Nod32 detects a trojan in lpt9.ekl

Discussion in 'NOD32 version 2 Forum' started by pimse, Oct 4, 2006.

Thread Status:
Not open for further replies.
  1. pimse

    pimse Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    7
    Hi!

    Fresh install of XP Home, all updates. Fresh install of Nod 32, also updated.

    When opening IE, Nod detects Win32/Small.JR Trojan, and the file which will be deleted is C:\windows\system32\lpt9.ekl.

    But, Nod cannot rename it, cannot delete it!

    Booting the computer from a bootable cd I can see the file in a file manager, but cannot rename it nor delete it.


    Panda online scan and F-Secure online scan do not detect the file.

    I have Googled lpt9.ekl, but with no luck. There is no lpt9.ekl whatsoever.

    The file exists on this specific computer, but not on any other computer I have looked at.


    Nod32 continues detecting a trojan in lpt9.ekl.

    Advice?

    Thanks

    Per
     
  2. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.
  3. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    Did you try a scan in safe mode?
     
  4. pimse

    pimse Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    7

    I have noticed that Nod32 doesn't detect anything in an on-demand scan, but the realtime protection detects the thing on opening some applications.


    I have read some links in your search and found out that it seems to be a combo: a rootkit and a trojan.



    Thanks!

    Per
     
  5. pimse

    pimse Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    7

    No, but I have done a scan with Nod32 from a bootable cd.

    Thanks

    Per
     
  6. ASpace

    ASpace Guest

    If NOD32 detects it in Normal mode, it should detect it while scanning from the bootable CD. Did you use the correct options/commands to delete that particular malware?


    I recommend you do the following to ensure your machine is clean:

    Make sure your NOD32 is updated.

    Then, read Blackspear's tutorial to configure NOD32 for maximum protection and automated work.

    Please boot in Safe Mode (http://support.microsoft.com/kb/315222)

    Go to Start->Programs->ESET->NOD32
    Go to the Profiles tab and make sure you use Control Center Profile
    When so, make sure you set NOD32 to scan all your hard drives and push Scan&Clean

    NOD32 will automatically take care of everything ;)

    Reboot in Normal Mode.

    I would also recommend you scan with Ewido Micro or Ad-Aware SE Personal.

    Good luck ! :thumb:
     
  7. pimse

    pimse Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    7

    I will follow your advice, but not tonight.

    I'll be back with some feedback.

    Thanks

    Per
     
  8. ASpace

    ASpace Guest

    Ok, you are welcome! :thumb:
     
  9. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Hello,
    does the file keep re-appearing even if you unplug the computer from the network? If so, and you are using Windows XP, try disabling System Restore first. Should the problem persist, feel free to drop an email to support @ eset.com with a link to this thread.
     
  10. ThunderZ

    ThunderZ Registered Member

    Joined:
    May 1, 2006
    Posts:
    2,459
    Location:
    North central Ohio, U.S.A.

    Rootkit :blink: Not a good situation. If it is executing whenever you launch certain programs it does sound like it is hooked pretty deep. Follow the good advice already given, including the disconnection (actually remove the cable from your PC, as some malware calls home for more of its friends to join the party :eek: ). Also disable System Restore, as mentioned, until you are 100% clean. No sense in leaving anything to chance. Good luck and keep us posted.
     
  11. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
    This is most probably part of the Gromozon rootkit. lpt<number> is a Windows reserved name and can't be touched with "normal" tools. Download IceSword from here http://www.majorgeeks.com/Icesword_d5199.html, launch it, navigate to "File" on the left panel, right-click on the file and remove it.

    Please note that some Gromozon variants stop IceSword from running. Keep us informed.
     
  12. Cretemonster

    Cretemonster Registered Member

    Joined:
    Mar 31, 2005
    Posts:
    79
    I helped Pimse remove the rootkit at another forum.

    Tools like IceSword, DarkSpy, RootkitRevealer, BlackLight, GMER and some others are disabled by what appears to be a task-kill operation.

    It has at this point disabled the user's ability to access the Prevx site; if the removal tool from Prevx is acquired by the infected user, it will fail to launch just like the above tools mentioned.

    I've responded to a post in another forum here, for NOD, about some of the changes it makes to certain files, specifically DLLs or any COM object.

    I've not logged what files from what applications are altered.

    With the first user I cleaned with this rootkit, the decision was to just uninstall and reinstall NOD32, and that is one I believe I would recommend to Pimse as well.

    To be totally honest, there's no real way to see what the rootkit did to NOD32, but I can tell you it really messed with the Intrusion Detection Signatures in my Home Security Suite.


    Pimse states that the updater service isn't working, which is the same as with another person I cleaned up.

    Let me know what extra information is needed?
     
  13. pimse

    pimse Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    7
    I see that Cretemonster has already posted here.

    Just ask if there is anything about the computer's behavior when it was infected you want to know.

    Thanks again, Cretemonster!

    Per
     
  14. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Hi pimse, welcome to Wilders.

    Did you send an email to support @ eset.com with a link to this thread, as requested by Marcos several posts above?

    Cheers :D
     
  15. pimse

    pimse Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    7

    Hi Blackspear

    Yes, I have done it now.
     
  16. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Let us know how you go...

    Cheers :D
     
  17. pimse

    pimse Registered Member

    Joined:
    Oct 4, 2006
    Posts:
    7
    The problem with the lost username and password is solved!
    Uninstalling and reinstalling did the trick. No sensation here.

    I'm just wondering what the rootkit did to Nod32... Well, it doesn't matter.

    The computer is working fine now!

    Thanks

    Per
     
  18. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Thanks for letting us know, and good to see you are all back up and working.

    Cheers :D
     