trogan in memory - how do i get rid of it

Discussion in 'NOD32 version 2 Forum' started by vabrun, May 25, 2004.

Thread Status:
Not open for further replies.
  1. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Hi,
    How do I send you a copy of the viruses in my computer. I have 6 trogans and one in memory that I cannot even quarintine. what do I do?

    also I can't access IMOM or AMOM with my password. Are they available? and how do i access them? Also cannot access Setup in Nod32 - incorrect password, even after updating database version.

    I previously had PCuser passwords but was unable to remember the password so I could not uninstall nod32 before downloading the newer version. Could this be causing the problem of not allowing me to access AMON and IMON?

    thanks for any help vicki. :D
     
    Last edited: May 25, 2004
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    vabrun

    While you are waiting for an answer, why don't you post your question in the other anti-trojan software forum also. Someone there may have the answer.
     
  3. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    thanks for the tip but I'm new at this forum business, so exactly what trogan froum to you mean and how do I get there.

    vicki :D
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    Vicki

    Let me suggest this. Go to this link and download a 30 day trial. Scan your computer and see what you find.

    Link: http://tinyurl.com/2cgpc
     
  5. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Whomever set up your computer with Nod32 has placed a password in the settings, the ONLY way to recover the password is to contact the Reseller from whom you purchased, they will send you a small file called "unlock.exe" and instructions on its use.

    I would suggest doing the above FIRST and address the other problems after this, you may find that AMON and or IMON has been disabled, I came across this exact same situation late last year, I reccon it was done because they did not pay their bill. I was asked to come in and remove viruses from a disabled Nod32 :rolleyes:

    Hope this helps...

    Cheers :D
     
  6. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    thank you Ronjur,
    The link was great however I have to submit all the trojans manually because the 30 day trial does not allow this automatically.

    will get back to you on result if any.

    Thanks again, vicki ;)
     
  7. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Thank you blackspear,

    I will contact PCUser,

    vicki :-*
     
  8. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    PS,

    I am now getting a virus alert for a file 'eWNHel.exe' and can't delete or quarantine or close it. what the hell do I do :doubt:

    Thanks Vicki :)
     
  9. izi

    izi Registered Member

    Joined:
    Jan 19, 2004
    Posts:
    354
    Location:
    Slovenia
    Run windows in safe mode. Than run NOD32 with /ah switch.

    izi
     
  10. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
  11. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
  12. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    The help file is of no help here. I don't know how to use all these switches either. Why doesn't someone from Eset publish the steps to accomplish this? Why does Eset expect anyone using NOD32 to be an advanced computer user? That attitude is not going to get Eset into the major league. Just as making it almost impossible to create floppies for scanning isn't going to endear NOD32 to any average users and certainly not to casual users.
     
  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    We definitely need a good sticky here.

    If it isn't gui driven, most people are lost.
     
  14. hawk22

    hawk22 Registered Member

    Joined:
    Apr 21, 2004
    Posts:
    12
    VABRUN
    you are no longer able to use NOD32 from the PC USER Mag. If you had been using and updating from PC USER since April you are no longer able to update.
    You only can use what you have now, or buy a Licence.
    regards
    hawk22
     
  15. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    Thanks everyone for the input :) ,

    Will try all suggestions.

    Hawk 22, I recently bought the license of nod32, but was unable to uninstall the versions from PC user so I just intalled the new licensed version. I can update nod32 over the net but cannot get into any of the setup options becasue it won't recognize my new password from nod. I've send a mesage to PC user however they may not have received it as my computer is hardly working at the moment. I'm on a friends computer right now.

    I can't even get into the nod support forum on my computer. I'm ready to reformt but i'm hoping to find a solution before taking this measure. Or perhaps I'll just be done with it and reformat and start again.

    All these options take time. I have managed however to copy the so called offending files to a disk so will email them to the appropriate people.

    Also installed Trojan Hunter and it seems to find different viruses? I will send them (TH) the viruses as well

    Thanks again everyone :-* Vicki
     
  16. vabrun

    vabrun Registered Member

    Joined:
    May 24, 2004
    Posts:
    8
    ME AGAIN,

    ran nod in safe mode. quarintined all the virues that came up, then tried again in normal mode.

    I don't undertand why the viruses keep appearing if I run a scan after I've quarantined them.

    I have however figured ou how to look at the log and the type of virues so will search the for the fix which I presume will be on the NOD site.

    Still have no way of ridding the virus in operating memory. I can't delete, quarintine or rename it. It says "Trojan Win32/
    trojan Downloader.Dyfica Bq found in operating memory"

    Any suggestions, thanks again Vicki o_O
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,740
    Location:
    Texas
    vicki

    If you are using XP, turn off system restore, restart your computer and scan in the safe mode.

