NOD32 failed to pickup malware...again... :(

Discussion in 'NOD32 version 2 Forum' started by Arksun, Oct 23, 2008.

Thread Status:
Not open for further replies.
  1. Arksun

    Arksun Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    13
    Once again Eset NOD32 has failed me :(.
    I got infected, specifically registry infections (Trojan.FakeAlert.H).

    I'm still using ver 2.7, but that shouldn't matter if the virus signatures are up to date.

    Before anyone asks, yes I'm a long-time user (though perhaps not for much longer after this), and absolutely everything that NOD32 can check for IS checked in the settings, for AMON, IMON, anyflippingMON, advanced, potentially unsafe app etc etc. Virus/Malware checking is set to the absolute max in NOD32.

    So today I'm using my computer like normal, when suddenly I get this weird little rectangular popup window saying the following:


    Title: 16bit MS-Dos Subsystem

    Inside the box:

    C:\Windows\Sysvxd.exe
    The NTVDM CPU has encountered an illegal instruction.
    CS:06d1 IP:0007 OP:fe 74 6d de 01 Choose 'Close' to terminate the application.

    Below that are two clickable buttons, Close and Ignore.



    Now, because I've never seen anything like this before and hadn't recently installed anything new, I felt it was very dodgy, so I didn't click either button.

    Instead I tried to shut its process down in ctrl-alt-del. That didn't work, it refused to close. So I had to reset the computer.

    I did so, reset my modem too. Did a full NOD32 scan, it picked up..... wait for it... NOTHING.

    Anyways, it happens again, pops up... again a third time, so I do a bit of Google research, and it seems there is some nasty malware floating around that can cause this.

    So I download the freeware software Malwarebytes Anti-Malware.

    Perform a 'quick' scan (not even the full scan), and 2 seconds later it's telling me two of my registry keys are infected.

    I've no idea yet if the Malwarebytes software has completely dealt with the problem; it's not like I could do a NOD32 scan to confirm, because scanning with NOD32 doesn't seem to pick everything up anyway!

    Why did a scan show nothing, but more importantly, why didn't IMON or AMON at any time notify me of any incoming threat?

    Given that this is not the first, but the second time something's slipped past the supposedly foolproof 'best in the field' virus/malware checker that is NOD32, you can imagine how annoyed I am at a) getting infected and b) finding out a freebie program does a better job of letting me know!

    I love how NOD32 has very little impact on system performance, but failing to pick something up two times now doesn't fill me with confidence over its virus/malware stopping abilities :(

    FYI, here's the Malwarebytes log file if anyone's interested:

    http://www.musicprogressive.com/ml/
     
  2. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
    I would upload svchost.exe to Virustotal to see if other AVs flag the file. Please do not post the results of the Virustotal scan. If you believe the file is infected, compress the suspicious file(s) with WinRAR or another ordinary packer, protect the archive with the password "infected" and send it to samples[at]eset.com with this thread's url in the subject.
     
  3. Arksun

    Arksun Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    13
    I'm not sure where Malwarebytes Anti-Malware quarantined the file, but I'll try and find it and send it to the address you suggested.

    ..oh and it fixed the problem, got rid of that trojan, no more annoying popup.

    Googling the specific trojan type listed in the log, it does follow the pattern of behaviour I was experiencing, but not only that, it's not a new trojan either. Yet another reason why I was rather miffed that NOD32 did not pick it up either upon infection or when scanning (yet Malwarebytes picked it up in seconds).
     
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Well, version 3 actually has better detection than v2 thanks to technical improvements.
    As for FakeAlert, new variants are badly detected by all AVs. There are very few exceptions (2-3) which detect most of the new variants, and none of them scores at the top in tests. Another question is how many FPs such a sensitive detection might produce on certain legit files. We have recently improved detection for this malware family and we will continue to improve it even further.
     
  5. Arksun

    Arksun Registered Member

    Joined:
    Jul 16, 2006
    Posts:
    13
    One of the reasons I went with NOD32 aside from the performance improvements, was that it was also a malware killer in addition to viruses and had advanced heuristics capability.

    If new variants are badly detected by commercial AVs, how come a freeware program found it in seconds? This is what gets me. NOD32 is supposed to have all these awards for advanced detection over other software, yet a freebie program did a better job.

    Remember that I did a full scan with NOD32 with the latest signature update just before I did the scan with the freeware program, NOD32 picked up nothing, the freebie one got it straight away.

    The whole point of getting NOD32 was so I didn't have to do checks with additional malware/adware checking software on the side.

    But I will try your suggestion of upgrading to ver 3, though I've heard that to get any real additional scanning benefit with that ver it has to eat up a little more resources.
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The question is how effective is that freeware on a large clean set? Are you sure the ratio between detection of malware vs clean files is acceptable? Has anyone performed some tests in this regard with that freeware? Another question is - do malware writers target it, or only the most famous AV programs? Even if an AV has an acceptable ratio of false positives, it may sooner or later come to the attention of malware writers, who will then target it and continually modify their code until it's undetected before they release it.
     
  7. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    MBAM developer already commented on this topic here (cannot find the thread ATM)... They focus on stuff that conventional AVs cannot/do not cope with very well; their product is a supplement to AVs and security suites, not a replacement.
     
  8. nosirrah

    nosirrah Malware Fighter

    Joined:
    Aug 25, 2006
    Posts:
    561
    Location:
    Cummington MA USA
    Correct, a good 50% of the research that goes into MBAM starts with confirmed AV failures.

    Zlob guy, Vundo guy, Rustock guy, Bot guy and TDSS guy are all actively engineering against us. Rustock guy actually forced us to make major changes to MBAM.

    We have an ace in the hole against multiple malware families. They can polymorph and rename all they want and it won't help them at all.
     
  9. stevenz

    stevenz Registered Member

    Joined:
    Jan 24, 2008
    Posts:
    74
    Hello,
    same problem here, with ESS 3.0.
    I also used Malwarebytes Anti-Malware to find it and completely remove it.
     