Is this threat gone or still on my pc??

Discussion in 'NOD32 version 2 Forum' started by thankyou, Sep 21, 2005.

Thread Status:
Not open for further replies.
  1. thankyou

    thankyou Guest

    Hi, yesterday I got an email, which I stupidly opened.
    Anyway, NOD32 then found these two files:

    .C:\WINDOWS\system32\wiwshost.exe - Win32/TrojanDownloader.Small.ZL trojan -Alert was generated during the system startup file check.

    .c:\windows\system32\winshost.exe - Win32/Bagle.CM worm - Alert was generated during the system startup file check.

    They were deleted, but earlier today I got an alert from NOD32:

    AMON file: C:\System Volume Information\_restore{..........................A0023807.exe
    probably a variant of Win32/Spy.Banker trojan - quarantined - deleted - NT AUTHORITY\SYSTEM
    Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe. The file was moved to quarantine. You may close this window.

    Are they related, and is this gone for good, or will it come back up in the future?

    thanks
     
  2. ravin

    ravin Registered Member

    Joined: May 2, 2003 | Posts: 241 | Location: South Carolina

    Chances are good they are related, as I see one was in the restore file. And as for are they gone for good... you know the drill: scan, scan, scan. I would do an online scan, i.e. TrendMicro or elsewhere, and get a second opinion, as well as a follow-up scan with NOD.
     
  3. thankyou

    thankyou Guest

    I already did an in-depth scan; the second alert was after the scan.
    So now that NOD32 deleted the one in System Volume...... will svchost create it again (Event occurred on a new file created by the application: C:\WINDOWS\System32\svchost.exe)?
    Is there something I should do to stop it being created in the future?

    thanks again
     
  4. ravin

    ravin Registered Member

    Joined: May 2, 2003 | Posts: 241 | Location: South Carolina

    Sounds like NOD32 is doing its job, and as for the file being created by svchost.exe, that file was probably being used by the trojan, as it is a helper service.
     
  5. Brian N

    Brian N Registered Member

    Joined: Jul 7, 2005 | Posts: 2,148 | Location: Denmark

    Yup, I would also use an online scanner just to be sure the computer is clean.
    Here is a list of all online scanners that I currently know exist.
    Remember you gotta use Internet Explorer for the scanners to work (ActiveX).
     
  6. thankyou

    thankyou Guest

    I tried that a while ago, and I had to install stuff. I don't really like online scanners, but I'm sure NOD32 is finding everything just fine.
    The main thing was whether there would be anything I should do to totally make sure it didn't get created again.
    Like, ages ago I remember hearing people had to turn off System Restore and back on again, to make sure any virus was deleted. I was thinking if I should do anything along those lines, or extra checks concerning svchost, because I'm sure if it comes up again NOD32 would detect it.


    thanks again.
     