Win32.Virtob.2.Gen

Discussion in 'ESET NOD32 Antivirus' started by rares, Nov 12, 2007.

Thread Status:
Not open for further replies.
  1. rares

    rares Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    4
    It seems that Nod32 v2.7x & v3.0x did not detect this virus. It's not even in the Nod32 database... ;( BitDefender and Norton AV saw the virus and sent it to quarantine. So, what's going on guys?

    3 days ago I got infected by this $#%#ing virus and I was "forced" to re-install Windows XP again.

    NOD32 guys, please do something about it!
     
  2. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
    Oh man, it's Virut,
    an .exe infector.
     
  3. proactivelover

    proactivelover Registered Member

    Joined:
    Apr 7, 2006
    Posts:
    840
    Location:
    Near Wilders Forums
  4. poutine

    poutine Registered Member

    Joined:
    Nov 2, 2007
    Posts:
    371
    Location:
    England or Quebec
    Always image your drive when it's all complete and you're happy with it. Saves stress and tears every time.
     
  5. MasterTB

    MasterTB Registered Member

    Joined:
    Jun 19, 2007
    Posts:
    547
    Location:
    Paraná, Argentina
    I know this is OT, but what do you use to image your drive, and how do you restore on XP SP2??
     
  6. rares

    rares Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    4
    Imagine that: 2 days before the infection I had made a partition backup (the entire partition) and it saved me... but this is not a solution. Nod32 must update their database ASAP. I have sent this file for analysis to the NOD32 support center but nothing ;( They didn't reply to my problem. That is very sad and annoying also.

    This virus infected not only the .EXE files but the .DLL files also. IT WAS A $#%$ing nightmare!!!
     
  7. nodHead

    nodHead Registered Member

    Joined:
    Sep 23, 2007
    Posts:
    85
    How does this virus get spread? Is it an email virus or a web-borne virus?
     
  8. rares

    rares Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    4
    A friend of mine sent me a CD with an application. It seems that one .exe file was infected, but what was stranger is that NOD32 was unable to "see" this file on scanning. It was totally "blind"...
     
  9. risl

    risl Registered Member

    Joined:
    Dec 8, 2006
    Posts:
    581
    HIPS would probably have saved your ass; I would suggest installing ThreatFire or similar on your fresh XP beside NOD32.
     
  10. rares

    rares Registered Member

    Joined:
    Nov 12, 2007
    Posts:
    4
    Just bought ESET SS ;) Hope it's all right...
     
  11. clambermatic

    clambermatic Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    216
    Hmm... In the last 48 hrs my rig was infected (I didn't even suspect anything) with "trojan.ntRootkit.211". Only 18 hrs later did my VBA detect it... that was 12 Nov 2007 (yesterday, right after a cold boot).

    VBA did a good job of 'deleting' it, leaving the original files untouched.... Darn, I was almost stressed out worrying all my new compilations were gonna be wiped out when VBA's counter started rolling! :blink:

    I once disinfected someone's ThinkPad with a record of 600+ "infections"... using BitDefender v6.0. It took me 3 days, with a lot of help from Sabina_C of BD (hence I've always had high respect for the BD folks), to finish the job... whew :(
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    Are you positive that it was an actual threat? I've found one DLL detected under that name which is part of the Nullsoft installer:

    AhnLab-V3 2007.11.13.1 2007.11.13 -
    AntiVir 7.6.0.34 2007.11.13 -
    Authentium 4.93.8 2007.11.13 -
    Avast 4.7.1074.0 2007.11.12 Win32:HideProc-E
    AVG 7.5.0.503 2007.11.12 -
    BitDefender 7.2 2007.11.13 -
    CAT-QuickHeal 9.00 2007.11.12 -
    ClamAV 0.91.2 2007.11.13 -
    DrWeb 4.44.0.09170 2007.11.13 Trojan.NtRootKit.211
    eSafe 7.0.15.0 2007.11.08 -
    eTrust-Vet 31.2.5291 2007.11.13 -
    Ewido 4.0 2007.11.12 -
    FileAdvisor 1 2007.11.13 -
    Fortinet 3.11.0.0 2007.10.19 -
    F-Prot 4.4.2.54 2007.11.13 -
    F-Secure 6.70.13030.0 2007.11.13 -
    Ikarus T3.1.1.12 2007.11.13 Virus.Win32.HideProc.E
    Kaspersky 7.0.0.125 2007.11.13 -
    McAfee 5161 2007.11.12 W32/HideProc!sys
    Microsoft 1.3007 2007.11.12 -
    NOD32v2 2655 2007.11.13 -
    Norman 5.80.02 2007.11.13 -
    Panda 9.0.0.4 2007.11.13 -
    Prevx1 V2 2007.11.13 Heuristic: Suspicious File With Covert Attributes
    Rising 20.18.11.00 2007.11.13 -
    Sophos 4.23.0 2007.11.13 -
    Sunbelt 2.2.907.0 2007.11.13 -
    Symantec 10 2007.11.13 -
    TheHacker 6.2.9.124 2007.11.13 -
    VBA32 3.12.2.4 2007.11.11 suspected of Embedded.Trojan-Clicker.Win32.VB.qj
    VirusBuster 4.3.26:9 2007.11.12 -
    Webwasher-Gateway 6.0.1 2007.11.13 -
     
