trogan in memory - how do i get rid of it

vabrun · #1 May 25th, 2004, 09:40 PM

Hi,
How do I send you a copy of the viruses in my computer. I have 6 trogans and one in memory that I cannot even quarintine. what do I do?

also I can't access IMOM or AMOM with my password. Are they available? and how do i access them? Also cannot access Setup in Nod32 - incorrect password, even after updating database version.

I previously had PCuser passwords but was unable to remember the password so I could not uninstall nod32 before downloading the newer version. Could this be causing the problem of not allowing me to access AMON and IMON?

thanks for any help vicki.

ronjor · #2 May 25th, 2004, 10:09 PM

vabrun

While you are waiting for an answer, why don't you post your question in the other anti-trojan software forum also. Someone there may have the answer.

vabrun · #3 May 25th, 2004, 10:22 PM

thanks for the tip but I'm new at this forum business, so exactly what trogan froum to you mean and how do I get there.

vicki

ronjor · #4 May 25th, 2004, 10:41 PM

Vicki

Let me suggest this. Go to this link and download a 30 day trial. Scan your computer and see what you find.

Link: http://tinyurl.com/2cgpc

Blackspear · #5 May 25th, 2004, 11:16 PM

Whomever set up your computer with Nod32 has placed a password in the settings, the ONLY way to recover the password is to contact the Reseller from whom you purchased, they will send you a small file called "unlock.exe" and instructions on its use.

I would suggest doing the above FIRST and address the other problems after this, you may find that AMON and or IMON has been disabled, I came across this exact same situation late last year, I reccon it was done because they did not pay their bill. I was asked to come in and remove viruses from a disabled Nod32

Hope this helps...

Cheers

vabrun · #6 May 26th, 2004, 12:06 AM

thank you Ronjur,
The link was great however I have to submit all the trojans manually because the 30 day trial does not allow this automatically.

will get back to you on result if any.

Thanks again, vicki

vabrun · #7 May 26th, 2004, 01:05 AM

Thank you blackspear,

I will contact PCUser,

vicki

vabrun · #8 May 26th, 2004, 01:12 AM

PS,

I am now getting a virus alert for a file 'eWNHel.exe' and can't delete or quarantine or close it. what the hell do I do

Thanks Vicki

izi · #9 May 26th, 2004, 02:47 AM

Run windows in safe mode. Than run NOD32 with /ah switch.

izi

Blackspear · #10 May 26th, 2004, 04:55 AM

Quote:

Originally Posted by izi

Run windows in safe mode. Than run NOD32 with /ah switch. izi

See this thread on how to use "switches available for Nod32"

http://www.wilderssecurity.com/showthread.php?t=33275

I don't know how to do it myself, so I too am watching this thread

For setting up your computer like a fortress, see the following thread on what we do and advise our customers to do:

http://www.wilderssecurity.com/showt...155#post181155

Cheers

Gavin - DiamondCS · #11 May 26th, 2004, 05:08 AM

Hi Vicky,

Please submit any files to submit@diamondcs.com.au as well, and you can email me at gavin@diamondcs.com.au if you are still having problems. Safe Mode scanning would be a good idea

Mele20 · #12 May 26th, 2004, 09:28 AM

Quote:

Originally Posted by Blackspear

See this thread on how to use "switches available for Nod32"

http://www.wilderssecurity.com/showthread.php?t=33275

I don't know how to do it myself, so I too am watching this thread

Cheers

The help file is of no help here. I don't know how to use all these switches either. Why doesn't someone from Eset publish the steps to accomplish this? Why does Eset expect anyone using NOD32 to be an advanced computer user? That attitude is not going to get Eset into the major league. Just as making it almost impossible to create floppies for scanning isn't going to endear NOD32 to any average users and certainly not to casual users.

ronjor · #13 May 26th, 2004, 09:33 AM

We definitely need a good sticky here.

If it isn't gui driven, most people are lost.

hawk22 · #14 May 26th, 2004, 09:40 AM

VABRUN
you are no longer able to use NOD32 from the PC USER Mag. If you had been using and updating from PC USER since April you are no longer able to update.
You only can use what you have now, or buy a Licence.
regards
hawk22

vabrun · #15 May 29th, 2004, 04:12 AM

Thanks everyone for the input

,

Will try all suggestions.

Hawk 22, I recently bought the license of nod32, but was unable to uninstall the versions from PC user so I just intalled the new licensed version. I can update nod32 over the net but cannot get into any of the setup options becasue it won't recognize my new password from nod. I've send a mesage to PC user however they may not have received it as my computer is hardly working at the moment. I'm on a friends computer right now.

I can't even get into the nod support forum on my computer. I'm ready to reformt but i'm hoping to find a solution before taking this measure. Or perhaps I'll just be done with it and reformat and start again.

All these options take time. I have managed however to copy the so called offending files to a disk so will email them to the appropriate people.

Also installed Trojan Hunter and it seems to find different viruses? I will send them (TH) the viruses as well

Thanks again everyone

Vicki

vabrun · #16 May 29th, 2004, 09:56 AM

ME AGAIN,

ran nod in safe mode. quarintined all the virues that came up, then tried again in normal mode.

I don't undertand why the viruses keep appearing if I run a scan after I've quarantined them.

I have however figured ou how to look at the log and the type of virues so will search the for the fix which I presume will be on the NOD site.

Still have no way of ridding the virus in operating memory. I can't delete, quarintine or rename it. It says "Trojan Win32/
trojan Downloader.Dyfica Bq found in operating memory"

Any suggestions, thanks again Vicki

ronjor · #17 May 29th, 2004, 10:07 AM

vicki

If you are using XP, turn off system restore, restart your computer and scan in the safe mode.

