Mass quarantine / submission

Discussion in 'NOD32 version 2 Forum' started by Proactive Services, Feb 7, 2006.

Thread Status:
Not open for further replies.
  1. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    Is there any programmatic way to mass-quarantine and mass-submit a large quantity of files? For example, all of the exe and dll files in a folder C:\windows\spysheriff? Once you've got ten files or more it can be very tedious!

    Also if you submitted five files to be analysed, does NOD32 have a "wait" period set to it? I sent many submissions in a row and only a couple of them were logged in the Event log as being submitted.
     
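    A defender-side helper for the mass-quarantine question above, added here as an example; it is not code from NOD32, ESET or anyone in this thread, and it does not drive any NOD32 interface. It sweeps a folder for .exe/.dll files, moves each one into a quarantine folder under a hash-based name with a non-executable suffix, writes a manifest of paths and SHA-256 hashes, and packs everything into one archive that can accompany a sample submission. The folder names, the extension list and the `.quarantined` suffix are assumptions chosen for the example; vendor submission itself is vendor-specific, so the script stops at producing the archive and manifest.

```python
"""Sweep a folder for .exe/.dll files, move them into a quarantine folder
under hash-based, non-executable names, and write a manifest that can
accompany a sample submission. Added example; not NOD32 or ESET code."""
import hashlib
import json
import shutil
import tempfile
import zipfile
from pathlib import Path

# Assumed, constructed settings (not from any product): which extensions to
# sweep and the suffix that neutralises the quarantined copies.
TARGET_EXTENSIONS = {".exe", ".dll"}
QUARANTINE_SUFFIX = ".quarantined"


def sha256_of_file(path: Path) -> str:
    """Stream the file through SHA-256 so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def quarantine_folder(source_dir: str, quarantine_dir: str) -> list:
    """Move every matching file under source_dir into quarantine_dir.

    Each file is stored as <sha256>.quarantined, so identical samples collapse
    to one copy and nothing in the quarantine folder keeps a runnable
    extension. Returns the manifest (one dict per original file) and writes
    it as manifest.json beside the samples.
    """
    src = Path(source_dir)
    dst = Path(quarantine_dir)
    dst.mkdir(parents=True, exist_ok=True)
    manifest = []
    for path in sorted(p for p in src.rglob("*") if p.is_file()):
        if path.suffix.lower() not in TARGET_EXTENSIONS:
            continue  # leave config/log/text files in place
        digest = sha256_of_file(path)
        size = path.stat().st_size
        target = dst / f"{digest}{QUARANTINE_SUFFIX}"
        if target.exists():
            path.unlink()  # same bytes already quarantined; drop the duplicate
        else:
            shutil.move(str(path), str(target))
        manifest.append({
            "original_path": str(path),
            "sha256": digest,
            "size": size,
            "quarantined_as": str(target),
        })
    (dst / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def build_submission_archive(quarantine_dir: str, archive_path: str) -> int:
    """Zip the quarantined samples plus manifest into one archive for submission.

    Returns the number of sample files (excluding the manifest) that were packed.
    """
    dst = Path(quarantine_dir)
    count = 0
    with zipfile.ZipFile(archive_path, "w", zipfile.ZIP_DEFLATED) as archive:
        for item in sorted(dst.iterdir()):
            archive.write(item, arcname=item.name)
            if item.suffix == QUARANTINE_SUFFIX:
                count += 1
    return count


if __name__ == "__main__":
    # Constructed demo: three fake binaries (two identical) and one text file.
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp) / "spysheriff"
        folder.mkdir()
        (folder / "a.exe").write_bytes(b"MZ-fake-sample-A")
        (folder / "b.dll").write_bytes(b"MZ-fake-sample-B")
        (folder / "c.exe").write_bytes(b"MZ-fake-sample-A")  # duplicate of a.exe
        (folder / "readme.txt").write_text("not a binary")
        quarantine = Path(tmp) / "quarantine"
        items = quarantine_folder(str(folder), str(quarantine))
        packed = build_submission_archive(str(quarantine), str(Path(tmp) / "submit.zip"))
        print(json.dumps(items, indent=2))
        print(f"{packed} sample file(s) packed for submission")
```

    Naming the copies by hash means a folder full of regenerated duplicates (the behaviour described later in this thread) collapses to one sample per distinct file, while the manifest still records every original path, which is what you want to keep alongside the NOD32 event log when reporting.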
  2. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    Not that I know of :(

    I know what you're going through though; I had a rather large SpySheriff infection on several customers' computers here a few weeks ago :(
     
  3. Proactive Services

    Proactive Services Registered Member

    Joined:
    Jan 10, 2006
    Posts:
    153
    Location:
    Petersfield, Hampshire, UK
    Heh, Spysheriff fun. Seems it (the variant I've got anyway) writes directly to the Security Accounts Manager part of the registry to cripple the Administrators group (not the user) and add another "Admin" user account which presumably isn't crippled. It also seemed to make changes to the Windows crypto engine and/or database which could invalidate any digital signatures on the machine.
    If I find any of these around I'll be backing up and wiping!
     
  4. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    I either didn't notice that or just had a weak variant then, but it was still a PITA to get out.

    Felt bad for the customer mostly, a lot of them BOUGHT this for ~$70 :(
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    I'm sorry, but it's not clear to me what the problem was. Once NOD32 has detected a threat, there should be no problem removing it, at least not in safe mode.
     
  6. Lollan

    Lollan Registered Member

    Joined:
    Feb 2, 2006
    Posts:
    288
    I don't remember the specifics, but I seem to remember files being continuously generated. Nod32 would get rid of them but never get the root; eventually it stopped. But like I said, I don't remember the specifics, sorry.
     
  7. YeOldeStonecat

    YeOldeStonecat Registered Member

    Joined:
    Apr 25, 2005
    Posts:
    2,345
    Location:
    Along the Shorelines somewhere in New England
    SpySheriff is a nasty one...payloads a lot of other trojans also.
    Follow the guide here...run the manual removal tool...and pay attention to the other removal tools towards the bottom...you're sure to find SmitFraud also.

    http://www.bleepingcomputer.com/for...Sheriff_Winstallexe_Spysheriffexe-t22402.html

    NOD32 will always pick up a file in the system32 directory...something like browseui.dll

    Don't forget to disable system restore, and run CCleaner first.
     