NOD32 v4.2 BE: what to do after a threat's Action shows as "unable to clean"?

Discussion in 'ESET Server & Remote Administrator' started by Reedmikel, Feb 17, 2012.

Thread Status:
Not open for further replies.
  1. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    I'm new to ESET. Have my first infected machine (that didn't take long, only a few weeks after purchasing NOD32). After repeated scans it always lists "unable to clean" under the Threat's Action column. The specific threat is listed as "probably a variant of Win32/Clemag.NAL trojan".

    So, in general, what is the next logical step when ERAC shows "unable to clean"? I was hoping I could right-click the threat and find an option that would link me to more info about this threat, possibly including manual removal instructions. But I do not see any such option. If I click on Details on the context menu, nothing appears/happens.

    I'm sure they must have more built into this product to aid admins when NOD32 can't clean a threat automatically, right?
     
  2. Janus

    Janus Registered Member

    Joined:
    Jan 2, 2012
    Posts:
    588
    Location:
    Europe - Denmark .
  3. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Thanks Janus. I already saw that article and did not see any useful cleaning instructions. Instead, it lists generic things like "update your AV software"...
     
  4. karlisi

    karlisi Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    68
    Location:
    Latvia
    Scan the infected computer using a bootable antivirus CD, e.g. ESET SysRescue.
    More discs here.
     
  5. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Thanks Karlisi. I already booted into Safe Mode and ran an ESET scan and clean (which disappeared off screen when it finished, so I have no idea what it found). I imagine that does about the same as SysRescue.

    I work remotely, so creating a boot disc/media is an absolute last resort. I can make machines boot into Safe Mode (with networking enabled) and even remote into them while in Safe Mode. So I have a lot of capabilities with my remote tools.

    I am more interested in what one should do from within ERAC, as that is the tool MSPs should be using to manage malware issues like this.
     
  6. karlisi

    karlisi Registered Member

    Joined:
    Apr 7, 2011
    Posts:
    68
    Location:
    Latvia
    A Safe Mode scan is not the same as an offline scan, but this trojan is not the worst, so it worked for you. Some viruses integrate so deeply into Windows that you can clean them only if Windows is not started.

    From ERAC you can try SysInspector scripting, but there is very little chance of success, because virus processes are very cleverly masked.
     
  7. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    I have a 2nd infected machine, this one with a threat that is listed as "a variant of Win32/Olmarik.AWO trojan" and of course "unable to clean".

    I have a case open with Labtech/ESET, but I guess they are too busy to respond. So I started searching the Support area on their web site and found a "Stand-alone malware removal tools" page. I looked for Olmarik and found 2 possible tools. The first one didn't find anything, but the 2nd one did :) I let it clean it and let it reboot, then will run a full scan... Hopefully that will fix it.

    As a newbie I do not understand why some of this cannot be built right into ERAC. Why do I have to hunt through their website for a special removal tool? Come on - the threat was detected by a full scan, but could not be cleaned by the standard NOD32 client software. WHY can't I right-click on the threat in ERAC (the console for EAV v4.x Business Edition) and be offered a menu option like a link: "Manual removal instructions on ESET web site"?

    Better yet, why can't ERAC be smart enough to push the manual remediation tool right to the infected machine? Then run it, reboot and perform a scan? WHY do I have to figure all this crap out o_O

    I guess I should pass this on as a feature request?
     
  8. gadget

    gadget Registered Member

    Joined:
    Feb 20, 2012
    Posts:
    6
    Location:
    USA
    Can you share which tool worked?
     
  9. Reedmikel

    Reedmikel Registered Member

    Joined:
    Dec 30, 2011
    Posts:
    185
    Sure, it was their manual removal tool for "OlmarikTdl4" (dated Jan 2012). The older one from 2010 did not detect anything, but this newer one did.
