got this new virus!

Discussion in 'NOD32 version 2 Forum' started by ddd, Mar 27, 2005.

Thread Status:
Not open for further replies.
  1. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    Here's the problem: NOD32 finds a new kind of virus, but it cannot be removed since it is a new kind of virus. It runs as c:\windows\winrun.exe.
    I can't open Task Manager, so I really don't know what to do!
    Please help!!!! :oops:
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried rebooting into Safe Mode and running a scan that way?

    Just make sure Nod32 is set up as per instructions mentioned in post number 2 HERE.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
    Last edited: Mar 27, 2005
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Whenever NOD32 finds a probable unknown NewHeur_PE virus, tick the Quarantine check-box before deleting the file. It should be possible to delete even viruses detected by heuristics. After the scan completes, reboot the machine and send the content of the program files\eset\infected folder to sample@eset.com. Should there be a problem deleting the file, boot to safe mode first as suggested by Blackspear.
     
  4. Happy Bytes

    Happy Bytes Guest

    If you are stuck somewhere, download Process Explorer from www.sysinternals.com

    Rename the executable to hahayes.exe (so that it cannot be terminated by process name) and kill the process :D During the kill you may hear this bugger crying, but don't pay attention to that :D
     
  5. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    Well, my NOD32 can't delete the selected virus, not even put it in quarantine!
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you tried it in Safe Mode?
     
  7. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    Yes, now it seems that the virus is deleted, but I still can't open Task Manager?!
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you please send the quarantined file found in C Drive> Program files> Eset> Infected to sample@eset.com

    If you find Windows system files affected, you can place your Windows CD in the drive, click Start > Run, type in CMD, and when the black window opens type in "sfc /scannow". SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    What about changing the appropriate registry value?

    User Key: [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
    Value Name: DisableTaskMgr
    Data Type: REG_DWORD (DWORD Value)
    Value Data: (0 = default, 1 = disable Task Manager)

    WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system.
     
    Last edited: Mar 28, 2005
  10. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    I've checked in the registry, but Task Manager is not disabled. When I try to open Task Manager I get the message "Task Manager has been disabled by your administrator" o_O o_O ??
     
  11. Happy Bytes

    Happy Bytes Guest

  12. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    Thanks a lot Happy Bytes!
     
  13. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    There is another thing: when I try to open my DVD-ROM I get no result; if I try this with another account on Win XP I have no problems. Any idea why this is happening?
     
  14. Happy Bytes

    Happy Bytes Guest

    Open the CDRom how ?
    Via right click and eject media or pressing the button directly on the drive?
     
  15. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    The Task Manager can be disabled with a registry entry or group policy. One way to re-enable it is to go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System . On the right side, look for DisableTaskMgr , which should be of type REG_DWORD. If it is not there, create it. DisableTaskMgr should have a value of 0 (zero, not the letter O).
     
  16. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    It sounds like something in that login is accessing the DVD-ROM drive, or at least keeping it locked. Try looking in the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run... entries for something that should not be there.
     
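The registry check described in the two posts above, as an added PowerShell example that is not part of the thread: the message "Task Manager has been disabled by your administrator" is produced by a DisableTaskMgr value in either the per-user (HKCU) or the machine-wide (HKLM) Policies\System key, and Group Policy writes the same value, so looking only under HKCU can come up empty while the machine-wide value is still set. The script reports both locations, clears any value that is set, and then lists the Run/RunOnce autostart entries alglove points at. It assumes a PowerShell-capable Windows host (PowerShell post-dates the Windows XP machine in the thread; on XP the same keys can be read with reg.exe), and clearing the HKLM value needs an elevated shell.

```powershell
# Added example, not from the thread. Checks both the per-user and machine-wide
# DisableTaskMgr policy values, clears them, and lists Run/RunOnce autostart entries.
# Assumes a PowerShell-capable Windows host; writing under HKLM needs an elevated shell.

$PolicyKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-TaskMgrPolicy {
    foreach ($key in $PolicyKeys) {
        $value = $null
        if (Test-Path $key) {
            $value = (Get-ItemProperty -Path $key -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
        }
        [pscustomobject]@{
            Key      = $key
            Value    = $value          # $null = value absent, which is the default (Task Manager allowed)
            Disabled = ($value -eq 1)
        }
    }
}

function Repair-TaskMgrPolicy {
    foreach ($entry in Get-TaskMgrPolicy | Where-Object Disabled) {
        # Deleting the value restores the default; writing a DWORD 0 has the same effect.
        # Fails with an access error on HKLM unless the shell is elevated.
        Remove-ItemProperty -Path $entry.Key -Name DisableTaskMgr -ErrorAction Stop
        Write-Host "Removed DisableTaskMgr from $($entry.Key)"
    }
}

function Get-RunEntries {
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item -Path $key           # RegistryKey object, so value names come back unpolluted
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Key = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

Get-TaskMgrPolicy | Format-Table -AutoSize
Repair-TaskMgrPolicy
Get-RunEntries    | Format-Table -Wrap -AutoSize
```

If Get-TaskMgrPolicy shows both values absent and the message still appears, the setting is being re-applied by something else (a Group Policy object, or a process that keeps rewriting the value), so the Run entries listed last are the next place to look.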
  17. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    I can't open the DVD in my Explorer (only when I use my account!). Otherwise I can open it with other accounts on my computer.
    I've checked HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run, but nothing weird was there!
     
  18. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    Any CD/DVD burning applications on your computer, like Nero, Roxio, etc.?
     
  19. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Hi ddd,
    Nothing to add with regards to the exact cause, but it's highly likely your issues are indirectly the result of using KaZaA or WinMX. Do you use either of these?
    I am a bit curious today, but I'm also wondering if you've got Advanced Heuristics turned on and all the other bells and whistles - I can't see whether you said it is or not? Apart from the link above, Blackspear also has an excellent config guide for NOD32 somewhere.
     
  20. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    Well, I don't use KaZaA or WinMX and YES I have turned on Advanced Heuristics...
    I reinstalled SP2 and now it seems OK.
    The weird thing was that I couldn't quarantine the winrun.exe, NOD32 just deleted it?!
     
  21. ShunterAlhena

    ShunterAlhena Registered Member

    Joined:
    Aug 1, 2004
    Posts:
    134
    Location:
    Szigethalom, Hungary
    Quarantine in NOD32 doesn't work like in other AV products such as Norton. Here it means that before deleting, cleaning etc. the infected file, NOD32 creates a secure copy of it in the 'infected' folder inside the directory where NOD32 was installed. So it's not a separate action. If you ticked the checkbox, the copy should have been made and be accessible via "NOD32 System Tools \ Quarantine".
     
  22. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    Hm, it's been more than two weeks now since I got rid of that virus (?), but I have another problem. I kinda lost my administrative rights on my WinXP Pro SP2. I tried everything, but still I cannot delete some files from partition D: and even on C:
    Is it normal that some viruses mess up your registry?
    o_O
     
  23. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Indeed, have you tried what I posted above?

    If you find Windows system files affected, you can place your Windows CD in the drive, click Start > Run, type in CMD, and when the black window opens type in "sfc /scannow". SFC (System File Checker, a part of Windows File Protection) will replace any changed/damaged system files with a clean copy. SFC may not solve every problem, but it's a good start that anyone can do.

    Cheers :D
     
  24. alglove

    alglove Registered Member

    Joined:
    Jan 17, 2005
    Posts:
    904
    Location:
    Houston, Texas, USA
    How do you know that the registry is the problem? It could be something else preventing you from deleting these files, like NTFS ownership/permissions. What kind of error messages do you get when you try to delete these files? File locked or in use? Insufficient privilege? Something else?
     
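An added PowerShell example, not part of the thread, for alglove's question about what is actually blocking the delete: it reads the file's NTFS owner and ACL, reports any Deny entries and whether the current user's SIDs hold the Delete right at all, and a second function takes ownership and repairs the ACL with the built-in takeown and icacls tools. It assumes a PowerShell-capable host running Windows Vista or later (takeown and icacls are not on the XP machine in the thread), the repair needs an elevated shell, and the path D:\example\stuck.dat is hypothetical.

```powershell
# Added example, not from the thread. Reports why a delete fails with "you don't have
# permission" by reading the NTFS owner and ACL, then repairs ownership and the ACL.
# Assumes Windows Vista or later (takeown.exe / icacls.exe); the repair needs an elevated shell.

function Get-DeleteBlockers {
    param([Parameter(Mandatory)][string]$Path)

    $acl = Get-Acl -LiteralPath $Path
    $me  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SID strings for the current user plus every group in the token; ACEs for anyone else do not apply.
    $mySids = @($me.Groups | ForEach-Object { $_.Value }) + $me.User.Value

    $deleteRight = [System.Security.AccessControl.FileSystemRights]::Delete
    $denies = @()
    $allows = @()

    foreach ($ace in $acl.Access) {
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch {
            continue   # account name that no longer resolves; it cannot match our token
        }
        if ($mySids -notcontains $sid.Value) { continue }
        if (($ace.FileSystemRights -band $deleteRight) -eq 0) { continue }

        if ($ace.AccessControlType -eq 'Deny') { $denies += $ace.IdentityReference.Value }
        else                                   { $allows += $ace.IdentityReference.Value }
    }

    [pscustomobject]@{
        Path        = $Path
        Owner       = $acl.Owner
        DenyDelete  = $denies        # a single Deny ACE overrides every Allow
        AllowDelete = $allows
        CanDelete   = ($denies.Count -eq 0 -and $allows.Count -gt 0)
    }
}

function Repair-FileAccess {
    param([Parameter(Mandatory)][string]$Path)

    # Take ownership as an administrator, give BUILTIN\Administrators (S-1-5-32-544) Full control,
    # then strip explicit Deny ACEs for the current user. icacls accepts SIDs prefixed with '*'.
    & takeown.exe /F $Path | Out-Null
    & icacls.exe $Path /grant '*S-1-5-32-544:(F)' | Out-Null
    & icacls.exe $Path /remove:d "$env:USERDOMAIN\$env:USERNAME" | Out-Null

    Get-DeleteBlockers -Path $Path
}

# Hypothetical path; substitute the file the delete fails on.
$target = 'D:\example\stuck.dat'
Get-DeleteBlockers -Path $target | Format-List
# Repair-FileAccess -Path $target   # run from an elevated prompt once the report shows the cause
```

Two caveats a practitioner would check: Delete can also be granted through the parent folder's "Delete subfolders and files" right, and a Deny inherited from the parent shows up in the report the same way as an explicit one, so if CanDelete disagrees with what Explorer does, run Get-DeleteBlockers on the parent folder as well. An owner that is not the account in use, or a Deny entry for Everyone, is a permissions problem rather than a registry one, which is alglove's point.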
  25. ddd

    ddd Registered Member

    Joined:
    Jun 6, 2004
    Posts:
    20
    Blackspear, I've tried what you proposed, but it stopped during the process (I think it was a problem with SP2, because my Win XP CD has SP1).
    When I try to delete certain files I get the message that I don't have permission to delete the files (it's strange because I'm the administrator for my account). I can't even install some programs on partition D:
    I've looked on the internet and some had the same problem - virus, messed up registry,...
    So my guess is that I got a messed up registry so I don't have permission for some things. Strange, it seems that bad things always happen to me!
     