NOD32 3.0 doesn't detect Google hijack trojan

Discussion in 'ESET NOD32 Antivirus' started by EnGenie, Dec 11, 2007.

Thread Status:
Not open for further replies.
  1. EnGenie

    EnGenie Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    182
    Location:
    Hampshire, England
    I recently got infected with what I believe is called the Virtumonde trojan.

    2 files get installed in C:\Program Files\Common Files\System.

    1. D_4362.dll which is installed as a Browser Helper Object in IE.

    2. svchost.exe (not the real one) which appends itself to the Shell value in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon after explorer.exe.

    The effect of these files is to redirect any Google search results to other Web Sites.

    NOD32 real-time file system protection and web-access protection didn't detect them being installed.

    A manual scan of these files also does not detect any malware.

    I have manually submitted these files to Eset for analysis.
     
  2. Eclipse99fwb

    Eclipse99fwb Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    54
    Location:
    Lakewood, CO
    Thats because its not a "real" trojan, its more of a adware/spyware/crimeware program. Thats why many people on here and the company I work for preach layered security programs, its not good to rely on one product to catch everything. As great as NOD32 is at catching virus's, its always good idea to have a product whos' solo purpopse is antispyware, same as a firewall products. With the right layered security setup your less likely to ever have anything slip through. Theres plenty of info on how to remove this if you need it. Also I believe theres alot of different versions of Vundo trojan family, which makes it harder to have every signature. Good job submitting it though, thats the only way we all can keep each other protected.
     
    Last edited: Dec 11, 2007
  3. EnGenie

    EnGenie Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    182
    Location:
    Hampshire, England
    I managed to remove it quite easily by just deleting the 2 files named above. (I actually got NOD32 to move them to quarantine in case Eset support want any more information about them).

    I also fixed up the Registry by correcting the WinLogon value and removing references to D_4362.dll.

    Do you recommend any good antispyware program?
    I used to have Mocrosoft Windows Defender installed but removed it because it slowed the computer down too much.
     
  4. mrhero

    mrhero Registered Member

    Joined:
    Jul 15, 2005
    Posts:
    297
    Location:
    Ankara , Turkey
    Superantispyware is light and very good.
    My second ,but heavier, choice is Counterspy.
     
  5. Sir George

    Sir George Registered Member

    Joined:
    Nov 10, 2007
    Posts:
    32
    As one line of defense, try Script Sentry.

    "Script Sentry prevents against malicious scripts hidden in ShellScrap (hidden SHS and SHB extensions) files, Word/Excel macro viruses, malicious HTA files, and accidentally run REG files."

    Visit Jason's Toolbox for more info at;

    http://www.jasons-toolbox.com/programs.asp?Program=Script Sentry

    Script Sentry is not a panacea, but a nice addition to other security tools. :thumb:
     
  6. EnGenie

    EnGenie Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    182
    Location:
    Hampshire, England
    Does it work well with ESS and NOD32?

    All 3 products have "real time protection". Do they co-exist well?
     
  7. Eclipse99fwb

    Eclipse99fwb Registered Member

    Joined:
    Oct 26, 2007
    Posts:
    54
    Location:
    Lakewood, CO
    I would recommend SuperAntiSpyware too, great program. Whatever you decide to use, do a full scan for spyware soon, some of the spyware programs are a pain to get rid of. Also here a list of rogue Spyware programs, do not use any of these, as they don't work and usually are harmful for your computer: http://forums.majorgeeks.com/showthread.php?t=79754
    As for your last question, I know it will co-exist with NOD32 3.0 and 2.7, I haven't tried it with ESS yet, but I'm pretty sure it will work too.
     
  8. windstrings

    windstrings Registered Member

    Joined:
    Oct 20, 2004
    Posts:
    337
    I've read your posts and Have researched "SuperAntiSpyware".. it seems quite impressive.. I also like the looks and the way it displays the options and readouts.

    I don't know if you guys recommend this over eset spyware, but I do see the benifit of tapping into someone else's resources of technology of "which" programs are bad as well as "how" to deal with them......

    By using esets, I would be concerned that there is some redundantcy to the AV program as far as detection schemes and recognition.... it may be better to go with another company verses having overlap.

    The reviews are quite impressive... and thats from some "non-novice" users too!

    Its not real popular yet.. but I remember when "NOD32" was new innovative technology that was faster and light on its feet "as it still is" compared to its competition and is very adamant on frequent updates etc... this program seems to share allot in principle with Nod....
    I especially appreciate its ability to "repair" damaged systems effectively.

    A good mechanic can find the problem.. but it takes an "excellent" one to fix it!


    I was intrigued when reading this about their software.

    A program with "new" technology is an advantage... in time, they will have to change their footing to maintain their advantage against the spyware people as they have not yet had time to figure out away around the new detection, so for now, it may be a good program to use.
     
    Last edited: Dec 12, 2007
  9. BradenD

    BradenD Registered Member

    Joined:
    Dec 3, 2007
    Posts:
    6
    Fighting Virtumonde infections is my full time job at the moment:
    The finest tool for that specific job is located at:
    http://www.atribune.org/content/view/24/2/

    The tool is updated frequently.

    ESET has been very good about adding Virtumonde variants to their definitions (if you look at October's definitions lists, you can see half a dozen VT defs added with every update). It will of course be WONDERFUL when ESET starts to catch them all, but Virtumonde is a tricky beast! The virus has new variations in the wild EVERY DAY. It's horrible!

    Anyhow, just thought I'd throw this out there. Good luck all.
     
  10. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    I'd reverse the ranking order as I find CS lighter. But both are good.
     
Thread Status:
Not open for further replies.