NOD32 it seems impossible!

Discussion in 'NOD32 version 2 Forum' started by Jones, Sep 3, 2004.

Thread Status:
Not open for further replies.
  1. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you turned on the XP Firewall?

    Have you managed to install ZoneAlarm (free) firewall?

    Have you run a further online scan to make sure your system is now clean?

    Have you run a further scan with "In Depth Analysis"? Does it now come up clean?

    Have you pasted your LOG file into an email and sent it to support@nod32.com ? If you have not, please do so, and if you do not hear from Eset within 3 days (allows for weekends), please advise us here...

    Let us know how you go…

    Cheers :D
     
  2. Jones

    Jones Registered Member

    Joined:
    Sep 2, 2004
    Posts:
    42
    >Have you managed to install ZoneAlarm (free) firewall?

    I have now just installed Zone Alarm.
    After installing it I had many problems, then I turned on my PC and succeeded in restoring
    the system configuration (the latest configuration from before the error).

    >Have you run a further online scan to make sure your system is now clean?

    Yes, with PC-Cillin online scan and Norton scan.
    They found one swen virus and some trojans.

    >Have you run a further scan with "In Depth Analysis"? Does it now come up clean?

    Yes, but I think I have a problem. When I go into safe mode I cannot open the page where NOD32's "In Depth Analysis" is.
    If I scan with "In Depth Analysis" in normal mode, NOD32 finds these:
    C:\hiruvim.0hm »CHM »/htm2chm_explorer - Exploit/CodeBase trojan
    C:\hiruvim.0hm »CHM »/d_hiruvim.exe - Win32/Dialer.BY trojan
    It tells me "number of viruses found: 2" but I cannot delete them.
    In fact, when I click on "Clean" it shows a page "Infiltration virus found" and there is only one enabled button, "Leave". I see "Delete" disabled.
    Why? If I click on "Leave", NOD32 starts another session.

    >Have you pasted your LOG file into a email and sent it to support@nod32.com ?

    Yes, when I have a reply I will post it.
    I hope you will give me some advice because I'm an inexperienced boy.
    Thanks
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Are you able to run a standard scan with Nod32 WHILE in SAFE MODE?

    Cheers :D
     
  4. Jones

    Jones Registered Member

    Joined:
    Sep 2, 2004
    Posts:
    42
    Yes, but with "In Depth Analysis" NOD32 finds some trojans, whereas in a standard scan it doesn't find anything.
    I also did an online scan (with PC-Cillin) but without finding any virus.
     
  5. Jones

    Jones Registered Member

    Joined:
    Sep 2, 2004
    Posts:
    42
    I have just posted my hijackthis log analysis here http://hijackthis.de/index.php?langselect=english
    and this is the result:

    My hijackthis log analysis

    However, I would like to note that my Win XP is up to date because I have just run an update.


    Entry | Kind (Safe, Nasty, Unknown) | Description | Tip
    Logfile of HijackThis v1.98.2
    Safe. Shows the version of HijackThis. The newest version is: v1.98.2! This should be the newest version. (v1.98.2 )
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Possibly out of date Shows the version of your Internet Explorer. Newest Version is: 6.00.2900.2180! The version (6.00.2800.1106) is out of date. Check Windows Update to update the Internet Explorer.
    C:\WINDOWS\System32\smss.exe
    Safe. running process. (smss.exe)
    System process - application used to start, manage and delete sessions.
    C:\WINDOWS\system32\winlogon.exe
    Safe. running process. (winlogon.exe)
    System process - Windows login routine.
    C:\WINDOWS\system32\services.exe
    Safe. running process. (services.exe)
    System process - manages the system services.
    C:\WINDOWS\system32\lsass.exe
    Safe. running process. (lsass.exe)
    System process
    C:\WINDOWS\system32\svchost.exe
    Safe. running process. (svchost.exe)
    System process - generic host process name for services.
    C:\WINDOWS\System32\svchost.exe
    Safe. running process. (svchost.exe)
    System process - generic host process name for services.
    C:\WINDOWS\system32\spoolsv.exe
    Safe. running process. (spoolsv.exe)
    System process
    C:\WINDOWS\System32\GEARSec.exe
    Safe. running process. (GEARSec.exe)

