Open Files With Trojans

Discussion in 'NOD32 version 2 Forum' started by joe123, Jan 22, 2007.

Thread Status:
Not open for further replies.
  1. joe123

    joe123 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    14
    Hi.

    I am currently evaluating NOD32 AntiVirus which is great so far. I had Norton before which is pure crap.

    I have a question regarding NOD32 not being able to verify files which are "Open". I recently got Infected with a Trojan and NOD32 was not able to see it because during the NOD32 full system scan, it by-passes all open files.

    SpySweeper was able to detect the Trojans which were "open files" and got rid of them. So my question is, is there a way to tell NOD32 to process all open files when scanning?
     
  2. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    firstly, almost all threat protection systems have issues with files held open by the Operating System - a scan and clean in safe-mode normally sees to them.

    But - and this is more worrying... did the threat get onto the system BEFORE you isntalled NOD32 - or after?

    If after, make sure you have potentially dangerous applications checked and that your settings are as per the extra settings thread:

    https://www.wilderssecurity.com/showthread.php?t=37509

    If before - then an already running threat must be removed with a safe-mode scan and clean (again - make sure you have extra setting thread complete before doing this).

    hth

    Greg
     
  3. joe123

    joe123 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    14
    Hi Greg.

    No, the Trojan got in BEFORE I had installed NOD32. NOD32 was able to find 4 virues that Norton missed. So I let NOD32 fix the 4 viruses, ran NOD32 full in-depth scan again and all was well with NOD32, except that it was reporting some strange files as OPEN. I then scan my PC with NOD32 in "Safe Mode" again and nothing was found (all was well).

    So I downloaded SpySweeper and it found the Trojans hidding in those open files.

    Does the "potentially dangerous applications" check box basically mean to have NOD32 process OPEN files as well?
     
  4. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    nope - potentially dangerous applications means some classes of trojans.

    safe mode *AND* potentially dangerous application is needed to be sure you've got a thorough scan of a machine that was previously less than 100% protected.
     
  5. joe123

    joe123 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    14
    Can't Trojans hide as Open Files even in Windows Safe Mode? Sorry if this is a dumb question.

    I know that I did not have those boxes checked when I ran my NOD32 scan in Safe Mode, but NOD32 did not find the Trojans.

    I guess that I am wondering if SpySweeper is better than NOD32 or just the I had not checked those boxes off in NOD32?
     
  6. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    joe123,

    yes - in theory they can. But a windows machine in safe-mode has a much lower number of files opened and locked, because it's running a much smaller setup, this means that files held open in "normal" mode are practically always NOT running - so they are able to be scanned.

    I'm not a windows guru (and the first to admit it) - perhaps someone from Eset can chime in and help with the final bit of this explanation.

    hth though

    Greg
     
  7. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    I got a PM from a member asking if potentially dangerous and potentially unwanted application are the same... well I don't think so - and here is why:

    if you open the control center - AMON setup - Options Tab - you should see two options:

    Potentially unwanted applications (spyware really)
    and
    Potentially unsafe applications (management tools etc).

    I am unsure how Eset now classifies certain programs - but perhaps Marcos or someone else in Eset can help with a clarification... we should ask I suppose!

    Could someone within Eset clarify the differences between them - I was only able to find a help text description of unwanted, and it wasn't an extensive explanation of the term.

    cheers

    Greg
     
  8. joe123

    joe123 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    14
    If Eset replies, one more question for you please:

    Why does NOD32 not process or try to process "OPEN FILES" for Viruses/Trojans?

    I recently ran NOD32 (both in Normal and Safe Mode) and it missed Trojans that were inside OPEN FILES.

    SpySweeper running in normal Windows mode was able to detect the Trojans inside the OPEN FILES.

    Any way to tell NOD32 to look inside OPEN FILES like SpySweeper does?
     
  9. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi Greg,

    That was me ;)

    I think the term "potentially dangerous application" isn't used (anymore) in NOD32.
     
  10. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    yes, I have to update my verbiage - it's a difficult habit to break after several years! ;)
     
  11. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    LOL, I have the same ;)

    Cheers, Jan.
     
  12. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    OK, let's go back to the original question

    I'm glad you like it !

    Hmmm, I would like to suggest to refrain from such statements; sorry.

    Which Trojans were detected by SpySweeper and in which files?
     
  13. joe123

    joe123 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    14
    Sure thing about bad language. Here, let me re-stated it: Norton software while very promissing and surprinsly refreshing UI User Interface which dazzled my eyes for hours on end, was a little short coming in the detection of certain viruses.

    As to the Trojans that SpySweeper detected, sorry, I deleted them. It was a variation of the Trojan that hides as ____.tmp.exe So it shows up as a tmp file when you have "don't show extensions" on Windows view.
     
  14. joe123

    joe123 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    14
    Another question about OPEN FILES:

    Is it normal to have these Open files while scanning in Safe Mode:

    C:\Windows\system32\config\SAM
    C:\Windows\system32\config\SAM.LOG

    and
    C:\Windows\system32\config\default <---- Access denied?
     
  15. FanJ

    FanJ Updates Team

    Joined:
    Feb 9, 2002
    Posts:
    2,564
    Hi,

    The message from NOD32 on my XP-home when scanned in Safe Mode (internet connection was closed by me on the router) about those three, is:

    error opening [File Locked] [4]
    Notes:
    [4] File cannot be opened. It may be in use by another application or operating system.

    PS:
    On a side-note: you said that you had Norton previously installed. Did you completely remove it from your system before installing NOD32?
    And which OS are you running?
     
    Last edited: Jan 22, 2007
  16. joe123

    joe123 Registered Member

    Joined:
    Jan 22, 2007
    Posts:
    14
    Yes, I had Norton 2005 and I used Norton Removal Tool which is supposed to remove all.

    I also used a RegEdit program to clean out the rest as Norton leaves some things behind. I then removed all files of Norton, Symantec, LiveUpdate, etc.
     
Thread Status:
Not open for further replies.