Problems with NOD or viruses? Try this first

This is an amalgam of other people's fixes for common NOD32 problems. Please try these (in order) before asking for further help. Also see the NOTES section at the bottom.
I will update this as required.

With thanks to Blackspear, xTiNcTion and others for their suggestions etc.

If you are having problems with NOD:

Not being able to get rid of an infection
Doing odd things
Or want help in setting it up for maximum protection

...then follow the following procedure.

1. If you have NOD already installed then uninstall it, remove the registry keys (HKLM/Software/ESET), reboot and delete the entire ESET directory under 'Program Files'

2. Download NOD32 installer (from Eset website).

3. De-compress the installer. (In Windows XP, right click on NOD32 installer and choose "Extract files..." - put the content on a new folder. You could use any other unzip tool, like 7-zip or winzip).

4. In that folder, unzip nod32config_en.zip (2.2 kb) containing: config.xml and install.bat These files are created and hosted by Computalleres de Nicaragua - a NOD32 Reseller.

5. Double-click on install.bat to begin the installation process... wait for the installer to finish. System will restart automatically.

6. Enter your username and password for NOD and update it.

7. Download and install SuperAntispyware, Lavasoft's Adaware and (preferably) Microsoft's Windows Defender (legitimate copy of XP required. Also requires Validation.)

8. Update all antispyware programs fully.

9. Turn off system restore.

10. Download and run Winsock Repair. You will then need to restart your computer in safe mode.

11. Run SuperAntispyware, Adaware and Windows Defender in full scan mode and let them remove anything it finds.

12. In Windows Defender, click on the Tools icon, then Spynet Community and choose 'Join Community' option. You will then be warned in the future if any programs try to add themselves to the startup groups, change IE setting etc

13. Run NOD32 and let it remove anything it finds. (NOD Control Centre will not run in safe mode. User 'Start/Programs/ESET/NOD32)

14. Restart computer normally.

15. Turn on system restore.

16. Do a Windows Update and install all updates and security patches. Ensure you have a firewall turned on.

17. Hopefully, your PC will now be a much better, more stable beast!



NOTES

Error scanning MBR of disks? More than likely you have slots for CF cards etc on your pc.

Colour coding during scan - Blue: Files locked by Windows (clean), Red: Infected file, not yet dealt with, Brown: Infected file deleted/cleaned

If you have Threatsense enabled (already done if you've followed the above setup instructions) then any unknown samples will be automatically submitted to ESET for further investigation or you can do this manually be emailing it to samples at eset.com

In a Windows server enviroment IMON should be disabled on the server only.

 

Windows Defender is *buggy* BETA , not recommended for any non-pc professional user .

While MS Antispyware beta 1 (the Giant code) was excellent one , Windows Defender (the so called beta 2) is ^unpolished^ product (brand-new MS code)

 

I actually like Windows Defender..have several hundred installs of it running out there. While I do feel they took some of the "roll your sleeves up repair" ability out of the Giant product...it still have proven to me to show good real time protection.

I'm quite wary of SuperAntispyware....something about it still makes me raise an eyebrow of caution.

My usual bag of tricks for cleaning infected rigs...that I keep on my USB thumb drive
Spybot
Adaware
Ewido trial
CCleaner
And my head....a good visual based on experience, windows explorer, and regedit.

 

So was I till a couple of weeks ago when a customer got clobbered by spy falcon. It was the only product I found that got rid of it completely. I'm still trialling it but so far I have no complaints about it... yet!

Also feel the same about Windows Defender - good product but they (MS) removed some of the 'guts' of it.

 

Yeah..the System Explorer tools got stripped down a bit....used to have a few more feature there to allow you to reset. BHOs, Explorer reset to defaults, etc.

SpyFalcon..yeah there's another one that's as much of a pain as SpySheriff and other SmitFraud variants. There's a few special "spy falcon" removal tools out there..carry those on my thumb drive with some others specialized tools and the usual goodies.

 

SuperAntispyware, tried a quick review~Not sure where it really stands in the grand scheme of things as yet, but on an uninstall it was a total mess to get rid of. That seems incongruent with a well written progo, ya think!

Perhaps.

 

I have to agree. I tried it on a client's machine, and it was extremely difficult to uninstall. I certainly would not recommend it. If it had an online scan, I might use that.

 

Hello - what issues did you experience on uninstall? SUPERAntiSpyware is designed to remove all it's components, folders and files on uninstall. Did you reboot after the uninstall? If not, the in-use components would remain on the system.

Nick Skrepetos
SUPERAntiSpyware.com
http://www.superantispyware.com

 

Deserving of 'Sticky' status

 

Really strange statement. I remove SpyFalcon from people's computers almost every week . I have always used the combination between SpyBot S&D , Ad-Aware SE Personal and NOD32 to fully remove SpyFalcon and Smithfraud family .

