Should NOD32 catch Spyware Quake trojan?

Discussion in 'NOD32 version 2 Forum' started by supergravy, Jul 25, 2006.

Thread Status:
Not open for further replies.
  1. supergravy

    supergravy Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    17
    Location:
    Oxford, UK
    I am a long-time NOD32 user with fairly strong PC skills and some network admin experience. Having cleaned spyware from a number of client, family and friends' PCs, I am all too familiar with the mess spyware can create. What I am not used to is having spyware unintentionally infect one of my personal machines.

    Last night a full scan with Spyware Doctor indicated that Spyware Quake had infected my machine. The infected machine is running WinXP SP2 with NOD32 v2.5 and Outpost Pro v3.5 (spyware plugin active), all updated and current. I was not using any other real-time protection programs.

    I would have expected NOD32 to catch this problem up front, as it has never let me down before and it is reported to have recognised earlier versions of this infection. Wondering if my expectations are too high? Also wondering just how effective the Outpost spyware plugin is, although I only recently began using Outpost. I am now wondering if it might be best to leave Spyware Doctor running real-time, something I had avoided due to resource usage and a lack of perceived need.

    Anyone have any experience with Spyware Quake and these applications? Cleanup went smoothly, but now I am just a bit more paranoid than before.
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    The question is whether you perform a full system scan with all settings maxed out on a regular basis. If the app got to the disk a long time ago when there was no signature for it and hasn't been accessed since then, there was no chance NOD32 could catch it. To my best knowledge, Spyware Quake's executables are detected.
     
  3. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    If the file is still in Spyware Doctor's quarantine, I would restore it and then put it in a password-protected archive (make sure to include the password in the email) and send it to samples [at] eset.com. They usually like it when you include a link to your Wilders thread as well. If this particular piece of spyware should be detected by NOD32, they'll make sure the defs are added.

    -Cov
     
  4. supergravy

    supergravy Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    17
    Location:
    Oxford, UK
    I am fairly certain that this happened within the last three days, as SD had shown me as clean at that point in time. I also ran a full NOD32 scan the night before finding the infection and got a clean bill of health. Not sure if it was missed or just hadn't hit my machine yet. By the way, I did not experience any pop-ups or strange browser behaviour, so the infection might have been less than a couple of hours old.

    To be honest, I am usually very lazy about running full scans of anything, as NOD32 has done such an excellent job of protecting me. This week I have been in a "security mood", as I was experimenting with Jetico, Comodo and Outpost.

    I will check SD's quarantine tonight and see about sending it to ESET. Thanks for the tip.
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi supergravy, welcome to Wilders.

    Could you please check your settings against those found HERE; this tutorial includes setting up an automated weekly scan.

    After having a run through the tutorial, please run a further scan by clicking on NOD32 Control Centre > NOD32 > Run NOD32 > Scan and Clean.

    Let us know how you go...

    Cheers :D
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Here's proof that NOD32 actually detects it:
     
    Attached file: sq.JPG (screenshot, 60.1 KB)
  7. supergravy

    supergravy Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    17
    Location:
    Oxford, UK
    Hi Blackspear. I have been using the tutorial settings all along! I am a first-time poster but a very long-time lurker. Thank you for the excellent tutorial, by the way. I did not have the scheduled scan going, though, and have now changed this to your recommendation.

    And don't get me wrong, I do believe that NOD32 can and should catch this. Just that somehow it didn't in my case... :( I will unquarantine it tonight and do some experimenting.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see.

    I started out the same :D

    My pleasure.

    Excellent, it is a really important part of the tutorial.

    Look forward to the results.

    Cheers :D
     
  9. supergravy

    supergravy Registered Member

    Joined:
    Jul 25, 2006
    Posts:
    17
    Location:
    Oxford, UK
    Just had a thought on this issue...

    Does anyone know if a problem such as Spyware Quake could be delivered through Java? I have created an exception in NOD32 for javaw.exe so that I am able to use a Java-based proxy tunnel program (your-freedom-net) and other Java-based apps that crash out without this exception. Maybe this slipped through via this route sometime after my last NOD32 scan?
     
  10. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    AMON should then have caught the file on creation, though, once it made it to your HDD.

    -Cov
     
  11. ASpace

    ASpace Guest


    JAVA RE is an application which is famous for its vulnerabilities, and thus it was (is) easily manipulated by the SmitFraud family. SpywareQuake is part of this malware family.

    Make sure your JAVA version is the latest by:
    • Going to Control Panel -> Add/Remove Programs and removing the 'JAVA RE' entries
    • Going to C:\Program Files and manually deleting the JAVA folder
    • Going to www.java.com -> Download section and downloading and installing the latest version of the software
     