    Worth a try>
     
  18. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    Quarantine for Eset doesn't mean what it means for all other AV vendors or the dictionary. All other AV take the virus and MOVE it to the quarantine folder. NOD32 instead COPIES it to the quarantine folder. You, the user, must then MANUALLY DELETE the original from where ever it is located other wise, next scan, NOD32 will find it again.

    As for the one in memory, what OS?
     
  19. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    It sounds like you are running XP with "System Restore" turned on (Windows default setting), you will need to disable this first:

    Right click on "My Computer"
    Click on "Properties"
    Click on the "System Restore" tab
    Place a tick in "Turn off system restore", it will ask for confirmation
    Click ok.

    After this do another scan with Nod.

    And as Mele said, quarantine in Nod is NOT quarantine like anywhere else on this planet, Eset use the word for a copy function.

    Hope this helps...

    Cheers :D
     
  20. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    For any of the trojans that are causing grief, I found something that may be a bug (at least for the Dyfica variants). I manually went to the file, fired up the NOD32 scan and did a clean after NOD32 told me it was Dyfica.XX. I received a message to reboot (since it was in memory) and then all was well. Scanning and cleaning from the NOD32 dialogues did not work. DIRECTLY on the file did work.
     
  21. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    It doesn't matter if system restore is running, NOD32 will still clean/delete from system restore. I know I have read here that those files are protected by Windows and AV can't go in and clean. However, I just had NOD32 on demand scan, using the AH string we've been talking about in another thread here, delete two viruses it found in my System Restore which was running at the time of the scan.
     
  22. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    As per this thread Mele

    https://www.wilderssecurity.com/showthread.php?t=33920

    I ran regular scans with Nod, and these came up clean, AFTER I ran a scheduled command line scan using /ah it found System Restore files infected, so this may or may not have something to do with /ah being able to scan in System restore files while a standard scan cannot, I don't know o_O

    Cheers :D
     
  23. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    You know I read that thread you refer to and even participated in it. Two things I don't understand (1) how the heck did you get an infection in System Restore when you have it turned off? Why were there any files in restore in the first place? If it is off then no restore point is made hence no files that could get infected there. Are you sure it is really off?

    (2) Does NOD32 scan with either a scheduled scan or a command line scan using AH have the ability to clean or delete inside running, active System Restore files? It must. That is amazing. I don't think any other AV can do that. Or would the regular NOD32 scanner delete inside running System Restore files if I told it to delete automatically if it can't clean? I have no idea because I have never used the command delete automatically, if cleaning is not possible, until I copied that AH string we were talking about that had delete in it. Questions, questions. :)
     
  24. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    I went back and had a double check, there was no "tick" in System Restore, when I actually read what it said, I had to place a tick in there to disable system restore. So in my case System Restore was on, my mistake :(



    Thought I was sure, double checked and was wrong :(



    Now I am :D



    As far as I am aware, no, this is not possible, you have to disable and rescan, then again see my answer below, so now I'm not sure o_O



    I'm a bit confused as to the timeline now, I think system restore was still active (due to it having no tick) and a scan using /ah detected files in System Restore and deleted them...



    Scan performed at: 27/05/2004 20:17:47 PM
    Scanning Log
    NOD32 version 1.775 (20040526) NT
    Command line: c:\ /clean /mapi- /arch+ /pack+ /ah
    Operating memory - is OK

    date: 27.5.2004 time: 20:17:53
    Scanned disks, directories and files: c:\
    ...c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003170.scr - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003171.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003173.bat - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003174.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003175.scr - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003196.exe - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003205.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003206.pif - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP26\A0003207.exe - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP28\A0003267.scr - Win32/Sober.G worm - unable to clean - deleted
    c:\System Volume Information\_restore{7EA69FAF-9D49-4735-B141-CB813AEFE73A}\RP28\A0003390.scr - Win32/Sober.G worm - unable to clean - deleted
    number of files scanned: 78588
    number of viruses found: 15
    number of files cleaned: 11
    number of viruses active: 1
    time of completion: 20:29:52 total scanning time: 719 sec (00:11:59)

    Cheers :D
     
    Last edited: May 31, 2004
  25. Mele20

    Mele20 Former Poster

    Joined:
    Apr 29, 2002
    Posts:
    2,495
    Location:
    Hilo, Hawaii
    ahhh...OK...so system restore was on...that makes more sense. Good thing you checked again. Now, I know to check to make sure the box is ticked if I ever want to turn it off. :)

    I think from what you have said, and the scan you provided, and my experience that AH actually can go into system restore while it is running and get rid of viruses. That is really neat!
     
Thread Status:
Not open for further replies.