I first clean people's PC from unused software , then I run SpyBot S&D in Safe Mode (with System Restore off) , then I run Ad-Aware SE in Safe Mode . Clean (delete) and Then I boot in Normal Mode and the SpyFalcon is gone .

I then install NOD32 (trial) , update and confige it and do a full scan (maximum level protection ) and it finds some files of Smithfraud family and easily deletes them .

Then , I restart , turn System restore ON and NO MORE SPYFALCON

This is ... For nasty stuff , I aslo use Unlocker , HiJackThis and sometimes but rarely Kaspersky or Panda , and NOD32 ,of course ...

 

NOD doesn't get 100% of smitfraud (I don't think any AV does...nor do most detect it...NOD detects some files)...there's still a few that doing by hand, or using some custom tools like smitrem, need to be done.

 

yes , but the combination of SpyBot S&D , Ad-Aware SE and NOD32 (plus manual delete of some files) can definitely kill SpyFalcon and Smithfraud stuff

 

And this combination was needed today..just ran across a new SmitFraud C variant... On a NOD protected network, they also had Spybot updated and immunized, SpywareBlaster, Adaware. End user couldn't squash it. I went in..CCleaner, even through Ewido on for a quick scan...was still stuck there..nobody touched it. Ended up cleaning it manually.... w01a1231.dll in the system32..plus loading in the Registry HKLM Run.

 

This intrigued me so....

Created one virtual pc, infect it with SpyFalcon, Smitfraud, spyaxe, mediapipe, smileycentral, kazaa, registry cleaner, winfixer2006 and everything else that they installed.

Duplicate said virtual pc 6 times

Ran one of each program (Adaware, Spybot, win defender, superantispyware, NOD and KAV) on the virtual pc's and check the results.

Spybot did really badly, SAS was best (the only one to find mediapipe ) and even NOD did well considering it is mainly an antivirus program

KAV? I just gave up on it. It obviously doesnt like running on a virtual pc ....


Yeah NOD!

 

I think Spybot found 14x items of SpyFalcon the other day for me. What I use those tools for anyways...they're good to remove some stuff...but once it's done with its scan...take a peek at the results. If I see any of the "big bad guys"...I know to take things into account manually. I don't think any one program can take out any of the big bad guys by themselves...or even a combination of them together. Just from experience...clean with them...and check out the results of what they found. If you sees any of the heavyweights of adware...take notes...and go about downloading the specific removal tools..and how to clean them up by hand.

 

NOD32 should detect these "badware" files via ThreatSense without needing to update, personally I've seen a lot of downloaders detected as a variant of WinFixer. After I intentionally infected my testing computer with Winfixer, Winantivirus, ErrorSafe and other suchlike baddies, NOD32 was able to detect all exe/dll files important for proper program functioning and removed them. Of course, it will not remove all registry and benign files bundled with the program, but it make the baddies non-functional at least (e.g. an updater won't be of use without the main program).

 

Indeed.
The sooner we stop suggesting other apps to detect and clean with the better. If anybody does find something that another program detects that NOD32 appears to miss, try submitting it via Quarantine-->Submit for analysis.

Cheers

 

Why? It's not a knock on NOD32...but I'm not about to let my client remain infected and walk away. They'll be calling me the next morning when they reboot and it begins to load up again. My point is..some of these buggers are real persistant...and I don't trust any single application...I hardly trust even a whole bagfull of applications....I have the most trust in manual removal based on my experience and researching specific removal tools.

A couple of days ago I saw a new Smitfraud C variant keep trying to fire up, IMON would jump up every_single_time you'd reboot the PC. It was nearing 5pm, this law firm client was closing...bottom line is...I wanted to go home and cook dinner...and not have my cell phone ring the next day. IMO, so as to avoid repeated complaints from this client, I had to reach into my bag of tricks, and then some, to squash it.

It's not a knock on NOD, sure I'd love for it to bag all of the ad/spyware out there...but I can't expect it or any AV for that matter to keep up with all of them by themselves. It's still my fave AV, and as a reseller I'll continue to pump out several grand a months worth of it.

 

That's great and my experiences have been similar. As a second resort you turned to another product to help identify the source, but when it was identified, did you submit it?

And why it is necessary on the NOD32 support forum to be listing as part of the first set of action to use some other product I still do not understand. Hardly seems appropriate.
For me, it's always second resort is use another product and submit anything detected for analysis. Third and last resort is a clean install.

If anybodies personal method is just to always use some other product then that's their preferance. I do it myself as a backup for malware detection but if I don't bother to take the time to see things submitted for analysis on the odd occasion they are picked up so that next time the other product isn't necessary at all then why bother being a reseller? I certainly don't hurry to recommend other products for detection or cleaning in this forum. Just seems like manners & common sense to me - It's the 'NOD32 support forum' not the 'gerat you've got NOD32, go ahead and use this other program forum'.

