NOD32 didn't, CounterSpy did - Virtuemonde


stap0510
September 28th, 2008, 06:07 AM
For more than a year now I have seen with my own customers (to which I sell NOD32) that NOD32 still can't protect against, and remove, Virtuemonde malware. Running CounterSpy always did the trick for me, even nowadays, unfortunately, with the release of version 3.0 of NOD32.
Will NOD32 ever be able to remove this kind of malware successfully?

Marcos
September 28th, 2008, 06:34 AM
{QUOTE-> For more than a year now I have seen with my own customers (to which I sell NOD32) that NOD32 still can't protect against, and remove, Virtuemonde malware. Running CounterSpy always did the trick for me, even nowadays, unfortunately, with the release of version 3.0 of NOD32.
Will NOD32 ever be able to remove this kind of malware successfully? <-QUOTE}

Do you mean that NOD32 detected that Virtumonde but couldn't remove it? Virtumonde is quite resistant to removal: it is injected into an already running process and continually checks for its registry records and repairs them if they are removed or altered.

stap0510
September 28th, 2008, 08:03 AM
{QUOTE-> Do you mean that NOD32 detected that Virtumonde but couldn't remove it? Virtumonde is quite resistant to removal: it is injected into an already running process and continually checks for its registry records and repairs them if they are removed or altered. <-QUOTE}


Indeed,
It noticed the infection, but parts of the operating system, Windows XP, had already been changed by it. All this within a couple of seconds, I swear to god.
The automatic update service is now no longer functioning.
When running explorer.exe, the Windows shell, sometimes I get pop-ups and web pages look distorted.
When ending that explorer.exe process it doesn't seem to be active, or it goes dormant.
It somehow works with, or is dependent on, explorer.exe.
Or explorer.exe is changed/corrupted/replaced by a malicious version of it.
Either way, ESET Anti-Virus doesn't notice it as being malicious.
Very nasty indeed.

By the way, it is still on that machine right now, with NOD32 running.
Even after an on-demand in-depth scan with BlackSpear's settings.

The only resolution left now is to re-install Windows >:(

stap0510
September 28th, 2008, 08:21 AM
A little add-on to my story:

Explorer.exe doesn't start automatically anymore... usually.
Within Control Panel very little is possible, because rundll32.exe seems to be missing.
On that latter point, I think rundll32 was infected too and therefore removed by CounterSpy.
EAV cannot be removed in order to re-install it properly after that.

What a mess.

Marcos
September 28th, 2008, 09:05 AM
Please send a log from ESET SysInspector (http://download.eset.com/download/sysinspector/32/ENU/SysInspector.exe) to support[at]eset.com with this thread's URL in the subject.

stap0510
September 28th, 2008, 11:45 AM
{QUOTE-> Please send a log from ESET SysInspector (http://download.eset.com/download/sysinspector/32/ENU/SysInspector.exe) to support[at]eset.com with this thread's URL in the subject. <-QUOTE}


Done.

YeOldeStonecat
September 28th, 2008, 05:49 PM
I have to agree... many of my clients on NOD32... are getting hit.

Yes, yes, the Zlob trojans (the engine behind Virtu) are being VERY aggressive... releasing sometimes several new variants per day. But when the other removal tools I turn to... DO detect and remove it... such as MalwareBytes, SuperAntiSpyware, and even venerable old Spybot S&D... one has to go... "Hmmmmm..."

DooGie
September 29th, 2008, 04:53 PM
{QUOTE-> I have to agree... many of my clients on NOD32... are getting hit.

Yes, yes, the Zlob trojans (the engine behind Virtu) are being VERY aggressive... releasing sometimes several new variants per day. But when the other removal tools I turn to... DO detect and remove it... such as MalwareBytes, SuperAntiSpyware, and even venerable old Spybot S&D... one has to go... "Hmmmmm..." <-QUOTE}

The thing is that NOD32 is not alone in struggling with the current bout of malware variants.
I work for a small engineering company, around 20 workstations. I'm employed as a production controller but also support the IT manager when needed.
For some reason the company has always used Symantec products and can't be persuaded to change.
Last week 2 of the workstations were seriously compromised by a virus. Run was disabled, safe mode was disabled and most applications were disabled. In fact, on one of the machines the only app that would run was Word. HijackThis wouldn't run until renamed.
The Symantec product hadn't even caught a sniff of this virus getting in and let it run riot with nothing detected at all, until the malware downloaded IE Defender, which did get picked up.
The infections were eventually got rid of with a combination of various tools like gmer, SAS, MBAM, file deletion and manual registry cleaning.

Yes, my post has gone a bit off topic, but my point is that a lot of people here are moaning about the current detection rate of NOD32.
Have a read around the various AV forums and the posts are all the same: "Why did my AV not detect this?"

A swings and roundabouts job methinks.

ablatt
September 30th, 2008, 07:47 AM
The fact is, if you read various forums, that MBAM and SAS can detect and remove various infections that NOD32 (and other AVs) cannot.

If NOD32 wants to remain a top-tier respected product, they will ensure that new versions are up-to-speed in this regard.

If SAS and MBAM can do it, why can't NOD32 or any other AV product?

Causes Drowsiness
September 30th, 2008, 09:14 AM
{QUOTE-> The fact is, if you read various forums, that MBAM and SAS can detect and remove various infections that NOD32 (and other AVs) cannot.

If NOD32 wants to remain a top-tier respected product, they will ensure that new versions are up-to-speed in this regard.

If SAS and MBAM can do it, why can't NOD32 or any other AV product? <-QUOTE}

I've had AntiVir catch these infections and remove them. Not sure why NOD32 is having such difficulty lately, especially with a 3.0 product that was supposed to enhance its capabilities.

Marcos
September 30th, 2008, 10:55 AM
{QUOTE-> I've had AntiVir catch these infections and remove them. Not sure why NOD32 is having such difficulty lately, especially with a 3.0 product that was supposed to enhance its capabilities. <-QUOTE}

Please PM me a link to a Virtumonde sample that is recognized by AntiVir or KAV but not by NOD32. I understand that we do not detect 100%, but I think our detection of this malware family is very close to that. If it weren't against the TOS, I would post screenshots from VT here that might be shocking for some.

trjam
September 30th, 2008, 11:11 AM
Do like firebytes did here (http://www.wilderssecurity.com/showpost.php?p=1325299&postcount=15) in this post and you can show us what you are talking about. I would like to see what you are saying, because that would prove it to me.

ronjor
October 16th, 2008, 09:34 PM
Some off topic posts removed.

Send any suspected files to ESET as noted in this post (http://www.wilderssecurity.com/showpost.php?p=1324459&postcount=5).