non admin User downloaded a zip file, and scanned it with MSE. While MSE didnt alert (strangely) it did in fact detect a trojan in the zip file and it was supposedly removed.
After the scan the user preceded to unzip the supposedly now clean zip file. This triggered some kind of malware that killed MSE, User immediatly took remediatory action.
Now, it appears to me that one of several possibilities existed... here are my thoughts:
original trojan was easily detected, was this intentional, perhaps luring the target into a false sense of security?
traditionally trojans drop files, or provide access through which further comprimise can occur. There have been no indicators of further comprimise, what am I missing?
What caused MSE to be killed? I know that commands can be executed to kill AV, but they generally require Admin or SYSTEM privlidges, user was un-privlidged. I thought maybe some sort of client side exploit to gain privlidges. I'm just not sure.
Finally, the user immediatly pulled the network cable, scanned the computer in safe mode, and regular mode with up to date scanners (3) and nothing else was detected, but can we trust this? outside of MSE which was originally killed, the other software installed at the time did not stop or detect an attack. In addition the user ran a networksniffer, and did not detect any malicious traffic after the comprimise...