Question: a variant of Win32/Ozdok trojan

Discussion in 'ESET NOD32 Antivirus' started by Gold, Apr 20, 2008.

Thread Status:
Not open for further replies.
  1. Gold

    Gold Registered Member

    Joined:
    Apr 20, 2008
    Posts:
    3
    Hi Guys,
    I have some question..

    A few days ago I started to receive the following NOD32 message:

    hxxp://208.72.169.189/notepad.exe
    a variant of Win32/Ozdok trojan

    This message appears with some frequency, which means that the threat is still a danger for my computer. Please advise how to deal with it.

    Thanks in advance,
    Regards,
    Gold.
     
    Last edited by a moderator: Apr 20, 2008
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Hello Gold,

    As long as NOD is detecting the threat, it is not a danger. However, I would stay away from sites that present you with a warning.

    Your link has been modified in the original post.
     
  3. Gold

    Gold Registered Member

    Joined:
    Apr 20, 2008
    Posts:
    3
    Thanks for your reply.
    The problem is that I don't visit the site mentioned above.
    Let's say for example I just watch Youtube and suddenly the NOD32 message
    appears about hxxp://xxx.xxx.xxx.xxx that the threat 'a variant of Win32/Ozdok trojan' was terminated. OK, I open another website, let's say Google.com. And in 5 minutes again... Suddenly the NOD32 message
    appears about hxxp://xxx.xxx.xxx.xxx that the threat 'a variant of Win32/Ozdok trojan' was terminated. I've deleted all temporary internet files and cookies, but I still have the problem even if I disconnect and then reconnect to the Internet. I just can't figure out what happens. If it is caused by some file that is placed on my HDD, how do I find it? If it's some outside threat, why does it try to attack me even if I reconnect and change my IP address? By the way, this IP belongs to some allromantic website that I never visited and am not even going to visit... :doubt:
     
  4. ASpace

    ASpace Guest

    One more thing, in addition to Ron's answer to you.

    If you receive such a warning even without you doing something (e.g. visiting a web-site), you could have a trojan horse downloader. If this is the case, contact the ESET support office, describe your case and provide a log file from ESET SysInspector (as an attachment).
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    If there is a trojan downloader that attempts to connect out, you can identify it by setting your firewall
    to alert to any outbound connection. I do this when testing malware to see if it spawns a downloader
    that attempts to connect out:

    ----
    rich
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Please send a log from ESET SysInspector to support[at]eset.com with this thread's url enclosed. The application that attempted to download the file is listed in the Threat log.
     
  7. Gold

    Gold Registered Member

    Joined:
    Apr 20, 2008
    Posts:
    3
    The problem was solved by:

    1. Removing .exe files that were created on

    C:\Documents and Settings\user\Local Settings\Temp\...

    2. File svchost.exe was infected.

    Details of the svchost.exe mentioned:
    "File" = "c:\windows\system32\svchost.exe:exe.exe" has 28160 bytes with "SHA1" = "5B2324678F549C65B4C31424EBC51BAD3614B557" and no valid MS digital signature.

    Common svchost.exe details:
    "File" = "c:\windows\system32\svchost.exe" with "File Size" = "14336" and "SHA1" = "DA0FF4006859A7580ABA81F486F692DEAD2014FE" with valid MS digital signature.

    I'm not sure I understand my own actions,
    because I did it in an intuitive way :)

    I've renamed svchost.exe to svchost.exe_
    and a new svchost.exe file was somehow re-created.

    Now the NOD32 message windows about the virus threat have disappeared.

    If anyone can explain why svchost.exe was 'automatically' re-created,
    I'd be happy.

    Thanks guys!

    Regards,
    Gold.
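    The `svchost.exe:exe.exe` path in Gold's post is an NTFS alternate data stream attached to the real svchost.exe, which is why the stream had its own size and SHA1. The following PowerShell script is an added example, not from this thread or from ESET: it lists every stream on a binary, hashes each one, flags the SHA1 Gold reported, and checks the main file's Authenticode signature. The function name Test-AdsOnBinary is my own, and it assumes Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: inspect a system binary for alternate data streams (ADS),
# hash each stream and check the main file's Authenticode signature.
# Assumes Windows PowerShell 3.0+ on NTFS. The known-bad SHA1 is the value
# Gold posted for svchost.exe:exe.exe; the function name is my own.
function Test-AdsOnBinary {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $KnownBadSha1 = @('5B2324678F549C65B4C31424EBC51BAD3614B557')
    )
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $streams = foreach ($s in Get-Item -LiteralPath $Path -Stream *) {
        # ':$DATA' is the file's normal content; any other name is an ADS.
        $isAds = $s.Stream -ne ':$DATA'
        $streamPath = if ($isAds) { "${Path}:$($s.Stream)" } else { $Path }
        # .NET opens "file:stream" directly on NTFS, so the ADS can be hashed.
        $fs = [System.IO.File]::Open($streamPath, 'Open', 'Read', 'ReadWrite')
        try {
            $hash = ($sha1.ComputeHash($fs) | ForEach-Object { $_.ToString('X2') }) -join ''
        } finally {
            $fs.Dispose()
        }
        [pscustomobject]@{
            Stream   = $s.Stream
            IsAds    = $isAds
            Length   = $s.Length
            SHA1     = $hash
            KnownBad = ($KnownBadSha1 -contains $hash)
        }
    }
    # A genuine Microsoft binary should report Status 'Valid' here.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        Path            = $Path
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        Streams         = $streams
    }
}

$report = Test-AdsOnBinary -Path "$env:SystemRoot\System32\svchost.exe"
$report | Format-List Path, SignatureStatus, Signer
$report.Streams | Format-Table Stream, IsAds, Length, SHA1, KnownBad -AutoSize
if ($report.Streams | Where-Object { $_.IsAds -or $_.KnownBad }) {
    Write-Warning "Extra or known-bad stream on $($report.Path); send the file and a SysInspector log to the vendor."
}
```

    On a clean system the only stream listed is `:$DATA` with a valid Microsoft signature; any additional stream on a file under System32 deserves a closer look.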
     
  8. ASpace

    ASpace Guest

    Well, send this suspicious svchost.exe to ESET support. Also include a log file from SysInspector and they'll provide professional help for all your questions/problems.
     
  9. Tranquillity

    Tranquillity Registered Member

    Joined:
    Apr 21, 2008
    Posts:
    1
    Thanks for the solution.
    I have been trying to get rid of this for a little while now on a friend's laptop.
    Following your instructions did the job.
    Well done and thanks,
    Tranquillity.
     