
Infection? - Is this dangerous?



I did a preliminary scan before 18/6/2017.

 

I think that you might find this interesting.

 

Both AVG and Malwarebytes detected this:

 

Registry Value: 1

 

PUP.Optional.VulnerableDellSystemDetect, HKU\S-1-5-21-4079396374-1713880073-3064916896-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DELLSYSTEMDETECT, No Action By User, [15449], [251680],1.0.2074

 

The good news is that Malwarebytes only detected one issue, which AVG detected as well.

 

The question is, how dangerous is this?

 

Is it a threat?

 

It takes a while to access registry files, and upload to your website, so I’ll wait till 18/6 to get the report from http://www.virustotal.com.

 

I think it’s very good news that since I removed Malwarebytes, only one issue has been detected since re-installation.

 

I think this means that Windows Defender is doing a very good job on Windows 10 Home Edition at least.

Addition.txt

FRST.txt


:welcome:

This is not an infection. This is a PUP (potentially unwanted program) detection. You should check with Dell support and ensure this PC has the latest version of Dell System Detect.

Please check out the link below. It has some information. At the top you will see a link (in blue) to Update.

This is the link to the Dell support page for Dell System Detect

There had been a vulnerability with this Dell app (from a long time back) but Dell had published a newer version. You should check on Dell Support and check this PC for updates on Dell apps.


Hmmm, if you look at these screenshots.

I think it is very dangerous.

Malwarebytes identified it

AVG identified it

Hitman Pro identified it

Spybot identified it

Superantispyware identified it, and labelled it as a critical threat.


HKU\S-1-5-21-4079396374-1713880073-3064916896-1001

 

Is it dangerous?


Which screenshots?

Also, where do you see that Malwarebytes, AVG, HitmanPro and SpyBot detected that key? The key below:

Quote

HKU\S-1-5-21-4079396374-1713880073-3064916896-1001

Points to the SID of a user in the Registry. It isn't malicious.

Edit: For the PUP detection about Dell System Detect, @Maurice Naggar and I already provided you with the answer. You can either uninstall or update Dell System Detect to secure your system against the flaw in the program.

Edited by Aura
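Maurice Naggar's advice to confirm which version of Dell System Detect is installed, and Aura's point that HKU\S-1-5-21-...-1001 is just a user's SID while the DELLSYSTEMDETECT value under its Run key is the actual autostart entry, can both be checked from PowerShell. The following is an added example, not code from this thread or from Malwarebytes: it lists every per-user Run entry under HKEY_USERS, resolves the SID to an account name, and reports the target file's version and Authenticode signature status. It assumes an elevated PowerShell session on Windows and maps the HKU: drive itself; the helper names Resolve-Sid, Get-CommandPath and Get-UserRunEntries are my own.

```powershell
# Added example, not code from this thread or from Malwarebytes: enumerate per-user Run
# autostart entries under HKEY_USERS, resolve each hive's SID to an account name, and
# report the target file's version and Authenticode signature status.
# Assumes an elevated PowerShell session on Windows; the HKU: drive is mapped below.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Resolve-Sid {
    # Translate S-1-5-21-...-1001 into DOMAIN\User (or <unresolved> for a deleted account)
    param([string]$Sid)
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        return $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        return '<unresolved>'
    }
}

function Get-CommandPath {
    # Extract the executable from Run value data such as "C:\dir\app.exe" /arg
    # or %ProgramFiles%\app.exe /arg
    param([string]$CommandLine)
    $cl = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ($cl.StartsWith('"')) {
        $end = $cl.IndexOf('"', 1)
        if ($end -gt 0) { return $cl.Substring(1, $end - 1) }
    }
    return ($cl -split '\s+')[0]
}

function Get-UserRunEntries {
    # Real user hives look like S-1-5-21-<domain ids>-<rid>; skip _Classes hives and well-known SIDs
    Get-ChildItem -Path HKU:\ |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid    = $_.PSChildName
            $runKey = "HKU:\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
            if (-not (Test-Path -LiteralPath $runKey)) { return }
            $key = Get-Item -LiteralPath $runKey
            foreach ($name in $key.GetValueNames()) {
                $cmd    = [string]$key.GetValue($name)
                $path   = Get-CommandPath $cmd
                $exists = $path -and (Test-Path -LiteralPath $path)
                $ver    = $null
                $sig    = 'FileMissing'   # a Run entry whose target is gone is itself worth a look
                if ($exists) {
                    $ver = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
                    $sig = (Get-AuthenticodeSignature -FilePath $path).Status
                }
                [pscustomobject]@{
                    Account     = Resolve-Sid $sid
                    Sid         = $sid
                    ValueName   = $name
                    Command     = $cmd
                    FileVersion = $ver
                    Signature   = $sig
                }
            }
        }
}

Get-UserRunEntries | Format-Table -AutoSize
```

Only the hives of currently loaded profiles appear under HKEY_USERS, so run this as the user in question or after that user has logged on. For the Dell entry, compare the FileVersion column with the version offered on Dell's support page; the Signature column tells you whether the autostart target is an unmodified, signed binary.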

Alright.

The screenshot from AVG is clearly from their "Registry Cleaner" component which is looking for junk data in the Registry that can be deleted to "save space". It isn't a detection for something malicious. If I were you, I would stay away from that feature as it could damage your system.

The detections from HitmanPro are legitimate, though they point to keys underneath the SID one. These keys are the problem, not the SID one.

Same for Spybot, and same for SUPERAntiSpyware.


Yes, these were good detections to be removed.

And the unpatched Dell System Detect program is considered highly dangerous as it can lead to RCE, which is one of the worst exploits there is, as it can lead to pretty much anything on a system.


Great,

thanks for the rapid replies.

I think that the good news is that:

Good News

Malwarebytes detected only one issue, which Windows Defender did not detect.

Bad News

That this key was highly dangerous in your opinion.

Other software detected this key as well.

I am trying to decide whether or not to include Malwarebytes on the system. Whether Windows Defender is enough protection, or whether I should be using Windows Defender, and Malwarebytes together, at the same time.


Quote

or whether I should be using Windows Defender, and Malwarebytes together, at the same time.

This is what I would be doing. Keep Windows Defender as the main Antivirus, and use Malwarebytes to add multiple layers of protection behind it.


This is the claim that Windows Defender makes - but it seems that at least one issue slipped through the net.


https://www.microsoft.com/en-us/windows/windows-defender

Microsoft antivirus protection

Windows Defender is the No. 1 antivirus on Windows 10, protecting more computers against viruses, malware, spyware, and other threats than any other solution.

Thanks!

But if you cannot trust the Microsoft website itself, then who can you trust?!!!

Have a read of these two links, if it is of interest to you.

Both are non-Microsoft, or what are considered to be 3rd party.

How to change Windows Defender Antivirus cloud-protection level on Windows 10

https://www.windowscentral.com/how-change-windows-defender-antivirus-cloud-protection-level-windows-10

You can use a stronger protection level with Windows Defender Antivirus, and in this guide, we'll tell you how to do it on the Windows 10 Creators Update.

Windows 10 offers the Windows Defender Antivirus as the default security and anti-malware solution to protect your computer and files against the ongoing growth of threats, including viruses, rootkits, spyware, and other types of malware -- and even those nasty ransomware.

Alongside the new features and improvements included with the Windows Defender Security Center, on the Windows 10 Creators Update (version 1703), the antivirus continues to evolve with new enhancements, such as the ability to manually change the cloud-protection level for your devices.

While out-of-the-box, the antivirus already offers robust threat detection, you can now select a higher level of protection to allow Windows Defender Antivirus to be more proactive scanning and detecting suspicious files, which helps Windows 10 users and organizations to keep their PCs more secure.

In this Windows 10 guide, we'll walk you through the steps to change the cloud-protection level that Windows Defender Antivirus uses to scan and block suspicious files using Local Group Policy and the Registry.

Set Windows Defender Antivirus blocking to high on Windows 10

https://www.ghacks.net/2017/05/26/set-windows-defender-antivirus-blocking-to-high-on-windows-10/

Note: The following procedure enables cloud-delivered protection in Windows Defender Antivirus. The feature is only available in Windows 10 version 1703 (and newer), and manageable through various interfaces including Group Policy, Registry, System Center Configuration Manager, or Microsoft Intune.

The main benefit that enabling cloud-delivered protection brings to the table is that it may detect and block new malware, even if no signatures are available yet.

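The two articles quoted above change the cloud-protection level through Group Policy or the Registry; the same settings are also exposed by the Defender PowerShell module that ships with Windows. The following added example is not from the thread or from either article: it shows the current cloud-protection state and then raises it to the "High" blocking level the articles describe. It assumes Windows 10 version 1703 or later and an elevated session; Get-CloudProtectionState is my own helper, while Get-MpPreference and Set-MpPreference are the built-in cmdlets.

```powershell
# Added example, not from the thread or the quoted articles: inspect and raise the
# Windows Defender Antivirus cloud-protection settings with the Defender module.
# Assumes Windows 10 1703 or later and an elevated PowerShell session.

function Get-CloudProtectionState {
    # Snapshot of the settings that govern cloud-delivered protection
    $p = Get-MpPreference
    [pscustomobject]@{
        MAPSReporting        = $p.MAPSReporting          # 0 = disabled, 1 = basic, 2 = advanced
        SubmitSamplesConsent = $p.SubmitSamplesConsent   # whether suspicious files may be sent for analysis
        CloudBlockLevel      = $p.CloudBlockLevel        # 0 = default, 2 = high
        CloudExtendedTimeout = $p.CloudExtendedTimeout   # extra seconds a file may be held for a cloud verdict
    }
}

'Before:'
Get-CloudProtectionState

# Cloud-delivered protection only does anything when MAPS reporting is on and
# sample submission is allowed; without these, CloudBlockLevel has no effect.
Set-MpPreference -MAPSReporting Advanced
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# "High" is the blocking level the quoted articles set through Group Policy / the Registry.
Set-MpPreference -CloudBlockLevel High

# Allow up to the maximum additional time (50 s) for the cloud to reach a verdict
Set-MpPreference -CloudExtendedTimeout 50

'After:'
Get-CloudProtectionState
```

A Group Policy setting for the same values takes precedence over what Set-MpPreference writes, so on a domain-joined machine check the "After:" output rather than assuming the change took effect.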

OK,

that sounds like good advice.

However, if I can leave you with this observation:

Malwarebytes identified HKU\S-1-5-21-4079396374-1713880073-3064916896-1001\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN|DELLSYSTEMDETECT.

According to Aura, Special Ops, this was highly dangerous.

When I ran HitmanPro, it identified this as well, and removed it, as well as others (details attached).

However, if you look at this screenshot, after Malwarebytes identified this, and Hitman Pro removed it, I ran Superantispyware.

Superantispyware identified a similar threat, and labelled it as Critical, and advised that it should be removed straight away.

The conclusion of this work is that Malwarebytes, although effective, missed this issue that Superantispyware detected. Hitman Pro missed this as well.

So, although Malwarebytes is good, it is not 100% effective.

Conclusion

Malwarebytes and Hitman Pro both missed what Superantispyware detected.


SUPER ANTISPYWARE.jpg

HitmanPro_20170603_1726.log


So, what I am saying is that although Malwarebytes is a good product, I do not agree with the advice to use BOTH Malwarebytes AND Windows Defender.

You could use Malwarebytes, Windows Defender, and Superantispyware, however the general advice is not to use two anti-virus programs together, so I do not think that running three programs is a good idea, even though there is evidence that I have uncovered that Malwarebytes detected something that Windows Defender didn't, and that Superantispyware detected something that Malwarebytes didn't.

Is it OK to run Windows Defender with Norton or McAfee antivirus protection?

You should never run more than one antivirus program at the same time. The two programs could slow down your computer, and they might even identify each other as a virus, which could lead to file corruption or other conflicts and errors that make your antivirus protection less effective—or not effective at all.

Why Using Multiple Antivirus Programs is a Bad Idea

https://blog.kaspersky.com/multiple-antivirus-programs-bad-idea/2670/

You might think that, much like a pirate going into battle, the more weapons you have at your disposal for your protection the better: cutlass in one hand, pistol and the other, knife held between the teeth (hence the expression ‘armed to the teeth’). But while that may work in old-fashioned combat, it is not the case when it comes to protecting your system from the sea of danger it constantly faces. Running two antivirus programs at the same time is, in fact, a very bad idea. There are three reasons why:

When it comes to protecting your computer, more protection is not better. Take some time to do the research and choose one comprehensive antivirus suite that has been independently tested to combat the latest known malware programs and that will singlehandedly arm your system to the teeth to protect it against every type of threat.

Don't use two antivirus programs at once

https://www.bitdefender.com/security/don-t-use-two-antivirus-programs-at-once.html

While one antivirus program is a must for every computer user to stay protected against viruses, malware and other maladies of the internet, Patrick Marshall writes on a Seattle Times Q&A that using two is not recommended.

Reader John Hahn from Woodinville, Washington, wrote in and said he tried running two programs and encountered problems.

"It's generally not a good idea to run two antivirus programs on the same computer, and virtually all antivirus programs warn against doing so," Marshall said. "Antivirus programs monitor your computer's behavior for signs of viruses. The problem is that some of those monitoring activities can look like virus activity. So one antivirus program can appear to another as a virus."

Should you run more than one antivirus program at the same time?

https://support.symantec.com/en_US/article.TECH104806.html

The use of third-party antivirus solutions, concurrent with a Symantec solution that contains antivirus protection, such as Symantec Endpoint Protection (SEP), may cause unexpected behavior and undesired results, and is not supported. You should only run one antivirus program at a time. Having more than one antivirus program active in memory uses additional resources and can result in program conflicts, false virus alerts, and lowered protection.

If Malwarebytes had detected what Superantispyware detected (and labelled as critical), then I would agree that it is permissible to use both Malwarebytes and Windows Defender, as Malwarebytes is not anti-virus, but anti-malware. So in some circumstances it is OK to use both Windows Defender, and Malwarebytes.

My conclusion is that because I cannot see much difference between using Windows Defender alone, and Windows Defender and Malwarebytes, then I think that it is OK to just use Windows Defender alone.

I hope that this makes sense.


Are you able to export the SUPERAntiSpyware scan log? I would like to see what threat it identified as "critical". I know what key and value it targeted, but I need to know what data was in that value. It could be a false positive.

Quote

You could use Malwarebytes, Windows Defender, and Superantispyware, however the general advice is not to use two anti-virus programs together, so I do not think that running three programs is a good idea,

Neither Malwarebytes nor SUPERAntiSpyware is an Antivirus program, so you would be fine running the three of them at once. As far as I'm concerned, Windows Defender is an Antivirus, Malwarebytes is an Antimalware and Anti-Exploit, and SUPERAntiSpyware is an Anti-Spyware.

Quote

My conclusion is that because I cannot see much difference between using Windows Defender alone, and Windows Defender and Malwarebytes, then I think that it is OK to just use Windows Defender alone.

Using Windows Defender alone leaves your system weakened when it comes to exploit, ransomware and malware protection, hence why running Malwarebytes alongside it would be a good idea.

OK, you sound as though you are technically trained.

I am using Windows 10 HOME, and if you read the link below, you can see that it was the Windows versions that were in the home that were at less risk of attack.

All I have is the data that I sent you.

Neither Malwarebytes nor SUPER AntiSpyWare is an Antivirus program, so you would be fine running the three of them at once.

As far as I'm concerned, Windows Defender is an Antivirus, Malwarebytes is an Antimalware and Anti-Exploit, and SUPER AntiSpyWare is an Anti-Spyware.

True - but if you read this link, SUPER AntiSpyWare can detect Malware.

I would also add that the definition of a virus, malware, spyware, exploit could be considered to be loose, or hazy.

https://en.wikipedia.org/wiki/SUPERAntiSpyware

SUPER AntiSpyWare is a software application which can detect and remove spyware, adware, trojan horses, rogue security software, computer worms, rootkits, parasites and other potentially harmful software applications. Although it can detect malware, SUPER AntiSpyWare is not designed to replace antivirus software.


https://arstechnica.co.uk/security/2017/05/windows-7-not-xp-was-the-reason-last-weeks-wcry-worm-spread-so-widely/

The Kaspersky figures are illuminating because they show Windows 7 x64 Edition, which is widely used by large organisations, being infected close to twice as much as Windows 7 versions mostly used in homes and small offices.

As far as I am concerned:

  • Malwarebytes
  • Super antispyware
  • Hitman Pro

All detected HKU\S-1-5-21-4079396374-1713880073-3064916896-1001, which was found in various places.

I think the conclusion to draw is that this bug got into the computer, multiplied, and affected various parts of the computer, and that one anti-malware software alone was not sufficient to detect the products of this multiplication.

I could run the following together:

  • Windows Defender
  • Malwarebytes
  • Super antispyware

or just run Windows Defender, and periodically install, and uninstall the other two.

Personally I think that Windows Defender is doing a good job, and as the advice on the web suggests to use one software protection, I'll go for the latter.

Hi,

If you have a look at this - I think that you might find it very helpful -

Windows Defender detected TrojanDownloader:PowerShell/Falsip.A, whereas Malwarebytes Premium edition did not.

This confirms my opinion that Windows Defender is sufficient.

According to internet reports TrojanDownloader:PowerShell/Falsip.A is classified as Malware.

WINDEFEN1.jpg

WINDEFEN2.JPG

WINDEFEN3.JPG

Malwarebytes.txt


Quote

I think the conclusion to draw is that this bug got into the computer, multiplied, and affected various parts of the computer, and that one anti-malware software alone was not sufficient to detect the products of this multiplication.

No. Dell System Detect is a legitimate program that is preinstalled on Dell computers. The reason why it was flagged as a PUP by Malwarebytes is because older versions of the software are vulnerable to RCE, which leaves your system open to infection, hacks, etc. It didn't multiply, nor did it affect various parts of your system.

Quote

OK, you sound as though you are technically trained.

I am. I'm trained in malware removal, and I also work in Technical Support for a big company.

Quote

I am using Windows 10 HOME, and if you read the link below, you can see that it was the Windows versions that were in the home that were at less risk of attack.

This is true with everything. Newer OS (or OS versions) will always be more secure than their older counterparts. Windows Vista was safer than Windows XP, Windows 7 was safer than Windows Vista, and so on. Windows 10 is considered safer than older Windows versions because it is new; however, it doesn't mean that you shouldn't use an Antivirus, Antimalware, Firewall, etc. on it.

Quote

Personally I think that Windows Defender is doing a good job, and as the advice on the web suggests to use one software protection, I'll go for the latter.

That advice targets Antivirus programs, which is true. However, there is nothing wrong with running Windows Defender (Antivirus) and Malwarebytes (Antimalware) together. A lot of people are doing it and I also recommend everyone to do so.

Also, Malwarebytes won't detect script files (like .hta, .vbs, .js, etc.) but it'll prevent them from being executed and quarantine them if they trigger the Anti-Ransomware or Anti-Exploit module.

Quote

This confirms my opinion that Windows Defender is sufficient.

Once again: Using Windows Defender alone leaves your system weakened when it comes to exploit, ransomware and malware protection, hence why running Malwarebytes alongside it would be a good idea.

No. Dell System Detect is a legitimate program that is preinstalled on Dell computers. The reason why it was flagged as a PUP by Malwarebytes is because older versions of the software are vulnerable to RCE, which leaves your system open to infection, hacks, etc. It didn't multiply, nor did it affect various parts of your system.

How do you explain the presence of HKU\S-1-5-21-4079396374-1713880073-3064916896-1001 in various parts of the computer, as detected by the various screenshots?

If you read my latest post, it uncovers evidence of how Windows Defender detected malware that Malwarebytes could not, as long as you accept that the Trojan is malware.

I am not an expert, and cannot comment on whether this Trojan is like .hta, .vbs, .js, etc., however my opinion is that Windows Defender is sufficient. I would have expected Malwarebytes to have detected this, and it didn't.

This topic is now closed to further replies.