Serious problems at home - ? re. upgrading, quarantine

Discussion in 'ESET NOD32 Antivirus' started by Janices, Aug 30, 2009.

Thread Status:
Not open for further replies.
  1. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    I currently have v2 and want to upgrade to the latest version. We have been on Nod32 for the last 2 years & I just renewed in July.

    We are having serious security problems on our two computers at home. The kids play video games (in limited access accounts) on them which I think is the root of the problem. Our ISP has threatened to shut us off because somehow a trojan has gotten in and is sending emails to bank customers and is asking for account verification. We need to get this fixed ASAP. My husband's job requires us to have Internet access, so I need to make things as tight as possible.

    The instructions recommend uninstalling v2 before installing the new version. I don't want to uninstall v2 while on the Internet because of our problems. Can I download the new file (eav_nt32_enu.msi), unplug the computer from the internet, uninstall v2 and then install the new one? If so, how do I run the .msi file since it is not a .EXE file?

    Also, the ISP help desk said to check out eset.com & I told them I already had Nod32, then they said to run Kaspersky.com's free checker while in Safe mode. I couldn't do that because I didn't have Java runtime installed on the computer & I couldn't install it while in Safe mode. Third, they said to run Malwarebytes' anti-malware software. I did that in Safe mode & it found 5 threats on the one computer and 114 on the other one (the one I suspected was the problem). I have deleted them all. I went back and then ran Kaspersky checker on the 5 threat system and it found 5 again. I suspect they are the same 5 as Malwarebytes found. They were in the \ProgramFiles\eset\Infected directory. Is that the quarantine area? If so, how can I completely get rid of them? Can I just delete what is in the eset\infected directory?

    Short of backing up the files, reformatting the hard drive & reinstalling the OS, drivers and the data files, is there anything else I can do to be sure the system is clean?
     
  2. Carver

    Carver Registered Member

    Joined:
    Feb 5, 2006
    Posts:
    1,827
    Location:
    USA
    Check your firewall or change it to tighten up outbound traffic control to prevent Trojan droppers from phoning home.
     
  3. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    How would I check the firewall?
     
  4. JohnnyDollar

    JohnnyDollar Guest

    What is your OS? Do you know what firewall you have? You should be able to delete infected files in the Nod32 quarantine in the program. I don't have Nod 2.7, but the quarantine shouldn't be hard to find.
     
  5. JohnnyDollar

    JohnnyDollar Guest

    With the 114 infections that you have found on that one PC, I would say there is no way to be sure it is totally clean. The other PC, where you said they detected Nod's quarantine files, sounds like it may be OK. IMO I would do a reinstall on the PC with the 114 infections. Others here I am sure would argue against that, but that way you know for sure it is clean. That is why it is so important to use imaging software, so if this happens you can restore the PC from a clean image in only a matter of minutes and be up and running in no time thereafter.
     
  6. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    The PC with the 5 threats is XP Service Pack 2. The Windows firewall is marked as on.

    The PC with the 114 threats is XP Home Media 2002 Service Pack 2. When I click on the Windows Firewall icon under the control panel, I get "Windows Firewall settings cannot be displayed because the associated service is not running. Do you want to start the Internet Connection Service?" What does that mean?

    Also, can I download the new Nod32 separately and then install when I'm not on the internet?
     
  7. JohnnyDollar

    JohnnyDollar Guest

    It means that you have been running that PC without a firewall. Turn it on. I hope you have them hooked up to a NAT router. If not, then that media PC has been exposed to inbound traffic with no firewall, and that is bad. Your ISP is complaining about email traffic coming from that PC. Heck, that thing may be a zombie. Is Nod32 installed on both PCs? To answer your question, yes, you can download Nod and then install it, but you have to have an internet connection to update it.
     
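An added example, not from the thread, showing how the "associated service is not running" condition described above can be checked and fixed from a command prompt on XP SP2: the Windows Firewall is provided by the SharedAccess service ("Windows Firewall/Internet Connection Sharing (ICS)"). It assumes an administrator account and the XP-era `netsh firewall` context.

```batch
@echo off
rem Added example (not from the forum thread): check whether the XP firewall
rem service (SharedAccess) is running, enable and start it if not, then show
rem the resulting firewall state and the programs allowed through it.
rem Assumes Windows XP SP2 or later, run from an administrator account.

echo === Windows Firewall/ICS service state ===
sc query SharedAccess | find "STATE"

rem "find" returns errorlevel 1 when the word RUNNING is absent, i.e. the
rem service is stopped or disabled; in that case set it to start with
rem Windows and start it right now.
sc query SharedAccess | find "RUNNING" >nul
if errorlevel 1 (
    echo Service is not running - setting it to Automatic and starting it.
    sc config SharedAccess start= auto
    net start SharedAccess
)

echo === Firewall operational mode per profile ===
netsh firewall show state

echo === Programs currently allowed through the firewall ===
rem Review this list: anything you do not recognise deserves a closer look.
netsh firewall show allowedprogram
```

Note that, as the thread says later, the XP firewall only filters inbound traffic; this check confirms it is on, it does not add outbound control.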
  8. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    That's what I was afraid that meant. We have a Linksys Wireless-N Broadband Router from Cisco. The 2 PCs in question are hardwired to the router & currently nothing is wireless to it. Is there anything on the router that I should tighten up or check? I found that the logging on the router was disabled, so I turned that on. On the router under Security, we have SPI Firewall enabled. Under "Advanced Routing", we have NAT enabled (whatever that means). Under the wireless settings, we have an SSID name but also have "SSID Broadcast" enabled. Is that OK?

    Is the Windows Firewall (if it were enabled) good enough?
     
  9. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    I forgot to answer, Yes we have had and still have Nod 32 on both PCs for the last 2 years. I would like to (offline) uninstall Version 2 and install Version 4 and then go back online to get any updates. I just don't want to be online with a virus checker. Does v4 have a lot more features than version 4?
     
  10. JohnnyDollar

    JohnnyDollar Guest

    That is good news, make sure the router is password protected. XP firewall doesn't provide outbound protection. In your case right now it sounds like you need that. Go over to the firewall forum and look around or start a thread, explain what is going on, you will get plenty of advice about what firewall will suit you.

    https://www.wilderssecurity.com/forumdisplay.php?f=31

    Edit: Also turn on MAC filtering on your router if it is available, and set it to only allow PCs with your two MAC addresses to access the network.
     
    Last edited by a moderator: Aug 30, 2009
  11. JohnnyDollar

    JohnnyDollar Guest

    According to ESET, V4 has better detection and removal abilities than V2; the engines are different. After installing V4, you need to run the SysInspector module and upload the log to ESET. You can download them from here, also download the manual for them.

    http://www.eset.com/download/index.php

    You may also need to visit another forum, possibly look at HijackThis logs.

    https://www.wilderssecurity.com/showthread.php?t=42148
     
  12. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    I think I will try these things with the PC with the 5 threats. As to the other PC with the 114 threats, it will need to stay offline because we can't risk being shut down by the ISP due to my hubby's job. We have been planning on getting a laptop anyway and once we get that (back to school time so hopefully prices will be good), I'll make sure all the files I want to keep (photos, tax files, music, etc.) are on the laptop and then wipe out the 114 threat PC and start over from scratch with it. As long as we have one PC on the internet, the kids can do schoolwork.

    Sound like a plan? I just need to figure what drivers I'll need to rebuild the system and to get a copy of the OS.

    Is there another product in addition to Nod32 we should have installed to monitor for the bad guys? I can run the mbam software manually occasionally.
     
  13. JohnnyDollar

    JohnnyDollar Guest

    What brand is the pc?

    I assume the pc that was infected the worst was the one used by the kids. Make sure it is LUA. Make sure your Admin account in safemode is passworded. Perhaps using OpenDNS for a start. http://www.opendns.com/ With OpenDNS you can restrict your kids from visiting a lot of potential bad sites. Or another is K9 Web Protection http://www1.k9webprotection.com/

    Another product besides MBAM that has earned a lot of respect is Superantispyware. It has a free on demand version http://www.superantispyware.com/

    Virtualization is very effective; Sandboxie, GeSWall and Returnil are also good programs you can use. http://www.techsupportalert.com/best-free-browser-protection-utility.htm

    After reinstalling the OS and the drivers and updating windows then you need to image it.

    http://www.techsupportalert.com/best-free-drive-imaging-program.htm

    I have a friend that has two teenagers, and I have had to restore it to the factory image on several occasions. This last time I imaged to the present so he would not have to reinstall everything and spend so much time downloading updates the next time it happens. He doesn't pay any attention to what they do online and the same problems just keep happening over and over. They are going to these social sites, using torrent clients, visiting porn sites etc.. I guess the best advice is to really be aware of their online activity, OpenDNS and K9 can help you restrict them from certain kinds of sites.
     
    Last edited by a moderator: Aug 30, 2009
  14. JohnnyDollar

    JohnnyDollar Guest

    BTW if you use Internet Explorer, it would help to switch to another browser such as Opera or Firefox. IE has too many security holes IMO along with activex controls which can be a hazard.
     
  15. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    Both PCs are from Dell. I didn't get an OS disk for the 114 threat PC, so I will need to call them to see what they can give me. I've always had good luck with their support in the past, so hopefully it will be OK. Yes, the badly infected PC is one the kids use. They are ages 13 and 11 so I don't think it's the porn sites. There was one game they tried to download called something like "AruaRose" that their friends had been playing. That seems to be when we started having problems. I have always had both PCs set up with one passworded admin account and the kids' accounts are limited.

    I will need to digest all the info you have given me because I do know that we are getting to the ages of needing a net nanny.

    Thank you for your help.
     
  16. JohnnyDollar

    JohnnyDollar Guest

    I just fixed a friend's PC that was a Dell; he called them and ordered the recovery disks with no problem. You can use the service tag on the PC at the Dell support page and download all of the drivers that you need. Well, one good thing that may come with this is hopefully when you reinstall the OS from the recovery disk, it probably will not have all of that 3rd party software garbage that came pre-installed that you don't want.

    BTW are you sure that you don't have a hidden partition that contains the factory image? You can check by control panel, administrative tools, computer management, disk management.
     
  17. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    Two weeks later and I am about ready to wipe out the drive on the PC with the 114 threats. I have copied off all the documents and files that I want to keep and have scanned those files on the flash drive twice (once with Nod32 and again with TrendMicro) before putting it on another system & then ran the Malwarebytes Anti-malware software against it after I put it on the system.

    I do have the Dell PC Restore option which will take my system back to factory settings. Is that as good as reformatting the hard drive and starting over in terms of getting rid of any type of virus and malware left on the system?
     
  18. BlueZannetti

    BlueZannetti Administrator

    Joined:
    Oct 19, 2003
    Posts:
    6,590
  19. JohnnyDollar

    JohnnyDollar Guest

    If you restore from the factory image it will reformat and overwrite the disk with the image. Everything from your old install will be lost. It is not the same as scrubbing the hard drive, but everything will be overwritten. Once that is done there is no danger. May not be good enough for government standards but, that is all you need to do for a pc IMO. I have done it a lot of times. Then you can update windows and install your programs again.
     
  20. Janices

    Janices Registered Member

    Joined:
    Oct 18, 2008
    Posts:
    14
    Is there anything else I could/should have done to prevent spreading the problems from the infected PC? I was hoping the two separate AV scans and the Malwarebytes scan would be good.

    I think I will go with the Dell PC restore to get all the original drivers since I did not modify the internals of that PC since we bought it.

    Thanks for the help.
    Janice
     
  21. JohnnyDollar

    JohnnyDollar Guest

    I am not sure exactly what you mean. If you're talking about the infections spreading, then I would keep it off of the network. Don't transfer files to another PC unless you are sure they aren't infected. If you think it is clean then it's up to you whether to keep it the way it is or restore it to the factory image.
     
    Last edited by a moderator: Sep 13, 2009