NOD Installed still virus found

Discussion in 'NOD32 version 2 Forum' started by hasit, Sep 25, 2006.

Thread Status:
Not open for further replies.
  1. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    hello,

    I had formatted my computer from the boot record and installed Windows again.

    Just after loading Windows XP, I installed NOD and did a virus run check, and it did not find any error.

    I have configured NOD to scan the entire computer on a weekly basis and found that it had generated the following 7 virus found. Can anyone explain to me why this happened even when NOD is working OK and updating on a regular basis?

    C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP54\A0018931.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted

    C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip - Win32/Stration.EK worm - quarantined - deleted

    C:\Mails\My Email Attachments\intranet\Junk E-mail\Update-KB8562-x86.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted

    C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip »ZIP »body.txt.bat - Win32/Stration.EK worm

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip »ZIP »homepage.exe - Win95/CIH virus

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip - Win95/CIH virus - quarantined - deleted

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip »ZIP »homepage.exe - Win95/CIH virus

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip - Win95/CIH virus - quarantined - deleted

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip »ZIP »homepage.exe - Win95/CIH virus

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip - Win95/CIH virus - quarantined - deleted

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip »ZIP »homepage.exe - Win95/CIH virus

    C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip - Win95/CIH virus - quarantined - deleted
     
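An added example, not from the thread or from ESET: a small Python parser for the scan result lines hasit posted, showing that the twelve lines describe seven files that were acted upon (the five archive-member lines carry no action because the action is recorded against the containing archive) and where each detected object lived. The log format and the origin buckets are inferred from the posted lines, not from NOD32 documentation.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass
# The twelve result lines quoted in the first post. Inferred format, one line per object:
# "<path>[ »<archive type> »<member>] - <threat> - <action> - <action> ..." (members carry no action).
SCAN_LOG = r"""
C:\System Volume Information\_restore{14157744-4FA2-4CAF-BAFB-72CC49941087}\RP54\A0018931.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip - Win32/Stration.EK worm - quarantined - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\Update-KB8562-x86.exe - Win32/Stration.EK worm - quarantined - unable to clean - deleted
C:\Mails\My Email Attachments\intranet\Junk E-mail\body.zip »ZIP »body.txt.bat - Win32/Stration.EK worm
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0001.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0002.zip - Win95/CIH virus - quarantined - deleted
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip »ZIP »homepage.exe - Win95/CIH virus
C:\Mails\My Email Attachments\C_\Mails\archive.pst\Clients1\homepage0003.zip - Win95/CIH virus - quarantined - deleted
"""

@dataclass
class Detection:
    container: str      # file on disk that holds the detected object
    member: str | None  # archive member name, or None for a top-level file
    threat: str         # e.g. "Win32/Stration.EK worm"
    actions: list[str]  # e.g. ["quarantined", "unable to clean", "deleted"]; empty for members

def parse_line(line: str) -> Detection:
    fields = [f.strip() for f in line.split(" - ")]  # path, threat, then zero or more actions
    parts = fields[0].split(" »")                    # "x.zip »ZIP »y.exe" -> [x.zip, ZIP, y.exe]
    return Detection(parts[0], parts[-1] if len(parts) > 1 else None, fields[1], fields[2:])

def parse_log(text: str) -> list[Detection]:
    return [parse_line(l) for l in text.splitlines() if l.strip()]

def origin(d: Detection) -> str:
    # Buckets for what the thread discusses: System Restore, a .pst mail archive, plain mail folders.
    p = d.container.lower()
    if p.startswith(r"c:\system volume information"):
        return "system_restore"
    return "mail_archive" if ".pst\\" in p else "mail_folder"

def summarize(dets: list[Detection]) -> dict:
    return {
        "lines": len(dets),
        "files_acted_on": sum(1 for d in dets if d.actions),  # the "7 virus found" of the post
        "archive_members": sum(1 for d in dets if d.member),
        "by_threat": Counter(d.threat for d in dets),
        "by_origin": Counter(origin(d) for d in dets),
    }
```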
  2. ASpace

    ASpace Guest

    Hello hasit !


    We need more info here. What do you mean by "did a virus run check"? If I understand it correctly, you have used Control Center -> NOD32 -> Run NOD32 (by default it uses the Control Center profile). If you haven't modified it, it (the Run) won't be able to detect what you have below.

    I have no idea. It is possible, however, that you configured via Blackspear's settings, where AMON is set to clean automatically. This means that it will attempt to clean. However, a clean action is not possible when there is a worm/trojan/spyware ... AMON hasn't deleted the malware, but for your good it has prevented access to that malware, so you were protected.

    The malware has been eliminated; however, I don't see an action taken with some of them. You can manually delete them or check your NOD32 settings with Blackspear's tutorial, boot in Safe Mode and perform a full scan from Start->Programs->ESET->NOD32 (make sure you use the Control Center profile) and press Scan & Clean.

    Test your NOD32's AMON and IMON real-time protection. Go to Control Panel -> AMON -> Setup -> "Actions" tab and make sure you temporarily change them to "Prohibit access and show alert window with actions", apply and OK. Then test your NOD with the harmless EICAR file
    http://www.eicar.org/anti_virus_test_file.htm
    Attempt to download all the files at the bottom and NOD32 should pop up.

    :thumb:
     
  3. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Hasit, I would suggest that you have brought data across from another drive and placed it within a folder on your C drive and called it "Mails", with a sub-folder called "My Email Attachments".

    You may still have an infection with System Restore, so please take the following steps:

    Check your settings against those found HERE

    After this run a scan by following these steps:

    1. Click on the NOD32 Control Centre (green and white split square on the bottom right-hand corner of your computer's screen).
    2. Click on NOD32.
    3. Click on Run NOD32.
    4. Click on “Scan and Clean”.

    Let us know how you go...

    Cheers :D
     
  4. agoretsky

    agoretsky Eset Staff Account

    Joined:
    Apr 4, 2006
    Posts:
    4,032
    Location:
    California
    Hello

    There is a specific detector/remover for the Win32/Stration.* series of worms which you can download from http://www.nod32.it/getfile.php?tool=StrationFix.

    Can you please try running it and letting us know the results?


    Regards,

    Aryeh Goretsky
     
  5. Paolo Monti

    Paolo Monti Eset Staff Account

    Joined:
    Oct 25, 2002
    Posts:
    280
    Location:
    Rome, Italy
    Please consider that my fix is not a full-blown remover/detector: it just cleans a couple of Registry keys/values in order to "dismantle", at the next reboot, the user-mode rootkit implanted in the system by Stration's variants. So, to get rid of the worm:

    1) run the fix
    2) restart the system
    3) run your AV to detect and remove infected files

    ciao,
    Paolo.
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Paolo, appreciated.

    Cheers :D
     
  7. hasit

    hasit Registered Member

    Joined:
    Jul 24, 2006
    Posts:
    44
    No issues now! Problem resolved!

    No virus now. I was wondering why this worm could enter my computer even if I had NOD32 installed!

    In any case, problem resolved!

    Thanks everyone.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good to see.


    Unfortunately someone has to be first to get it, and though NOD32 is at the top of its field, no antivirus will catch 100% of everything 100% of the time; this is simply impossible.

    Cheers :D
     