need help removing virus

Discussion in 'NOD32 version 2 Forum' started by jftuga, May 5, 2008.

Thread Status:
Not open for further replies.
  1. jftuga

    jftuga Registered Member

    Last week, one of the computers received this message:

    > 5/1/2008 19:27:18 PM - IMON - Internet monitor Threat Alert
    > triggered on xxxxxx:
    > hXXp://pornyoutube-18.com/soft/ztbcprpodfd/50282f2b307/MediaTubeCodec_ver1.725.7.exe
    > is infected with probably a variant of Win32/Statik application.

    I searched the hard drive for this exe and did not find it. I also deleted the user's Temporary Internet Folder. This person only has User level access, and not Admin. I thought the virus was gone, but now I still get another message every few hours throughout the day. A full scan does not report anything.


    I am not interested in submission, since the file does not appear to be on the hard drive. How can I get rid of this message and ensure this virus is not on the system?

    Please advise.

    Thanks,
    -John

    EC Edit: removed link to possibly bad website
     
    Last edited by a moderator: May 5, 2008
  2. Thankful

    Thankful Savings Monitor

    If this is Windows XP, go to folder C:\Documents and Settings\<username>\Local Settings\Temp and see if the file is there. If so, delete it.

    It is possible the file is in system restore. Follow the instructions given here:
    https://www.wilderssecurity.com/showthread.php?p=1101570#post1101570

    Lastly, I have seen some circumstances where the file appears to be removed from
    the system via the recycle bin. However, the system still recognizes the file.
    I have found Karen's Recycler to be effective in those cases.
    http://www.karenware.com/powertools/ptrecycler.asp
     
    Last edited: May 5, 2008
  3. Kosak

    Kosak Registered Member

    Hi, you must disable submission of suspicious files in ThreatSense.NET settings - NOD32 Control Center - Tools

    Regards
     
  4. ASpace

    ASpace Guest

    No, if the user doesn't access this web site via their browser, the alert is because of a downloader trying to download a trojan from a malicious site/server. NOD32 doesn't detect the downloader but detects the payload with its marvellous heuristics. The downloader uses HTTP and that is why it is IMON taking place.



    @ jftuga

    It is a URL, it is not located on your machine's disk.

    Disable ThreatSense.NET from NOD32 Control Center -> NOD32 System Tools -> "Setup" button -> ThreatSense.NET tab.

    And if you still get warnings from IMON or AMON, contact ESET Technical support.
     
  5. jftuga

    jftuga Registered Member

    What does Threat Sense want to report when this happens? I have IMON set to deny download of the file if it detects a virus. Assuming this file is not on the drive, I am not sure what there is to report. Does NOD32 keep a copy of this file so that it can be sent to their server or will it just send the URL?

    Thanks,
    -John
     
  6. ASpace

    ASpace Guest

    It should be a copy of the file, a copy which is in NOD32's Quarantine.
     