surila.b

I have never had a virus before using Nod32. I used McAfee before and although it was a resource hog, made my system unstable and conflicted with other s/ware it never let anything through.
Nod let something through a couple of months ago and surila in the last couple of weeks. It doesn't even detect it when online scans at trendmicro and panda both detect. I would have remained oblivious unless my ISP's outgoing mail servers had detected it. I have the latest version with all updates.
I am starting to get the feeling I should not have bought a 3 year license and gone for something else instead. I would be interested to hear the nod officianados and evangelists view on this.

Jon

 

can't remember previous but why is nod not seeing it now even though online scanners see it?

 

Presumably it is active if the outgoing mail server detected it?

 

What file type was it in? What are you settings? Did you mail the file in question to www.virustotal.com ? If not could you? See if the NOD version they use picks it up. Most important however is what are your settings? Did you leave NOD as is? which version? 2.000.9? 2.12.1 or 2? Too many variables involved for now.

 

I have a fair bit of experience with Nod32 and have settings turned to max in terms of heuristics and scanning all files. Info below. Unfortunately I took no risks and let Panda disinfect. all I know is its file name was svkp*.* (can't remember all of it) and it was in the system directory.

NOD32 Antivirus System information
Virus signature database version: 1.876 (20040924)
Dated: 24 September 2004
Virus signature database build: 4859

Information on other scanner support parts
Advanced heuristics module version: 1.010 (20040902)
Advanced heuristics module build: 1061
Internet filter version: 1.002 (2004070
Internet filter build: 1013
Archive support module version: 1.021 (20040917)
Archive support module build version: 1101

Information on installed components
NOD32 For Windows NT/2000/XP/2003 - Base
Version: 2.12.2
NOD32 For Windows NT/2000/XP/2003 - Internet support
Version: 2.12.2
NOD32 for Windows NT/2000/XP/2003 - Standard component
Version: 2.12.2

Operating system information
Platform: Windows XP
Version: 5.1.2600 Service Pack 1
Version of common control components: 5.82.2800
RAM: 1023 MB
Processor: AMD Athlon(tm) 64 Processor 3000+ (2002 MHz)

 

Trojans tend to inject themselves into memory, the only way to rid them once this has happened is to run a scan in "Safe Mode".

By the sounds of it you were infected prior to the latest release of Nod32 v2.12.2, is this correct?

Just to be sure EVERYTHING is gone and your system is TOTALLY clean, can you do the following, (which presumes nothing, so please don't take offence that I am trying to tell you how to "suck eggs" so to speak


Step 1. Install Zone Alarm (free) – Firewall with visual outgoing alerts to see what is trying to access the internet.
http://www.zonelabs.com


Step 2. Download Stinger available here: do NOT run this YET.
http://vil.nai.com/vil/stinger/


Step 3. Download Ewido – Anti-Trojan Software, Install and update it. do NOT run this YET.
http://www.ewido.net/en/


Step 4. MAKE SURE NOD32 IS FULLY UP TO DATE with the latest virus signatures.


Step 5. Turn OFF System Restore, this process depends on your operating system:


Windows XP Instructions

1. Right click on the "My Computer" icon on the Windows desktop
2. Click "Properties"
3. Click on the "System Restore"
4. Place a tick in "Turn off System Restore on all Drives"
5. Click OK
6. Close and restart your system.


OR


Windows ME Instructions

1. Right click on the "My Computer" icon on the Windows desktop
2. Click "Properties"
3. Click on "Performance"
4. Click "File system"
5. Click "Troubleshooting"
6. Check "Disable system restore"
7. Click on OK
8. Close and restart your system.


Step 6. Delete your TEMP files by doing the following: open up Internet Explorer> Tools> Internet Options> General TAB> Temporary Internet Files> Delete Files> Delete All Offline Content.


Step 7. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up.


Step 8. Start a scan with Nod32 while in SAFE MODE by doing the following: Start> All Programs> Eset> Nod32.


CHECK THE FOLLOWING BEFORE YOU START YOUR SCAN:

“Actions” TAB
Make sure Quarantine is ticked, both for “If a virus is found” and “Uncleanable viruses”.

“Setup” TAB
Objects to diagnose – place a tick in all boxes.
Diagnostic methods – place a tick in all boxes.
Heuristic sensitivity – place a tick in “Deep”.
Extensions – place a tick in “Scan all files”.

“Scanning targets” TAB
Double click on ALL of your Hard Drives so there is a RED tick shown
Click “Clean”


Make SURE Quarantine is ticked with EVERYTHING that is detected BEFORE you DELETE anything that is found. If you are not sure whether it is safe to delete an infected file, quarantine allows restoration of a file at a later time/date.


If the scan finds a “Probable NewHeur_PE virus found”, please do the following:

1. Place a tick in the Quarantine check-box
2. Select Delete
3. Send the quarantined file to Eset: samples@nod32.com this file can be found here: C> Program files> Eset> Infected


Step 9. Run a scan with “Stinger” the program you downloaded above.


Step 10. Run a scan with “Ewido” the program you downloaded above.


Step 11. Reboot your system into normal mode.


Step 12. Run a further online scan found here: http://housecall.trendmicro.com/


Step 13. Install update and run Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor.
http://beam.to/spybotsd


Step 14. Install update and run Adaware (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will.
http://www.lavasoftusa.com


Step 15. Install and run CWShredder available here:
https://www.wilderssecurity.com/showthread.php?t=14086


Step 16. Make sure your Windows is FULLY up-to-date by doing the following: While on the Internet, Click on Internet Explorer (the Blue “e”), Click on Tools (on the bar at the top of your screen in Internet Explorer), Click on Windows Update. This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “Scan for Updates”. Install ALL “Critical Updates” and “Service Packs”.

WEEKLY – check this is “Up to Date”.



REPEAT ALL THE ABOVE STEPS, this time EVERYTHING should come up clean…



For the most part what I have suggested fixes the greater majority of problems out there...



IF the above does NOT fix your problem please download and run Hijack This found here:

https://www.wilderssecurity.com/showthread.php?t=12516


and post your log at one of the forums found here:

http://a-sap.org/


Keep in mind the following quote:

When your system is clean you may want to take a look here:

https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

for further discussion on security and how to make your system that much stronger.


and here for more discussions:

https://www.wilderssecurity.com/showthread.php?t=43117


Hope this helps…

Let us know how you go…

Cheers

 

Thanks,

almost certainly got infected prior to latest engine. Presumably that was the problem and would now be protecteed from mydoom dropping it, although lack of detection with new engine still a worry.

I already use sygate and will reset to see what is trying to get out. I use adaware, s&d and spyware blaster. Scans using various virus and trojan detectors now show nothing post panda disinfection. Ewido looks interesting. will give it a go.

R.

 

Just to be certain, I would download Stinger as well, and boot into Safe Mode and run a scan both with Nod32, Stinger and Ewido. Then run a further online scan and let us know how you go. The above post is pretty comprehensive, it gets rid of most things out there. Then the last 2 links go through to adding security...

Cheers

 

Have done everthing you advised and system seems clear. Still worried that Nod did not see something that every other scanner I tried identified

 

Good to see your system is now clean.

From memory of another user, Panda makes a "Backup" before deleting, if this is still available you could send it to samples@nod32.com

I wouldn't be too worried until Eset have had a look at the file, if you can find a backup, if not, it will have to remain one of life’s mysteries...

Cheers