Virus present, but NOD32 reports clean. What to do?

Discussion in 'ESET NOD32 Antivirus' started by Chippy_boy, Jun 25, 2011.

Thread Status:
Not open for further replies.
  1. Chippy_boy

    Chippy_boy Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    7
    Please help! (Sorry it's long).

    Last week I was working away and my firewall suddenly alerted me that an unrecognised program was trying to connect to the internet, so I blocked it. This happened 5 times and on investigation I found 5 .exe's in my Users/<Username>/AppData/Local/Temp folder. All 41k in size. I scanned them with NOD32 and every online scanner I could find and no malware was reported. Still, I had not installed any software recently and there was nothing to identify these files, so I was concerned.

    I deleted the files, ran an in-depth scan - which reported clean - and moved on.

    Last night, I opened my email (using my normal Windows Live Mail email client). To my horror, I find an item in my inbox which is an email from me to a number of people in my address book. The email has clearly come from me because none of the recipients would have all the email addresses on the cc list - only I do.

    The email has no subject, just the single line:

    -http://brightstarresources.com/wp-content/plugins/mysite.html

    I don't know whether that's relevant or just some random URL.

    Anyway, clearly I have some malware on board, because needless to say, I didn't send the email.

    I have done a full In-Depth scan with NOD32 and no viruses are found. I have also done a full scan with Malwarebytes Anti-Malware and that says I am clean too. Also clean according to the Sophos rootkit scanner.

    Any ideas what to do? Clearly my PC is infected and yet nothing seems to find the infection.

    Thanks

    Chip
     
    Last edited by a moderator: Jun 25, 2011
  2. Chippy_boy

    Chippy_boy Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    7
    Panic over (or reduced), I think.

    Having got a few hours' sleep, I thought of something. I checked the header in the malware email. I am not an expert on this stuff so I might be misinterpreting it, but there is a field "X-Originating-IP" and it does *not* show my IP address. I have checked other email from me and they *do* show my IP address, so it looks pretty conclusive that the malware email did not originate from my PC.

    This would explain - I guess - why all the scanners including NOD report my PC as being clean.

    But presumably it also means someone/something has managed to hack my server-side email account at Microsoft.

    Does this make sense? Can I be fairly confident my PC is "clean"? I use my PC for online banking, moving money around etc, so I am quite nervous.
     
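The header check described in the post above, as an added example that is not part of the forum thread: parse a message saved from the inbox, pull out X-Originating-IP and walk the Received: chain so the bottom-most hop (the one nearest the sender) can be compared against your own public IP. The sample message, host names and addresses are constructed (RFC 5737 documentation ranges); MY_PUBLIC_IP is a hypothetical value. The assumption that makes this meaningful is that the message arrived through your own provider, so the headers your provider stamped on it are trustworthy; any Received: line below the first hop your provider added can be written by the sender and proves nothing.

```python
"""Locate where a message in your own inbox actually entered the mail system.

Added example, not from the thread. Assumes the headers added by your own
provider (top of the Received: chain, X-Originating-IP) are trustworthy;
hops below the provider's first one are attacker-controlled text.
"""
import email
import email.message
import email.policy
import re
from typing import Dict, List, Optional

# Hypothetical: the address your own PC appears as on the internet.
MY_PUBLIC_IP = "192.0.2.77"

# Constructed sample. Header order matters: the first Received: is the most
# recent hop, the last Received: is the hop closest to whoever submitted it.
SAMPLE_MESSAGE = "\n".join([
    "Received: from mx-out.provider.example ([198.51.100.10])",
    "        by inbound.myisp.example with ESMTP id k2h9x;",
    "        Sat, 25 Jun 2011 02:14:11 +0000",
    "Received: from WEBMAIL-FE07 ([198.51.100.23])",
    "        by mx-out.provider.example with Microsoft SMTPSVC;",
    "        Sat, 25 Jun 2011 02:14:10 +0000",
    "X-Originating-IP: [203.0.113.45]",
    "From: chip@provider.example",
    "To: friend1@example.org, friend2@example.org",
    "Date: Sat, 25 Jun 2011 02:14:10 +0000",
    "Message-ID: <constructed-0001@provider.example>",
    "",
    "(body omitted)",
    "",
])

# "from <host> (<comment with IP>) by <host>" is the common shape of a hop.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s*\((?P<from_info>[^)]*)\)\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_message(raw: str) -> email.message.EmailMessage:
    """Parse a raw RFC 5322 message; policy.default unfolds continuation lines."""
    return email.message_from_string(raw, policy=email.policy.default)


def originating_ip(msg: email.message.EmailMessage) -> Optional[str]:
    """Address the webmail front end recorded for the submitting client, if any."""
    value = msg.get("X-Originating-IP")
    if value is None:
        return None
    m = IP_RE.search(str(value))
    return m.group(1) if m else None


def received_chain(msg: email.message.EmailMessage) -> List[Dict[str, Optional[str]]]:
    """One dict per parsable Received: hop, index 0 nearest you, index -1 nearest the sender."""
    hops = []
    for header in msg.get_all("Received", []):
        m = RECEIVED_RE.search(str(header))
        if not m:
            continue  # unusual format; skip rather than guess
        ip = IP_RE.search(m.group("from_info"))
        hops.append({
            "from_host": m.group("from_host"),
            "from_ip": ip.group(1) if ip else None,
            "by_host": m.group("by_host"),
        })
    return hops


def assess(raw: str, my_public_ip: str) -> dict:
    """Summarise whether the submission looks like it came from the given address."""
    msg = parse_message(raw)
    orig = originating_ip(msg)
    hops = received_chain(msg)
    return {
        "originating_ip": orig,
        # None means the header was absent, which is itself worth noting.
        "sent_from_my_ip": (orig == my_public_ip) if orig else None,
        "submission_hop": hops[-1] if hops else None,
        "hops": hops,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_MESSAGE, MY_PUBLIC_IP).items():
        print(f"{key}: {value}")
```

In the sample the submission came in via the provider's webmail front end from 203.0.113.45, not from MY_PUBLIC_IP, which is the pattern the post describes: a compromised account used from elsewhere rather than a mail client on the PC. A dynamic home address changes over time, so compare against the address you had at the Date: in the header, not necessarily today's.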
  3. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    You can never be sure unless you restore with a back-up image that you have created. I hope that you have created a back-up image, did you?

    Did you also scan with MBAM, SAS and NPE? Be careful with NPE though because of false positives.

    Thanks.
     
    Last edited: Jun 25, 2011
  4. Chippy_boy

    Chippy_boy Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    7
    Thanks - yes, I have plenty of backups. I was hoping to not have to do that though because of all the hassle. But I can do so if it's the only safe thing to do.

    Here's another strange thing though: The suspect files (the 5 .exe's mentioned above) had a creation date of 16th May, but none of the backups either before or after that date contain the suspect files!??!? All of the other files in that folder have been backed up, but not those.

    Which leads me to believe the 16th May creation date is spoofed somehow and the files were created some time later.

    I have run MBAM already (still says clean) and I will try SAS and NPE.

    Cheers,

    Chip
     
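The backup argument in the post above, written out as an added example that is not part of the thread: if a file claims a creation date of 16 May yet is absent from every complete backup of that folder taken after 16 May, the claimed timestamp cannot be genuine and the real creation time is later than the newest backup that lacks it. The second function adds two common timestomp indicators on the NTFS timestamps themselves; both are heuristics, and the comments note where they give false positives. The backup inventory and timestamp values are constructed.

```python
"""Reason about a file whose creation timestamp looks spoofed.

Added example, not from the thread. Two independent checks:
  1. consistency of the claimed creation time with a backup inventory
  2. indicators on the timestamps themselves (heuristic, see caveats)
All data below is constructed.
"""
from datetime import datetime, timezone
from typing import List, Optional, Set, Tuple


def utc(y: int, m: int, d: int, hh: int = 0, mm: int = 0) -> datetime:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc)


# Constructed inventory: (time the backup ran, files it captured from the Temp folder).
# Each entry is assumed to be a complete copy of that folder at that moment.
BACKUPS: List[Tuple[datetime, Set[str]]] = [
    (utc(2011, 5, 20), {"b.txt", "c.log"}),
    (utc(2011, 6, 1), {"b.txt", "c.log"}),
    (utc(2011, 6, 20), {"b.txt", "c.log"}),
]

SUSPECT = "a.exe"
CLAIMED_CREATED = utc(2011, 5, 16)  # what Explorer shows as the creation date


def check_against_backups(name: str, claimed_created: datetime,
                          backups: List[Tuple[datetime, Set[str]]]
                          ) -> Tuple[bool, Optional[datetime]]:
    """Return (consistent, lower_bound_on_real_creation).

    A backup taken after the claimed creation time that does not contain the
    file contradicts that time. The newest such backup is a lower bound on
    when the file really appeared.
    """
    missing_after = [t for t, files in backups if t > claimed_created and name not in files]
    if not missing_after:
        return True, None
    return False, max(missing_after)


NS_PER_SECOND = 1_000_000_000


def timestomp_indicators(created_ns: int, modified_ns: int) -> List[str]:
    """Heuristic indicators on a pair of nanosecond timestamps (as from os.stat(...).st_*_ns).

    Caveats: a plain file copy also yields created > modified, and some
    archive extractors write second-granularity times, so treat hits as
    leads to confirm against other evidence (backups, MFT $FILE_NAME times).
    """
    flags = []
    if created_ns > modified_ns:
        flags.append("created after last modified (also normal for copied files)")
    if created_ns % NS_PER_SECOND == 0 and modified_ns % NS_PER_SECOND != 0:
        flags.append("creation time has a zero sub-second part while modified time does not")
    return flags


if __name__ == "__main__":
    ok, bound = check_against_backups(SUSPECT, CLAIMED_CREATED, BACKUPS)
    print(f"{SUSPECT}: claimed creation consistent with backups? {ok}; real creation after {bound}")
    # Constructed stat values: creation exactly on the second, modification with a fraction.
    created = 1305504000 * NS_PER_SECOND          # 2011-05-16 00:00:00 UTC
    modified = 1308392753 * NS_PER_SECOND + 123_000_000
    for flag in timestomp_indicators(created, modified):
        print("indicator:", flag)
```

The backup check is the stronger of the two because it rests on evidence outside the suspect file's own metadata, which is exactly why it caught what the scanners and the visible timestamp did not.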
  5. CogitoTesting

    CogitoTesting Registered Member

    Joined:
    Jul 4, 2009
    Posts:
    901
    Location:
    Sea of Tranquility, Luna
    My next step is to create a boot CD or DVD and scan; thus, you would probably have a better chance in cleaning your computer.

    Check this out: http://www.sarducd.it/


    Avira and Kaspersky rescue CDs are my two favorites

    Thanks.
     
    Last edited: Jun 25, 2011
  6. Hungry Man

    Hungry Man Registered Member

    Joined:
    May 11, 2011
    Posts:
    9,148
    Run rkill and then MBAM.

    Also run from a safe computer and a safe network and change your email password.
     
  7. Spooony

    Spooony Registered Member

    Joined:
    Apr 30, 2011
    Posts:
    514
    You will have to do manual cleaning routines first. Use CCleaner to clean out the temp folders and clear your quarantine folders.

    Then uninstall your old Java first. Install the newest updates for it. Do the same with Adobe Flash as well.

    Then disable your antivirus. Make sure that UAC is disabled as well and make sure you're booted into normal mode, then run the following apps in the following order:
    Rkill
    SUPERAntiSpyware
    Malwarebytes
    TDSSKiller from Kaspersky
    ComboFix

    When they're done:
    enable UAC
    Disable System Restore, then reboot. Then enable System Restore.
    Enable your AV, update it and run a full system scan. When it's done, go to a cmd prompt and enter
    SFC /scannow with your Windows disk in the tray.
     
  8. Chippy_boy

    Chippy_boy Registered Member

    Joined:
    Jun 25, 2011
    Posts:
    7
    Thanks everyone.

    I ran Kaspersky from the linux rescue disk and it came back clean (after god knows how many hours!).

    I just tried running Rkill and my Comodo firewall's "Defense+" engine objects, saying Rkill contains a trojan. Is this something I should be worried about? I don't like running something that my system is saying contains a trojan!
     
  9. rcdailey

    rcdailey Registered Member

    Joined:
    Dec 25, 2009
    Posts:
    233
    It's not your system that is saying this; it is Comodo, a third-party application, that is saying this.

    Having used Comodo with Defense+, I think you should disable Defense+ while you are trying to clean your system. Defense+ has to learn about every new application and will not allow anything new to run without your okay. It's not a scanner that is really identifying a dangerous app. Added: In the sense that Rkill is going to go into the root of your system and kill malware, it will be acting like a trojan, and that is what you want Rkill to do.

    In ancient times (in computer terms) there was a product from another vendor (who shall not be named) that relocated the MBR and replaced it with its own version, thus inoculating the system against a boot sector virus. Other products would sometimes identify this as an infection, because, in fact, it was an infection of the boot sector. It was a "good" infection, but an infection, nevertheless.
     
    Last edited: Jun 28, 2011