
new malware got past NOD32



I have had NOD32 for quite some years and been very happy with it, and seen it automatically block nasties that came in from email or websites. Something new hit me last Friday, disabled NOD32 itself and rendered the machine effectively useless, corrupting some other files and apparently making the machine run infinite loops or something else that just tied it up; responding to a single keystroke might take half-an-hour and restarts did nothing.

 

First warning: A window popped up, apparently from McAfee, saying it needed to be updated and "click here" to download the update. Having McAfee in my machine for quite some years with no problems, I did not think this unusual and clicked where indicated.

 

McAfee updates itself automatically; this was a trap.

 

Machine malfunction happened immediately after this.

 

NOD32 was itself corrupted and had to be reinstalled. The malware also attacked McAfee and Spybot Search-and-Destroy and Malwarebytes. All were disabled, as well as some other parts of the Operating System that we have not yet identified.

 

A friend used some malware cleaning tools and found five things. I used my camera to take pictures of the screen; the two attached pictures are of the same screen, with tab-stops moved to read the entire line lengths in the window on the screen. Well, I tried, but it won't upload my pictures and says error 10 (or IO). Some things said trojan, one thing said Babylon 9.

 

The machine is presently running with some startup-things disabled, as some files are still corrupted and while the machine runs with any one of them enabled, some combinations crash it again.

 

Whoever keeps NOD32 libraries up-to-date, please take note.


  • Administrators

First of all, there's nothing like 100% protection from malware. An important aspect of computer security is to be cautious about the files you run. Once you have run malware with administrator rights, it can do virtually anything with the system, including uninstallation of security software regardless of how good the self-protection it employs.


What you say is certainly true. I posted this so the entire community can be warned. The thing that got in somehow was not malware as such, but a window pretending to be a legitimate program, asking to be updated.

I don't know how it got past NOD32, but it did, perhaps because it was not a virus or whatever as-such. It was pretending to be something normally trusted, asking to be updated. I get a lot of such emails that are obviously phishing, and they are easy to spot. This did not come in as email, and I did not recognize it as phishing, which is what I think it would be called.

Perhaps in the future NOD32 will be able to alert the user to such phishing traps;  in the meantime we should learn that this kind of trap may come in not only by email but as well by the usual ride-along downloads of ads and whatever from any website, trusted or not.

 


First of all, there's nothing like 100% protection from malware. An important aspect of computer security is to be cautious about the files you run. Once you have run malware with administrator rights, it can do virtually anything with the system, including uninstallation of security software regardless of how good the self-protection it employs.

Points well made Marcos...as users we must be vigilant.

 

Steve are you running McAfee with ESET? :unsure:

Edited by TomFace

I evidently was;  I did not deliberately install it;  I believe it was put on my hard drive a few years ago when I had a hard-drive-crash and had to rebuild everything from my Carbonite data-files backup and whatever program-suite the computer-store installed on my new hard drive along with Windows.  I left it there, not knowing any better.  Every once-in-a-while it would proudly tell me that it had scanned my machine and all was well.  So, I got-on-with-my-work.

 

I have since then learned that many security programs are not fully compatible, just as in Chinese the character showing two women under one roof translates as trouble.

 

I have since had McAfee removed. Many years prior, I had an employee do extensive research on the subject of software protection (I have had a hardware firewall long-before-even-that), and found that NOD32 was head-and-shoulders above the rest. I have since been running it on every incarnation of my machine and the others in my business.

 

I have also discovered and added Ghostery to my Firefox; perhaps this fake-McAfee-window got in as one of those parasites that gets downloaded along with the main website info; it is my understanding that Ghostery blocks those things.


I don't know about "Ghostery". Maybe someone else can chime in about it.

 

In addition to Smart Security, I also use MBAM Prem and HitmanPro. They all seem to play nice together. 

Edited by TomFace

Since you still are able to make it crash, your computer is not in good health yet.

 

Instead of scanning with 25 different scanners or using tools in the hope of finding everything that has sneaked in, and maybe fixing stuff manually so it doesn't crash, I would take the fast route: back up everything that you want to keep and scan all those files that you want to keep with more than 1 second-opinion scanner to see if anything is detected. Then format your drive and start over from fresh, install the latest version of NOD32 from eset.com and run a full system scan, then let it be and it will do the rest.

 

Some security software (quite a lot) is indeed not compatible with each other (compatibility is up to the user to check before installing). But browser add-ons such as Ghostery do not interfere with ESET in any way, and are fully compatible, so you can use that if you like. But there is no need to install Spybot Search and Destroy; it WAS good, but is no longer average since a couple of years back. You can have Malwarebytes installed and use it as an on-demand scanner once a month or something like that if you want. Some use MBAM in realtime; personally I don't think it's needed, and it's a waste of system resources alongside ESET, but each to their own. I would format, since you have had so many weird issues with system crashes, fake popups, infinite loops, trojans and what else, that you will never know for sure when you have fixed and got rid of everything. You might still have a little undetected bastard sitting in a corner somewhere laughing at you as we speak.

 

Which version of NOD32 did you have installed when it got disabled? And which version do you have installed now? And do you have detection of Suspicious, Potentially Unwanted and Unsafe applications enabled? Have you run a full system scan since reinstalling NOD32 (the latest version of NOD32, I assume)?

 

Regarding Phishing protection, protection and blocking of Phishing websites has already been in place in the products since a few versions back, and gets updated every 20 min.


I agree that my computer is not yet in good health;  there seems to be some combination of two (apparently corrupted) programs that usually get loaded at startup, that will crash it.  My computer-smart employee is slowly isolating which combinations do not crash it and which do.  In the meantime it runs as is, with some six or more of these things all disabled-on-startup.  I am not as knowledgeable as he is.

 

I have scanned the entire machine and all my memory-sticks with the latest NOD32 (and as well my employee used something called AVIRA PC-Cleaner), and everyone reports clean since those five original nasties were removed.

 

I agree that saving my files and formatting the drive would be a clean start-over, but I have many little utility-programs that would be lost in formatting; replacing all them would be an inconvenience I seek to avoid;  formatting is a last resort if I cannot clean and repair the present setup.

 

I had the 2013 version of NOD32 and renewed the license in 2015 so I assume I had the latest version. In the course of replacing the corrupted NOD32, I downloaded a recent 30-day free trial, so I surely have the latest version. I then put my paid-for registration-data into it and that was accepted. So I think my NOD32 is up-to-date.

 

As for NOD32 being updated every 20 minutes, I see the occasional update-report-windows popping-up from time-to-time, and yes, that is one of the things I like about it.

 

Nonetheless, there WAS the Fake-McAfee window that popped up, asking me to "update McAfee", and THAT was not something in the NOD32 updates, and whatever-slid-in was not blocked by my freshly-updated NOD32.

 

I hope now it will be, and that the user-community knows better to watch for pop-up windows appearing to belong to a program they know and trust.
