Nod 32 Not Detecting Viruses

Lately my PC has been acting weird. I did a full virus scan with NOD32 and nothing. I have the latest definitions etc and used deep scan etc. So I checked using a few other anti-virus solutions and this is what I found.

McAfee AVERT Stinger Version

2004C:\WINDOWS\system32\drivers\etc\hosts Found the Qhosts.apd trojan !!!C:\WINDOWS\system32\drivers\etc\hosts has been repaired.C:\WINDOWS\system32\TFTP3468 Found the W32/Sdbot.worm.gen.t virus !!!C:\WINDOWS\system32\TFTP3468 has been deleted. Number of clean files: 35666 Number of infected files: 1 Number of files repaired: 1 Number of files deleted: 1

Online McAfee Scan

We found 1 record(s) matching the following criteria:
Virus name with "W32/Gaobot.worm.gen.f".
W32/Gaobot.worm.gen.f


Symantec Online Scan

C:\WINDOWS\system32\wmmon32.exe is infected with W32.HLLW.Gaobot.gen

Trend Micro HouseCall

C:\WINDOWS\system32\wmmon32.exe

Panda Active Scan Virus:W32/Gaobot.AAM.worm Not disinfected C:\WINDOWS\system32\wmmon32.exe


Bit Defender Free 7.2

C:\WINDOWS\system32\wmmon32.exe Infected Backdoor.Agobot.KM


NOD32

number of viruses found: 0

McAfee Stinger found and killed 2 & with Bit Defender FREE I quarantined the other 1 and rebooted and will delete it but the thing is NOD32 found absolutely nothing and this really concerns me. I don't care how many virus bulletins NOD has won or even if it's my fault that they got on my machine. The issue here is why isn't the NOD32 scanner detecting these while all other anti-virus scanners ARE detecting it??. Don't tell me I haven't configured NOD32 properly because that just won't wash with me because I didn't have to configure any of the other anti-viruses and they found it easily. TDS 3 also found nothing.

Unless Panda, McAfee, Symantec, Trend Micro & Bit Defender are all wrong then there's something wrong with NOD32.

My main concern is that the NOD 32 scanner picked up nothing.

Dave

Dave

 

But you submitted the files to DCS and Eset, right

 

He shouldn't have to. If Eset cooperated with other AV companies they would already have these samples. Every one of those was added to their respective providers definitions in early to mid APRIL!!! FOUR MONTHS AGO!!!!

 

Obviously heuristics and reaction time were not acceptable in this case. But NOD did get 3 VB100's during the same time. As for the RU situation, these trojans were obviously not part of the RU set. His computer was acting weird so he chose a multiple opinions. They appear to have been functional and not test viruses. Good thing they weren't on the VB ITW List.

 

If he didn't submit them, we have no idea what they were or were not. All we have here is a post, no submitted files/proof.

 

Agreed, If he is telling the truth though, Symantec, McAfee, Trend Micro and Panda all added these detections between 4/8 and 4/24. i didn't check Bitdefender's website to see when that was added.

 

Hi Guys,

Please be 100% sure I'm telling the truth. I've used NOD32 for 1 year and renewed my license about 2 weeks ago and thought the world of it. The first 2 viruses I couldn't submit because McAfee automatically cleaned them and I looked around on the Eset website for a way to submit the other one but couldn't find any link to do that. Please understand that I tried and if I overlooked something then I'm sorry but I'm 100% sincere.

I have been a NOD 32 fanatic until this and believe me I wouldn't have posted this if it didn't really happen. ALL the details you see were copied and pasted from online scanners as well as Bit Defender and all of them caught everything on my machine and they all agreed that I had viruses but strangely NOD didn't see anything. I even found the file in the windows system32 folder and right clicked on it with NOD and scanned but it said the file was virus free. A right click with BD brought up an alarm.

The other day I had 3 serious crashes and had to figure out what was wrong so when NOD didn't detect anything I sought a 2nd opinion and a 3rd and 4th and was shocked to find they all found something on my pc except NOD which gave it a clean bill of health. I'd understand a virus getting through but this was multiple infections not even detected by Amon, Imon or the scanner so something seems not to be right at all. TDS 3 never picked up anything either but port explorer did show some hidden processes earlier on which were using my connection.

Another thing is that I have ALL Microsoft updates installed as well as my firewall turned on but even if somehow they got on due to user error what concerns me is that I got multiple infections of a worm, a trojan and a virus and the NOD 32 scanner didn't pick up anything. NOD 32 had the latest definitions last night which were 1833. The definitions today now as I post are 1834.

