win32/Kheagol.c trojan - netpqbs.dll

Discussion in 'ESET NOD32 Antivirus' started by ffcoltddp, Mar 23, 2010.

Thread Status:
Not open for further replies.
  1. ffcoltddp, Registered Member (joined Mar 23, 2010; posts: 1)

    NOD32 version 3 today detected c:\windows\system32\netpqbs.dll as a variant of win32/Kheagol.c trojan. It appears that today's update (4969) has definitions for this. NOD32 quarantined this file. Now Cisco VPN, Microsoft Outlook and other programs complain that this dll no longer exists.

    I checked two other systems and they don't have this dll. I restored the dll and everything works fine, however NOD32 just removes it on the next scan. I searched the registry for this dll. It does not find it.

    Anyone have any suggestions? I don't have much time. I'll most likely just have to restore the PC.

    Thanks,
     
  2. carlangaslangas, Registered Member (joined Mar 24, 2010; posts: 1)

    Do not restore any netxxxx.dll that comes up missing; those are the infected ones! Mine was called neteisbvb.dll. I am guessing that the virus randomizes the dll name.
    The virus modifies the imm32.dll so it calls the netxxxx.dlls, but NOD does not have a way to restore the original imm32.dll.
    What you need to do is restore the imm32.dll from the Windows CD.
    You do that by using the EXPAND command on the imm32.dl_ file that's on the CD and replacing the infected imm32.dll in your system32 folder.
    Once you do that, the imm32.dll won't try to call the netxxxx.dlls anymore and you won't get any more messages.
    I hope this helps. It solved my problem.
    If you need additional help on restoring the DLL, Google it.
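
A check to run before the replacement carlangaslangas describes, as an added example that is not part of either post: it expands the CD copy into a staging folder and compares it byte for byte with the installed imm32.dll. The CD drive letter D:, the I386 folder and the staging path are assumptions, as is a CD at the same service pack level as the installed system (otherwise the files differ regardless).

```batch
@echo off
rem Added example, not from the thread. Assumed values: CD drive D:, the
rem I386 folder on the CD, and the staging folder C:\imm32-check.
setlocal
set "CD_SRC=D:\I386\IMM32.DL_"
set "STAGE=C:\imm32-check"
set "LIVE=%SystemRoot%\system32\imm32.dll"

if not exist "%CD_SRC%" (
    echo Compressed source not found: %CD_SRC%
    exit /b 2
)
if not exist "%STAGE%" mkdir "%STAGE%"

rem Remove any copy left by an earlier run so a stale file is never compared.
if exist "%STAGE%\imm32.dll" del /f /q "%STAGE%\imm32.dll"

rem Decompress the CD copy into the staging folder, not over the live file.
expand "%CD_SRC%" "%STAGE%\imm32.dll" >nul
if not exist "%STAGE%\imm32.dll" (
    echo EXPAND did not produce %STAGE%\imm32.dll
    exit /b 2
)

rem Binary compare: FC returns 0 when identical, 1 when the files differ,
rem and 2 when a file cannot be found.
fc /b "%STAGE%\imm32.dll" "%LIVE%" >nul
if errorlevel 2 (
    echo FC could not read one of the files.
    exit /b 2
)
if errorlevel 1 (
    rem Keep the installed file for later analysis before it is replaced.
    copy /y "%LIVE%" "%STAGE%\imm32.dll.installed" >nul
    echo DIFFERENT: installed imm32.dll does not match the CD copy.
    echo Installed copy saved as %STAGE%\imm32.dll.installed
    exit /b 1
)
echo MATCH: installed imm32.dll is identical to the CD copy.
exit /b 0
```

Exit code 1 means the installed file differs from the CD copy and a sample has been preserved; the script never writes to system32.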
     