Is the nod32 smart scan accurate enough?

Discussion in 'ESET Smart Security' started by satasonic, May 23, 2011.

Thread Status:
Not open for further replies.
  1. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Just wondering. There was an advertisement on a website, which apparently was malicious. The threat came from *tituliaconnect.com* (It would be nice if someone would check if its indeed a threat :) dont know how to myself, lol). After that, I deleted the detected threats log and deleted the file from quarantine after deleting all the cache and history from my browser.

    Now, I am doing a smart scan of my machine. Any idea if its accurate or not?
     
  2. yongsua

    yongsua Registered Member

    Joined:
    Feb 9, 2011
    Posts:
    474
    Location:
    Malaysia
    I believe ESET detection:

    See:
    Report 2011-05-23 10:23:16 (GMT 1)
    Website tituliaconnect.com
    Domain Hash 40d21e02fa6d38f18ff5780a64053dd0
    IP Address 67.225.157.151 [SCAN]
    IP Hostname host.xwhostserver.com
    IP Country US (United States)
    AS Number 32244
    AS Name LIQUID-WEB-INC - Liquid Web, Inc.
    Detections 1 / 23 (4 %)
    Status SUSPICIOUS
    Scanning site with: AMaDa CLEAN
    Scanning site with: BrowserDefender UNRATED
    Scanning site with: DNS-BH CLEAN
    Scanning site with: DShield SDL CLEAN
    Scanning site with: Google Diagnostic CLEAN
    Scanning site with: hpHosts UNRATED
    Scanning site with: joewein.de LLC CLEAN
    Scanning site with: Malc0de CLEAN
    Scanning site with: Malware Domain List CLEAN
    Scanning site with: Malware Patrol CLEAN
    Scanning site with: MyWOT UNRATED
    Scanning site with: Norton SafeWeb UNRATED
    Scanning site with: ParetoLogic URL Clearing House CLEAN
    Scanning site with: PhishTank CLEAN
    Scanning site with: SCUMWARE CLEAN
    Scanning site with: SpamhausDBL CLEAN
    Scanning site with: SURBL CLEAN
    Scanning site with: Threat Log CLEAN
    Scanning site with: Trend Micro Site Safety Center DETECTED
    Scanning site with: URIBL CLEAN
    Scanning site with: VSCAN CLEAN
    Scanning site with: Web Security Guard UNRATED
    Scanning site with: ZeuS Tracker CLEAN

    *

    It is probably malicious.
     
    Last edited by a moderator: May 23, 2011
  3. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Thank you for that. How come other AV programs didnt detect anything though?

    On topic: I scanned my machine twice with smart scan, 0 infections. You think im safe?
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    I think you are safe.
     
  5. tony_m

    tony_m Eset Staff Account

    Joined:
    Nov 22, 2010
    Posts:
    239
    Hi,

    A copy of the Detected threats log would have been helpful here, but I see you deleted it. The threat was detected and stopped by real-time protection, the on-demand scan reveals no threats, it would appear your system is malware free :)
     
  6. m0unds

    m0unds Guest

    FWIW, from a test VM: 5/23/2011 3:30:00 PM HTTP filter file hxxp://tituliaconnect.com/ JS/TrojanDownloader.Iframe.NKC trojan connection terminated - quarantined Threat was detected upon access to web by the application: C:\Program Files (x86)\Mozilla Firefox\firefox.exe. - the detected element's in a <body> tag near the top of the document
     
  7. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Thank you for that, but whats the chance that it might be a false positive?


    On topic:

    A strange thing happened before. When I accessed this website through IE, it didnt get blocked. When I opened it on Opera, it immediately got blocked. After 3 smart scans, nothing was revealed.
     
  8. m0unds

    m0unds Guest

    imo, it's not a false positive. kaspersky is also detecting the threat - the iframe i mentioned contains a call to a remote server, which is currently offline. i found a few references to this particular host being used to deploy iframe exploits.
     
  9. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    So if It got blocked, then I deleted the cookies and temp files from Opera, then deleted the file from quarantine and scanned 3 times, do you think Im safe?


    How could this website infect me? By launching a process or something?
     
  10. m0unds

    m0unds Guest

    when the eset product detected it and quarantined the malicious javascript + iframe, you were safe. it prevent it from being executed by the browser and quarantined it. the ancillary scan wouldn't hurt, and if you're really paranoid you could also run a scan with malwarebytes or something else. personally, i wouldn't worry though since it successfully blocked the script before it could be executed.

    probably doing something to leverage an exploit in an unpatched browser or plugin. since the iframe src's host is down, i have no idea what that particular mechanism would be. something bad, though :)
     
  11. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Thank you for the reply. However another strange thing, is how it all happened.

    My dad has been browsing yesterday, and I just happened to randomly checked the browsing history. That website was there (He uses IE), in some sort of an advertisement form. I deleted the browsing history, and went to the website on my Opera browser, and hurray- It got blocked!

    One question- How did it bypass the block on IE? Maybe my dad didnt really enter it, maybe it just appeared on the front page of some other website?
     
  12. satasonic

    satasonic Registered Member

    Joined:
    Apr 14, 2011
    Posts:
    51
    Bump please
     
Thread Status:
Not open for further replies.