    C:\WINDOWS\Explorer.EXE
    Safe. running process. (Explorer.EXE)
    System process for the desktop and taskbar.
    C:\Programmi\Eset\nod32krn.exe
    Safe. running process. (nod32krn.exe)

    C:\WINDOWS\System32\nvsvc32.exe
    Safe. running process. (nvsvc32.exe)
    Not dangerous, but unnecessary.
    C:\WINDOWS\System32\svchost.exe
    Safe. running process. (svchost.exe)
    System process - generic host process name for services.
    C:\Programmi\PowerQuest\Drive Image 7.0\Agent\PQV2iSvc.exe
    Safe. running process. (PQV2iSvc.exe)
    Drive Image 7
    C:\WINDOWS\System32\GSICON.EXE
    Safe. running process. (GSICON.EXE)
    ADSL modem monitor from Eicon Networks (as used by BT for its Broadband internet service for example). Can safely be disabled without affecting the connection - all this does is give an indication of connectivity and access to the diagnostic facilities Not dangerous, but unnecessary.
    C:\Programmi\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
    Safe. running process. (AbbyyNewsReader.exe)

    C:\WINDOWS\System32\dslagent.exe
    Safe. running process. (dslagent.exe)

    C:\Programmi\Eset\nod32kui.exe
    Safe. running process. (nod32kui.exe)

