Hit hard with coolezweb

Discussion in 'NOD32 version 2 Forum' started by twwabw, Aug 20, 2009.

Thread Status:
Not open for further replies.
  1. twwabw

    twwabw Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    40
    At several sites this morning, affecting urlmon.dll. Nod32 warnings pop up but it appears they are already infected. All using current versions. Anyone else seeing this?
     
  2. pwls

    pwls Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    6
    I am having the same problem. Latest version of nod business edition, including latest definition 4351.

    "2009-08-20 15:57 - Module Real-time file system protection - Threat Alert triggered on computer wkstn56: C:\WINDOWS\system32\urlmon.dll contains Win32/Adware.Coolezweb application."

    I have submitted this file to Eset, despite virustest reporting this file as being clean?!
     
  3. twwabw

    twwabw Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    40
    It's getting bad- lots of client sites. Could this be related in any fashion to AutoCAD? All users hit are running various flavors of it.

    Even after running Windows File Protection, can't launch Internet Explorer- says urlmon.dll missing.
     
  4. pwls

    pwls Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    6
    We also run AutoCAD 2007-2009 at work; however, the machine in question does not have AutoCAD installed. The machine recently prompted for an Adobe Flash Player upgrade but failed, so it could possibly have corrupted urlmon for me anyway :doubt:
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'd recommend installing v4, which has a much better detection ratio than v2 and can clean resistant threats as well.
     
  6. VisionG

    VisionG Registered Member

    Joined:
    May 22, 2008
    Posts:
    4
    I've got version 3.0.650 and 3.0.657 and I have the same problem with the release of virus definition 4351.

    No Autocad installed on computer.

    Error with file name urlmon.dll win32/adware.coolezweb on 15 computers...
     
  7. pwls

    pwls Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    6
    Thanks for the reply, Marcos; however, I am currently on 4.0.437.0.

    I appreciate I am on the incorrect sub forum so I will start a new post in the correct place. :D

    Thanks
     
  8. twwabw

    twwabw Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    40
    Not all on V2.7- one on V3. All running 4351 though. Thoughts o_O??
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It will be fixed in the next update. The file was detected incorrectly. For v3 and v4 users the file will be restored from quarantine automatically shortly after the next update.
     
  10. twwabw

    twwabw Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    40
    You mean it detected as a false positive??
     
  11. Shyla

    Shyla Registered Member

    Joined:
    Jan 11, 2008
    Posts:
    1
    Add me to the list of those being hit this morning. I got a few different messages with the warnings. Some of them said it was noticed because "google updater" was trying to access the file. The other warnings just said back everything up. Here is a screenshot of that one:
    http://img34.imageshack.us/img34/7271/threatp.jpg

    I clicked delete file and restarted my computer, but it didn't delete anything. I've also run AdAware and it didn't find anything.
    Is this a glitch with Nod32?

    Edit: Sorry I was lazy, I didn't read all the replies. Thanks for the update Marcos.
     
  12. twwabw

    twwabw Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    40
    So when will 4352 be released for ver 2.7? I see it's out already for 3 & 4?
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    A fix has been made to update 4353 which is currently being prepared.
     
  14. twwabw

    twwabw Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    40
    What about 4352? Is that affected too? That's the latest that's just showing up for 2.7
     
  15. botiitsup

    botiitsup Registered Member

    Joined:
    Aug 20, 2009
    Posts:
    1
    It looks like only XP SP3 Beta machines were affected for us. For some reason we had a handful on the Beta version of SP3. They were the only ones that had problems with ESET NOD32 4351.
     
  16. BluWav

    BluWav Registered Member

    Joined:
    Aug 20, 2009
    Posts:
    3
    Affected multiple machines here too. Tell users not to restart the affected computers. After a restart (which is instructed in the warning message) Outlook and IE will not open.

    Still waiting to hear back from tech support.
     
  17. BluWav

    BluWav Registered Member

    Joined:
    Aug 20, 2009
    Posts:
    3
    XP SP2 machines were affected here as well. Is anyone else experiencing problems with Outlook and IE after a restart? A bit of good news, I can use Firefox as a browser so I can work at my own desk. Now I just need a solution for email. ;)

    - still no reply from tech support.
     
  18. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Restoring urlmon.dll from quarantine should fix it. If you were using v3 or v4, this would have been done automatically after the last update.
     
  19. pwls

    pwls Registered Member

    Joined:
    Aug 22, 2008
    Posts:
    6
    Thank you, Marcos. The latest update 4353 did indeed fix this issue, so I take it that 4351 had a false positive?

    Luckily our server farm did not receive this error or we could have been in a "bit" of trouble.
     
  20. omis

    omis Registered Member

    Joined:
    Aug 21, 2009
    Posts:
    1
    Marcos,

    I have the latest update (4353) and version 2.7... I can't restore urlmon.dll because it has been deleted... how can I fix this o_O?
     
  21. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Windows itself should have notified you in case that file was deleted or modified, unless system file checking is disabled. Try running "C:\WINDOWS\system32\sfc.exe /scannow" or copy it from the Windows installation CD. Versions 3 and 4 never delete files automatically; you can only set the cleaning mode to "no cleaning" and hit the "Delete" button if a threat is found. V2 allowed the user to disable quarantining files.
     
  22. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England

    This question remains unanswered from these guys that ended up having to spend substantial time on their clients....which costs money.

    The consultant answers their phone with their client calling...client has several machines in a useless state thus out of production. Support guy dedicates greater part of his day to this issue, time which would have been spent doing more productive things.
     
  23. twwabw

    twwabw Registered Member

    Joined:
    Jul 30, 2005
    Posts:
    40
    Yes- no explanation. Most of the day wasted... although it was good to talk to you today, Brian :) . Another instance of ESET updates causing HUGE grief in our day. Multiple sites, many clients affected. And until we at least found out it was ESET, we thought we had a MAJOR outbreak hitting. And yes, restoring from quarantine SHOULD restore everything to normal, but had a couple it would not. Yes- tried running SFC- didn't work. Frustrating.
     
  24. BluWav

    BluWav Registered Member

    Joined:
    Aug 20, 2009
    Posts:
    3
    Finally! Ran sfe.exe, "regsvr32 urlmon.dll" and then restarted the machine. Back in business on two of my machines now. :D
     