Trojan threat detected

Discussion in 'NOD32 version 2 Forum' started by Huwge, Jul 18, 2005.

Thread Status:
Not open for further replies.
  1. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Been using NOD for a while but this is the first time I have had an alert.

    I had a pop-up telling me to send a copy of the file to NOD for evaluation. When I look in the threat log it comes up as a threat of the Win32 trojan along with the link from the site (I was looking to buy some software, can't find a UK supplier and Google threw up a site that turned out to be warez :mad:) with no other details.
    I then had the alert... this wasn't the window with red in it... it was a bubble from the NOD taskbar icon. I have run a full scan and nothing shows up.

    So has NOD blocked it, or is it sitting on my PC somewhere, and how do I find out? Thanks in advance.
     
  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    Submitted files are encrypted in the eset/cache folder.
     
  3. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Thanks, but that doesn't answer my question.
     
  4. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,727
    Location:
    Texas
    What does your threat log say? Does it give a path to the file? Any more info?
     
  5. webyourbusiness

    webyourbusiness Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    2,640
    Location:
    Throughout the USA and Canada
    If you have NOD32's IMON configured to protect you, it should have disconnected before downloading it - alternatively, AMON would have detected the file at access, quarantined it, then prompted for submission.

    Quarantined items are encrypted and therefore, rendered 'safe'.

    My guess is that it downloaded it and quarantined it. Subsequent scans won't turn up your quarantined items - that would result in a LOT of stop-start for those that want to be told about everything found.

    hth

    Greg
     
  6. rumpstah

    rumpstah Registered Member

    Joined:
    Mar 19, 2003
    Posts:
    486
    Hi Huwge:

    If you scroll to the right in the Threat Log, it should show under the "Action" column "Connection terminated". If this is the case, then the infiltration did not reach the hard drive.

     
  7. ragnarok

    ragnarok Registered Member

    Joined:
    Jul 14, 2005
    Posts:
    36
    That's right, as you ppl said it, you always can check what happened with a threat in the threat log. "Connection terminated" assures you that the infection was stopped at the move and did not reach your PC. I remember one time that I got into a page where I was attacked by like 5 W32 trojan downloaders and one did reach my PC, but I did not have to do anything cuz in immediate action AMON detected it twice, one on the Temporary Internet Files and the other on System Restore, and I was cleaned without doing a thing, so you don't have to worry about it then. :D
     
  8. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    The threat log has nothing in the action taken column. I didn't click on anything at the website.

    Time | Module | Object Name | Threat | Action | User | Information
    18/07/2005 18:01:38 | IMON | file www2.xmirror.us/download_plugin.exe | a variant of Win32/TrojanDownloader.INService trojan | (empty) | YOUR-8QSS7CQGKG\Administrator |

    This is what shows up on the threat log. I have taken out the http part so no one will click on it. It doesn't show up on the quarantine log and I didn't get the usual red warning window, just the bubble in the taskbar, same as I get when I download a new definition.
     
  9. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    So can anyone offer an explanation... maybe from ESET if no other? o_O
     
  10. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    I got the red warning window.

    In the Event log it shows:
    Time | Module | Event | User
    7/20/2005 8:57:31 AM | Kernel | The file '(edit)/download_plugin.exe' has been sent to Eset's labs for analysis. |

    Does your Event log show the same?
     
  11. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    My event log shows this:

    Time | Module | Event | User
    18/07/2005 18:02:56 | Kernel | The file 'http://www2.xmirror.us/download_plugin.exe' has been sent to Eset's labs for analysis. |

    I'm concerned that I didn't get any warning. NOD is set up as per Blackspear's settings.
     
  12. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    On the IMON Setup, HTTP tab under "Actions" do you have "Display warning window with action selection" marked?
     
  13. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Nope, deny download... does this mean no warning at all?
     
  14. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    With that marked you won't see the usual red warning window.

    If you change it to "Display warning window with action selection"
    you will get the red warning window.
     
  15. Huwge

    Huwge Registered Member

    Joined:
    Oct 21, 2004
    Posts:
    405
    Location:
    UK
    Thanks Stan, much appreciated :D
     
  16. Stan999

    Stan999 Registered Member

    Joined:
    Sep 27, 2002
    Posts:
    566
    Location:
    Fort Worth, TX USA
    Hi Huwge,

    Glad to be of some help.
     