About me telling the truth. Have a look about any of my other posts about NOD32 and you will see I think the world of it and have no reason to lie.

I live in Australia and it's winter here. My temps are usually 35 but last night they shot up to 51 idle on both cpu & pwm so I thought it was some backdoor activity and started looking for infiltrations and found 3. Since then my temps have gone back to normal and my connection is no longer continuously downloading like it was the other day when Port Explorer showed some hidden processes running.

I really did go to the Eset site last night to try and submit a copy but couldn't find any link so I submitted it to Bit defender and had Bit Defender delete it because it caused me so many problems.

I say again that everything I posted was truthful and accurate and not from me but copied and pasted from the online scans and log files of all the AV's. Please don't doubt my sincerity because this really happened and I am very concerned now about NOD32's scanner as all 3 got through all defenses and even the scanner picked up nothing so I'm really concerned because I need to be properly protected and if something does get through then I must be able to at least have a scanner that detects it.

Also I do not use System Restore to make sure viruses are not stored anywhere else.

Best Regards

Dave

 

Dave, do you run a weekly scan with Nod32?

What other security are you using?

A firewall?
Spyware Removal?
Spyware Prevention?

If you have a look in your Nod32 Logs, do they show any activity?

Cheers

 

Hi BlackSpear,

I run a full virus scan with NOD daily.

I just can't understand how TDS 3, Spy Sweeper, Port Explorer, Panda, HouseCall, Symantec, Mc Afee & Bit Defender all set off alarms and KNEW something was definitely wrong while NOD32 gave my machine a clean bill of health. Can someone from Eset explain why only NOD32 didn't detect these infiltrations?

NOD32 scanner should have picked up SOMETHING during a scan. I scanned several times with all settings on deep. I had mutiple-infiltrations of various kinds of viruses that even anti-spyware detected.

I really don't know what to do now except buy a new anti-virus tonight because I accept that viruses get through sometimes but if a scanner can't pick up multiple infiltrations while all the other security software is sounding alarms then how can I live with that? What's disappointing to me is that I just spent money on renewing NOD32 2 weeks ago and now I've got to go & buy another AV because NOD32's scanner is missing a lot of viruses.

Has anyone got any advice about a new anti-virus?

Thanks

Dave

 

Sure, have the files been submitted yet? Then we can take a look and see what's up. BTW - in your previous post you said that TDS3 did not detect these "intrusions" but now you claim they did. Clarification in regards to these claims may be in order.

 

further clarification on my part warrants these quotes:

 

I still want to know what other security you are running? A Firewall? This should have let you know that you had something trying to access the internet.

Do your virus or event logs show AMON having a struggle with it?

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.

Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows the Trojan to open a viral HTML file on the target computer, so that the script can create and run the malicious executable.

Cheers

 

Please forgive my mistake. I meant of the 3 viruses I posted TDS 3 didn't detect any. Earlier TDS 3 did detect a RAT as apart from the 3 other infections. That makes FOUR infections. I hope this clarifies the issue and sorry for ommitting it as I didn't find any TDS 3 log referring to the infiltration.

Please also understand that Stinger cleaned 2 infections automatically and all I was left with was a log to post which I did. I searched in TDS 3 logs but didn't find anything about the RAT. Doesn't TDS 3 keep a record of RATS found etc if so where?

As to the other virus, I went to the Eset site at about 4am this morning (very tired) I searched but couldn't find or didn't see anywhere to submit the virus. (I have never submitted to Eset before) So I submitted it to Bit Defender which I had downloaded (the free version) and had Bit Defender delete it.

So TDS 3 found 1 of the infiltrations and the other security software found the other 3 amongst them but NOD 32 found nothing at all. This is the absolute truth so help me God and I'm not about to start lying. So of FOUR infiltrations NOD 32 not only let them in but the scanner didn't detect any of the four.

So I should have mentioned the 4th RAT and that makes the statement that all security software except NOD 32 detected infiltrations correct, but I have no record that I can find of the RAT being detected. If it's somewhere I can post it for you if I know where to find it.

Now a question. Whenever I get that red box saying it has found a virus or worm etc and delete it, when I go into AMON it doesn't say found 1 deleted 1 but almost always says found 5 deleted 2 or found 7 deleted 1. It never ever shows in the GUI that it has deleted all the found viruses and whenever I run a scan it ALWAYS reports nothing so I assume that it's nothing or are there viruses getting through which NOD32 just can't delete quick enough and later disguise themselves so NOD32 can't find them With email this never happens and NOD is always able to delete all viruses in emails.

