explored.exe

Discussion in 'NOD32 version 2 Forum' started by glenncc, Apr 24, 2004.

Thread Status:
Not open for further replies.
  1. glenncc

    glenncc Registered Member

    Joined:
    Feb 13, 2004
    Posts:
    10
    I have the file explored.exe in my system32 folder. I've read a bit about it on the net and I know it's part of some worm but I don't know what to do about it.
    I've done a full NOD scan but it didn't find it. Can anyone tell me what I should do?
    Also what good is NOD if it can't find a known thing?
     
  2. DiGi

    DiGi Registered Member

    Joined:
    Jul 24, 2003
    Posts:
    114
    Location:
    in the middle of nowhere
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Run NOD32.exe with the /ah parameter and, if a probable NewHeur_PE virus is found, choose to rename it and email it to the aforementioned address for analysis.
     
  4. glenncc

    glenncc Registered Member

    Joined:
    Feb 13, 2004
    Posts:
    10
    I ran an Adaware scan, here's what it says:

    ArchiveData(auto-quarantine- 24-04-2004 19-58-19.bckp)
    ======================================================

    ALEXA
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[0]=RegKey : SOFTWARE\Microsoft\Internet Explorer\Extensions\{c95fe080-8f5d-11d2-a20b-00aa003c157a}

    WIN32.WELCHIA.B
    ¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯¯
    obj[1]=RegKey : SYSTEM\ControlSet001\Services\WksPatch
    obj[2]=RegKey : SYSTEM\CurrentControlSet\Services\WksPatch
    obj[3]=File : c:\windows\system32\drivers\svchost.exe

    ***********************

    I still don't know if this has fixed the issue or not, or whether I need to do something else.
    And I'm really stuck on the question: If NOD can't find the thing it's supposed to that some free software can, what's the point of it? o_O
     
  5. glenncc

    glenncc Registered Member

    Joined:
    Feb 13, 2004
    Posts:
    10
    BTW I didn't pay for NOD with the understanding that I might have to know about adding arcane parameters in the scan that I know nothing about. I bought it so it would keep my machine safe from known viruses.
     
  6. sir_carew

    sir_carew Registered Member

    Joined:
    Sep 2, 2003
    Posts:
    884
    Location:
    Santiago, Chile
    Hi,
    Every day new variants of Spyboter, Spybot, Agobot, etc. appear; indeed many AVs are detecting the sample as, for example, Spyboter.CC due to the number of variants that exist today. ESET adds many variants of those families to its databases every day, but it's impossible for an AV to detect all of them, because so many variants exist. However, one thing that NOD has that other AVs don't is that NOD can detect those new variants using AH, and for that you need to use the /AH command.
     
  7. glenncc

    glenncc Registered Member

    Joined:
    Feb 13, 2004
    Posts:
    10
    This is what I get:
    trojan Win32/Agobot.3.TA found in operating memory. NOD32 cannot clean this infiltration. No action can be taken on a memory infiltration.

    NOD says it can't fix it. What do I do? I don't know how to get it and rename it, I don't know where it is.

    Also I got this by going to "Run" and put in:
    "C:\Program Files\ESET\nod32.exe"
    At first I added "/ah" to the end of that and just got an error message from windows saying it couldn't find the file. I have simply run scan again from within NOD and it didn't find anything.
    So these are my questions now
    What do I do about Agobot.3.TA trojan?
    Why does NOD find this when I run it from 'Run' but not find anything when I use 'scan' from within NOD?
    Why doesn't /ah work and will it be more help to me?
     
  8. glenncc

    glenncc Registered Member

    Joined:
    Feb 13, 2004
    Posts:
    10
    I think I may have fixed it. If anyone has this problem go to
    http://home.student.uu.se/e/ergu2783/default5.htm

    This address works because it is not one of the sites that the worm lists in the Windows hosts file preventing the browser connecting.

    Sorry for the whining about NOD, but the fact remains it was not a great help. Now that I can get to other sites I see there is a lot more useful information on many of the other anti-virus sites.
     
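The hosts-file blocking described in the post above is straightforward to check for. The script below is an added example (not from the thread, nor ESET's or the worm's code): it parses a Windows hosts file and reports any name other than localhost that is pointed at a loopback or null address, running on a constructed sample with placeholder vendor domains.

```python
"""Flag hosts-file entries that black-hole lookups of non-local names.

Added example: a worm that blocks access to antivirus sites does so by
mapping those names to 127.0.0.1 or 0.0.0.0 in the hosts file.
"""
import ipaddress

# Names that legitimately map to loopback in a hosts file.
LEGIT_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Addresses commonly used to sinkhole a name.
SINKHOLE_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}


def parse_hosts(text):
    """Return (line_no, ip, [names]) for each active entry; comments and blank lines are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue  # blank, comment-only or malformed line
        try:
            ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # first field is not an address; ignore
        entries.append((line_no, parts[0], [n.lower() for n in parts[1:]]))
    return entries


def find_hijacks(text):
    """Return (line_no, name, ip) for every non-local name sent to a sinkhole address."""
    hits = []
    for line_no, ip, names in parse_hosts(text):
        if ip not in SINKHOLE_ADDRS:
            continue
        hits.extend((line_no, n, ip) for n in names if n not in LEGIT_LOOPBACK_NAMES)
    return hits


# Constructed sample (placeholder .test domains, not real vendor names).
SAMPLE_HOSTS = """\
# constructed hosts file
127.0.0.1       localhost
127.0.0.1       www.example-av-vendor.test   # blocked vendor site
0.0.0.0         update.example-av-vendor.test
10.0.0.5        intranet.corp.test
"""

if __name__ == "__main__":
    for line_no, name, ip in find_hijacks(SAMPLE_HOSTS):
        print(f"line {line_no}: {name} -> {ip} (possible AV-site block)")
```

On a real machine, read %SystemRoot%\System32\drivers\etc\hosts and pass its contents to find_hijacks; any hit is worth reviewing before trusting that a download of AV updates actually reached the vendor.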
  9. bharath

    bharath Registered Member

    Joined:
    Apr 27, 2004
    Posts:
    1
    Hi,

    Can anyone give us a detailed comparison chart in terms of features when compared to Symantec and NOD32.
     
  10. Bandicoot

    Bandicoot Eset Staff

    Joined:
    Mar 23, 2004
    Posts:
    297
    Location:
    California
  11. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Let this thread be a cautionary tale to Bandicoot and *everyone else*: it is not true that NOD32 has to date caught every ITW virus. If you place reliance on this (false) interpretation of virusBulletin's tests, you will suffer at some stage or other.

    It is true that NOD32 has achieved 'success' at most of virusBulletin's tests on Windows platforms, but this is most definitely not the same thing as having stopped all ITW viruses during the period the tests have been in place.
     
  12. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Beeeeep!

    NOD32 has not missed an In the Wild virus in a Virus Bulletin test since May 1998 ... not one!
     
  13. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Actually, NOD32 failed the virusBulletin tests in November 2000 (Windows NT) and April 2002 (SuSE Linux).

    That aside, it seems you have not properly read and understood my post.

    Don't get me wrong, I think NOD32's virus detection rates are good (though it is poor in some other respects when compared to other AVs), but just because it has passed under test conditions at virusBulletin does not mean that it has caught every ITW virus. I can personally vouch for the fact that NOD32, with up-to-date virus definitions, and advanced heuristics, has on a number of occasions failed to detect a number of ITW viruses arriving here and at other sites I am responsible for.

    In most (but not all) cases, the ITW viruses in question arrived by e-mail some time before Eset updated the NOD32 virus database. So, I say again, NOD32 has *not* caught every ITW virus, over any sensible period you might like to consider.
     
  14. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    I hear you. But you've got an 80% better chance of discovering a new ITW virus by using NOD32 than any other AV.


    tECHNODROME
     
  15. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    No-one has ever claimed that NOD32 has ever detected or ever will detect 100% of viruses 100% of the time ... but there is no "false interpretation" of Virus Bulletin's tests when I say that NOD32 has not missed one single solitary In the Wild virus in a Virus Bulletin test since May 1998 ... it's an undeniable fact.

    In the November 2000 VB100, NOD32 was the only antivirus program to make "clean sweep" detection of every virus in every category, but it was disqualified from winning the award due to a single false positive. That's the rule ... one false positive and you're out of the game ... and everyone has to play by the same rules. (NAV and VET did win the November 2000 award ... but they missed 299 and 781 viruses respectively!) (What were you saying about false interpretation of Virus Bulletin's tests ?.?.?)

    Every antivirus program tested in the April 2002 VB100 failed!

    Sure, many new viruses get past NOD32 when they first appear ... just like they get past every other antivirus program! ... but statistics show that NOD32's Advanced Heuristics have detected and blocked more than 80% of the new email-borne viruses that have made it into the wild this year ... without needing an update. Can you name any other antivirus program with a similar track record on brand new unknown viruses ?

    Netsky.Q (for example) was touted as a new type of virus that supposedly took antivirus vendors by surprise and spread freely for several hours before the first update appeared ... but the fact is that NOD32 detected and blocked Netsky.Q on first sight ... a fact that it seems isn't "doom and gloom" enough for the media to report.

    Sure, NOD32 isn't as good as some other antivirus programs at detecting Trojans ... but it's nowhere near as poor with Trojans as some self-proclaimed "virus experts" would have you believe. It was good enough to pass Checkmark Trojan Certification ... and it's getting better all the time. (I would prefer NOD32 to concentrate on viruses and leave Trojans to dedicated anti-Trojan programs ... but that's only my personal opinion as an "old school" AVer.)

    Maybe one day someone will come up with a program that handles viruses, worms, Trojans, spyware, browser hijackers, backdoors, keystroke loggers, porn diallers, keygens, spam, port sniffers, DoS attacks, and the potato peelings in the kitchen sink ... but I don't think I'll live long enough to see it. :)
     
  16. rodzilla

    rodzilla Registered Member

    Joined:
    Jun 15, 2002
    Posts:
    653
    Location:
    australia
    Do you have any idea what the test conditions at Virus Bulletin are ?

    Do you think they are somehow unrepresentative of real world conditions ?
     
  17. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Yes.

    While I can appreciate that NOD32 evangelists will stress the VB test results at every opportunity they can (after all, it is of course only human to stress the positives about whatever it is you support), my point is that there is so much over-reliance on vB test results that is spouted in this forum, to the extent that it gives many people a false sense of security that NOD32 will cure all your A/V needs.

    Take for instance Bandicoot's posting in this thread - I find it totally out of place and misleading. Despite the fact that glenncc had clearly encountered an infection, Bandicoot's posting effectively implied: "So what? It is irrelevant, because NOD32 has passed all of its vB tests...". And then, while you also seem to object to my observation that the vB tests are not the be-all-and-end-all, you go on to present the test results in a way that 'demonstrates' NOD32's Apr2002 failure was actually better than other A/Vs results where they passed. It is exactly this kind of manipulation that I take issue with.

    What most people want is security software that they install and can have sufficient confidence in. vB tests are but a small fraction of the equation. Usability of the A/V (in this case) software is probably the biggest factor of all: an incorrectly or loosely configured installation is dangerous, and NOD32 IMO fails the test of usability and default installation settings (to be fair KAV 4.5, for instance, is worse in the usability stakes - not so KAV 5.0, though - but its default installation settings are more secure than NOD32's).

    Also, the terms 'virus', 'worm', 'trojan' etc., represent arbitrary distinctions that are to the benefit of the vendors alone. Such terms are not understood by the general user, and nor should there be any need for such understanding. So to tell people that NOD32's virus detection rate is better than any other A/V (which I do believe) does not tell the whole story - while its trojan detection levels have improved recently, they still fall far short of some competitors' products.

    There are other factors I could also add to this, but I think this all makes my point clear enough. Fine, go ahead and praise NOD32 for its vB test performance, but please don't mislead people by blindly spouting it in every opportunity that presents itself, and in contexts where it is inappropriate (as it was here with Bandicoot's post).
     
  18. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    From what you posted earlier, it appears to me that NOD32 was installed, but not updated, and the real-time monitor was not enabled. Do you think this might have been possible--since you posted an Ad-Aware catch of Welchia, and a catch of Agobot by NOD32 when the scan was activated?

    Just wondering. ;)

    For SPM:

    Bandicoot was replying to Bharath, not glenncc--which he clearly stated in his post.
     
  19. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    In that case, his post was even more out of place. The vB tests do not compare 'features', as was asked.
     
  20. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Well, I'll tell ya what--it may not be. But tell that to the client with "Mystery AV" installed on the e-mail server that failed to catch Bagle_Z this morning, and got nailed at the NOD32-protected desktops by AH, before most of the AV companies rolled out of bed...that's at least 1 that NOD32 did catch... :-*
     
  21. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Via what source? E-mail? Floppy disk? Other?
    With NOD32's default settings?
    With what heuristic settings?
    With the aid of an add-on (Paolo Monti's), or not?
    When compared to other A/Vs whose heuristic detection is turned off?

    When such statistics are quoted, it is *imperative* that they are qualified precisely if they are to have any real meaning.
     
  22. spm

    spm Registered Member

    Joined:
    Dec 9, 2002
    Posts:
    437
    Location:
    U.K.
    Then good for NOD32! Who ever claimed that NOD32 didn't catch viruses, anyway? It seems you are using reverse logic ;). That doesn't work.
     
  23. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I switched from KAV to NOD32 several years ago. NOD's IMON, with the default settings, has caught several on mine before the definitions were out.

    Had I been using some of the other AV's they would not have been detected at the time.
     
  24. JimIT

    JimIT Registered Member

    Joined:
    Jan 22, 2003
    Posts:
    1,035
    Location:
    Denton, Texas
    Well, the original post was about explored.exe, and as I suggested, it may have not been detected because of an inactive RTM, or outdated pattern files.

    As for the "Take VB results with a grain of salt" suggestions--I agree, they should be.

    As for "trumpeting" VB results--look around at most AV websites. NOD32 is not alone in blowing their horn when it comes to their record in VB tests--however, IMO there's no distortion involved--as is the case at more than one AV vendor I could name. ;)
     
  25. Technodrome

    Technodrome Security Expert

    Joined:
    Feb 13, 2002
    Posts:
    2,140
    Location:
    New York
    In most (but not all) cases, the ITW viruses in question arrived by e-mail some time before Eset updated the NOD32 virus database.

    As far as I remember you were talking about email. See quotes...

    If we are talking about email. Yes.

     