Nod 32 Not Detecting Viruses

Discussion in 'NOD32 version 2 Forum' started by worldcitizen, Aug 4, 2004.

Thread Status:
Not open for further replies.
  1. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Lately my PC has been acting weird. I did a full virus scan with NOD32 and nothing. I have the latest definitions etc and used deep scan etc. So I checked using a few other anti-virus solutions and this is what I found.

    McAfee AVERT Stinger Version 2004

    C:\WINDOWS\system32\drivers\etc\hosts Found the Qhosts.apd trojan !!!
    C:\WINDOWS\system32\drivers\etc\hosts has been repaired.
    C:\WINDOWS\system32\TFTP3468 Found the W32/Sdbot.worm.gen.t virus !!!
    C:\WINDOWS\system32\TFTP3468 has been deleted.
    Number of clean files: 35666
    Number of infected files: 1
    Number of files repaired: 1
    Number of files deleted: 1

    Online McAfee Scan

    We found 1 record(s) matching the following criteria:
    Virus name with "W32/Gaobot.worm.gen.f".
    W32/Gaobot.worm.gen.f


    Symantec Online Scan

    C:\WINDOWS\system32\wmmon32.exe is infected with W32.HLLW.Gaobot.gen

    Trend Micro HouseCall

    C:\WINDOWS\system32\wmmon32.exe

    Panda Active Scan Virus:W32/Gaobot.AAM.worm Not disinfected C:\WINDOWS\system32\wmmon32.exe


    Bit Defender Free 7.2

    C:\WINDOWS\system32\wmmon32.exe Infected Backdoor.Agobot.KM


    NOD32

    number of viruses found: 0

    McAfee Stinger found and killed 2 & with Bit Defender FREE I quarantined the other 1 and rebooted and will delete it but the thing is NOD32 found absolutely nothing and this really concerns me. I don't care how many virus bulletins NOD has won or even if it's my fault that they got on my machine. The issue here is why isn't the NOD32 scanner detecting these while all other anti-virus scanners ARE detecting it? Don't tell me I haven't configured NOD32 properly because that just won't wash with me because I didn't have to configure any of the other anti-viruses and they found it easily. TDS 3 also found nothing.

    Unless Panda, McAfee, Symantec, Trend Micro & Bit Defender are all wrong then there's something wrong with NOD32.

    My main concern is that the NOD 32 scanner picked up nothing.

    Dave

    Dave
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    But you submitted the files to DCS and Eset, right o_O
     
  3. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    He shouldn't have to. If Eset cooperated with other AV companies they would already have these samples. Every one of those was added to their respective providers definitions in early to mid APRIL!!! FOUR MONTHS AGO!!!!
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    Eset does interact with other vendors.


    June 17th, 2004, 03:11 AM
    Eset Moderator

    Join Date: Oct 2002
    Posts: 208
    Default Re: What happend ESET?
    Hi Guys,

    Eset appreciates (a lot) all and every sample/s sent to its labs (samples@eset.com). Every sample is logged and examined using various methods. Addition of a sample-signature into the database is made on a need-to basis. Extraction of a signature of a sample is an automated process and could be completed in no time. However, Eset does not want to take part in a 'maximum-size-of-the-database' race and prefers to keep the database clean, i.e. without 'meaningless' benign signatures.

    Some of the forum participants may recall the Rosenthal Utilities (RU) tests performed by CNET two years ago. All the 'simulated viruses' generated by the RU were benign (non-viral). 100% detection of the RU samples (achieved by some of the products) meant 100% False Alarm Rate. Detection of non-viral samples may lead to a couple of things: excellent results in some 'tests' combined with a false sense of security, a huge 'virus' signature database and 'dinosaur' update files.
    Exponential increase of the number of new malware samples may often lead to a 'path-of-least-resistance' approach: automatic addition of all sample signatures, regardless of their viral nature.

    Eset exchanges samples with several av vendors. The opposite statement is incorrect.

    Speed of update and reaction time is of essence. Eset is fully aware of that. Advanced Heuristics has been developed and implemented with that in mind. The only acceptable reaction time is equal to zero. NOD32 achieves that often, e.g. it detected the infamous Netsky.A and Bagle.A heuristically.

    Once again, I would like to thank you all: for both the samples and your patience :)

    anton
    Last edited by anton : June 17th, 2004 at 04:11 AM.
     
  5. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Obviously heuristics and reaction time were not acceptable in this case. But NOD did get 3 VB100's during the same time. As for the RU situation, these trojans were obviously not part of the RU set. His computer was acting weird so he sought multiple opinions. They appear to have been functional and not test viruses. Good thing they weren't on the VB ITW List.
     
    Last edited by a moderator: Nov 10, 2004
  6. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    If he didn't submit them, we have no idea what they were or were not. All we have here is a post, no submitted files/proof.
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Agreed. If he is telling the truth though, Symantec, McAfee, Trend Micro and Panda all added these detections between 4/8 and 4/24. I didn't check Bitdefender's website to see when that was added.
     
  8. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    There is still no naming correlation on viruses between the companies. One vendor might call it vx.1. Another might call it vx.1b.

    It causes confusion to us poor saps out here in the blue. :D
     
  9. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Hi Guys,

    Please be 100% sure I'm telling the truth. I've used NOD32 for 1 year and renewed my license about 2 weeks ago and thought the world of it. The first 2 viruses I couldn't submit because McAfee automatically cleaned them and I looked around on the Eset website for a way to submit the other one but couldn't find any link to do that. Please understand that I tried and if I overlooked something then I'm sorry but I'm 100% sincere.

    I have been a NOD 32 fanatic until this and believe me I wouldn't have posted this if it didn't really happen. ALL the details you see were copied and pasted from online scanners as well as Bit Defender and all of them caught everything on my machine and they all agreed that I had viruses but strangely NOD didn't see anything. I even found the file in the windows system32 folder and right clicked on it with NOD and scanned but it said the file was virus free. A right click with BD brought up an alarm.

    The other day I had 3 serious crashes and had to figure out what was wrong so when NOD didn't detect anything I sought a 2nd opinion and a 3rd and 4th and was shocked to find they all found something on my pc except NOD which gave it a clean bill of health. I'd understand a virus getting through but this was multiple infections not even detected by Amon, Imon or the scanner so something seems not to be right at all. TDS 3 never picked up anything either but port explorer did show some hidden processes earlier on which were using my connection.

    Another thing is that I have ALL Microsoft updates installed as well as my firewall turned on but even if somehow they got on due to user error what concerns me is that I got multiple infections of a worm, a trojan and a virus and the NOD 32 scanner didn't pick up anything. NOD 32 had the latest definitions last night which were 1833. The definitions today now as I post are 1834.

    About me telling the truth. Have a look about any of my other posts about NOD32 and you will see I think the world of it and have no reason to lie.

    I live in Australia and it's winter here. My temps are usually 35 but last night they shot up to 51 idle on both cpu & pwm so I thought it was some backdoor activity and started looking for infiltrations and found 3. Since then my temps have gone back to normal and my connection is no longer continuously downloading like it was the other day when Port Explorer showed some hidden processes running.

    I really did go to the Eset site last night to try and submit a copy but couldn't find any link so I submitted it to Bit defender and had Bit Defender delete it because it caused me so many problems.

    I say again that everything I posted was truthful and accurate and not from me but copied and pasted from the online scans and log files of all the AV's. Please don't doubt my sincerity because this really happened and I am very concerned now about NOD32's scanner as all 3 got through all defenses and even the scanner picked up nothing so I'm really concerned because I need to be properly protected and if something does get through then I must be able to at least have a scanner that detects it.

    Also I do not use System Restore to make sure viruses are not stored anywhere else.

    Best Regards

    Dave
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Dave, do you run a weekly scan with Nod32?

    What other security are you using?

    A firewall?
    Spyware Removal?
    Spyware Prevention?

    If you have a look in your Nod32 Logs, do they show any activity?

    Cheers :D
     
  11. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Hi BlackSpear,

    I run a full virus scan with NOD daily.

    I just can't understand how TDS 3, Spy Sweeper, Port Explorer, Panda, HouseCall, Symantec, McAfee & Bit Defender all set off alarms and KNEW something was definitely wrong while NOD32 gave my machine a clean bill of health. Can someone from Eset explain why only NOD32 didn't detect these infiltrations?

    NOD32 scanner should have picked up SOMETHING during a scan. I scanned several times with all settings on deep. I had multiple infiltrations of various kinds of viruses that even anti-spyware detected.

    I really don't know what to do now except buy a new anti-virus tonight because I accept that viruses get through sometimes but if a scanner can't pick up multiple infiltrations while all the other security software is sounding alarms then how can I live with that? What's disappointing to me is that I just spent money on renewing NOD32 2 weeks ago and now I've got to go & buy another AV because NOD32's scanner is missing a lot of viruses.

    Has anyone got any advice about a new anti-virus?

    Thanks

    Dave
     
  12. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA

    Sure, have the files been submitted yet? Then we can take a look and see what's up. BTW - in your previous post you said that TDS3 did not detect these "intrusions" but now you claim they did. Clarification in regards to these claims may be in order.
     
  13. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    further clarification on my part warrants these quotes:


     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I still want to know what other security you are running? A Firewall? This should have let you know that you had something trying to access the internet.

    Do your virus or event logs show AMON having a struggle with it?

    http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

    Trojan.Qhosts is a Trojan Horse that will modify the TCP/IP settings to point to a different DNS server.

    Trojan.Qhosts cannot spread by itself. For a computer to become infected, you would have to open an HTML page that contains code, which allows the Trojan to open a viral HTML file on the target computer, so that the script can create and run the malicious executable.

    Cheers :D
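
    The Qhosts behaviour quoted above (rewriting the hosts file so that well-known names resolve to an address of the attacker's choosing, which is what the Stinger log in the first post reports repairing) can be checked for without relying on any one scanner. The script below is an added example, not code from this thread or from Eset, McAfee or Symantec; the sensitive-domain list, the sample hosts content and the 203.0.113.x addresses (a documentation range, not a real attacker) are constructed for illustration.

```python
"""Flag hosts-file tampering of the kind the thread's Stinger log attributes
to Qhosts: hostname hijacks in %SystemRoot%\\system32\\drivers\\etc\\hosts.

Added example, not code from the thread or from any vendor named in it.
The sensitive-domain list, SAMPLE_HOSTS and the 203.0.113.x addresses are
constructed (203.0.113.0/24 is reserved for documentation).
"""
import hashlib
import ipaddress

# Hostnames that hosts-file hijacks commonly target: search engines (to
# redirect users) and AV/update sites (to block updates). Constructed list.
SENSITIVE_DOMAINS = frozenset({
    "www.google.com",
    "www.symantec.com",
    "www.mcafee.com",
    "www.eset.com",
    "windowsupdate.microsoft.com",
})

# Addresses a hosts file legitimately points at: loopback, unspecified,
# RFC 1918 and link-local ranges. Anything else is treated as non-local.
LOCAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "0.0.0.0/32", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]

# Constructed sample hosts file: lines 4-6 are the kind of entries malware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
203.0.113.7     www.google.com       # redirect users to an attacker server
127.0.0.1       www.symantec.com     # sinkhole the AV vendor's site
203.0.113.8     www.bank.example     # redirect a site not on the watch list
192.168.1.10    printer.lan          # legitimate LAN override
notanip         broken.example
"""


def is_local(ip):
    """True if ip falls in one of LOCAL_NETWORKS (version mismatch -> False)."""
    return any(ip in net for net in LOCAL_NETWORKS)


def parse_hosts(text):
    """Return [(line_no, ip_or_None, hostname)] for every mapping.

    Comments (after '#') and blank lines are skipped; a line whose first
    token is not an IP address is returned with ip=None so it can be flagged.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = line.split()
        try:
            ip = ipaddress.ip_address(tokens[0])
        except ValueError:
            entries.append((line_no, None, line))
            continue
        for host in tokens[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries


def find_suspicious(text, sensitive=SENSITIVE_DOMAINS):
    """Return [(line_no, hostname, reason)] for entries worth a closer look.

    Rules: (1) any mapping for a sensitive hostname, whatever the address,
    since loopback/0.0.0.0 is used to block update sites; (2) any mapping to
    a non-local address, because a hosts file normally holds only loopback
    or LAN overrides; (3) malformed entries.
    """
    findings = []
    for line_no, ip, host in parse_hosts(text):
        if ip is None:
            findings.append((line_no, host, "malformed entry"))
        elif host in sensitive:
            findings.append((line_no, host, f"sensitive hostname mapped to {ip}"))
        elif not is_local(ip):
            findings.append((line_no, host, f"mapped to non-local address {ip}"))
    return findings


def hosts_fingerprint(text):
    """SHA-256 over the mappings only (comments/whitespace normalised away),
    so a baseline taken on a clean system can be compared after a scan."""
    canon = "\n".join(f"{ip} {host}" for _, ip, host in parse_hosts(text)
                      if ip is not None)
    return hashlib.sha256(canon.encode()).hexdigest()


if __name__ == "__main__":
    for line_no, host, reason in find_suspicious(SAMPLE_HOSTS):
        print(f"line {line_no}: {host}: {reason}")
    print("fingerprint:", hosts_fingerprint(SAMPLE_HOSTS))
```

    On a real machine read C:\WINDOWS\system32\drivers\etc\hosts (the path in the Stinger log) into `find_suspicious`, and record `hosts_fingerprint` from a known-clean install so a later change shows up even when the new entry is not on the watch list. The two rules deliberately cover both hijack styles: redirecting a popular site to a foreign address, and pinning an AV or update site to loopback so the product can no longer fetch definitions.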
     
  15. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Please forgive my mistake. I meant of the 3 viruses I posted TDS 3 didn't detect any. Earlier TDS 3 did detect a RAT apart from the 3 other infections. That makes FOUR infections. I hope this clarifies the issue and sorry for omitting it as I didn't find any TDS 3 log referring to the infiltration.

    Please also understand that Stinger cleaned 2 infections automatically and all I was left with was a log to post which I did. I searched in TDS 3 logs but didn't find anything about the RAT. Doesn't TDS 3 keep a record of RATS found etc if so where?

    As to the other virus, I went to the Eset site at about 4am this morning (very tired) I searched but couldn't find or didn't see anywhere to submit the virus. (I have never submitted to Eset before) So I submitted it to Bit Defender which I had downloaded (the free version) and had Bit Defender delete it.

    So TDS 3 found 1 of the infiltrations and the other security software found the other 3 amongst them but NOD 32 found nothing at all. This is the absolute truth so help me God and I'm not about to start lying. So of FOUR infiltrations NOD 32 not only let them in but the scanner didn't detect any of the four.

    So I should have mentioned the 4th RAT and that makes the statement that all security software except NOD 32 detected infiltrations correct, but I have no record that I can find of the RAT being detected. If it's somewhere I can post it for you if I know where to find it.

    Now a question. Whenever I get that red box saying it has found a virus or worm etc and delete it, when I go into AMON it doesn't say found 1 deleted 1 but almost always says found 5 deleted 2 or found 7 deleted 1. It never ever shows in the GUI that it has deleted all the found viruses and whenever I run a scan it ALWAYS reports nothing so I assume that it's nothing or are there viruses getting through which NOD32 just can't delete quick enough and later disguise themselves so NOD32 can't find them? o_O With email this never happens and NOD is always able to delete all viruses in emails.

    Dave
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You have 2 world leaders in their fields beaten somehow; I'd also be scratching my head as to why and how... Have you asked the Question in the TDS forum as well as linking to this post?

    When AMON cannot delete a file, it basically means that the file is in memory and must then be removed through a scan in safe mode.

    I have come across an event which I posted somewhere in this forum where AMON had been struggling with an infection stuck in restore, and this had been going on for days (at that time I did not run a weekly scan, too used to my system being clean). When I checked my logs it showed AMON having a struggle with the file. Turned off system restore, ran a scan and everything was back to being clean...

    You are yet to tell me about your security, is it that you are/were running without a firewall?

    Cheers :D
     
  17. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    Hi BlackSpear,

    I was running XP Firewall, Spy Sweeper, TDS 3, NOD 32.

    On a number of occasions lately I have had the NOD32 GUI completely wiped out leaving only the green border with no text inside. Somehow I am of the opinion that there is a worm out there which is able to disable and even delete some AV's and I think that previously NOD was deleted.

    But this time I can't for the likes of me figure out why it isn't detecting at all.



    Regards

    Dave
     
  18. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    I just uninstalled NOD 32 and re-installed it after deleting the folder. I'll have a look around for something else. All the other AV's scanned and detected ok so it's just a matter of choosing and paying again.


    Dave
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You have quoted at least 2 Trojans which is the prime function of TDS. You are running XP's own firewall, which is slightly better than nothing at all, you obviously were not warned that there was a program trying to make an outgoing connection, and this being the case, what's the point of having it? Yes it may stop incoming, but as you found, not outgoing...

    All in all your security has holes in it, and this is only from a small amount that you have said...

    I would look at tightening your security and using the existing products that you have paid for. I wonder as to why you aren't looking for another Trojan detector other than TDS, I'm not saying you should, just that you seem to be laying the blame at the foot of an anti-VIRUS program (it is becoming better at detecting Trojans, the new Beta and coming version will attest to this), and yet you have one of the world's best anti-TROJAN detectors that somehow failed to protect your system.

    Here is a link discussing what you should have for security on a PC:

    https://www.wilderssecurity.com/showthread.php?t=43117

    Hope this helps...

    Cheers :D
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Why not try the Beta that has HTTP scanning, it should have stopped this in its tracks...

    Cheers :D
     
  21. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    Before considering a new antivirus, Dave, take a look at one of your posts over at the NOD Beta section;

    QUOTE - I've been having a real, real problem with Trojans & Downloaders getting onto my PC and causing problems and the other day after a few got onto my hard drive it became corrupted and it took me 2 days to get it back to normal.- UNQUOTE.

    And in this main thread you admitted that you surfed a number of questionable sites and a number of us suggested you practice safe-hex; https://www.wilderssecurity.com/showthread.php?t=43036.

    Many of us have NEVER had a trojan or virus infection on our machines yet this seems a common occurrence on your computer. Even Kaspersky and for example TDS-3 running in real time can be defeated by malware which are not in their database. NO AV or AT can give you 100% protection.

    Overall you need to;

    1. Start to practice safe-hex and this includes web-sites that you visit.

    2. Update to a good software firewall which should detect any trojan phoning home. The XP Firewall gives good inbound but NO OUTBOUND protection.

    3. NOD will give you excellent protection IF you practise safe-hex. However, if you want to continue visiting these dubious web-sites you need a good AT running full-time alongside NOD. Was TDS-3 running as a RTM and were you using the recent beta of NOD (you were previously) at the time of your present infections? You need a memory scanner for the sites you visit!!!

    4. To save money now, run a free AV as a backup to NOD and scan regularly to check whether anything is missed. Good free scanners are;

    F-Prot for DOS - http://www.f-prot.com/products/home_use/dos/

    eScan AntiVirus Toolkit - http://www.mwti.net/antivirus/free_utilities.asp


    Whether NOD let you down here is, in some respects, irrelevant. Overall, even if you have the best protection available you can still become infected if you do not practise PREVENTIVE measures. ALL AV's will let you down if the USER is not playing his/her part in the layered defense of the computer.

    Dave, keep NOD and try safe- surfing.

    PS Dave, you recently purchased Process Guard; https://www.wilderssecurity.com/showthread.php?t=26907; did this not kick in anywhere during the infections?
     
    Last edited: Aug 5, 2004
  22. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    IF you were running your Process Guard, and therefore protecting NOD, surely this would have been picked up if due to some sort of malware attack?
     
  23. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi Worldcitizen,
    Most of Agobot variants are detected via advanced heuristics - I don't assume it could get into your computer with the beta installed (AH is supported both in the HTTP scanner and AMON). However, I must concede not everyone is willing to install beta - if that's the case, I suggest you carry out a full system scan with AH enabled (it can be triggered by running nod32.exe with the /ah parameter). There are many new improvements planned to be incorporated soon, not forgetting improved submitting of samples. For now, if you find a suspicious file or NOD32 reports one as a probable NewHeur_PE virus, please submit it to samples@eset.com for analysis.
     
  24. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    OK everyone,

    FIRST. A very BIG THANKS for your extremely patient and kind support which I would receive NOWHERE ELSE. You are very good and knowledgeable people and I trust you and like you all a lot.

    Now - the beta NOD 32. I installed it a few days ago. Soon after when my wife booted and started listening to her news programs using real player the sound stalled and the pc froze while the disk kept spinning. I rebooted and couldn't restart and had to re-install Windows. Just after I had re-installed everything I went away for a few minutes and the screensaver was running and when I touched the mouse everything went funny and again I had the same problem and had to re-install XP. After another re-install my wife again got stuck and the same problem occurred having to re-install again. Couldn't get into safe mode at all any of the times. I tried to figure it out and rang the technician and he couldn't guess. Later I just remembered I had the beta running and uninstalled it. Since then I haven't had any crashes and my wife's programs work as normal again. I did memtest and disk checks etc

    So the other day I got these viruses. I had Spy Sweeper and NOD and I can't remember exactly if TDS 3 was running because I start it up manually and that day I was in such a mess I could have forgotten but it's unlikely. I had Outpost Pro running when I had the crashes and I have had problems with it before so I removed it. There used to be an issue with OP that it would crash certain pc's and mine was 1 of them and Agnitum made a fix but I wasn't sure so I uninstalled it but I THINK it may have been the NOD32 beta because since removing that I haven't had any crashes but also I haven't used OP too. I do own BoClean as well as Trojan Hunter as well as TDS 3. I had Extendia AV as a backup but lost my unlock code and purchase email because I hadn't had time to backup. I backup regularly but this problem hit me before I could. They sent me a download link but said I needed a username & password which I lost and I'm waiting if they send it to me.

    With Process Guard I have a problem where if I log off then if it pops up offering to allow or deny, then the options (allow, deny) are blanked out and I can't select. I told DCS about this and they know it is a log off and user switching problem and I'm waiting for a fix. I have the BEST security software available but my problem like some others who have posted is that there are bugs and this prevents me from using it. I was really thrilled about PG but when my wife logs off and I log on I can't select any options from the pop up gui anymore unless I do a reboot. The same happens when I logged off and back on again.

    I have WormGuard too but it interferes with my email client when I install it and DCS gave me Crypto Suite because they said they wouldn't be making a fix for it until WG4 which I hope is soon. Now it's not all my fault that I don't use some of these great programs. There are very legitimate problems that need to be fixed and I'm not the only 1 waiting. If I remember correctly I did have PG running when NOD was wiped and I had it on the list but I didn't check the task bar to see if the service was still running. When I tried to start NOD because it wasn't in the systray I got a message saying it was already running but the gui was empty so I couldn't do a scan.

    But as you have pointed out my weak point is my firewall so I'll have to find something I'm happy with - any suggestions please? o_O I'll try and make sure I run TDS3 at all times but the new NOD concerns me after days of crashes. I think I installed and repaired windows about 5 times since installing the beta and only since uninstalling it has my system been stable now all last night and today.

    If I've forgotten something or you need clarification please let me know and I will oblige.

    Best

    Dave
     
  25. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,010
    Location:
    Christchurch, UK
    WC,

    Sounds as if you have a LOT of security software which for some reason are not running too well on your system. My advice would be to remove any programs that seem to be incompatible with your computer and for now run only ONE AV, ONE AT ( running Guard enabled ) and ONE software firewall.

    You certainly have a good collection of protective software programs, but you need to become familiar with the software you have before buying other software with overlapping functions.

    You need to sort out the problems you have with some of your software before thinking of using them, otherwise write them off and concentrate on the programs which run smoothly and without slowdown on YOUR system.

    NOD, BOClean/or TDS-3 ( either running in real time ) and a good firewall (LookNStop, Kerio 2, Zone Alarm 4, Kaspersky AntiHacker) would be a good start together with safe-hex practices.

    Regarding a firewall, you could stay with the built-in XP Firewall but run System Safety Monitor alongside it to check for any outbound connections.

    Once you have a stable system I would strongly recommend some disc-imaging software such as Acronis TrueImage, then you can trial software in relevant peace!

    More importantly as I have stated before YOU are the most important part of your computer's layered defense. A good AV, such as NOD, is only one part of that layer!

    Good Luck!
     