Dave

 

You have 2 world leaders in their fields beaten somehow; I'd also be scratching my head as to why and how... Have you asked the Question in the TDS forum as well as linking to this post?

When AMON cannot delete a file, it basically means that the file is in memory and must then be removed through a scan in safe mode.

I have come across an event which I posted somewhere in this forum where AMON had been struggling with a infection stuck in restore, and this had been going on for days (at that time I did not run a weekly scan, to use to my system being clean) When I checked my logs it showed AMON having a struggle with the file. Turned off system restore, ran a scan and everything was back to being clean...

You are yet to tell me about your security, is it that you are/were running without a firewall?

Cheers

 

Hi BlackSpear,

I was running XP Firewall, Spy Sweeper, TDS 3, NOD 32.

On a number of occasions lately I have had the NOD32 GUI completely wiped out leaving only the green border with no text inside. Somehow I am of the opinion that there is a worm out there which is able to disable and even delete some AV's and I think that previously NOD was deleted.

But this time I can't for the likes of me figure out why it isn't detecting at all.



Regards

Dave

 

I just uninstalled NOD 32 and re-installed it after deleting the folder. I'll have a look around for something else. All the other AV's scanned and detected ok so it's just a matter of choosing and paying again.


Dave

 

You have quoted at least 2 Trojans which is the prime function of TDS. You are running XP's own firewall, which is slightly better than nothing at all, you obviously were not warned that there was a program trying to make a outgoing connection, and this being the case, what’s the point of having it? Yes it may stop incoming, but as you found, not outgoing…

All in all your security has holes in it, and this is only from a small amount that you have said...

I would look at tightening your security and using the existing products that you have paid for. I wonder as to why you aren't looking for another Trojan detector other than TDS, I'm not saying you should, just that you seem to be laying the blame at the foot of a anti-VIRUS program (it is becoming better at detecting Trojans, the new Beta and coming version will attest to this), and yet you have one of the worlds best anti-TROJAN detectors that somehow failed to protect your system.

Here is a link discussing what you should have for security on a PC:

https://www.wilderssecurity.com/showthread.php?t=43117

Hope this helps...

Cheers

 

Why not try the Beta that has HTTP scanning, it should have stopped this in its tracks...

Cheers

 

Before considering a new antivirus, Dave, take a look at one of your posts over at the NOD Beta section;

QUOTE - I've been having a real, real problem with Trojans & Downloaders getting onto my PC and causing problems and the other day after a few got onto my hard drive it became corrupted and it took me 2 days to get it back to normal.- UNQUOTE.

And in this main thread you admitted that you surfed a number of questionable sites and a number of us suggested you practice safe-hex; https://www.wilderssecurity.com/showthread.php?t=43036.

Many of us have NEVER had a trojan or virus infection on our machines yet this seems a common occurence on your computer. Even Kaspersky and for example TDS-3 running in real time can be defeated by malware which are not in their database. NO AV or AT can give you 100% protection.

Overall you need to;

1. Start to practice safe-hex and this includes web-sites that you visit.

2. Update to a good software firewall which should detect any trojan phoning home. The XP Firewall gives good inbound but NO OUTBOUND protection.

3. NOD will give you excellent protection IF you practise safe-hex. However, if you want to continue visiting these dubious web-sites you need a good AT running full-time alongside NOD. Was TDS-3 running as a RTM and were you using the recent beta of NOD ( you were previously ) at the time of your present infections. You need a memory scanner for the sites you visit!!!

4. To save money now, run a free AV as a backup to NOD and scan regularly to check whether anything is missed. Good free scanners are;

F-Prot for DOS - http://www.f-prot.com/products/home_use/dos/

eScan AntiVirus Toolkit - http://www.mwti.net/antivirus/free_utilities.asp


Whether NOD let you down here is, in some respects, irrelevant. Overall, even if you have the best protection available you can still become infected if you do not practise PREVENTIVE measures. ALL AV's will let you down if the USER is not playing his/her part in the layered defense of the computer.

Dave, keep NOD and try safe- surfing.

PS Dave, you recently purchased Process Guard; https://www.wilderssecurity.com/showthread.php?t=26907; did this not kick in anywhere during the infections?

 

IF you were running your Process Guard, and therefore protecting NOD, surely this would have been picked up if due to some sort of malware attack?

