win32/adware visua toolbar
booyaa
October 26th, 2005, 08:50 AM
NOD32 (2) finds infected files (8) and can only clean 3. It keeps finding an adware toolbar named Visua and at one point it found a trojan (trojan.dropper). I have run Spy Bot Search & Destroy, Trojan Hunter, Adaware SE, Counter Spy, Microsoft's Anti Spy and a full system scan with NOD32 and Anti-Vir, all in safe mode and all with System Restore disabled. I have deleted %temp% files and *.tmp files. I'm at my wits' end and thinking about doing a wipe of the hard drive and starting over. Am I missing something here or am I not looking in the right place? The toolbar first appeared in the Firefox browser. The trojan (trojan.dropper) I have no idea where it is. Again, NOD32 finds and quarantines 2 files (win32/adware) but it does not tell me what the other 6 are. If anyone could help I would appreciate it.
fosius
October 26th, 2005, 09:10 AM
Could you please send the log of NOD32 on-demand scanner so that we can help you more?...
booyaa
October 26th, 2005, 05:41 PM
The latest file is 36 meg, how can I add it to the forum? The AMON monitor is reading 8 files infected, 2 cleaned, but I cannot find where these infected files are.
alglove
October 26th, 2005, 05:51 PM
Instead of looking at the NOD32 Scanner Logs, try looking at the Threat Log.
booyaa
October 26th, 2005, 06:33 PM
Time Module Object Name Threat Action User Information
10/26/2005 17:06:17 PM AMON file C:\WINDOWS\TEMP\tmp1.tmp Win32/Adware.Toolbar.Visua application quarantined - deleted - error while Cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe. The file was moved to quarantine. You may close this window.
alglove
October 26th, 2005, 08:29 PM
The "deleted - error while Cleaning - operation unavailable for this type of object" part usually occurs when a virus is found within a .zip file. NOD32 cannot delete files from within a .zip file, so it just deletes the entire .zip file instead. I think that NOD32 sometimes considers this as 2 infected files (once for the virus inside the .zip, another for the .zip file itself), but only cleans one of the files (the .zip file).
navapsvc.exe is the "Auto Protect" feature of Norton Antivirus. Are you running this and NOD32 at the same time? It could be that Norton is using tmp1.tmp for its own purposes (detecting Visua Toolbar?), and then NOD32 jumps in and finds it there, as well.
booyaa
October 27th, 2005, 10:51 AM
If the virus/trojan is in a zip file, how can I locate it? And any idea why, when I look in the Windows temp folder, the tmp1.tmp (that number keeps changing, it could be 1 or 2 etc.) file cannot be found? When I reboot, NOD32 finds 4-8 infected files, lists only 1 in the threat log and cleans 2-3 files.
alglove
October 27th, 2005, 02:33 PM
What do you see in your NOD32 System Tools --> Quarantine?
booyaa
October 27th, 2005, 06:39 PM
1st from 10/25 C:\WINDOWS\TEMP\tmp1.tmp size 80384 reason
win32/adware.toolbar.visua.application number 3
2nd from today all the same except tmp2.tmp reason 1
Blackspear
October 28th, 2005, 09:02 AM
Can you please empty your Temp Files, then reboot into Safe Mode and run a full scan with Nod32 fully tweaked. (http://www.wilderssecurity.com/showthread.php?t=37509)
Let us know how you go...
Cheers ;D
booyaa
October 29th, 2005, 10:03 AM
Did the above, ran NOD32 in safe mode, it found nothing. Reboot computer and AMON is stating 4 infected files, 2 cleaned. How do I find those infected files?
Blackspear
October 29th, 2005, 05:54 PM
-{ Quote: "...amon is stating 4 infected files, 2 cleaned. how do i find those infected files?" }-
Can you please copy from the Nod32 Log the 4 files that AMON is catching? I suspect they are in System Restore, in which case you will have to turn System Restore off, reboot your computer and turn it back on.
Cheers ;D
booyaa
October 30th, 2005, 03:36 PM
Everything that I have run has always been with System Restore off. The only log file I can find is in a dat format and is difficult for me to read. If I can attach it I will and you can read it.
Blackspear
October 30th, 2005, 05:15 PM
-{ Quote: "The only log file i can find is in a dat format and is difficult for me to read. if i can attach it i will and you can read it" }-
Hi Booyaa, I'm talking about opening up the Control Centre and double clicking on a scan that shows the 4 files, as per screen shot.
Cheers ;D
booyaa
October 31st, 2005, 05:25 AM
Did a full system scan with NOD32, it shows no infections/virus. The AMON scanner is the one showing (now it is 8 files infected and 2 cleaned). The file cleaned is in the threat log, it is the adware.toolbar.visua, this is in Norton's navapsvc.exe?
It says it is quarantined and I can close the threat log but there is nothing in quarantine. What are the other 6 files? Should I delete Norton's and see if NOD32 stops seeing the infections with AMON scanner?
Time Module Object Name Threat Action User Information
11/1/2005 4:49:06 AM AMON file C:\WINDOWS\TEMP\tmp1.tmp Win32/Adware.Toolbar.Visua application quarantined - deleted - error while Cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe. The file was moved to quarantine. You may close this window.
alglove
November 1st, 2005, 07:08 PM
Before deleting Norton, I would try finding a way to disable it, or at least its AutoProtect feature.
One question I have is, does Norton say anything about this file in its logs, or is it just NOD32?
booyaa
November 1st, 2005, 07:17 PM
Norton's AV does not see it, just the NOD32 AMON scanner. Cannot shut off or disable Norton's auto protect feature only after comp has rebooted, and by then NOD's AMON scanner has already seen and logged it and put it in quarantine.
alglove
November 1st, 2005, 07:25 PM
I am not sure which version of Norton Antivirus you use, but try this to disable Auto-Protect:
Open Norton Systemworks/Antivirus.
Go to Options --> Norton Systemworks.
Click Startup.
Uncheck Auto-Protect.
Hit OK and reboot.
booyaa
November 2nd, 2005, 05:27 AM
Found that, thanks. Disabled Norton AV and rebooted, NOD's AMON scanner is finding 0 infected files. Has Norton's AV been infected somehow or is this a conflict between the two? This hasn't happened before, they co-existed fine until I picked up a trojan.
alglove
November 2nd, 2005, 01:28 PM
It sounds like it could be a conflict or a false positive. It is hard to say for sure without a virus sample. Does the problem come back if you reenable Norton Auto-Protect?
booyaa
November 2nd, 2005, 07:58 PM
Re-activated Norton's AV. I could not shut off the warning notices telling me that a trojan.dropper has been quarantined and or unable to be removed (had to do Ctrl+Alt+Del to stop the process from running), that all these files are located in the windows\temp folder (they don't exist in that folder). I am beginning to think I should say goodbye to Norton's AV.
alglove
November 3rd, 2005, 02:38 PM
Yeah, it sounds like a conflict or false positive. If you want, I guess you can keep Norton on the computer, but leave the Auto-Protect off. You can still keep it around for periodic manual scans, just in case NOD32 misses something.
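Added example, not part of the thread and not NOD32 or Norton code: the AMON entries pasted above already name the process that created each flagged file, so a short script can group detections by creator and mark temp files written by another scanner's service. The field layout is assumed from the pasted lines; the third sample entry, `example.exe` and the `OTHER_AV_SERVICES` set are constructed for illustration.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: the two AMON entries posted in the thread, plus one
# made-up entry (hypothetical creator example.exe) for contrast.
SAMPLE_LOG = r"""
10/26/2005 17:06:17 PM AMON file C:\WINDOWS\TEMP\tmp1.tmp Win32/Adware.Toolbar.Visua application quarantined - deleted - error while Cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe. The file was moved to quarantine. You may close this window.
11/1/2005 4:49:06 AM AMON file C:\WINDOWS\TEMP\tmp1.tmp Win32/Adware.Toolbar.Visua application quarantined - deleted - error while Cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe. The file was moved to quarantine. You may close this window.
11/2/2005 9:15:00 AM AMON file C:\Documents and Settings\user\Desktop\setup.exe Win32/Adware.Toolbar.Visua application quarantined NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: C:\Program Files\Example\example.exe. The file was moved to quarantine. You may close this window.
"""

# Layout assumed from the pasted lines: time, module, object type, path, threat.
HEAD = re.compile(r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
                  r"(\S+) (\S+) ([A-Za-z]:\\.+?) (\S+/\S+) ")
CREATOR = re.compile(r"created by the application: (.+?\.exe)\.", re.IGNORECASE)

# Resident-scanner services of other AV products. Only navapsvc.exe comes from
# the thread; extend the set for your own environment (assumption).
OTHER_AV_SERVICES = {"navapsvc.exe"}

def parse_entry(line):
    """Return the fields of one pasted threat-log line, or None if it is not one."""
    head = HEAD.match(line.strip())
    if not head:
        return None
    when, module, _kind, obj, threat = head.groups()
    creator = CREATOR.search(line)
    exe = ntpath.basename(creator.group(1)).lower() if creator else None
    return {"time": when, "module": module, "object": obj,
            "threat": threat, "creator_exe": exe}

def triage(log_text):
    """Parse all entries, count detections per creating process, add a verdict."""
    entries = [e for e in map(parse_entry, log_text.splitlines()) if e]
    counts = Counter(e["creator_exe"] for e in entries)
    for e in entries:
        in_temp = "\\temp\\" in e["object"].lower()
        from_av = e["creator_exe"] in OTHER_AV_SERVICES
        # Temp file written by another scanner's service: check for a conflict first.
        e["verdict"] = ("possible scanner conflict" if in_temp and from_av
                        else "investigate creator")
    return entries, counts

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)[0]:
        print(e["time"], e["object"], e["creator_exe"], e["verdict"])
```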
Copyright ©2002 - 2012, Wilders Security Forums