Zip file containing the Killdisk trojan not deleted.

Discussion in 'ESET NOD32 Antivirus' started by cdysthe, Jul 19, 2008.

Thread Status:
Not open for further replies.
  1. cdysthe

    cdysthe Registered Member

    Joined:
    Mar 6, 2004
    Posts:
    70
    Location:
    Austin, TX and Oslo, Norway
    Hi,

    A zip file containing the trojan Killdisk got detected by NOD32 as soon as the archive was selected in Windows Explorer, but not during download. The message from NOD32 was "cleaned by deleting - quarantined". And yes, the trojan can be found in the quarantine, but neither the archive nor the trojan within it has been deleted from my disk. If I select the file again I keep getting the same message from NOD32, but no deletion takes place. If I right click and check the file manually the trojan is detected, the message is the same, but it still isn't deleted.

    Just for testing purposes I put the zip file on another computer which has Avira on it. The file was in quarantine and deleted immediately.

    I may be missing something here, but I would have liked for something as nasty as this to be off my disk before I even knew it was there. Is it a setting or something I have missed? Well, regardless of settings, the message from NOD32 is misleading.

    I'm running NOD32 3 Business Edition.
     
    Last edited: Jul 19, 2008
  2. ASpace

    ASpace Guest

    What you describe is quite strange because NOD32's real time file system protection does NOT scan archives in real-time so if you click on an archive containing some threats inside, it is theoretically impossible for them to be detected until the archive is extracted.
     
  3. cdysthe

    cdysthe Registered Member

    Hi,

    I guess I wasn't being totally clear: When I mark the zip file by clicking the right mouse button in Windows Explorer so the context menu comes up NOD32 says it quarantines and deletes the file, but the file isn't being deleted. It happens as soon as I mark the file but before I am making any choices from the context menu. The reason I discovered it in the first place was that marking the file with the right mouse button has "delete" as one of the options which is the way I normally delete files. I'm running Windows Vista by the way.

    During the night here NOD32 has run its scheduled virus scan and the file is gone. But I still wonder why NOD32 says it quarantines and deletes something when it only quarantines, not deletes.
     
  4. ASpace

    ASpace Guest

    NOD32 never deletes something before it has a copy in the Quarantine. Please, access the ESET quarantine and restore the file to a location of your choice. Then, upload the file somewhere and send me a link to it. As I told you in private message I would like to see how it works in my Vista :D
     
  5. cdysthe

    cdysthe Registered Member

    When I right click NOD32 does copy the trojan from the archive to the quarantine, but the archive file is not deleted even if NOD32 tells me it is. I mean, it's still there! I can continue right clicking on it endlessly and have the same message from NOD32 pop up over and over again.

    You'll find a link to the bugger in my PM response.
     
  6. ASpace

    ASpace Guest

    Hi again!

    Thank you for the link to the trojan horse. Most definitely there is a problem on your side related to the operating system and your user rights. EAV 3.0 cannot remove the file and it is related to something else.

    My installation could also block the download process. Here is some proof.

    Part 1
     

    Attached Files:

    • 1.png (188.8 KB)
    • 2.png (49.4 KB)
    • 3.png (30.4 KB)
    • 4.png (179.4 KB)
  7. ASpace

    ASpace Guest

    Part 2
     

    Attached Files:

    • 5.png (245.8 KB)
    • 7.png (117.3 KB)
    • 6.png (166.6 KB)
    • 8.png (77.4 KB)
  8. cdysthe

    cdysthe Registered Member

    Thanks!

    Where do I begin to look? I use Firefox and Opera as browsers. I use DownThemAll as download manager in Firefox. I have Windows Vista Ultimate. The only thing done to my system is having UAC disabled since I simply can't deal with all those popups. Other than that I have full rights to my account and files and can do whatever I want with them. And as I said earlier the file gets deleted through an on-demand scan. I did another check and downloaded the file again with the normal Firefox download manager, and then it got intercepted by NOD32, but still not deleted. I uninstalled NOD32 and installed Avira again, and no such problems at all.

    You know, at the end of the day an AV just has to work. If I have to use IE and reinstall my OS because of the AV it's easier to switch to an AV which just works.
     
    Last edited: Jul 19, 2008
  9. ASpace

    ASpace Guest

    Ok ... Re-check your PM then and do the test again, with IE7
     
  10. ASpace

    ASpace Guest


    You are right - an AV has to work. However, the antivirus software is dependent on the operating system and some other software a user has installed. People generally don't use the default things in a program - they modify settings, they install/use 3rd party software which more or less modifies the OS in a way which leads to such incompatibilities/problems.

    You can see for yourself that when the download manager in FF is not used, the download could be blocked. I asked you to use IE because I suspected there was something in your default browser (FF or Opera) which led to the issue.

    I believe your problem can be "fixed" and no OS reinstallation is required.

    Since you changed the antivirus, there is nothing more to comment here.


    I wish you luck! ;) :thumb:
     
  11. cdysthe

    cdysthe Registered Member

    Hey! I have not changed my AV. It's just that I have to work on my computer, so until I have time to figure this out I'm using something that works with any browser and config on my setup. I will have to use NOD32 in the future since it's my company's policy, so not only do I want to find out, I have to. I will follow your advice and try to fix this and also the performance hit I'm taking using NOD32 3 (may go back to 2.x). I will not give up :)

    Thank you a lot!
     
  12. ASpace

    ASpace Guest

    You uninstalled one AV and installed another one - this is a program change, right :D :D

    You are welcome. Will be glad if I could help :thumb:
     