Trojan cannot clean

Discussion in 'NOD32 version 2 Forum' started by scorpionzero, Feb 16, 2006.

Thread Status:
Not open for further replies.
  1. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    I already use NOD32 version 2.5. Yesterday my mate put a flash drive (i.e. a thumb drive) into my PC (WinXP Pro SP2) and copied some files to my computer. Then he put the thumb drive into my friend's computer, but her antivirus alerted that a virus/trojan, Kangen.B, was found. My friend uses Pc-Cillin Internet Security 2006. Then he pulled out the thumb drive and plugged it into mine again, but my NOD32 did not even detect the virus. I pulled out the thumb drive and plugged it into my other friend's PC, which uses Pc-Cillin 2004. Yes, a virus alert popped up, and this time it said Rontokbro.B. I searched the Internet and found that yes, there is a trojan called Rontokbro.B and Kangen.B; maybe it originates from Indonesia. Symantec and McAfee also have descriptions of that trojan/virus. So I was really not satisfied, and again I plugged the USB thumb drive into my PC and selected a manual scan. The virus database was already updated. Again, NOD32 failed to detect the virus. Then I tried checking advanced heuristics and scanned the thumb drive. Yes, NOD32 could detect it.
    NOD32 could not clean it but deleted the file kangen.exe, so I was satisfied. I pulled out the USB thumb drive and plugged it into my friend's PC again. I was shocked because her antivirus again detected the virus Kangen.B, and kangen.exe even suddenly appeared in her thumb drive. Then I tried to clean the virus/trojan from her PC, and wow, it works. Pc-Cillin Internet Security 2006 can clean that virus. I pulled out the thumb drive and plugged it into my PC again. Scanned with NOD32 advanced heuristics and it seemed OK, no virus. I pulled out the thumb drive and again plugged it into my friend's PC that uses Pc-Cillin 2004. No virus alert popped up. Seems OK. I pulled it out and again plugged it into the one that uses Pc-Cillin 2006 Internet Security, and yes, no virus alert popped up. The problem is: why can't NOD32 detect this virus normally, but when scanning with advanced heuristics it can detect it but fails to clean, so it deletes? Another thing is that I think the virus is not dead, because after NOD32 deleted kangen.exe the file appeared again in my friend's virus alert. Can anyone help me solve this? I searched the Internet and found that Trend Micro (Pc-Cillin) names this virus Rontokbro.A to variant B. And this virus was also named Kangen before it changed to Rontokbro. :mad:
     
  2. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Well, try to see if the virus starts together with your computer (run msconfig), or boot in safe mode and scan with NOD32. ;)
     
  3. tazdevl

    tazdevl Registered Member

    Joined:
    May 17, 2004
    Posts:
    837
    Location:
    AZ, USA
    It also sounds like NOD32 was not set up for maximum security on your computer.

    See this thread...
    https://www.wilderssecurity.com/showthread.php?t=37509

    FYI, this is a good place to submit a file and have it scanned by multiple antivirus programs...

    http://virusscan.jotti.org/

    Most antiviruses cannot clean a trojan in Windows. As mentioned, you need to boot into safe mode, which loads only the system default drivers, DLLs, etc. At that point the trojan won't be running; use the NOD32 in-depth scan to find and clean it.

    There are also free anti-trojan scanners available. If one works, you might want to buy a paid version.
     
  4. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    Thanks for your answer. Anyway, I asked my mates to configure NOD32 v2.5 like this in the Control Panel:

    AMON:

    In the Detection tab I check all the boxes. On Extensions I scan all files.
    In the Options tab I check all the boxes except Move to quarantine.
    In the Actions tab I check Clean Automatically.
    In the Exclusions tab there is nothing in the list.
    In the Security tab I check all the boxes except Allow manual stopping and Load file system monitor dynamically.

    DMON:
    In the Setup tab I check all the boxes except List all files. And in the Extensions tab I scan all files.
    In the Actions tab, if a virus is found, the 1st action is Clean, and if it cannot be cleaned I select Delete.

    IMON:
    In the POP3 tab I check all the boxes; in Email confirmation I select All email.
    In the HTTP tab I check all the boxes; in Actions I select Automatically deny download of file.
    In the Misc tab I check all the boxes, and in the Scanner setup tab I check all the boxes, with Extensions set to scan all files. In the Actions tab I select 1st action Clean and 2nd action Delete.

    Other settings like e-mail scanning I set to maximum: Clean and Delete all infected e-mails.

    So what about the settings I mentioned above? Is there another maximum setting to scan for that virus? What I am clueless about is that NOD32 cannot detect the virus on my mate's thumb drive automatically, and it seems that AMON does not alert me, or maybe AMON cannot detect that virus. By the way, I searched the NOD32 virus database and I cannot find any Rontokbro or Kangen in the NOD32 virus database library. Does that mean NOD32 doesn't know that virus because there is nothing in its database? o_O
     
  5. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    I found these matches for the Kangen and Rontokbro names you mentioned. These are the NOD names.

    Win32/VB.NAD

    a variant of Win32/Brontok

    Win32/Brontok.BB

    Win32/Brontok.BD

    https://www.wilderssecurity.com/showthread.php?t=107777
     
  6. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    If you go through the thread mentioned by tazdevl, you will see why it is very important to make sure Quarantine is Checked. That same thread shows you what to tick for a scan. Once this is completed you should run a scan in "Safe Mode".

