surila.b

Discussion in 'NOD32 version 2 Forum' started by rheumatoid, Sep 24, 2004.

Thread Status:
Not open for further replies.
  1. rheumatoid

    rheumatoid Registered Member

    Joined:
    Jul 9, 2003
    Posts:
    49
    Location:
    Norwich, U.K
    I have never had a virus before using Nod32. I used McAfee before and, although it was a resource hog, made my system unstable and conflicted with other s/ware, it never let anything through.
    Nod let something through a couple of months ago and surila in the last couple of weeks. It doesn't even detect it when online scans at trendmicro and panda both detect it. I would have remained oblivious if my ISP's outgoing mail servers had not detected it. I have the latest version with all updates.
    I am starting to get the feeling I should not have bought a 3 year license and gone for something else instead. I would be interested to hear the Nod aficionados' and evangelists' view on this.

    Jon
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,719
    Location:
    Texas
    rheumatoid

    NOD detected this by definition as of June 22, 2004. What was the other virus you had earlier?
     
  3. rheumatoid

    rheumatoid Registered Member

    Can't remember the previous one, but why is Nod not seeing it now even though online scanners see it?
     
  4. ronjor

    ronjor Global Moderator

    Good question. It may not be active. This is from the NOD help file.

    Note that in many cases (especially with Win32 worms), the “infected” file is just the body of the worm. Since a file of this type contains no useful data, it is simply deleted instead of cleaned.

    If you still have it, you could send a copy to samples@nod32.com or samples@eset.com, and get them to analyze the file.
     
  5. rheumatoid

    rheumatoid Registered Member

    Presumably it is active if the outgoing mail server detected it? :(
     
  6. ronjor

    ronjor Global Moderator

    Since it is a backdoor spammer, it may be active.

    I would send Eset a sample.
     
  7. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    What file type was it in? What are your settings? Did you mail the file in question to www.virustotal.com? If not, could you? See if the NOD version they use picks it up. Most important, however, is what are your settings? Did you leave NOD as is? Which version? 2.000.9? 2.12.1 or 2? Too many variables involved for now.
     
  8. rheumatoid

    rheumatoid Registered Member

    I have a fair bit of experience with Nod32 and have settings turned to max in terms of heuristics and scanning all files. Info below. Unfortunately I took no risks and let Panda disinfect. All I know is its file name was svkp*.* (can't remember all of it) and it was in the system directory.

    NOD32 Antivirus System information
    Virus signature database version: 1.876 (20040924)
    Dated: 24 September 2004
    Virus signature database build: 4859

    Information on other scanner support parts
    Advanced heuristics module version: 1.010 (20040902)
    Advanced heuristics module build: 1061
    Internet filter version: 1.002 (20040708)
    Internet filter build: 1013
    Archive support module version: 1.021 (20040917)
    Archive support module build version: 1101

    Information on installed components
    NOD32 For Windows NT/2000/XP/2003 - Base
    Version: 2.12.2
    NOD32 For Windows NT/2000/XP/2003 - Internet support
    Version: 2.12.2
    NOD32 for Windows NT/2000/XP/2003 - Standard component
    Version: 2.12.2

    Operating system information
    Platform: Windows XP
    Version: 5.1.2600 Service Pack 1
    Version of common control components: 5.82.2800
    RAM: 1023 MB
    Processor: AMD Athlon(tm) 64 Processor 3000+ (2002 MHz)
     
    Last edited: Sep 24, 2004
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Trojans tend to inject themselves into memory; the only way to rid them once this has happened is to run a scan in "Safe Mode".

    By the sounds of it you were infected prior to the latest release of Nod32 v2.12.2, is this correct?

    Just to be sure EVERYTHING is gone and your system is TOTALLY clean, can you do the following (which presumes nothing, so please don't take offence that I am trying to tell you how to "suck eggs", so to speak ;) )


    Step 1. Install Zone Alarm (free) – Firewall with visual outgoing alerts to see what is trying to access the internet.
    http://www.zonelabs.com


    Step 2. Download Stinger available here: do NOT run this YET.
    http://vil.nai.com/vil/stinger/


    Step 3. Download Ewido – Anti-Trojan Software, Install and update it. do NOT run this YET.
    http://www.ewido.net/en/


    Step 4. MAKE SURE NOD32 IS FULLY UP TO DATE with the latest virus signatures.


    Step 5. Turn OFF System Restore, this process depends on your operating system:


    Windows XP Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on the "System Restore"
    4. Place a tick in "Turn off System Restore on all Drives"
    5. Click OK
    6. Close and restart your system.


    OR


    Windows ME Instructions

    1. Right click on the "My Computer" icon on the Windows desktop
    2. Click "Properties"
    3. Click on "Performance"
    4. Click "File system"
    5. Click "Troubleshooting"
    6. Check "Disable system restore"
    7. Click on OK
    8. Close and restart your system.


    Step 6. Delete your TEMP files by doing the following: open up Internet Explorer> Tools> Internet Options> General TAB> Temporary Internet Files> Delete Files> Delete All Offline Content.


    Step 7. Restart your system again in “SAFE MODE” by pressing/tapping F8 while booting up.


    Step 8. Start a scan with Nod32 while in SAFE MODE by doing the following: Start> All Programs> Eset> Nod32.


    CHECK THE FOLLOWING BEFORE YOU START YOUR SCAN:

    “Actions” TAB
    Make sure Quarantine is ticked, both for “If a virus is found” and “Uncleanable viruses”.

    “Setup” TAB
    Objects to diagnose – place a tick in all boxes.
    Diagnostic methods – place a tick in all boxes.
    Heuristic sensitivity – place a tick in “Deep”.
    Extensions – place a tick in “Scan all files”.

    “Scanning targets” TAB
    Double click on ALL of your Hard Drives so there is a RED tick shown
    Click “Clean”


    Make SURE Quarantine is ticked with EVERYTHING that is detected BEFORE you DELETE anything that is found. If you are not sure whether it is safe to delete an infected file, quarantine allows restoration of a file at a later time/date.


    If the scan finds a “Probable NewHeur_PE virus found”, please do the following:

    1. Place a tick in the Quarantine check-box
    2. Select Delete
    3. Send the quarantined file to Eset: samples@nod32.com. This file can be found here: C> Program files> Eset> Infected


    Step 9. Run a scan with “Stinger” the program you downloaded above.


    Step 10. Run a scan with “Ewido” the program you downloaded above.


    Step 11. Reboot your system into normal mode.


    Step 12. Run a further online scan found here: http://housecall.trendmicro.com/


    Step 13. Install update and run Spybot Search and Destroy (free) – Spyware removal and protection, with registry monitor.
    http://beam.to/spybotsd


    Step 14. Install update and run Adaware (free) – Spyware removal. What Spybot Search and Destroy doesn’t pick up, this will.
    http://www.lavasoftusa.com


    Step 15. Install and run CWShredder available here:
    https://www.wilderssecurity.com/showthread.php?t=14086


    Step 16. Make sure your Windows is FULLY up-to-date by doing the following: While on the Internet, Click on Internet Explorer (the Blue “e”), Click on Tools (on the bar at the top of your screen in Internet Explorer), Click on Windows Update. This will take you to the Microsoft Windows Update page where you need to follow the on screen prompts, starting with “Scan for Updates”. Install ALL “Critical Updates” and “Service Packs”.

    WEEKLY – check this is “Up to Date”.



    REPEAT ALL THE ABOVE STEPS, this time EVERYTHING should come up clean…



    For the most part what I have suggested fixes the greater majority of problems out there...



    IF the above does NOT fix your problem please download and run Hijack This found here:

    https://www.wilderssecurity.com/showthread.php?t=12516


    and post your log at one of the forums found here:

    http://a-sap.org/


    Keep in mind the following quote:


    When your system is clean you may want to take a look here:

    https://www.wilderssecurity.com/showthread.php?t=45284&page=1&pp=25

    for further discussion on security and how to make your system that much stronger.


    and here for more discussions:

    https://www.wilderssecurity.com/showthread.php?t=43117


    Hope this helps…

    Let us know how you go…

    Cheers :D
     
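    The point made above (and again in the last post of this thread) is that a suspect file should be quarantined before anything is deleted, both so it can be restored if it turns out to be harmless and so a copy survives to send to the vendor. The script below is an added example of that practice and is not code from this thread or from Eset's NOD32; the quarantine layout (file stored under its SHA-256 with a JSON manifest recording the original path) is my own assumption, and the "svkp" sample file is constructed inline, not real malware.

```python
"""Quarantine-before-delete with a manifest, so a sample can be restored
or submitted to a vendor later.

Added example, not code from the original thread or from Eset. The
layout is an assumption of this example: the suspect file is copied into
the quarantine directory under its SHA-256 (so no file in there keeps an
executable name), the original path and time go into manifest.json, and
restore_file() puts it back only if the stored copy still matches its hash.
"""
import hashlib
import json
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Hash a file in chunks; this is what you quote when submitting a sample."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine_file(path, qdir):
    """Move `path` into `qdir`, stored under its hash, and record where it came from."""
    os.makedirs(qdir, exist_ok=True)
    digest = sha256_of(path)
    stored = os.path.join(qdir, digest + ".quarantined")
    if not os.path.exists(stored):
        shutil.copy2(path, stored)  # copy first, so a failed move loses nothing
    os.remove(path)  # only now is the original gone from its live location
    record = {
        "sha256": digest,
        "original_path": os.path.abspath(path),
        "quarantined_at": int(time.time()),
        "size": os.path.getsize(stored),
    }
    manifest = os.path.join(qdir, "manifest.json")
    entries = []
    if os.path.exists(manifest):
        with open(manifest) as f:
            entries = json.load(f)
    entries.append(record)
    with open(manifest, "w") as f:
        json.dump(entries, f, indent=2)
    return record


def restore_file(record, qdir):
    """Put a quarantined file back, refusing if the stored copy was tampered with."""
    stored = os.path.join(qdir, record["sha256"] + ".quarantined")
    if sha256_of(stored) != record["sha256"]:
        raise ValueError("quarantined copy does not match its recorded hash")
    os.makedirs(os.path.dirname(record["original_path"]), exist_ok=True)
    shutil.copy2(stored, record["original_path"])
    return record["original_path"]


def demo():
    """Round-trip a constructed 'svkp' lookalike through quarantine and restore."""
    base = tempfile.mkdtemp()
    sysdir = os.path.join(base, "system32")
    os.makedirs(sysdir)
    # Name pattern taken from the thread; the content is constructed, not malware.
    suspect = os.path.join(sysdir, "svkp_sample.exe")
    with open(suspect, "wb") as f:
        f.write(b"MZ" + b"\x00" * 62 + b"constructed-sample-not-malware")
    qdir = os.path.join(base, "quarantine")
    rec = quarantine_file(suspect, qdir)
    removed = not os.path.exists(suspect)
    back = restore_file(rec, qdir)
    return {
        "record": rec,
        "removed": removed,
        "restored_matches": sha256_of(back) == rec["sha256"],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    The copy in the quarantine directory never regains its original name or extension, so nothing can run it by accident, and the manifest gives you the original path and hash to put in the e-mail to samples@nod32.com.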
  10. rheumatoid

    rheumatoid Registered Member

    Thanks,

    Almost certainly got infected prior to the latest engine. Presumably that was the problem and I would now be protected from mydoom dropping it, although the lack of detection with the new engine is still a worry.

    I already use Sygate and will reset it to see what is trying to get out. I use Adaware, S&D and SpywareBlaster. Scans using various virus and trojan detectors now show nothing post Panda disinfection. Ewido looks interesting; will give it a go.

    R.
     
  11. Blackspear

    Blackspear Global Moderator

    Just to be certain, I would download Stinger as well, and boot into Safe Mode and run a scan with Nod32, Stinger and Ewido. Then run a further online scan and let us know how you go. The above post is pretty comprehensive; it gets rid of most things out there. Then the last 2 links go through to adding security...

    Cheers :D
     
  12. rheumatoid

    rheumatoid Registered Member

    Have done everything you advised and the system seems clear. Still worried that Nod did not see something that every other scanner I tried identified :(
     
  13. Blackspear

    Blackspear Global Moderator

    Good to see your system is now clean.

    From memory of another user, Panda makes a "Backup" before deleting; if this is still available you could send it to samples@nod32.com

    I wouldn't be too worried until Eset have had a look at the file, if you can find a backup; if not, it will have to remain one of life's mysteries...

    Cheers :D
     