It seems that Nod32 v2.7x & v3.0x did not detect this virus. It's not even in Nod32 database... ;( BitDefender and Norton AV saw the virus and sent it to quarantine. So, what's going on guys? 3 days ago I got infected by this $#%#ing virus and I was "forced" to re-install Windows XP again. NOD32 guys, please do something about it!
Please update your NOD32 to the latest 2653. If the virus is still not detected, upload some infected exe files to http://www.eset.com/threat-center/up/submit.htm and ESET will add its detection and disinfection.
Always image your drive when it's all complete and you're happy with it. Saves stress and tears every time.
Imagine that: 2 days before the infection I've made a partition backup (the entire partition) and it saved me... but this is not a solution. Nod32 must update their database ASAP. I have sent this file for analysis to NOD32 support center but nothing ;( They didn't reply to my problem. That is very sad and annoying also. This virus infected not only the .EXE files but .DLL files also. IT WAS A $#%$ing nightmare!!!
A friend of mine sent me a CD with an application. It seems that one .exe file was infected, but what was more strange is that nod32 was unable to "see" this file on scanning. It was totally "blind"...
HIPS would have probably saved your ass. I would suggest installing ThreatFire or similar on your fresh XP beside NOD32.
Hmm... The last 48hrs, my rig was infected (I don't even suspect anything) with "trojan.ntRootkit.211". Only 18hrs later did my VBA detect it... that was 12.Nov.2007 (yesterday, right after coldboot). VBA did a good job of 'deleting' it, leaving original files untouched.... darn, I was almost stressed out worrying all my new compilations gonna be wiped out, when VBA's counter started rolling! I once disinfected someone's ThinkPad for a record of 600+ "infections" ... using BitDefender v6.0. It took me 3 days & with a lot of help from Sabina_C of BD (hence I always had high respect for them BD folks) to finish the job... whew
Are you positive that it was an actual threat? I've found one dll detected under that name which is part of the Nullsoft installer:
AhnLab-V3 2007.11.13.1 2007.11.13 -
AntiVir 7.6.0.34 2007.11.13 -
Authentium 4.93.8 2007.11.13 -
Avast 4.7.1074.0 2007.11.12 Win32:HideProc-E
AVG 7.5.0.503 2007.11.12 -
BitDefender 7.2 2007.11.13 -
CAT-QuickHeal 9.00 2007.11.12 -
ClamAV 0.91.2 2007.11.13 -
DrWeb 4.44.0.09170 2007.11.13 Trojan.NtRootKit.211
eSafe 7.0.15.0 2007.11.08 -
eTrust-Vet 31.2.5291 2007.11.13 -
Ewido 4.0 2007.11.12 -
FileAdvisor 1 2007.11.13 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.4.2.54 2007.11.13 -
F-Secure 6.70.13030.0 2007.11.13 -
Ikarus T3.1.1.12 2007.11.13 Virus.Win32.HideProc.E
Kaspersky 7.0.0.125 2007.11.13 -
McAfee 5161 2007.11.12 W32/HideProc!sys
Microsoft 1.3007 2007.11.12 -
NOD32v2 2655 2007.11.13 -
Norman 5.80.02 2007.11.13 -
Panda 9.0.0.4 2007.11.13 -
Prevx1 V2 2007.11.13 Heuristic: Suspicious File With Covert Attributes
Rising 20.18.11.00 2007.11.13 -
Sophos 4.23.0 2007.11.13 -
Sunbelt 2.2.907.0 2007.11.13 -
Symantec 10 2007.11.13 -
TheHacker 6.2.9.124 2007.11.13 -
VBA32 3.12.2.4 2007.11.11 suspected of Embedded.Trojan-Clicker.Win32.VB.qj
VirusBuster 4.3.26:9 2007.11.12 -
Webwasher-Gateway 6.0.1 2007.11.13 -
I am currently evaluating NOD32 3 and will have to make my mind up about which version to go with when my evaluation period runs out. I see here that a virus or two wasn't detected by version 3. Would that have been the case for Version 2.7, or are the virus databases or detection processes different between the versions? I have used Symantec for years and never had an infection it didn't find and fix. I am wanting to change from Symantec because it hogs system resources and takes up so much disk space. NOD32 is much better in those respects. But, I don't want to give up protection to get those benefits. marcos - In your previous post you have a list of what appears to be many antivirus programs. Only a few have a virus name after them. Does that list mean you ran a test of the virus in question and only those few detected that virus? If that is the case, is it normal that most antivirus programs will miss a virus or two from time-to-time?
Colors say it best. What Marcos posted was a scan result from Virus Total, but it shows these AVs are flagging a non-virus sample as a threat (a.k.a. false positive detection). The particular dll Marcos showed the results of is not infected. Yes. People make antiviruses and humans make mistakes from time to time.
Put another way, in 10 years of using Symantec I have only had a few viruses detected and they were cleaned or quarantined. I have never had a problem caused by a virus infection that slipped past Symantec. True, some viruses may have indeed slipped past, but I never have had a problem manifest itself because of a virus. I do use the web heavily and download music and utilities as needed, so the opportunity certainly was there. So, from a user standpoint, Symantec protected me from virus problems. As a new participant to this forum, I was not aware of Virus Total. I searched for that term and found the website. I did not understand that marcos was showing false positives. Thanks for clarifying that. That certainly is true. But with the many choices available, even between NOD32 2.7 or 3.0, I want to choose the best protection. I have read a lot of good things about NOD32, but the issues that have come up in this forum about 3.0 are making me wonder if I should go with 2.7, or even look at other antivirus programs. Are there compelling reasons to go with NOD32? I am open to suggestions.
The new version 3 does work well on some machines, so you must first try it to see if you are one of those who run it flawlessly. For the rest of us, who have small problems, version 2 has been protecting us since 2003 pretty well and will continue working for long. I should not tell you "compelling reasons", you'd better find them yourself.
I am running version 3 and only have problems with some web pages not loading. My evaluation copy is the .551 version. I need to find out how I can upgrade that to the latest version to see if it will fix the web page issue, while still maintaining my evaluation period intact. I am a bit curious about your comment to find my own compelling reasons for choosing NOD32. I had thought that NOD32 users through this forum would provide compelling reasons for why they had chosen NOD32. I am sure that other NOD32 users do not feel the way you do and will provide me with those testimonials.
Sorry for the late reply, 'marcos'... VBA did indicate 'trojan.ntRootkit.211' & it was sourced from a folder that I've transferred from an 8gb flashDR. Which in turn was first detected by KAV_7 (i-Swift off) that I maintained on another rig. The flashDR was left overnight attached to that rig - powered off. It made a real mess of that rig though!! Am still dazed by this particular infection. KAV_7 detected it as a 'VB' type (in my recollections) infection but wasn't able to eliminate completely due to numerous counts in succession! In haste, I pulled off the flashDR and transferred it to my other rig that was covered by VBA32. When detected, I do suspect that the original 'VB' infection has morphed. VBA was indicating strings of 'trojan.ntRootkit.211' pests. The messed up rig should have its log files intact, but I haven't dissected the system files yet. I do have 1 quarantined... and I may have it for verification before the day was out. -------------------------- EDIT: addendum
If you still have the file, let me know. I couldn't find a file undetected by us and detected by VBA as trojan.ntRootkit.211.