Strange Happenstance


fredra
October 29th, 2006, 10:09 PM
Hi
Something very strange happened recently with my NOD32. Oh, I digress, let me establish my caveat here :D
I have NOD32 on my main PC and my laptop.. working fine... but something has occurred which I thought I would share.
Got an email (hotmail) telling me that my order for a Sony laptop was shipped. As I didn't order anything, that made me suspicious, so I d/l the attachment to a floppy; it was xxxxx.zip.pdf. That alone told me something is wrong with the file, but I was brave.
I clicked the write-protect tab on the floppy and double clicked. WOW..NOD went ballistic, telling me that it had quarantined the file from /documents/xxx (Win32/PSW.LdPinch.P trojan) and asking if I wanted to submit. Of course I said submit, and it then told me I can close the window. I am thinking, great, it found a "baddie" and all is well.
Lo and behold, my OUTPOST pops up to say "9129837.exe" wants to establish an outbound connection. WT hell is going on...I don't remember that application, so I told OUTPOST to "block" all requests from this application.
(you can google the above file to get more information). OR go here http://www.avira.com/en/threats/section/fulldetails/id_vir/2867/tr_psw.small.bs.3.html and here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGENT.FBB&VSect=Sn
I checked my startup lists and there it has a "ttool" being loaded by this "9xxxxxx.exe" file, located in %systemroot%/windows.
I used NOD to check, it came back clean.
I used Outpost to check, it came back clean.
I used The Cleaner to check, it came back clean.
I used SAS to check, it came back with identifying 9xxxxxx.exe as malware.
The question I have is this:
Why did my trusted friend NOD (after identifying the baddie) let it continue to be loaded? :-[
Why didn't NOD's manual check identify 9xxxxxx.exe as the baddie and offer to clean, delete or quarantine the specific file? >:(
NOD has stopped many "baddies" on both machines in the past, but this behaviour I find a bit strange.
Can any of the NOD gurus in here offer any constructive explanation?
Thanks
Cheers ;D

ASpace
October 30th, 2006, 02:10 AM
{QUOTE-> Hi
Something very strange happened recently with my NOD32. Oh, I digress, let me establish my caveat here :D
I have NOD32 on my main PC and my laptop.. working fine... but something has occurred which I thought I would share.
Got an email (hotmail) telling me that my order for a Sony laptop was shipped. As I didn't order anything, that made me suspicious, so I d/l the attachment to a floppy; it was xxxxx.zip.pdf. That alone told me something is wrong with the file, but I was brave.
I clicked the write-protect tab on the floppy and double clicked. WOW..NOD went ballistic, telling me that it had quarantined the file from /documents/xxx (Win32/PSW.LdPinch.P trojan) and asking if I wanted to submit. Of course I said submit, and it then told me I can close the window. I am thinking, great, it found a "baddie" and all is well.
Lo and behold, my OUTPOST pops up to say "9129837.exe" wants to establish an outbound connection. WT hell is going on...I don't remember that application, so I told OUTPOST to "block" all requests from this application.
(you can google the above file to get more information). OR go here http://www.avira.com/en/threats/section/fulldetails/id_vir/2867/tr_psw.small.bs.3.html and here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGENT.FBB&VSect=Sn
I checked my startup lists and there it has a "ttool" being loaded by this "9xxxxxx.exe" file, located in %systemroot%/windows.
I used NOD to check, it came back clean.
I used Outpost to check, it came back clean.
I used The Cleaner to check, it came back clean.
I used SAS to check, it came back with identifying 9xxxxxx.exe as malware.
The question I have is this:
Why did my trusted friend NOD (after identifying the baddie) let it continue to be loaded? :-[
Why didn't NOD's manual check identify 9xxxxxx.exe as the baddie and offer to clean, delete or quarantine the specific file? >:(
NOD has stopped many "baddies" on both machines in the past, but this behaviour I find a bit strange.
Can any of the NOD gurus in here offer any constructive explanation?
Thanks
Cheers ;D <-QUOTE}


Can you please navigate to the folder where this file is and submit it to ESET labs. Send an email with a link to this thread, a short description and the file attached. The address is samples@eset.com

In the meantime, open Start->Run->type msconfig->Press ENTER->navigate to the "Start-up" tab and uncheck that suspected file from loading. Apply and OK
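The situation above (a double-extension attachment whose dropped payload, a numeric-named .exe in the Windows directory, survives as a startup entry even after the dropper is quarantined) can be triaged from a startup list rather than by eye. The following is an added example, not code from the thread or from ESET; the startup entries and file names are constructed to mirror the post, and the Python helper names are my own.

```python
"""Triage helpers for the pattern described in the thread (added example):
an all-digit executable loaded from the Windows directory by a startup
entry, and an attachment name carrying a deceptive double extension."""
import re
from typing import Dict, List

# Constructed sample of what msconfig's Start-up tab / the Run key might show.
SAMPLE_STARTUP = [
    {"name": "ttool", "command": r"C:\WINDOWS\9129837.exe"},
    {"name": "nod32kui", "command": r"C:\Program Files\Eset\nod32kui.exe"},
    {"name": "ctfmon", "command": r"C:\WINDOWS\system32\ctfmon.exe"},
]

# Executable names made only of digits, like the 9129837.exe in the post.
NUMERIC_EXE = re.compile(r"^\d+\.exe$", re.IGNORECASE)
# Extensions that should never hide inside a "document" file name.
ARCHIVE_OR_EXEC = {".zip", ".exe", ".scr", ".pif", ".com", ".bat"}


def suspicious_startup(entries: List[Dict[str, str]]) -> List[str]:
    """Return the names of startup entries whose image is an all-digit .exe
    sitting directly in the Windows directory (not Program Files or
    system32), which is the shape of the persistence seen in the thread."""
    flagged = []
    for entry in entries:
        parts = entry["command"].replace("/", "\\").split("\\")
        exe = parts[-1]
        parent = parts[-2].lower() if len(parts) > 1 else ""
        if NUMERIC_EXE.match(exe) and parent == "windows":
            flagged.append(entry["name"])
    return flagged


def deceptive_extension(filename: str) -> bool:
    """True when a file name has two or more extensions and any of them is an
    archive or executable type, e.g. xxxxx.zip.pdf or order.pdf.exe. Plain
    multi-part names such as backup.tar.gz are not flagged."""
    parts = filename.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    return len(exts) >= 2 and any(ext in ARCHIVE_OR_EXEC for ext in exts)


if __name__ == "__main__":
    print("flagged startup entries:", suspicious_startup(SAMPLE_STARTUP))
    for name in ("xxxxx.zip.pdf", "order.pdf.exe", "report.pdf"):
        print(name, "->", "deceptive" if deceptive_extension(name) else "ok")
```

Run against a real export of the Run keys or msconfig list, the flagged names are the entries to uncheck and submit, as advised above.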

fredra
October 30th, 2006, 09:16 AM
Hi HiTech_boy
Quote
Can you please navigate to the folder where this file is and submit it to ESET labs. Send an email with a link to this thread, a short description and the file attached. The address is samples@eset.com
End Quote
A trusted mod had advised me to do this, and it was done.

Quote
In the meantime, open Start->Run->type msconfig->Press ENTER->navigate to the "Start-up" tab and uncheck that suspected file from loading. Apply and OK
End Quote
Done in addition to manually cleaning the registry of "hide-evr2.sys" and another location in HKCU. Also restoring the service for Security Center.
Thanks for your input, it is appreciated.
Cheers :)

ASpace
October 30th, 2006, 09:27 AM
{QUOTE->
Thanks for your input, it is appreciated.
Cheers :) <-QUOTE}

You are welcome !

NOD32 user
October 30th, 2006, 10:10 AM
This could be a clue: {QUOTE-> ...I clicked the write-protect tab on the floppy... <-QUOTE}

Cheers :)

fredra
October 30th, 2006, 04:37 PM
Hi NOD32 user
That was funny ;D ;D ;D ;D ;D