Granted it's clear the OP was genuine is his desire to be a help to those visiting this forum, and the process would fix just about anything out there, but it seems to me that that list is better suited to somebodies personal site where they can direct their customers to if they choose, rather than here in front of all as a suggested first step.

I don't mean to come across too strongly here and I admit it's JMHO, but doesn't all that make sense?

Cheers

 

Yes...I never have a problem submitting..so that possibly Eset may include this particular bugger in the future. But my primary duty is to my client..right at that moment. I need to clean it right then and there...not wait for a definition to possibly come out in a few days or weeks..then return so that I may clean it.

I don't, as an Eset reseller, consider it blasphemy or treason, to use a specific anti-ad/spyware product..or even several of them. I consider NOD32 a top notch antivirus program....that happens to be growing very strongly in the anti-ad/spyware area also. However..no antivirus product is rock solid in the anti-ad/spyware area...not even Kapersky.

When I come across an infected machine...I need to get it clean in a reasonable amount of time, like an hour or so....and I prefer to take the shotgun approach to that...so that I can feel more confident, that when I leave, the bugger is gone. Some of these new variants have specific removal tools out there written to clean them up...go check out smitrem...look at all the stuff it does. Or the registry cleaner for removing SpyFalcon. Why would you consider using these...a slap in the face of NOD32? And not in your clients best interest?

 

Fully agree

By the way , how do you clean infected machine in one hour only I try to be as fast as possible but it takes me some hours to clean all the malware . Just to underline that my clients are always infected *a lot* , really a lot .

On Sunday , I was given a laptop at home and I cleaned it may be 10 hours or more , so many infetections that you can't even imagine ...(like a garden where you can go and simply pick up the one you want and like )but 1 hour ,never ...

Is there any magic for fast clean

 

I didn't see you mention that anywhere between steps 7 through 11

As stated earlier, I do actually use other stuff as a backup, I just choose not to discuss it here especially as a suggested first course of action.

I'm in much the same situation - I need to get clients up and running and the clock is ticking. I don't consider the use of other products a slap in the face at all, but rather being inteligent. No one product will detect 100% of all the threats that exist. We all realise this.

I don't object to the intent or the information, my original question was with placement and perception, that's all.

Cheers

 

Magic for fast clean? ...heh...I wish. I bet we all wish!

I shoot for trying to not be much more than an hour. Most of my clients have newer PCs..and I carry a buncha tools with me on my lappy and USB thumb drive. However...yes I'll agree that sometimes we come across some new ones..that require you to hop online and do a bit of research..then when it comes down to manually removing it...yes..can take a bit longer.

 

You lost me..did I post 11 steps?

Hungover today...Guinness was flowing a bit much last night.

We all on the same page I think. We all love the NOD too. Man..yesterday..went to setup a small office for a new client. The poor people had a home user 3-pack of Symantec 2006 waiting for me. I bring a brand new PC, P4 dual core 3.something GHz, gig of RAM, 7200rpm SATA (nice HP dc7600 business desktop), Viewsonic LCD monitor. Was replacing an old Dell. Anyways...I get it there..set it up for the user, then I get side tracked in tightening up the wireless LAN at their home office. The prior consultant had left the wireless LAN wide open..no security. And this is a ex-presidential assistants home office...lots of consulting paperwork on network shares...rather sensitive stuff. //rolls eyes. Anyways..while I was clamping down the wireless, she sits down at her PC..."Wow...this is fast..this is nice...I love it." I grudgingly grab the Symantec 2006 CD..I tried to sell her NOD32...she said "Maybe when this expires..I just bought it..."...so anyways..I go install it..suffer through the agonizingly long Symantec install..reboot..register, luall, reboot...ACK..felt like a Pentium 75. Setup her Outlook RPC over HTTP..she sits down.."OMG..what happened...it's so slow now". I laughed....yeah, Symantec.

 

Hi....

I will try to explain as clear as I can. English is not my main language, so sorry if is not clear enough.

I have a small lan at home. I am running NOD32 in all pcs. This morning I tried to access one pc through the lan and NOD32 found the Tenga.Gen virus in too many .exe files. I asked to clean and found that all the files cleaned were lost with 20kb size all of them.

I went to the pc with those files, and opened NOD32 and ask for a complete scan. I set NOD to leave the files without any cleanup and it found that almost all the exe files were infected.

I opened windows explorer selected one of the files infected, right clicked with the mouse and select NOD32 Antivirus system. NOD32 scanned the file and showed that the file was clean. I runned it again from the control center, selected c, and NOD32 says that the files is infected with the Tenga.Gen virus.

So, in windows explorer, if I select a file, right click over it and ask NOD32 to scan the files, shows a clean file. If I scan the same file from inside the control center, the files is infected with the Tenga.gen virus and NOD32 destroys it.

I am missing something?.

Thx in advance...