is this file anything to worry about?

hi

bored today and so thought i'd install kaspersky to see what it is like, currently i'm a very happy nod32 user.

before doing this i ran a full scan with nod32 2.5 beta fully up to date and with settings maxed out, which turned up nothing suspicious. so i downloaded kaspersky, updated it and ran the scanner and it found 5 infected items in a file stored in my firefox cache.

this is the path:

C:\Documents and Settings\*user*\Application Data\Mozilla\Firefox\Profiles\b7l0rbu2.default\Cache

I submitted that file to Jotti and it produced the result shown below. of the files listed, i know nod32 detects the 'megasearch' and 'savenow' spyware cos i purposefully downloaded them recently to test what nod did with them (yes, sad, i know), and it did detect and remove the files when i attempted to install.
Not sure about the trojans though.

I was wondering if the reason nod32 doesnt detect threats in this file is because it isnt really a threat? i dont know where i should bother submitting the file to eset or not.

regards, lee

 

I would suggest you submit them, I believe Jotti submits all missed files to AV makers that miss a detection so I would think Eset already got them, I am not sure if he does this for Adware though.

 

They may be non-active components or files that do nothing on their own without the active parts that are not present.

 

file sent to eset, thanks to all who replied

 

Got it Under progress

 

BTW... the VBA32 detection is a false postive - it flags a WISE Installer DLL as Spyware/Adware this file will not be included into detection cuz it's clean.

 

Ok, the spyware will be nailed soon
Thanks for sending

 

BTW i give you the ultimate trick

This is a self installing ZIP - Executable. Normally you need to start this via double-click... But hey... Wait!

Rename this file from *.exe into *.zip - then browse it - it will work and nothing will be infected - so you can select the good files out of the spyware.

Pretty cool or ?

Don't touch SEARCHTOOLBARBUND.EXE, WUSVINST.EXE and SETUP_INCREDIFIND_ONLY.EXE that's the spyware... The other files you can use Have fun

8^) HB.

 

that is a useful tip, thanks!

so did nod32 just not detect this file as being a threat because it isnt really a threat? or because it needs new signatures?

there is a file in that archive called Wusvinst.exe which nod32 doesnt report as suspicious, but when i run it it then does recognise it as adware (WhenUSave). can it not be recognised before it is installed?

thanks again, Lee

 

*wink*

 

oh yeah, i read that - i just was wondering if nod32 should be able to detect that file (and others) as adware without having to run it first (which AMON then stops).

 

The missed Spyware will be added

 

oh yeah, course..........but i was just wondering - the WUSVINST.EXE file isnt detected my nod32 scanner or imon when downloading it, but it is detected by amon on running it. is it possible for an anti-virus program to detect that it is spyware just from scanning the .exe file, without having to actually double-click to run the install?

 

Do you have archive scan enabled during on-demand scan?

 

yeah, but even if i unzip those files to a folder and scan the individual file or the whole folder, it doesnt detect any of the files, even SEARCHTOOLBARBUND.EXE, WUSVINST.EXE and SETUP_INCREDIFIND_ONLY.EXE.

 

LOL i know! That's why i told you will be added

 

i'm confused then - i thought if AMON detects WUSVINST.EXE as WhenUSave ADWARE then all other components would be able to detect it too?? do you have to release seperate updates for seperate components then?

 

hi - got the latest update (1.1062) and now the nod32 scanner detects Incredifind.

still curious as to why NOD32 scanner doesnt detect WUSVINST.EXE, but AMON does. Maybe it is me not understanding NOD32 correctly, but I assumed if one module detected a threat then they all did? thanks, lee