Virus checker did not remove Sality virus.

Discussion in 'ESET NOD32 Antivirus' started by mjeffrey, Apr 19, 2009.

Thread Status:
Not open for further replies.
  1. mjeffrey

    mjeffrey Registered Member

    Joined:
    Apr 19, 2009
    Posts:
    4
    I got a nasty virus (Sality) all over my PC with multiple boot partitions (3).
    I purchased NOD32 V4, reformatted and reinstalled Windows on the C drive and ran the virus checker (using "strict" to delete any infections found).

    It found a lot of the Sality viruses and deleted them (I uploaded some as well).

    I then restored my D Drive boot from a pre-virus backup and ran the virus checker again - it was clean.

    I rebooted on the D Drive and everything seemed good.
    I was pretty happy, but when I started Excel I got a pop-up from ESET that it found Sality in a .sys file!

    Suddenly I could not access Task Manager again and I was back to square one!

    Quick reboot back to C Drive and this is my current state.

    Will I have to reformat and reinstall each Drive C, D and E?
    Why didn't NOD32 prevent the infected program from running (I thought that was the whole idea)?

    thanks
    Mark
     
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    1. Files infected with a virus are never deleted automatically. If the files are cleanable, they are cleaned automatically; otherwise the program prompts you for an action. If cleaning of a particular virus variant is not supported, send several infected files in a ZIP/RAR archive to samples[at]eset.com with something like "Sality - cleaner needed" in the subject.

    2. Try creating rescue media, booting the system from it and performing a full system scan with cleaning of infected files. If the computer is already infected, enabling advanced heuristics for file access (in the real-time protection ThreatSense setup) might help as well.
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    I use an older version of ESET, and with this disgusting negligence of a very destructive & decrepit file infector virus I chose DELETE and luckily destroyed it before it could start making random moves all throughout the system, which is what this one is very known to do. Much care has to be taken if this monster enters a PC because it zeroes in as quick as a zip to wreak maximum disruption all over the file associations pre-programmed into it to ruin their normal efficiency.

    It probably helped that my HIPS spotted this and subsequently aborted it in its tracks, then NOD blasted it before it had a chance to expand its reach; then it's all over IMO.

    Can this junk even be cleaned?

    EASTER
     
  4. mjeffrey

    mjeffrey Registered Member

    Joined:
    Apr 19, 2009
    Posts:
    4
    Well, I did some research and decided that the best option was a complete reformat. I could not trust anything anymore (if the NOD32 scan says everything is OK and it is not, then what can be trusted?).

    But I thought a virus scanner would detect a virus *before* the program was launched, not after. I was rather surprised at this. Is it that the virus signature goes undetected in the file but then shows itself in memory (too late)?

    I was considering a move to OSX and this has bumped me over the edge:

    Goodbye cruel Windows...
    ahhhhhhh.

    ;-)
    Mark

    p.s. I did submit the files that were detected but obviously not all were found!
     
  5. mjeffrey

    mjeffrey Registered Member

    Joined:
    Apr 19, 2009
    Posts:
    4
    I was just reading the reply of Marcos again.

    I searched the advanced setup and found that:

    "Advanced Heuristics on file execution" was unchecked (by default it seems).

    I can understand why this is turned off but I think it should be an option on install: "My system is infected: install aggressive virus protection".

    Maybe this would have saved me some time but after a weekend of work I am not so unhappy to have a (nearly) clean system again.

    Mark
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Your assumption is wrong. Advanced heuristics is enabled by default for newly created and modified files. It is not recommended to enable it for file access (you're warned that it may slow down system performance).

    If your computer is already infected with a virus that infects other files, the best course of action is to boot from clean media and perform cleaning of the whole drives. If cleaning is not possible, you can send a bunch of infected files to samples[at]eset.com as I've described above.
     
  7. mjeffrey

    mjeffrey Registered Member

    Joined:
    Apr 19, 2009
    Posts:
    4
    In fact, that is what I did.
    I reinstalled partition C, installed NOD32, and ran the virus check on the rest of the drives (it found approx. 250 infections and I chose to delete these).

    System files were deleted, so drive D (the one I really needed since it was my wife's partition) was unbootable. I then hoped to retrieve partition D, and so I restored a system backup from a month ago, from partition C. This worked. I booted from D, no problem until I ran Excel and got the virus problem again.

    I'm not complaining, I just want to explain what I did, maybe someone might benefit from my folly...

    cheers
    Mark
     
  8. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,633
    Location:
    U.S.A. (South)
    May I suggest something that may be of importance on any AV jumping right to viruses. It's very possible NOD experienced a delay before it could act immediately.

    I remedy this on every AV install and even thereafter routinely.

    If you have a collection of adequate system cleaning tools (even NirSoft offers some of the best free cleaners, and I don't mean reg cleaners, that can be found anyplace), they do a bang-up job at cleaning thoroughly any system within their compatible platform.

    Then try and get the best quality defrag you can afford. You can use file placement technology and set NOD at the front of your hard drive's disk to respond much better without any lag or delay, and NOD or any AV will be front & center to jump up at once, compared to if it's sitting way back at the rear of the HD, which in microseconds means everything when a malicious file is attempting an entry into a system.

    Since I began this routine, NOD's performance has improved considerably compared to before. I used to wonder myself why this AV was so slow in getting on these things; well, the app like any other needs to be prepositioned reasonably up front and close so it can be accessed much faster.

    My point is, just because a user formats and installs an AV doesn't mean that the AV of their choice has the position and room it needs to act as fast as possible, and if no defrags or routine cleanings are even used, it's not always the fault of the AV in given situations.

    I hope you understand what I'm driving at here: NOD may have missed it because it was hampered by a slow response that it couldn't help, because of the HD debris obstructing a clear clean path to any malicious entry triggering an AV action, and it only takes a microburst from a virus to shoot through to files before the AV can capture it in time. To me it's a matter of timing, and I want my AV to have the best possible chance to move with light speed, and that entails routine thorough cleanings and quality file placement defrags.

    I don't put a lot of faith in cleaning viruses, although it can be done, I assume, relatively thoroughly (let's hope). The main and chief aspect I depend on, with regard to especially these horrible file infectors, is the AV snagging them almost immediately to QUARANTINE, and as mentioned, if it can't be cleaned, submit it (them), then delete the fire out of it.

    EASTER
     
    Last edited: Apr 19, 2009
  9. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,047
    Location:
    Saudi Arabia/ Pakistan
    You have a file infector. Even your backup may be infected. You must start from zero. Don't attach any USB memory stick or any external hard disk until you format all partitions on your PC, do a clean install of the OS and install the antivirus.

    A HIPS in addition to AV can help you a lot.
     