removing Win32\Padobot

Discussion in 'NOD32 version 2 Forum' started by pykko, Nov 3, 2006.

Thread Status:
Not open for further replies.
  1. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Hello!
    Recently one friend having no ideea about security , AV, etc visited an website and got infected with Win32\Padobot. :(

    Unfortunately she had 2 real-time scanners installed which were running at the same time. One was NOD32. Now NOD prompts about the virus, but how can she clean it?

    Can this worm be removed, or should she reinstall Windows? I know the virus uses the LSASS security hole (MS04-011 Microsoft Security Bulletin).

    She doesn't know how to do it anyway... she basically knows nothing about PCs. :D

    I am supposed to go to her and clean the PC and I wanted to have some advice. Should I try something else instead of booting in Safe Mode and scanning with NOD? (Of course, removing the other AV scanner first of all. :D)
     
  2. pc-support

    pc-support Registered Member

    Joined:
    Mar 10, 2005
    Posts:
    285
    Location:
    Edinburgh, UK
    Safe mode and Blackspear's settings :D
     
  3. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I'll try and hope it will work. :D
     
  4. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, I couldn't manage to boot in safe mode. I scanned her PC with NOD32, found 4 .tmp files infected with Win32\Padobot.AA, and then the LSASS error appeared suddenly: "Your computer will restart in 60 sec." The counter went down to 0 and the PC restarted. :(

    I reinstalled Windows as the girl said there was nothing to preserve on that partition and it's better to have a fresh installation. I installed NOD32 right after Windows and instantly got an IMON alert:
    The LSASS error appeared again and the computer restarted. :'( I installed a firewall that prompted me that it had blocked connections to http://10.40.140.../xxxxx (8 attempts; those dots signify different numbers, the address kept changing, only the first 3 groups of numbers stayed the same).

    Do you know if this is a virus or not? I think after a fresh install, with a format beforehand, the virus couldn't persist, could it?

    I scanned the PC with NOD again after fresh install and found nothing. o_O
     
  5. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    @pykko

    Is this a home machine or does she have it at college or something like that? 10.x.x.x is a private subnet, so it's coming from somewhere not on the internet.

    -Cov
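    The point covaro makes above (a 10.x.x.x source is RFC 1918 space, so the blocked connections come from the provider's LAN rather than the public internet) is the kind of check a firewall log should answer directly. The following is an added example, not code from the thread or from any of the products mentioned: it parses a few constructed log lines in a hypothetical "date time ACTION proto src:port -> dst:port" format, groups the BLOCKed attempts by source /24, and reports whether each prefix is an RFC 1918 range and which destination ports it probed. The 10.40.140.x sources echo the prefix pykko reported; every other value is invented.

    ```python
    import ipaddress
    import re
    from collections import Counter, defaultdict

    # Constructed sample firewall log lines (not from the original thread); the
    # 10.40.140.x sources mirror the prefix pykko reported, the rest is invented.
    SAMPLE_LOG = """\
    2006-11-05 21:14:02 BLOCK TCP 10.40.140.17:1045 -> 192.168.1.5:445
    2006-11-05 21:14:09 BLOCK TCP 10.40.140.23:2201 -> 192.168.1.5:445
    2006-11-05 21:14:31 BLOCK TCP 10.40.140.88:3310 -> 192.168.1.5:135
    2006-11-05 21:15:02 BLOCK TCP 203.0.113.9:4411 -> 192.168.1.5:445
    2006-11-05 21:15:44 ALLOW TCP 192.168.1.5:1100 -> 198.51.100.7:80
    """

    # Hypothetical log format: "<date> <time> <ACTION> <proto> <src>:<port> -> <dst>:<port>"
    LINE_RE = re.compile(
        r"^(?P<ts>\S+ \S+) (?P<action>BLOCK|ALLOW) (?P<proto>\w+) "
        r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
    )

    # RFC 1918 ranges are checked explicitly: ipaddress's is_private also covers
    # documentation and reserved blocks, which is not what "private LAN" means here.
    RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


    def is_rfc1918(ip_str):
        """True if the address lies in one of the RFC 1918 private ranges."""
        ip = ipaddress.ip_address(ip_str)
        return any(ip in net for net in RFC1918)


    def parse_line(line):
        """Parse one log line into a dict of fields, or return None if it does not match."""
        m = LINE_RE.match(line.strip())
        return m.groupdict() if m else None


    def summarize_blocked(log_text):
        """Group BLOCKed attempts by source /24 and report, per prefix, how many
        attempts were seen, whether the prefix is RFC 1918 (a neighbour on the
        local network rather than the public internet), and which destination
        ports it was probing."""
        attempts = Counter()
        ports = defaultdict(set)
        for line in log_text.splitlines():
            rec = parse_line(line)
            if rec is None or rec["action"] != "BLOCK":
                continue
            # Collapse the host address to its /24 so the "last group keeps changing"
            # pattern pykko described shows up as one prefix with several attempts.
            prefix = str(ipaddress.ip_network(rec["src"] + "/24", strict=False))
            attempts[prefix] += 1
            ports[prefix].add(int(rec["dport"]))
        return {
            prefix: {
                "attempts": n,
                "rfc1918": is_rfc1918(prefix.split("/")[0]),
                "ports": sorted(ports[prefix]),
            }
            for prefix, n in attempts.items()
        }


    if __name__ == "__main__":
        for prefix, info in summarize_blocked(SAMPLE_LOG).items():
            origin = "private LAN (RFC 1918)" if info["rfc1918"] else "public address"
            print(f"{prefix}: {info['attempts']} blocked, ports {info['ports']}, source is {origin}")
    ```

    Run against the constructed sample, the 10.40.140.0/24 prefix shows three blocked attempts from RFC 1918 space on ports 135 and 445, which is the signature of a neighbouring machine on the same provider network probing the host, while the single 203.0.113.0/24 entry is a non-private source. Checking the three RFC 1918 networks explicitly, rather than relying on `is_private`, avoids misclassifying documentation and reserved blocks as LAN neighbours.
    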
     
  6. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    It's a private machine, and you're right. I hadn't even set up her internet connection yet when IMON popped up. :(
     
  7. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    Assuming it's a direct connection to the internet (LAN, cable, DSL, et al.), even if you haven't "set up" the internet, it's still connected and communicating. From what it looks like, the vulnerability for this is patched by SP2. I'd take it along on a disc and install it before ever even connecting the ethernet cable.

    Beyond that, I don't remember how that particular virus works, but you can kill the shutdown by going to the Run box and typing "shutdown -a".

    -Cov
     
  8. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Thanks for the tip with shutdown. Anyway, I've questioned some other guys with the same connection and provider, and they told me this is actually a network even if it's a fiber link connection... I don't know exactly how, but anyway, perhaps somebody was scanning ports and dropping viruses. o_O
     
  9. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Always install behind a firewall, with Service Pack 2, install and update NOD32, then grab all the Windows updates, and finally begin installing the remaining programs.

    This way you are protected from the get-go.

    Cheers :D
     
    Last edited: Nov 7, 2006
  10. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    I've installed the firewall and NOD32 with all updates and everything is fine now. Thanks guys! ;)
     
  11. covaro

    covaro Registered Member

    Joined:
    Jul 4, 2006
    Posts:
    149
    Location:
    Abingdon, MD, USA
    @pykko

    Good to hear all is working as it should now.

    -Cov
     
  12. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    You are welcome.

    Cheers :D
     