Worth a try>

Mele20 · #18 May 29th, 2004, 10:21 AM

Quote:

Originally Posted by vabrun

ME AGAIN,

ran nod in safe mode. quarintined all the virues that came up, then tried again in normal mode.

I don't undertand why the viruses keep appearing if I run a scan after I've quarantined them.

Any suggestions, thanks again Vicki

Quarantine for Eset doesn't mean what it means for all other AV vendors or the dictionary. All other AV take the virus and MOVE it to the quarantine folder. NOD32 instead COPIES it to the quarantine folder. You, the user, must then MANUALLY DELETE the original from where ever it is located other wise, next scan, NOD32 will find it again.

As for the one in memory, what OS?

Blackspear · #19 May 29th, 2004, 12:01 PM

It sounds like you are running XP with "System Restore" turned on (Windows default setting), you will need to disable this first:

Right click on "My Computer"
Click on "Properties"
Click on the "System Restore" tab
Place a tick in "Turn off system restore", it will ask for confirmation
Click ok.

After this do another scan with Nod.

And as Mele said, quarantine in Nod is NOT quarantine like anywhere else on this planet, Eset use the word for a copy function.

Hope this helps...

Cheers

rumpstah · #20 May 29th, 2004, 01:33 PM

For any of the trojans that are causing grief, I found something that may be a bug (at least for the Dyfica variants). I manually went to the file, fired up the NOD32 scan and did a clean after NOD32 told me it was Dyfica.XX. I received a message to reboot (since it was in memory) and then all was well. Scanning and cleaning from the NOD32 dialogues did not work. DIRECTLY on the file did work.

Mele20 · #21 May 29th, 2004, 08:18 PM

It doesn't matter if system restore is running, NOD32 will still clean/delete from system restore. I know I have read here that those files are protected by Windows and AV can't go in and clean. However, I just had NOD32 on demand scan, using the AH string we've been talking about in another thread here, delete two viruses it found in my System Restore which was running at the time of the scan.

Blackspear · #22 May 29th, 2004, 08:31 PM

Quote:

Originally Posted by Mele20

It doesn't matter if system restore is running, NOD32 will still clean/delete from system restore. I know I have read here that those files are protected by Windows and AV can't go in and clean. However, I just had NOD32 on demand scan, using the AH string we've been talking about in another thread here, delete two viruses it found in my System Restore which was running at the time of the scan.

As per this thread Mele

http://www.wilderssecurity.com/showthread.php?t=33920

I ran regular scans with Nod, and these came up clean, AFTER I ran a scheduled command line scan using /ah it found System Restore files infected, so this may or may not have something to do with /ah being able to scan in System restore files while a standard scan cannot, I don't know

Cheers

Mele20 · #23 May 30th, 2004, 03:08 AM

You know I read that thread you refer to and even participated in it. Two things I don't understand (1) how the heck did you get an infection in System Restore when you have it turned off? Why were there any files in restore in the first place? If it is off then no restore point is made hence no files that could get infected there. Are you sure it is really off?

(2) Does NOD32 scan with either a scheduled scan or a command line scan using AH have the ability to clean or delete inside running, active System Restore files? It must. That is amazing. I don't think any other AV can do that. Or would the regular NOD32 scanner delete inside running System Restore files if I told it to delete automatically if it can't clean? I have no idea because I have never used the command delete automatically, if cleaning is not possible, until I copied that AH string we were talking about that had delete in it. Questions, questions.

Blackspear · #24 May 30th, 2004, 07:38 AM

Quote:

Originally Posted by Mele20

how the heck did you get an infection in System Restore when you have it turned off?

I went back and had a double check, there was no "tick" in System Restore, when I actually read what it said, I had to place a tick in there to disable system restore. So in my case System Restore was on, my mistake

Quote:

Originally Posted by Mele20

Why were there any files in restore in the first place? If it is off then no restore point is made hence no files that could get infected there. Are you sure it is really off?

Thought I was sure, double checked and was wrong

Quote:

Originally Posted by Mele20

Are you sure it is really off?

Now I am

Quote:

Originally Posted by Mele20

Does NOD32 scan with either a scheduled scan or a command line scan using AH have the ability to clean or delete inside running, active System Restore files?

As far as I am aware, no, this is not possible, you have to disable and rescan, then again see my answer below, so now I'm not sure

Quote:

Originally Posted by Mele20

Or would the regular NOD32 scanner delete inside running System Restore files if I told it to delete automatically if it can't clean?

I'm a bit confused as to the timeline now, I think system restore was still active (due to it having no tick) and a scan using /ah detected files in System Restore and deleted them...

Scan performed at: 27/05/2004 20:17:47 PM
Scanning Log
NOD32 version 1.775 (20040526) NT
Command line: c:\ /clean /mapi- /arch+ /pack+ /ah
Operating memory - is OK

date: 27.5.2004 time: 20:17:53
Scanned disks, directories and files: c:\
...c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003170.scr - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003171.pif - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003173.bat - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003174.pif - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003175.scr - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003196.exe - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003205.pif - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003206.pif - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003207.exe - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP28\A0003267.scr - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP28\A0003390.scr - Win32/Sober.G worm - unable to clean - deleted
number of files scanned: 78588
number of viruses found: 15
number of files cleaned: 11
number of viruses active: 1
time of completion: 20:29:52 total scanning time: 719 sec (00:11:59)

Cheers

Mele20 · #25 May 30th, 2004, 10:07 AM

ahhh...OK...so system restore was on...that makes more sense. Good thing you checked again. Now, I know to check to make sure the box is ticked if I ever want to turn it off.

I think from what you have said, and the scan you provided, and my experience that AH actually can go into system restore while it is running and get rid of viruses. That is really neat!

Thread Tools	Search this Thread
Show Printable Version Email this Page	Search this Thread: Advanced Search