 

Hi Worldcitizen,
Most of Agobot variants are detected via advanced heuristics - I don't assume it could get into your computer with the beta installed (AH is supported both in the HTTP scanner and AMON). However, I must concede not everyone is willing to install beta - if that's the case, I suggest you carry out a full system scan with AH enabled (it can be triggered by running nod32.exe with the /ah parameter). There are many new improvements planned to be encorporated soon, not forgetting improved submitting of samples. For now, if you find a suspicious file or NOD32 reports one as a probable NewHeur_PE virus, please submit it to samples@eset.com for analysis.

 

OK everyone,

FIRST. A very BIG THANKS for your extremely patient and kind support which I would receive NOWHERE ELSE. You are very good and knowledgable people and I trust you and like you all a lot.

Now - the beta NOD 32. I installed it a few days ago. Soon after when my wife booted and started listening to her news programs using real player the sound stalled and the pc froze while the disk kept spinning. I rebooted and couldn't restart and had to re-install Windows. Just after I had re-installed everything I went away for a few minutes and the screensaver was running and when I touched the mouse everything went funny and again I had the same problem and had to re-install XP. After another re-install my wife again got stuck and the same problem occured having to re-install again. Coldn't get into safe mode at all any of the times. I tried to figure it out and rang the technician and he couldn't guess. Later I just remembered I had the beta running and uninstalled it. Since then I haven't had any crashes and my wife's programs work as normal again. I did memtest and disk checks etc

So the other day I got these viruses. I had Spy Sweeper and NOD and I can't remember exactly if TDS 3 was running because I start it up manually and that day I was in such a mess I could have forgotten but it's unlikely. I had Outpost Pro running when I had the crashes and I have had problems with it before so I removed it. There used to be an issue with OP that it would crash certain pc's and mine was 1 of them and Agnitum made a fix but I wasn't sure so I uninstalled it but I THINK it may have been the NOD32 beta because since removing that I haven't had any crashes but also I haven't used OP too. I do own BoClean as well as Trojan Hunter as well as TDS 3. I had Extendia AV as a backup but lost my unlock code and purchase email because I hadn't had time to backup. I backup regularly but this problem hit me before I could. They sent me a download link but said I needed a username & password which I lost and I'm waiting if they send it to me.

With Process Guard I have a problem where if I log off then if it pops up offering to allow or deny, then the options (allow, deny) are blanked out and I can't select. I told DCS about this and they know it is a log off and user switching problem and I'm waiting for a fix. I have the BEST security software available but my problem like some others who have posted is that there are bugs and this prevents me from using it. I was really thrilled about PG but when my wife logs off and I log on I can't select any options from the pop up gui anymore unless I do a reboot. The same happens when I logged off and back on again.

I have WormGuard too but it interferes with my email client when I install it and DCS gave me Crypto Suite because they said they wouldn't be making a fix for it until WG4 which I hope is soon. Now it's not all my fault that I don't use some of these great programs. There are very legitimate problems that need to be fixed and I'm not the only 1 waiting. If I remember correctly I did have PG running when NOD was wiped and I had it on the list but I didn't check the task bar to see if the service was still running. When I tried to start NOD because it wasn't in the systray I got a message saying it was already running but the gui was empty so I couldn't do a scan.

But as you have pointed out my weak point is my firewall so I'll have to find something I'm happy with - any suggestions please I'll try and make sure I run TDS3 at all times but the new NOD concerns me after days of crashes. I think I installed and repaired windows about 5 times since installing the beta and only since uninstalling it has my system been stable now all last night and today.

If I've forgotten something or you need clarification please let me know and I will oblige.

Best

Dave

 

WC,

Sounds as if you have a LOT of security software which for some reason are not running too well on your system. My advice would be to remove any programs that seem to be incompatible with your computer and for now run only ONE AV, ONE AT ( running Guard enabled ) and ONE software firewall.

You certainly have a good collection of protective software programs, but you need to become familiar with the software you have before buying other software with overlapping functions.

You need to sort out the problems you have with some of your software before thinking of using them, otherwise write them off and concentrate on the programs which run smoothly and without slowdown on YOUR system.

NOD, BOClean/or TDS-3 ( either running in real time ) and a good firewall (LookNStop, Kerio 2, Zone Alarm 4, Kaspersky AntiHacker) would be a good start together with safe-hex practices.

Regarding a firewall, you could stay with the built-in XP Firewall but run System Safety Monitor alongside it to check for any outbound connections.

Once you have a stable system I would strongly recommend some disc-imaging software such as Acronis TrueImage, then you can trial software in relevant peace!

More importantly as I have stated before YOU are the most important part of your computer's layered defense. A good AV, such as NOD, is only one part of that layer!

Good Luck!