    C:\Programmi\MemoRex\MemoRex.exe
    Unknown running process. (MemoRex.exe)
    This is an unknown process.
    C:\Programmi\Internet\Eudora\Eudora.exe
    Unknown running process. (Eudora.exe)
    This is an unknown process.
    C:\Programmi\HijackThis\HijackThis1982.exe
    Safe. running process. (HijackThis1982.exe)
    HijackThis
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/Programmi/Internet%20Exp
    Possibly nasty This page could possibly be nasty. If you do not know the entry 'file:///C:/Programmi/Internet%20Explorer/AP1.html ', delete it.
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    Safe.
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://pagefirst.netfirms.com/n
    Possibly nasty This page could possibly be nasty. If you do not know the entry 'http://pagefirst.netfirms.com/newod ', delete it.
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://fwalerts.zonelabs.com/fwa
    Nasty Entries with this kind of homepages should always be fixed. This entry should be fixed by HijackThis!
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Collegamenti
    Nasty This entry should be fixed by HijackThis! This entry should be fixed by HijackThis!
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programmi\Adobe\Acrobat
    Safe. Entries found in this registry zone are potentially nasty. This application ([06849E9F-C8D7-4D59-B87D-784B7D6BE0B3] - Result: 06849E9F-C8D7-4D59-B87D-784B7D6BE0B3) has been checked. Hit rate: 100,00 %
    O2 - BHO: (no name) - {2A2E29F2-546F-42EB-8746-667D179E6960} - (no file)
    Unknown Entries found in this registry zone are potentially nasty. This application ([2A2E29F2-546F-42EB-8746-667D179E6960] - Result: ) has been checked. Hit rate: 0,00 % Unknown application.
    Unnecessary (deactivated) entry that can be fixed.
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    Safe. Entries found in this registry zone are potentially nasty. This application ([53707962-6F74-2D53-2644-206D7942484F] - Result: 53707962-6F74-2D53-2644-206D7942484F) has been checked. Hit rate: 100,00 %
    O2 - BHO: Ipswitch.WsftpBrowserHelper - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Programmi\Ipswit
    Safe. Entries found in this registry zone are potentially nasty. This application ([601ED020-FB6C-11D3-87D8-0050DA59922B] - Result: 601ED020-FB6C-11D3-87D8-0050DA59922B) has been checked. Hit rate: 100,00 %
    O2 - BHO: (no name) - {6181B5DB-C6B1-4CD7-A891-1E8BABC3CE16} - (no file)
    Unknown Entries found in this registry zone are potentially nasty. This application ([6181B5DB-C6B1-4CD7-A891-1E8BABC3CE16] - Result: ) has been checked. Hit rate: 0,00 % Unknown application.
    Unnecessary (deactivated) entry that can be fixed.
    O2 - BHO: IEHelperObj Class - {6754A456-BAD9-11D4-93D3-00B0D03A2F91} - C:\PROGRA~1\Odigo\Bin\OdigoBH
    Safe. Entries found in this registry zone are potentially nasty. This application ([6754A456-BAD9-11D4-93D3-00B0D03A2F91] - Result: 6754A456-BAD9-11D4-93D3-00B0D03A2F91) has been checked. Hit rate: 100,00 %
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\programmi\google\googl
    Safe. Entries found in this registry zone are potentially nasty. This application ([AA58ED58-01DD-4d91-8333-CF10577473F7] - Result: AA58ED58-01DD-4d91-8333-CF10577473F7) has been checked. Hit rate: 100,00 %
    O2 - BHO: (no name) - {E6D7F60E-C554-4462-8A2A-9D3C8A1978D3} - (no file)
    Unknown Entries found in this registry zone are potentially nasty. This application ([E6D7F60E-C554-4462-8A2A-9D3C8A1978D3] - Result: ) has been checked. Hit rate: 0,00 % Unknown application.
    Unnecessary (deactivated) entry that can be fixed.
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    Safe. Entries found in this registry zone are potentially nasty. This application ([8E718888-423F-11D2-876E-00A0C9082467] - Result: 8E718888-423F-11D2-876E-00A0C9082467) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 100,00 %
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\programmi\google\googletoolbar1.
    Safe. Entries found in this registry zone are potentially nasty. This application ([2318C2B1-4965-11d4-9B18-009027A5CD4F] - Result: 2318C2B1-4965-11D4-9B18-009027A5CD4F) has been checked. If the name is made up of random letters, found in the folder 'Application Data' and the kind is 'Unknown' , it should be fixed. Hit rate: 97,22 %
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    Safe. The entered application NvCplDaemon was identified: NvCplorNvCplDaemon. Hit rate: 73,12 % (result)
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    Safe. The entered application nwiz was identified: nwiz. Hit rate: 100,00 % (result)
    O4 - HKLM\..\Run: [GSICONEXE] GSICON.EXE
    Safe. The entered application GSICONEXE was identified: Gsiconexe. Hit rate: 14,65 % (result) Not dangerous, but unnecessary.
    O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
    Safe. The entered application Ptipbmf was identified: Ptipbmf. Hit rate: 100,00 % (result)
    O4 - HKLM\..\Run: [MemoREX] "C:\Programmi\MemoRex\MemoRexStart.exe"
    Unknown The entered application MemoREX was identified: None. Hit rate: 9,09 % (result) Unknown application.
