Nod32 - False Positive?

Discussion in 'NOD32 version 2 Forum' started by DDCchik, Aug 15, 2004.

Thread Status:
Not open for further replies.
  1. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    Each time I scan with Tauscan (I know Tauscan isn't highly rated, but it's the one I have) - Nod32 brings up an alert. I'm happy to post a screen shot if it would help. The message is:

    File:
    c:\documents and settings\XXXX\Local Settings\Temp\tnp[variable 3 or 4 digit hex number].tmp.exe
    Virus:
    Win32/DeepThroat unknown infection type (DoS)
    AMON cannot clean this infiltration. Event occurred at an attempt to access the file.

    The 'file' can't be quarantined, deleted or renamed. If I do a scan with Nod32 it does not find anything, either in normal mode or safe mode. Where can it be coming from? Even with no files in that directory, Nod32 finds one.

    There are no files of this name in that directory; I deleted everything in that directory to be certain. That directory is now blocked from access through Internet Explorer. In fact the Local Settings directory is no longer showing at all. I used A43 to find the directory and the file 'found' doesn't exist. I can find no related process using Faber Toys and Sysinternals procexp that I can't identify.

    I can't find these files (the hex numbers vary so it could be one) in safe mode or from the command line or using the recovery console.

    Is there a conflict of some kind between Tauscan and Nod32?

    This has occurred every time I have run Tauscan - so I am presuming that the problem is coming from something that Tauscan does or tries to do.

    Does anyone have any idea what this could be? Any help would be nice. I started out trying to track down an LSP entry in a HijackThis log - with 'wrong' IMON.dll. Haven't got any further with that either.

    Everything is working fine and apart from this the machine is clean
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,734
    Location:
    Texas
    You could try the latest version of HijackThis and see if imon dll is named. I believe this version fixes that find.

    HijackThis
     
  3. anders

    anders Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    410
    It might be that Tauscan is extracting an infected file from somewhere, and that NOD32 detects the file when it is extracted, and blocks access to it, so Tauscan doesn't detect anything. Try to temporarily disable AMON, and do the Tauscan scan again, to see if it detects any infected files. If it does, send that file to samples@eset.com and/or me (virus@eurosecure.com).

    Best regards,
    Anders
     
  4. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    Thanks for the prompt responses:)

    Ronjor - HJT 1.98.2 has fixed that imon.dll problem. I thought it was a HJT issue because I couldn't find any LSP problems.

    In my first post - please correct - 'Internet Explorer' to Windows Explorer no longer shows the Local Settings directory under Documents and Settings, although it is clearly there using A43. I am wondering if this is an action by Nod32 or a part of the problem.

    Anders - A Tauscan scan with Nod32 'Disabled' comes up clear. But a further scan with Nod32 enabled gives the same problems. Would an alternate trojan-finding program be a better option or is version 1.7 of Tauscan improved on previous versions?

    A Tauscan scan with Nod32 Enabled still brings up the same alert.

    I have this computer isolated from my network so I will try to find this file and forward it.
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,734
    Location:
    Texas
    What is A43? (Found it--A43 File Management Utility)

    I don't think Local Settings missing is due to NOD.

    This is XP you are using?

    Tauscan is not well thought of, generally speaking. You could download TDS3 and give it a whirl and see what it finds.

    http://tds.diamondcs.com.au/index.php?page=easytouse
     
    Last edited: Aug 15, 2004
  6. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    In the Local Settings\temp directory, which was empty last night (I'm in Australia), I have a further recurrence of the Nod32 alert, but the only entry is listed as tnp4e9F.tmp.TXT at 0KB. Nod32 is listing a tnp286.tmp.exe. I found a file called insthelp.dll in the same directory, which shows last accessed today and no other properties of any interest. The only activity on this computer has been the scans I have just run.

    Is there a way to find the .exe that Nod is finding?

    I googled Insthelp.dll and found an entry in Pest Patrol for RedV that lists insthelp.dll - but not in the location listed and with none of the associated files. I have no running processes that I don't know. There are no associated entries in HijackThis either and these files don't list. I can post Nod32, HJT or Adaware logs.

    I have zipped insthelp.dll, which I think is suspicious because it is in a Temp directory, and tnp4E9F.tmp.TXT, and will forward them today, but I can't find the .exe.
     
  7. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    Ronjor, Yes XP SP1 fully patched (SP2 won't be installed until I am sure it won't break any of my other software :doubt: ) - sorry I missed your post before I posted. The machine is my laptop and I have it disconnected from the network at the moment. I will download TDS3 and run that. I knew Tauscan was not highly regarded - it came preloaded with Outpost as part of a package. I run TrojanHunter on my other computers.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi DDCchik try deleting ALL Temp files including Offline content, disable "System Restore", reboot into Safe Mode and run a scan with Nod32.

    Let us know how you go...

    Cheers :D
     
    Last edited: Aug 15, 2004
  9. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    Hi Blackspear - Did all that first up. Installed and started running TDS-3. It triggered a Nod32 alert with a different file name but still W32/Deepthroat.

    Computer crashed before scan was finished :( - re-booted and re-running TDS-3 now in Safe Mode.
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    W32/Deepthroat is a Trojan that Nod32 has been detecting since v.1.811 (20040715)

    http://www.nod32.com/support/info.htm

    Usually if AMON cannot delete a file it is because it is in memory; doing what I advised above should enable Nod32 to clean the infection, provided Nod32 is fully up-to-date...

    The new Beta onwards will vastly improve in Trojan detection upon attempt at downloading, rather than when it has actually downloaded onto your system...

    Let us know how you go with TDS...

    Cheers :D
     
  11. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    XP Pro SP1. Nod32 1.842 (20040813). I had already run Nod32 in Safe Mode with System Restore disabled before I posted and it doesn't find anything. The alerts are only triggered when Tauscan and now, TDS-3, are run. I think Tauscan might have had its day. I'm very impressed with TDS-3. It has some very powerful options, I like it :) I'm starting to like Nod as well; after years of Norton products, it takes some getting used to. The Nod32 setup thread is excellent.

    The tnpo_O?.tmp.txt files haven't returned. I've no idea where it was before but it's disabled for now. I zipped the insthelp.dll file and deleted the original before this lot of scanning.

    I don't use Internet explorer except for Microsoft update. I got used to Netscape on Windows 3.11 (Yes, I remember as far back as DOS 2.11 on an XT and Bulletin Boards :( ). I cleared the temp directory, cookies and the cache as soon as I started looking for this thing and it's been off-line apart from the TDS download.

    The TDS scan in safe mode found nothing. Nod32 in Safe Mode found nothing. Back to Normal Mode and a TDS scan brings up Nod32 alert for:

    c:\Program Files\TDS\xDynamic\TDS.Unpk\dto.exe
    Virus: Win32/Deepthroat


    So TDS isolated the file and locked it. No alert was triggered from the Local Settings directory and the files have not re-appeared.

    How do I delete this file? I'm not familiar with the TDS configuration yet. I don't want Nod bringing up this alert every time I do a scan with TDS.

    Thanks for all the help :)
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    To be on the safe side, can you start a new thread in the TDS section and ask the question up there about this file, as in why it can't be seen in safe mode, that you have zipped the .dll, as they may want you to forward it to them...

    Cheers :D
     
  13. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi there,
    i was asked to jump in for the TDS part.
    Not sure why in safe mode TDS finds nothing and in normal mode it does and why TDS or the computer crashes.

    I see you rebooted in the meantime after installing TDS, and did you grab the latest radius update from the site and (re)load TDS after that?
    While installing and scanning with TDS, did you make sure all other scanners and their resident protection were completely closed?
    This to make sure TDS has full access to every file.

    EDIT: As TDS has no resident protection and does not hide any files in any way, there is never any need to close TDS while scanning with any other scanners. The only thing is, don't have it actively scanning at the same moment, for the same reason as mentioned. Even in the registered version with exec protection installed, which can be seen as a resident protection (it is a hook to check executables before running), there is no need to close that during other scans.
    And yes, NOD32 and TDS are an excellent pair together.


    The files found in the Unpk are copies of originals elsewhere, they are unpacked there and in most cases are deleted afterwards or if not you can delete them from that folder manually, or send in your suspicious files to the developers (zipped if possible).
    In the Alerts bottom console you should find the originals with full path etc.
    Mind you: TDS does not quarantine or lock files itself, it just tells you what is found and you decide what to do with them.

    I'm not sure why there is a difference in safe mode and normal mode scan results at the moment.
    Did you in TDS > System Testing > Scan Control check all scan options on both tabs and save that configuration?
    And in the TDS > Edit files > Scans > FullSystem scan.txt add all scan options from that scan control and save, so the whole system is scanned everywhere?
     
  14. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    Jooske - thank you for that additional information. I can't blame TDS for the computer crash. I suspect the computer itself has a heat problem. Anything that involves heavy activity for an extended period tends to cause it to freeze so I usually do all scans as soon as it is switched on. The safe mode and later normal mode scans were OK. I left it turned off for half an hour. It's had that problem since new and it's difficult to fix in a laptop - I can't just add extra cooling :(

    I'm completely new to TDS. When I configured it for the scans, I asked for everything that was offered but I didn't save the configuration. I figured if I was going to scan - then scan for everything. I shut down all unnecessary processes, other than Nod32 so there was as little interference as possible. Other than that - I know nothing about TDS except what I've found out by going through the menus (just to check them out) and that it has the sort of options and powerful action that I like (bit obsessed with my computers) :)

    I suspect TDS had found the file and 'locked' it just before the computer froze - so I missed the full path of the file because the Nod alert was 'on top', and on the further scans it was already 'locked'. The only other files it found were version number files where they had been read as having multiple extensions. I'll do a search for the original file and see if I can find it.

    Blackspear - I will start a thread in the TDS forum if you feel it's necessary - but I'm not sure I can contribute a lot - I only found it today. Thank you for all your help and the Nod32 setup thread - it's great!!

    I'll go through the rest of the information in Jooske's post and check the TDS forum. I haven't gone through that yet and I'd like some more setup and configuration stuff to be going on with.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Jooske

    I'll leave that one up to you, it would have been nice to see what it was that was playing hide and seek so well on your system...

    Glad you liked the setup thread, I wanted to know how to do some of it, so when I learnt, decided to make it easy for others...

    Cheers :D
     
  16. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    DDCchik, since you love configuration threads so much, in these IMPORTANT stickies look at FanJ's basic setup recommendations to start with, although you figured out a lot already. It's all sooooooooooo easy :)
    https://www.wilderssecurity.com/showthread.php?t=24666
    You might like to grab the test/demo files there too and see what TDS and NOD32 do with them.

    You must have pressed something to be able to do the full system scan after checking all the scan options or maybe you added all the selections from the left window to the scan list on the right. Anyway, as long as every bit and byte is scanned.

    Make very sure all folder options in your system are set to show every file and extension, to enable you to find them back, like the file you're looking for now.
    You could do a search for the file via windows if you lost the pathname, if NOD32 allows you to see it somewhere. Guess also DiamondCS likes a copy of the file since you say in the Alerts window it did not show up. Maybe TDS had no access to it since you hadn't closed NOD32 scanner and resident protection!
    Anyway, please find and zip the file --it's in that Unpk folder anyway-- and submit it to submit@diamondcs.com.au and the NOD32 lab if not detected properly enough.
    Double file extensions are not necessarily bad or innocent; they just need your attention. If you know the files, like file1.2.3.exe, you can ignore them, but something you thought innocent like text.txt.......(lots of spaces)..exe is very suspicious of course.
    Once you've solved the current problems you will find lots of information in the Help file (manual better said) which is very informative and educative not limited to TDS alone.

    The crashing: is there anything the shop can tell you about that and possible solutions? Maybe it needs other kinds of batteries, even more RAM, using fewer processes at a time, anything to avoid the overheating. Using a laptop should be as normal as any desktop, I hope.
     
  17. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    Jooske thanks for all that - There's a lot of reading in the forum. I usually do read the help files if they are good. Some help files aren't at all helpful ;)

    I'll work my way through the TDS stuff - it certainly does more than Tauscan ever did and a lot more configurable.

    I build and repair computers for a hobby and for charity - but not laptops sadly. It's due for replacement under the rent agreement in a few months so I decided not to worry about it. Just keep it cool and remember to do all scans when it first starts up. It's only scans that upset it. Normal work stuff doesn't. Next one will be more efficient - they've improved a lot over the last couple of years.

    I'm running a search now to see if I can find the original file that Nod named and I still think a .dll in a temporary directory is suspect but it might be quite innocent.
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    See if there is a Nod32 Event or Virus Log File.

    Cheers :D
     
  19. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If you're using NOD32, TDS and maybe some others to clean/test/repair systems which are not yours or are to be donated/sold you might like to consider a roving license, which means you are allowed to have it installed on the systems during those activities and before they leave your hands you're to uninstall them or help the future user with registration.
    TDS has those licenses; I thought NOD32 has them too, or maybe an equivalent kind of agreement.

    Anyway, with all your hidden files set to not hidden you should be able to search/find the files via windows too.

    For TDS, which is rather heavy in the startup scans, especially the memory space scan, you might prefer either to start it manually after the reboot once all the other programs have finished starting, or to take it out of autostart and start it via the startup files, which come a little behind all the other Windows startup items too. It might help your laptop tremendously.
    Would suggest to keep as much out of the autostart as possible to help your dear laptop.
    With the full system scan --which is the heaviest part available for you, multithreaded to speed up the scanning-- remember to close as many other programs and browsers as possible, since it's a good time to do some sports or drink a coffee you won't need them anyway.
    Can imagine with NOD32 such an active scan likes all available space as well and will be happy with lots of other stuff closed as well.
     
  20. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As a reseller, we have a monthly evaluation key available, though we only use these to install and update Nod32 for a new customer, until their license arrives...

    Cheers :D
     
  21. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    I think I may have found a cause or, at least, a contributing factor to the problem of the virus alerts while using a trojan scan.

    I ran a similar scenario on one of my other computers - XP Pro SP1 but using TrojanHunter 3.8 and Norton Antivirus 2003. I got an alert from Norton during the trojan scan for a Bloodhound.Hybrid virus with a file that I couldn't find. I did the same repeat scans in the same sequence that I did the scans on the computer in this thread: safe mode, AV only, trojan only and then trojan with AV enabled.

    Both the trojan scanners were set to scan archives, zipped and UPX packed files etc. To do that they unpack them in Documents and Settings\User\Local Settings\Temp.

    The virus alerts on both computers were finding files in that directory. But there were no files in either directory because I deleted the contents before any of the scans and deleted the contents of the recycle bin and all the other sundry junk one collects.

    The Norton scan named a file that was in the \temp directory. But Trojanhunter identified the same file as being in a zip file (strangely enough in a Toshiba laptop driver file I downloaded for a friend who has dialup).

    I disabled scanning of archives zip and other compressed formats and both scans come up clean with no virus alerts on either computer. I have found a zip file on the laptop that has one filename starting with tnp which is the first three letters of the 'virus' that Nod kept finding.

    Is this a possibility? Probably not as interesting as it sounded originally but maybe worth thinking about?
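The mechanism described in this post (an archive scanner unpacks members into %TEMP%, the on-access scanner alerts on the unpacked file and blocks it, and the file then cannot be found) can be sidestepped when you are only trying to work out which archive a flagged name came from. The script below is an added example, not part of the original thread or of any product discussed in it: it inventories the members of a zip archive entirely in memory, hashing each member without writing it to disk so no on-access scanner ever sees a file, and flags names that would extract as executables or that use the padded double-extension pattern Jooske describes (text.txt........exe). The archive it scans is constructed inline, and its "MZ" member contents are constructed placeholder bytes, not real binaries; the flag names and size limit are my own choices.

```python
"""Inventory zip members without extracting them (added example, not from the thread).

Hashing in memory avoids the situation in the thread: a scanner extracts a
member into %TEMP%, the on-access AV alerts and blocks it, and the file can
no longer be found.  Here nothing touches the disk, and each member's SHA-256
can be compared against whatever the AV reported.
"""
import hashlib
import io
import re
import zipfile
from dataclasses import dataclass
from typing import List

# Extensions that Windows will run if a member is extracted and opened.
EXEC_EXTS = {".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js"}

# "invoice.txt          .exe": a harmless-looking extension, a run of spaces,
# then the real executable extension at the end of the name.
PADDED_DOUBLE_EXT = re.compile(r"\.[A-Za-z0-9]{1,4}\s{2,}\.[A-Za-z0-9]{1,4}$")


@dataclass
class Member:
    name: str
    size: int
    sha256: str
    flags: List[str]


def _basename(name: str) -> str:
    return name.rsplit("/", 1)[-1]


def _extension(name: str) -> str:
    base = _basename(name)
    dot = base.rfind(".")
    return base[dot:].lower() if dot != -1 else ""


def classify(name: str) -> List[str]:
    """Return the reasons a member name deserves a closer look (empty if none)."""
    base = _basename(name)
    flags: List[str] = []
    is_exec = _extension(name) in EXEC_EXTS
    if is_exec:
        flags.append("executable")
    if PADDED_DOUBLE_EXT.search(base):
        flags.append("padded-double-extension")
    if is_exec and base.count(".") >= 2:
        flags.append("double-extension")
    return flags


def inventory(zip_bytes: bytes, max_member_bytes: int = 64 * 1024 * 1024) -> List[Member]:
    """Hash every file member in memory; never write anything to disk."""
    out: List[Member] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Guard against decompression bombs: skip, but still record the name.
            if info.file_size > max_member_bytes:
                out.append(Member(info.filename, info.file_size, "", ["oversized-skipped"]))
                continue
            h = hashlib.sha256()
            with zf.open(info) as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            out.append(Member(info.filename, info.file_size, h.hexdigest(), classify(info.filename)))
    return out


def suspicious_members(zip_bytes: bytes) -> List[Member]:
    return [m for m in inventory(zip_bytes) if m.flags]


def build_sample_zip() -> bytes:
    """Constructed sample archive; the 'MZ' blobs are placeholders, not real PE files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "driver package notes\n")
        zf.writestr("tnp4e9f.tmp.exe", b"MZ" + b"\x00" * 62)
        zf.writestr("invoice.txt          .exe", b"MZ" + b"\x00" * 62)
        zf.writestr("setup/insthelp.dll", b"MZ" + b"\x00" * 62)
    return buf.getvalue()


if __name__ == "__main__":
    for m in inventory(build_sample_zip()):
        print(f"{m.sha256[:16]:16}  {m.size:>8}  {m.name!r}  {m.flags}")
```

Point it at a real archive with `inventory(open(path, "rb").read())`; because two differently named members with identical bytes produce the same SHA-256, the hash is what to compare against the AV log when a transient tnpXXXX.tmp.exe name has already been blocked and removed.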
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you send that file to samples@eset.com and see what they have to say about it.

    From what I understand of Norton when it detects an unknown virus it calls it Bloodhound.Hybrid virus...

    Let us know how you go...

    Cheers :D
     
  23. DDCchik

    DDCchik Registered Member

    Joined:
    Mar 28, 2004
    Posts:
    39
    It's certainly called all the unknown ones on mine Bloodhound.hybrid. Further information simply tells me it's a blended threat :doubt:

    Doesn't say anything about what you can do - or even what it can do.

    Still - over 20 years of computers and I've only had two viruses - One called Jerusalem 42 and I had to wait 2 weeks for the floppy disk to arrive in the mail o_O to fix it and another one that totally trashed my hard drive despite an up to date AV program installed.

    I'll track it down again and forward it to that address. I've got study tomorrow night so it won't be till the weekend.
     
  24. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    If it's a zip it's not so strange it's not detected when you disable scanning in zipped archives :)
    Can you submit it please to submit@diamondcs.com.au too? Thanks.
    Did TDS tell you anything about it? If it's a real virussy virus TDS is not supposed to detect it, but if it has some sneaky trojan or worm elements it could. And even though NOD32 is for viruses in the first place it detects lots more besides those too. :)
    You do have configured show all hidden files and extensions, do you?
    It could be there, but since a scanner detects it might have disabled all access to it including deletion and even made it invisible for all sight.
    Or maybe an infection hides it or puts it back immediately after deletion. Do the file properties show anything about modification time?
    For instance AVG is known to do so, which is why we recommend every time to close all of that, including its resident protection.
    Not sure if NOD32 or Norton would have that same habit too?
    It is the normal temp directory, and not the history or TIF folder?
    As XP doesn't allow to delete today's "historical" or TIF files if i remember well what i read in several threads about that.

    It could be interesting to see your HJT log and AutoStartViewer log with all scanoptions up for possible suspicious startup files and their locations. http://www.diamondcs.com.au/index.php?page=asviewer (free tool)
    Not sure though if the NOD32 support here allows those logs here?
    Since you're evaluating TDS you can send them to support@diamondcs.com.au too if necessary.

    Nice seeing NOD32 and TDS working together on your system!
     
  25. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Indeed Jooske, and also nice seeing you playing in this end of the park as well ;)

    Cheers :D
     