Nod32 & wextract.exe

Discussion in 'NOD32 version 2 Forum' started by TJP, Dec 29, 2006.

Thread Status:
Not open for further replies.
  1. TJP

    TJP Registered Member

    Joined:
    May 6, 2006
    Posts:
    120
    Hi all,

    I've just run a full system scan (signatures are 1944 & scanning setup per Blackspear's tutorial) & Nod32 alerted me to the following viri:

    C:\WINDOWS\ServicePackFiles\i386\wextract.exe - Win32/TrojanDropper.Agent.NDN trojan - Error quarantining the object - - unable to clean - deleted
    C:\WINDOWS\system32\wextract.exe - Win32/TrojanDropper.Agent.NDN trojan - Error quarantining the object - - unable to clean - deleted

    Upon their deletion, XP asked me to insert my service pack 2 disk to reinstall the files...I have a feeling they may well be legit MS files.

    Further, these were not detected this afternoon when I ran the same full system scan (signature files being 1943) so I'm at a loss as to why these have been detected as viruses.

    Can anyone shed some light on this? Are they FP or legit virus files?

    Cheers.
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It looks like a false positive.

    Cheers :D
     
  3. TJP

    TJP Registered Member

    Joined:
    May 6, 2006
    Posts:
    120
    Thank you for the quick response.

    BTW, you are the man who I bought my copy of Nod32 from :D (and sold it to a few others from my work!).

    Cheers.
     
  4. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You are welcome.

    Cheers :D
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Update 1945 has addressed this False Positive.

    Cheers :D
     
  6. silver-spoon

    silver-spoon Registered Member

    Joined:
    Dec 29, 2006
    Posts:
    6
    Guys, how to get back wextract.exe?
    thanks
     
  7. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    With XP you should find an exact back-up file of wextract.exe located in your WINDOWS\ServicePackFiles\i386 folder that you can copy into your WINDOWS\system32 folder.

    Bubba
     
  8. ASpace

    ASpace Guest

    Has NOD32 made a copy in the Quarantine? If so, restore from the Quarantine (Control Center -> NOD32 System Tools -> Quarantine)
     
  9. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    I also had this false positive, had a hunch that it was FP and closed the alert window pending further investigation. I should have selected ignore or quarantine. Now Amon shows 10 files infected - but of course there are none (confirmed also after 1945 sig. update and full scan)

    How to get Amon status window to correctly reflect 0 files infected?
    Will check on reboot tomorrow.
     
  10. ASpace

    ASpace Guest

    The latest update is 1946

    What does the full scan flag as infected?
     
  11. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Full scan with sig. 1946 is clean - nothing infected. But Amon still shows 10 due to the actions I took with the fp viz. closing the alert window. See image of Amon status after I did above scan. Thanks.
     

    Attached Files:

    • Amon.jpg
  12. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Since that was the last action....that's the info that will remain until other action takes place. If you'd like to not see that info....un-check Amon and then immediately re-check Amon. It should then flush out that previous info and it should show newer info.

    Bubba
     
  13. ASpace

    ASpace Guest

    ... or restart the computer (will have the same effect)
     
  14. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Very true....and time to have a cup of coffee while it's re-booting :eek:
     
  15. ASpace

    ASpace Guest

    A friend of mine used to prepare himself something to eat :blink: while his old computer was restarting, this is true story ;)
     
  16. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Thanks Bubba and HiTech_boy.
    No time for coffee, the damn computer reboots too fast after installing NOD32, about 20 seconds from a warm start.
    Un-checking and then re-enabling did not do the trick, but the reboot sure did. :D :cool:
     
  17. Bubba

    Bubba Updates Team

    Joined:
    Apr 15, 2002
    Posts:
    11,271
    Now you're just bragging....but I do now have my boots on in case it gets deeper in here :eek: :D
     
  18. STx

    STx Registered Member

    Joined:
    Dec 30, 2006
    Posts:
    5
    Location:
    Sydney,Australia
    mm I have the same issue here, I deleted the wextract.exe from quarantine and I just found this forum hehe. I looked in that folder and there's only a few files there and it doesn't have wextract.exe, it's probably because the OS was just recently installed on a new pc using winxp sp2 slipstreamed cd. I actually found that similar file in the slipstreamed iso but it's called- "WEXTRACT.EX_File". How should I convert it to the .exe?

    thanks

    edit: can anyone send me wextract.exe (SP2 version-latest?) please?
     
    Last edited: Dec 30, 2006
  19. lodore

    lodore Registered Member

    Joined:
    Jun 22, 2006
    Posts:
    9,006
    20 second boot time? What are your pc specs?
    lodore
     
  20. DevilFrank

    DevilFrank Registered Member

    Joined:
    Jul 20, 2003
    Posts:
    108

    Try this
     
  21. Ocky

    Ocky Registered Member

    Joined:
    May 6, 2006
    Posts:
    2,677
    Location:
    George, S.Africa
    Certainly not as good as you would think. What makes a huge difference is the 10000 rpm WD Raptor HDD from which the OS boots. Also I have disabled unnecessary services and have kept my start-up entries down to only what is really needed. Anyway I was trying to pull Bubba's leg re. having time to make coffee. The 20 sec. figure is actually the time after POST.
    Motherboard:
    CPU Type DualCore AMD Athlon 64 X2, 2400 MHz (12 x 200) 4600+
    Motherboard Name Asus A8N-SLI Deluxe (3 PCI, 2 PCI-E x1, 2 PCI-E x16, 4 DDR DIMM, Audio, Dual Gigabit LAN,
    System Memory 2048 MB (PC3200 DDR SDRAM)
    Disk Drive ST3120827AS (120 GB, 7200 RPM, SATA)
    Disk Drive WDC WD740GD-00FLC0 (74 GB, 10000 RPM, SATA)

    Regards and have a good 2007 ! :)

    EDIT: Apologies; this is off-topic but a question has been asked and there is the "coffee" link. :)
     
    Last edited: Dec 30, 2006
  22. STx

    STx Registered Member

    Joined:
    Dec 30, 2006
    Posts:
    5
    Location:
    Sydney,Australia
    I just tried that but it just restores WEXTRACT.EX_ or something, not the wextract.exe instead. Hmm, could I just copy this file from my other pc which also uses winxp sp2, and just paste it in here?
     
  23. ASpace

    ASpace Guest

    Don't. Use Windows XP's System Restore and get back to some days ago

    Start->Programs->Accessories->System Tools->System Restore

    Choose to restore to a date before NOD32 flagged this as trojan and follow the instructions. You'll restart and the files should be there :)

    Open NOD32's Control Center -> Update and press Update Now ;)
     
  24. STx

    STx Registered Member

    Joined:
    Dec 30, 2006
    Posts:
    5
    Location:
    Sydney,Australia
    mm thanks, but I disabled system restore before, so I can't use that. There wouldn't be any harm from copying the file from my other pc right? Also I haven't had any errors or problems yet.
     
  25. ASpace

    ASpace Guest

    I cannot guarantee for absolutely sure but try :thumb:
     