serious amon question

Discussion in 'NOD32 version 2 Forum' started by realitybytez, Feb 5, 2007.

Thread Status:
Not open for further replies.
  1. realitybytez

    realitybytez Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    30
    ever since i installed nod32 on my network of 6 servers and 74 pcs, i have been getting sporadic messages similar to this:

    NOD32: Virus Alert
    5C4Q731@xxxxxxxxxx.com
    To: me
    2/5/2007 15:43:37 PM - AMON - File system monitor Threat Alert triggered on 5C4Q731: C:\DOCUME~1\marjorie\LOCALS~1\Temp\IH576.tmp is infected with probably a variant of Typer.704 virus.

    so can someone tell me with any degree of certainty if this means: "hey we found a virus. we thought you'd like to know. oh and by the way, we didn't do anything about it. the file is still infected with the virus"?

    because, that's how it reads to me.

    do I need to go back to all of these computers and manually remove all these viruses?
     
  2. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    "probably a variant of Typer.704 virus."

    Highlighted is heuristics in action, basically AMON is saving your bacon. It would appear that you have some form of dropper so I would get in contact with your local NOD32 support office and they will have you download 3 tools to help with analysis:

    HijackThis from HERE

    Autoruns from HERE

    Lookinmypc from HERE

    Then run each program and forward the logs from all three programs to me in a reply email together with the following:

    1. Go to the NOD32 Control Centre
    2. Click on Logs
    3. Right Click on one of last completed full system scan logs.
    4. Click on “Details”
    5. Right Click anywhere on the scan log
    6. Click on “copy all”
    7. Right Click in the replying email to me.
    8. Click on “Paste”

    This will paste a copy of one of the scans you have completed.

    Let us know how you go....

    Cheers :D
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    It could be a false positive. If the file is located in quarantine, send the appropriate nqi/nqf file from the eset/infected folder to samples @ eset.com with a link to this thread in the subject.
     
  4. realitybytez

    realitybytez Registered Member

    Joined:
    Sep 8, 2006
    Posts:
    30
    well, i wanted to come back here and at least report what i discovered.

    when i went to the infected computer and looked at the threat log, i found that the file in question had been deleted by amon.

    it sure would be nice if the email that was sent to me by amon would have reported that fact. o_O
     
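The point the thread ends on is that the AMON notification e-mail states a detection but not the action taken, so an administrator receiving it cannot tell whether the file was cleaned, deleted, or left in place without checking the threat log on the machine. The following added example (not code from the thread or from ESET) parses an alert line in the format quoted above, flags heuristic ("probably a variant of") detections, and cross-references the alerted file against threat-log entries to decide whether a manual visit is still needed. The threat-log layout (a list of host/path/action records) and the sample entries are constructed for the example, since the thread does not show the log's real format.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Regex for the AMON alert line as it appears in the notification e-mail quoted
# in the thread: timestamp, module name, host, file path, threat description.
ALERT_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?) - "
    r"(?P<module>\w+) - File system monitor Threat Alert triggered on "
    r"(?P<host>[^:]+): (?P<path>.+?) is infected with (?P<threat>.+?)\.?$"
)


@dataclass
class AmonAlert:
    timestamp: str
    module: str
    host: str
    path: str
    threat: str
    heuristic: bool          # "probably a variant of ..." means a heuristic hit, not a signature
    action: Optional[str]    # what was done to the file; None because the e-mail does not say


def parse_alert(line: str) -> Optional[AmonAlert]:
    """Parse one AMON alert line; return None if the line is not in the expected format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    threat = m.group("threat")
    return AmonAlert(
        timestamp=m.group("ts"),
        module=m.group("module"),
        host=m.group("host"),
        path=m.group("path"),
        threat=threat,
        heuristic=threat.lower().startswith("probably a variant of"),
        action=None,  # the alert format carries no action field at all
    )


def resolve_action(alert: AmonAlert, threat_log: list) -> Optional[str]:
    """Look the alerted file up in threat-log records (constructed layout: dicts with
    host/path/action) and return the recorded action, or None if there is no match."""
    for entry in threat_log:
        if entry["host"] == alert.host and entry["path"].lower() == alert.path.lower():
            return entry["action"]
    return None


def triage(line: str, threat_log: list) -> Optional[dict]:
    """Combine the e-mail alert with the threat log. needs_manual_review is True
    whenever no recorded action can be found for the alerted file."""
    alert = parse_alert(line)
    if alert is None:
        return None
    action = resolve_action(alert, threat_log)
    return {
        "host": alert.host,
        "path": alert.path,
        "threat": alert.threat,
        "heuristic": alert.heuristic,
        "action": action,
        "needs_manual_review": action is None,
    }


# Constructed sample input: the alert line from the thread (without the e-mail header)
# and a threat-log record reflecting what the poster later found on the machine.
SAMPLE_ALERT = (
    "2/5/2007 15:43:37 PM - AMON - File system monitor Threat Alert triggered on "
    r"5C4Q731: C:\DOCUME~1\marjorie\LOCALS~1\Temp\IH576.tmp is infected with "
    "probably a variant of Typer.704 virus."
)
SAMPLE_THREAT_LOG = [
    {"host": "5C4Q731",
     "path": r"C:\DOCUME~1\marjorie\LOCALS~1\Temp\IH576.tmp",
     "action": "deleted"},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT, SAMPLE_THREAT_LOG))
    print(triage(SAMPLE_ALERT, []))
```

Run against the constructed records, the first call reports `action: deleted` and no manual review needed, which is the outcome the poster found by hand; the second call, with an empty log, flags the host for a visit, which is the safe default when the only evidence is the e-mail.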