Trying to permanently remove trojan

Discussion in 'NOD32 version 2 Forum' started by chmiller, Feb 8, 2007.

Thread Status:
Not open for further replies.
  1. chmiller

    chmiller Registered Member

    Forgive me if this sort of question is off topic for this forum, but I'm new to NOD32 and don't know of a more appropriate place to look for answers.

    I have a server running SBS2003, and installed NOD32 several weeks ago (on this server and all clients), setting things up essentially like Blackspear's suggested settings (thanks for that resource, btw). On the server, AMON is picking up a trojan, and has been since day one (I was running Symantec previously, which never saw this). AMON will delete the affected file. At some point later, my Exchange store will be very active in terms of hard disk usage (routine re-indexing or whatever it routinely does, I don't know) and the trojan will then appear in a new file. NOD32 finds and deletes it, but I'd like to find the source of the file which hosts the trojan.

    Here's the alert report:

    02/07/2007 16:24:55 PM AMON file C:\WINDOWS\TEMP\NOD4EBE.tmp JS/TrojanDownloader.Tivso.gen trojan quarantined - deleted - error while cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Exchsrvr\bin\store.exe. The file was moved to quarantine. You may close this window.

    ESET's website does give info about this trojan, but no further instructions about removal.

    Is there a process that I should try to find the source of the trojan? Is there another program that I should try in conjunction with NOD32 (such as spybot etc) that maybe can find it? I know this trojan isn't the biggest threat ever, and NOD32 is stopping it from acting, but especially since this is on my server, I'd sure like to find a permanent solution.
     
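As an added example (not code from the original post, and not an ESET tool), here is a small Python parser for the AMON alert line quoted above. It pulls out the detected file, the threat name, the action taken, the account, and the application that created the file, then groups the alerts by creating application. Run over a log with several such lines, that grouping answers the question the post raises: whether every detection traces back to the same process (store.exe) writing temp files, or whether some other program is dropping the content. The first sample line is the alert from the post; the other two are constructed in the same format, with the account CONTOSO\jdoe and the Outlook Express path being invented sample values.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log. Line 1 is the AMON alert quoted in the post above;
# lines 2 and 3 are invented in the same format (file names, the account
# CONTOSO\jdoe and the msimn.exe path are sample values, not from the thread).
SAMPLE_LOG = r"""
02/07/2007 16:24:55 PM AMON file C:\WINDOWS\TEMP\NOD4EBE.tmp JS/TrojanDownloader.Tivso.gen trojan quarantined - deleted - error while cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Exchsrvr\bin\store.exe. The file was moved to quarantine. You may close this window.
02/08/2007 03:10:02 AM AMON file C:\WINDOWS\TEMP\NOD1A2B.tmp JS/TrojanDownloader.Tivso.gen trojan quarantined - deleted - error while cleaning - operation unavailable for this type of object NT AUTHORITY\SYSTEM Event occurred on a new file created by the application: D:\Program Files\Exchsrvr\bin\store.exe. The file was moved to quarantine. You may close this window.
02/08/2007 09:41:17 AM AMON file C:\Documents and Settings\jdoe\Local Settings\Temp\attach.htm JS/TrojanDownloader.Tivso.gen trojan quarantined - deleted CONTOSO\jdoe Event occurred on a new file created by the application: C:\Program Files\Outlook Express\msimn.exe. The file was moved to quarantine. You may close this window.
"""

# Field layout of an AMON alert line as it appears in the post. Paths may
# contain spaces, so the path and the action are matched lazily and anchored
# by the fixed text that follows them. The timestamp is kept verbatim because
# the log mixes a 24-hour clock with an AM/PM suffix ("16:24:55 PM").
ALERT_RE = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2} [AP]M) "
    r"AMON file (?P<path>.+?) "
    r"(?P<threat>[A-Za-z0-9]+/\S+) "          # ESET names look like JS/Name or Win32/Name
    r"(?P<kind>trojan|virus|worm|application|adware) "
    r"(?P<action>.+?) "
    r"(?P<user>(?:NT AUTHORITY|[^\s\\]+)\\[^\s\\]+) "
    r"Event occurred on a new file created by the application: (?P<creating_app>.+?)\. "
    r"The file was moved to quarantine\."
)


@dataclass
class AmonAlert:
    timestamp: str
    path: str
    threat: str
    kind: str
    action: str
    user: str
    creating_app: str


def parse_alert(line: str) -> Optional[AmonAlert]:
    """Parse one AMON alert line; return None for lines in another format."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    return AmonAlert(**m.groupdict())


def parse_log(text: str) -> List[AmonAlert]:
    """Parse every recognisable alert line in a block of log text."""
    alerts = []
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


def count_by_creating_app(alerts: List[AmonAlert]) -> Counter:
    """How many detections each creating application is responsible for.

    A single dominant writer (here store.exe) means the detections are the
    same content being re-materialised from that process's data, which is
    where any follow-up should look.
    """
    return Counter(a.creating_app for a in alerts)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for app, n in count_by_creating_app(parsed).most_common():
        print(f"{n:3d}  {app}")
    for a in parsed:
        print(a.timestamp, a.threat, a.path, "<-", a.creating_app)
```

The regex is deliberately tied to the exact wording AMON uses in this log format; if a line does not match, the parser returns None rather than guessing, so the counts only ever reflect lines that were fully understood.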
  2. Marcos

    Marcos Eset Staff Account

    The best would be to exclude tmp extension from scanning in the AMON setup. Also make sure that AMON is set to prompt for an action instead of cleaning automatically.
     
  3. chmiller

    chmiller Registered Member

    Thanks. I've changed the settings as you've suggested. I understand how this will prevent the alert in the future. My concern, though, is whether there is an email, file, or something in the registry etc. that causes the presence of the trojan to be recreated when the Exchange info store does its maintenance. Or is the file that AMON is finding totally a non-issue, and therefore not something that indicates the presence of a trojan? And, in principle, how do I assure myself of that?
     