Something got through undetected

Discussion in 'ESET NOD32 Antivirus v4 Beta Forum' started by vasamreddy, Jan 4, 2009.

Thread Status:
Not open for further replies.
  1. vasamreddy

    vasamreddy Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    7
    I was browsing the idlebrain.com website (it is a website about indian movie news and reviews). NOD32 gave alerts and quarantined "TrojanDownloader.Agent.OOL" and "BHO.NKU" trojans.

    All the icons on the desktop and my taskbar disappeared. When I checked the processes running, "explorer.exe" was not running anymore. When I restarted the explorer manually, the icons keep appearing and disappearing all the time.

    I ran a quick scan using "Malwarebytes" and it found and cleaned 13 infections. This solved the problem with my explorer too.

    May be someone at ESET should do some guerrilla testing by visiting idlebrain.com and see how many trojans are missed by NOD32.

    To be honest, I didn't run a full scan by NOD32 before running Malwarebytes. But, I thought NOD32 with such good proactive ratings, would be able to pick it up and clean it. Also, I haven't tried the proactive version of Malwarebytes(not free) yet.

    Oh, BTW NOD32 is running at default security level (I didn't modify any of the settings).

    EDIT: Sorry for not providing the full list of infections detected by Malwarebytes AntiMalware earlier. Here it is from the logs
    http://i40.tinypic.com/xm357c.jpg

    PS: I am an ex-Norton customer trying out the NOD32 V4 beta after reading reviews at av-comparatives.org and newegg.com.
     
    Last edited by a moderator: Jan 4, 2009
  2. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    The files that MWB picked up were most likely remains of the active files nod32 cleaned and were not running as processes. nod32 would have most likely cleaned them had you ran a scan.

    If you want to test, you can restore the files from the MWB quarantine to a folder where they won't be executed (create one somewhere) then scan then with nod32. Do not restore the registry entries, the "HKEY" stuff.

    If they are not detected, zip them up with a password "infected" and email them to samples("at")eset[dot]com.
     
  3. vasamreddy

    vasamreddy Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    7
    I deleted the quarantine files already. When I got the alerts from NOD32, I submitted the files using that popup.

    what surprised me is that NOD32 didn't prevent my explorer from getting corrupt like that. This is the second time it happened to me. The first time it happened, I had Norton Internet Security (on a 3 year license about to expire soon). I just restored my system to the previous day's checkpoint using Windows' System Restore. At that point, I checked the reviews on the internet and decided to try this beta version.

    I am not sure why NOD32's quarantine log never showed any signs of Vundo. Hopefully someone is already working on this at ESET.

    Thanks for the reply.

    EDIT: I just purchased MBAM to get their realtime protection. Would this conflict in anyway with NOD32's realtime protection? I hope not, because I love both of them so far.
     
    Last edited: Jan 4, 2009
  4. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Not sure why you deleted the quarantine files, kinda defies the point of quarantine.

    Submitting files already detected by nod32 won't help.

    Unless you physically downloaded this file, it means it drive-by forced it's way on your system, which means you have software not up-to-date on your computer that has an exploit in it. This isn't either ESET's nor Symantec's fault. Possible causes are: Out-of-date windows, browser(IE/firefox/etc), flash player, java player. There was quite a recent exploit in IE about a week or so ago that spread rapidly in exploitation.

    Yes having more than 1 real time protection will conflict and end up in unexpected behavior ranging from over-scanning files, high CPU usage and possible software confusion errors caused by missing infected files.

    You say nod32 quarantine didn't show signs of vundo yet you also say you submitted files, how did you submit it and what did you submit?
     
  5. vasamreddy

    vasamreddy Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    7
    sorry for being such a noob, wish I could be of more help. I have this tendency to take a look at what has been quarantined and I delete all the quarantined files (may be I am too paranoid). From now I on, I will keep the quarantine files. Thanks for the advice.

    I am not a risk taker to download something bad willingly. I regularly browse a few websites. This afternoon, everything was working fine. I visited only two websites "teluguone[dot]com" and "idlebrain[dot]com" and my explorer (not IE) got screwed up. I suspect the second one to be the culprit.

    I read on some other forum (probably HijackThis forum), that I need to update my Java Run Time. I just did that. Both IE and Firefox seem to be up to date.

    Regarding the files submitted, I just clicked yes, when NOD32 gave a prompt asking me whether I wanted to submit suspicious files. Do not remember what specific file it was.

    PS: I blame myself for starting a thread with no useful info. If any moderator is around, please feel free to delete this thread. I apologize for the inconvenience.
     
  6. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    It's not useless, because we're giving you advice here. It could quite possibly be Java. The latest java is Java 6 Update 11. The problem with Java is it doesn't overwrite itself, it installs new copies. You need to go to add/remove and remove all java that isn't 6 Update 11.

    Then download the Secunia PSI and do a scan and tell me if it reports more exploits: http://secunia.com/vulnerability_scanning/personal/
     
Thread Status:
Not open for further replies.