I think we should focus some more on Spyware.

Discussion in 'NOD32 version 2 Forum' started by helloWorld, Jan 28, 2005.

Thread Status:
Not open for further replies.
  1. helloWorld

    helloWorld Guest

    OK, currently VX2 is a PITA to remove. I have it running on my WinXP SP2 VM environment and the thing is downloading a whole bunch of crap. From all the trojan downloaders and other crap, NOD32 with AH/all files/deep/everything maxed out catches only 1 in 15. I know it's not an anti-spyware tool, but boy, currently spyware is becoming a lot more annoying than virii or some trojans. :)
    Yeah, I did infect my VM on purpose, and the purpose was to collect all the crap and send it to the appropriate companies (AS/AT/AV). :)
    I have submitted the samples and the traces; now it's up to NOD32 to decide if they should add it or not.

    Cheers,
    Tempnexus on an infected system.
     
  2. iwod

    iwod Registered Member

    Joined:
    Jun 25, 2004
    Posts:
    708
    Have spyware protection with AH, providing there is no performance (CPU / RAM usage) difference.

    I mean, don't do it badly; if you are going to do it, be the best.
     
  3. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I just can't believe that VX2 is such a pain and that nothing kills it. The only way I removed it was to boot into the ERD environment and kill the .dlls and files from there.

    OK, this is what I've thrown against it, even with NET OFF:
    Spy Sweeper
    S&D
    AdAware
    AdAware with VX2 plugin
    Tenebril Spy Catcher
    Giant/MS Anti-Spyware
    Pest Patrol
    KAV 4.5 with X_bases
    KAV 5 with Extended Bases
    NOD32 with everything turned on
    BoClean (kept catching a lot of new spyware but would not kill the cause, VX2).
    TDS-3 (same as BoClean)
    No process killers would kill it. And they would not even kill it in Safe Mode.

    I mean, it's a really "nice" piece of code. A lot of talent got placed into that... and that frightens me, since if a spyware can do that, then what prevents other malware from doing the same? :) I guess we need a next level in protection, because today's tools are failing miserably. ERD was the only way to kill it, and the only way I could kill it was because I knew what the file names were and where they were placed.
     
  4. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
  5. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Most of the top-tier cleaning forums eat VX2 for breakfast, lunch and dinner... that's what they volunteer their time for. While it's not the quickest crap to clean off, those that have gathered the right tools, such as the ones rerun2 linked to, have had good success.
     
  6. quexx88

    quexx88 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    235
    Location:
    Radnor, Pennsylvania
    I'm pretty sure that by having "Potentially Dangerous Applications" enabled in the scan options, some degree of protection against malicious spyware is added, without adding a tremendous amount of application bloat like that found in Norton, which is a joke of an antispyware scanner anyway.
     
  7. Gauthreau

    Gauthreau Guest

    I'm stating the obvious here, but NOD is an AV, not a miracle pill. People want it to be an Anti Trojan, people want it to be anti spyware, people want it to make them breakfast in the morning. There are specific tools for the job; get them and you won't be sorry. If you use the links posted here, you will be safe. You will NOT have to post questions about "are we safe from..." and "how come NOD didn't..."

    Neil
     
  8. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    ^^^^

    That is the problem.
    I had all the tools above INSTALLED and running while I executed VX2 in my VM, and NONE of the tools prevented the installation NOR CLEANED it UP!
    I know about the step-by-step process from Lavasoft... but it's been about 3 months and I thought that some of the tools had already matured enough to at least fix it, if not prevent it.
    I am just saying that for spyware as powerful as VX2, every company should chip in. VX2 is a lot more than a nuisance and it should be attacked from all angles: the AT, the AV and the AS.

    I mean, who wants to download a specific tool just for VX2 and follow a 10-step process? This is not an AA meeting.
    The sad truth is that VX2 is again just the beginning; it's the next step in spyware design, and it should be nipped in the bud while it's not matured enough (or at least the vectors of infection nipped in the bud).
     
  9. sukarof

    sukarof Registered Member

    Joined:
    Jun 22, 2004
    Posts:
    1,714
    Location:
    Stockholm Sweden
    I agree with Gauthreau. If Eset were to implement a spyware remover, I hope they make two versions of NOD32. I bought NOD32 because it wasn't bloatware, just a plain AV.

    I'd rather download specific removers than have protection against spyware that I never get anyway, or at least very, very seldom (if I've been negligent when installing some xxx-ware, and I do test a lot of software). I have chosen to use another browser than the standard one, so spyware is not a problem.
     
    Last edited: Jan 29, 2005
  10. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    All I want them to do is add the defs of the most prevalent/persistent spyware.
    So it will stop the DLLs from installing before it's installed.
     
