NOD32 can't clean msn virus?

Discussion in 'ESET NOD32 Antivirus' started by kinson, Nov 21, 2007.

Thread Status:
Not open for further replies.
  1. kinson

    kinson Registered Member

    Joined:
    Nov 21, 2007
    Posts:
    5
    Location:
    Malaysia
    Hey guys, I work as a computer technician in my local computer shop, and I've been using nod32 for a couple of years now and it's my #1 antivirus without a doubt.

    I do have a worry though. I use it to clean a lot of my customers' PCs, but one thing I haven't been able to clean with NOD32 (v2.7 and v.3) is the msn virus.

    I have a sample of the virus, and uploaded it to virustotal here: http://www.virustotal.com/resultado.html?9c355794dc22855e644394cf5bc7e73e

    If I scan the file with NOD32, it detects without any problems, but if the pc is already infected with the virus, it doesn't seem to be able to clean it :( Unfortunately, Rising antivirus seems to be able to do the job, but I really don't like Rising.

    I've been scanning with in depth scan, is there anything I'm missing?

    I can email the file to Eset no problem if needed.

    Much thanks for any replies/help.

    Cheers,
    Kinson :)
     
  2. zaid786

    zaid786 Registered Member

    Joined:
    Aug 24, 2007
    Posts:
    16
    Have you tried scanning in safe mode?
     
  3. kinson

    kinson Registered Member

    Joined:
    Nov 21, 2007
    Posts:
    5
    Location:
    Malaysia
    Hrmmm, a little embarrassing to say that I haven't... I must be losing my touch :(

    But the thing is, I've (taken it out and) scanned the hard disk (as a slave) on another pc with nod32 that is definitely not infected, and it still didn't detect :(
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Did you have advanced heuristics and runtime packers actually enabled?
     
  5. kinson

    kinson Registered Member

    Joined:
    Nov 21, 2007
    Posts:
    5
    Location:
    Malaysia
    Do you mean the options under:

    AMON->setup->options->heuristics(checked), and ->additional options on create->runtime packers(checked).

    If so, then yeah, they're enabled by default, and I don't change those settings.

    I'm reading this off Nod32 v2.7 btw.

    cheers,
    Kinson
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you run a full system scan using the on-demand scanner, the files will not be deleted even after the next system restart?
     
  7. Paul_E

    Paul_E Registered Member

    Joined:
    Aug 27, 2007
    Posts:
    52
    Location:
    Dollar
    Why will they not be deleted?
     
  8. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If the files are in use they can only be deleted after the next restart.
     
  9. kinson

    kinson Registered Member

    Joined:
    Nov 21, 2007
    Posts:
    5
    Location:
    Malaysia
    Hi guys,

    I've had a little bit of time today, so I took a spare PC to test this virus out:

    My method:
    1) infect pc with msn virus
    2) install kaspersky(and update), scan(without cleaning), uninstall kaspersky
    3) install nod32 v.2.7(and update), scan(without cleaning), uninstall nod32 v2.7
    4) install nod32 v3(update), scan (without cleaning), uninstall nod32 v3
    *all scans done in NORMAL mode, NOT safe mode

    Result:

    1)kaspersky picked up the msn virus
    http://img137.imageshack.us/img137/9496/kasperskymediumqk4.jpg

    2)Nod32 v2.7 picked it up too(yay !)
    http://img137.imageshack.us/img137/3482/nod27mediumck2.jpg

    3)Nod32 v3 also picked it up, but it was a little weird.
    http://img137.imageshack.us/img137/5820/nod3mediumly9.jpg

    V3 didn't seem to pick up the ones in the system restore folder(though, being in the sys restore, they're harmless anyways, lol). I'm just curious I suppose, I thought 2.7 and v3 might share the same engine(especially since V3 isn't available in Malaysia yet. Waiting for it to sell to customers :) ).

    Funnily enough, of the 3 virus exe's in the system32 folder, 2 couldn't be found during the V3 scan (I thought V3 had missed it, until I went to look for it and couldn't find it from the previous path). And I specifically set v2.7 to scan without cleaning. Weird, heh.

    Anyways, I'm happy that NOD32 is tops again :) I was a little worried when it couldn't(for reasons unknown to me) clean the msn virus(though as I said before, it picked it up easily before infection).

    Any idea about why V3 didn't get the Sys restore virus? (It's still there, cause I reinstalled kaspersky to double check after uninstalling V3.)

    Cheers,
    Kinson :)

    PS: Thanks so much for NOD32 :)
     
  10. steve1955

    steve1955 Registered Member

    Joined:
    Feb 7, 2004
    Posts:
    1,384
    Location:
    Sunny(in my dreams)Manchester,England
    Did you actually try cleaning this PC with either Kav or Nod? You said earlier Nod detected the infection but didn't clean it; are you sure the previous uncleaned result isn't just the virus in the sys restore folder?
    If Nod still cannot clean this infection you're no better off now than when you 1st posted.
     
  11. kinson

    kinson Registered Member

    Joined:
    Nov 21, 2007
    Posts:
    5
    Location:
    Malaysia
    When I first posted that NOD32 detected the virus, I meant the file that the virus sends to each other. I received it on my Ubuntu Linux box, so obviously it doesn't do me any harm, so I scanned it on a Windows Box with NOD32, and it detected the virus no problem.

    But the problem was when the pc was ALREADY infected with the Virus, NOD32 didn't seem to be able to clean this. Cause I always go through the scan logs to see what is cleaned, what virus people had etc etc.

    Like I said before, in my opinion, NOD32 is the best antivirus there is, that's why I was more than a little curious why it couldn't clean PCs that were already infected with this msn virus. But as long as it does now, I suppose the issue isn't that important. I'm just wondering whether I made a mistake previously, but I honestly doubt so.

    Cheers,
    Kinson
     