Big Problem

Discussion in 'NOD32 version 2 Forum' started by Tirnanog, Jul 7, 2006.

Thread Status:
Not open for further replies.
  1. Tirnanog

    Tirnanog Registered Member

    Joined:
    Jul 7, 2006
    Posts:
    8
    Location:
    Wales
    Computer: XP Home / SP2
    2 hard drives
    No. 1 partitioned: c – main / d – data / e – store
    No. 2 partitioned: f – image / g – backup



    • One year ago I bought the ‘eve 2.5’ academic plagiarism detection program and it had worked fine until three weeks ago, when Nod reported a problem but did not delete it
    • I contacted Eve, having paid for it, but got no reply
    • Yesterday on my routine full system scan Nod cleaned the whole computer, even the install prog from e drive, and reported:
    • Time Module Object Name Threat Action User Information
    > 06/07/2006 11:06:50 AMON file C:\Program Files\EVE2.5\eve2.exe
    > IRC/SdBot trojan deleted JOANMAIN\JOAN Event occurred at an attempt to
    > access the file by the application: C:\WINDOWS\Explorer.EXE.
    • I have no means of knowing whether this is a false alert, but Nod deleted the file, therefore I cannot use the program
    • Contacted Nod, who were brilliant and replied:
    • Could you please send us an example of those files, so that we can test
    it and the problem can be fixed?
    (This file C:\Program Files\EVE2.5\eve2.exe)
    We are very interested in receiving samples of these files for analysis.
    • I attempted to copy from the CD disc; could not get the exe over, and neither would it install, even with Nod disabled
    • Today took image back x 4 and, despite disabling Nod, could not zip the exe to send it; it just disappeared
    • Went to site http://www.canexus.com/eve/download.shtml and attempted to download and got this message:
    • Firefox cannot find file at eve_setupexe, and I.E. reported connection with server was terminated abnormally
    • I have scrubbed the computer clean BUT I do not understand why I could not zip the program, change permissions or download from their site. Have they done something to my computer, though I am back on the basic image where eve was never installed?

    Sorry this is so long, much thanks
     
  2. dog

    dog Guest

    I split this post off from your test thread and moved it to the NOD forum where it will receive proper attention. ;)

    Regards;

    Steve
     
  3. Tirnanog

    Tirnanog Registered Member

    Thanks so much, I am desperate for some advice
     
  4. ASpace

    ASpace Guest

    I guess this file is already in the quarantine, so open NOD32's Control Center -> Quarantine and follow the instructions to submit it for analysis.

    You can also submit these files to Virus Total for analysis by all AV software. Here
     

  5. Tirnanog

    Tirnanog Registered Member

    No, as soon as I pointed the file to Quarantine it just disappeared off the computer and Nod said it could not quarantine. I have just tried downloading again now and Nod will not let me, and having tried once, Firefox then cannot access the site a second time
     
  6. ASpace

    ASpace Guest

    Do the following at your own risk.
    If you are sure this is wrong, that this is a false positive, disable AMON and IMON: open NOD32's Control Center and disable AMON and IMON. Then try to download these things and send them to:
    samples@eset.com

    Subject: False Positive
    Point them to this thread here at Wilders.
    It would be a good idea if you can password protect what you send, and don't forget to mention the password.

    EDIT:
    Why don't you just reply to the Tech Support and send the link to these files so that they can download them if you cannot? ;)
     
  7. Tirnanog

    Tirnanog Registered Member

    I took the risk and disabled Nod totally, but even Firefox could not download off the site and I still could not download the file, and ‘eve exe’ would not let me zip them when I tried, never mind password them. I could not change the permissions; I tried and even looked in the registry. I did send http://www.canexus.com/eve/ in reply to the email. Obviously I’m not sure if it’s a false positive or not – it will need someone better than me to try
     
  8. ASpace

    ASpace Guest


    Well, you said you sent it to the Support.

    Can you also send the link to samples@eset.com and to support@eset.sk?
    Describe the problem in detail and, if it is something to be fixed, it will be soon.
     
  9. Tirnanog

    Tirnanog Registered Member

    Thank you so much- I have done what you asked
     
  10. ASpace

    ASpace Guest



    You are welcome! Good luck ;)
     
  11. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    I downloaded the program, extracted "eve2.exe" from the installer and uploaded it to a couple of online web scanner services (Jotti's and VirusTotal). I noticed that NOD32 isn't alone in labelling this as an "SdBot" trojan; F-Prot (together with Authentium) labels it as "W32/Sdbot.TAH". Seems to be runtime packed with "Armadillo". The MD5 of the file is: de7d3a95b14e31046ccc5c3e45feb595

    EDIT: Ewido detects it also, as "Backdoor.SdBot.are". UNA also, as "Backdoor.SdBot".
     
    Last edited: Jul 7, 2006
  12. ASpace

    ASpace Guest


    If so, it is definitely not an FP.
     
  13. Tirnanog

    Tirnanog Registered Member

    Kjempen / HiTech_boy

    • So relieved that someone else has downloaded the program and got the same result
    • I have taken both computer back to basic image that did not have eve on it
    • Scanned with Nod and free ewido / A2, though neither ewido nor A2 picked this up on my computer
    • Tried downloading again now after quitting Nod – no
    • Message – could not be saved because the source file could not be read, try again later or contact server administrator
    • When I disabled everything I downloaded it OK – why is that happening, as you were able to download OK?
    • Could someone tell me whether they have blacklisted me on their site – if so I don’t care – OR, more worrying, have they done something to my computer to stop me downloading?
     
  14. ASpace

    ASpace Guest


    Nobody here can confirm if they have blacklisted you/your IP/your PC, but there is no reasonable reason for this, so I think you are not banned, but note I cannot confirm.

    Second, you need to know NOD32 rarely gives false positives. Moreover, kjempen confirms that NOD32 is not the only scanner flagging this as a real threat. As I said, if you send the Support and the VirusLab a link to this, they will analyze it and will fix it if something is wrong. If this is a real threat, the detection will remain and you should not use it anymore!

    I cannot understand this question:
    "When I disabled everything I down loaded it OK – why is that (what that) happening as you were able to download OK"

    Read the whole thread and perform the recommendations. Good luck! :thumb:
     
  15. Tirnanog

    Tirnanog Registered Member

    Please forgive – elderly lady – big secret out, not computer literate
    • I know you cannot confirm if I am blacklisted – but I was asking could they do it, is it possible, but as you mention IP address I suppose they can
    • I wrote them a stinker of an email and said I had contacted Nod – no reply
    • What does this thing do??
    • When I opened Nod and clicked quit – I could not download eve exe and got that strange message – ‘could not be saved because the source file could not be read try again later or contact server administrator’
    • I uninstalled Nod and downloaded eve on to disc [don’t worry, scanning now]
    • Just wondered why the difference
     
  16. ASpace

    ASpace Guest

    ? ? ? ? ?


    The tech support should reply to you. The VirusLab will check and will fix only if necessary. If the detection is not removed, then this means this is a real threat/malicious software and you should not use it.


    I also don't worry! :cautious:
     
  17. Tirnanog

    Tirnanog Registered Member

    Lady's age is a secret!! :D
    I know Nod will reply; wish I could report this lot somewhere.
    Computer now clear, many thanks
     