Just curious: why is Nod32 trying to send nonexisting files for analysis?

Discussion in 'NOD32 version 2 Forum' started by TonyKlein, Jun 24, 2005.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    On two or three occasions, usually on reboot after imaging my drive (and I don't mean restoring an image) Nod32 has alerted me to a few suspicious files (always the same ones) it would like me to send in for analysis.

    Log entries after doing so:

    Now I have a few problems with that:

    First of all, I was completely unable to find any trace of those files and besides, I know I'm not infected...

    What's even stranger, I don't HAVE a Docs and Settings\Mike something folder, and, as I'm running XP Pro, I don't even have a C:\Winnt folder either... LOL

    An on demand system scan always pronounces me clean.

    Now in the past I frequently used to download and test malware, but even that doesn't begin to explain (at least to me it doesn't) why Nod32 was/is finding those files, especially in folders that don't exist...

    Can anyone shed some light on this, please (just curious...)
     
  2. FanJ

    FanJ Guest

    I hope you'll get an answer from ESET, Ton.

    Lately I find the support from ESET very bad, and I seriously consider dumping the whole program :mad:

    Take care my old friend !!!

    Cheers, Jan.
     
  3. TonyKlein

    TonyKlein Security Expert

    Hi Jan! :)

    I detect some bitterness there... :(

    Personally, I have to say I'm still pretty pleased with this latest version of Nod32, and I expect this to be a harmless, although weird little quirk...
     
  4. Mike415

    Mike415 Registered Member

    Joined:
    Mar 13, 2005
    Posts:
    42
    Try enabling the view of hidden files and folders...
     
  5. TonyKlein

    TonyKlein Security Expert

    I know about un-hiding files and folders...

    But please read what I wrote: my system folder is C:\Windows\System32 - I don't HAVE a Winnt folder, and being the only user of this computer, I'd certainly know it if there was a 'Mike' there as well.

    The folders do not exist on my computer.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    To FanJ:
    I really don't know who you contacted, because we at Eset in Slovakia respond to every email that arrives. Please send me a PM with more details such as what address you sent it to, or simply PM me your inquiry. I'll be happy to respond instantly, but please take into account that we, in Slovakia, are in a different time zone.

    To TonyKlein:
    I assume the folder c:\winnt was created by a trojan which was subsequently moved by AMON to quarantine (default setting). The same goes for the file in the temp folder.
     
  7. TonyKlein

    TonyKlein Security Expert

    Hi Marcos,

    After receiving the first alert, although mighty surprised, I immediately proceeded to search for the files, but, not unexpectedly, I really didn't have the Winnt folder then either.
    File nor folder were there in the first place, nor do I remember Amon quarantining or catching anything beforehand.
    In any case, the Quarantine folder was empty (I now remember I checked it...)

    As for the file in the Temp folder, am I to assume the trojan first created a brand new user profile by the name of Mike something all by itself before subsequently installing itself in its Local Settings\Temp folder?

    And that subsequently Amon not only deleted/quarantined the infected files but got rid of those folders as well, leaving no trace?

    Pretty much unheard of, if you ask me...
     
    Last edited: Jun 24, 2005
  8. TonyKlein

    TonyKlein Security Expert

    ... also, if Amon ever quarantined, detected or removed any of these files, there should be some entry in the logs, I should think... which there isn't.
     
  9. Marcos

    Marcos Eset Staff Account

    Isn't there anything mentioned in the Threat log?

    From time to time, I'm trying to infect my testing machine with 10-20 trojans at a time and AMON has never done anything strange.
     
  10. FanJ

    FanJ Guest

    Hi Marcos,

    I will let you know.
    Looking forward to your reply.

    I don't want to hijack Tony's thread any further.
    Sorry Ton !!!

    Jan.
     
  11. TonyKlein

    TonyKlein Security Expert

    Entire log (I've been trying out some stuff... LOL)

    (Log since I did a fresh install of the latest build, BTW, TDS3 folder now excluded from scanning...)
     
    Last edited: Jun 24, 2005
  12. FanJ

    FanJ Guest

    For Tony and Marcos:

    Hi guys,
    I will send you both in a few minutes an IM on this board; please do look at it ;)

    Warm regards, Jan.
     
  13. Marcos

    Marcos Eset Staff Account

    Well, could you please confirm you actually installed NOD32 on May 29 as it is the very earliest date in your log?
     
  14. TonyKlein

    TonyKlein Security Expert

    Not 110% sure, but close to that date, at least.

    However, I'm not sure that's even relevant to this problem, as round the time I got that latest prompt (four days ago) I turned my machine upside down, but of course there were no such folders or files to be found.
    So how can Nod32 be sending in nonexistent files from nonexistent folders (as the log says it did), moreover without as much as a squeak from Amon prior, during or after the event?

    And where did these mysterious files go, if they were neither quarantined nor deleted, and I'm not even mentioning the folders in question?

    It's not a big deal to me, but it's weird nonetheless.

    Were it to happen again (one never knows...) I'll be sure to post here right away...
     
  15. TonyKlein

    TonyKlein Security Expert

    OK, I removed all 'bad' links from my Threat Log (thanks, Jan! ;) )
     