Nod32

I recently had a trojan horse virus in my system32 folder.  F-Prot Antivirus
detected it but would not clean it, move it, or delete it.  I installed the
trial version of Nod32 and updated to the latest signature files.  Nod 32
didn't even detect the trojan horse.  It only indicated that there was a
file it couldn't open.

I then installed AVG Antivirus Free Edition and ran a scan.  AVG detected
the trojan horse and moved it to the Virus Vault.

Maybe I'm missing something here but it looks as though AVG runs circles
around both F-Prot and Nod32.  I'm far from an expert on the subject so if
anyone has relevant information, I'd appreciate it greatly.

Oh, by the way, the trojan horse was identified as winjhe32.dll

-- Mike




Re: Nod32


NOD32 does have several options that can be enabled in scanning detection.
When I first used NOD32, it had missed some things and I ran that way for
some time, until I changed its scanning to make it do deeper scans.

NOD32 also has its Deep analysis feature and that takes at least an hour
to run on my laptop. I use that feature on occasion.

Duane :)




Re: Nod32


| I recently had a trojan horse virus in my system32 folder.  F-Prot Antivirus
| detected it but would not clean it, move it, or delete it.  I installed the
| trial version of Nod32 and updated to the latest signature files.  Nod 32
| didn't even detect the trojan horse.  It only indicated that there was a
| file it couldn't open.
|
| I then installed AVG Antivirus Free Edition and ran a scan.  AVG detected
| the trojan horse and moved it to the Virus Vault.
|
| Maybe I'm missing something here but it looks as though AVG runs circles
| around both F-Prot and Nod32.  I'm far from an expert on the subject so if
| anyone has relevant information, I'd appreciate it greatly.
|
| Oh, by the way, the trojan horse was identified as winjhe32.dll
|
| -- Mike
|

Yep...

You missed something alright.

For example, what was the fully qualified name and path to the file that was
deemed to be infected, and the name both F-Prot and AVG declared it to be
infected with?

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Nod32

c:\windows\system32\winjhe32.dll (Trojan Horse Generic. YIG.)





Re: Nod32


| c:\windows\system32\winjhe32.dll (Trojan Horse Generic. YIG.)
|

You are saying that BOTH F-Prot and AVG called "winjhe32.dll" a generic Trojan ?

I am wondering if this is really a heuristic detection or an adware Trojan.

It is also possible that the reason it could not easily be removed is because it
is being used by the Winlogon Notify function.

Is the following in the Registry ? ( NOTE:  it may have already been removed )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjhe32


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Nod32

Dave:

Yes, both F-Prot and AVG.  Like you, I have to wonder if it really is a
Trojan.  Nod32 doesn't seem to have an issue with it; but then again Nod32
considers it a locked file.  AVG moved the file to the Virus Vault and all
my programs still function normally.  I don't know; so I'll have to defer to
your expertise.  I did a search on the web for information on the file and
nothing shows up.  I have an e-mail in to F-Prot regarding the situation so
maybe they'll have some more info on it.  Computers!

Thanks for taking the time to think about it.

-- Mike






Re: Nod32


| Dave:
|
| Yes, both F-Prot and AVG.  Like you, I have to wonder if it really is a
| Trojan.  Nod32 doesn't seem to have an issue with it; but then again Nod32
| considers it a locked file.  AVG moved the file to the Virus Vault and all
| my programs still function normally.  I don't know; so I'll have to defer to
| your expertise.  I did a search on the web for information on the file and
| nothing shows up.  I have an e-mail in to F-Prot regarding the situation so
| maybe they'll have some more info on it.  Computers!
|
| Thanks for taking the time to think about it.
|
| -- Mike
|


Mike:

If it is in the vault, extract it and then please submit a sample to Virus Total
--
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it.  In addition,
unless told otherwise, Virus Total will provide the sample to all participating
vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:scan@virustotal.com?subject=SCAN

When you get the report, please post back the exact results.


--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm



Re: Nod32

Complete scanning result of "winjhe32.dll", received in VirusTotal at
07.24.2006, 02:22:51 (CET).

      Antivirus Version Update Result
      AntiVir n - no virus found
      Authentium n - no virus found
      Avast n - no virus found
      AVG n - no virus found
      BitDefender n - no virus found
      CAT-QuickHeal n - no virus found
      ClamAV n - no virus found
      DrWeb n - no virus found
      eTrust-InoculateIT n - no virus found
      eTrust-Vet n - no virus found
      Ewido n - no virus found
      Fortinet n - no virus found
      F-Prot n - no virus found
      F-Prot4 n - no virus found
      Ikarus n - no virus found
      Kaspersky n - no virus found
      McAfee n - no virus found
      Microsoft n - no virus found
      NOD32v2 n - no virus found
      Norman n - no virus found
      Panda n - no virus found
      Sophos n - no virus found
      Symantec n - no virus found
      TheHacker n - no virus found
      UNA n - no virus found
      VBA32 n - no virus found
      VirusBuster n - no virus found


      Aditional Information
      File size: 0 bytes
      MD5: d41d8cd98f00b204e9800998ecf8427e
      SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709

      ----------------------------------







Re: Nod32


< snip >

|
|       Aditional Information
|       File size: 0 bytes
|       MD5: d41d8cd98f00b204e9800998ecf8427e
|       SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
|


File size: 0 bytes -- it really wasn't submitted { sigh }

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm
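Two checks from this thread, written here as an added example and not code from any poster: Dave's question about a Winlogon Notify entry for the file, and his later observation that the VirusTotal report's 0-byte size and empty-file digests mean nothing was actually uploaded. The sample bytes in the usage line and the test are constructed; the registry sweep only runs on a Windows host.

```python
import hashlib
import sys

# Digests of the zero-length file, the values shown in the thread's
# VirusTotal report; matching them means no file content was uploaded.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"

def check_bytes(data):
    """Size and digests of an in-memory sample, plus whether it is worth
    submitting (a 0-byte sample means the vault extract or upload failed)."""
    md5 = hashlib.md5(data).hexdigest()
    sha1 = hashlib.sha1(data).hexdigest()
    ok = len(data) > 0 and md5 != EMPTY_MD5 and sha1 != EMPTY_SHA1
    return {"size": len(data), "md5": md5, "sha1": sha1, "submittable": ok}

def check_sample(path):
    """Same check for a file on disk, e.g. a DLL extracted from the vault."""
    with open(path, "rb") as fh:
        return check_bytes(fh.read())

def winlogon_notify_entries():
    """(package name, DLLName) pairs under HKLM\\...\\Winlogon\\Notify.
    winlogon.exe loads these DLLs at logon, which is why such a file can
    look 'locked' to a scanner. Returns [] on non-Windows hosts."""
    if sys.platform != "win32":
        return []
    import winreg
    base = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    dll = winreg.QueryValueEx(sub, "DLLName")[0]
                except OSError:  # package registered without a DLLName value
                    dll = None
                entries.append((name, dll))
    return entries

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(check_sample(sys.argv[1]))  # e.g. the extracted winjhe32.dll
    for name, dll in winlogon_notify_entries():
        print(f"Winlogon Notify package {name!r} loads {dll}")
```

Run it on the extracted file before uploading; a report of `submittable: False` is the thread's 0-byte situation, and any Notify package naming an unfamiliar DLL is worth comparing against the path the scanners flagged.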



Re: Nod32

I will now do what the French do best -- give up.  :>)






Re: Nod32


| I will now do what the French do best -- give up.  :>)
|

OK  :-(

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm


