I think I have an infection (start.exe) that NOD32 missed. Please help!

Discussion in 'ESET NOD32 Antivirus' started by Exonoesis, May 17, 2008.

Thread Status:
Not open for further replies.
  1. Exonoesis

    Exonoesis Registered Member

    Joined:
    May 17, 2008
    Posts:
    4
    Hi all,

    I was backing up my housemate's computer (Windows XP) with my external hard drive because his computer was badly infected (NOD32 2.7 picked up HEAPS of infected files) and apparently some malware on his computer put autorun.ini and start.exe on the root of my external hard drive and my flash drive so now my computer (Windows Vista 64 bit) is infected I think and so is another PC running Windows XP.

    Initially it looked like NOD32 picked up the malware but apparently it didn't stop it because whenever I try to delete autorun.ini and start.exe they come back. I checked the log and it picked up Win32/Sality.NAJ but said there was an internal error. I guess that means it stopped NOD32. The thing is that virus (Win32/Sality.NAJ) is a couple of years old so maybe it thought it was something it wasn't? Anyway, start.exe is 92KB just in case it matters.

    I noticed HDD activity when I wasn't doing anything and nothing was open, even after I stopped the indexing process so I shut my computer down and now I don't know what to do.

    Helpful suggestions would be greatly appreciated. Please help!
     
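A defender-side triage check for the drive-root infection described in this post, added here as an example and not part of the thread (the post calls the file autorun.ini; Windows reads autorun.inf from the drive root). It parses autorun.inf tolerantly, lists which files its open, shellexecute and shell\...\command entries would launch, confirms whether each target actually sits on the drive, and records its size and SHA-256 so the sample can be reported. The drive contents are constructed in a temporary directory and nothing is executed.

```python
import hashlib
import os
import re
import tempfile

# Entries that make Windows launch a program when the drive is opened.
LAUNCH_KEY = re.compile(
    r"^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(\S.*?)\s*$", re.I)

def parse_autorun_targets(text):
    """Return {key: command} for launch hooks in [autorun]; junk lines are skipped."""
    targets, in_autorun = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_autorun = stripped.lower() == "[autorun]"
        elif in_autorun and (m := LAUNCH_KEY.match(line)):
            targets[m.group(1).lower()] = m.group(2)
    return targets

def triage_drive_root(root):
    """Resolve each launch hook to a file under root; report size and SHA-256."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return {}
    with open(inf, "r", errors="replace") as f:
        targets = parse_autorun_targets(f.read())
    report = {}
    for key, command in targets.items():
        exe = command.split()[0].strip('"')            # drop arguments such as /s
        path = os.path.join(root, exe.lstrip(".\\/"))
        entry = {"command": command, "exists": os.path.isfile(path)}
        if entry["exists"]:
            with open(path, "rb") as f:
                data = f.read()
            entry["size"] = len(data)
            entry["sha256"] = hashlib.sha256(data).hexdigest()
        report[key] = entry
    return report

def demo():
    """Constructed sample drive root: autorun.inf pointing at a stand-in start.exe."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=start.exe\nshell\\open\\command=start.exe /s\n"
                "icon=shell32.dll,4\nnot a key\n")
    with open(os.path.join(root, "start.exe"), "wb") as f:
        f.write(b"MZ" + b"\0" * 94)                   # constructed stand-in, not malware
    return triage_drive_root(root)
```

Run `demo()` to see the report for the constructed drive; point `triage_drive_root()` at a real mounted drive root to triage it read-only.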
  2. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Have you already sent that start.exe to samples[at]eset.com? You mentioned version 2.7. Does it mean that you're using it or you have upgraded to v3 (ESET NOD32 Antivirus)?
     
  3. Exonoesis

    Exonoesis Registered Member

    Joined:
    May 17, 2008
    Posts:
    4
    No, I haven't sent a sample. I didn't even know I could. But I don't have Internet access where I live. 2.7 is on my housemate's computer (the originally infected one). I am using v3 on my computer which runs Windows Vista 64 bit.

    EDIT: Oh, I don't have Internet access where the infected computers are. I wasn't keen to bring the virus here because of the risk of infection but maybe next week (when I next have Internet access) I will because I disabled the autorun feature.

    In the meantime I think I will try some other up to date AV software.

    Thanks,

    David
     
    Last edited: May 17, 2008
  4. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you know the name of the malicious file, the simplest thing you can do is rename it and restart the computer. If you are computer savvy, you can use ESET SysInspector to check the system for suspicious files.
     
  5. Exonoesis

    Exonoesis Registered Member

    Joined:
    May 17, 2008
    Posts:
    4
    Thanks for the reply.

    I'll try SysInspector and I'll try renaming the file.
     
  6. Exonoesis

    Exonoesis Registered Member

    Joined:
    May 17, 2008
    Posts:
    4
    Well I tried SysInspector and renaming the file and neither of those things helped. I tried avast!, Kaspersky, Windows Live One Care or something (which wouldn't install because of lack of 'net access I think), the Windows malicious software removal tool (which was VERY resource hungry) and some other stuff and none of them worked, but I noticed that AVG free and NOD32 (when updated) worked. Avast! seemed to stop it but wouldn't detect or remove it. Oh yeah, Trend Micro couldn't deal with it either. NOD32 detected it as "Win32/IRCBot.AEY trojan".
     