my laptop is infected

As a NOD32 + Comodo FW user (same protection as ankupan), I find ankupan's problem especially disturbing. Clearly it suggests one of either two possibilities, neither of which speaks well for NOD32...

• NOD32 failed to detect the malware before it infected the system. Worse yet, it is unable to remove the malware => MAJOR RISK and BAD NEWS!
  
  
• NOD32 is issuing an alert based on an FP and there doesn't seem to be any way to confirm that and stop the alert => MAJOR NUISSANCE!

 

This is not the case here . A detection for Agent.OO trojan was not added yesterday nor the previous day . Ankupan repors problems since yesterday.I don't think it is false positive - if it was a FP it would not be so persistent to remove . It is also not a Microsoft file ( I have it on no XP computer)

NOD32 detects this heuristicially . I managed to see the Jotti scan before it was removed by LWM (Admin) and NOD32 and only one other product detects it .

The detection by NOD32 (and the other product) is very good thing , at least we know there is a problem . Since Marcos asked the file to be sent for further investigation , I am sure ESET Support will be able to help him .

 

We have confirmed it was not a false positive. AVG was another AV to detect it, but maybe they added detection based on ours

 

I myself would be very happy and pleased if you could keep us somehow updated and let us know when his computer is clean . Also , if you could share details how exactly he cured his machine . Thanks in advance and congratulations about the detection

 

to avoid problems with trojans and all that better I recommend to you to move away from nod32 and sw to kaspersky lol

 

At least you added LOL at the end However, keep in mind that ranting and trolling is not allowed here and such posts will be removed.

 

Pardon me, but as much as I would like my confidence in NOD32 to be restored, I don't see how your reply changes anything!

NOD32 was in place before ankupan's system was infected. Assuming that it was up-to-date, NOD32 failed to prevent the infection by either signature or heuristic recognition. Furthermore, NOD32 failed to remove the infection once it discovered it (after the fact). Am I missing something here?

 

I am not a virus analyst so I have no detailed information about this trojan . I only know it is probably injected DLL and very difficult to remove . Lots of top vendors even missed detection .

Why NOD32 didn't detect the trojan before it became malware resident , well that is another topic . Did he stayed updated all the time , did he kept AMON enabled are only some of the questions we can ask . But it is no longer important , we can only guess why . Ankupan is in good hands when there is ESET Tech Support

 

NOD32 was one of the few to detect the threat so it surprises me to read complaints here about its detection. As to why it got installed, here are several possibilities:
- NOD32 was installed on an already infected system and the threat was detected during an on-demand scan in memory
- AMON was disabled at the time the malicious file got installed
- NOD32 was outdated at the time the malicious file got installed
- AMON was not set to move newly created files to quarantine
- detection for this threat was added after the infection took place

 

Actually, it's the most pertinent issue of this topic!

Of course good tech support is important, but I would venture to guess that most NOD32 users want to believe they are 'in good (protective) hands' by using NOD32!

 

Hi Marcos,

That does make a difference, but I don't see the basis for those comments -- how did you determine the deficiencies quoted above?

 

Hi Jo Ann
Not intending to be argumentative, however, my interpretation is that those are the possible scenarios.
I would not term them "deficiencies" (as you stated).
DLL injection is not easy to identify OR remove and it seems to be getting rather prevalent. If the "injection" occurs in an OS system DLL, then removing it will have devastating results.
Elvis has already left the building ...... LOL
I hope readers get that joke
Cheers

 

Ok, let em ask one thing. If the matter is only a dll then why not to just boot from a CD and delete this stupid dll?
But where is the source of this dll? I think some maleware is hiding somewhere and reloading this dll again after it is deleted.
If I am in this situition, I will install a HIPS, delete the dll by booting from a CD and will reboot and see what process tried to reload this dll. Just a wild guess. What u think about this?

 

Hi,

I did full scan two times and NOD32 caught more 30 trojan (WIN32/Ahent.OO) in different files and all were cleaned).

But still unable to clean that dll.

Can some one confirm that it is not useful dll, so I can delete it from my system while using bootable CD.

Waiting for help.

 

I don't have this dll on any Windows XP I have checked . Marcos confirmed it is not a false positive .

Didn't you contact ESET Tech support as suggested by me , by Blackspear (in post 20) and by Marcos (post 21) . I would wait for the Support provide removal procedure if everything else fails.

 

It was not a suggestion, I rather asked a sort of Q. I can,t guarante that it will not damage ur system. If u have full backup and ready for any disater like unbootable system etc, u can try( on ur own risk).

 

Can I delete this dll ?

 

For sure, that is not something you want on your system! If you follow this procedure there's an excellent chance of removing the malware.

Download Killbox to your desktop - you will need to use it during this procedure.

Clean out the System Restore folder. Go to Start > Control Panel > System > System Restore Tab and put a check in the box to the left of "Turn off System Restore" then click on Apply and Ok (this may take a minute or so). When finished, go back and remove the check (re-enabling System Restore), click on Apply and Ok.

Run System Restore again and tick the circle next to "Create a Restore Point", click Next, giving the RP an appropriate name and click Create. Now restart your PC into Safe Mode (continuously tap F8 during bootup until presented with the boot-option menu).

Launch Killbox, placing a tick next to [x]Delete on reboot "Press the All Files button". Copy the following (red) list to Windows' clipboard (highlight the entire red list below and press CTRL C):

C:\WINDOWS\libHide.dll `
C:\WINDOWS\system.exe
C:\WINDOWS\bot.exe
C:\WINDOWS\down.exe
C:\WINDOWS\system16.exe
C:\WINDOWS\vbstub.exe
C:\WINDOWS\awnfcandidateform.exe
C:\WINDOWS\keygen.exe
C:\WINDOWS\vb.ini
C:\WINDOWS\vbfile.exe
C:\WINDOWS\vbaddin.ini

Now using Killbox go to File > Paste from clipboard. Click on the "All Files button". Next click on the button that has the red circle with the white X in the middle. It will ask for confimation to delete the files on next reboot and then will ask you if you want to reboot now. You do want to reboot now (into normal mode), so click Yes and let your PC reboot. If the computer does not restart automatically, start it manually.

With any luck that nasty malware should be gone. ~pv

 

We have already suggested to try using undll, killbox and avenger to no avail. If possible, try renaming the dll and restart the computer to see if the dll's created again.

 

Hi,

thanks for this information.

When i was trying only one dll, it was failed to delete libhide.DLL.

As per your suggestion, I selected all these files and deleted through this killbox and amazing, it works and now problem is resolved.

Yes, i got email from ESET support and they also suggested this killbox, and I tried with only one file and it was failed to delete this file.

Once again thanks to every one and ESET support for helping me a lot.

 

So some of these exe was sourceof this dll.

 

Glad to hear that my 'Rx' worked and that your problem is now totally resolved...

Take care, pv

 

thanks,

 

yw...

 

Well that surely made a very good read. I am glad it is finally resolved.