my laptop is infected

Discussion in 'NOD32 version 2 Forum' started by ankupan, May 27, 2007.

Thread Status:
Not open for further replies.
  1. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    604
    As a NOD32 + Comodo FW user (same protection as ankupan), I find ankupan's problem especially disturbing. Clearly it suggests one of two possibilities, neither of which speaks well for NOD32... :(

    • NOD32 failed to detect the malware before it infected the system. Worse yet, it is unable to remove the malware => MAJOR RISK and BAD NEWS!

    • NOD32 is issuing an alert based on an FP and there doesn't seem to be any way to confirm that and stop the alert => MAJOR NUISANCE!
     
  2. ASpace

    ASpace Guest

    This is not the case here. A detection for the Agent.OO trojan was not added yesterday nor the previous day. Ankupan reports problems since yesterday. I don't think it is a false positive - if it was a FP it would not be so persistent to remove. It is also not a Microsoft file (I have it on no XP computer).

    NOD32 detects this heuristically. I managed to see the Jotti scan before it was removed by LWM (Admin), and NOD32 and only one other product detect it.

    The detection by NOD32 (and the other product) is a very good thing; at least we know there is a problem. Since Marcos asked for the file to be sent for further investigation, I am sure ESET Support will be able to help him.
     
    Last edited by a moderator: May 28, 2007
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    We have confirmed it was not a false positive. AVG was another AV to detect it, but maybe they added detection based on ours :)
     
  4. ASpace

    ASpace Guest

    I myself would be very happy and pleased if you could keep us somehow updated and let us know when his computer is clean. Also, if you could share details of how exactly he cured his machine. Thanks in advance and congratulations on the detection :thumb:
     
  5. bad_boy

    bad_boy Registered Member

    Joined:
    May 28, 2007
    Posts:
    2
    To avoid problems with trojans and all that, I recommend you move away from NOD32 and switch to Kaspersky, lol
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    At least you added LOL at the end :) However, keep in mind that ranting and trolling are not allowed here and such posts will be removed.
     
  7. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    604
    Pardon me, but as much as I would like my confidence in NOD32 to be restored, I don't see how your reply changes anything!

    NOD32 was in place before ankupan's system was infected. Assuming that it was up-to-date, NOD32 failed to prevent the infection by either signature or heuristic recognition. Furthermore, NOD32 failed to remove the infection once it discovered it (after the fact). Am I missing something here?
     
  8. ASpace

    ASpace Guest

    I am not a virus analyst so I have no detailed information about this trojan. I only know it is probably an injected DLL and very difficult to remove. Lots of top vendors even missed detection.

    Why NOD32 didn't detect the trojan before it became resident malware, well, that is another topic. Did he stay updated all the time, did he keep AMON enabled? These are only some of the questions we can ask. But it is no longer important; we can only guess why. Ankupan is in good hands when there is ESET Tech Support :thumb:
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    NOD32 was one of the few to detect the threat so it surprises me to read complaints here about its detection. As to why it got installed, here are several possibilities:
    - NOD32 was installed on an already infected system and the threat was detected during an on-demand scan in memory
    - AMON was disabled at the time the malicious file got installed
    - NOD32 was outdated at the time the malicious file got installed
    - AMON was not set to move newly created files to quarantine
    - detection for this threat was added after the infection took place
     
  10. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    604
    Actually, it's the most pertinent issue of this topic!


    Of course good tech support is important, but I would venture to guess that most NOD32 users want to believe they are 'in good (protective) hands' by using NOD32!
     
  11. Jo Ann

    Jo Ann Registered Member

    Joined:
    Jan 6, 2007
    Posts:
    604
    Hi Marcos,

    That does make a difference, but I don't see the basis for those comments -- how did you determine the deficiencies quoted above?
     
  12. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi Jo Ann
    Not intending to be argumentative, however, my interpretation is that those are the possible scenarios.
    I would not term them "deficiencies" (as you stated).
    DLL injection is not easy to identify OR remove and it seems to be getting rather prevalent. If the "injection" occurs in an OS system DLL, then removing it will have devastating results.
    Elvis has already left the building ...... LOL :D :D :D :D
    I hope readers get that joke :D :D
    Cheers :D
     
  13. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    Ok, let me ask one thing. If the matter is only a dll then why not just boot from a CD and delete this stupid dll?
    But where is the source of this dll? I think some malware is hiding somewhere and reloading this dll again after it is deleted.
    If I were in this situation, I would install a HIPS, delete the dll by booting from a CD, then reboot and see what process tried to reload this dll. Just a wild guess. What do you think about this?
     
  14. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    510
    Hi,

    I did a full scan two times and NOD32 caught more than 30 trojans (WIN32/Agent.OO) in different files and all were cleaned.

    But I am still unable to clean that dll.

    Can someone confirm that it is not a useful dll, so I can delete it from my system using a bootable CD?

    Waiting for help.
     
  15. ASpace

    ASpace Guest

    I don't have this dll on any Windows XP I have checked. Marcos confirmed it is not a false positive.

    Didn't you contact ESET Tech Support as suggested by me, by Blackspear (in post 20) and by Marcos (post 21)? I would wait for Support to provide a removal procedure if everything else fails.
     
    Last edited by a moderator: May 29, 2007
  16. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    It was not a suggestion, I rather asked a sort of question. I can't guarantee that it will not damage your system. If you have a full backup and are ready for any disaster like an unbootable system etc., you can try (at your own risk).
     
  17. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    510
    Can I delete this dll?

     
  18. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,537
    Location:
    USA
    For sure, that is not something you want on your system! If you follow this procedure there's an excellent chance of removing the malware.

    Download Killbox to your desktop - you will need to use it during this procedure.

    Clean out the System Restore folder. Go to Start > Control Panel > System > System Restore Tab and put a check in the box to the left of "Turn off System Restore" then click on Apply and Ok (this may take a minute or so). When finished, go back and remove the check (re-enabling System Restore), click on Apply and Ok.

    Run System Restore again and tick the circle next to "Create a Restore Point", click Next, giving the RP an appropriate name and click Create. Now restart your PC into Safe Mode (continuously tap F8 during bootup until presented with the boot-option menu).

    Launch Killbox, placing a tick next to [x]Delete on reboot "Press the All Files button". Copy the following (red) list to Windows' clipboard (highlight the entire red list below and press CTRL C):

    C:\WINDOWS\libHide.dll
    C:\WINDOWS\system.exe
    C:\WINDOWS\bot.exe
    C:\WINDOWS\down.exe
    C:\WINDOWS\system16.exe
    C:\WINDOWS\vbstub.exe
    C:\WINDOWS\awnfcandidateform.exe
    C:\WINDOWS\keygen.exe
    C:\WINDOWS\vb.ini
    C:\WINDOWS\vbfile.exe
    C:\WINDOWS\vbaddin.ini

    Now using Killbox go to File > Paste from clipboard. Click on the "All Files" button. Next click on the button that has the red circle with the white X in the middle. It will ask for confirmation to delete the files on next reboot and then will ask you if you want to reboot now. You do want to reboot now (into normal mode), so click Yes and let your PC reboot. If the computer does not restart automatically, start it manually.

    With any luck that nasty malware should be gone. ~pv
     
    Last edited: May 29, 2007
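    The delete-on-reboot step in pvsurfer's procedure, and the Killbox failures ankupan and Marcos describe, rely on Windows' pending file rename list. The following is an added example, not code from the thread or from Killbox: it builds that list for a set of paths and parses an existing value so you can confirm, before rebooting, that only the files you scheduled are pending. It assumes the documented layout of the PendingFileRenameOperations value (source/destination pairs in NT path form, empty destination meaning delete, leading "!" meaning overwrite) and runs on constructed data only.

```python
r"""Delete-on-reboot bookkeeping as Windows records it (added example, not from the thread).
Killbox-style tools call MoveFileEx(MOVEFILE_DELAY_UNTIL_REBOOT); the request lands in the
REG_MULTI_SZ value HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as (source, destination) pairs in NT path form, an empty destination meaning delete.
Runs on constructed data only; the real registry is never read or written."""
from typing import List, Optional, Tuple

NT_PREFIX = "\\??\\"
Op = Tuple[str, str, Optional[str]]  # (action, source, destination)

def to_nt_path(path: str) -> str:
    r"""Win32 path to NT object path, e.g. C:\x becomes \??\C:\x (idempotent)."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path

def from_nt_path(path: str) -> str:
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path

def build_delete_on_reboot(paths: List[str]) -> List[str]:
    """REG_MULTI_SZ entries that remove every given path at the next boot."""
    entries: List[str] = []
    for p in paths:
        entries += [to_nt_path(p), ""]  # empty destination == delete
    return entries

def parse_pending_ops(entries: List[str]) -> List[Op]:
    """Decode the pairs into (action, source, destination); a leading '!' on the
    destination means 'overwrite if it already exists'."""
    if len(entries) % 2:
        raise ValueError("value must hold source/destination pairs")
    ops: List[Op] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if dst == "":
            ops.append(("delete", from_nt_path(src), None))
        else:
            ops.append(("rename", from_nt_path(src), from_nt_path(dst.lstrip("!"))))
    return ops

def unexpected_ops(ops: List[Op], planned_deletes: List[str]) -> List[Op]:
    """Pending operations you did not schedule: review them before rebooting, since
    the same mechanism can also replace system files during boot."""
    planned = {p.lower() for p in planned_deletes}
    return [op for op in ops if not (op[0] == "delete" and op[1].lower() in planned)]

# Constructed sample: three paths from pvsurfer's list plus one rename nobody scheduled.
PLANNED = ["C:\\WINDOWS\\libHide.dll", "C:\\WINDOWS\\system.exe", "C:\\WINDOWS\\bot.exe"]
SAMPLE_VALUE = build_delete_on_reboot(PLANNED) + [
    "\\??\\C:\\WINDOWS\\temp\\svc.tmp", "!\\??\\C:\\WINDOWS\\system32\\svchost.exe"]

if __name__ == "__main__":
    print(unexpected_ops(parse_pending_ops(SAMPLE_VALUE), PLANNED))
```

    On a live system the same parsing can be applied to the value read from the registry after scheduling the deletions and before the reboot.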
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,441
    We have already suggested trying undll, Killbox and Avenger, to no avail. If possible, try renaming the dll and restart the computer to see if the dll is created again.
     
  20. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    510
    Hi,

    thanks for this information.

    When I was trying only one dll, it failed to delete libhide.DLL.

    As per your suggestion, I selected all these files and deleted them through Killbox and, amazingly, it worked and now the problem is resolved.

    Yes, I got an email from ESET support and they also suggested Killbox, and I tried with only one file and it failed to delete this file.

    Once again thanks to everyone and ESET support for helping me a lot.


     
  21. aigle

    aigle Registered Member

    Joined:
    Dec 14, 2005
    Posts:
    11,161
    Location:
    UK / Pakistan
    So some of these exes were the source of this dll.
     
  22. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,537
    Location:
    USA
    Glad to hear that my 'Rx' worked and that your problem is now totally resolved...

    Take care, pv
     
  23. ankupan

    ankupan Registered Member

    Joined:
    Oct 4, 2004
    Posts:
    510
    thanks,

     
  24. pvsurfer

    pvsurfer Registered Member

    Joined:
    Sep 1, 2004
    Posts:
    1,537
    Location:
    USA
    yw... ;)
     
  25. bathisland

    bathisland Registered Member

    Joined:
    Jul 1, 2005
    Posts:
    85
    Well that surely made a very good read. I am glad it is finally resolved.
     