Hello everyone, I have made a links test with CIS 6 beta in VMware Workstation / Windows 7 Enterprise 64-bit, and I found a file in disk C:\ProgramData that is considered malware by Malwarebytes (Trojan.LameShield). After a full scan with CIS this file was not removed, and it is in the unrecognized files of CIS as an unknown file; Malwarebytes found it!
In KillSwitch it appears like this: rating/unknown, restriction/restricted, virtualization/disabled.
I also made a scan of the file itself with the CIS AV and it didn't find anything!
The program pops up saying the PC is infected (fake AV).
I'm not an expert, so forgive me if I'm being ignorant, but I think I should post this! I'm sending snapshots of the VM for you to see! Thank you, and sorry for the mistakes.
No, I did not; I have the VM suspended right now, it is just like it was when I took the snapshots. I could do that, to see what happens, what do you think? I can do that and then tell you the results?
Thanks
Behavioural information
The following is a condensed report of the behaviour of the file when executed in a controlled environment. The actions and events described were either performed by the file itself or by any other process launched by the executed file or subjected to code injection by the executed file.
File system activity
Opened files...
C:\f10e0c0534ac6f68bd46ee95ca071e0b265498945947c4f588a0246a4fd6ea3e (successful)
\\.\PIPE\lsarpc (successful)
C:\Documents and Settings\All Users\Application Data\E523B22D69C1A9C3006CE52345B45386\E523B22D69C1A9C3006CE52345B45386 (failed)
C:\WINDOWS\Registration\R000000000007.clb (successful)
C:\WINDOWS\system32\shdocvw.dll (successful)
C:\WINDOWS\system32\stdole2.tlb (successful)
Read files...
C:\f10e0c0534ac6f68bd46ee95ca071e0b265498945947c4f588a0246a4fd6ea3e (successful)
C:\WINDOWS\Registration\R000000000007.clb (successful)
C:\WINDOWS\system32\shdocvw.dll (successful)
C:\WINDOWS\system32\stdole2.tlb (successful)
Deleted files...
C:\f10e0c0534ac6f68bd46ee95ca071e0b265498945947c4f588a0246a4fd6ea3e (failed)
Registry activity
Set keys...
KEY: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\E523B22D69C1A9C3006CE52345B45386
TYPE: REG_SZ
VALUE: C:\Documents and Settings\All Users\Application Data\E523B22D69C1A9C3006CE52345B45386\E523B22D69C1A9C3006CE52345B45386.exe (successful)
Mutex activity
Created mutexes...
E523B22D69C1A9C3006CE52345B45386 (successful)
Application windows activity
Searched windows...
CLASS: Shell_TrayWnd
NAME: (null)
Runtime DLLs
psapi.dll (successful)
msimg32.dll (successful)
comdlg32.dll (successful)
winhttp.dll (successful)
kernel32 (successful)
user32 (successful)
ntdll.dll (successful)
kernel32.dll (successful)
shlwapi.dll (successful)
advapi32.dll (successful)
userenv.dll (successful)
rpcrt4.dll (successful)
ws2_32 (successful)
c:\windows\system32\mswsock.dll (successful)
hnetcfg.dll (successful)
c:\windows\system32\wshtcpip.dll (successful)
clbcatq.dll (successful)
ole32 (successful)
ole32.dll (successful)
c:\windows\system32\rpcrt4.dll (successful)
sxs.dll (successful)
oleaut32.dll (successful)
comctl32.dll (successful)
riched20.dll (successful)
shell32.dll (successful)
wininet.dll (successful)
secur32.dll (successful)
c:\windows\system32\winhttp.dll (successful)
Additional details
The file sends control codes directly to certain device drivers making use of the DeviceIoControl Windows API function.
Network activity
HTTP requests...
URL: http://175.41.28.156/api/urls/?ts=c8221d46&affid=70300
TYPE: GET
UA: Mozilla/5.0 (compatible; MSIE 6.0; Windows NT 5.1; Trident/5.0);(b:2600;c:INT-7D60;l:09)
TCP connections...
175.41.28.156:80
UDP communications...
<MACHINE_DNS_SERVER>:53
Hello, I have finished making a scan with Cleaning Essentials and it didn't find anything, but Malwarebytes did, and I uploaded the file to VirusTotal and it was considered malware by 3 AV companies. Unfortunately I made a mistake and didn't copy the link (so stupid, sorry for that). Valkyrie from Comodo did recognize it as malware too!
The log file from Malwarebytes after scanning reported that nothing was on critical parts of the PC.
I'm sending screenshots from the VM's image for you to see; the links from VirusTotal and the Valkyrie results I made a mistake and did not save them well! Sorry for that! I think that you can see from the shots that I'm sending, and I also think that CIS protected the system although that file was left behind.
Well, I really don't understand much about this world of security, I'm just a curious person about it!
I apologise for my English mistakes, and if I've been inconvenient please forgive me!
THANK YOU, AND FOR ME CIS FOREVER!
Yes, absolutely, I used Cleaning Essentials as it is in the shots: I opened CIS, clicked Tasks / Advanced Tasks / Clean Endpoint and then made a full system scan, and at the end nothing was found; after a reboot, again nothing was found by Cleaning Essentials.
So all that happened is that the AV does not have a signature for it. That is normal; no AV detects 100% of malware. This is what you are seeing. Just because the file is there does not mean it can do harm to the computer, especially with CIS, which blocks unknown malware.