mcafee, dr solomon and f-prot. if I
remember well at that time there were no more than 5000 signatures I think
(about 20 years ago)... That seriously increased.

About my problem, the status is next : for short : all is OK doc !
This attack allowed me to increase my disk space in merging my two logical
disks when I reformatted all, and I spared the purchase of a new disk.
better to see the good thing of this affair !

To definetely fix my problem with ITSBar trojan (I hope so !), I also
downloaded the beta of kaspersky at
http://www.windowscentral.com/file/22694.htm that looks superb.
Click to expand...

Good choice. I've checked the Betas of both this and KIS (Kaspersky
Internet Security 2006) and they were both stable on my machine.

I don't think you have to be concerned with this on the 2006 versions,
but just in case I want to mention something. It's very important with
KAV to make sure it's downloading updates from the so-called extra
defs sites. For one example:

http://updates1.kaspersky-labs.com/updates_x

is one of the extra defs sites. They end with /updates_x

Just to impress you with the importance of this, I don't think KAV
(Escan) would have alerted on the Trojan you got hit with without
the extra defs (but I'm not sure).
NB. even the executable of pctools spyware swdoctor.exe is considered as a
possible infection... So I uninstall this product, as well all other useless
AV, and run only KAV. I hope it is the best.
Click to expand...

As I said, use Spybot and Ad-Aware as well. No single scanner detects
everything.
As my ITSbar trojan seems no more operating, it seems that eScan has found
all traces of it and its malicious friends.
Unfortunately it seemed that my PC hanged at the end of the desinfection (as
before, during the infection in fact), and that my lsass.exe process
continued to end unexpectively (and shut down the PC) a few time later. So I
suspected a corruption of some processes and maybe during the deletion of
infected files too. I thus asked XP to repair (and thus partly reinstall)
the OS. Now, for half an hour I do no more observe any reboot...

I hope that now the problem is fixed for good. I lost almost 2 days in
trying to counter and delete this bulls... of virus. I don't know how these
pirats program these viruses but they are efficient and these people are
really experienced and very clever in their field. Straight on to the
prison, yeah !
Thanks Art for your help in removing it.
Click to expand...

You're welcome.
I also suggested to a French website about sciences and very frequented that
has written some pages about antiviruses to insist more and provide more
advice about anti-viruses *solutions* instead of listing all possible trojan
and their effects, and more, but without providing the least software to
download...
Read is fine, but repair is better when you have been attacked ! I also
added a link on my website (end of my index) to eScan, KAV and to some info.
I think that is it is a good choice that can help many people because,
unfortunately, statistically other internet users will be infected as
well...
http://www.astrosurf.org/lombry/index.htm
Keep going the good job !
Click to expand...

Ah! I see you offer a download of the emergency util I put together.
That's good. I can refer to your site as a alternate :)

Best regards,

Art

http://home.epix.net/~artnpeg
 
Looks like his actual email addy is in his header? If so, I'll drop
him a email. Thanks.
Click to expand...

Thanks for noticing :). I get very little spam. I have a cool system
too. Suspected spam is rerouted. Message containing an executable
'attackments' are also sent to alternative address. It may seem a bit
far fetched but it works well for me. I'm adding a 'mirror' for your
KASFX tool. Stay tuned!
 
Art said:
Whoops. I just noticed it's just a link to the claymania site. I had
been thinking about alternate server sites.
Click to expand...

No I can't manage such a thing as my website is dedicated to astronomy and
amateur radio and the server doesn't belong to me (in practice I could but
not from an ethic point of view).

OK I will updated KAV using Art and David URLs. I still esprimented some
hangings between KAV and my Outlook express. I don't know why. Thus I
rebooted. Till one hanging, reboot, till one hanging. Now it's OK. Then,
after have worked 1hr with an active Internet connexion KAV detected two new
trojan that it intercepted and deleted just in time.

Remain to know where do these trojan come from... who send them, themselves
while reproducing ? But from what server ? Anyone infected close to my
country (I see extension in trojan like .lu or .at, I live in .lu) ? Is this
well their way to spread worldwide ?
Could Google be a relay to viruses or even an official governemental website
? (I don't think)
Who knows ?
Is there a mean to trace the path followed by a trojan ? No mean, even with
a firewall during the downloading of the virus' files (when the source and
destinee PCs are up with an IP) ?

Thierry
 
Back
Top