Nod32 made unoperational by fake antivirus

Discussion in 'ESET NOD32 Antivirus' started by Artorius, Aug 27, 2010.

Thread Status:
Not open for further replies.
  1. Artorius

    Artorius Registered Member

    Joined:
    Aug 27, 2010
    Posts:
    1
    I'm quite disappointed in NOD32. Today I found that an antivirus-like program "checks" my system, imitates the Windows security alerts and disables any program I would like to open, including Task Manager.

    I restarted, managed to kill the process before it appeared on screen. Installed NOD32, made a system check, nothing.

    Then I restarted again, to confront NOD with the virus.

    Amazingly, the virus disabled NOD's real-time protection (protection state said disabled, settings showed it was on). Then I had NOD check the folder where this virus was located (/application data) - it had a single exe file. NOD found nothing.

    So wtf?
     
  2. Rmuffler

    Rmuffler Former Eset Moderator

    Joined:
    Jun 26, 2008
    Posts:
    995
    Location:
    San Diego, CA USA
    Hello Artorius,

    What region of the world are you located? I recommend contacting support to have an engineer assist you.

    Thank you,
    Richard
     
  3. xMarkx

    xMarkx Registered Member

    Joined:
    Dec 1, 2008
    Posts:
    447
    Hello,

    Malwarebytes' Anti-Malware (free version) is good at removing rogue antiviruses that ESET misses.

    Regards,

    Mark
     
  4. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    This is a new Rogue that was just spotted recently. Please remember, no AV/AS application can protect you 100%, 100% of the time you are on the Internet.

    See this thread or go directly to the Removal Guide
     
    Last edited: Aug 29, 2010
  5. piranha

    piranha Registered Member

    Joined:
    Mar 21, 2005
    Posts:
    623
    Location:
    Laval, Québec, Canada
    You are disappointed, but... did you help your AV NOD32?

    Did you protect your AV with a password? It is highly recommended.

    How are your settings? Are you protected against unwanted and/or potentially dangerous apps?

    Were you in a user profile with administrator rights when you scanned with a fake AV? Nobody should browse the Internet with administrator rights. Create a limited-rights profile and browse with it.

    If you did all that right, there is another thing. Be more careful with apps you don't know, that are unknown or very new. I don't know your Windows version, but... if you did accept a fake AV to scan your PC, don't blame only NOD!! You fell into a trap like a newbie; take your responsibility and blame yourself a bit...... :cautious:

    I agree with siljaline, AV can't protect 100%. And most of the time, the weak point is the user, not the AV....

    I don't criticize you, but I am curious about what really happened.......
     
    Last edited: Aug 29, 2010
  6. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Piranha, please give the guy a break.

    It's not always 100% the user's fault for getting his/her computer infected by Fake/Rogue AVs.

    It's kind of tiresome, the same argument I read every day here that "you got a rogue infection because you were running as Administrator"..... Based on that premise, I ask: do only Administrators get hit by Rogues? Standard Users and Restricted Users never get hit by Rogues?

    I have witnessed the reverse. At work, my colleagues and I run as Restricted Users on Win XP SP-3 because of our IT Dept.'s decision. Our company has about 5,000 employees and 80% of them sit at cubicles with workstations running XP. All of them are Restricted Users and, guess what? The IT Dept. receives dozens of calls every week to deal with Rogue AV infections that hit at least 15-20 computers weekly.

    At work, they have McAfee VirusScan Enterprise 8.7i patch 3 and the Antispyware module. They also run Windows Defender on all workstations throughout the company and, having an AV, an AS and the WD have NOT stopped the Fake AVs from infecting machines.

    The ONLY advantage I see from running as a Restricted User is that if your PC gets infected by these Rogues/TDSS combos, the infection is confined to HK_CURRENT_USER hive and will not affect HK_LOCAL_MACHINE hive and the SYSTEM32 folder. Other than that, I see nothing out of the ordinary.

    Being a Restricted User will NOT stop the Rogues from infecting your machine.
    PERIOD.
    Trusted sites like CNN, NYT, BBC, MSN and even Yahoo sometimes have got poisoned by malware writers so you no longer have to seek porn to get a Rogue infection.

    Lastly, regarding the statement that NO Anti-Virus can protect your PC 100%: that is a true statement, but I always think that there is room to IMPROVE. If I myself were an AV vendor and I got 30-50 weekly complaints from users of my AV telling me that the AV solution they are using is letting the Fake AVs slip through, then I would try to work hard on improving the detection rate, either by fine-tuning the heuristics or by adding a behavior blocker. But I would also hunt for malware on those sites that list dangerous URLs to test my AV.


    I know users have to be careful when using the NET but AV vendors also play an important role in this problem.


    Regards,


    Carlos
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Limited users don't have permission to write to any Run key, not even in HKCU. To the best of my knowledge, with limited permissions rogue AVs will only run until the next computer restart, unless they create a shortcut in the Startup folder, to which limited users have full permissions.
     
  8. danieln

    danieln Eset Staff

    Joined:
    Jan 7, 2009
    Posts:
    112
    It's true, a portion of rogues comes via exploits using Adobe products or Java. Sometimes it is enough to visit a hacked legitimate site to trigger an infection. Countermeasures to reduce the risk can be taken (for example, disabling Acrobat JavaScript and disabling the opening of non-PDF file attachments), or various browser plug-ins can be used to enable JavaScript only for the websites where it is desired.
    We always welcome reports/complaints about malicious or hacked legitimate sites which trigger malware infections. Sites serving fake cracks and fake videos can be reported too. Undetected files and URLs should be sent via the known instructions:
    http://kb.eset.com/esetkb/index?page=content&id=SOLN141
     
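    The two Adobe Reader countermeasures named in the post above, as an added PowerShell example that is not from this thread or from ESET. It writes the per-user preferences that back the "Enable Acrobat JavaScript" and "Allow opening of non-PDF file attachments with external applications" checkboxes for every Reader version that has settings under HKCU. The key and value names (JSPrefs\bEnableJS, Originals\bAllowOpenFile) are my reading of Adobe's Acrobat preference reference and are an assumption here; check them against the reference for your Reader version before deploying.

```powershell
# Added example, not from the thread: apply the two Adobe Reader mitigations
# mentioned above for every Reader version with preferences under HKCU.
# Assumption: key/value names follow Adobe's Acrobat preference reference;
# verify them for your Reader version before relying on this.

$base = 'HKCU:\Software\Adobe\Acrobat Reader'
if (-not (Test-Path $base)) { "No Adobe Reader preferences under $base"; return }

Get-ChildItem -Path $base |
    Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |   # version subkeys such as 9.0
    ForEach-Object {
        $verKey = Join-Path $base $_.PSChildName

        # 1. Edit > Preferences > JavaScript > "Enable Acrobat JavaScript" (unchecked)
        $js = Join-Path $verKey 'JSPrefs'
        if (-not (Test-Path $js)) { New-Item -Path $js -Force | Out-Null }
        Set-ItemProperty -Path $js -Name 'bEnableJS' -Value 0 -Type DWord

        # 2. Edit > Preferences > Trust Manager > "Allow opening of non-PDF file
        #    attachments with external applications" (unchecked)
        $orig = Join-Path $verKey 'Originals'
        if (-not (Test-Path $orig)) { New-Item -Path $orig -Force | Out-Null }
        Set-ItemProperty -Path $orig -Name 'bAllowOpenFile' -Value 0 -Type DWord

        # Read the values back so the run shows what was actually written
        "{0}: bEnableJS={1} bAllowOpenFile={2}" -f $_.PSChildName,
            (Get-ItemProperty -Path $js).bEnableJS,
            (Get-ItemProperty -Path $orig).bAllowOpenFile
    }
```

    Because these live under HKCU, the user (or a rogue running as the user) can switch them back on; Adobe also provides administrator-only lockdown keys under HKLM for exactly that reason, which are documented in the same preference reference.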
  9. Rolando57

    Rolando57 Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    24
    No, that is not right. We have the same situation described by Zyrtec in our office (XP SP3, all users running with restricted permissions, NOD32 V4 running). One user got infected by Antivirus 2009 at the beginning of this year, and the .exe loader got started with every restart of the PC, again and again, because of a registry value.

    If you want restricted users to have no permission to write to the registry, this would be a special setup; it's not standard on XP.
     
  10. Rolando57

    Rolando57 Registered Member

    Joined:
    Jan 21, 2009
    Posts:
    24
    That doesnt have any impact on rogue AVs according to ESET support.
     
  11. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA

    Hello,

    I was trying to point that out as well. At work I run my XP SP-3 workstation like everybody else, just as a Restricted User, because the IT Dept. wants it that way, and I can modify entries in the HK_CURRENT_USER hive myself without any problems. However, when I try to tinker with HK_LOCAL_MACHINE, I get an ACCESS DENIED message that states that I cannot make any changes to that particular Registry Key.

    Thus, that is the ONLY advantage I see (at least on Windows XP) of running as a Restricted User: just not giving Malware (and yourself) access to the HK_LOCAL_MACHINE hive and the System32 folder.

    However, Malware can still do some dirty deeds on your PC, like writing entries in the Hosts file, messing up your network settings, damaging your ability to run any .EXE files, etc. So, how dare anyone say that all of that is not DAMAGE to your computer?

    Thank you,

    Carlos
     
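    The disagreement in the posts above, over which autostart locations a limited account can reach, can be settled on the machine in question. What follows is an added PowerShell example that is not from this thread or from ESET: run from the account that picked up the rogue, it tries to open each Run/RunOnce key for writing, probes the per-user and all-users Startup folders with a throw-away file, and lists what is already registered in each location, flagging any entry whose command launches from a user-writable profile directory such as Application Data (where the original poster found the single .exe). The list of "user-writable" directories and the probe-file approach are my choices for this example, not anything documented by Microsoft.

```powershell
# Added example, not from the thread: audit the autostart locations a rogue AV
# can use from the current account and test which of them this account can
# actually write to. Run it as the affected (limited) user, not as an admin.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Per-user and all-users Startup folders (on XP: ...\Start Menu\Programs\Startup)
$startupFolders = @(
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)

# Directories a limited user can always write to (my choice for this example).
# LOCALAPPDATA does not exist on XP; empty entries are filtered out.
$userWritable = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP, $env:USERPROFILE) |
    Where-Object { $_ } | ForEach-Object { [regex]::Escape($_) }

function Test-RegistryKeyWritable {
    param([string]$Path)
    # Open the key with write access instead of dumping the ACL: the open call
    # accounts for group membership and inheritance, a static ACL listing does not.
    $hive, $subKey = $Path -split ':\\', 2
    $root = if ($hive -eq 'HKCU') { [Microsoft.Win32.Registry]::CurrentUser }
            else                  { [Microsoft.Win32.Registry]::LocalMachine }
    try {
        $key = $root.OpenSubKey($subKey, $true)   # $true requests write access
        if ($null -eq $key) { return $false }     # key does not exist
        $key.Close()
        return $true
    } catch {
        return $false                             # access denied
    }
}

function Test-FolderWritable {
    param([string]$Path)
    # Probe with a randomly named empty file, removed immediately afterwards.
    $probe = Join-Path $Path ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

"Account: $env:USERDOMAIN\$env:USERNAME"
foreach ($key in $runKeys) {
    "{0}  [writable: {1}]" -f $key, (Test-RegistryKeyWritable $key)
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }     # skip provider metadata (PSPath, PSDrive, ...)
        $flag = ''
        foreach ($dir in $userWritable) {
            if ("$($p.Value)" -match $dir) { $flag = '   <-- loader in a user-writable directory'; break }
        }
        "    {0} = {1}{2}" -f $p.Name, $p.Value, $flag
    }
}
foreach ($dir in $startupFolders) {
    "{0}  [writable: {1}]" -f $dir, (Test-FolderWritable $dir)
    Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
        ForEach-Object { "    " + $_.Name }
}
```

    On a default XP installation the HKCU keys and the per-user Startup folder normally report as writable for a limited account while the HKLM keys and the all-users Startup folder do not; whatever the output says for a given machine is the answer for that machine, since group policy or a hardened profile can change either result. Running the audit before and after cleaning shows whether the loader's entry is really gone.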
  12. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Maybe this is off-topic, but what do you mean by "Restricted user"? Do you just call a limited user account a restricted user, or is your account part of a Restricted Users group applied by group policy?


    That is correct for limited users.

    There are many advantages by not running as admin. You can read about them here:
    http://technet.microsoft.com/en-us/library/bb456992.aspx

    Perhaps the rogues you see in your company are to some extent the users' fault. A rogue might start with a limited user account, but it could be a downloader and then just a payload showing ads and trying to steal your information. But this is to some extent the user's fault (social engineering). Rogues running as limited users are easy to remove.
     
  13. Zyrtec

    Zyrtec Registered Member

    Joined:
    Mar 4, 2008
    Posts:
    534
    Location:
    USA
    Hey 3GUSER,

    Could you please elaborate just a little bit further what do you mean by “users' fault” for getting their PCs infected by Rogues?

    If one of my colleagues is not savvy enough [like me, for example] and he/she is doing a search on a reputable website [CNN, NYT, BBC, Yahoo, MSN, etc.] and he/she comes across a pop-up message that reads: "DANGER!!! YOUR COMPUTER IS INFECTED, CLICK HERE ON THIS MESSAGE TO CLEAN IT".

    He/she selects CANCEL on the pop-up message and, even by doing so, he/she still triggers a Trojan Downloader download [e.g. trojan Renos] which in turn downloads a Fake AV that messes everything up on his/her PC.... Who would be at fault for this? Our IT Department for not keeping Windows XP, Adobe Reader, Java Runtime Environment, and Flash Player UP-TO-DATE, or the user? [Restricted Users cannot install Adobe Reader, Java or even Flash Player on their PCs].

    I would really like to know your opinion about this...

    Furthermore, why did our AV/AS not trap this threat in the first place?

    Thanks in advance for your reply.

    Regards,

    Carlos

    P.S.: I like the term "Restricted User" more than LIMITED USER ACCOUNT because I'm a Windows NT4, Windows 2000 Pro die-hard user. With XP, Microsoft introduced a new Control Panel applet for user account management, but I didn't like it that much. I always selected Run ---> control userpasswords2 to get the old applet.
     
  14. 3GUSER

    3GUSER Registered Member

    Joined:
    Jan 10, 2010
    Posts:
    812
    Hi Zyrtec .

    First of all, sites like Yahoo, CNN, NYT, MSN generally do not trigger a pop-up saying that you are infected (I have never seen such a pop-up on these legitimate sites). The site must have been hacked, or the computer previously infected, to display the pop-up.

    Then clicking on this pop-up will generally take the user to a fake page that does nothing malicious itself but requests downloading/running a file (this file is the malicious one, and it might require admin rights).

    Yes, you are right; your computers should be protected. Free software like Norton Safe Web or McAfee SiteAdvisor will be of help. They are installed just once and take care of themselves automatically.

    Yes, you need protection. If I were your admin, I wouldn't let users spend their work time on general sites/portals like Yahoo, MSN, CNN, NYT, etc. These and many, many others would be blocked for you.

    However, it takes about 5-10 minutes to explain a few tricks to the end user: what they should and should not do on the computers. Threats are not that dangerous when running a limited user account.

    Limited user account, education, protection - three important ways to keep a workstation protected.

    Greetings! :thumb:
     
  15. volvic

    volvic Registered Member

    Joined:
    Aug 17, 2009
    Posts:
    220
    Why does your website say in large print 'Work. Play. Connect. We'll make sure you're safe on the Internet'?

    Should it be 'Sometimes we'll make sure you're safe on the Internet'?
     