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    Safe. The entered application NeroFilterCheck was identified: NeroFilterCheck. Hit rate: 100,00 % (result)
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Programmi\QuickTime\qttask.exe" -atboottime
    Safe. The entered application QuickTime Task was identified: QuickTime Task. Hit rate: 100,00 % (result) Not dangerous, but unnecessary.
    O4 - HKLM\..\Run: [FineReader7NewsReaderPro] "C:\Programmi\ABBYY FineReader 7.0 Professional Edition
    Safe. The entered application FineReader7NewsReaderPro was identified: FineReader7NewsReaderPro. Hit rate: 88,89 % (result)
    O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
    Safe. The entered application DSLAGENTEXE was identified: DSLagentexe. Hit rate: 43,64 % (result)
    O4 - HKLM\..\Run: [nod32kui] "C:\Programmi\Eset\nod32kui.exe" /WAITSERVICE
    Safe. The entered application nod32kui was identified: nod32kui. Hit rate: 96,15 % (result)
    O8 - Extra context menu item: &Google Search - res://c:\programmi\google\GoogleToolbar1.dll/cmsearch
    Safe. The entry &Google Search has been identified as safe. If the entry '&Google Search ' is not needed anymore, it should be fixed.
    O8 - Extra context menu item: Collegamenti a ritroso - res://c:\programmi\google\GoogleToolbar1.dll/
    Safe. The entry Collegamenti a ritroso has been identified as safe. If the entry 'Collegamenti a ritroso ' is not needed anymore, it should be fixed.
    O8 - Extra context menu item: Pagine simili - res://c:\programmi\google\GoogleToolbar1.dll/cmsimilar
    Safe. The entry Pagine simili has been identified as safe. If the entry 'Pagine simili ' is not needed anymore, it should be fixed.
    O8 - Extra context menu item: Versione cache della pagina - res://c:\programmi\google\GoogleToolbar1
    Safe. The entry Versione cache della pagina has been identified as safe. If the entry 'Versione cache della pagina ' is not needed anymore, it should be fixed.
    O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    Safe. The entry ICQ Pro has been identified as safe. If the entry 'ICQ Pro ' is not needed anymore, it should be fixed.
    O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
    Safe. The entry ICQ has been identified as safe. If the entry 'ICQ ' is not needed anymore, it should be fixed.
    O9 - Extra button: (no name) - {76DD9E77-F06C-4471-AB6C-CF03C5C6B5B0} - (no file)
    Possibly nasty Unknown buttons or entries in the 'Extras'-menu should be fixed. To be fixed if the entry '' is unknown.
    Unnecessary (deactivated) entry that can be fixed.
    O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.sym
    Safe. This entry has been identified as safe.
    O16 - DPF: {53AEE57C-FEF2-404C-8791-BEAFAC6FDB6A} -
    Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
    O16 - DPF: {5BF50AC6-9851-4937-8372-254A8D3AE864} -
    Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.s
    Safe. This entry has been identified as safe.
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/8
    Safe. This entry has been identified as safe.
    O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.c
    Safe. This entry has been identified as safe.
    O16 - DPF: {88C51E90-8E9C-4C96-8A45-574D88B63FAF} - http://acceso.masminutos.com/aplicacion.cab
    Possibly nasty Unknown ActiveX-Objects, or ActiveX-Objects from unknown sites should always be fixed. If the name of the ActiveX-Object or the URL contains the words 'dialer', 'casino', 'free plugin' etc, it should be fixed! Check if you know this site and fix it if you do not.
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasof
    Safe. This entry has been identified as safe.
    O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http
    Safe. This entry has been identified as safe.
    O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014041.exe
    Nasty This entry is possibly nasty. Should be fixed.
    O17 - HKLM\System\CCS\Services\Tcpip\..\{1932490C-922E-436F-A528-DF980969AFAC}: NameServer = 80.17.2
    Possibly nasty If this Domain does not belong to your ISP, or your firms network, these entries should be fixed. 'SearchList' entries should be fixed too. Do you know the IP or Domain '80.17.212.208 151.99.125.1 '? If not, fix this entry.


    This log has been checked automatically.
    Check your log file automatically at www.hijackthis.de.
     
  6. Jones

    Jones Registered Member

    Joined:
    Sep 2, 2004
    Posts:
    42
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please follow the thread here and tweak up your Nod32 settings for a default (standard) scan:

    https://www.wilderssecurity.com/showthread.php?t=37509

    When and only when your settings are tweaked:

    BOOT into SAFE MODE by pressing/tapping F8 as your computer begins to boot.

    When your computer is in SAFE MODE

    Run a further NORMAL scan while in SAFE MODE

    In order for Nod32 to both detect and REMOVE these trojans your computer must be in SAFE MODE.

    The ONLY difference between "In Depth Analysis" and a default normal scan is the settings are stronger.

    Let us know how you go...

    Cheers :D
     