NOD32/TH scan issue

Discussion in 'NOD32 version 2 Forum' started by spy1, Feb 4, 2006.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    but it's only doing so when I run a "Full Scan" with TrojanHunter:

    2/2/2006 23:42:39 PM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\DOCUME~1\spy1\LOCALS~1\Temp\SEk.exe is infected with probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus.

    2/4/2006 12:19:54 PM - AMON - File system monitor Threat Alert triggered on STEVEN-KDHP68D1: F:\DOCUME~1\spy1\LOCALS~1\Temp\dK1TGgn.exe is infected with probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus.

    Anyone else that's running both programs seeing this? Pete
     
  2. i_kenefick

    i_kenefick Registered Member

    Joined:
    Nov 29, 2005
    Posts:
    135
    Location:
    Cork, Ireland.
    sample@eset.com is the next stop for you I think. I think that they will determine if this is a false positive or not. ESET are pretty fast in rectifying false positives. I know Nigel Cooke from the support department (support@eset.com) has replied to me in minutes in situations before. Nice chap too!
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Done. Sent all four items in the folder to that address just seconds ago. Pete
     
  4. FanJ

    FanJ Guest

    Hi Pete,

    I myself let other scanners (like TH) only do a full system scan while other resident scanners (like NOD) are temporarily disabled and internet connection is closed, or I scan in safe mode.
    In my humble opinion that's the way it should be done (but others might have a different opinion...).
    Of course there are exceptions (for example, no problem here letting NOD do a full scan with BOClean resident).

    Well, only my 2 cents ;)

    Warm regards, Jan.
     
  5. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Hi, Jan! Good to hear from you again.

    Yes, I realize that scans are supposed to be run separately, with other resident scanners shut down.

    Like you, though, most everything I've got here plays well together (doesn't set off false-positive alerts from each other). That's the way I like it to happen, which is why I try to get these kinds of things sorted out, if possible.

    Who knows? Either I may have a real, genuine, bona-fide threat here - or perhaps one program or the other can be improved by finding out what's going on and getting it corrected.

    I'm happy with either result. Pete
     
  6. FanJ

    FanJ Guest

    Hi Pete,
    Thanks my dear old friend.
    I understand what you're saying.
    Most warmest regards, Jan.
     
  7. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    This is not what I would call a very effective response to the email I sent with the quarantined files attached:

    "Hello,

    You must be using an outdated version of NOD32. I checked both files and my
    NOD32 didn't report anything.

    Best regards,

    Mark

    Eset
    Technical Support
    Slovakia

    Web: www.eset.com
    Email: support@eset.com"

    If my copy of the program is "out-dated" (which would be odd, considering the fact that I just re-installed the whole thing in January of this year) - could someone please point out to me what part of it is "out-dated"?

    NOD32 antivirus system information
    Virus signature database version: 1.1393 (20060203)
    Dated: Friday, February 03, 2006
    Virus signature database build: 6724

    Information on other scanner support parts
    Advanced heuristics module version: 1.026 (20060119)
    Advanced heuristics module build: 1104
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.040 (20051222)
    Archive support module build version: 1142

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.50.45
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.50.45
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.50.45

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 1024 MB
    Processor: AMD Athlon(tm) Processor (1325 MHz)
     
  8. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Hmm.. Think I have the same

    NOD32 antivirus system information
    Virus signature database version: 1.1393 (20060203)
    Dated: 3. february 2006
    Virus signature database build: 6724

    Information on other scanner support parts
    Advanced heuristics module version: 1.026 (20060119)
    Advanced heuristics module build: 1104
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.040 (20051222)
    Archive support module build version: 1142

    Information about installed components
    NOD32 For Windows NT/2000/XP/2003/x64 - Base
    Version: 2.51.20
    NOD32 For Windows NT/2000/XP/2003/x64 - Internet support
    Version: 2.51.20
    NOD32 for Windows NT/2000/XP/2003/x64 - Standard component
    Version: 2.51.20

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 2
    Version of common control components: 5.82.2900
    RAM: 1024 MB
    Processor: AMD Athlon(tm) 64 Processor 3200+ (2010 MHz)
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Your "installed components" (2.51.20) seem to be a later version than mine (2.50.45).

    Methinks I may owe Mark an apology! Pete

    Oh, heck - You've got the 64-bit version of Windows XP - I don't. Pete
     
    Last edited: Feb 5, 2006
  10. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    The 64-bit package includes the 32bit drivers as well. It should automatically decide which drivers to install :) (It did for me :))
     
  11. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, I had the most up-to-date stuff for my OS to start with. Pete
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    That's odd, I scanned both files you sent with update 1.1393 and all settings maxed out, and it didn't report a thing. I assume you didn't send us the correct files.
     

    Attached Files: scan.jpg (64.6 KB)
  13. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Marcos - Yes, I believe my point was that there is nothing wrong with the files I sent you out of NOD's "Quarantine" folder (I sent the whole folder - it contained four files).

    I went ahead and re-installed NOD yesterday (fresh copy, after correctly un-installing the copy I had), so I'll see if the problem continues. I have NOD set to do nothing but "Prohibit Access/Prompt" in all modes, so it won't automatically fix or quarantine anything it alerts on - I may be able to get better copies of things to send that way.

    I'll keep you informed. Pete
     
  14. RuyLopez

    RuyLopez Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    44
    Location:
    USA
    Spy1,

    I run both NOD32 and TrojanHunter. My NOD32 is identical to the system information given on your post above. TH is v4.2 (Build 908) and the definitions are up to date.

    I have never observed a TH full scan give any alert to any component of NOD32. I do not disable NOD32 before running TH by the way, nor is any part of NOD32 on my TH ignore list.
     
  15. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, well it invariably happens any time I run a "Full Scan" with TrojanHunter here.

    The only thing I can think of that might relate to the NOD alert (in the TH scan results, that is) is something like this:

    F:\DOCUME~1\spy1\LOCALS~1\Temp\ek2oq.exe Not scanned (in use by another application

    I'd also like to mention that - although I have everything in NOD, all modules, set to do no more than "Alert", that it's clear from the screenshot that it's not listening, as the file alerted on was quarantined.

    Why is that?
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    What's also happening is that the exe supposedly found (ek2oq.exe) is the one being quarantined by NOD - because doing a "Search" for it (including all hidden files and folders, of course) doesn't find that exe.

    So, is the "ThreatSense" mechanism in NOD automatically sending this file for evaluation, too - or not? Shouldn't it be?

    (I just re-checked that setting and it was set to "Quarantine" items found - I either missed that one or it re-set itself [AMON/Setup/Actions] ). Pete
     
  17. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I give up. See screenshot for the TH scan I just now ran again. While you're looking at that, bear in mind that I ran this scan after having run both CleanCache 3.0 and CCleaner v.1.26.218 - there shouldn't have been any "temp files" for the programs in question to find.

    The only conclusion I can come with for that is that the "temp file" itself is being created by one of the two programs in question while the TH scan is taking place.

    From the TH scan results screen:

    F:\DOCUME~1\spy1\LOCALS~1\Temp\XHS.exe Not scanned (in use by another application)
     
  18. RuyLopez

    RuyLopez Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    44
    Location:
    USA
    If you want to attempt to identify the source of the TEMP file, try FileMon from sysinternals.

    http://www.sysinternals.com/Utilities/Filemon.html

    Download is at bottom of page and it is free.

    I had a similar type of issue with PestPatrol identifying a TEMP file generated by ZoneAlarm as being infected with MidAddle. FileMon picked up the creation of the TEMP file without difficulty. You will need to play with the Filters so that you are not inundated with activity.
     
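    The practical obstacle in this thread is that the randomly named file in the Temp folder is gone (quarantined, deleted, or "in use by another application") before a copy can be sent to the vendor, and RuyLopez's FileMon suggestion covers finding which process creates it. The following is an added example, not code from this thread, from ESET or from Mischel (TrojanHunter's author): a small Python poller that snapshots a directory, copies every file that newly appears into a capture folder, records its SHA-256, and keeps retrying files it could not copy because they were locked. The directory names, the `constructed_sample.exe` file and the timings in `demo()` are constructed for illustration; it makes no assumption about how either scanner works internally.

```python
"""Capture transient files that appear in a directory while another tool runs.

Added example for the discussion above; not part of the original forum thread
and not code from ESET or Mischel. It only polls a directory, copies files
that appear between two snapshots, and hashes the copies, so a sample survives
even if the original is quarantined or deleted a moment later.
"""
import hashlib
import os
import shutil
import tempfile
import threading
import time
from typing import Dict, List, Set


def snapshot(directory: str) -> Set[str]:
    """Return the names of the regular files currently in *directory*."""
    with os.scandir(directory) as it:
        return {entry.name for entry in it if entry.is_file()}


def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def capture_new_files(directory: str, before: Set[str], capture_dir: str) -> List[Dict]:
    """Copy every file in *directory* that is not in *before* into *capture_dir*.

    Returns one record per new file. Copy first and hash the copy, because the
    original may vanish (quarantine, cleanup) between the two operations.
    """
    os.makedirs(capture_dir, exist_ok=True)
    records = []
    for name in sorted(snapshot(directory) - before):
        src = os.path.join(directory, name)
        dst = os.path.join(capture_dir, name)
        try:
            shutil.copy2(src, dst)
        except OSError as exc:  # locked by another process, or already gone
            records.append({"name": name, "copied": False, "error": str(exc)})
            continue
        records.append({"name": name, "copied": True,
                        "sha256": sha256_of(dst), "size": os.path.getsize(dst)})
    return records


def watch(directory: str, capture_dir: str, seconds: float, interval: float = 0.2) -> List[Dict]:
    """Poll *directory* for *seconds*, capturing anything that appears.

    Files that could not be copied stay out of the "seen" set so they are
    retried on the next poll; the failure is recorded only once per file.
    """
    seen = snapshot(directory)
    pending: Set[str] = set()
    records: List[Dict] = []
    deadline = time.monotonic() + seconds
    while time.monotonic() < deadline:
        time.sleep(interval)
        for rec in capture_new_files(directory, seen, capture_dir):
            if rec["copied"]:
                seen.add(rec["name"])
                pending.discard(rec["name"])
                records.append(rec)
            elif rec["name"] not in pending:
                pending.add(rec["name"])
                records.append(rec)
    return records


def demo(seconds: float = 1.5) -> List[Dict]:
    """Constructed scenario: a file appears after 0.3 s and is removed at 0.9 s,
    standing in for a scanner's short-lived temp file. Returns the records."""
    watched = tempfile.mkdtemp(prefix="watched_")
    captured = tempfile.mkdtemp(prefix="captured_")
    path = os.path.join(watched, "constructed_sample.exe")  # constructed name

    def writer() -> None:
        time.sleep(0.3)
        with open(path, "wb") as f:
            f.write(b"MZ constructed sample, not a real executable")
        time.sleep(0.6)
        os.remove(path)  # simulates quarantine or cleanup of the original

    threading.Thread(target=writer, daemon=True).start()
    return watch(watched, captured, seconds)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

    Run it against the real Temp folder (the `F:\DOCUME~1\spy1\LOCALS~1\Temp` path from the posts above) for the duration of a TH full scan, and the capture folder will hold a copy and hash of each file that appeared, which is what a vendor's sample address needs; the hash also lets two people confirm they are looking at the same file, which is the mismatch Marcos and Pete ran into.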
  19. oldhead

    oldhead Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    8
    Location:
    Jersey
    spy1,

    I'm having exactly the same problem and NOD32 and TH have been happily married for quite some time b4 this started on Jan. 26.

    When I run TH full scan, even 2 or 3X in a row, it displays a NOD AMON alert indicating a different file each time from the same location. AMON is set to prohibit access and show options and it indicates that it is quarantining the files but when I check in Quarantine it is empty.
    I have NOD set to scan after updates, but that scan never picks this up, even on in-depth analysis, only with TH.

    I'm still on the upside of the learning curve (sounds better to me than newbie...lol) so any suggestions on adjusting any settings in NOD are welcome.

    Is there a way to configure NOD to highlight "Submit for analysis" when the alert window displays?
    It would seem that an alert indicating a "probably unknown" anything would or should prompt to submit the file!

    Thanks in advance for any help! Jeff
     
    Last edited: Feb 8, 2006
  20. oldhead

    oldhead Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    8
    Location:
    Jersey
    It was my understanding that NOD is the other application referred to. When TrojanHunter scans, it unpacks all files but cannot scan that file as NOD detects the probably unknown virus and reacts. All my scans always show file as in use as well.

    Why would NOD not pick this up itself?

    Did eset acknowledge that they actually received files to check? I ask as I've never had any luck submitting these results to them.
     
  21. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  22. oldhead

    oldhead Registered Member

    Joined:
    Feb 6, 2006
    Posts:
    8
    Location:
    Jersey
    Is that because, since TrojanHunter never picked up on this type of virus (by design?), when you ran the TH scan with NOD32 off there was no way to detect any TSR DRIVER virus and determine where it was unpacked from?

    Since the infected files are different every time it's seemingly impossible to search and see if they already exist or are somehow being created when TH full scans.

    spy1- I notice in one of your posts that you had sent eset a folder with four (4) files, but they indicated that they had checked both without result. What happened to the other two?
    I hope between eset and Mischel we can figure this out!
     
    Last edited: Feb 6, 2006
  23. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Okay, thanks to Gavin Coe on the TH forum, what's causing it here is that when TrojanHunter scans the MCANSI.DLL in the F:\Program Files\Microsoft Office\Office10 folder, it for some reason causes that dll to generate a randomly-named exe that NOD's AMON monitor then alerts on.

    I guess I could "Exclude" that in NOD - hopefully just the dll and not the entire folder.

    Thank you to everyone who contributed to resolving this. Pete
     
  24. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Excluding the MCANSI.DLL in NOD didn't solve the issue - NOD's AMON still alerts.
     
  25. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    So due to some advice from Magnus, I "Excluded" the same file in TrojanHunter.

    Which worked. No more false alerts. Thanks, guys! Pete
     