Problem with what seems to be Malware.

Discussion in 'ESET NOD32 Antivirus' started by toxein, Apr 12, 2010.

Thread Status:
Not open for further replies.
  1. toxein

    toxein Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    8
    Hello there. Kind of getting desperate here.

    For the past few days, every time I do a search on Google, for example, NOD32 blocks a couple of pages from opening. I went to the logs and this is what I get:

    13-04-2010 0:10:08 HTTP filter file DO NO OPEN THIS!!! -> ~Link removed~ <- DO NO OPEN THIS!!! a variant of Win32/Oficla.FX trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.

    Well, I ran a scan and deleted one or two things, including what appeared to be a Win32/Kryptik.DPU trojan variant.

    The thing is, the problem persists, and even after using other tools (Malwarebytes, or even Spybot in safe mode, which were unable to find anything) I can't seem to end this problem.

    Could really use some help here :doubt:
     
    Last edited by a moderator: Apr 12, 2010
  2. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    So, it works as it should and just saved you from a possible infection? Stop downloading stuff from dubious sites, pretty much - that's your solution. :D
     
  3. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,722
    Location:
    Texas
    Hello toxein,

    No links to possible malware are to be posted on the forums.

    Please submit your file to ESET.
     
  4. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
  5. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    He's NOT infected. He's complaining that NOD32 saved his ass by terminating connection to a malware infested site.

     
  6. toxein

    toxein Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    8
    Well, let's see. First of all, I am not complaining about the product, so you can dispense with the sarcasm. And secondly, if I stop downloading stuff from dubious sites (which I actually didn't do), will that solve my CURRENT problem? I guess not. Thanks for the useless comment.

    If you had been as careful reading my post as you were being a jackass, you would have noticed that I mentioned that this happens when I search for something on GOOGLE. Dubious site, huh?

    Thank you for your help. Going to try it.
     
  7. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    And you can certify that having checked the machine? Otherwise:
    "Well, i made a scan and deleted one or 2 things, including what appeared to be a Win32/Kryptik.DPU trojan variant."
     
  8. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Maybe you could actually describe your problem better? So, you are trying to say that you do a search on Google and, without opening any of the search results, you get malware downloaded? Or what exactly is your problem?
     
  9. toxein

    toxein Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    8
    Example: when I do a search in Firefox (using Google in the search bar), or even if I search using the actual site, as soon as I get the results, NOD32 blocks a series of pages. That makes me think that I have some kind of malware that interacts with my browser, namely when I search for stuff on Google.
     
  10. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Did you try another browser? Does it happen there as well? Did you try deleting your FF profile? Still happens? And are you absolutely sure you are browsing the real Google? (Like, what does ping www.google.com show?)
     
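doktornotor's question about whether the machine is really reaching Google comes down to checking the local name-resolution path first, because a hosts-file entry overrides DNS before the browser or ping ever sees a server. The following is an added example, not code from this thread or from ESET: it parses a Windows hosts file (a constructed sample is embedded; on a real machine the file lives at %SystemRoot%\System32\drivers\etc\hosts) and reports any watched domain that is pinned to an address, distinguishing entries that merely sinkhole a site from entries that redirect it elsewhere. The watchlist and the two override lines in the sample are assumptions made for the example.

```python
import ipaddress
import os
from typing import Dict, Iterator, Tuple, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Real location of the file on Windows; used only if it exists on this machine.
WINDOWS_HOSTS = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                             "System32", "drivers", "etc", "hosts")

# Constructed sample: the two default loopback lines plus two overrides of the
# kind that would make "ping www.google.com" answer from somewhere other than Google.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.google.com google.com   # constructed redirect (TEST-NET-2 address)
0.0.0.0         www.eset.com                # constructed sinkhole of the vendor site
"""

# Names worth checking; an assumption for the example (Google, and the vendor the
# thread tells the poster to submit samples to).
WATCHLIST = {"www.google.com", "google.com", "www.eset.com"}


def parse_hosts(text: str) -> Iterator[Tuple[IPAddr, str]]:
    """Yield (address, hostname) pairs; skips blanks, comments and unparsable lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drops whole-line and trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                               # not an address: ignore the line
        for name in fields[1:]:                    # one address may carry several names
            yield addr, name.lower()


def hosts_overrides(text: str, watchlist=WATCHLIST) -> Dict[str, Tuple[str, str]]:
    """Map each watched name found in the hosts file to (address, kind).

    kind is "sinkholed" for loopback or unspecified addresses (the site just fails)
    and "redirected" for anything else (traffic goes to a host the user never chose).
    A clean hosts file yields an empty dict: no watched name should appear in it at all.
    """
    found: Dict[str, Tuple[str, str]] = {}
    for addr, name in parse_hosts(text):
        if name not in watchlist:
            continue
        kind = "sinkholed" if (addr.is_loopback or addr.is_unspecified) else "redirected"
        found[name] = (str(addr), kind)
    return found


def check_local_machine(watchlist=WATCHLIST):
    """Run the check against the real Windows hosts file if present; None elsewhere."""
    if not os.path.exists(WINDOWS_HOSTS):
        return None
    with open(WINDOWS_HOSTS, encoding="utf-8", errors="replace") as fh:
        return hosts_overrides(fh.read(), watchlist)


if __name__ == "__main__":
    for name, (addr, kind) in sorted(hosts_overrides(SAMPLE_HOSTS).items()):
        print(f"{name:20} {kind:10} -> {addr}")
```

If the hosts file is clean and ping still returns an address you do not recognise, the next thing to compare is the resolver configuration itself (the DNS servers the adapter is handed), since that is the other place resolution can be bent before the browser is involved.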
  11. toxein

    toxein Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    8
    Same thing happens with Internet Explorer; I didn't see any need to delete the Firefox profile. And when I ping Google, the IP is normal (209.85.229.104).
     
  12. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    Well, run Eset SysInspector, generate the log and let ESET have phun with that then. (Could try your luck w/ other tools meanwhile - SAS, Hitman Pro...)
     
  13. toxein

    toxein Registered Member

    Joined:
    Apr 17, 2007
    Posts:
    8
    Been there, done that (Spybot, SAS, Malwarebytes, Hitman Pro). I'm gonna try to get some help in another forum; if that doesn't work, I'll either contact ESET or just format the whole damn thing.
     
  14. jonymitra

    jonymitra Registered Member

    Joined:
    Apr 12, 2010
    Posts:
    1
    Hello toxein,

    I think I have a problem similar to yours :\
    My NOD32 is going crazy about these warnings:

    HTTP filter file http://client1**.********.***/cache/undo1_2.exe a variant of Win32/Oficla.FX trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.

    And I got this one too, like you said:

    Startup scanner file C:\Windows\system32\certjava.dll a variant of Win32/Kryptik.DPU trojan cleaned by deleting (after the next restart) - quarantined

    So far I have tried the following software:
    HijackThis, NOD32, AVG Rescue USB, Avira Antivirus, Malwarebytes, Seek&Destroy, Combifix

    But no program was able to detect the problem.

    If you have any news on how to fix this, please share :)

    thanks
     
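The detection lines quoted by both posters follow the same layout as ESET's threat log (scanner module, object type, object, threat name, action taken, user, and a closing sentence naming the process that triggered the detection). The following is an added example, not code from this thread or from ESET: a parser for that layout, run over constructed copies of the three lines posted above (the masked URL and the moderator's "DO NO OPEN THIS" edit kept as they appear), plus a filter that isolates the clue both logs share, namely an HTTP-filter hit attributed to svchost.exe rather than to a browser. The scanner-module and threat-type words beyond those shown on the page, and the browser names treated as expected downloaders, are assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the three detections quoted in this thread.
SAMPLE_LOG = r"""
13-04-2010 0:10:08 HTTP filter file DO NO OPEN THIS!!! -> ~Link removed~ <- DO NO OPEN THIS!!! a variant of Win32/Oficla.FX trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\WINDOWS\system32\svchost.exe.
HTTP filter file http://client1**.********.***/cache/undo1_2.exe a variant of Win32/Oficla.FX trojan connection terminated - quarantined NT AUTHORITY\SYSTEM Threat was detected upon access to web by the application: C:\Windows\System32\svchost.exe.
Startup scanner file C:\Windows\system32\certjava.dll a variant of Win32/Kryptik.DPU trojan cleaned by deleting (after the next restart) - quarantined
"""

# Column layout of an exported ESET threat-log line flattened to one string. The module
# names other than "HTTP filter"/"Startup scanner" and the threat-type words other than
# "trojan" are assumptions added so the pattern also covers common neighbouring entries.
LINE_RE = re.compile(
    r"^(?:(?P<time>\d{2}-\d{2}-\d{4} \d{1,2}:\d{2}:\d{2}) )?"
    r"(?P<scanner>HTTP filter|Startup scanner|Real-time file system protection|On-demand scanner) "
    r"(?P<objtype>\w+) "
    r"(?P<object>.+?) "
    r"(?P<threat>(?:probably )?(?:a variant of )?[\w./-]+ (?:trojan|worm|virus|backdoor|adware)) "
    r"(?P<action>.+?)"
    r"(?: (?P<user>NT AUTHORITY\\SYSTEM|\S+\\\S+))?"
    r"(?: Threat was detected upon access to (?P<where>\S+) by the application: (?P<app>.+?))?"
    r"\.?$"
)

# Processes expected to fetch web content; assumption (the two browsers named in the thread).
BROWSERS = {"firefox.exe", "iexplore.exe"}


@dataclass
class Detection:
    time: Optional[str]
    scanner: str
    object_type: str
    obj: str
    threat: str
    action: str
    user: Optional[str]
    access: Optional[str]        # "web" for HTTP-filter hits, None for on-disk finds
    application: Optional[str]   # process that triggered the detection, if logged


def parse_line(line: str) -> Optional[Detection]:
    """Parse one flattened log line; None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Detection(g["time"], g["scanner"], g["objtype"], g["object"], g["threat"],
                     g["action"], g["user"], g["where"], g["app"])


def parse_log(text: str) -> List[Detection]:
    return [d for d in (parse_line(ln) for ln in text.splitlines()) if d is not None]


def family(threat: str) -> str:
    """'a variant of Win32/Oficla.FX trojan' -> 'Oficla' (platform and variant letters dropped)."""
    name = threat.replace("a variant of ", "").replace("probably ", "").split()[0]
    return name.split("/")[-1].split(".")[0]


def family_counts(dets: List[Detection]) -> Counter:
    return Counter(family(d.threat) for d in dets)


def non_browser_web_hits(dets: List[Detection]) -> List[Detection]:
    """HTTP-filter detections where the fetching process is not a browser.

    A download blocked while the user is merely reading search results, attributed to a
    system process such as svchost.exe, means something already on the host issued the
    request; the browser is a bystander. This is the question raised later in the thread.
    """
    hits = []
    for d in dets:
        if d.scanner == "HTTP filter" and d.application:
            exe = d.application.replace("/", "\\").rsplit("\\", 1)[-1].lower()
            if exe not in BROWSERS:
                hits.append(d)
    return hits


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    print("threat families:", dict(family_counts(dets)))
    for d in non_browser_web_hits(dets):
        print(f"non-browser download of {d.obj!r} by {d.application} ({d.action})")
```

Run against a real export, the same two functions separate "the scanner stopped a page I clicked" from "a resident process keeps reaching out", which is exactly the distinction the first two replies in this thread argue about.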
  15. doktornotor

    doktornotor Registered Member

    Joined:
    Jul 19, 2008
    Posts:
    2,047
    So what's using svchost.exe to download it? Why don't you install some firewall which will watch the outbound traffic to see?
     
  16. tower059

    tower059 Registered Member

    Joined:
    Apr 13, 2010
    Posts:
    1
    Hello jonymitra,

    I had the same response, plus no software was able to detect the problem.
    What I noticed monitoring svchost.exe is that periodically a new one is generated in a Temp subfolder by undo1_2.

    Waiting for further news...

    Thank you all :)
     
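tower059's observation is the kind of thing a process inventory can check mechanically: a genuine svchost.exe is always started by services.exe and always runs from %SystemRoot%\System32 (or SysWOW64 on 64-bit systems), so an svchost.exe with a Temp-folder image path and an ordinary user program as its parent fails both tests. The following is an added example, not code from this thread or from ESET: it runs those checks over a constructed inventory (PIDs, the profile path and the Temp subfolder name are made up, modelled on the post above), and reports each flagged process with its parent chain. The records could equally be filled from any listing that gives image path and parent PID, such as an ESET SysInspector log.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    path: str   # full image path; empty when unknown (e.g. the System pseudo-process)


# Constructed inventory: a legitimate svchost.exe under services.exe, and a second
# "svchost.exe" started from a Temp subfolder by undo1_2.exe, as described in the thread.
SAMPLE_PROCS = [
    Proc(4,    0,    "System",       ""),
    Proc(560,  4,    "smss.exe",     r"C:\WINDOWS\system32\smss.exe"),
    Proc(620,  560,  "winlogon.exe", r"C:\WINDOWS\system32\winlogon.exe"),
    Proc(668,  620,  "services.exe", r"C:\WINDOWS\system32\services.exe"),
    Proc(880,  668,  "svchost.exe",  r"C:\WINDOWS\system32\svchost.exe"),
    Proc(1480, 1420, "explorer.exe", r"C:\WINDOWS\explorer.exe"),   # parent already exited
    Proc(2012, 1480, "undo1_2.exe",
         r"C:\Documents and Settings\user\Local Settings\Temp\undo1_2.exe"),
    Proc(2044, 2012, "svchost.exe",
         r"C:\Documents and Settings\user\Local Settings\Temp\a1b2\svchost.exe"),
]


def _norm(p: str) -> str:
    """Case-folded path with Windows separators and no trailing separator."""
    return p.replace("/", "\\").lower().rstrip("\\")


def is_under(path: str, directory: str) -> bool:
    """True if path lies inside directory (case-insensitive; 'system32.old' is not 'system32')."""
    return _norm(path).startswith(_norm(directory) + "\\")


def parent_chain(p: Proc, by_pid: Dict[int, Proc], limit: int = 16) -> List[str]:
    """Names of the ancestors, nearest first; stops at a missing parent or a PID cycle."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(p.ppid)
    while cur is not None and cur.pid not in seen and len(chain) < limit:
        seen.add(cur.pid)
        chain.append(cur.name)
        cur = by_pid.get(cur.ppid)
    return chain


def svchost_findings(procs: List[Proc], system_root: str = r"C:\WINDOWS") -> List[dict]:
    """Flag processes that break the rules a genuine svchost.exe always follows,
    plus anything at all executing out of a Temp directory."""
    trusted_dirs = [system_root + r"\system32", system_root + r"\syswow64"]
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        reasons = []
        is_svchost = p.name.lower() == "svchost.exe"
        if is_svchost and not any(is_under(p.path, d) for d in trusted_dirs):
            reasons.append("svchost.exe image outside System32")
        if is_svchost:
            parent = by_pid.get(p.ppid)
            if parent is None or parent.name.lower() != "services.exe":
                reasons.append("svchost.exe not started by services.exe")
        if "\\temp\\" in _norm(p.path):
            reasons.append("image runs from a Temp directory")
        if reasons:
            findings.append({"pid": p.pid, "name": p.name, "path": p.path,
                             "parents": parent_chain(p, by_pid), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in svchost_findings(SAMPLE_PROCS):
        print(f"[{f['pid']}] {f['name']}  {f['path']}")
        print("    parents:", " <- ".join(f["parents"]) or "(none)")
        for r in f["reasons"]:
            print("    -", r)
```

The parent chain is what turns a flagged process into a lead: here it points from the fake svchost.exe straight back to undo1_2.exe and the user session that launched it, which is the file to submit rather than the child it keeps spawning.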