Winlogon.exe and _ not detected

Discussion in 'NOD32 version 2 Forum' started by Phant0m, Mar 23, 2004.

Thread Status:
Not open for further replies.
  1. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    There has been a user seriously infected; I ran the bad file(s) through NOD32 with the most recent definitions, to no avail.

    At the moment e-mailing to submit isn't an option; I can, however, send it highly compressed in .zip format over ICQ or MSN to whoever is involved with NOD32...
     
  2. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    In addition, NOD32 is properly configured. ;)
     
  3. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Phant0m,

    You do know my email address - password-protect the zip file and let me have it. Apart from that, info concerning the user in question would be appreciated.

    regards.

    paul
     
  4. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Paul

    I've sent the e-mail to the address that's in your profile...
     
  5. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks! ;)

    regards.

    paul
     
  6. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you suspect your computer has contracted a virus even though NOD32 does not report anything, I suggest you run the NOD32 scanner with the /ah parameter and submit any probably unknown New_PE viruses found to samples@nod32.com (should there be any problem with scanning due to the virus infection, please carry out a scan in Safe Mode).
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    No email as of yet, Phant0m o_O

    regards.

    paul
     
  8. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Not my computer; a user's computer "was" infected.
    This person was using lame Norton Anti-Virus; I was going to recommend NOD32 to them, but since NOD32 wouldn't pick up the bad files, which I highly compressed, sent over via NetMeeting and scanned, there was no point in that…

    As for my e-mail which didn't arrive: as I had said in my first post, that was not an option, but I tried all the same…
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Phant0m,

    That explains it. Any reason why e-mail isn't an option? (We can take this to IM if you want to.)

    regards.

    paul
     
  10. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Paul

    No need to take it to IM; I have nothing I can't say in front of my Wilders family…

    My SMTP server filters! Need to say more?
     
  11. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    If it's the bad winlogon.exe that is associated with a CWS hijack, then most antiviruses/anti-trojans do not see it as a bad file. It's a very thin dividing line between adware/spyware and virus/trojan nowadays, and almost all antiviruses do not detect most of the CWS hijackers.

    It has no viral code inside of it but is a dropper/installer for CWS.

    The only application I know that removes it, and only on XP, is CWShredder.

    Otherwise it needs manual removal.
     
  12. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    We can talk about that, as you are aware, but that's a matter unrelated to this forum. In case you feel like it, drop me an IM.

    regards.

    paul
     
  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    There isn't much to say, unless someone on the NOD32 Team has MSN or ICQ, or an upload service.
     
  14. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
  15. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Thanks for the files anyway; received in the meantime ;)

    regards.

    paul
     
  16. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
    I am glad we found what the problem is.

    As I said in my previous post, it is a very thin dividing line between adware/spyware and trojans/viruses.

    A lot of adware/spyware use trojan techniques to install on the computer.

    I wouldn't dream of suggesting whether an antivirus is right or wrong in not detecting these parasites, as that is a matter for a different discussion, but NOD, along with other antiviruses, has to make an educated decision about what detections to include and whether their user base needs protecting against that particular parasite.

    But I do wish NOD had an upload service rather than an e-mail submission service, as it makes it much easier & safer to send them suspicious samples & files.
     
  17. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    To most this would be a problem, and it was a problem for the user I remoted yesterday evening. But it was far from being a problem for me: using the DC-friendly dellater.exe program to mark the main two executables on the WinXP system for deletion at the next boot-up, removing its BHO, getting rid of its main source location (\System32\Services\) and the rest of its left-behind registry entries, it was as easy as that.

    And unlike many, I do know the difference between viruses, trojans and spyware…
    And this baby was definitely trojan & spyware, and I feel an AV should deal with these types of infections…

    As for an upload service, I agree.
     
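The clean-up the post above describes (mark the dropped executables for deletion at next boot, remove the BHO and the \System32\Services\ drop directory, clear the autostart entries) can be scripted. The following PowerShell is an added example for this thread, not code from the poster, from dellater.exe or from CWShredder. It assumes the rogue files live under $env:SystemRoot\System32\Services (the only location the post names); the BHO's CLSID and the exact registry values are not given on the page, so the script lists them for the operator instead of deleting them. The "delete on next boot" step uses the Win32 MoveFileEx call with MOVEFILE_DELAY_UNTIL_REBOOT, which queues the path in PendingFileRenameOperations so Session Manager removes it before anything can lock it again. Without -Apply the script only reports.

```powershell
#Requires -RunAsAdministrator
# Added example for the CWS winlogon.exe thread; not the poster's own tool.
# Assumption: the dropped files sit in $SuspectDir (System32\Services per the post).
param(
    [string]$SuspectDir = (Join-Path $env:SystemRoot 'System32\Services'),
    [switch]$Apply   # report only unless -Apply is given
)

$legit = Join-Path $env:SystemRoot 'System32\winlogon.exe'

# P/Invoke MoveFileEx; a null target plus MOVEFILE_DELAY_UNTIL_REBOOT (0x4)
# queues a delete in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations.
$k32 = Add-Type -Namespace Win32 -Name Kernel32 -PassThru -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern bool MoveFileEx(string lpExistingFileName, string lpNewFileName, int dwFlags);
'@

function Invoke-DeleteOnReboot([string]$Path) {
    if (-not $k32::MoveFileEx($Path, $null, 4)) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "MoveFileEx failed for ${Path} (Win32 error $err)"
    }
    Write-Host "queued for deletion at reboot: $Path"
}

# 1. Any running winlogon.exe whose image is not the one in System32 is suspect.
Get-Process -Name winlogon -ErrorAction SilentlyContinue | ForEach-Object {
    if ($_.Path -and $_.Path -ne $legit) {
        Write-Warning "winlogon.exe running from $($_.Path) (PID $($_.Id))"
    }
}

# 2. Files in the drop directory: show Authenticode status so the real,
#    catalog-signed system binaries are not confused with the dropped copies.
$files = @()
if (Test-Path $SuspectDir) {
    $files = @(Get-ChildItem $SuspectDir -File)
    foreach ($f in $files) {
        $sig = Get-AuthenticodeSignature $f.FullName
        Write-Host ("{0,-12} {1}" -f $sig.Status, $f.FullName)
    }
}

# 3. Autostart values (HKLM/HKCU Run) that point into the drop directory.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runHits = @(foreach ($key in $runKeys) {
    $props = Get-ItemProperty $key -ErrorAction SilentlyContinue
    if ($props) {
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -like "*$SuspectDir*") {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Value = $p.Value }
            }
        }
    }
})
$runHits | Format-Table -AutoSize

# 4. Browser Helper Objects: CLSID and the DLL each one loads. The thread does
#    not name the hijacker's CLSID, so the operator picks the one to remove.
$bhoKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects'
Get-ChildItem $bhoKey -ErrorAction SilentlyContinue | ForEach-Object {
    $clsid = $_.PSChildName
    $srv = Get-ItemProperty "HKLM:\SOFTWARE\Classes\CLSID\$clsid\InprocServer32" -ErrorAction SilentlyContinue
    [pscustomobject]@{ CLSID = $clsid; Dll = $srv.'(default)' }
} | Format-Table -AutoSize

if ($Apply) {
    foreach ($h in $runHits) { Remove-ItemProperty -Path $h.Key -Name $h.Name }
    # Files first, directory last: PendingFileRenameOperations is processed in
    # order, and a directory can only be removed once it is empty.
    foreach ($f in $files) { Invoke-DeleteOnReboot $f.FullName }
    if (Test-Path $SuspectDir) { Invoke-DeleteOnReboot $SuspectDir }
}
```

Run it once without -Apply, confirm that the winlogon.exe reported is the copy in the drop directory and not the real one in System32, pick the BHO CLSID from the listing, and only then rerun with -Apply and reboot. The same delete-at-reboot mechanism is what lets a running, locked executable be removed without booting into Safe Mode, which is the practical problem the post solved with dellater.exe.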
  18. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    I'm sure you can handle these issues, Phant0m ;)

    I for one do agree with your definition of "this baby". In essence, I do agree with your conclusion as well. All in all, all this becomes more hybrid as we speak...

    That's quite a different story - worthy for a separate thread ;)

    regards.

    paul
     