    Cheers :D
     
  7. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    Thank you guys, I will try to configure it now. By the way, I want to ask you all: can NOD32 clean boot sector viruses such as Wyx.C or Polyboot.B? My friend's PC was infected by this boot sector virus. She ran NOD32 and yes, NOD32 can detect it, but it failed to clean it because it says that it is memory resident. Can you teach me how to clean this virus? By the way, she is using the NOD32 v2.5 trial version, v2.50.44.

    Is there any NOD32 version newer than the one I mentioned above? :p
     
  8. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    How long has she been using the trial version? This was added a while back; perhaps her trial has expired and isn't updating anymore.
     
  9. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    Well, I saw "days left" on her NOD32 control panel and it shows 3. Hmm, when I click Update now it connects to the NOD server and a message appears that her NOD is up to date and there are no new updates for her. I try to scan again and yes, the same message appears. I think her Master Boot Record is infected with that boot virus. I tried in safe mode but it is still the same. Does that mean she must buy a full version? :ninja:
     
  10. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Boot sector viruses can only be cleaned from within DOS.
     
  11. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    Is there any command line for using NOD32 for DOS to clean a boot sector virus? I think for the trial version there is no NOD32 for DOS, right? Correct me if I'm wrong. o_O
     
  12. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
  13. puff-m-d

    puff-m-d Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    4,451
    Location:
    North Carolina, USA
    I do not know the current policy, but it used to be that if you were a licensed user of NOD32, then you could also use the DOS version, as your user name and password also worked to download it. At least that is how it was a couple of years back....
     
  14. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    It's amazing how fast scorpion changes her avatar. :p :D
     
  15. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    Thank you pykko... you know, my mate showed me the DOS version of another antivirus that can clean Polyboot or boot viruses, and it's free for home users only. That is F-Prot for DOS. Wow, thank goodness it cleaned it. Now NOD32 never shows the "master boot record infected by Wyx.C or Polyboot" message again.
    Does anyone here know how to retrieve all the applications that were infected by the virus W32.Blebla.B? What is the NOD name for this virus? You know, all the icons on my mate's desktop changed to blank Windows icons, and if you want to start an application, Windows searches and cannot run the program. What is happening to her system? It looks like all the applications are missing. And the antivirus program also cannot execute. Please... :-*
     
  16. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Still that way to my understanding :)
     
  17. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Scorpion, NOD32 calls it the same way... at least this is what I found. http://nod32sse.hotserv.dk/view.php?id=449&highlight=Blebla.B

    What do you mean about your applications? Try installing them again. ;)

    Look in the Program Files folder for your programs... but I think their .exe files were deleted by the virus.
    Do your mates have NOD32 installed on their PC?
     
  18. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    Ohh... poor her, having to install everything all over again. Actually, before the system was infected by this virus she did not have NOD32 installed. She only used removal tools like McAfee Stinger and Trend Micro Sysclean. However, after all the icons went missing, she tried to scan using these tools and found the virus BleBla. Sysclean automatically deleted all the files that were infected by this virus. I think what you said is true: maybe all the .exe files were also deleted by Sysclean. I recommended that she use NOD32, but I think it is now too late for her to get all her applications back. Poor her... :p
     
  19. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    My mate checked her Task Manager and in Processes she found ccApps.exe; 4 of them appear in her Task Manager. What is that process actually? It takes a lot of CPU usage. Can she terminate that application? Is it some kind of trojan or virus? o_O
     
  20. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    ccApps.exe seems to be associated with several differently named trojans/worms.
    Did you say your friend uses NOD32? It must be about time they try it :)
     
  21. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    I don't know what she did to her PC. It is too slow to open even a single application. Sometimes her XP will reboot automatically. Yes, she installed NOD32, but I never see the control panel in her taskbar. I tried to activate the control panel, but a Windows message appeared saying that NOD32 crashed the system and gave a choice to send or not send a report. After that, her PC rebooted. Is something wrong with her system or with NOD32 itself?
     
  22. pykko

    pykko Registered Member

    Joined:
    Apr 27, 2005
    Posts:
    2,236
    Location:
    Romania...and walking to heaven
    Hmm... my opinion is to reinstall Windows with all apps, then NOD32, and everything will be just fine. ;)
     
  23. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    For sure.
    At the very least, download a fresh copy of NOD32, making sure that it is the correct version for the operating system being used, and do a clean install of NOD32. If you search the forum, Blackspear has posted several times how he suggests doing a clean install.
    HTH :)
     
  24. scorpionzero

    scorpionzero Registered Member

    Joined:
    Feb 16, 2006
    Posts:
    22
    Location:
    Malaysia
    Thanks guys. I will ask her to do that. One more thing, to be sure: if she wants to reinstall the OS again with all the applications, can she format the hard disk, or just reinstall over the top? Do you think her system was crashed by a virus? And if she just reinstalls over the top without formatting, can the previous virus (if any) infect her system again? o_O
     
  25. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,763
    Location:
    Texas
    scorpionzero

    Have your friend post a hijack log at any of these forums. CastleCops, SpywareInfo and TomCoyote.
    An expert will help your friend find the problems.
     