  13. vivona

    vivona Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    24
    I am currently evaluating NOD32 3 and will have to make my mind up about which version to go with when my evaluation period runs out. I see here that a virus or two wasn't detected by version 3. Would that have been the case for Version 2.7, or are the virus databases or detection processes different between the versions?

    I have used Symantec for years and never had an infection it didn't find and fix. I am wanting to change from Symantec because it hogs system resources and takes up so much disk space. NOD32 is much better in those respects. But, I don't want to give up protection to get those benefits.

    Marcos - In your previous post you have a list of what appears to be many antivirus programs. Only a few have a virus name after them. Does that list mean you ran a test of the virus in question and only those few detected that virus? If that is the case, is it normal that most antivirus programs will miss a virus or two from time to time?
     
  14. ASpace

    ASpace Guest

    Colors say it best. :rolleyes:

    What Marcos posted was a scan result from VirusTotal, but it shows these AVs are flagging a non-virus sample as a threat (a.k.a. a false positive detection). The particular DLL Marcos showed the results of is not infected.

    Yes. People make antiviruses, and humans make mistakes from time to time.
     
  15. vivona

    vivona Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    24
    Put another way, in 10 years of using Symantec I have only had a few viruses detected, and they were cleaned or quarantined. I have never had a problem caused by a virus infection that slipped past Symantec. True, some viruses may have indeed slipped past, but I never have had a problem manifest itself because of a virus. I do use the web heavily and download music and utilities as needed, so the opportunity certainly was there. So, from a user standpoint, Symantec protected me from virus problems.

    As a new participant in this forum, I was not aware of VirusTotal. I searched for that term and found the website. I did not understand that Marcos was showing false positives. Thanks for clarifying that.

    That certainly is true. But with the many choices available, even between NOD32 2.7 or 3.0, I want to choose the best protection. I have read a lot of good things about NOD32, but the issues that have come up in this forum about 3.0 are making me wonder if I should go with 2.7, or even look at other antivirus programs. Are there compelling reasons to go with NOD32? I am open to suggestions.
     
  16. ASpace

    ASpace Guest

    The new version 3 does work well on some machines, so you must first try it to see if you are one of those who run it flawlessly. For the rest of us, who have small problems, version 2 has been protecting us since 2003 pretty well and will continue working for long. I should not tell you "compelling reasons"; you'd better find them yourself.
     
  17. vivona

    vivona Registered Member

    Joined:
    Nov 6, 2007
    Posts:
    24
    I am running version 3 and only have problems with some web pages not loading. My evaluation copy is the .551 version. I need to find out how I can upgrade that to the latest version to see if it will fix the web page issue, while still maintaining my evaluation period intact.

    I am a bit curious about your comment to find my own compelling reasons for choosing NOD32. I had thought that NOD32 users through this forum would provide compelling reasons for why they had chosen NOD32. I am sure that other NOD32 users do not feel the way you do and will provide me with those testimonials.
     
  18. clambermatic

    clambermatic Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    216
    Sorry for the late reply, 'Marcos'... VBA did indicate 'trojan.ntRootkit.211' & it was sourced from a folder that I had transferred from an 8 GB flash drive. Which in turn was first detected by KAV_7 (i-Swift off) that I maintained on another rig. The flash drive was left overnight attached to that rig - powered off. It made a real mess of that rig though!!

    Am still dazed by this particular infection. KAV_7 detected it as a 'VB' type (in my recollection) infection but wasn't able to eliminate it completely due to numerous counts in succession! In haste, I pulled off the flash drive and transferred it to my other rig that was covered by VBA32. When detected, I do suspect that the original 'VB' infection had morphed. VBA was indicating strings of 'trojan.ntRootkit.211' pests.

    The messed-up rig should have its log files intact, but I haven't dissected the system files yet. I do have 1 quarantined... and I may have it for verification before the day is out.

    --------------------------
    EDIT: addendum
     
    Last edited: Nov 14, 2007
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,376
    If you still have the file, let me know. I couldn't find a file undetected by us and detected by VBA as trojan.ntRootkit.211.
     
  20. clambermatic

    clambermatic Registered Member

    Joined:
    Oct 10, 2007
    Posts:
    216
    'Marcos'... I'll get back to you on that particular infected file. :)
     