Wilders Security Forums  

#1
November 21st, 2006, 06:05 AM
Mick2015
Infrequent Poster
Join Date: Nov 2006
Posts: 4
need some advice

Hi all,
I'm new to NOD32. Since last Friday (17/01/06) I've been getting hit by a lot of trojans, and NOD32 has been deleting them straight away, but every time I shut down and restart the PC they hit my PC again.

First off, I was hit by Win32/TrojanDownloader.Zlob.AJB that was in the v.1867 (20061115) update, and now that's gone I keep getting hit by the following, which is in the log file:
Quote:
Time Module Object Name Threat Action User Information
21/11/2006 09:47:45 AMON file C:\WINDOWS\system32\xknyrhnb.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:44 AMON file C:\WINDOWS\system32\vbrmkyaa.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:44 AMON file C:\WINDOWS\system32\uumkmqwd.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:43 AMON file C:\WINDOWS\system32\utachgtn.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:42 AMON file C:\WINDOWS\system32\uqswbier.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:42 AMON file C:\WINDOWS\system32\twpluiiw.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:41 AMON file C:\WINDOWS\system32\oygjnsrg.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:40 AMON file C:\WINDOWS\system32\lgttevjk.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:39 AMON file C:\WINDOWS\system32\keksdmrt.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:36 AMON file C:\WINDOWS\system32\fmchkfen.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:34 AMON file C:\WINDOWS\system32\dyiyahqb.exe Win32/Adware.Toolbar.SearchColours application deleted GUNS4HIRE\Michael Event occurred at an attempt to access the file by the application: C:\Program Files\NoAdware4\NoAdware4.exe.
21/11/2006 09:47:27 AMON file C:\DOCUME~1\MICHAE~1.GUN\LOCALS~1\Temp\ferdkuto.exe Win32/Adware.Toolbar.SearchColours application quarantined - deleted GUNS4HIRE\Michael Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine. You may close this window.
21/11/2006 09:42:02 IMON file http://82.98.235.61/execpyd.exe?uid=...18972DAB794B2A Win32/Adware.Toolbar.SearchColours application Connection terminated GUNS4HIRE\Michael
20/11/2006 19:17:14 IMON archive http://download.cdn.winsoftware.com/...reeInstall.cab Win32/Adware.WinFixer application Connection terminated GUNS4HIRE\Michael
#2
November 21st, 2006, 06:20 AM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: need some advice

Hi Mick2015, welcome to Wilders.

Please check your settings against those found HERE

After this run a scan by following these steps:

1. Click on the NOD32 Control Centre (Green and White split square on the bottom right hand corner of your computer's screen).
2. Click on NOD32.
3. Click on Run NOD32.
4. Click on “Scan and Clean”.

Let us know how you go...

Cheers
__________________
"Illegitimis non carborundum"
translation:
"Don't let the bastards grind you down"
U.S. General Joseph W. "Vinegar Joe" Stilwell (1883-1946)
Two Photographers
#3
November 21st, 2006, 07:43 AM
Mick2015
Infrequent Poster
Join Date: Nov 2006
Posts: 4
Re: need some advice

Thanks for your reply and I'll get back to you ASAP.
#4
November 21st, 2006, 08:54 AM
scaa
Frequent Poster
Join Date: Feb 2005
Posts: 202
Re: need some advice

Quote:
Originally Posted by Blackspear
Hi Mick2015, welcome to Wilders.

Please check your settings against those found HERE

After this run a scan by following these steps:

1. Click on the NOD32 Control Centre (Green and White split square on the bottom right hand corner of your computer's screen).
2. Click on NOD32.
3. Click on Run NOD32.
4. Click on “Scan and Clean”.

Let us know how you go...

Cheers

I think you ought to modify the settings tutorial once more for version 2.7 and thanks in advance.
#5
November 21st, 2006, 12:49 PM
Mick2015
Infrequent Poster
Join Date: Nov 2006
Posts: 4
Re: need some advice

Yup, I agree m8.

Now the only problem I've got is that I get this popup block by NOD32:

Quote:
NOD32 antivirus system alert: IMON
Access denied !

Details:

Web page:
http://www.winantivirus.com/pages/scanner/?p=15&j=1&ex=1&ax=1&h=10&aid=nm_sh_wav_kw3&lid=adsare&affid=nm_66973_
1baa50de73f111db818600167647fa98_ec49f22a+4754d5660b584f10b718972dab794b2a

Description:
Access to the web page was blocked by IMON. The web page is on the list of websites with potentially dangerous content.




And this one too:

Quote:
NOD32 antivirus system alert: IMON
Access denied !

Details:

Web page:
http://www.drivecleaner.com/.freeware/?p=56&a=0&j=1&pp=1&w=1&ex=1&ap=1&hv=10&ed=2&mpt=1164130920&ad=nm_
sh_dc_meta_kw&lid=bad&affid=nm_66973_1BAA50DE73F111DB818600167647FA98_ec49f22a+4754D5660B584F10B718972DAB794B2A

Description:
Access to the web page was blocked by IMON. The web page is on the list of websites with potentially dangerous content.

Last edited by Blackspear : November 21st, 2006 at 09:50 PM. Reason: Fixed width of quote
#6
November 21st, 2006, 01:04 PM
lucas1985
Global Moderator
Join Date: Nov 2006
Location: France, May 1968
Posts: 4,047
Re: need some advice

WinAntivirus is a known rogue site.
NOD32 indicates the software NoAdware (don't know of this) as the possible source of infection. Could be a FP too.
Run an in-depth scan with NOD32 and another AT/AS scanner if possible.
Run them in safe mode.
#7
November 21st, 2006, 02:40 PM
ASpace
Posts: n/a
Re: need some advice

Quote:
Originally Posted by lucas1985
WinAntivirus is a known rogue site.
NOD32 indicates the software NoAdware (don't know of this) as the possible source of infection. Could be a FP too.
Run an in-depth scan with NOD32 and another AT/AS scanner if possible.
Run them in safe mode.

No, it isn't a false positive. The application NoAdware4 tries to access the infected files (Adware.Toolbar...) and NOD32 blocks them.

Mick2015, I would recommend you start with checking in Start->Settings->Control Panel->Add/Remove programs if you have the software NoAdware. If you have such a program, immediately remove it/uninstall it. It is considered a rogue program which will do nothing to remove your infections but will, however, infect you more.

After that, perform Blackspear's suggestion to perform a full Scan&Clean over the system and remove the infections. I would also recommend you download and run Ewido micro scanner / Spybot Search and Destroy, so that you have a second good opinion.

Good luck

Last edited by ASpace : November 21st, 2006 at 03:58 PM.
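
An added example (not part of any post in this thread): the AMON entries quoted in post #1 name the process that touched each detected file and say whether it was reading an existing file or writing a new one, which is the distinction behind the exchange in posts #6 and #7. The code below tallies both cases; the sample lines, host, user, file names and threat name are constructed, and the regexes assume the space-flattened column layout seen in the quoted log.

```python
import re
from collections import Counter

# Constructed sample in the flattened layout quoted in post #1.
# Host, user, file names, URL and threat name are made up for this example.
SAMPLE_LOG = r"""
21/11/2006 09:47:45 AMON file C:\WINDOWS\system32\aaaaaaaa.exe Win32/Adware.Example application deleted HOST\user Event occurred at an attempt to access the file by the application: C:\Program Files\ScanTool\ScanTool.exe.
21/11/2006 09:47:44 AMON file C:\WINDOWS\system32\bbbbbbbb.exe Win32/Adware.Example application deleted HOST\user Event occurred at an attempt to access the file by the application: C:\Program Files\ScanTool\ScanTool.exe.
21/11/2006 09:47:27 AMON file C:\DOCUME~1\USER\LOCALS~1\Temp\cccccccc.exe Win32/Adware.Example application quarantined - deleted HOST\user Event occurred on a new file created by the application: C:\WINDOWS\Explorer.EXE. The file was moved to quarantine.
21/11/2006 09:42:02 IMON file http://192.0.2.10/sample.exe Win32/Adware.Example application Connection terminated HOST\user
"""

# Columns: date, time, module, object type, object, threat name, threat type, remainder.
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<module>AMON|IMON) (?P<kind>\S+) (?P<object>.+?) "
    r"(?P<threat>\S+/\S+) (?P<type>\w+) (?P<rest>.*)$"
)
# The Information column says what the named process was doing when AMON fired.
ROLE_RE = re.compile(
    r"(?P<role>attempt to access the file|new file created) by the application: "
    r"(?P<proc>[A-Za-z]:\\.+?\.exe)(?=\.|\s|$)", re.IGNORECASE
)

def triage(log_text):
    """Separate processes that wrote detected files from those that only read them."""
    result = {"created_by": Counter(), "accessed_by": Counter(),
              "blocked_urls": [], "unparsed": []}
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)
        elif m["module"] == "IMON":
            # Network monitor entries: the object column is the blocked URL.
            result["blocked_urls"].append((m["object"], m["threat"]))
        else:
            role = ROLE_RE.search(m["rest"])
            if not role:
                result["unparsed"].append(line)
                continue
            wrote = role["role"].lower().startswith("new file")
            result["created_by" if wrote else "accessed_by"][role["proc"].lower()] += 1
    return result

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, dict(value) if isinstance(value, Counter) else value)
```

An "accessed by" entry only shows that the named process opened a file that was already on disk; a "created by" entry names the process that wrote the file.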
#8
November 21st, 2006, 03:42 PM
lucas1985
Global Moderator
Join Date: Nov 2006
Location: France, May 1968
Posts: 4,047
Re: need some advice

Quote:
Originally Posted by HiTech_boy
No, it isn't a false positive. The application NoAdware4 tries to access the infected files (Adware.Toolbar...) and NOD32 blocks them.
Thanks, the rogue list is very large and it's difficult to remember all of them.
I'd like to know how the infection happened.
#9
November 21st, 2006, 03:59 PM
ASpace
Posts: n/a
Re: need some advice

Quote:
Originally Posted by lucas1985
Thanks, the rogue list is very large and it's difficult to remember all of them.

No worries

Quote:
Originally Posted by lucas1985
I'd like to know how the infection happened.
From the information provided I personally can't say, but I don't think it is so important now. The OP should take actions to clean the machine because it seems to be really infected.
#10
November 21st, 2006, 09:50 PM
Blackspear
Global Moderator
Join Date: Dec 2002
Location: Gold Coast, Queensland, Australia
Posts: 15,114
Re: need some advice

Quote:
Originally Posted by Mick2015
Now the only problem I've got is that I get this popup block by NOD32
If the Tutorial has been completed there will not be any popups; everything is automated.

Cheers
#11
November 23rd, 2006, 06:55 AM
Mick2015
Infrequent Poster
Join Date: Nov 2006
Posts: 4
Re: need some advice

Quote:
Originally Posted by lucas1985
WinAntivirus is a known rogue site.
NOD32 indicates the software NoAdware (don't know of this) as the possible source of infection. Could be a FP too.
Run an in-depth scan with NOD32 and another AT/AS scanner if possible.
Run them in safe mode.
Thanks a lot for that info m8, I do have NoAdware installed too and will take it off.


Quote:
Originally Posted by HiTech_boy
No, it isn't a false positive. The application NoAdware4 tries to access the infected files (Adware.Toolbar...) and NOD32 blocks them.

Mick2015, I would recommend you start with checking in Start->Settings->Control Panel->Add/Remove programs if you have the software NoAdware. If you have such a program, immediately remove it/uninstall it. It is considered a rogue program which will do nothing to remove your infections but will, however, infect you more.

After that, perform Blackspear's suggestion to perform a full Scan&Clean over the system and remove the infections. I would also recommend you download and run Ewido micro scanner / Spybot Search and Destroy, so that you have a second good opinion.

Good luck

Thanks a lot for the info and links, and I will get back to you ASAP.


Quote:
Originally Posted by HiTech_boy
No worries

From the information provided I personally can't say, but I don't think it is so important now. The OP should take actions to clean the machine because it seems to be really infected.

Tell you this, I'm not too sure how it happened myself, but I think it's been in a zip file I downloaded, but saying that, I virus scan all my files before I open them.
 

All times are GMT -4.