
Disappointed at NOD32 Failure to ID


Agrajag
May 25th, 2007, 01:10 PM
I just went through 24 hours of hell trying to rid my PC of "Virtumonde".

NOD32 never alerted me to any sort of problem. Nor could it find the problem once I realized I had it or remove the problem.

In fact, I was let down on a few fronts. AdAware didn't spot it. Spyware Doctor spotted it but only got rid of the latest incarnation and not the root. VundoFix did a bit better. It took HijackThis for me to manually find the base problem and remove it on my own.

Why is NOD32 failing to protect and remove this virus?

GAN
May 25th, 2007, 02:48 PM
Actually it's not a virus. It's adware, which can be a pain and hard to remove in some cases, but it's not a virus. A virus is usually more serious and causes more damage, while adware usually doesn't cause damage except by being a pain.

But it's not like you can find an antivirus software able to stop all adware, viruses, worms and other stuff out there. I never read a test where some antivirus software was able to stop absolutely everything. There might be adware, viruses and worms that NOD32 is able to stop and others not, or it could be the other way around. All of them miss something. You could send a mail to ESET support regarding Virtumonde.

Also, what NOD32 detects might depend on your settings. Did you enable Potentially unwanted applications and Potentially unsafe applications?

Agrajag
May 25th, 2007, 02:54 PM
I already sent an e-mail. They're looking into it. I do not agree that a virus is defined by its danger level.

Think of the classic definition. It's a virus regardless of your temperature.

This thing attacked my system. I suspect I'll be seeing the same thing from the other side.... "It's not adware, it's a virus."

GAN
May 25th, 2007, 03:03 PM
Well, it's defined as adware by most others that create antivirus and antispyware software, it seems, but I'm not going into a long discussion of what it is if you disagree.

The behavior of VirtuMonde is this: "Adware.VirtuMonde is an adware program that downloads and displays popup advertisements". I define that as adware and not a virus. A virus, in my opinion, is something that infects your computer trying to do damage.... some very serious and some not serious at all. I don't define it as a virus because of the danger level, but the behavior.

In any case, it's not like NOD32 or any other antivirus is able to stop everything, and maybe ESET defines this as adware as well, like most others. And NOD32 is an antivirus software and not a security suite that includes antispyware and stuff like that, even if it's able to stop some.

But as I said, you should also check your settings. Maybe NOD32 actually is able to stop VirtuMonde if the settings are correct.

webyourbusiness
May 25th, 2007, 03:33 PM
NOD32 would have detected it if both potentially unwanted and potentially unsafe were enabled. Although I'm not sure why it would be missed if heuristics was turned on. Perhaps Aryeh or Marcos can shed a little light.

Agrajag
May 25th, 2007, 03:44 PM
Both were enabled.

webyourbusiness
May 25th, 2007, 04:02 PM
and advanced heuristics?

Agrajag
May 25th, 2007, 04:07 PM
AMON under Options tab has every box checked including Advanced Heuristics.

That's why I'm not exactly thrilled. I know this is adware-related but it behaves like a virus and, as such, I believe NOD32 should spot this attack and nail it.

There's an option there for Adware/Spyware/Riskware. If it's of no use, what's the point? I recall a big deal being made about this some time ago as a reason to continue on. I did my share and I continue to be a fan. I just think this case is a poor one.

The Hammer
May 25th, 2007, 04:33 PM
Agrajag I hope you also posted at the forums of the other security programs you use and not just here. If anything like this ever happens again could you send the sample to Eset?

Agrajag
May 25th, 2007, 04:38 PM
Hammer, I'm not sure what to make of your post. I have indeed posted to the other vendors but that has nothing to do with the post here. What these other vendors do is irrelevant to the conversation here.

What purpose does your post serve? Does it provide me with more information regarding my post? Does it provide me more information about eset? Does it provide anyone here more information about anything? The only purpose I see to your post is to stamp a big, "I love NOD32" sticker on your chest. That doesn't help me or address this issue.

I pay ESET for a service they claim to be the best at. I'm pointing out, as a paying customer (and a pretty happy one that buys and installs their product at dozens of other locations), that I am simply disappointed that NOD32 completely missed something pretty significant in my view. I also e-mailed them on this.

The Hammer
May 25th, 2007, 04:42 PM
{QUOTE-> Hammer, I'm not sure what to make of your post. I have indeed posted to the other vendors but that has nothing to do with the post here. What these other vendors do is irrelevant to the conversation here.

What purpose does your post serve? Does it provide me with more information regarding my post? Does it provide me more information about eset? Does it provide anyone here more information about anything? The only purpose I see to your post is to stamp a big, "I love NOD32" sticker on your chest. That doesn't help me or address this issue. <-QUOTE}
What it has to do with is the fact that you're using a multi-layer approach, which is good, and everyone from AdAware to Spyware Doctor wants to improve their products. That's all. Just scanning the posts of various AV vendors tells me everyone will disappoint at some time.

tsilo
May 25th, 2007, 05:48 PM
When I was using NOD32 I also had problems with Virtumonde. NOD32 detected only part of them, while the second part stayed on my computer. It's ESET's problem; they must add a large number of Virtumonde variants to the signatures.

Agrajag
May 25th, 2007, 05:51 PM
Thanks. That's all I was pointing out and hoping for.

Blackspear
May 25th, 2007, 08:41 PM
Hi Agrajag, welcome to Wilders.

Virtumonde is updated multiple times a day in order to avoid detection; it is also tested at www.virustotal.com in order to see if any software is picking up the new variant. This is a continual cat and mouse game and has been discussed at length in This Thread (http://www.wilderssecurity.com/showthread.php?p=961668&highlight=Virtumonde#post961668), which includes commentary by TonyKlein (http://www.wilderssecurity.com/member.php?u=757).

Cheers ;D

Xenophobe
May 26th, 2007, 06:04 AM
{QUOTE-> I already sent an e-mail. They're looking into it. I do not agree that a virus is defined by its danger level.

Think of the classic definition. It's a virus regardless of your temperature.

This think attacked my system. I suspect I'll be seeing the same thing from the other side.... "It's not adware, it's a virus." <-QUOTE}
Well, as you probably know the definition of viruses in biology terms...
A computer virus will reproduce itself, infect other files and computers, etc.

So, if anything attacked your system that doesn't automatically make it a virus.

Agrajag
May 26th, 2007, 06:11 AM
As this one does reproduce itself it continues to work like a virus.

Blackspear
May 26th, 2007, 06:14 AM
{QUOTE-> As this one does reproduce itself it continues to work like a virus. <-QUOTE}
No, it doesn't; the authors continually change it to avoid detection, it does not self-replicate.

Blackspear.

ablatt
May 26th, 2007, 06:49 AM
The fact is that Virtumonde is an annoying and not that unpopular infection.

If NOD32 can't detect and remove the variation you have, and Symantec or Kaspersky can, then it reflects badly on Eset.

The fact is that NOD32 is slipping in detection rates in the large recognized tests recently, and that is not a good thing.

I have used NOD32 for a couple of years because it is light and unobtrusive on my PC, but I will have to look elsewhere if it consistently provides 10% less detection than other popular free and paid antivirus products in tests. I hope version 3 is better.

Londonbeat
May 26th, 2007, 07:26 AM
{QUOTE-> The fact is that Virtumonde is an annoying and not that unpopular infection.

If NOD32 can't detect and remove the variation you have, and Symantec or Kaspersky can, then it reflects badly on Eset.
<-QUOTE}

With regards to vundo/virtumonde, new variants are released more than daily; when released, the authors make sure no antivirus detects it, including the AVs you've mentioned. Within a couple of hours, another variant (again usually undetected by all) will be released. As Blackspear said, it's a cat and mouse game; sometimes NOD gets the updates in quicker than the AVs you mentioned, and sometimes other AVs are quicker. But initially all AVs usually miss a new variant, as the authors tweak them (using virustotal etc. to check) until they are undetected by nearly all AVs. It's the same with the zlob trojans. I'm not disagreeing with your other statements about overall detection, but I don't think you can measure the effectiveness of any AV with vundo/zlobs, as they all miss new variants every day.

Londonbeat

Marcos
May 26th, 2007, 11:07 AM
Malware authors who are paid for their "job" can develop new variants which are undetected even less than 1 hour after detection for the previous variant was added. With the assistance of ESET's support you will be able to remove Virtumonde if you happen to get infected for whatever reason.

prius04
May 26th, 2007, 02:38 PM
{QUOTE-> ...If NOD32 can't detect and remove the variation you have, and Symantec or Kaspersky can, then it reflects badly on Eset... <-QUOTE}
Visit a few of the other AV support fora and look through the threads. I did, in fact, and discovered NOD32 is not the only AV that has a problem detecting and/or removing one (or more) of this one's variants. I saw several posts by support personnel recommending the use of HijackThis and other solutions.

tsilo
May 26th, 2007, 03:56 PM
If you are searching for an AV that detects all variants of Virtumonde you must switch to another AV; if you want to know which one, PM me and I will tell you :)

ASpace
May 26th, 2007, 04:11 PM
{QUOTE-> if you want to know which one <-QUOTE}

100% guarantee there is no such creature!

I will give you whatever you want if you give me an antivirus with 100% detection rate of malware incl. Vundo/Virtumonde

Firecat
May 26th, 2007, 04:14 PM
{QUOTE->
I will give you whatever you want if you give me an antivirus with 100% detection rate of malware incl. Vundo/Virtumonde <-QUOTE}

That ought to make some developers in the AV industry work all the harder to get that magic 100% number :P ;D

Cheers guys, just trying to lighten up the thread a little. Regarding Virtumonde, no AV detects all variants of it. Some AVs with rapid updates are able to provide protection quicker, but no one will provide fool-proof protection, except those who have good behaviour blocker systems. And even that is not 100% fool-proof (but yeah, sometimes it can come pretty darn close :P). :)

The Hammer
May 26th, 2007, 04:46 PM
{QUOTE-> If you are searching for an AV that detects all variants of Virtumonde you must switch to another AV; if you want to know which one, PM me and I will tell you :) <-QUOTE}
Don't hide behind PMs. Tell us all and thus start the stampede to this miracle worker product. I guarantee you will get people from all the major vendors buying. :P

Marcos
May 26th, 2007, 05:43 PM
{QUOTE-> Regarding virtumonde, no AV detects all variants of it. Some AVs with Rapid updates are able to provide protection quicker, but no one will provide fool proof protection, except those who are having good behaviour blocker systems. <-QUOTE}

Firecat is right, just ask someone who receives samples from VT, there are variants that are usually detected by one particular AV, but this AV still misses variants detected by others. Virtumonde cannot be dealt with using standard signatures, otherwise you'd end up with zillions of Virtumonde signatures added that still miss zillions of other threats. Don't worry about this, we're on the ball but as I have said, Virtumonde requires a completely different approach.

tsilo
May 27th, 2007, 07:52 AM
Of course I don't guarantee 100% detection of Virtumonde, but if you use AntiVir I can guarantee that even if you get infected with a still-undetected variant of Virtumonde, updates will be released so quickly that you will not notice it. When I was using NOD32 I was waiting for weekends for signatures to be released for the viruses I sent to ESET :-\

prius04
May 27th, 2007, 03:33 PM
{QUOTE-> ...if you use AntiVir I can guarantee that even if you get infected with a still-undetected variant of Virtumonde, updates will be released so quickly that you will not notice it... <-QUOTE}
I can guarantee that you will find posts on the support forum for the product you mentioned, from users of the AV, regarding the malware that is the subject of this thread *and* that users did, indeed, 'notice that'. Sorry to say it doesn't appear to be the panacea you claim it to be.

tsilo
May 27th, 2007, 04:49 PM
http://forum.antivir.de/board.php?boardid=18

Well... can you find such posts there? ::)
And why post on the forum about undetected viruses, when you can submit them to Avira and within a maximum of 24 hours they will answer you whether the sample is a virus or not and, if it is, when they will add it to the signatures?

prius04
May 27th, 2007, 04:58 PM
Do a search on that board using "Vundo" as the search word and you'll find several posts, including one where a user eventually re-formatted.

tsilo
May 27th, 2007, 05:02 PM
{QUOTE-> Do a search on that board using "Vundo" as the search word and you'll find several posts, including one where a user eventually re-formatted. <-QUOTE}

If a user reformatted because of Vundo, it's his or her problem ;D. Vundo can't damage a system that way :)

The Hammer
May 27th, 2007, 05:03 PM
{QUOTE-> http://forum.antivir.de/board.php?boardid=18

Well... can you find such posts there? ::)
And why post on the forum about undetected viruses, when you can submit them to Avira and within a maximum of 24 hours they will answer you whether the sample is a virus or not and, if it is, when they will add it to the signatures? <-QUOTE}
I found HijackThis logs concerning Virtumonde on the forum and that tells me all I need to know. I don't speak or read German, but the sheer volume of posts tells me it's not all good news, so take off the rose-coloured glasses and don't go away mad. Just.... ;)

tsilo
May 27th, 2007, 05:11 PM
Trust me, this product detects much more Vundo or Virtumonde (and not only this virus) than NOD32. I say that not because I don't like NOD32, but because I want ESET to add more signatures to the database! :dry:

Londonbeat
May 27th, 2007, 05:14 PM
{QUOTE-> but if you use AntiVir I can guarantee that even if you get infected with a still-undetected variant of Virtumonde, updates will be released so quickly that you will not notice it, <-QUOTE}

tsilo,

Your AV can only really protect you from Vundo if the real-time guard stops it before it gets the chance to infect your PC; as already stated in this thread, none of the AVs detect all new versions of Vundo. If you are already infected with Vundo, you usually need a special procedure using dedicated tools like those described here (http://wiki.castlecops.com/Malware_Removal:_Virtumundo), which support[at]eset.com would help you with, if you were infected.

Simply adding a signature will probably not help you much if you're already infected with vundo.

tsilo
May 27th, 2007, 05:30 PM
I am not infected with Vundo :)
I like NOD32 and want the daily updates to contain more signatures than usual.

prius04
May 27th, 2007, 05:37 PM
{QUOTE-> ...I like NOD32 and want the daily updates to contain more signatures than usual. <-QUOTE}
Can I ask why? Although you stated that you like NOD32, it appears that you use another AV. How would more daily updates from ESET benefit you considering the fact that you don't use their product?

As an aside, from what I'm seeing in NOD32, there have been slightly more than 60 updates since the end of April.

squishyalt
May 27th, 2007, 05:57 PM
Let's just start a pot and raise a few bucks to have these virus writers rubbed out.

Marcos
May 28th, 2007, 02:28 AM
{QUOTE-> I like NOD32 and want the daily updates to contain more signatures than usual. <-QUOTE}

:o More signatures in an update do not automatically mean better detection. Instead of adding, let's say 10 signatures for Virtumonde, you can improve the heuristics so that it catches zillions of other variants. Virtumonde is not a good example for signature detection. You add 10 signatures and 1000 of new undetected variants will be created in a while.

tsilo
May 28th, 2007, 04:50 AM
In fact, according to tests Avira has better detection; I think it's because they often add 1500 or more signatures per day, which compared to the signatures added by ESET is a very large number. If more signatures doesn't mean better detection, then why does Avira detect better? I know ESET's heuristics are equal to, if not better than, Avira's.

And Marcos, please read these posts http://www.wilderssecurity.com/showthread.php?t=174136&page=4 post #94; I think your opinion (or someone's from ESET) about what I said about NOD32's great heuristics would be good ;)

Firecat
May 28th, 2007, 06:14 PM
{QUOTE-> In fact, according to tests Avira has better detection; I think it's because they often add 1500 or more signatures per day, <-QUOTE}

No. One can add one signature that detects 10 variants, while another can add 10 different signatures to cover those ten variants. Also the signature detection counting method may differ from vendor to vendor. Number of signatures cannot be taken as representative of detection rates of an AV.

{QUOTE-> If more signatures doesn't mean better detection, then why does Avira detect better? <-QUOTE}

Avira detects better not because of adding more signatures but simply because they work hard and find/add more malware. There is nothing more to it. Going by this analogy, Rising adds around 2000 signatures a day, but does that mean its better than Avira? ;)
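Marcos's point above (ten Virtumonde signatures are outrun by a thousand fresh variants, so a generic or heuristic route is needed) and Firecat's (one signature can cover ten variants, so signature counts say nothing about detection) can be made concrete. The following is an added example, not code from this thread, from ESET or from any vendor. The "loader stub", trailer, payload layout and signature formats are all constructed for illustration and do not describe the real Vundo/Virtumonde binaries; the evasive variant at the end stands in for the cat-and-mouse tweaking Blackspear and Londonbeat describe.

```python
"""Signature count vs. detection: added illustration, not code from this thread.

Constructed toy "variants" stand in for Vundo-style releases that keep a
small fixed loader skeleton but carry re-rolled payload bytes.  Nothing
here describes the real Virtumonde layout; all byte values are invented.
"""
import hashlib
import re

# Constructed 8-byte "loader stub" and 2-byte trailer shared by every variant.
# (Invented values; they only need to stay fixed across variants.)
STUB = b"\x55\x8b\xec\x83\xec\x10\x33\xc0"
TRAILER = b"\xc9\xc3"
PAYLOAD_LEN = 12

# A constructed benign file that should match nothing.
BENIGN = b"MZ\x90\x00" + b"\x00" * 20


def make_variant(seed: int) -> bytes:
    """Build a pseudo-variant: fixed stub, seed-derived payload, fixed trailer."""
    payload = hashlib.sha256(seed.to_bytes(4, "little")).digest()[:PAYLOAD_LEN]
    return STUB + payload + TRAILER


def make_evasive_variant(seed: int) -> bytes:
    """Same variant, but the author re-encoded one stub instruction
    (xor eax,eax as 31 c0 instead of 33 c0) after seeing a detection."""
    sample = make_variant(seed)
    return sample[:6] + b"\x31\xc0" + sample[8:]


# --- Approach 1: one exact-hash signature per known sample -------------------
def build_hash_db(known_samples):
    """Each entry is one 'signature' that covers exactly one file."""
    return {hashlib.sha256(s).hexdigest() for s in known_samples}


def hash_detect(db, sample: bytes) -> bool:
    return hashlib.sha256(sample).hexdigest() in db


# --- Approach 2: one generic pattern with a wildcard over the variable part --
# Fixed stub, any PAYLOAD_LEN bytes, fixed trailer: a single signature.
GENERIC_SIG = re.compile(
    re.escape(STUB) + b".{%d}" % PAYLOAD_LEN + re.escape(TRAILER), re.DOTALL
)


def generic_detect(sample: bytes) -> bool:
    return GENERIC_SIG.search(sample) is not None


def coverage(detector, samples) -> int:
    """Number of samples the detector flags."""
    return sum(1 for s in samples if detector(s))


def run_comparison() -> dict:
    known = [make_variant(i) for i in range(10)]       # samples the lab has seen
    unseen = [make_variant(i) for i in range(10, 20)]  # next releases, not yet submitted
    db = build_hash_db(known)
    return {
        "hash_signatures": len(db),
        "hash_known": coverage(lambda s: hash_detect(db, s), known),
        "hash_unseen": coverage(lambda s: hash_detect(db, s), unseen),
        "generic_signatures": 1,
        "generic_known": coverage(generic_detect, known),
        "generic_unseen": coverage(generic_detect, unseen),
        # The cat-and-mouse point: a one-byte re-encoding defeats the pattern too.
        "generic_evasive": generic_detect(make_evasive_variant(20)),
        "generic_benign": generic_detect(BENIGN),
    }


if __name__ == "__main__":
    for key, value in run_comparison().items():
        print(f"{key:20} {value}")
```

Ten per-file hash signatures cover the ten known samples and none of the ten unseen ones, while the single wildcard pattern covers all twenty, so a vendor shipping "1 signature" here outperforms one shipping "10". The pattern is only a stand-in for whatever generic or heuristic detection a vendor really uses, and the evasive variant shows its limit: once the author changes a byte inside the fixed part, the generic rule misses as well, which is why a real-time block or a broader behavioural check matters more than the daily signature count.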

tsilo
May 29th, 2007, 12:41 PM
When I say more signatures I mean signatures for more viruses :)
I know a large number of signatures doesn't mean better detection.

Detox
May 29th, 2007, 11:36 PM
{QUOTE-> When I say more signatures I mean signatures for more viruses :)
I know a large number of signatures doesn't mean better detection. <-QUOTE}

Now, to be honest - you don't really make sense at this point. Regardless, let us please try to keep in mind that this forum section is indeed the NOD32 support section - comparisons etc can freely be discussed in the "Other AVs" section of Wilders.

wiak
May 30th, 2007, 12:52 AM
adware/spyware/hijackware = gets you annoyed by spam etc. and a slower PC, and installs and makes your Internet Explorer messy, spammy and slow!

virus = bad, it can completely delete files, infect files, make the OS unbootable etc.

Blackspear
May 30th, 2007, 05:16 AM
One post removed as per our policy noted HERE (http://www.wilderssecurity.com/showthread.php?t=180057)

Blackspear.