is this file anything to worry about?

Discussion in 'NOD32 version 2 Forum' started by rothko, Apr 13, 2005.

Thread Status:
Not open for further replies.
  1. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    hi

    bored today and so thought i'd install kaspersky to see what it is like, currently i'm a very happy nod32 user.

    before doing this i ran a full scan with nod32 2.5 beta fully up to date and with settings maxed out, which turned up nothing suspicious. so i downloaded kaspersky, updated it and ran the scanner and it found 5 infected items in a file stored in my firefox cache.

    this is the path:

    C:\Documents and Settings\*user*\Application Data\Mozilla\Firefox\Profiles\b7l0rbu2.default\Cache

    I submitted that file to Jotti and it produced the result shown below. of the files listed, i know nod32 detects the 'megasearch' and 'savenow' spyware cos i purposefully downloaded them recently to test what nod did with them (yes, sad, i know), and it did detect and remove the files when i attempted to install.
    Not sure about the trojans though.

    I was wondering if the reason nod32 doesn't detect threats in this file is because it isn't really a threat? i don't know whether i should bother submitting the file to eset or not.

    regards, lee
     

    Attached Files:

  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    I would suggest you submit them, I believe Jotti submits all missed files to AV makers that miss a detection so I would think Eset already got them, I am not sure if he does this for Adware though.
     
  3. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    They may be non-active components or files that do nothing on their own without the active parts that are not present.
     
  4. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    file sent to eset, thanks to all who replied
     
  5. Happy Bytes

    Happy Bytes Guest

    Got it :D Under progress :cool:
     
  6. Happy Bytes

    Happy Bytes Guest

    BTW... the VBA32 detection is a false positive - it flags a WISE Installer DLL as Spyware/Adware. This file will not be included into detection cuz it's clean.
     
  7. Happy Bytes

    Happy Bytes Guest

    Ok, the spyware will be nailed soon :cool:
    Thanks for sending ;)
     
  8. Happy Bytes

    Happy Bytes Guest

    BTW i give you the ultimate trick :cool:

    This is a self installing ZIP - Executable. Normally you need to start this via double-click... But hey... Wait! :cool:

    Rename this file from *.exe into *.zip - then browse it - it will work and nothing will be infected - so you can select the good files out of the spyware.

    Pretty cool or ? :D

    Don't touch SEARCHTOOLBARBUND.EXE, WUSVINST.EXE and SETUP_INCREDIFIND_ONLY.EXE that's the spyware... The other files you can use :cool: Have fun :ninja:

    8^) HB.
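
The inspection described in post 8, done programmatically, as an added example that is not part of the original thread: Python's `zipfile` reads the archive appended to a self-extracting stub, so members can be listed and hashed without running the file. The sample archive, its member contents and the `MAX_MEMBER` limit are constructed assumptions; the flagged names are the three given in the post.

```python
import hashlib
import io
import zipfile

# Member names that post 8 of the thread identifies as the spyware.
FLAGGED = {"SEARCHTOOLBARBUND.EXE", "WUSVINST.EXE", "SETUP_INCREDIFIND_ONLY.EXE"}
MAX_MEMBER = 64 * 1024 * 1024  # assumption: refuse to unpack larger members


def inventory_sfx(data: bytes):
    """Inventory a self-extracting ZIP without executing its stub.

    Returns (stub_length, rows); each row is (name, size, sha256, flagged).
    """
    buf = io.BytesIO(data)
    if not zipfile.is_zipfile(buf):
        raise ValueError("no ZIP central directory found in this file")
    rows = []
    with zipfile.ZipFile(buf) as zf:
        infos = [i for i in zf.infolist() if not i.is_dir()]
        # zipfile corrects offsets for data prepended to the archive, so the
        # lowest local-header offset is where the executable stub ends.
        stub_length = min((i.header_offset for i in infos), default=0)
        for info in infos:
            if info.file_size > MAX_MEMBER:
                raise ValueError(f"{info.filename}: declared size too large")
            digest = hashlib.sha256(zf.read(info)).hexdigest()
            base = info.filename.replace("\\", "/").rsplit("/", 1)[-1].upper()
            rows.append((info.filename, info.file_size, digest, base in FLAGGED))
    return stub_length, rows


def build_sample() -> bytes:
    """Constructed sample: 64 placeholder stub bytes followed by a ZIP."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("README.TXT", b"constructed placeholder text")
        zf.writestr("WUSVINST.EXE", b"constructed placeholder, not a real binary")
    return b"MZ" + b"\x00" * 62 + archive.getvalue()


if __name__ == "__main__":
    stub, rows = inventory_sfx(build_sample())
    print(f"stub: {stub} bytes")
    for name, size, digest, flagged in rows:
        print(f"{'FLAGGED' if flagged else 'ok':8}{name:14}{size:6}  {digest}")
```

The SHA-256 of each member is what you would quote when submitting an individual file to a vendor or a multi-scanner service.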
     
  9. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    that is a useful tip, thanks!

    so did nod32 just not detect this file as being a threat because it isn't really a threat? or because it needs new signatures?

    there is a file in that archive called Wusvinst.exe which nod32 doesn't report as suspicious, but when i run it it then does recognise it as adware (WhenUSave). can it not be recognised before it is installed?

    thanks again, Lee
     
  10. Happy Bytes

    Happy Bytes Guest

    *wink*
     
  11. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    oh yeah, i read that - i just was wondering if nod32 should be able to detect that file (and others) as adware without having to run it first (which AMON then stops).
     
  12. Happy Bytes

    Happy Bytes Guest

    The missed Spyware will be added :cool:
     
  13. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    oh yeah, course..........but i was just wondering - the WUSVINST.EXE file isn't detected by nod32 scanner or imon when downloading it, but it is detected by amon on running it. is it possible for an anti-virus program to detect that it is spyware just from scanning the .exe file, without having to actually double-click to run the install?
     
  14. Happy Bytes

    Happy Bytes Guest

    Do you have archive scan enabled during on-demand scan?
     
  15. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    yeah, but even if i unzip those files to a folder and scan the individual file or the whole folder, it doesn't detect any of the files, even SEARCHTOOLBARBUND.EXE, WUSVINST.EXE and SETUP_INCREDIFIND_ONLY.EXE.
     
  16. Happy Bytes

    Happy Bytes Guest

    LOL i know! That's why i told you will be added :cool:
     
  17. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    i'm confused then - i thought if AMON detects WUSVINST.EXE as WhenUSave ADWARE then all other components would be able to detect it too?? do you have to release separate updates for separate components then?
     
  18. rothko

    rothko Registered Member

    Joined:
    Jan 12, 2005
    Posts:
    579
    Location:
    UK
    hi - got the latest update (1.1062) and now the nod32 scanner detects Incredifind.

    still curious as to why NOD32 scanner doesn't detect WUSVINST.EXE, but AMON does. Maybe it is me not understanding NOD32 correctly, but I assumed if one module detected a threat then they all did? thanks, lee
     