My NOD32 is infected!

Discussion in 'NOD32 version 2 Forum' started by jemmajam, Apr 15, 2005.

Thread Status:
Not open for further replies.
  1. jemmajam

    jemmajam Registered Member

    Joined:
    Apr 15, 2005
    Posts:
    2
    As I write this, my good computer is out cold. It was attacked around 5pm yesterday (Friday). I had the latest Windows updates on it, XP firewall and the latest NOD32. It comes up with "c:\windows\system32\sass.exe.status code-1073741819" which is exactly what the old sass virus said.

    I should not have this! Anyone else encountered this? Any suggestions on how to fix it? My NOD32 has been infected and I cannot reinstall it as the comp is offline because of the attack. The computer I am using to type this is much older but it is all I have until I can fix the other.
     
  2. quexx88

    quexx88 Registered Member

    Joined:
    Nov 26, 2004
    Posts:
    235
    Location:
    Radnor, Pennsylvania
    The NOD32 installer unpacks the files necessary to reinstall to C:\Program Files\ESET\Install so see if they are still there.

    Given the name of the executable running, I have a feeling it should have a chance of picking it up.
     
  3. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    Since you have access on your old computer, head over to Eset. On the homepage, there are free downloadable cleaners, including one for Sasser.A-F.worm. It's a zip file less than 300 KB in size. If this is Sasser, it should deal with it.

    Blue
     
  4. The Point

    The Point Guest

    The point is! He shouldn't have it! How did it get by!
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,790
    Location:
    Texas
    jemmajam

    Do you have all the security updates provided by Microsoft for your operating system?
     
  6. Security Freak

    Security Freak Registered Member

    Joined:
    Apr 14, 2005
    Posts:
    83
    Remember, Microsoft released only one patch for the Sasser worms; you may not be up to date, orrrr you or someone in your family opened something dangerous, who knows.
     
  7. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    The point is the poster may not have their system up to date, and we are yet to learn what security if any they are using.

    Cheers :D
     
  8. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
    On a fully patched system, with Windows ICF, it won't get in natively. If it got in, and NOD was working, it should have been flagged. Let's see what a cleaner can do. If it does not work, maybe this is something altogether different.

    It's a bit early to make assumptions on either side of the fence. Too little firm information. For example, is the behavior classical Sasser? There's another PC available. Is the location NAT'ed? If so, what's the vector? We could spend a lot of effort developing a lot of extraneous information. If it's Sasser, the best course would seem to be to deal with it and spend some quality effort on the event post mortem.

    Blue
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Jemmajam, welcome to Wilders.

    Are you able to boot into Safe Mode and run Nod32 that way?

    Further instructions on booting into Safe Mode can be found in post number 2 HERE.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  10. jemmajam

    jemmajam Registered Member

    Joined:
    Apr 15, 2005
    Posts:
    2
    As I stated in my original post, yes, Windows XP was the latest with all live updates installed. NOD32 was also the latest with all live updates (hourly).

    I have tried scanning in safe mode. I tried this before I made my first post. It cannot open NOD32. I have also tried using shutdown -a in Run but the comp still shuts down before I can do too much.

    edit: ok I got NOD32 to work and do a full scan before the computer crashed. It says there are no viruses but it could not open about 20 files. All of these files were in a file called $NtUninstallKB835732$
    I tried to find this file to delete it with BCWipe, but it is not showing. It is in the windows file.
     
    Last edited: Apr 16, 2005
  11. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    My suggestion at this point would be to slave the infected drive off a clean machine and have Nod32 run a scan on the infected drive.

    Cheers :D
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hi jemmajam,

    I wonder if you could clarify why you think your PC is infected with Sasser. It's quite an old worm so no doubt it must be detected by NOD32 (unfortunately, I can't confirm now whether it was detected by AH or not as I'm writing from home).

    If you encounter reboots with a prior pop-up window referring to lsass.exe it may not be (and most likely is not) caused by Sasser. A reboot takes place if the Remote Procedure Call (RPC) service encounters an error while the action to take upon a failure is to reboot the machine (default setting).

    Have you got the beta installed? If not, I wonder if you could install it, just in case (http://www.eset.com/download/downbeta.htm). NB: a newer beta version (probably Release Candidate) is going to be released shortly.
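A small triage helper, added here as an example and not part of the thread, for the two diagnostic clues in this discussion: it decodes the signed status code from the dialog quoted in the first post into its NTSTATUS value, and parses the recovery action reported by `sc qfailure RpcSs`, the setting Marcos points to above. The dialog text and the `sc` output are constructed samples (the dialog with the file name written out as lsass.exe), and the NTSTATUS table is limited to a few well-known constants.

```python
import re

# Well-known NTSTATUS values that show up in "process terminated unexpectedly" dialogs.
NTSTATUS_NAMES = {
    0xC0000005: "STATUS_ACCESS_VIOLATION",
    0xC000001D: "STATUS_ILLEGAL_INSTRUCTION",
    0xC00000FD: "STATUS_STACK_OVERFLOW",
    0xC0000409: "STATUS_STACK_BUFFER_OVERRUN",
}

# Constructed sample: the dialog text from the first post, file name written out as lsass.exe.
SAMPLE_DIALOG = "c:\\windows\\system32\\lsass.exe. status code -1073741819"

# Constructed sample of `sc qfailure RpcSs` output, modelled on a default Windows XP install.
SAMPLE_QFAILURE = """[SC] QueryServiceConfig2 SUCCESS

SERVICE_NAME: RpcSs
        RESET_PERIOD (in seconds)    : 0
        REBOOT_MESSAGE               :
        COMMAND_LINE                 :
        FAILURE_ACTIONS              : REBOOT -- Delay = 60000 milliseconds.
"""


def decode_status(dialog):
    """Extract the signed decimal status code; return (unsigned_code, name) or None."""
    m = re.search(r"status code\s*(-?\d+)", dialog, re.IGNORECASE)
    if not m:
        return None
    code = int(m.group(1)) & 0xFFFFFFFF  # reinterpret the signed 32-bit value as unsigned
    return code, NTSTATUS_NAMES.get(code, "UNKNOWN")


def parse_failure_actions(sc_output):
    """Return the ordered (action, delay_ms) list from `sc qfailure` output."""
    return [(a.strip(), int(d))
            for a, d in re.findall(r"([A-Z ]+?)\s*--\s*Delay = (\d+)", sc_output)]


def triage(dialog, sc_output):
    """Combine both checks into one finding a responder can act on."""
    status = decode_status(dialog)
    actions = parse_failure_actions(sc_output)
    return {
        "status_hex": "0x%08X" % status[0] if status else None,
        "status_name": status[1] if status else None,
        "reboot_on_failure": any(a == "REBOOT" for a, _ in actions),
        "first_delay_ms": actions[0][1] if actions else None,
    }
```

A REBOOT action with a 60000 ms delay is the window in which the `shutdown -a` command mentioned earlier in the thread can still cancel the pending restart.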
     
  13. PlexShaw

    PlexShaw Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    62
    Great to hear. :)
     