NOD32 compromised

Discussion in 'ESET NOD32 Antivirus' started by lifemare, Jul 14, 2008.

Thread Status:
Not open for further replies.
  1. lifemare

    lifemare Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    3
    Windows started behaving a little weird yesterday (I mean: more than usual ;), so I immediately ran an online scan with BitDefender (asked for a second opinion).
    Turns out I had 3 trojans lodged on the system:
    - a trojan.generic variant (243424 or something like that, I didn't save the report)
    - trojan.dropper.delf.BAM
    - and a wonderful little backdoor (backdoor.sdbot.dfsx) masked as svuhost.exe

    They have now been purged but I feel far from safe since NOD32 did not detect them the first time (neither with real-time access protection nor by scanning). So what now? Should I assume the antivirus has been compromised or isn't working as it should? Will a re-install solve it, or, pardon me for suggesting, should I consider switching to another product?

    Any solutions?

    edit: forgot to mention, if it's relevant, I'm using NOD32 v3.0, virus signature 3263 (20080711)
     
    Last edited: Jul 14, 2008
  2. Banger696

    Banger696 Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    274
    Did you run a deep scan with NOD? It's always wise to run one at least once in a while. It's always a possibility too that BitDefender found false positives.
     
  3. virtumonde

    virtumonde Registered Member

    Joined:
    Jan 18, 2008
    Posts:
    501
    With a file named svuhost.exe I doubt it's a FP. I've seen it often on torrent sites in the last 2 weeks.
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It is very unlikely that svuhost.exe would be a false positive. However, I've seen some commercial keyloggers disguised under such weird names resembling system files.

    We always recommend sending such files in a password-protected archive to samples[at]eset.com
     
  5. Banger696

    Banger696 Registered Member

    Joined:
    Sep 6, 2006
    Posts:
    274
    Sorry yes it's unlikely, I thought of that after I had posted. :)
     
  6. lifemare

    lifemare Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    3
    Seems to me like an incredible coincidence that someone would have gone to the trouble of creating such a camouflaged file (svchost is a Windows process) with no bad intentions in mind, and it turning up on a scan. Also, a backdoor isn't the usual FP, am I wrong?

    Call me crazy but I immediately deleted it :p ....(regretfully)

    Any thoughts on what to do now?
    I'm on a static IP (because of router port forwarding I have to be) and with such a passive anti-virus (don't mean to trash it, it's the best I've ever used) I couldn't feel more vulnerable.
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Well, Crazy. You don't say what other security programs you use, if any? Things happen occasionally to even safe internet users. After such an occurrence I'd be checking to make sure my internet practices didn't contribute to it, and I consider myself a safe surfer.
     
    Last edited: Jul 14, 2008
  8. lifemare

    lifemare Registered Member

    Joined:
    Jul 14, 2008
    Posts:
    3
    I might be crazy but I'm not dumb ;)
    Besides the router port-blocking, I'm using Sygate Personal Firewall and GhostSurf.
    I'm reluctant to consider myself a safe surfer (not even sure if that exists, unless you just use the web for email, and even so...), but I'm wary enough not to download any crap I find. But there's just no software against human intelligence. Google a list of all available exploits, hacking tools, phishing and pharming sites, ActiveX vulnerabilities, spyware cookies, etc. and you'd be crazy to ever consider yourself safe from intrusion. I'll just be glad not to be a sitting duck.
     
  9. Umami

    Umami Registered Member

    Joined:
    Jul 28, 2008
    Posts:
    1
    I have recently been affected by svuhost.exe.

    I have archived the file in question in 7zip format and archived that 7z file in a zip.

    ~Link removed. No links to possible malware on the forums. - Ron~

    (Known) Symptoms:

    - Running svuhost.exe process
    - Security Center Reports incorrect information
    - Windows Firewall and Update settings cannot be modified

    Suspected Source:

    - Modified Program Setup/Installer
     
    Last edited by a moderator: Jul 28, 2008
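The thread's recurring point (Marcos's note about odd names resembling system files, and the running svuhost.exe process Umami lists as a symptom) can be checked mechanically. The script below is an added example, not code from the thread or from ESET: it takes process entries as (name, path) pairs, flags names within a small edit distance of well-known Windows system binaries, and flags the real names when they run from somewhere other than System32. The process list and the default System32 location are constructed assumptions for the example.

```python
import ntpath
from typing import Iterable, List, Optional, Tuple

# Well-known Windows system binaries that malware likes to imitate, and the
# directory they are expected to run from (assumes a default install drive).
KNOWN_SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe",
                         "winlogon.exe", "services.exe")
SYSTEM_DIR = r"c:\windows\system32"
LOOKALIKE_DISTANCE = 2  # svuhost.exe is 1 edit away from svchost.exe


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(name: str, path: str) -> Optional[str]:
    """Return a reason string if the process entry looks suspicious, else None."""
    lname = name.lower()
    ldir = ntpath.dirname(path).lower()  # ntpath handles backslashes on any OS
    if lname in KNOWN_SYSTEM_BINARIES:
        # The genuine name is only expected from the system directory.
        if ldir != SYSTEM_DIR:
            return f"system binary name running outside {SYSTEM_DIR}"
        return None
    for known in KNOWN_SYSTEM_BINARIES:
        # A near-miss of a system name (svuhost vs svchost) is a masquerade hint.
        if edit_distance(lname, known) <= LOOKALIKE_DISTANCE:
            return f"name resembles {known}"
    return None


def audit(entries: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Run classify() over all entries and collect (name, path, reason) findings."""
    return [(n, p, r) for n, p in entries for r in [classify(n, p)] if r]


# Constructed sample process list mirroring the thread's svuhost.exe case.
SAMPLE_PROCESSES = [
    ("svchost.exe", r"C:\Windows\System32\svchost.exe"),
    ("svuhost.exe", r"C:\Windows\svuhost.exe"),
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("svchost.exe", r"C:\Users\Public\svchost.exe"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PROCESSES):
        print(*finding, sep=" | ")
```

On a live host the entries would come from the process list itself (for instance PowerShell's Get-Process with its Name and Path properties) instead of the constructed sample.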