Strange Happenstance

Discussion in 'NOD32 version 2 Forum' started by fredra, Oct 29, 2006.

Thread Status:
Not open for further replies.
  1. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi
    Something very strange happened recently with my NOD32. Oh I digress, let me establish my caveat here :D
    I have NOD32 on my main PC and my laptop.. working fine... but something has occurred which I thought I would share.
    Got an email (hotmail) telling me that my order for a Sony Laptop was shipped. As I didn't order anything, that made me suspicious so I d/l the attachment to a floppy, it was xxxxx.zip.pdf. That alone told me something is wrong with the file, but I was brave.
    I clicked the write protect tab on the floppy and double clicked. WOW..NOD went ballistic. Telling me that it had quarantined the file from /documents/xxx (Win32/PSW.LdPinch.P trojan) and if I wanted to submit. Of course I said submit and it then told me I can close the window. I am thinking, great, it found a "baddie" and all is well.
    Lo and behold my OUTPOST pops up to say "9129837.exe" wants to establish an outbound connection. WT hell is going on...I don't remember that application, so I told OUTPOST to "block" all requests from this application.
    (you can google the above file to get more information). OR go here http://www.avira.com/en/threats/section/fulldetails/id_vir/2867/tr_psw.small.bs.3.html and here http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGENT.FBB&VSect=Sn
    I checked my startup lists and there it has a "ttool" being loaded by this "9xxxxxx.exe" file, located in %systemroot%/windows.
    I used NOD to check, it came back clean.
    I used Outpost to check, it came back clean.
    I used The Cleaner to check, it came back clean.
    I used SAS to check, it came back with identifying 9xxxxxx.exe as malware.
    The question I have is this:
    Why did my trusted friend NOD (after identifying the baddie) let it continue to be loaded? :oops:
    Why didn't NOD, on manual checking, identify 9xxxxxx.exe as the baddie and offer to clean, delete or quarantine the specific file? :mad:
    NOD has stopped many "baddies" on both machines in the past, but this behaviour I find a bit strange.
    Can any of the NOD gurus in here offer any constructive explanation?
    Thanks
    Cheers :D
     
    Last edited: Oct 29, 2006
  2. ASpace

    ASpace Guest


    Can you please navigate to the folder where this file is and submit it to ESET labs. Send an email with a link to this thread, a short description and the file attached. The address is samples@eset.com

    In the meantime, open Start->Run->type msconfig->Press ENTER->navigate to the "Start-up" tab and uncheck that suspected file from loading. Apply and OK
     
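    A read-only way to do the autostart check the post above describes, written as an added PowerShell example that is not part of this thread: it lists the Run-key entries and flags the pattern fredra reported (an all-digit .exe sitting directly under the Windows directory). The two Run keys, the flagging rules and the signature check are my assumptions; disabling an entry is still done through msconfig as described.

    ```powershell
    # Added example: enumerate HKCU/HKLM Run entries and flag suspicious targets.
    # Read-only: it changes nothing, it only reports. Run-key paths are assumed.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    )

    $results = foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PS* metadata properties the registry provider adds
            if ($p.Name -like 'PS*') { continue }
            $cmd = [string]$p.Value
            # Take the executable path: a quoted path, or the first token
            if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
            else { $exe = ($cmd -split '\s+')[0] }
            $exe  = [Environment]::ExpandEnvironmentVariables($exe)
            $name = [IO.Path]::GetFileName($exe)
            $dir  = [IO.Path]::GetDirectoryName($exe)

            $flags = @()
            # The pattern from the post: a numeric-only file name, e.g. 9129837.exe
            if ($name -match '^\d+\.exe$') { $flags += 'all-digit name' }
            # Dropped directly into %SystemRoot% rather than a program folder
            if ($dir -and ($dir.TrimEnd('\') -ieq $env:SystemRoot)) {
                $flags += 'lives directly in %SystemRoot%'
            }
            if (Test-Path -LiteralPath $exe) {
                $sig = Get-AuthenticodeSignature -FilePath $exe
                if ($sig.Status -ne 'Valid') { $flags += "signature: $($sig.Status)" }
            } else {
                $flags += 'target file missing'
            }

            [PSCustomObject]@{
                Key    = $key
                Entry  = $p.Name
                Target = $exe
                Flags  = ($flags -join '; ')
            }
        }
    }

    # Flagged rows are the ones worth submitting to the vendor as a sample
    $results | Sort-Object Flags -Descending | Format-Table -AutoSize
    ```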
  3. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi HiTech_boy
    Quote
    Can you please navigate to the folder where this file is and submit it to ESET labs. Send an email with a link to this thread, a short description and the file attached. The address is samples@eset.com
    End Quote
    A trusted mod had advised me to do this, and it was done.

    Quote
    In the meantime, open Start->Run->type msconfig->Press ENTER->navigate to the "Start-up" tab and uncheck that suspected file from loading. Apply and OK
    End Quote
    Done in addition to manually cleaning the registry of "hide-evr2.sys" and another location in HKCU. Also restoring the service for Security Center.
    Thanks for your input, it is appreciated.
    Cheers :)
     
  4. ASpace

    ASpace Guest

    You are welcome !
     
  5. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    This could be a clue :-
    Cheers :)
     
  6. fredra

    fredra Registered Member

    Joined:
    Jul 25, 2004
    Posts:
    366
    Hi NOD32 user
    That was funny :D :D :D :D :D
     
    Last edited by a moderator: Oct 30, 2006