How did they slip past AVAST?


  1. Posts : 730
    Windows XP Pro SP3, Windows 7 Pro 32-bit, Windows 7 Ultimate 64bit, Windows XP Home SP3
       #1

    How did they slip past AVAST?


    I'm looking at the worst case of infection I've seen in 3 years - basically it is a nuke/redo.
    This is a lightly-loaded and lightly-used PC; it has little on it other than wildlife photos from a hunting ranch, a few programs like those for a Garmin GPS and Adobe Reader, etc., and Outlook [may be the path?].

    This thing has a zw java exploit rootkit of some variant, along with several trojan droppers, ransomware, and other things I'm sure I haven't found yet. The top layers were easy to disarm, but the rootkit[s] at bottom eluded both the popular TDSSKiller and Malwarebytes' later entry into the rootkit find/disarm game - both came up clean, and so did routine AVAST scans, although the full scan of the latter noted some password-protected JavaScript files that would seem to be innocuous, but I don't trust them given the primary exploit. Microsoft's aging Rootkit Revealer found a number of problems - quite a list. And Trend Micro's beta RootkitBuster found a couple of dozen entries that it could not deal with [log: "unable to fix"].

    QUESTIONS: what do you think was the door-opener? The machine did have old Java 6 - I believe the updates were through 24 or 25.
    HOW did it slip past AVAST, which was a full install, updated/latest, with all scanners running, including the mail scanner???
    The user's primary browser has been Chrome, at my suggestion! Not IE very much, other than one or two cranky secure sites that don't play nice with Chrome.

    sign me baffled... bewildered. My guess, based on some comments by the user, is that this all started with a mail attachment from "a friend", later finding out that the friend's email account had been hijacked. How many times do we have to tell people: DO NOT CLICK.


  2. Posts : 10,994
    Win 7 Pro 64-bit
       #2

    My usual disclaimer: I'm not an expert at anything! :)

    If I had to take a guess I'd say that Java 6 is a likely candidate. Back in January (and for the next few months if I remember correctly) Java 6 and the first few releases of Java 7 were being exploited big time. Seemed like new releases were coming out weekly.

    This vulnerability was mainly being exploited by exploit packs, which are crimeware tools made to be stitched into Web sites so that when visitors come to the site with vulnerable/outdated browser plugins (like this Java bug), the site can silently install malware on the visitor’s PC. Exploit packs can be just as easily inserted into legitimate, hacked Web sites as they can be stitched into porn sites. All it takes is for the attackers to be able to insert one line of code into a compromised Web site.
    Source

    Additional Source

    Most, if not all, of the consumer security experts who post on this Forum agree that no anti-malware program will be 100% effective 100% of the time. If there was such a product we'd all be using it. Avast is a well respected product but it's not infallible. If Java was the open door that let the malware in, it's possible that whoever coded the malware was familiar enough with all the major anti-malware products to get past any of them. And your guess that a friend's hijacked email account may have played a part in all of this is equally possible.

    Once a computer is infected I don't think I could ever be 100% sure that something wasn't left behind ... no matter how many scans I run that come back clean. For that reason I have several system images available so I can restore a known clean copy of everything on the hard drive in less than an hour. As compared to doing a clean install that can take many hours (or days) to get everything tweaked back to the way it was.


  3. Posts : 730
    Windows XP Pro SP3, Windows 7 Pro 32-bit, Windows 7 Ultimate 64bit, Windows XP Home SP3
    Thread Starter
       #3

    Certainly is a good summary. The Java exploit was certainly there: I've run so many tools I forget which one identified it, but it was early on in the cleanup.
    I finally bailed and am reinstalling the OS from scratch. There was just too much core damage done - unnecessary chances for an issue.

    I was mainly hoping to learn enough to help people avoid such in the future. I guess the anti-mal business is like the so-called Terror war: the preventors must be right 100% of the time - a real "iron dome" on all/every level. The bad guys get to pick their battle ... cherry-pick in fact.


  4. Posts : 10,994
    Win 7 Pro 64-bit
       #4

    I guess the anti-mal business is like the so-called Terror war: the preventors must be right 100% of the time - a real "iron dome" on all/every level. the bad guys get to pick their battle ... cherry-pick in fact
    Very well said.


  5. Posts : 25,847
    Windows 10 Pro. 64/ version 1709 Windows 7 Pro/64
       #5

    Just a thought.
    I would check what programs you use and see if they even need Java.
    Many systems don't need Java and don't install it. If you do need Java I would check for updates daily.
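    One way to act on the advice above, as an added example that is not part of the thread: a PowerShell inventory script for a Windows PC that lists every registered Java runtime, flags any older than a version you choose, and shows which running processes have actually loaded a JVM (if none do over a few days of normal use, the runtime is probably just attack surface). It reads the standard per-machine Uninstall registry keys; the `$MinimumAcceptable` value is a placeholder that you set to the latest release you trust, not a figure from the thread.

```powershell
# Added example (not from the thread): inventory Java runtimes on a Windows box.
# Assumptions: JREs are registered under the standard Uninstall keys below, and
# $MinimumAcceptable is a placeholder you update to the current patched release.

$MinimumAcceptable = [version]'7.0.0.0'   # placeholder: set to the newest release you trust

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Entries look like "Java(TM) 6 Update 24" or "Java 7 Update 25"; skip "Java Auto Updater".
$javaInstalls = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -match '^Java(\(TM\))?\s+\d' } |
    Select-Object DisplayName, DisplayVersion, InstallLocation

if (-not $javaInstalls) {
    Write-Output 'No Java runtime registered. Nothing to patch; consider keeping it that way.'
    return
}

foreach ($j in $javaInstalls) {
    # DisplayVersion is normally "6.0.240"-style, which System.Version can parse.
    $ver = $null
    [void][version]::TryParse($j.DisplayVersion, [ref]$ver)
    $status = if ($ver -and $ver -ge $MinimumAcceptable) { 'OK' } else { 'OUTDATED - update or remove' }
    '{0,-40} {1,-12} {2}' -f $j.DisplayName, $j.DisplayVersion, $status
}

# Processes that have jvm.dll loaded right now. Module enumeration can be
# denied for protected processes, so treat an access error as "not loaded".
Write-Output ''
Write-Output 'Processes currently running a JVM:'
Get-Process -ErrorAction SilentlyContinue |
    Where-Object { try { $_.Modules.ModuleName -contains 'jvm.dll' } catch { $false } } |
    Select-Object ProcessName, Id -Unique
```

    Run it from an elevated PowerShell prompt so the 64-bit and 32-bit Uninstall hives and other users' processes are all visible; an empty process list combined with an OUTDATED entry is the case where uninstalling Java outright is the simplest fix.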


  7. Posts : 9,600
    Win 7 Ultimate 64 bit
       #7

    I'm still amazed by the number of people who still recommend MSE. It consistently rates lower on AV reviews than most of the other free AVs with the exception of McAfee (that one stays close to the bottom of all reviews). MSE's claim to fame is its light footprint, ease of setup, few or no popups, and ease of use.

    The light footprint is a moot point anymore since most systems today can handle the "heavier" AVs, including resource hogs like Norton.

    Setup takes place only once so ease of setup shouldn't be a criterion for choosing an AV unless it is really obtuse.

    Most free AVs, such as Avast, can be set to have few or no popups. Some popups are desirable, such as notification that a nasty has been blocked, but one can set them however they want.

    Most free AVs are just as easy to use as MSE, in some cases, easier.


  8. Posts : 10,994
    Win 7 Pro 64-bit
       #8

    Just a general observation and I'm not directing my opinion at anyone. The choice of AV product is very subjective. Maybe someone's teacher, parent, friend, etc recommended something and that's why it's being used. Maybe someone has had good results (no infections) and continues to use a particular product regardless of where it ranks in a review. And maybe a highly rated product just doesn't play nice on someone's machine whereas a lower rated product does. FWIW, I believe that using something is better than using nothing at all.

    Now ...


  9.    #9

    Lady Fitzgerald said:
    I'm still amazed by the number of people who still recommend MSE. It consistently rates lower on AV reviews than most of the other free AVs with the exception of McAfee (that one stays close to the bottom of all reviews). MSE's claim to fame is its light footprint, ease of setup, few or no popups, and ease of use.

    The light footprint is a moot point anymore since most systems today can handle the "heavier" AVs, including resource hogs like Norton.

    Setup takes place only once so ease of setup shouldn't be a criterion for choosing an AV unless it is really obtuse.

    Most free AVs, such as Avast, can be set to have few or no popups. Some popups are desirable, such as notification that a nasty has been blocked, but one can set them however they want.

    Most free AVs are just as easy to use as MSE, in some cases, easier.
    I've seen avast! cause so many BSODs, and I never really trust reviews at all; the authors are usually paid by companies to give good reviews about their products. The experiences of actual users are what count.

    Sorry for taking this thread slightly off topic


  10. Posts : 9,600
    Win 7 Ultimate 64 bit
       #10

    OK, I've never had a BSOD caused by Avast. The only problems I've had with Avast was the current version would disable IE10 (I just rolled back to the previous version to fix that) and the Web Rep tool was causing IE 10 to crash frequently, probably because it was clashing with WOT. Since I prefer WOT, I just disabled the Web Rep tool. Those are nothing compared to the problems I had with MSE.


Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd