How do I clean my PC with NOD32

Discussion in 'NOD32 version 2 Forum' started by TEEH, Apr 20, 2007.

Thread Status:
Not open for further replies.
  1. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Hi, after having so much trouble with Norton and McAfee, which by the way did not clean all the viruses on my PCs, I decided to try NOD32. I installed it, updated the virus definitions and then proceeded to scan for viruses. It detected some viruses, but the window that appeared telling me that these viruses were found did not tell me how to eliminate them or what to do. Sorry, but I still do not know how to analyze and clean all those critters. Need some help please.

    Thanks,

    Thor Hedderich
     
  2. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,148
    Location:
    Denmark
    Unless they were found in an archive (zip, rar etc.) you should have the option to clean, quarantine or delete.
    NOD32 (the on-demand scanner) also works in Windows Safe Mode, so try that too.
     
  3. kjempen

    kjempen Registered Member

    Joined:
    May 6, 2004
    Posts:
    379
    Try right-clicking an infected file in the scan/log window. It should give you some choices. Was it this you were after?
     
  4. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
  5. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Some time ago my wife's computer also got infected by a virus. I had the McAfee suite and it just did not work at all; the technicians at McAfee sent me some instructions about starting my wife's XP PC in safe mode. I did that and the PC went into a startup loop and I could not get it out, so I had to format the HD. Lucky me, my wife was in Miami and did not notice the format issue, so I am now afraid of the so-called "safe mode". I prefer to try other options before taking that risk on my PC.

    Thor Hedderich

    * After that I created a startup disk called UBCD4WIN and tried it, and it worked, but I still do not know what to do in case the PC goes into a loop in safe mode.
     
  6. ASpace

    ASpace Guest

    This is less likely to happen.


    :D


    Just perform Scan&Clean instead of Scan
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi TEEH, welcome to Wilders.

    Hi there, could you please check your settings against those found in the following NOD32 Tutorial: https://www.wilderssecurity.com/showthread.php?t=37509

    AFTER this run a scan by following these steps:

    1. Click on the NOD32 Control Centre (green and white split square in the bottom right-hand corner of your computer's screen).
    2. Click on NOD32.
    3. Click on Run NOD32.
    4. Click on “Scan and Clean”.
    5. Reboot your Computer into “Safe Mode”.
    6. Click on Start> All Programs> ESET> NOD32
    7. Click on “Scan and Clean”.
    8. Check the scan results.

    Let us know how you go...

    Cheers :D
     
  8. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Hi BlackSpear, I did follow all the tutorial instructions except those on scheduling the automatic weekly hard drive scan from the command line. I will do it later; meanwhile I did configure NOD32 on all my LAN PCs and did a full scan and found many things McAfee could not. Despite all my efforts, when I enable file sharing on all three computers, mysteriously two files always appear in the shared folder; the file names are setup.exe and autorun.inf. I know these are malign files because all this mess started some time ago (first HD format) when my wife executed the setup file, and from that day on everything went bad. I uninstalled McAfee Suite and all Norton software and reinstalled all the software on my wife's PC; the files did not appear again, but when I enabled all three computers these %$@%$# files appeared and appeared and appeared. It is something related to sharing folders, but I do not know how to clean them or just stop these files from appearing. Once I tried to create two files with the same name and extension, but suddenly I noticed that the original files I created were transformed into the original infected ones. Weird, but I am trying to live with them until a solution is found. NOD32 detected the setup.exe and offered to send it to ESET, which I did, and it was also automatically deleted, but I am always afraid this virus, worm or whatever could mutate into a worse infection. Really I do not know what to do now.

    Thor Hedderich.

    * The tutorial was great and very precise.
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Thor, please rerun a scan on all PC's.

    Please forward logs from the following programs to support office in your country:

    Download HijackThis from HERE

    Download Autoruns from HERE

    Download Lookinmypc from HERE
    1. Select "Generate report"
    2. Wait - scan results will pop up in a browser
    3. Go to folder with LookInMyPC installed (default in C:\ProgramFiles\LookInMyPC\Reports\username\LookInMyPC.zip), and attach LookInMyPC.zip to the reply email

    Then run the other 2 programs and forward the logs from all three programs together with the following:

    1. Go to the NOD32 Control Centre
    2. Click on Logs
    3. Right Click on one of last completed full system scan logs.
    4. Click on “Details”
    5. Right Click anywhere on the scan log
    6. Click on “copy all”
    7. Right Click in the replying email to me.
    8. Click on “Paste”

    This will paste a copy of one of the scans you have completed.

    Let us know how you go...

    Cheers :D
     
  10. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Hi again, I have just downloaded all three programs and will follow your instructions ASAP. Tonight I did some research and, lucky me, I am not crazy and not alone in this fight against infected files. I found many related links in Google, and Trend's explanation sounds very similar to what I am experiencing. I am pasting what they say about this. By the way, I am simply terrified to try to start my wife's PC in safe mode; I had to format the HD twice from doing so. I was wondering, if I start the PCs with my UBCD4WIN start disk and scan the HDs from within, would this be nearly the same as starting in safe mode?


    File type: PE
    Memory resident: Yes
    Size of malware: 68,586 Bytes (compressed)
    Initial samples received on: Jan 20, 2007
    Compression type: FSG
    Related to: PE_FUJACKS.CA, HTML_FUJACKS.J
    Payload 1: Terminates processes
    Payload 2: Deletes registry entries

    Details:

    Installation and Autostart Technique

    This file infector arrives on a system as a file downloaded by unsuspecting users while visiting Web sites.

    Upon execution, it drops a copy of itself as NVSCV32.EXE in the %System%\drivers folder.

    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

    It creates the following registry entry to enable its automatic execution at every system startup:

    HKEY_CURRENT_USER\Software\Microsoft\
    Windows\CurrentVersion\Run
    nvscv32 = "%System%\drivers\NVSCV32.EXE"

    Other System Modifications

    This file infector modifies the following registry entry to enable Hidden and System folders to be Hidden:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
    CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL
    CheckedValue = "0"

    (Note: The default value data is user-defined.)

    File Infection

    This file infector searches the affected system for files with the following extension names:

    * EXE
    * SCR
    * PIF
    * COM

    It then creates a copy of itself with a file name following the format of {file name}.{extension}.{extension}. It uses the file names of the found files with the file name extensions mentioned above. It then appends the code of the target file to the created file. Once its code is appended, it deletes the legitimate target file, and renames the created copy with the appended legitimate code to {file name}.{extension}.

    For example, if the target file is EXCEL.EXE, it creates a copy of itself with the file name, EXCEL.EXE.EXE. It then appends the code of EXCEL.EXE to EXCEL.EXE.EXE. After the said routine, it deletes EXCEL.EXE and renames EXCEL.EXE.EXE to EXCEL.EXE. These infected files are detected by Trend Micro as PE_FUJACKS.CA.

    It checks for the infection marker WhBoy at the end of the file to avoid reinfection of files.

    It also searches the affected system for files with the following file name extensions and appends its codes into all files it finds:

    * asp
    * aspx
    * htm
    * html
    * jsp
    * php

    The said infected files are detected by Trend Micro as HTML_FUJACKS.J.

    This file infector drops the file DESKTOP_.INI, which serves as an infection marker in all folders that it traverses. The said .INI file contains the affected system's date of infection.

    However, this file infector avoids infecting files from the following folders:

    * ComPlus Applications
    * Common Files
    * Documents and Settings
    * InstallShield Installation Information
    * Internet Explorer
    * MSN Gaming Zone
    * Messenger
    * Microsoft Frontpage
    * Movie Maker
    * NetMeeting
    * Outlook Express
    * Recycled
    * System Volume Information
    * WINDOWS
    * WINNT
    * Windows Media Player
    * Windows NT
    * WindowsUpdate
    * system32

    It also avoids infecting executable files without an icon.

    Propagation via Mapped and Physical and Removable Drives

    This file infector enumerates the mapped drives in the infected system, into which it attempts to drop copies of itself as GAMES.EXE.

    It uses the following list of user names and passwords to access password-protected shares:

    * 0
    * 111111
    * 11111111
    * 121212
    * 123123
    * 12345
    * 123456
    * 1234567
    * 12345678
    * 123456789
    * 1234qwer
    * 123abc
    * 123asd
    * 123qwe
    * 5201314
    * 54321
    * 654321
    * 88888888
    * 901100
    * Administrator
    * Guest
    * Login
    * abc123
    * admin
    * admin123
    * administrator
    * alpha
    * baseball
    * computer
    * database
    * enable
    * ****you
    * godblessyou
    * harley
    * ihavenopass
    * letmein
    * login
    * mustang
    * mypass
    * mypass123
    * mypc123
    * owner
    * passwd
    * password
    * patrick
    * *****
    * pw123
    * qq520
    * qwerty
    * server
    * shadow
    * super
    * sybase
    * temp123

    It also drops the following files in the root folder (usually C:\), physical drives, and removable drives:

    * setup.exe - copy of itself
    * autorun.inf

    The abovementioned .INF file, which contains the following strings, enables the automatic execution of this file infector:

    [AutoRun]
    open=setup.exe
    shellexecute=setup.exe
    shell\Auto\command=setup.exe

    Process Termination

    This file infector terminates the following security and malware-related processes:

    * CCenter.exe
    * FrogAgent.exe
    * FrogAgent.exe
    * KRegEx.exe
    * KRegEx.exe
    * KVCenter.kxp
    * KVCenter.kxp
    * KVSrvXP.exe
    * KVSrvXP.exe
    * KVXP.kxp
    * KVXP.kxp
    * KvMonXP.kxp
    * KvMonXP.kxp
    * Logo1_.exe
    * Logo_1.exe
    * Mcshield.exe
    * Rav.exe
    * RavStub.exe
    * RavTask.exe
    * Ravmon.exe
    * RavmonD.exe
    * Ravmond.exe
    * Rundl132.exe
    * TBMon.exe
    * TrojDie.kxp
    * TrojDie.kxp
    * UIHost.exe
    * UIHost.exe
    * UpdaterUI.exe
    * VsTskMgr.exe
    * naPrdMgr.exe
    * scan32.exe

    It also terminates all processes that contain the following strings in the window title:

    * Symantec AntiVirus
    * System Repair Engineer
    * System Safety Monitor
    * VirusScan
    * Wrapped gift Killer

    Registry Deletion

    It also deletes certain registry entries under the following registry key:

    HKEY_LOCAL_MACHINE\Software\Microsoft\
    Windows\CurrentVersion\Run

    The registry entries it deletes contain the following value names:

    * kav
    * KAVPersonal50
    * KvMonXP
    * McAfeeUpdaterUI
    * Network Associates Error Reporting Service
    * RavTask
    * ShStatEXE
    * yassistse
    * YLive.exe

    Affected Platforms

    This file infector runs on Windows 98, ME, NT, 2000, XP, and Server 2003.


    Analysis By: Vincent R. Cabuag

    Revision History:
    First pattern file version: 4.198.06
    First pattern file release date: Jan 20, 2007

     
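    The Trend write-up pasted above describes several on-disk artifacts a defender can look for on a share or drive: an autorun.inf whose [AutoRun] section launches setup.exe, a setup.exe or GAMES.EXE copy in a drive root, DESKTOP_.INI marker files, the WhBoy infection marker at the end of infected .exe/.scr/.pif/.com files, and leftover {name}.{ext}.{ext} copies. The script below is an added triage example, not code from this thread or from Trend Micro or ESET; it builds a constructed sample tree mimicking an infected share and walks it read-only, reporting what it finds. Assumptions: the marker is searched for within the last 512 bytes of a file (the write-up says only "at the end of the file"), and the sample contents are fake stand-ins, not real malware.

```python
"""Read-only triage for the Fujacks-style artifacts described in the Trend write-up.

Walks a directory tree and reports (without deleting anything):
  * autorun.inf files whose [AutoRun] section launches setup.exe or GAMES.EXE
  * setup.exe / GAMES.EXE sitting in the root of the scanned tree
  * DESKTOP_.INI infection-marker files
  * .exe/.scr/.pif/.com files carrying the "WhBoy" marker near their end
  * leftover "{name}.{ext}.{ext}" copies from an interrupted infection
"""
import os
import re
import shutil
import tempfile

MARKER = b"WhBoy"
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}
DROPPER_NAMES = {"setup.exe", "games.exe"}
TAIL_BYTES = 512  # assumption: the marker lies within the last 512 bytes
# Keys named in the write-up's autorun.inf: open=, shellexecute=, shell\Auto\command=
AUTORUN_KEY_RE = re.compile(
    r"^\s*(open|shellexecute|shell\\auto\\command)\s*=\s*(.+?)\s*$", re.IGNORECASE
)


def autorun_targets(text):
    """Return the programs an autorun.inf would launch from its [AutoRun] section."""
    targets, in_autorun = [], False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):            # section header
            in_autorun = stripped.lower() == "[autorun]"
            continue
        m = AUTORUN_KEY_RE.match(line) if in_autorun else None
        if m:
            targets.append(m.group(2).strip('"'))
    return targets


def has_infection_marker(path):
    """True if the WhBoy marker appears in the tail of the file."""
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        size = f.tell()
        f.seek(max(0, size - TAIL_BYTES))
        return MARKER in f.read()


def double_extension(name):
    """True for names like EXCEL.EXE.EXE (same executable extension twice)."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[1] == parts[2] and "." + parts[2] in EXEC_EXTS


def triage(root):
    """Walk `root` and return a sorted list of (reason, relative path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        is_root = os.path.normpath(dirpath) == os.path.normpath(root)
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            lower = name.lower()
            ext = os.path.splitext(lower)[1]
            if lower == "autorun.inf":
                with open(full, "r", encoding="latin-1") as f:
                    targets = autorun_targets(f.read())
                if any(os.path.basename(t).lower() in DROPPER_NAMES for t in targets):
                    findings.append(("autorun launches dropper", rel))
            elif lower == "desktop_.ini":
                findings.append(("infection marker file", rel))
            elif is_root and lower in DROPPER_NAMES:
                findings.append(("dropper in root", rel))
            if ext in EXEC_EXTS and has_infection_marker(full):
                findings.append(("WhBoy marker in executable", rel))
            if double_extension(lower):
                findings.append(("double-extension copy", rel))
    return sorted(findings)


def build_sample_tree():
    """Constructed stand-in for an infected share (fake bytes, not real malware)."""
    root = tempfile.mkdtemp(prefix="fujacks_triage_")

    def put(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb" if isinstance(data, bytes) else "w") as f:
            f.write(data)

    put("autorun.inf", "[AutoRun]\nopen=setup.exe\nshellexecute=setup.exe\n"
                       "shell\\Auto\\command=setup.exe\n")
    put("setup.exe", b"MZ" + b"\x00" * 64 + b"WhBoy")         # dropper copy with marker
    put("Office/EXCEL.EXE", b"MZ" + b"\x00" * 64 + b"WhBoy")  # infected host program
    put("Office/EXCEL.EXE.EXE", b"MZ" + b"\x00" * 64)         # interrupted rename left behind
    put("Office/DESKTOP_.INI", "2007-4-21\n")                # date-of-infection marker
    put("Office/clean.exe", b"MZ" + b"\x00" * 64)            # untouched file
    put("Docs/notes.txt", "nothing to see\n")
    return root


def remove_sample_tree(root):
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample = build_sample_tree()
    for reason, rel in triage(sample):
        print(f"{reason:28s} {rel}")
    remove_sample_tree(sample)
```

    Point the `triage` function at a mounted share or a drive root (from a clean machine or a UBCD4WIN-style boot environment) to get an inventory before cleaning; it only reads files, so it is safe to run repeatedly while the source of the reappearing setup.exe and autorun.inf is being tracked down across the LAN.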
  11. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Just in case, what measures should I take before attempting to boot in safe mode? Is there a way to save some kind of configuration and load it again in case the PC goes into that endless loop and my wife kills me? Really guys, I do not want to go through this again. I am still thinking of my UBCD4WIN disk, which also has some AV software included. Any suggestion?

    Regards,

    Thor Hedderich
     
  12. pain4gain

    pain4gain Registered Member

    Joined:
    Feb 8, 2007
    Posts:
    54
    Hello!!!

    Really, no measures are needed when booting into SAFE MODE. Of course, whenever you have time, back up (burn to DVD or move to another drive) your files. Worst case scenario, you can always reinstall Windows if you want to make sure all traces of malware are removed from your PC (last resort).

    If you look at your scanner log, how many infected files were found? How many were cleaned?

    If you open the NOD32 Control Center (start > All Programs > Eset > NOD32 Control Center), click on Logs, then Threat Logs, where are the infected files located?
     
  13. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Safe Mode: it happened once, and why could it not happen again? I just want to be sure I will not lose my data and of course would like to avoid reinstalling Windows XP and all of the other software including NOD32. I would like to know if I can save all the Windows folder to my other HD in the same PC and, just in case, bring it back if something goes wrong. Believe me, I had a hard time when the computer went into the loop and could not stop it.

    Meanwhile I am using the Trend online AV just in case. The two malicious files autorun.inf and setup.exe reappeared again today on two of my LAN computers.

    Thor Hedderich
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Have you followed the advice I gave you about forwarding logs from the HijackThis etc to the support office in your country?

    Cheers :D
     
  15. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Sorry, I have not done my homework. I did download HijackThis, but then I found something in Trend about this trojan and it seems it is very common. My wife will go to Miami next week and I am just waiting for her to leave to look into her computer... you know, I do not want her to be present if I mess up the PC. I will inform you next time about this.

    Regards,

    Thor Hedderich
     