NOD Virus Detected win32/startpage.uu trojan

Discussion in 'NOD32 version 2 Forum' started by Piecan, Apr 12, 2005.

Thread Status:
Not open for further replies.
  1. Piecan

    Piecan Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    59
    Location:
    Essex UK
    Hi there
    Amon keeps finding this virus/trojan and each time I delete it another one with a different file ending appears. I've had c:\windows\system32\psdrvcheck.it win32\startpage.uu trojan and a few other ones including one for c:\Program Files\Pinnacle\Shared Files\InstantCDDVD\InstantInfo.KOR

    I rang Eset and they said it was being spread by adaware programs. Do I need to do anything else other than delete it and try another adaware program to find the problem? They suggested Counterspy. Thanks Andie
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi Andie, can you post a log from the Nod32 Control Centre> Logs> Virus Log

    This may tell us a little more of where the file is located.

    Cheers :D
     
  3. Piecan

    Piecan Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    59
    Location:
    Essex UK
    Hi Blackspear
    Thanks for your help. Hope this is what you wanted.
     

    Attached Files:

  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Can you copy and paste the log, just cross out your personal info. I'd like to see exactly where the file is located.

    Cheers :D
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Andie, from what I have just read, you have been hit by a CWS variant, and as such you will need to download and run “Hijack This” found here and post your log at one of the forums found at A-SAP.

    The two bigger forums for HijackThis log processing, (meaning they process more log threads each day than most others) are: SpywareInfo.com and CastleCops.com. Be sure to read their posting policy in the links at their log review forum sections prior to posting.

    Once your system is clean I would suggest that you take a look here: Why did I get infected in the first place? Also, for further information on security and how to make your system that much stronger, see here, as well there are discussions here and even more here.

    Hope this helps...

    Let us know how you go.

    Cheers :D
     
  6. Piecan

    Piecan Registered Member

    Joined:
    Oct 17, 2004
    Posts:
    59
    Location:
    Essex UK
    Thanks Blackspear
    Nothing funny is going on with my computer, so wondering if it is a false positive. After Amon came up with the message and I deleted the file the NOD scan didn't find anything.

    Thanks for the links. That Hijack stuff sounds a bit complicated. Does the file unzip itself? Andie
     
  7. FanJ

    FanJ Guest

    Hi Craig,

    Could this be the same one as posted here:
    https://www.wilderssecurity.com/showthread.php?t=75076

    It could be a file from Pinnacle InstantCopy.
    http://www.greatis.com/appdata/a/_/_sysdir__psdrvcheck.exe.htm

    Maybe I'm wrong, I don't have that program.

    Maybe a good idea if those with that warning submit it to Eset so they can have a look at it.
    In the meanwhile a second opinion from some Online-scanners like Jotti's and/or KAV can also tell something.

    Well, I have to leave it up to Eset ;)
    Cheers, Jan.
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  9. FanJ

    FanJ Guest

    Oops oops :oops:

    I misread the original posting; my fault, sorry! :oops:

    That file at the Greatis-site is: PSDrvCheck.exe

    So sorry :oops: :oops: :oops:
     
  10. FanJ

    FanJ Guest

    Hi,

    May I ask Eset, and the original poster, what the status is at the moment about those files?
    Thanks ;)

    I know that a friend of mine has Pinnacle Instant CD/DVD SE on her machine.
    Yesterday I asked her to send me some of these files.
    I just got them.
    Of course I don't know whether they are the same files as those that gave that warning.

    Some info about them:

    PSDrvCheck.IT
    Version 1.0.0.63
    MD5 : 82d551de0dc65c7dbd8cc85a1a9d1bd4

    InstantInfo.KOR
    Version 1.1.0.14
    MD5 : 1bb92c6fc9b768ad2fe2adc9eba61914

    Both files scanned at Jotti : clean.

    Eset, if you like, I could submit those files to you :)

    Cheers, Jan.
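The check behind the post above, as an added example that is not part of the thread: a Python script that hashes a file Amon has flagged and compares the MD5 against the two reference hashes FanJ posted (PSDrvCheck.IT 1.0.0.63 and InstantInfo.KOR 1.1.0.14). A match tells you the file is byte-for-byte the copy that scanned clean at Jotti and that Eset later confirmed as a false positive; a mismatch only says it is a different build, not that it is malicious. The script records SHA-256 alongside MD5 because MD5 is no longer collision-resistant and a known-good list should not rest on it. The sample files, their contents and the substituted reference hash in `run_demo()` are constructed for the demonstration; only the two MD5 values and file names come from the thread.

```python
import hashlib
import os
import tempfile

# MD5s of the two Pinnacle files as posted in the thread (PSDrvCheck.IT 1.0.0.63
# and InstantInfo.KOR 1.1.0.14). Keys are lower-cased file names.
KNOWN_GOOD_MD5 = {
    "psdrvcheck.it": "82d551de0dc65c7dbd8cc85a1a9d1bd4",
    "instantinfo.kor": "1bb92c6fc9b768ad2fe2adc9eba61914",
}


def file_digests(path, chunk_size=65536):
    """Return (md5, sha256) hex digests of a file, streamed in chunks."""
    md5 = hashlib.md5()
    sha256 = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def classify(path, known_good=KNOWN_GOOD_MD5):
    """Compare a flagged file against the known-good list.

    Verdicts:
      known-good  name is listed and the MD5 matches the posted hash
      mismatch    name is listed but the hash differs (another build, or a
                  replaced file; on its own this is not proof either way)
      unlisted    no reference hash for this name, nothing to compare against
    """
    name = os.path.basename(path).lower()
    md5, _sha256 = file_digests(path)
    expected = known_good.get(name)
    if expected is None:
        return "unlisted"
    return "known-good" if md5 == expected.lower() else "mismatch"


def report(paths, known_good=KNOWN_GOOD_MD5):
    """One record per file: name, verdict, md5 and sha256 (the sha256 is kept
    so the reference list can be moved off MD5 later)."""
    rows = []
    for path in paths:
        md5, sha256 = file_digests(path)
        rows.append({
            "name": os.path.basename(path),
            "verdict": classify(path, known_good),
            "md5": md5,
            "sha256": sha256,
        })
    return rows


def run_demo():
    """Constructed sample files in a temp dir; returns {file name: verdict}."""
    samples = {
        "PSDrvCheck.IT": b"constructed stand-in, not the real Pinnacle file\n",
        "InstantInfo.KOR": b"constructed stand-in for the second file\n",
        "readme.txt": b"unrelated file with no reference hash\n",
    }
    known = dict(KNOWN_GOOD_MD5)
    # Constructed: substitute a reference hash that matches our stand-in so
    # that one file exercises the known-good branch.
    known["instantinfo.kor"] = hashlib.md5(samples["InstantInfo.KOR"]).hexdigest()
    with tempfile.TemporaryDirectory() as tmp:
        paths = []
        for name, content in samples.items():
            path = os.path.join(tmp, name)
            with open(path, "wb") as fh:
                fh.write(content)
            paths.append(path)
        rows = report(paths, known)
    return {row["name"]: row["verdict"] for row in rows}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:16} {verdict}")
```

Run it on the real files by passing their paths to `report()` instead of `run_demo()`; file name matching is case-insensitive because Windows reports the names in mixed case. A "mismatch" on a file you still suspect is the case for submitting it to Eset or a multi-engine scanner, as the post suggests.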
     
  11. Happy Bytes

    Happy Bytes Guest

    Gorilla (not sure if it's the same poster) got an email reply - it's fixed.
     
  12. FanJ

    FanJ Guest

    OK, thanks Happy Bytes :)
     
  13. Happy Bytes

    Happy Bytes Guest

    dudus, you are most welcome :D
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks Happy Bytes.

    Cheers :D
     
  15. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Yeah, it got fixed about 28 hours ago :-]
     
  16. Happy Bytes

    Happy Bytes Guest

    That's almost correct, it was fixed 2 days ago assuming that we have now tomorrow. :D
     
  17. FanJ

    FanJ Guest

    Thanks again to Eset! :D

    Please forgive me for asking (without any intention of bashing or anything like that): could a confirmation be posted that it was a FP and was fixed?
    Anyhow, I'm glad we know it now and I am happy that it was fixed so quickly :D

    Cheers, Jan.
     
  18. Happy Bytes

    Happy Bytes Guest

    Yes, it was a f/p. ;)

    If you consider that we have time differences all over the world and if you consider when a f/p gets fixed here TODAY that it might be already a fixed update available YESTERDAY for some areas then there wasn't even a f/p who wouldn't probably appear TOMORROW somewhere :D :D :D
     
  19. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    [BLEEP] - just deleted a trial MP3 editor because it had the same DLLs in it and on 04/11 they were found in a full scan .. got to download it again now...
     
  20. Happy Bytes

    Happy Bytes Guest

    Make sure that you have current virus patterns. ;)
     
  21. FanJ

    FanJ Guest

    Edited by FanJ:

    removed unfriendly posting from me.

    :oops:

    Apologies to all
     
    Last edited by a moderator: Apr 14, 2005
  22. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada

    I was current - I was erring on the side of caution - but did think it odd that on the daily scan on the 11th I had 3 positives inside a zip archive, then on the 12th, none - also - I did NOT find the files in quarantine, and the file was still there - obviously ONE of the profiles doesn't have quarantine/delete set properly.... it's getting a little confusing to know which profile I must check though now.. this was a 2.5 beta on my wife's home machine...
     
  23. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada

    I too would like to see a list of f/p somewhere so that we can check if something we're about to clean up is worth the cleanup effort, or not... perhaps using the username/password already issued for updates this could be in some kind of user only area?
     
  24. The Gorilla

    The Gorilla Registered Member

    Joined:
    Apr 11, 2005
    Posts:
    66
    Location:
    England
    As the man said, I did get an email stating it was fixed in double quick time.

    This truly is a great product with great support. I am so glad I took the plunge and moved away from Nortons.

    PS. I only posted my question once any similar posts are not related to me.

    Eset Mod, thanks a lot.
     