Need Advice - Not sure what's happening.

Discussion in 'NOD32 version 2 Forum' started by anthonyd, Jun 3, 2007.

Thread Status:
Not open for further replies.
  1. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    I have been using Nod32 v2.70.37 for about a month now, configured according to Black Spear's settings, without issue. 2 days ago, NOD32 gave the following error messages:

    Time Module Event User
    6/1/2007 14:38:11 PM Kernel Error initializing file submission system (Used to send suspicious files for analysis)
    6/1/2007 14:38:11 PM AMON Unable to load file system monitor.
    6/1/2007 14:38:08 PM Kernel Virus Scanner could not be initialized. NOD32 System modules may not function properly.
    6/1/2007 14:32:43 PM NOD32 The file NOD32.000 is damaged. WORKHORSE\Anthony
    6/1/2007 14:32:19 PM NOD32 The file NOD32.000 is damaged. WORKHORSE\Anthony
    6/1/2007 14:30:57 PM Kernel Error initializing file submission system (Used to send suspicious files for analysis)
    6/1/2007 14:30:56 PM AMON Unable to load file system monitor.
    6/1/2007 14:30:53 PM Kernel Virus Scanner could not be initialized. NOD32 System modules may not function properly.


    After multiple reboots, the error messages stopped. However, upon running any kind of scan in the past 2 days, the NOD32.exe process uses 99% of the CPU and does not finish the scan. There have been no threats detected on my system. In addition to NOD32, I am running ZA Pro 7.0.337.000

    One other odd finding is the presence of the following empty folders in my \Windows directory:

    logo1_.exe
    rundl132.exe
    rundll16.exe
    zts2.exe

    The following files have also been found in the \Windows directory:

    0.log
    R.COM
    SET3.tmp
    SET7.tmp

    The following empty folder has been found in the \WINDOWS\System32 directory:

    iifgfgf.dll

    Searches of the above folders/files are associated with malware, but like I have mentioned, there have been no threats detected.

    Any advice is appreciated.
     
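As an added example (not code from the thread or from ESET), the following Python script does the first thing a responder would do with the list above: inspect each reported name and record whether it is a directory or a file, its size, and anything anomalous such as an empty directory carrying an executable extension or a zero-byte file. The directory layout it builds is a constructed fixture mirroring anthonyd's description; the sizes of 0.log, R.COM and the SET*.tmp files were not stated on the page and are assumed to be zero here.

```python
import os
import tempfile
from dataclasses import dataclass
from typing import List

# Names reported in the thread; the fixture below is constructed, not a real system.
WINDOWS_NAMES = ["logo1_.exe", "rundl132.exe", "rundll16.exe", "zts2.exe",
                 "0.log", "R.COM", "SET3.tmp", "SET7.tmp"]
SYSTEM32_NAMES = ["iifgfgf.dll"]
EXECUTABLE_EXTS = {".exe", ".dll", ".com", ".scr", ".sys"}


@dataclass
class Finding:
    path: str
    kind: str          # "dir", "file" or "missing"
    size: int          # bytes for a file, number of entries for a directory
    flags: List[str]   # human-readable anomalies worth a closer look


def inspect(path: str) -> Finding:
    """Classify one path without opening or executing anything inside it."""
    ext = os.path.splitext(os.path.basename(path))[1].lower()
    flags: List[str] = []
    if os.path.isdir(path):
        entries = os.listdir(path)
        if ext in EXECUTABLE_EXTS:
            flags.append("directory named like an executable")
        if not entries:
            flags.append("empty directory")
        return Finding(path, "dir", len(entries), flags)
    if os.path.isfile(path):
        size = os.path.getsize(path)
        if size == 0:
            flags.append("zero-byte file")
        return Finding(path, "file", size, flags)
    return Finding(path, "missing", 0, flags)


def triage(windows_dir: str) -> List[Finding]:
    """Inspect every name from the thread relative to a Windows directory."""
    paths = [os.path.join(windows_dir, n) for n in WINDOWS_NAMES]
    paths += [os.path.join(windows_dir, "System32", n) for n in SYSTEM32_NAMES]
    return [inspect(p) for p in paths]


def build_fixture() -> str:
    """Create a throwaway tree that mirrors the post (constructed test data)."""
    root = tempfile.mkdtemp(prefix="nod32_triage_")
    win = os.path.join(root, "Windows")
    os.makedirs(os.path.join(win, "System32"))
    for n in ["logo1_.exe", "rundl132.exe", "rundll16.exe", "zts2.exe"]:
        os.mkdir(os.path.join(win, n))                  # empty folders with .exe names
    os.mkdir(os.path.join(win, "System32", "iifgfgf.dll"))  # empty folder named .dll
    for n in ["0.log", "R.COM", "SET3.tmp", "SET7.tmp"]:
        with open(os.path.join(win, n), "wb") as fh:
            fh.write(b"")                               # size not stated; assume 0 bytes
    return win


if __name__ == "__main__":
    for f in triage(build_fixture()):
        print(f"{f.kind:7} {f.size:6}  {f.path}  {'; '.join(f.flags)}")
```

Run against a real machine by passing the actual Windows directory to `triage()`; the script only stats and lists, so it is safe to run on a box you suspect is infected, and the `flags` column is what you would paste into a forum post or a ticket.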
  2. ASpace

    ASpace Guest

    Hi !

    You'll need to reinstall NOD32 in order to be sure everything is working OK. Follow this procedure:

    1) Download the latest fresh version of NOD32 v 2.7 for your operating system
    Trial version or Full paid version

    2) Open Control Panel-> Add/Remove programs and Uninstall NOD32

    3) Reboot when prompted

    4) After restart, go to C:\Program files and manually delete the folder ESET

    5) Install NOD32 from the file you downloaded in step 1
    Use "Typical" install

    6) Make sure you have stable internet connection and NOD32 (nod32krn.exe) is allowed to go through your firewall.
    Then Update NOD32 !

    Open Control Center and click on Update -> Update now to ensure your NOD32 is up to date.

    Make sure your settings are the same as this tutorial.

    Open Control Center -> NOD32 -> Run NOD32 and perform a full Scan&Clean over your hard drives. NOD32 will take care of all threats found, if any :)

    You can also use Ewido Micro for second opinion.
     
  3. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    Thanks for the advice.

    I followed your suggestions. After reinstalling NOD32 and configuring it, the scan locks up as before. The CPU hits 100% and the scanner gets stuck when 48% complete. This had not happened once (including the 30 day trial) until the errors described above via the log occurred. I purchased a one year subscription May 17th, 2007. Very disappointed.

    The ewido scan is totally clean, as well as F-Secure Blacklight.

    Any further suggestions??
    Thanks.
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Depends on where the scanner is locking up, on what file? Try a scan in safe mode.
     
  5. duijv023

    duijv023 Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    230
    Location:
    Rijnsburg, Netherlands
    Just another look at this: Does your NOD32 respond to test with eicar.org testfiles?

    If not, AMON is really not working as it should and you are unprotected.
    If it does, then reboot in safe mode and do a complete system scan in safe mode.
    Probably something will be found.

    Other causes that may seem to be possible in my opinion:
    - corrupted files (you may also try to clear all your temp directories)
    - defective harddisk

    Greetings from a summerly Holland
     
  6. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    NOD32 scanning in safe mode still hangs up at around 48% completion and it is not a specific file, having run it multiple times.

    IMON blocks the d/l of the eicar test file. However, I noticed this strange occurrence:
    After I d/l and run AVG Anti-RootKit, the scan comes up clean but a weird process appears in task manager, different every time the scan is run (so far the process has been n9.exe, KMF.exe, JGT09Sh.exe). Terminating the process also terminates the scan. Furthermore, when the scan is minimized, it doesn't read AVG Anti-Rootkit, but shows sbHHQSOxQ. The same happens when in safe mode.

    Something is definitely wrong, and the following scans are clean, including in safe mode:

    NOD32
    F-Secure Blacklight
    Ewido
    Spybot S&D
    AVG Anti-RootKit - strange as described above
    Trojan Hunter 4
    MWAV - will not load, gives error

    Any advice? Out of thought here.
     
  7. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Run nod32.exe with the /crashlog parameter and, when a scan hangs up, check the last line in crash.log created in the program files\eset folder. Please encrypt that scanned file with WinRAR/ZIP, protect the archive with the password "infected" and send it to support[at]eset.com along with this thread's url in the subject.
     
  8. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    Hi there,

    I ran NOD32 with the /crashlog parameter. The last entry in the log is:

    06/04/2007 20:42:55 ENTER: \??\E:\System Volume Information\_restore{04C78EA9-DE6A-460D-B8D1-613D50C91817}(2)\RP527(2)\A0064727.ini

    The file is 0Kb.

    However, I did notice the following entry in the threat log, although no warning was given:

    Time Module Object Name Threat Action User Information
    6/4/2007 1:07:53 AM AMON file E:\DOCUME~1\ANTHON~1\LOCALS~1\Temp\ex29l.exe probably unknown STEALTH.POLY.CRYPT.TSR.DRIVER virus quarantined - deleted - error while cleaning - operation unavailable for this type of object WORKHORSE\Anthony Event occurred on a new file created by the application: E:\Program Files\TrojanHunter 4.6\TrojanHunter.exe. The file was moved to quarantine. You may close this window.

    The file is not in the directory shown in the event log, is not in quarantine for NOD or Trojan Hunter. I also noticed that the process TROJAN~1.exe starts upon running Trojan Hunter.

    How should I proceed?

    Thanks!
     
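The /crashlog workflow Marcos describes above (run nod32.exe with /crashlog, then read the last line of crash.log when the scan hangs), as an added example that is not ESET's code: a small Python parser that pulls the last ENTER line out of a crash log, strips the NT `\??\` prefix so the path can be used in Explorer or a ticket, and tells you whether the object lives under a System Restore folder. The line format is generalized from the single line posted in this thread (date, time, verb, colon, path); that generalization, the trailing truncated line, and the sample log are constructed assumptions.

```python
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Assumed line layout, generalized from the one ENTER line shown in the thread:
# "MM/DD/YYYY HH:MM:SS VERB: <path>"
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (\w+): (.*)$")

# Constructed sample: two well-formed ENTER lines (the second is the path from the
# thread) followed by a line cut off mid-timestamp, as a log abandoned on a hang might be.
SAMPLE_LOG = r"""
06/04/2007 20:42:51 ENTER: \??\E:\WINDOWS\system32\kernel32.dll
06/04/2007 20:42:55 ENTER: \??\E:\System Volume Information\_restore{04C78EA9-DE6A-460D-B8D1-613D50C91817}(2)\RP527(2)\A0064727.ini
06/04/2007 20:42:5
"""


def parse_crashlog(text: str) -> List[Tuple[datetime, str, str]]:
    """Return (timestamp, verb, path) for every well-formed line; skip partial ones."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue                        # blank or truncated line: ignore, don't crash
        ts = datetime.strptime(m.group(1), "%m/%d/%Y %H:%M:%S")
        entries.append((ts, m.group(2), m.group(3)))
    return entries


def last_scanned_object(text: str) -> Optional[str]:
    """The object the scanner was inside when the log stopped, or None if no ENTER line."""
    for _ts, verb, path in reversed(parse_crashlog(text)):
        if verb == "ENTER":
            return path
    return None


def strip_nt_prefix(path: str) -> str:
    """Turn the NT object-manager form "\\??\\E:\\..." into the familiar "E:\\..."."""
    return path[4:] if path.startswith("\\??\\") else path


def is_system_restore_path(path: str) -> bool:
    """True when the object sits in a System Restore store (System Volume Information)."""
    return "\\system volume information\\" in path.lower()


if __name__ == "__main__":
    obj = last_scanned_object(SAMPLE_LOG)
    print("last object entered:", strip_nt_prefix(obj) if obj else "(none)")
    if obj and is_system_restore_path(obj):
        print("note: this is a System Restore snapshot, not a live file")
```

Feed it the real crash.log from the program files\eset folder with `last_scanned_object(open(path, errors="replace").read())`; the function ignores any half-written final line, which is exactly what a log abandoned mid-scan tends to end with.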
  9. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    I see that the above event could be a False Positive when running TH with NOD. However, what accounts for the strange processes starting when scans are run? So far, every scan is clean, except NOD, which hangs at 48% complete.
     
  10. SSK

    SSK Registered Member

    Joined:
    Nov 28, 2004
    Posts:
    976
    Location:
    Amsterdam
    This "strange" process is only there when AVG Anti-Rootkit is run? If so, it's part of AVG, a way to "hide" itself from Rootkits that are looking and killing known security software.
    It seems to crash on a system restore file. You could disable system restore to clear it: MS kb310405. Please remember to make a new restore point if you want to use system restore.
     
  11. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    Thank you for the info.

    I turned off system restore yesterday. NOD keeps locking up in the folder, which contains 4 folders and 4 files all 0 KB in size. The odd thing is I cannot delete the folder or any files in it. I've tried CCleaner, Eraser, Unlocker. The error message states Cannot delete Fifoed(2). The directory is not empty.

    Also, CCleaner shows the contents of \Windows\Temp folder which always has a weird file such as JJJJJ.JJJ, HHHHH.HHH. Every time the folder is deleted a new file appears.
     
  12. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    Forgot to mention... I cannot delete these files/folder in safe mode. I have also tried Sysclean, which gives errors with the E:\System Volume Information\_restore{04C78EA9-DE6A-460D-B8D1-613D50C91817}(2) folder.
     
  13. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    System Volume Information folders are used by System Restore. You cannot delete them, only their contents, which is done by turning off system restore.
     
    Last edited: Jun 5, 2007
  14. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    I cannot delete the contents, despite having turned off system restore.
     
  15. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Did you place a tick "in" to turn off system restore, and did you then reboot your system?

    Cheers :D
     
  16. anthonyd

    anthonyd Registered Member

    Joined:
    Jun 3, 2007
    Posts:
    9
    Yes, the tick was placed in the box to turn off system restore and the computer was rebooted.


    In addition, what does anyone make of the following files/folders:
    logo1_.exe
    rundl132.exe
    rundll16.exe
    zts2.exe

    The following files have also been found in the \Windows directory:

    0.log
    R.COM
    SET3.tmp
    SET7.tmp

    The following empty folder has been found in the \WINDOWS\System32 directory:

    iifgfgf.dll
    The folders and files persist despite manual deletion.

    Thanks.
     
  17. De Hollander

    De Hollander Registered Member

    Joined:
    Sep 10, 2005
    Posts:
    718
    Location:
    Windmills and cows
    Is "zts2.exe" not related to Worm.Alacra-B ?
     
  18. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,776
    Location:
    Texas
  19. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please encrypt those files with WinRAR/ZIP, protect the archive with the password "infected" and send it to samples[at]eset.com with this thread's url in the subject.
     
  20. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    It's supposed to be like that. Check the help file. Additional security
    to prevent malware from targeting the process and terminating it.
     