  11. Culvin

    Culvin Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    47
    What is the specific tool for detecting and removing trojans? The comprehensive reviews I've seen all show Kaspersky ANTIVIRUS detecting more trojans than any dedicated AT does. I don't see the logic in wanting an AV that doesn't protect you from trojans -- trojans are every bit as dangerous as viruses, if not more so. And it's not like adding definitions to an AV adds bloat.

    Adding more spyware definitions would just be a bonus. Spyware is dangerous too after all. And again, adding definitions to a program won't make it bloated.

    Wanting an AV to scan for malware and clean it isn't wanting a miracle pill. Wanting an AV to act as a firewall and spam filter is another story though.
     
  12. Mikkel

    Mikkel Registered Member

    Joined:
    Dec 8, 2004
    Posts:
    35
    With the Microsoft release of the Spyware Beta, it is no use for EZ to develop their own.
    It is free and works very fine imo.
     
  13. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Free at the moment, while it is in Beta ;) :D This IS Microsoft we are talking about ;) :D
     
  14. Yeah, Giant/MS is free at the moment, BUT it does not detect nor stop VX2 :) No matter how many scans you do and no matter in which environment.
    So yes, it's a good anti-spyware, but it once again signifies that spyware is getting more dangerous and ingenious, so it's time to fight it on all fronts.
    And yes, adding a def update for some nasty spyware is not bloat, it's just a bonus. I would not mind if my NOD32 detected blahblah.dll as spyware and prevented it from hooking itself into, let's say, winlogon.exe. That would be just great.
    The VX2 that I got did not come through DX extensions; it had to be manually executed, so in fact it can be attached to some other legit software.
    Oh yeah, and it spews popups even when using Firefox, so Firefox is not a magical cure once you get infected.
    The worst part is that VX2 opens a floodgate to other crapware, and the other crapware starts installing. So from a single spyware infection you will end up with 20-30-100. I had 60 different spyware installed on my VM system by just leaving the system on OVERNIGHT! (Firewall was off.)
    Then I turned on my anti-spyware tools, and the spyware installed even with Giant/MS running! As for Spy Sweeper, VX2 decided to kill the "spyware install" shield and the "browser hijack" shield, so Spy Sweeper was basically just a scanner. Even when you turn the shields back on, they will get disabled once you reboot.

    Don't get me wrong, I've cleaned the system since it was just my sandbox, but what I am trying to say is:
    Let's make the job a bit easier and let's include some more NASTY spyware defs in our database.
    We on these boards are a knowledgeable bunch, but what about the mom and pop who all of a sudden can't use their system because the spyware brought it to a crawl and the conflicts it inflicted rendered the system unstable? It just makes life a bit easier and it makes the company look better; it makes them look like they really care more about their customers.
    And yes, spyware is the early '90s virus and the late '90s trojan threat. The face of evil has mutated, and we should follow in order to keep it at bay.
     
  15. Oh yeah, and downloading specific tools for recovery is only good if you can ID the threat. Since Giant did not ID the spyware, I would not know what the hell is going on. So many others would give their system a scan and think they are clean, when all of a sudden they get popups and other stuff. (I knew it was VX2 since I installed it and since Ad-Aware ID'd it.)

    Infection-specific techniques are only good if you know what you are infected with, and even then you will waste hours trying to pinpoint the source and remove it.
     
  16. Gauthreau

    Gauthreau Guest


    Trojans are a different story than your average virus, hence the reason for programs like Trojan Hunter etc. and I can assure you that Kaspersky does NOT detect more Trojans than the dedicated AT programs. To make a claim like that is a pretty tall order. Don't get me wrong, Kaspersky does a great job at detecting viruses and SOME Trojans, but it's definitely no dedicated AT – I’ve used it in the past, and currently own a copy. It’s also not nearly as light on resources as NOD is either. Spyware is not a virus. There are specific tools for the job, and that we can all agree upon. Just as we would when we say a monkey wrench is not a hammer, saying that an AV should also be a virus remover/protector + an AT remover/protector + an anti-spyware remover/protector is a pretty tall order. You are asking for nothing less than a suite of programs, and that would no less than add bloat (despite what some may think) as well as add enormously to the cost of the program. The people who design the programs aren't going to give them away. A product that can perform all the requested above is no less than a 'miracle pill'.

    It would seem that some have a problem with NOD not detecting certain malware/spyware and have voiced their opinion on the topic, but to me this is misplaced blame. Frustrations concerning malware/spyware should be directed at the dedicated programs that ACTUALLY deal with such items. Ad-Aware, Spywareblaster and Spybot S&D immediately come to mind and posts should be directed at these programs and in the appropriate forums rather than in an AV forum.

    I don't ask utensil manufacturers to produce a spoon that will prevent me from getting fat; rather I must do my part and practice a little common sense when using their products.

