NOD32 Scan Findings

Discussion in 'NOD32 version 2 Forum' started by amanson, May 23, 2005.

Thread Status:
Not open for further replies.
  1. amanson

    amanson Registered Member

    Joined:
    May 23, 2005
    Posts:
    4
    I ran a deep scan with NOD32, and it found 5 trojans. I am scared to delete them, as I don't know what the consequences would be.
    Could someone help me get rid of them safely? Here is what it found:

    C:\System Volume Information\_restore{51EDC5F3-5074-48E2-B4E0-12F6A3B9A034}\RP13\A0001402.exe - Win32/TrojanDownloader.Swizzor.C trojan

    C:\System Volume Information\_restore{51EDC5F3-5074-48E2-B4E0-12F6A3B9A034}\RP13\A0001425.exe - a variant of Win32/Adware.MediaTickets application

    C:\System Volume Information\_restore{51EDC5F3-5074-48E2-B4E0-12F6A3B9A034}\RP21\A0005260.exe - probably a variant of Win32/Yodup-based trojan

    C:\WINDOWS\_MSRSTRT.EXE - Win32/Tool.WinCap.Reboot application

    C:\WINDOWS\System32\chkdsk.exe - a variant of Win32/Adware.MediaTickets application

    Any help would be greatly appreciated. Thanks in advance.
     
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,794
    Location:
    Texas
    I'll put this in the NOD forum.
     
  3. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Well Eset says in the downloadable users manual I printed out for 2.12.3 that "Trojans can only be deleted as they do not infect other files and contain only their own code." I would probably download a trial version of Ewido, a-squared, Trojanhunter, or TDS-3 and run it just in case there are more NOD did not find. I would remove whatever the dedicated trojan finder found via the trojan detector and not NOD. NOD could probably do the surgery but I'd use a specialist if I had one.
     
  4. amanson

    amanson Registered Member

    Joined:
    May 23, 2005
    Posts:
    4
    Thanks very much for your time and your help Hammer!
     
  5. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Use NOD to rescan after removal.
     
  6. Oddbod

    Oddbod Guest

    Hi.

    The ones in your system restore can be deleted by turning off system restore, waiting till your HD light stops, then turning it back on (it is better to wait till the light goes out as XP will delete all the restore points; you can create a new one when you turn it back on).

    The _MSRSTRT.EXE can be created by some legitimate apps as a way of rebooting the pc (eg during a reg defrag by TuneUp Utilities etc).

    C:\WINDOWS\System32\chkdsk.exe is a normal XP file, without it you won't be able to do a disk check (chkdsk.exe is the XP replacement for 9x's scandisk.exe).

    If U still have the files then do a check on them with an online scanner but I think the last two are false positives.

    HTH
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Thanks Oddbod for mentioning system restore. Amanson let us know how it went.
     
  8. amanson

    amanson Registered Member

    Joined:
    May 23, 2005
    Posts:
    4
    Thanks again guys for your help - you've been great. I ran Ewido, BitDefender, TrojanHunter and TDS-3 scans (now my computer is really slow - no sh*t! you will tell me, I have to exit some programs and stop some processes every time I reboot to correct this).
    I then ran a NOD32 scan again as you advised me to, and the programs mentioned above seem to have gotten rid of the Swizzor.C trojan and chkdsk.exe. However, the 2 media tickets remain, so I will try and turn system restore off on my pc as you said Oddbod and see what happens... I will keep you posted...
    Oh, here's a list of defence programs I use: AntiVir, ProcessGuard, ZoneAlarm Firewall, spyware doctor, ms anti-spyware, spyware blaster, and others that are not active that I open only for occasional scans such as Spybot, registry mechanic, lavasoft adaware, bazooka scanner, ccleaner, winASO registry optimizer 2.0, WahshandGo... and others lol
    Any comments/ suggestions?
     
  9. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Google whatever is left. Some of the non active stuff may still have low level processes running which consume resources. But that's for another time.
     
    Last edited: May 24, 2005
  10. Oddbod

    Oddbod Guest

    Hi amanson.

    Glad to hear you are clear now, that's some collection of security apps you have there, no wonder your pc is running slow.

    I would choose between either Ewido resident or TrojanHunter resident, having them both running their guards will give U the effects U are seeing.

    The only progs I have running at boot time are NOD, ProcessGuard, Outpost Pro firewall & Giant Antispyware.

    I only use Spybot for on demand scans & same for TDS-3 & they rarely find anything at all. (practice safe hex)

    You could also maybe choose two of the antispyware apps you like, say Spybot & Ad Aware or Spybot & Spyware Doctor, that way U can check with one & run the other right after to see if it picks up anything more.

    One thing to try to see if that chkdsk.exe was legit or dodgy is to open My Computer & right click your main drive & try to run a disk check; if it doesn't work U can always restore the chkdsk.exe file from your XP cd using SFC (System File Checker).

    That will scan all your sys files & ask to replace them from the XP cd.
     
  11. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Hi Amanson, the media ticket thing is spyware. I am not sure how effective Nod32 is at removing spyware--yet. You probably should log into a security forum, download and run Hijack this, and let one of their gurus assist you in removing it.
    I hope I am not breaking any rules by posting this, but a good site for this kind of problem is:

    http://forums.techguy.org/f54-s.html
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    The Media ticket spyware is detected heuristically by NOD32, without needing to update.
     
  13. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA
    Marcos, obviously it is detected. But he seems to be having problems removing it. And I was mistaken, it is not spyware, it is adware. :)

    http://www.spywareguide.com/product_show.php?id=813
     
  14. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    He might not have write permission for the C:\System Volume Information folder which is protected by the system. If an infiltration is found in that folder, turn off system restore on Windows XP.
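    A defender's triage of a findings list like the one amanson posted, as an added example that is not from the thread, from ESET or from any of the tools mentioned. It separates restore-point copies (handled, as Oddbod and Marcos describe, by turning System Restore off and back on) from live files, and checks a live file's Authenticode signature and its hash against a trusted reference copy before anything is deleted. It assumes Windows PowerShell 4 or later (for Get-FileHash) and that the reference copies live in $ReferenceDir, which is set to XP's SFC cache %WINDIR%\system32\dllcache as an assumption; the finding lines are the five from the thread.

    ```powershell
    # Added example (not from the thread): triage AV findings before deleting anything.
    # The five lines below are the ones amanson posted.
    $Findings = @(
        'C:\System Volume Information\_restore{51EDC5F3-5074-48E2-B4E0-12F6A3B9A034}\RP13\A0001402.exe - Win32/TrojanDownloader.Swizzor.C trojan',
        'C:\System Volume Information\_restore{51EDC5F3-5074-48E2-B4E0-12F6A3B9A034}\RP13\A0001425.exe - a variant of Win32/Adware.MediaTickets application',
        'C:\System Volume Information\_restore{51EDC5F3-5074-48E2-B4E0-12F6A3B9A034}\RP21\A0005260.exe - probably a variant of Win32/Yodup-based trojan',
        'C:\WINDOWS\_MSRSTRT.EXE - Win32/Tool.WinCap.Reboot application',
        'C:\WINDOWS\System32\chkdsk.exe - a variant of Win32/Adware.MediaTickets application'
    )
    # Assumed location of trusted reference copies (XP's SFC cache); adjust for your system.
    $ReferenceDir = Join-Path $env:WINDIR 'system32\dllcache'

    function Get-FindingTriage {
        param([string[]]$Lines, [string]$RefDir)
        foreach ($line in $Lines) {
            # Split on the last ' - ' so a path containing ' - ' survives intact.
            $idx = $line.LastIndexOf(' - ')
            if ($idx -lt 0) { continue }
            $path      = $line.Substring(0, $idx)
            $detection = $line.Substring($idx + 3)
            $sig = 'n/a'; $matchesRef = 'n/a'
            $action = 'Investigate: live file, verify before removal'

            if ($path -match '\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\') {
                # Restore-point copies are not running and the scanner cannot write there.
                $action = 'Restore point copy: purge by turning System Restore off and on again'
            } elseif (Test-Path -LiteralPath $path) {
                $sig = (Get-AuthenticodeSignature -LiteralPath $path).Status
                $ref = Join-Path $RefDir (Split-Path -Leaf $path)
                if (Test-Path -LiteralPath $ref) {
                    $h1 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
                    $h2 = (Get-FileHash -LiteralPath $ref  -Algorithm SHA256).Hash
                    $matchesRef = ($h1 -eq $h2)
                }
                if ($sig -eq 'Valid' -or $matchesRef -eq $true) {
                    $action = 'Likely false positive: valid signature or identical to trusted copy'
                }
            } else {
                $action = 'File no longer present: already removed'
            }
            [pscustomobject]@{ Path = $path; Detection = $detection; Signature = $sig
                               MatchesReference = $matchesRef; Action = $action }
        }
    }

    Get-FindingTriage -Lines $Findings -RefDir $ReferenceDir | Format-Table -AutoSize
    ```

    A file that neither carries a valid signature nor matches the reference copy still only gets "investigate", not "delete"; the decision stays with the operator.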
     
  15. amanson

    amanson Registered Member

    Joined:
    May 23, 2005
    Posts:
    4
    Thanks to everyone who has helped me in my fight against these spywares. I have been protecting and cleaning my pc on a regular basis so obviously none of them were major threats, but still, while I'm far from obsessive about my room, or my bathroom's cleanliness, I am about my pc :D

    NOD32 did offer to delete MediaTickets, but I'm not sure how safe that would be. I would rather have removed it with one of these spyware tools whose URL jayt gave us, but you have to pay for them and they have no trial versions.

    So what should I do then? Turning off system restore is not going to delete MediaTickets is it? I will still have to delete it with NOD32, but I can do this without turning off system restore (I think).
     
  16. jayt

    jayt Registered Member

    Joined:
    Aug 30, 2004
    Posts:
    345
    Location:
    PA - USA

    Amanson, there is no charge for the Hijack This program from security forum that I mentioned in my first post. However, maybe an easier way to get rid of the Media Tickets adware would be to download and run the (free) uninstaller from the media ticket website. You can find it at:

    http://www.mediatickets.net/

    Look at the top of the page on the right hand side, next to Log In, click on "uninstaller" and the file will be downloaded to your computer. Just click on it and run it and it should uninstall all occasions of Media Ticket.

    Edit-Also, Marcos is quite correct. You should turn off (and then immediately turn back on) System Restore to flush the files from there.
     