Um, Protection?

Discussion in 'ESET NOD32 Antivirus' started by mrpush, Feb 13, 2012.

Thread Status:
Not open for further replies.
  1. mrpush (Registered Member; joined Feb 13, 2012; 6 posts; location: PA)
    Hi, Doing some research today. Come to odd site, get popup. I stop right there. Suddenly I get Eset "infiltration" popups.

    Ok, I check logs, then I kill explorer session with task manager.

    Well, next thing I know I have "system check" malware pop up on my machine.

    My ESET NOD32 STOPPED NOTHING and I'm not happy about it.

    What good is this software if it only WARNS me and then allows an infection!

    :mad:

    I need some answers here. I have noted this software going down hill the past few years, and this is pudding in the pie.

    Thanks,

    MP
     
  2. Marcos (ESET Staff Account; joined Nov 22, 2002; 14,374 posts)
    First of all, there's nothing like 100% protection against threats. I assume the following happened: you visited a compromised website and a malicious script downloaded and ran an unrecognized piece of malware (assuming that you had ESET fully up to date). Afterwards the malware attempted to download other malware, but these attempts were blocked by ESET.

    If you need assistance with removing the malware, please contact Customer care and provide them with a SysInspector log for perusal.
     
  3. mrpush (Registered Member; joined Feb 13, 2012; 6 posts; location: PA)
    Hi, my definitions are automatically applied and were current as of today's date.

    Now, SYSTEM CHECK has been around a long time so unless they are hiding it in different things all the time, not sure how that could get through.

    Yes, I'm aware that none are 100% but again seeing SYSTEM CHECK tells me it missed it.

    Not sure how all the scripts work, but I did nothing and ran nothing, simply visited the site.

    So if this is the case, they could change these virus things at random and your software may never catch any of them.

    So why am I paying for this then?

    Thanks,

    MP
     
  4. mrpush (Registered Member; joined Feb 13, 2012; 6 posts; location: PA)
    Hi,

    I believe this is the URL visited.

    Ah heck, why is it so hard to add images to nearly all forums!

    o_O

    http:\\w w w.smashingapps.com\2010/06/05/recover-your-android-phone-with-wheres-my-droid.html

    Thanks,

    MP
     
  5. Janus (Registered Member; joined Jan 2, 2012; 588 posts; location: Europe - Denmark)
    Hi,
    Just a little tip: a really easy way to enhance your browser protection is to use script blocking. If you have scripting disabled by default, it will reduce the chances of exploitation. Just do a search for script blocking for your browser, or do a search here on Wilders on the subject.
     
    Last edited: Feb 13, 2012
  6. mrpush (Registered Member; joined Feb 13, 2012; 6 posts; location: PA)
    Hi,

    Thanks for the tip. The problem is that if I block the scripts, then it's a management nightmare ("I can't do this or that in my browser"). In my opinion it's not a good solution for us.

    Thanks,

    MP
     
  7. mrpush (Registered Member; joined Feb 13, 2012; 6 posts; location: PA)
    Ok, to get rid of this SYSTEM CHECK, I determined the best bet was to do a SYSTEM RESTORE (I'm on Windows XP sp3).

    That did the trick, however, I got this yesterday:

    2/14/2012 17:26:12 PM - Module Real-time file system protection - Threat Alert triggered on computer MyPC: C:\System Volume Information\_restore{314000A6-5FFD-4077-BB52-63ABC8B319BC}\RP1218\A0121223.exe contains a variant of Win32/Kryptik.AAPV trojan.

    Does this mean that one of my "restore points" is still infected?

    It says it "cleaned by deleting - quarantined" but the same thing came up again today.

    So it says it cleaned it but it really did not clean it then?

    This is the stuff that bothers me with this software, it's "wishy washy".

    Says "cleaned" but it did not really mean it?

    Any advice?

    Thanks,

    M
     
  8. King Grub (Registered Member; joined Sep 12, 2006; 814 posts)
    Yes, it is inside a restore point. The System Volume Information folder is protected, and anti-virus programs, including ESET, can't manipulate the contents. This isn't ESET-specific.

    Delete the restore point, and it will be gone. You probably won't want to revert to an infected restore point anyway.
     
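    Added example (not from the thread, and not ESET's own code): a small Python triage helper for threat-log lines in the format quoted earlier in this thread. It flags detections whose path sits inside a Windows XP restore point under System Volume Information, where, as this reply explains, real-time protection cannot clean the file and the restore point itself has to go. The second sample line and its path are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Line shape as quoted in the thread:
# "<date> <time> - Module <module> - Threat Alert triggered on computer <host>: <path> contains <detection>."
ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+(?: [AP]M)?) - Module (?P<module>.+?) - "
    r"Threat Alert triggered on computer (?P<host>[^:]+): "
    r"(?P<path>.+?) (?:contains|is) (?P<detection>.+?)\.?$"
)
# Threat name such as Win32/Kryptik.AAPV inside the detection phrase.
NAME_RE = re.compile(r"\b([A-Za-z0-9]+/[A-Za-z0-9._-]+)")
# Windows XP restore-point layout: \System Volume Information\_restore{GUID}\RPnnn\
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)

@dataclass
class ThreatAlert:
    timestamp: str
    host: str
    path: str
    name: str
    restore_point: Optional[Tuple[str, int]]  # (GUID, RP number) or None

def parse_alert(line: str) -> Optional[ThreatAlert]:
    """Parse one threat-log line; return None for lines in any other format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    name = NAME_RE.search(m["detection"])
    rp = RESTORE_RE.search(m["path"])
    return ThreatAlert(timestamp=m["ts"], host=m["host"], path=m["path"],
                       name=name.group(1) if name else m["detection"],
                       restore_point=(rp["guid"], int(rp["rp"])) if rp else None)

def triage(lines: List[str]) -> List[str]:
    """One verdict per parsable line; restore-point hits need the restore point deleted, not a rescan."""
    out = []
    for alert in filter(None, map(parse_alert, lines)):
        if alert.restore_point:
            guid, rp = alert.restore_point
            out.append(f"{alert.host}: {alert.name} inside restore point RP{rp} ({guid}); "
                       "not cleanable in System Volume Information - delete the restore point")
        else:
            out.append(f"{alert.host}: {alert.name} at {alert.path}; confirm the log's action column")
    return out

SAMPLE = [  # first line quoted from the thread, second constructed
    r"2/14/2012 17:26:12 PM - Module Real-time file system protection - Threat Alert triggered on computer MyPC: C:\System Volume Information\_restore{314000A6-5FFD-4077-BB52-63ABC8B319BC}\RP1218\A0121223.exe contains a variant of Win32/Kryptik.AAPV trojan.",
    r"2/15/2012 09:03:41 AM - Module Real-time file system protection - Threat Alert triggered on computer MyPC: C:\Documents and Settings\user\Local Settings\Temp\setup.exe contains a variant of Win32/Kryptik.CU trojan.",
]
```

    Running `triage(SAMPLE)` yields one verdict per line; the first identifies RP1218 in the quoted GUID as the place the detection lives, which is why it keeps reappearing after "cleaned by deleting".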
  9. Reedmikel (Registered Member; joined Dec 30, 2011; 185 posts)
    One of my customers got infected yesterday while browsing too (definitions were current), with the same "System Check" fake window, as well as many "Windows Delayed Write Failure..." dialogs. ESET did display some notifications, but obviously could not fully block the attack. Threat log shows the Real-time file system protection found several instances of "Win32/Kryptik.CU", which were "cleaned by deleting - quarantined". BUT, after a restart of this PC, Startup Scanner found 2 threats listed as "probably a variant of Win32/Clemag.NAL trojan" and the Action column says "unable to clean".

    As a new user of ESET NOD32 4.2 BE, I am not sure what to do next. In my ERAC I right-click on the threat, hoping there might be an option that would take me to a link on ESET's site with manual remediation instructions. Nope. I choose Request Details - nothing happens.

    Why does the software apparently leave us in limbo? Why not guide us to a quick resolution, even if it requires us to perform some manual disinfection steps?

    A confused newbie o_O
     
  10. Reedmikel (Registered Member; joined Dec 30, 2011; 185 posts)
    Interestingly, any scans I schedule for this infected machine using ERAC do not appear to complete. I was remoted into the machine yesterday and saw the tray icon indicate a scan was starting (after I requested it in ERAC), so I know it started a scan. But it never finishes (no new item appears on Threats tab, no corresponding item in Tasks tab). That leads me to a question: how are we supposed to track the progress of a scan from ERAC? It's nice to check the Threats tab after the scan completes, but how about during the hours it is scanning? Is there no way to monitor progress back on our ERAC?

    Oddly, earlier yesterday I also booted this machine into Safe Mode and ran a scan and clean. I saw the DOS box launch, and it listed the expected access denied issue with pagefile.sys, so I know it started the scan. When I came back later to check progress, the DOS box was closed/gone. Is that normal? I guess I have to go hunt for a log file somewhere?
     
  11. mrpush (Registered Member; joined Feb 13, 2012; 6 posts; location: PA)
    Reed,

    If you got SYSTEM CHECK, I'd do a system restore if you can / have it set up.

    The manual steps and even some of the other System Check removal tools take too much time.

    The system restore fixed mine, it just showed an infection in one of the restore points.

    It's true that no AV is perfect but in my case I'm not so sure it "did what it was supposed to do" but that cannot be proven with how these things work.

    Thanks,

    MP
     
  12. Reedmikel (Registered Member; joined Dec 30, 2011; 185 posts)
    I fixed it using ESET's manual removal tool for "OlmarikTdl4". Now why can't they just integrate these tools right into the darn NOD32 software? Or at least give us a link to the tool when using ERAC (business edition's console).
     