serious amon question


realitybytez
February 5th, 2007, 07:57 PM
ever since i installed nod32 on my network of 6 servers and 74 pcs, i have been getting sporadic messages similar to this:

NOD32: Virus Alert
5C4Q731@xxxxxxxxxx.com
To: me
2/5/2007 15:43:37 PM - AMON - File system monitor Threat Alert triggered on 5C4Q731: C:\DOCUME~1\marjorie\LOCALS~1\Temp\IH576.tmp is infected with probably a variant of Typer.704 virus.

so can someone tell me with any degree of certainty if this means: "hey we found a virus. we thought you'd like to know. oh and by the way, we didn't do anything about it. the file is still infected with the virus"?

because, that's how it reads to me.

do I need to go back to all of these computers and manually remove all these viruses?

Blackspear
February 5th, 2007, 09:24 PM
"probably a variant of Typer.704 virus."

Highlighted is heuristics in action, basically AMON is saving your bacon. It would appear that you have some form of dropper so I would get in contact with your local NOD32 support office and they will have you download 3 tools to help with analysis:

HijackThis from HERE (http://www.wilderssecurity.com/showthread.php?t=12516)

Autoruns from HERE (http://www.sysinternals.com/Utilities/Autoruns.html)

Lookinmypc from HERE (http://www.lookinmypc.com)

Then run each program and forward the logs from all three programs to me in a reply email together with the following:

1. Go to the NOD32 Control Centre
2. Click on Logs
3. Right Click on one of last completed full system scan logs.
4. Click on “Details”
5. Right Click anywhere on the scan log
6. Click on “copy all”
7. Right Click in the replying email to me.
8. Click on “Paste”

This will paste a copy of one of the scans you have completed.

Let us know how you go....

Cheers ;D

Marcos
February 6th, 2007, 12:01 AM
It could be a false positive. If the file is located in quarantine, send the appropriate nqi/nqf file from the eset/infected folder to samples @ eset.com with a link to this thread in the subject.

realitybytez
February 6th, 2007, 01:19 PM
well, i wanted to come back here and at least report what i discovered.

when i went to the infected computer and looked at the threat log, i found that the file in question had been deleted by amon.

it sure would be nice if the email that was sent to me by amon would have reported that fact.???
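The thread turns on one point: the AMON alert mail names the host, the file and the detection, but says nothing about what action was taken, so the administrator had to walk to the machine and read the threat log. With 80 alert sources, a small parser that pulls the fields out of those mails and flags the heuristic ("probably a variant of") detections makes it much easier to decide which hosts to check first. The following Python is an added example, not code from the thread or from ESET; the alert line from the original post is used as one sample, and the second sample line (hostname WS-EXAMPLE-12, path, threat name) is constructed for the example. The parser assumes the line layout shown in the post; the regular expression and the `Alert`, `parse_alert`, `triage` and `summarize` names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample alert lines in the layout quoted in the thread.
# The first is the line from the original post; the second is an invented
# variation (hostname, path and threat name are made up) so the parser is
# exercised on a non-heuristic, non-Temp detection as well.
SAMPLE_ALERTS = [
    "2/5/2007 15:43:37 PM - AMON - File system monitor Threat Alert triggered on 5C4Q731: "
    "C:\\DOCUME~1\\marjorie\\LOCALS~1\\Temp\\IH576.tmp is infected with "
    "probably a variant of Typer.704 virus.",
    "2/6/2007 09:12:05 AM - AMON - File system monitor Threat Alert triggered on WS-EXAMPLE-12: "
    "C:\\Temp\\setup.exe is infected with Win32/Example.A trojan.",
]

# Assumed layout: "<date> <time>[ AM|PM] - <module> - File system monitor Threat Alert
# triggered on <host>: <path> is infected with <threat>."
ALERT_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+(?: [AP]M)?) - (?P<module>\w+) - "
    r"File system monitor Threat Alert triggered on (?P<host>[^:]+): "
    r"(?P<path>.+?) is infected with (?P<threat>.+?)\.?$"
)


@dataclass
class Alert:
    timestamp: str
    host: str
    path: str
    threat: str
    heuristic: bool   # "probably a variant of ..." marks a heuristic detection
    temp_file: bool   # file sits in a Temp/Tmp directory (typical dropper location)


def parse_alert(line: str) -> Optional[Alert]:
    """Extract the fields of one AMON alert line; None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    threat = m.group("threat")
    path = m.group("path")
    return Alert(
        timestamp=m.group("timestamp"),
        host=m.group("host"),
        path=path,
        threat=threat,
        heuristic=threat.lower().startswith("probably a variant of"),
        temp_file=bool(re.search(r"\\(temp|tmp)\\", path, re.IGNORECASE)),
    )


def triage(alert: Alert) -> str:
    """Suggest the follow-up for one alert.

    The mail never states whether the file was cleaned, deleted or left in
    place, so every case includes reading the AMON threat log on the host,
    which is where the original poster finally found the 'deleted' entry.
    """
    if alert.heuristic and alert.temp_file:
        return ("heuristic hit on a Temp file: read the host threat log; "
                "possible dropper or false positive, submit the quarantined sample")
    if alert.heuristic:
        return "heuristic hit: read the host threat log; submit the quarantined sample"
    return "signature hit: read the host threat log for the action taken"


def summarize(lines) -> dict:
    """Count parsable alerts per host so the noisiest machines are checked first."""
    counts: dict = {}
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue   # unparsable mail body lines are skipped, not counted
        counts[alert.host] = counts.get(alert.host, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        a = parse_alert(line)
        print(f"{a.host:14} {a.path:45} {a.threat}")
        print(f"{'':14} -> {triage(a)}")
    print(summarize(SAMPLE_ALERTS))
```

Run it against a mailbox export with one alert per line to get a per-host count and a triage hint for each; the `heuristic` flag is the thing to sort on, since those are the detections that most deserve either a sample submission or a dropper hunt.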