NOD32 didn't, CounterSpy did - Virtuemonde

Discussion in 'ESET NOD32 Antivirus' started by stap0510, Sep 28, 2008.

Thread Status:
Not open for further replies.
  1. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    For more than a year now I have seen with my own customers (to whom I sell NOD32) that NOD32 still can't protect against, and remove, Virtumonde malware. Running CounterSpy always did the trick for me, even nowadays, unfortunately, with the rise of version 3.0 of NOD32.
    Will NOD32 ever be able to remove this kind of malware successfully?
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Do you mean that NOD32 detected that Virtumonde but couldn't remove it? Virtumonde is quite resistant to removal: it is injected into an already running process and continually checks for its registry records, repairing them if they are removed or altered.
     
  3. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104

    Indeed,
    It noticed the infection, but parts of the operating system, Windows XP, had already been changed by it. All this within a couple of seconds, I swear to god.
    The automatic update service is no longer functioning.
    When running explorer.exe, the Windows shell, I sometimes get pop-ups and web pages look distorted.
    When ending that explorer.exe process it doesn't seem to be active, or goes dormant.
    It somehow works with, or is dependent on, explorer.exe.
    Or explorer.exe is changed/corrupted/replaced by a malicious version of it.
    Either way, ESET Anti-Virus doesn't notice it as being malicious.
    Very nasty indeed.

    By the way, it is still on that machine right now, with NOD32 running.
    Even after an on-demand in-depth scan with BlackSpear's settings.

    The only remaining option now is to re-install Windows :mad:
     
  4. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104
    Little add-on to my story:

    Explorer.exe doesn't start automatically anymore... usually.
    Within Control Panel very little is possible, because rundll32.exe seems to be missing.
    On that latter point, I think rundll32 was infected too and therefore removed by CounterSpy.
    EAV cannot be removed in order to re-install it properly after that.

    What a mess.
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Please send a log from ESET SysInspector to support[at]eset.com with this thread's url in the subject.
     
  6. stap0510

    stap0510 Registered Member

    Joined:
    Aug 5, 2008
    Posts:
    104

    Done.
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    I have to agree... many of my clients on NOD32... are getting hit.

    Yes, yes, the Zlob trojans (the engine behind Virtumonde) are being VERY aggressive... releasing sometimes several new variants per day. But when the other removal tools I turn to... DO detect and remove it... such as MalwareBytes, SuperAntiSpyware, and even venerable old Spybot S&D... one has to go... "Hmmmmm..."
     
  8. DooGie

    DooGie Registered Member

    Joined:
    Jul 1, 2006
    Posts:
    112
    The thing is that NOD32 is not alone in struggling with the current bout of malware variants.
    I work for a small engineering company, around 20 workstations. I'm employed as a production controller but also support the IT manager when needed.
    For some reason the company has always used Symantec products and can't be persuaded to change.
    Last week 2 of the workstations were seriously compromised by a virus. Run was disabled, safe mode was disabled and most applications were disabled. In fact, on one of the machines the only app that would run was Word. HijackThis wouldn't run until renamed.
    The Symantec product hadn't even caught a sniff of this virus getting in and let it run riot with nothing detected at all, until the malware downloaded IE Defender, which did get picked up.
    The infections were eventually removed with a combination of various tools like gmer, SAS, MBAM, file deletion and manual registry cleaning.

    Yes, my post has gone a bit off topic, but my point is that a lot of people here are moaning about the current detection rate of NOD32.
    Have a read around the various AV forums and the posts are all the same: "Why did my AV not detect this?"

    A swings and roundabouts job, methinks.
     
  9. ablatt

    ablatt Registered Member

    Joined:
    Nov 14, 2004
    Posts:
    128
    Location:
    Canada
    The fact is, if you read various forums, that MBAM and SAS can detect and remove various infections that NOD32 (and other AVs) cannot.

    If NOD32 wants to remain a top-tier respected product, they will ensure that new versions are up-to-speed in this regard.

    If SAS and MBAM can do it, why can't NOD32 or any other AV product?
     
    Last edited: Sep 30, 2008
  10. Causes Drowsiness

    Causes Drowsiness Registered Member

    Joined:
    Nov 6, 2006
    Posts:
    12
    Location:
    Behind you...
    I've had AntiVir catch these infections and remove them. Not sure why NOD32 is having such difficulty lately, especially with a 3.0 product that was supposed to enhance its capabilities.
     
  11. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Please PM me a link to a Virtumonde sample that is recognized by AntiVir or KAV but not by NOD32. I understand that we do not detect 100%, but I think our detection of this malware family is very close to that. If it weren't against the TOS, I would post screenshots from VT here that might be shocking for some.
     
  12. trjam

    trjam Registered Member

    Joined:
    Aug 18, 2006
    Posts:
    9,057
    Location:
    North Carolina
    Do like firebytes did here in this post and you can show us what you are talking about. I would like to see what you are saying, because that would prove it to me.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,802
    Location:
    Texas
    Some off topic posts removed.

    Send any suspected files to ESET as noted in this post.
     