NOD Installed still virus found
hasit
September 25th, 2006, 01:44 PM
Hello,
I had formatted my computer from the boot record and installed Windows again.
Just after loading Windows XP, I installed NOD and did a virus run check, and it did not find any error.
I have configured NOD to scan the entire computer on a weekly basis and found that it had generated the following 7 virus detections. Can anyone explain to me why this happened even when NOD is working OK and updating on a regular basis?
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP54\A0018931.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip - Win32/Stration.EK worm - quarantined - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\Update-KB8562-x86.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip »ZIP »body.txt.bat - Win32/Stration.EK worm
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip - Win95/CIH virus - quarantined - deleted
ASpace
September 25th, 2006, 02:04 PM
Hello hasit !
-{ Quote: "
Just after loading Windows XP, I installed NOD and did a virus run check, and it did not find any error. " }-
We need more info here. What do you mean by "did a virus run check"? If I understand it correctly, you have used Control Center -> NOD32 -> Run NOD32 (by default it uses the Control Center profile). If you haven't modified it, it (the Run) won't be able to detect what you have below.
-{ Quote: "
I have configured NOD to scan the entire computer on a weekly basis and found that it had generated the following 7 virus detections. Can anyone explain to me why this happened even when NOD is working OK and updating on a regular basis?
" }-
I have no idea. It is possible, however, that you configured it via Blackspear's settings, where AMON is set to clean automatically. This means that it will attempt to clean. However, a clean action is not possible when there is a worm/trojan/spyware... AMON hasn't deleted the malware but, for your good, has prevented access to that malware, so you were protected.
-{ Quote: "
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP54\A0018931.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip - Win32/Stration.EK worm - quarantined - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\Update-KB8562-x86.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip »ZIP »body.txt.bat - Win32/Stration.EK worm
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip - Win95/CIH virus - quarantined - deleted" }-
The malware has been eliminated; however, I don't see an action taken with some of them. You can manually delete them or check your NOD32 settings with Blackspear's tutorial, boot in Safe Mode and perform a full scan from Start->Programs->ESET->NOD32 (make sure you use the Control Center profile) and press Scan & Clean.
Test your NOD32's AMON and IMON real-time protection. Go to Control Panel -> AMON -> Setup -> "Actions" tab and make sure you temporarily change them to "Prohibit access and show alert window with actions", apply and OK. Then test your NOD with the harmless EICAR file:
http://www.eicar.org/anti_virus_test_file.htm
Attempt to download all the files at the bottom and NOD32 should pop up.
:thumb:
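Added example (not ESET's code and not anything posted in this thread): a small Python parser for scan-log lines of the shape quoted above, which separates entries with no recorded action from nested archive hits whose container was already quarantined, and flags files sitting in System Restore points. The " - " field layout and the " »ZIP »" nesting separator are inferred from the posted lines; the other.zip line in the sample is constructed.

```python
from dataclasses import dataclass, field

ARCHIVE_SEP = " \u00bbZIP \u00bb"   # " »ZIP »" = object nested inside a ZIP
RESTORE_DIR = "\\system volume information\\"

# Constructed sample: lines from the posted log plus one made-up nested hit
# (other.zip) whose container never receives an action of its own.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP54\A0018931.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip - Win32/Stration.EK worm - quarantined - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip »ZIP »body.txt.bat - Win32/Stration.EK worm
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\other.zip »ZIP »photo.exe - Win32/Stration.EK worm
"""

@dataclass
class Detection:
    path: str                                    # outermost file on disk
    inner: list = field(default_factory=list)    # names nested inside it
    threat: str = ""
    actions: list = field(default_factory=list)  # e.g. ["quarantined", "deleted"]

def parse_line(line: str) -> Detection:
    # Fields are " - " separated: nested path, threat name, then actions taken.
    parts = line.strip().split(" - ")
    if len(parts) < 2:
        raise ValueError(f"unrecognised log line: {line!r}")
    outer, *inner = parts[0].split(ARCHIVE_SEP)
    return Detection(outer, inner, parts[1], parts[2:])

def parse_log(text: str) -> list:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def unresolved(dets: list) -> list:
    # A nested hit with no action is fine if its container was dealt with;
    # otherwise the infected object is still on disk and needs manual action.
    handled = {d.path for d in dets if d.actions}
    return [d for d in dets if not d.actions and d.path not in handled]

def in_restore_point(det: Detection) -> bool:
    # System Restore keeps copies of infected files; those need purging too.
    return RESTORE_DIR in det.path.lower()

def summarize(text: str) -> dict:
    dets = parse_log(text)
    by_threat = {}
    for d in dets:
        by_threat[d.threat] = by_threat.get(d.threat, 0) + 1
    return {"total": len(dets), "by_threat": by_threat,
            "unresolved": [d.path + "".join("/" + i for i in d.inner) for d in unresolved(dets)],
            "restore_points": [d.path for d in dets if in_restore_point(d)]}
```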
Blackspear
September 25th, 2006, 06:33 PM
Hi Hasit, I would suggest that you have brought data across from another drive and placed it within a folder on your C drive called "Mails", with a sub-folder called My Email Attachments.
You may still have an infection with System Restore, so please take the following steps:
Check your settings against those found HERE (http://www.wilderssecurity.com/showthread.php?t=37509)
After this run a scan by following these steps:
1. Click on the NOD32 Control Centre (green and white split square in the bottom right hand corner of your computer's screen).
2. Click on NOD32.
3. Click on Run NOD32.
4. Click on “Scan and Clean”.
Let us know how you go...
Cheers ;D
agoretsky
September 29th, 2006, 08:32 PM
Hello
There is a specific detector/remover for the Win32/Stration.* series of worms which you can download from http://www.nod32.it/getfile.php?tool=StrationFix
Can you please try running it and letting us know the results?
Regards,
Aryeh Goretsky
Paolo Monti
October 2nd, 2006, 06:20 AM
-{ Quote: "Hello
There is a specific detector/remover for the Win32/Stration.* series of worms which you can download from http://www.nod32.it/getfile.php?tool=StrationFix
" }-
Please consider that my fix is not a full-blown remover/detector: it just cleans a couple of Registry keys/values in order to "dismantle", at the next reboot, the user-mode rootkit implanted in the system by Stration's variants. So, to get rid of the worm:
1) run the fix
2) restart the system
3) run your AV to detect and remove infected files
ciao,
Paolo.
Blackspear
October 2nd, 2006, 06:50 AM
Thanks Paolo, appreciated.
Cheers ;D
hasit
October 3rd, 2006, 02:32 AM
No issues now! Problem resolved!
No virus now. I was wondering why this worm could enter my computer even if I had NOD32 installed!
In any case, problem resolved!
Thanks everyone
Blackspear
October 3rd, 2006, 02:48 AM
-{ Quote: "No issues now! Problem resolved!" }-Good to see.
-{ Quote: "No virus now. I was wondering why this worm could enter my computer even if I had NOD32 installed!" }-Unfortunately someone has to be the first to get it, and though NOD32 is at the top of its field, no antivirus will catch 100% of everything 100% of the time; this is simply impossible.
Cheers ;D