Trojan in memory - how do I get rid of it

Discussion in 'NOD32 version 2 Forum' started by vabrun, May 25, 2004.

Thread Status:
Not open for further replies.
  1. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Hi,
    How do I send you a copy of the viruses on my computer? I have 6 trojans and one in memory that I cannot even quarantine. What do I do?

    Also, I can't access IMON or AMON with my password. Are they available, and how do I access them? Also cannot access Setup in NOD32 - incorrect password, even after updating the database version.

    I previously had PC User passwords but was unable to remember the password, so I could not uninstall NOD32 before downloading the newer version. Could this be causing the problem of not allowing me to access AMON and IMON?

    Thanks for any help, Vicki. :D
     
    Last edited: May 25, 2004
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
    vabrun

    While you are waiting for an answer, why don't you post your question in the other anti-trojan software forum also. Someone there may have the answer.
     
  3. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Thanks for the tip, but I'm new at this forum business, so exactly what trojan forum do you mean and how do I get there?

    Vicki :D
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
    Vicki

    Let me suggest this. Go to this link and download a 30-day trial. Scan your computer and see what you find.

    Link: http://tinyurl.com/2cgpc
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Whoever set up your computer with NOD32 has placed a password in the settings; the ONLY way to recover the password is to contact the reseller from whom you purchased it. They will send you a small file called "unlock.exe" and instructions on its use.

    I would suggest doing the above FIRST and addressing the other problems after this. You may find that AMON and/or IMON has been disabled. I came across this exact same situation late last year; I reckon it was done because they did not pay their bill. I was asked to come in and remove viruses from a disabled NOD32 :rolleyes:

    Hope this helps...

    Cheers :D
     
  6. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Thank you Ronjor,
    The link was great; however, I have to submit all the trojans manually because the 30-day trial does not allow this automatically.

    Will get back to you on results, if any.

    Thanks again, Vicki ;)
     
  7. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Thank you Blackspear,

    I will contact PC User,

    Vicki :-*
     
  8. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    PS,

    I am now getting a virus alert for a file 'eWNHel.exe' and can't delete, quarantine or close it. What the hell do I do? :doubt:

    Thanks Vicki :)
     
  9. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Run Windows in safe mode. Then run NOD32 with the /ah switch.

    izi
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    The help file is of no help here. I don't know how to use all these switches either. Why doesn't someone from Eset publish the steps to accomplish this? Why does Eset expect anyone using NOD32 to be an advanced computer user? That attitude is not going to get Eset into the major league. Just as making it almost impossible to create floppies for scanning isn't going to endear NOD32 to any average users and certainly not to casual users.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
    We definitely need a good sticky here.

    If it isn't gui driven, most people are lost.
     
  14. hawk22

    hawk22 Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    12
    VABRUN,
    you are no longer able to use NOD32 from the PC User mag. If you had been using and updating from PC User since April, you are no longer able to update.
    You can only use what you have now, or buy a licence.
    regards
    hawk22
     
  15. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Thanks everyone for the input :) ,

    Will try all suggestions.

    Hawk22, I recently bought the licence for NOD32, but was unable to uninstall the versions from PC User, so I just installed the new licensed version. I can update NOD32 over the net but cannot get into any of the setup options because it won't recognize my new password from NOD. I've sent a message to PC User; however, they may not have received it, as my computer is hardly working at the moment. I'm on a friend's computer right now.

    I can't even get into the NOD support forum on my computer. I'm ready to reformat, but I'm hoping to find a solution before taking this measure. Or perhaps I'll just be done with it and reformat and start again.

    All these options take time. I have managed, however, to copy the so-called offending files to a disk, so I will email them to the appropriate people.

    Also installed Trojan Hunter and it seems to find different viruses? I will send them (TH) the viruses as well.

    Thanks again everyone :-* Vicki
     
  16. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    ME AGAIN,

    Ran NOD in safe mode, quarantined all the viruses that came up, then tried again in normal mode.

    I don't understand why the viruses keep appearing if I run a scan after I've quarantined them.

    I have, however, figured out how to look at the log and the type of viruses, so I will search for the fix, which I presume will be on the NOD site.

    Still have no way of getting rid of the virus in operating memory. I can't delete, quarantine or rename it. It says "Trojan Win32/trojan Downloader.Dyfica Bq found in operating memory".

    Any suggestions, thanks again Vicki o_O
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    163,760
    Location:
    Texas
    vicki

    If you are using XP, turn off System Restore, restart your computer and scan in safe mode.

    Worth a try.
     
  18. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Quarantine for Eset doesn't mean what it means for all other AV vendors or the dictionary. All other AVs take the virus and MOVE it to the quarantine folder. NOD32 instead COPIES it to the quarantine folder. You, the user, must then MANUALLY DELETE the original from wherever it is located; otherwise, next scan, NOD32 will find it again.

    As for the one in memory, what OS?
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It sounds like you are running XP with "System Restore" turned on (Windows default setting); you will need to disable this first:

    Right click on "My Computer"
    Click on "Properties"
    Click on the "System Restore" tab
    Place a tick in "Turn off System Restore"; it will ask for confirmation
    Click OK.

    After this do another scan with Nod.

    And as Mele said, quarantine in Nod is NOT quarantine like anywhere else on this planet; Eset uses the word for a copy function.

    Hope this helps...

    Cheers :D
     
  20. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    For any of the trojans that are causing grief, I found something that may be a bug (at least for the Dyfica variants). I manually went to the file, fired up the NOD32 scan and did a clean after NOD32 told me it was Dyfica.XX. I received a message to reboot (since it was in memory) and then all was well. Scanning and cleaning from the NOD32 dialogues did not work. DIRECTLY on the file did work.
     
  21. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    It doesn't matter if System Restore is running; NOD32 will still clean/delete from System Restore. I know I have read here that those files are protected by Windows and AV can't go in and clean. However, I just had a NOD32 on-demand scan, using the AH string we've been talking about in another thread here, delete two viruses it found in my System Restore, which was running at the time of the scan.
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As per this thread Mele

    https://www.wilderssecurity.com/showthread.php?t=33920

    I ran regular scans with Nod, and these came up clean. AFTER I ran a scheduled command line scan using /ah, it found System Restore files infected, so this may or may not have something to do with /ah being able to scan System Restore files while a standard scan cannot. I don't know o_O

    Cheers :D
     
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You know, I read that thread you refer to and even participated in it. Two things I don't understand: (1) how the heck did you get an infection in System Restore when you have it turned off? Why were there any files in restore in the first place? If it is off, then no restore point is made, hence no files that could get infected there. Are you sure it is really off?

    (2) Does a NOD32 scan, with either a scheduled scan or a command line scan using AH, have the ability to clean or delete inside running, active System Restore files? It must. That is amazing. I don't think any other AV can do that. Or would the regular NOD32 scanner delete inside running System Restore files if I told it to delete automatically if it can't clean? I have no idea, because I have never used the command "delete automatically if cleaning is not possible" until I copied that AH string we were talking about that had delete in it. Questions, questions. :)
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I went back and had a double check; there was no "tick" in System Restore. When I actually read what it said, I had to place a tick in there to disable System Restore. So in my case System Restore was on, my mistake :(

    Thought I was sure, double-checked and was wrong :(

    Now I am :D

    As far as I am aware, no, this is not possible; you have to disable and rescan. Then again, see my answer below, so now I'm not sure o_O

    I'm a bit confused as to the timeline now. I think System Restore was still active (due to it having no tick) and a scan using /ah detected files in System Restore and deleted them...



    Scan performed at: 27/05/2004 20:17:47 PM
    Scanning Log
    NOD32 version 1.775 (20040526) NT
    Command line: c:\ /clean /mapi- /arch+ /pack+ /ah
    Operating memory - is OK

    date: 27.5.2004 time: 20:17:53
    Scanned disks, directories and files: c:\
    ...c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003170.scr - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003171.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003173.bat - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003174.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003175.scr - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003196.exe - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003205.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003206.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003207.exe - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP28\A0003267.scr - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP28\A0003390.scr - Win32/Sober.G worm - unable to clean - deleted
    number of files scanned: 78588
    number of viruses found: 15
    number of files cleaned: 11
    number of viruses active: 1
    time of completion: 20:29:52 total scanning time: 719 sec (00:11:59)

    Cheers :D
     
    Last edited: May 31, 2004
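As an added example (not code from the thread, and not Eset's), here is a small Python parser for the scan log format Blackspear posted above. It pulls out the per-file detection lines, groups them by System Restore point (the RPnn folder under System Volume Information), cross-checks them against the summary counters at the end of the log, and lists the files that should be gone but may not be. That last check is where Mele20's point about NOD32 "quarantine" being a copy matters: an original that was only copied to quarantine still exists at the logged path and will be found again on the next scan. The sample log inside is a constructed excerpt in that format; the `c:\windows\temp\sample.exe` path and the wording of its result ("copied to quarantine") are assumptions for illustration, not NOD32's actual output.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Restore-point folders look like ...\System Volume Information\_restore{GUID}\RP26\...
# (pattern assumed from the paths in the posted log).
RESTORE_POINT_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\(RP\d+)\\", re.IGNORECASE
)
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")              # a detection line starts with a drive path
COUNTER_RE = re.compile(r"^(number of [a-z ]+?):\s*(\d+)\s*$")  # e.g. "number of viruses found: 15"
FINAL_RESULTS = ("deleted", "cleaned")  # outcomes after which the original should be gone

# Constructed sample in the format of the log quoted in the thread (not a real scan).
SAMPLE_LOG = r"""
Scan performed at: 27/05/2004 20:17:47 PM
Scanning Log
NOD32 version 1.775 (20040526) NT
Command line: c:\ /clean /mapi- /arch+ /pack+ /ah
Operating memory - is OK

date: 27.5.2004 time: 20:17:53
Scanned disks, directories and files: c:\
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003170.scr - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003171.pif - Win32/Sober.G worm - unable to clean - deleted
c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP28\A0003267.scr - Win32/Sober.G worm - unable to clean - deleted
c:\windows\temp\sample.exe - Win32/Sober.G worm - unable to clean - copied to quarantine
number of files scanned: 78588
number of viruses found: 5
number of files cleaned: 3
number of viruses active: 1
time of completion: 20:29:52 total scanning time: 719 sec (00:11:59)
"""


@dataclass
class Detection:
    path: str
    threat: str
    result: str                    # e.g. "unable to clean - deleted"
    restore_point: Optional[str]   # "RP26" when the file lives inside a restore point

    @property
    def resolved(self) -> bool:
        """True if the scanner's final word is that the original was deleted or cleaned."""
        return self.result.split(" - ")[-1].strip().lower() in FINAL_RESULTS


@dataclass
class ScanReport:
    command_line: str = ""
    memory_status: str = ""
    detections: List[Detection] = field(default_factory=list)
    counters: Dict[str, int] = field(default_factory=dict)


def parse_log(text: str) -> ScanReport:
    """Parse header, per-file detection lines and summary counters from a NOD32 v2 scan log."""
    report = ScanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Command line:"):
            report.command_line = line.split(":", 1)[1].strip()
        elif line.startswith("Operating memory - "):
            report.memory_status = line[len("Operating memory - "):]
        else:
            m = COUNTER_RE.match(line)
            if m:
                report.counters[m.group(1)] = int(m.group(2))
            elif DRIVE_PATH_RE.match(line) and line.count(" - ") >= 2:
                # "<path> - <threat name> - <action, possibly 'unable to clean - deleted'>"
                path, threat, result = line.split(" - ", 2)
                rp = RESTORE_POINT_RE.search(path)
                report.detections.append(
                    Detection(path, threat, result, rp.group(1) if rp else None)
                )
    return report


def restore_point_hits(report: ScanReport) -> Dict[str, int]:
    """Count detections per System Restore point folder."""
    hits: Dict[str, int] = {}
    for d in report.detections:
        if d.restore_point:
            hits[d.restore_point] = hits.get(d.restore_point, 0) + 1
    return hits


def leftovers(report: ScanReport, exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Paths whose infected original is (or may still be) on disk.

    Flags detections with no final 'deleted'/'cleaned' outcome (a copy to quarantine
    leaves the original in place) and 'deleted' files that still exist. `exists` is
    injectable so the check can be run against a recorded or fake filesystem.
    """
    return [d.path for d in report.detections if not d.resolved or exists(d.path)]


def reconcile(report: ScanReport) -> List[str]:
    """Cross-check the summary counters and memory status against the parsed lines."""
    warnings: List[str] = []
    if report.memory_status.lower() != "is ok":
        warnings.append(f"operating memory: {report.memory_status}")
    found = report.counters.get("number of viruses found")
    if found is not None and found != len(report.detections):
        warnings.append(f"summary reports {found} viruses but {len(report.detections)} "
                        f"detection lines were parsed (log truncated?)")
    active = report.counters.get("number of viruses active", 0)
    if active:
        warnings.append(f"{active} infection(s) still active after the scan")
    return warnings


if __name__ == "__main__":
    rep = parse_log(SAMPLE_LOG)
    print("command line:", rep.command_line)
    print("restore point hits:", restore_point_hits(rep))
    print("possible leftovers:", leftovers(rep, exists=lambda p: False))
    print("warnings:", reconcile(rep))
```

With `exists=lambda p: False` the only leftover is the file that was merely copied to quarantine; run against the real filesystem (the default), any "deleted" path that still exists shows up too, which is the quick check to do before trusting that a rescan will come up clean.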
  25. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    ahhh...OK...so system restore was on...that makes more sense. Good thing you checked again. Now, I know to check to make sure the box is ticked if I ever want to turn it off. :)

    I think, from what you have said, the scan you provided, and my experience, that AH actually can go into System Restore while it is running and get rid of viruses. That is really neat!
     