Is this threat gone or still on my pc??

Discussion in 'NOD32 version 2 Forum' started by thankyou, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. thankyou

    thankyou Guest

    hi, yesterday i got an email, which i stupidly opened.
    Anyway nod32 then found these two files:

    .C:\WINDOWS\system32\wiwshost.exe - Win32/TrojanDownloader.Small.ZL trojan -Alert was generated during the system startup file check.

    .c:\windows\system32\winshost.exe - Win32/Bagle.CM worm - Alert was generated during the system startup file check.

    they were deleted, but earlier today i got an alert from nod32:

    AMON file: C:\System Volume Information\_restore{..........................A0023807.exe
    probably a variant of Win32/Spy.Banker trojan - quarantined - deleted - NT AUTHORITY\SYSTEM
    Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.

    are they related, and is this gone for good, or will it come back up in the future?

    thanks
     
    thankyou, Sep 21, 2005
    #1
  2. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    chances are good they are related as I see one was in restore file. and as for are they gone for good...you know the drill scan scan scan. I would do an online scan ie trendmicro or elsewhere and get a second opinion as well as a follow up scan with nod.
     
    ravin, Sep 21, 2005
    #2
  3. thankyou

    thankyou Guest

    i already did an indepth scan, the second alert was after the scan.
    So now that nod32 deleted the one in system volume...... will svchost create it again (Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe)?
    Is there something i should do to stop it being created in the future?

    thanks again
     
    thankyou, Sep 21, 2005
    #3
  4. ravin

    ravin Registered Member

    Joined:
    May 2, 2003
    Posts:
    241
    Location:
    South Carolina
    sounds like nod32 is doing it's job and as for the file being created by svchost.exe that file was probably being used by the trojan as it is a helper service.
     
    ravin, Sep 21, 2005
    #4
  5. Brian N

    Brian N Registered Member

    Joined:
    Jul 7, 2005
    Posts:
    2,174
    Location:
    Denmark
    Yup I would also use an online scanner just to be sure the computer is clean.
    Here is a list of all online scanners that I currently know exists.
    Remember you gotta use Internet Explorer for the scanners to work (ActiveX).
     
    Brian N, Sep 21, 2005
    #5
  6. thankyou

    thankyou Guest

    i tried that a while ago, and i had to install stuff, dont really like online scanners, but im sure the nod32 is finding everything just fine.
    The main thing was whether there would be anything i should do to totally make sure it didnt get created again.
    Like ages ago i remember hearing people had to turn of system restore and back on again, to make sure any virus was deleted. I was thinking if i should do anything along those lines, or extra checks for concerning svchost, because im sure if it comes up again nod32 would detect it.


    thanks again.
     
    thankyou, Sep 21, 2005
    #6
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...