ESET is "useless" if this is not solved !?!?!?

Discussion in 'ESET NOD32 Antivirus' started by xfadio, Nov 17, 2009.

Thread Status:
Not open for further replies.
  1. xfadio

    xfadio Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    17


    Again..
    Thanks for replying to my posts...
    and Again, I never disrespected anyone..

    It's not polite to call my dental files as CRAP

    Thanks for your nice words..
    I didn't know that this is the civilized conversation you meant before.

    Anyway,
    Thanks Marcos
    Eset Moderator
    but can you tell me how to remove this virus?

    I'll be grateful
     
  2. xfadio

    xfadio Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    17
    Guys...
    all of you are greeting ESET for being the best antivirus ..
    ok I understand.

    Hep Hep Hooray! to ESET for detecting the Virus ...

    but The only solution is to delete my own file (htm or url) ...
    How can I clean it o_O without deleting..

    This is the question ? o_O o_O o_O
     
  3. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Curious, have you uploaded any of these individual files to virustotal.com to see what the 41 other antiviruses say?
     
  4. xfadio

    xfadio Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    17
    Thanks for the virustotal referral

    well these are the answers..

    ~Virus Total results removed per Policy.



    Funny thing, I installed f-secure yesterday and updated it but it didn't detect it ..

    ok so I suppose I have to get the other anti-viruses in order to see whether they clean the infected file or they won't, like ESET ?
    any help please?
     
    Last edited by a moderator: Nov 19, 2009
  5. ccomputertek

    ccomputertek Registered Member

    Joined:
    Jul 27, 2009
    Posts:
    371
    Other than Eset, your best bet out of that list would be Kaspersky. You can uninstall Eset and try Kaspersky with the full trial version and see if it will remove the code from all your files.

    Not too many antiviruses clean these days, but it depends; usually documents can have the malicious code cleaned out, but programs that are infected can usually only be deleted. If Kaspersky can't clean them, then I think it's safe to say none of them will be able to.
     
    Last edited: Nov 19, 2009
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    Generally, cleaning infected files is not safe and may result in file corruption. For this reason, the user is warned to make a backup copy of the infected file before cleaning takes place. Appended malicious html code can be safely removed by the user and thus such code is normally not removed automatically to avoid corruption of the whole html code.
     
  7. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    @xfadio
    Ask Marcos or anyone from Support what is/are the malicious url(s) in your html files. Open your html files using notepad, find the url, remove it and save. The url is most likely enclosed by the iframe tag: <iframe></iframe>.

    I'm not using Maxthon but it has an add-on that removes iframes. But be warned that not all iframes are malicious as it might remove all.

    http://addons.maxthon.com/en/post/2817

    @Marcos
    Can't NOD32 just remove the malicious url enclosed by the iframe tag since it is known (in defs) anyway? Maybe users should put in the suggestion thread: html cleaning? :D
     
  8. xfadio

    xfadio Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    17
    Thanks to you my friend..
    good..
    I opened the file by notepad and removed the iframe
    like you said..
    The file opened but photos were X's
    while when i open it without removing the iframe
    the photos are showing..
    (the photos are dental radiographs and charts)

    ok Now things are clear..
    it's impossible to open 1000 url or htm through notepad and remove the iframe
    really a waste of time..
    ESET is detecting this thing as False alarm
    these photos are referring their link to their original websites (which are definitely clean - scientific, medical and dental links)

    its a knock out to ESET
    they should find a solution, rather than giving false alarms..
    right?
    correct me if I'm wrong..
     
  9. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    I don't think it's a false positive since the ESET vlab confirmed it was infected by Virut. From the ESET Threat Encyclopedia this Virut adds an iframe that points to zief_._pl (remove "_") so look for that. Use notepad's Edit>Find.

    http://www.eset.eu/encyclopaedia/virut_nbk_virus_virut_ce__virut_cf_virut_n?lng=en
    http://www.eset.eu/encyclopaedia/win32-virut-nbp-virus-ce-gen-cf?lng=en
    http://www.eset.eu/encyclopaedia/win32_virut_nbm_virus_virut_ce_cf_n_gen_virus?lng=en

    I don't know if Symantec's removal tool removes the iframes but it's worth a try,

    http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-022016-4444-99
     
  10. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    667
    Download UltraEdit (trial) and get it to "search and replace inside files", based upon a RegExp. You can easily strip out all the iframes - and the chances are that the ONLY iframes are the virus links, since iframes are rarely used for anything else.


    Jim
     
  11. xfadio

    xfadio Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    17

    hi again,
    I bought Ultraedit .. i have it full version..
    (spending a lot of money on antiviruses and softwares, trying to look for a solution to a frustrating problem, which is really a nightmare)

    ok, I know how to remove the iframe from one (htm) file
    how can I do that to 1000 (htm, url) at the same time..
    it'll take a hell of time to open each one alone and remove..

    thank you
     
  12. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
  13. xfadio

    xfadio Registered Member

    Joined:
    Oct 5, 2009
    Posts:
    17
    Things are getting more complicated !!!!
    o_O

    I broke ultraedit CD,
    It's not worth trying it..

    sorry
     
  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    This post suggests that you are infected with Virut and the options are limited.

    Some of the spyware fighters are familiar with this malware. See this blog by miekiemoes.
     
  15. thanatos_theos

    thanatos_theos Registered Member

    Joined:
    Apr 28, 2007
    Posts:
    582
    @ronjor
    He may have already formatted or cleaned his machine of the infector. I think what he is doing now is trying to clean/save his html file (backed up) collection.

    @xfadio
    Have you tried Parse-O-Matic? It has a free version; try if the html file mass edit script will work with it. If not, then trial the Advanced version with the script. Have you considered just going to those websites again and saving them?
     
  16. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,072
    Location:
    Texas
    @ronjor
    I haven't seen that statement. I have seen this statement from the original post.
    I would think looking over some of the suggestions in this thread might be worth a try in this case although some of them might require some work to save those files.
     
  17. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,456
    With perl installed, you could accomplish that by creating and running a batch file containing the command:

    It will also create a backup copy of each file so that you can revert to it if something fails.
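
An added example, not the command from the post above (that command is missing from this page) and not ESET's code: a bulk cleaner that removes only iframes whose `src` host is on a known-bad list, leaves other iframes alone, and keeps a `.bak` copy of every file it changes. `bad-domain.example` is a placeholder for the domain named earlier in the thread; the function names and the sample HTML are constructed for illustration.

```python
import re
import shutil
from pathlib import Path
from urllib.parse import urlparse

# One <iframe ...>...</iframe> element; group 1 is the src attribute value.
IFRAME_RE = re.compile(
    r'<iframe\b[^>]*?\bsrc\s*=\s*["\']?([^"\'\s>]+)[^>]*>.*?</iframe\s*>',
    re.IGNORECASE | re.DOTALL,
)

def strip_bad_iframes(html, bad_domains):
    """Return (cleaned_html, removed_count); only listed hosts are removed."""
    removed = 0

    def repl(match):
        nonlocal removed
        host = (urlparse(match.group(1)).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in bad_domains):
            removed += 1
            return ""
        return match.group(0)  # iframe to any other host: leave untouched

    return IFRAME_RE.sub(repl, html), removed

def clean_tree(root, bad_domains, patterns=("*.htm", "*.html")):
    """Clean matching files under root; back up each changed file as NAME.bak."""
    report = {}
    for pattern in patterns:
        for path in Path(root).rglob(pattern):
            # latin-1 maps every byte to one character, so bytes outside the
            # removed iframe are written back unchanged.
            text = path.read_bytes().decode("latin-1")
            cleaned, count = strip_bad_iframes(text, bad_domains)
            if count:
                shutil.copy2(path, path.with_name(path.name + ".bak"))
                path.write_bytes(cleaned.encode("latin-1"))
                report[str(path)] = count
    return report

# Constructed sample: one injected iframe (placeholder domain), one legitimate embed.
SAMPLE = ('<html><body><img src="xray.jpg">'
          '<iframe src="http://bad-domain.example/rc/" width=1 height=1></iframe>'
          '<iframe src="http://maps.example.org/embed"></iframe></body></html>')

if __name__ == "__main__":
    print(strip_bad_iframes(SAMPLE, ["bad-domain.example"]))
```

Run `clean_tree` on a copy of the collection first and compare a few cleaned files against their `.bak` copies before deleting the backups.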
     
  18. jimwillsher

    jimwillsher Registered Member

    Joined:
    Mar 4, 2009
    Posts:
    667

    Exactly as I suggested - Replace In Files feature.

    You tell it what to find (text, or a RegExp) and you tell it what to replace it with. You then tell it which folder to look at, what files to match etc. Then sit back and relax whilst it flies through your files.

    Extremely quick, extremely powerful, and exactly what you need.



    Jim
     
  19. Davel

    Davel Registered Member

    Joined:
    Oct 24, 2009
    Posts:
    7
    Are you sure all 1000 files are infected? It seems unlikely that they would all be infected.

    Editplus is another useful tool for doing bulk find and replace operations. You can download a free evaluation copy at http://www.editplus.com/download.html

    I would run editplus, select a block of infected html files and drag them onto the editplus window. Press Ctrl + H to open the Search and Replace dialogue box. Enter the full infected <iframe>...</iframe> string in the Find what box, place a space in the Replace with box and check the all open files radio button. Hit the Replace All button and see how many files get changed. Finally select File and Save All from the menu.

    Hope this helps

    Dave
     
  20. shitu

    shitu Registered Member

    Joined:
    Oct 31, 2009
    Posts:
    15
    I can just say ESET and its support forum and team and especially Mr. Marcos rock.
    Thanks to Mr. Marcos for his support in everyday and every topics.
    Cheers,
    M.A.P.
     