Nod 32 Not Detecting Viruses

Discussion in 'NOD32 version 2 Forum' started by worldcitizen, Aug 4, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Is there a copy in the quarantine folder? Or how is it sent to Panda; is there a copy there somewhere?

    It would be nice to get this over to Eset for analysis...

    Cheers :D
     
  2. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I came home from work and the wife said the computer was acting weird. She said every web page was taking forever to download; sounded like a possible trojan to me. I went online and same thing. I went to www.nod32.com, and I managed to take a whiz and light a cigarette before the page loaded, so I did a scan with NOD and nada. Switched over to Panda and boom, Trj/Qhost.gen. That's why. I do like NOD but this is rather frustrating. And yes, I had all settings to MAX and AH enabled; heuristics was set to standard though. Everything else according to your settings sticky.

    EDIT: Just went over to the laptop and same thing Trj/Qhost.gen with Panda, nothing with NOD.
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Is there a copy on the laptop that can be zipped and sent to samples@eset.com ?

    Cheers :D
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Yes there is, but it's disinfected; even Panda isn't picking it up now.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    164,199
    Location:
    Texas
    Last edited: Aug 12, 2004
  6. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Same here, but it is also tied into a MS bulletin and both are fully patched. There is still a copy in the Panda backup folder that I will send to Eset, but Panda isn't picking it up as infected. I do have an idea though; see what y'all think. Since the hosts file is tied into the registry, I think I can do a system restore to a previous point and it should go back to what it was before, right? I know sys restore does settings and not files, but I think it might work for the hosts file. What do you guys think?
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Worth a try, it would be nice to see what Eset can make of it...

    Cheers :D
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Ok it worked, I'm back with the hosts file as Panda detected it; I set it to ignore, as it hits it again as infected. I will send it to Eset and to www.virustotal.com to see what other AVs detect it as; ronjor has a point, only Panda lists this definition. I'll post the results and keep y'all informed.
     
  9. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Antivirus      Version          Update      Result
    BitDefender    7.0              08.12.2004  -
    ClamWin        devel-20040727   08.11.2004  -
    eTrustAV-Inoc  4641             07.28.2004  -
    F-Prot         3.15             08.11.2004  -
    Kaspersky      4.0.2.23         08.13.2004  -
    McAfee         4385             08.11.2004  -
    NOD32v2        1.840            08.11.2004  -
    Norman         5.70.10          08.12.2004  -
    Panda          7.02.00          08.12.2004  Trj/Qhost.gen
    Sybari         7.5.1314         08.13.2004  -
    Symantec       8.0              08.12.2004  -
    TrendMicro     7.000            08.12.2004  -

    As I thought, Panda is the only one that detects it as a trojan. Let's see what Eset has to say. I'll keep y'all posted.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Cheers :D
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    It seems even Panda doesn't detect it as a particular trojan. If a signature is generic, it means all similar variants are detected with one signature. We would need to get a sample of it so that we could add detection.
     
  12. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
  13. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    flyrfan111,

    Were you using the beta when you picked up this 'trojan' infection, and when using NOD as your on-access scanner do you run an anti-trojan program alongside it?

    This may be possible further evidence that you do need an additional layer to counter the threat of trojans alongside AMON. Would the new HTTP scanner be sufficient here?

    Very interesting that even Kaspersky does not pick up this malware.

    Keep us posted.
     
  14. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Yes I am using the beta, yes I have the HTTP scanner active with AH enabled, but I have heuristics set to standard instead of deep.

    I think it may be a false positive with Panda because, as you said, KAV doesn't pick it up as infected and neither does McAfee or any other maker for that matter. But then again Panda is the only one that lists this definition, so I guess it isn't an FP, maybe just a detection that is questionable. No, I don't have an anti-trojan program (YET).
     
  15. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    I haven't got a response from Eset yet, but I noticed in the 1841 update there are 3 new detections for Win32/Qhosts.C, D and E. I am at work now, so I don't know if NOD now picks this up on my hosts file or not. I'll check when I get home.
     
  16. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    If TDS-3 doesn't call it a trojan, then taking that in addition to the other things here so far, I'd say it probably wasn't a trojan. If you haven't checked with TDS, you could always try the trial and check it out.
     
  17. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Ok I received an answer from Eset. It is kinda what I expected from what I found by examining the file before I sent it. I use Spybot S&D and have enabled the hosts file protection, as well as changing the hosts file to list the DNS address of numerous known ad sites to the local host (127.0.0.1) to prevent ads from being loaded. Well, it seems Panda's detection of Trj/Qhost.gen was to detect ANY modification to the hosts file. Instead of determining that a site like coolweb was now directed to the local host instead of its actual address, any change to the hosts file was picked up as being made by a trojan. So it wasn't a true FP from Panda, as it did what it was programmed to do, that is detect that I altered the hosts file; it is more like a questionable detection. NOD does not detect it now and never has, and Panda has corrected their definition to look for malicious changes instead of ANY changes. Thanks to all who helped and made suggestions. Thanks to Eset for the analysis and explanation of this problem and the time it took to do, even though this wasn't a malicious file.
     
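The distinction Eset's explanation draws, between an ad-blocking entry that points a domain at 127.0.0.1 and a change that sends a domain somewhere else, is the one a hosts-file check should make. An added example in Python, not from this thread or from any vendor, with a constructed hosts file whose domains and remote address are made up:

```python
import ipaddress
from typing import List, Tuple

# Constructed sample hosts file (not from the thread): the first mapping is the
# Windows default, the next two are Spybot S&D style ad-block entries (the
# benign change described above), and the last is a constructed redirection of
# a domain to a remote address, the kind of change a Qhost-style trojan makes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1       ads.example-adnetwork.test
127.0.0.1       tracker.example-adnetwork.test
198.51.100.23   www.example-shop.test   # constructed: hijack to a remote IP
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (address, hostname) pairs, one per hostname, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop full-line and inline comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue  # malformed line: an address with nothing mapped to it
        for host in parts[1:]:
            entries.append((parts[0], host.lower()))
    return entries


def classify(address: str, host: str) -> str:
    """'benign' for loopback/unspecified sinkholes (ad blocking), else 'suspicious'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "suspicious"  # not an IP address at all; worth a look
    if host == "localhost":
        # localhost itself must stay on loopback; anything else is a hijack
        return "benign" if ip.is_loopback else "suspicious"
    if ip.is_loopback or ip.is_unspecified:
        return "benign"  # 127.x / 0.0.0.0 / ::1: the domain is just blackholed
    return "suspicious"  # a real domain sent to some other machine


def suspicious_entries(text: str) -> List[Tuple[str, str]]:
    return [(a, h) for a, h in parse_hosts(text) if classify(a, h) == "suspicious"]


if __name__ == "__main__":
    for addr, host in parse_hosts(SAMPLE_HOSTS):
        print(f"{classify(addr, host):10s} {addr:16s} {host}")
```

Panda's original signature fired on every entry this would print; only the last line, the non-loopback redirection, is the change worth alerting on.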
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for keeping us up-to-date, flyrfan111; it's always good to see the outcome...

    Cheers :D
     
  19. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,229
    Thanks for taking the time to help me!
     
  20. GoodGrief!

    GoodGrief! Guest

    What good are all these 'benefits' when the program can't detect viruses half the time? Didn't you check its record on Virus Bulletin first? http://www.virusbtn.com/vb100/archives/products.xml?bitdefender.xml

    Also, have you tried AVK Pro? It has a dual engine gimmick, with one of them being Kaspersky's. Why doesn't anyone else mention this program?
     
  21. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Virus Bulletin does not tell the whole story; look at the overall records of Kaspersky, F-Prot, Command, and F-Secure at the same site.

    These are all highly regarded antivirus programs but, unlike NOD, this is not supported by their VB results. Yet these AVs, and BitDefender, always score near the top at other testing sites.

    We have, many times!!!!!!

    https://www.wilderssecurity.com/showthread.php?t=46356

    https://www.wilderssecurity.com/showthread.php?t=33597
     
  22. worldcitizen

    worldcitizen Registered Member

    Joined:
    May 15, 2003
    Posts:
    530
    I tend to feel that because NOD scores the highest at Virus Bulletin, VB is used as the main standard by NOD users; but on other testing sites other AVs even score better than NOD, so although these do act as some sort of a gauge, there are many very good AVs out there apart from NOD32.

    I never had such attacks when I used Norton or PC-cillin, and I was using far less security software then (no DCS programs at all) than now.

    As to AVK Pro. Can someone help? I bought it, and after the crash I had, which wiped even my backup drive, I lost my license and even proof of purchase. I contacted these people and they gave me a link to download it again, which I did, but they didn't give me my serial, which I needed to download updates. I emailed them but got no reply, so money down the drain.

    Poor support is a real pain with some of these products.

    Dave
     
  23. Blackcat

    Blackcat Registered Member

    Joined:
    Nov 22, 2002
    Posts:
    4,024
    Location:
    Christchurch, UK
    Check the last post in this thread and the posts by realblackstuff in the same thread: https://www.wilderssecurity.com/showthread.php?t=33597&page=12&pp=25

    They now have a trial version and support seems a little better of late so it is worth sending another email. They do not have a refund policy so persist in trying to contact them, until you receive a positive response.

    Glad you have found an AV that you are comfortable with.
     
  24. J. A. Beanstalk

    J. A. Beanstalk Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    37
    Good point, I guess it's only logical to not depend on one testing site for the complete story. Do you know of any other such sites, other than the ones mentioned in your first link listed below? Also, it's ironic that BitDefender is going to be one of the AVK engines, since I was 'disparaging' BitDefender to WC, but I was also indicating at the same time that he should try AVK!

    BTW, great info. in those threads, thanks.

    As far as this particular thread, I just finished reading it while being distracted by a million other things, but I'd like to make a few points based on my fragmented memories of it.

    1) I'm puzzled by the fact that Worldcitizen never held TDS-3 accountable for missing the trojan, as logic dictates that TDS is even more responsible than NOD for the trojan, since NOD is primarily designed to detect viruses. In other words, he was relying on TDS to protect him from trojans, but his only beef was with NOD for missing the viruses and trojan. I believe someone else inquired about his lack of concern over the TDS miss, but WC never responded. I don't doubt WC's story, it's just puzzling that he didn't also announce that he was replacing TDS with TrojanHunter or at least supplementing it with BoClean. I mean, why put it all off on just NOD?

    2) As far as his suspicion that SpySweeper may have prevented NOD from detecting the malware, it apparently didn't stop those other programs that DID detect it, as I'm sure he didn't make any changes to his system before he ran the other tests. The point being that although he had a lot of security software that could have interfered with NOD, it didn't prevent the other virus programs from functioning correctly. So either way, NOD apparently screwed up big time. Plus, the NOD guy who pops in occasionally didn't seem a bit surprised, or even overly concerned. "Just another day in the life of NOD" kind of attitude.

    3) Another thing that puzzles me is that although I've seen other reports of NOD misses while reading this thread, I'm wondering why there aren't HUNDREDS of such reports in Wilders, as obviously malware doesn't play favorites. So unless NOD's customer base consists of just 250 people, something doesn't add up. And the only thing I can conclude is that NOD isn't missing viruses because it's as crappy as Norton's anti-virus program. Instead, it's due to bugs in the code which are reacting to certain software configurations which just affect a relatively small percentage of people.

    For instance, if you install security program blah-2, it screws something up when you uninstall it. And then when you have security programs blah-16, and blah-65 running at the same time, it causes NOD to sabotage itself and stop detecting malware. And I suspect this is probably what everyone else believes who has been following this thread, as I haven't read about anyone else dropping NOD. Most of you would probably want to see at least a dozen threads like this before you'd be motivated to switch to another program. Am I right?

    In any event, although I believe NOD is great as long as it's working, I no longer trust it since it's proven itself to be unreliable, and I'll probably get Kaspersky when I retire my miserable Norton. As these alleged bugs in NOD's code would mean that you're playing Russian roulette every time you install a new software program.

    Because that may be the live round that knocks out NOD, with no way for you to know the program has stopped detecting malware, since the basic functions would still be operational. And I don't believe in playing Russian roulette even if the chamber has 1,000 cylinders. And since NOD hasn't acknowledged or disclosed any bugs in the code, I have no reason to believe the current beta version won't eventually succumb to the same isolated failures that WC reported.
     
  25. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    Obviously you didn't read the thread well at ALL - nothing was missed!!!

    Read post 67 - the file was harmless.
     