    Neil
     
  17. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    What do you mean make breakfast in the morning? I thought NOD already did that !!

    /me *wonders who's been making breakfast?*
     
  18. Culvin

    Culvin Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    47
    Tall order? Go download the detailed results from this well known, independent test:
    http://www.virus.gr/english/fullxml/default.asp?id=67&mnu=67
    Now do you care to show me a review that contradicts this?

    No, I'm looking for one program that will detect and clean malware. Pretty much all AV vendors do this now, including Eset -- NOD32 just needs to improve on its trojan definitions (not add more programs).

    I've seen mods here post that Eset wants to make NOD32 more user-friendly and mainstream. The average home user is not going to distinguish between viruses, trojans, and spyware. They are simply going to want a scanner that detects and cleans any infections on their PC, and this is not at all unreasonable.

    Wanting an AV to detect and clean malware is nothing like wanting a spoon that promotes weightloss... I don't know what more to say on this one.

    Eset knows that ignoring trojans and spyware isn't a good marketing strategy. I'm sure their definitions will continue to improve in these areas over time, and that these definitions won't somehow add bloat to their program.
     
  19. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Read the test again

    So yes, KAV does detect more virii than all the dedicated ATs. However, you said KAV detected more trojans than all the dedicated ATs.
     
  20. Culvin

    Culvin Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    47
    I think you need to read the test again...

    "The virus samples were divided into these categories, according to the type of the virus :
    File = BeOS, FreeBSD, Linux, Palm, OS2, Unix, BinaryImage, BAS viruses.
    MS-DOS = MS-DOS and HLL*. viruses.
    Windows = Win.*.* viruses.
    Macro = Macro and Formula viruses.
    Malware = DoS, Constructors, Exploit, Flooders, Hoax, Jokes, Nukers, Sniffers, Spoofers, Virus Construction Tools, Virus Tools, Corrupted, Droppers, Intended, PolyEngines.
    Script = BAT, Corel, HTML, Java, Scripts, VBS, WBS, Worms, PHP, Perl viruses.
    Trojans-Backdoors = Trojan and Backdoor viruses."

    Now download the detailed results, like I originally instructed, look specifically at the trojan results, and you will understand.
     
  21. Sorry, I didn't want this to get out of hand.
    All I want is this:
    For major, very troublesome spyware, just add their DLLs and their fingerprint to your database and call it whatever, i.e. VX2.Trojandownloader.whatever. It would really help a lot of people.
    It will not slow down the system unless the NOD32 engine comes to a crawl when there is a large signature database... that I don't know.
    You don't have to do it for every spyware... that is a job left for ANTI-SPYWARE. I am just asking for an inclusion of the nastiest of the nasties. That way no one will have to hunt down 20 solutions to one problem that could have been easily prevented with just a def inclusion.
    And I am not asking for an additional module to be included and called SPYMON or whatever. All I am asking is for VX2 and other vicious malware to be included in the typical AMON defs without the need to tick the POTENTIALLY DANGEROUS APPS checkbox in the on-demand portion of the scanner.

    Cheers,
    tempnexus


    P.S.
    If we decide to actually fight together against this threat, then we might actually stand a chance. You must realize that spyware is now becoming a very real threat; also, the newest brands don't care for system stability, so in reality it's beginning to be as annoying as a virus. The previous spyware was just an annoying popup, but this variant and the upcoming variants will actually destabilize your system. They don't care about the symbiotic relationship with you. Most spyware cares to keep your system stable so it can deliver ads; this one just cares to install ads and does not care if the system reboots or crashes once every few hours. That is why this variant should be added as a regular def. Also, as many have realized, the most intelligent malware writers have decided to quit writing trojan and virus code and started working for spyware companies, since after all they can use their malicious skills to actually make a profit. So VX2 and many strains like it are the thing of the future.
     
  22. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you have a sample which you think should be detected, send it to samples@eset.com and if it's actually spyware we'll add detection.
     
  23. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    Yes, I do, and yes, the VX2.exe (installer) is detected (not the individual DLLs that hook themselves into winlogon and other processes), but it's only detected when I use an ON-DEMAND scan with the "potential malware" checkbox checked. That is why I wish that they would remove it from the "potential malware" portion of the scan and add the worst of the worst to normal malware and call it a trojan downloader (since it is one, in a sense), plus I wish that they would add the DLLs to the detection routine and not just the .exe. That way it will prevent the DLLs from hooking themselves into the process and hence prevent the install of the file, just in case the .exe changes.
     
  24. Culvin

    Culvin Registered Member

    Joined:
    Jan 1, 2005
    Posts:
    47
    Another option to consider is putting the "Potentially dangerous applications" option in AMON/IMON.
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia