Any NOD32 users?

Sir Seifus Halbred

Wilds Pathfinder

Join Date: Oct 2006

Just curious if anyone has NOD32 anti-virus, because I got this message around yesterday when I logged on to my account, and every time I log on since.

I did a virus scan and it found nothing. Not sure what the message means. Can anyone help? Is it a serious threat? Why does the message show every time I log on?

Pic:

Image removed to hide the URL.

Smal

Ascalonian Squire

Join Date: Aug 2007

netherlands

W/E

I'm using NOD32 but haven't seen that before. I see that it's about an internet site, have you tried deleting your browser history? (just a wild guess)

fusa

Krytan Explorer

Join Date: Mar 2007

I use NOD32, never seen that message before. I would go to Tools>Quarantine and delete the object. It looks like it's blocking access to that website. Although I always get messages in the web browser that the site is blocked, not as a pop-up from the system tray. Looks like something is trying to download a worm and NOD32 is doing its job. I would run a few anti-spyware applications to find out what. NOD32 does a good job with viruses but is pretty much useless for spyware.

Sir Seifus Halbred

Wilds Pathfinder

Join Date: Oct 2006

Quote:
Originally Posted by fusa View Post
I use NOD32, never seen that message before. I would go to Tools>Quarantine and delete the object. It looks like it's blocking access to that website. Although I always get messages in the web browser that the site is blocked, not as a pop-up from the system tray. Looks like something is trying to download a worm and NOD32 is doing its job. I would run a few anti-spyware applications to find out what. NOD32 does a good job with viruses but is pretty much useless for spyware.
Ah, "Tools" is only shown under advanced mode, just figured that out. I had it on standard. Hmm, I don't even recall the site, only the "/youtube".

Are you sure it's safe to delete the object under "quarantine?" I also see some other files under there.

Thanks for the help.

Lyynyyrd

Banned

Join Date: Jun 2008

Aussie Trolling Crew - Spah!

Quote:
Originally Posted by Sir Seifus Halbred View Post
Ah, "Tools" is only shown under advanced mode, just figured that out. I had it on standard. Hmm, I don't even recall the site, only the "/youtube".

Are you sure it's safe to delete the object under "quarantine?" I also see some other files under there.

Thanks for the help.
bnsetup......

Can you find out the entire link? "Setup" suggests that it may be a download for an infected .exe or something like that.

fusa

Krytan Explorer

Join Date: Mar 2007

Yes, it's safe to delete anything in quarantine, they're completely inaccessible to you anyway, unless you tell NOD32 to restore them. If you see something there that you know is a false positive then restore, else delete. Not sure which firewall you have, if you don't have Comodo or a decent one get one. But probably the most important thing to do is run anti-spyware soon, especially since NOD32 isn't picking it up. There are free versions of Malwarebytes' Anti-Malware & RogueRemover, Ad-Aware 2008, SUPERAntiSpyware, Spybot Search and Destroy, and SpywareBlaster. Unfortunately there isn't one good anti-spyware app, so it might take 2-3 to find what it is that's trying to download bnsetup18...

fusa

Krytan Explorer

Join Date: Mar 2007

http://vil.nai.com/vil/content/v_148955.htm also read this, see if you find any of the files mentioned. If you do, delete them in safe mode. Also search the registry using regedit and remove the registry keys mentioned. And go to c:\windows\system32\drivers\etc, open hosts in Notepad and remove the sites mentioned. Also if you see any others that seem suspicious, remove them.

Good entries for hosts (block access to bad sites by redirecting the request back to yourself):
Code:
127.0.0.1 localhost #needed as first entry
127.0.0.1 www.virusrus.com
0.0.0.0 www.spyonyou.com

Bad entry (reroutes attempts to use www.google.com to another site, most likely not wanted):
Code:
67.43.2.45 www.google.com


There's some good apps to use to manage hosts file, but this will be deleted if I say anything more...

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

You are not supposed to use the Hosts file to block websites.

fusa

Krytan Explorer

Join Date: Mar 2007

Why not? If it's directing to 127.0.0.1 or 0.0.0.0 and you don't have malware running as a webserver, it's a good way to block bad sites, pornography, etc. Unless you use a PAC file, which also does the same thing. Unless you mean it's against Guru rules, then tough shit, I'm not compromising security to view your ads.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

This is taken directly from my wiki article.


What is the Hosts file?
The Hosts file is used to look up the Internet Protocol address of a device connected to a computer network. The Hosts file describes a many-to-one mapping of device names to IP addresses. When accessing a device by name, the networking system will attempt to locate the name within the Hosts file if it exists. Typically, this is used as a first means of locating the address of a system, before accessing the Internet domain name system. The reason for this is that the Hosts file is stored on the computer itself and does not require any network access to be used, whereas DNS requires access to an external system, which is typically slower.
What should the Hosts file be used for?
The Hosts file should only be used for redirecting a website or a new IP address. This generally happens if your favorite website has relocated to a new host or their IP has changed. It sometimes takes a few days to update your DNS cache and sometimes it's also up to your ISP to refresh this information on their local cache.
What do you not use the Hosts file for?
Under no circumstance should you ever use your Hosts file to block malware or advertisements. It is not designed to be used in this manner despite what many websites falsely report. Coincidentally those sites also offer their own malware and ad-blocking Hosts files. Some websites will also recommend disabling the DNS Client service or setting it to Manual. By default it is set to Automatic and should not be changed.
Quote:
Originally Posted by MSKB 31880
Note: The overall performance of the client computer decreases and the network traffic for DNS queries increases if the DNS resolver cache is deactivated.

The DNS Client service optimizes the performance of DNS name resolution by storing previously resolved names in memory. If the DNS Client service is turned off, the computer can still resolve DNS names by using the network's DNS servers.

When the Windows resolver receives a positive or negative response to a query, it adds that positive or negative response to its cache, and as a result, creates a DNS resource record. The resolver always checks the cache before querying any DNS server. If a DNS resource record is in the cache, the resolver uses the record from the cache instead of querying a server. This behavior expedites queries and decreases network traffic for DNS queries.

You can use the Ipconfig tool to view and to flush the DNS resolver cache. To view the DNS resolver cache, type ipconfig /displaydns at a command prompt. Ipconfig displays the contents of the DNS resolver cache, including the DNS resource records that are preloaded from the Hosts file and any recently queried names that were resolved by the system. After a certain time period, the resolver discards the record from the cache. The time period is specified in the Time to Live (TTL) associated with the DNS resource record. You can also flush the cache manually. After you flush the cache, the computer must query DNS servers again for any DNS resource records previously resolved by the computer. To delete the entries in the DNS resolver cache, type ipconfig /flushdns at a command prompt.
This segment from the MSKB is why users should not alter their services unless under direct instruction from a technician.
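A small model of the resolver behaviour the MSKB passage describes, added here as an example; it is not Microsoft's code, does not talk to a real resolver, and the hosts entries, upstream answers, TTLs and negative-cache time are all constructed. It shows the three lookup stages in the quoted order (Hosts file, then the resolver cache with per-record TTL, then the DNS server), what `ipconfig /displaydns` and `ipconfig /flushdns` correspond to in that model, and how many queries reach the server for the same browsing session with the cache on versus off.

```python
"""Toy model of the Windows resolver: Hosts file first, then cache, then server."""

# Constructed stand-ins. HOSTS plays the part of the Hosts file (preloaded,
# never expiring); UPSTREAM plays the part of the ISP's DNS server, mapping a
# name to (address, TTL in seconds). Addresses are documentation-range values.
HOSTS = {"localhost": "127.0.0.1", "www.virusrus.com": "127.0.0.1"}
UPSTREAM = {
    "www.example.net": ("203.0.113.10", 3600),
    "mail.example.net": ("203.0.113.25", 60),
}
NEGATIVE_TTL = 300  # constructed: how long a "no such name" answer is kept


class Resolver:
    def __init__(self, hosts, upstream, cache_enabled=True):
        self.hosts = dict(hosts)
        self.upstream = upstream
        self.cache_enabled = cache_enabled   # False models a stopped DNS Client service
        self.cache = {}                      # name -> (answer or None, expiry time)
        self.upstream_queries = 0            # what the server actually receives

    def flush(self):
        """Like `ipconfig /flushdns`: drop learned records, keep the Hosts entries."""
        self.cache.clear()

    def display(self, now):
        """Like `ipconfig /displaydns`: Hosts entries plus unexpired positive records."""
        live = {n: a for n, (a, expiry) in self.cache.items()
                if expiry > now and a is not None}
        return {**self.hosts, **live}

    def resolve(self, name, now):
        """Return the address for `name` at time `now`, or None if it does not exist."""
        if name in self.hosts:
            return self.hosts[name]
        if self.cache_enabled:
            hit = self.cache.get(name)
            if hit is not None and hit[1] > now:
                return hit[0]                # positive or negative answer from cache
        self.upstream_queries += 1
        record = self.upstream.get(name)
        if record is None:
            answer, ttl = None, NEGATIVE_TTL  # negative response, also cached
        else:
            answer, ttl = record
        if self.cache_enabled:
            self.cache[name] = (answer, now + ttl)
        return answer


def upstream_queries_for_session(cache_enabled, visits=5, interval=60):
    """Count server queries for a session that revisits the same names every minute."""
    resolver = Resolver(HOSTS, UPSTREAM, cache_enabled)
    for i in range(visits):
        now = i * interval
        resolver.resolve("www.example.net", now)       # TTL 3600: at most one query an hour
        resolver.resolve("www.virusrus.com", now)      # answered from Hosts, never sent out
        resolver.resolve("no-such-host.invalid", now)  # negative answer, kept NEGATIVE_TTL
    return resolver.upstream_queries


if __name__ == "__main__":
    print("cache on :", upstream_queries_for_session(True), "upstream queries")
    print("cache off:", upstream_queries_for_session(False), "upstream queries")
```

With the cache on, the five-visit session sends two queries (one per distinct name that is not in the Hosts file); with it off, every visit goes to the server again, which is the extra traffic the quoted note refers to.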

fusa

Krytan Explorer

Join Date: Mar 2007

So? I increase traffic for my DNS server and the net. People using Usenet or torrents take up more bandwidth than repeated DNS queries. The slowdown from not caching locally isn't noticeable. The article you referred to just explains how to disable client-side DNS, it doesn't say this is a dangerous method at all. Referencing your own wiki as a source is ridiculous, try that in a college class and you're sure to get an F. Also some of the software you recommend adds entries to hosts files to block access to bad sites, Spybot S&D for one, I've also seen Malwarebytes' RogueRemover recommended here, which adds entries to the hosts file. Using the hosts file isn't a method to block spyware in itself, but I don't see it being bad as long as your source is a trusted one. PAC files can be used also, but most people aren't going to know how to edit one to remove a false positive.

Anyway, I was explaining how to remove the entries of the trojan the OP said was detected, not how to block web sites. The trojan adds entries to the hosts file, so I told him what to look for.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

The slowdown is noticeable in two ways.

One: Using the Hosts file with excessive entries. Every time you open your browser or even start Windows it has to load and parse every line inside the Hosts file. Windows uses the IECore so even Windows Explorer has to deal with all those entries.
Two: Disabling the DNS Client service. By disabling this service you no longer keep a local cache of your favorite and frequently visited websites. So your browser has to refer to the Hosts file. Oh but look, nothing in there except blocked sites. So after checking these two places it now has to go to your ISP's DNS and get the IP for the domain name.

Both of these cause much more work than you know. Every time you visit a website you're forcing your computer to access the ISP's DNS. Now this isn't just for first visit, it's for every single visit! That is a degrade in performance, increasing network activity in a very unnecessary manner as well.

On top of that, malware can quite easily compromise the Hosts file and alter it completely. It's safer to use SpywareBlaster, IESpyAds and other items which use the proper methods for blocking websites that are malicious. Even Spybot S&D's Immunize works well.

Flat out: It's just not a good idea, at all.


Sir Seifus Halbred:
It looks like your NOD32 took care of the problem. It also looks like a website tried to pose as YouTube and wanted you to download some "codecs" that are actually malware.

What site are you encountering this issue on?

fusa

Krytan Explorer

Join Date: Mar 2007

I installed a 130,000-entry hosts file on a P4 1.8GHz computer with 768MB of RAM, and there's no slowdown. There's another computer here that is slightly faster with a 300,000-entry hosts file that also isn't affected. The slowdown from using your ISP's host is extremely minimal. Even if it's a second or two, it's worth it to be sure a site you're visiting isn't a bad site.

Malware can change your hosts file entries whether or not you are using it to block sites.
BTW Spybot S&D uses the hosts file to block sites also....

Sir Seifus Halbred

Wilds Pathfinder

Join Date: Oct 2006

Quote:
Originally Posted by Tarun View Post
Sir Seifus Halbred:
It looks like your NOD32 took care of the problem. It also looks like a website tried to pose as YouTube and wanted you to download some "codecs" that are actually malware.

What site are you encountering this issue on?
So I shouldn't need to worry then? If it took care of the problem why do I get this message every time I log on then?

What site am I encountering this issue? I don't know what you mean. That image I posted is from NOD32 not from a website.


Oh, and by the way, I took fusa's advice and ran Spybot, it found nothing, so I tried running Ad-Aware 2008 but this happened...

So I opened Ad-Aware 2008 (Free Version) today and decided to run an update. During the update Ad-Aware 2008 closed and I got the Windows error message about how the program had an unexpected error and whether to send the report or not.

Now I can't even run Ad-Aware 2008? It won't open, or it is open but I can't see it?

I got this message when I clicked on the desktop shortcut.

I got this message when I clicked on the "Ad-Watch" desktop shortcut.

fusa

Krytan Explorer

Join Date: Mar 2007

Open task manager and close any program that might be adaware. I haven't used that in a few months so not very familiar with the name of the applications in taskmanager. Then try to run adaware, if that doesn't work, try rebooting.

Did you try this? http://vil.nai.com/vil/content/v_148955.htm It shows how to get rid of the Koobface worm, although you might have more than one infestation.

Also try the others I mentioned too, they are all free unless you want scheduling etc.

Sir Seifus Halbred

Wilds Pathfinder

Join Date: Oct 2006

Quote:
Originally Posted by fusa View Post
Open task manager and close any program that might be adaware. I haven't used that in a few months so not very familiar with the name of the applications in taskmanager. Then try to run adaware, if that doesn't work, try rebooting.
None of that worked. There was nothing on the Applications tab, so I had to find it in the Processes tab.

Quote:
Originally Posted by fusa View Post
Did you try this? http://vil.nai.com/vil/content/v_148955.htm It shows how to get rid of the Koobface worm, although you might have more than one infestation.

Also try the others I mentioned too, they are all free unless you want scheduling etc.
No, I didn't try any of those. I thought too many adware programs are bad and conflict with each other?

I like ad aware (well did until now) and spybot.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

You said,
Quote:
Originally Posted by Sir Seifus Halbred View Post
Just curious if anyone has NOD32 anti-virus, because I got this message around yesterday when I logged on to my account, and every time I log on since.
So I figured you were getting it when you logged into a website. As such, I asked which one. You say you're encountering it when you log on. What are you logging on to that causes this problem?

Ad-Aware was good until the 2007 series. With all the things that used to be standard that they now want people to pay for they have effectively crippled the application. Spybot is good at detecting traces that some programs like SUPERAntiSpyware and Malwarebytes Anti-Malware miss. The best part of Spybot is the Immunization feature though.

If you're concerned about infections, then please download my Anti-Malware Toolkit and get the Professional package. You can then follow the wiki guide to clean up your computer.

It would be wise to run the scans and post a HijackThis log. Wait for myself or someone else from the Technician group to assist you further in order to prevent any potential confusion.

fusa

Krytan Explorer

Join Date: Mar 2007

I have all the ones I listed installed, and have had no conflicts. I don't like rogue remover too much. Also I uninstalled adaware when it refused to update, wouldn't connect to the update site. But not as bad as the problems you are having. You can only have one AV installed at a time so don't try that, nod32 is enough.

Sir Seifus Halbred

Wilds Pathfinder

Join Date: Oct 2006

Quote:
Originally Posted by Tarun View Post
You said,

So I figured you were getting it when you logged into a website. As such, as I asked which one. You say you're encountering it when you log on. What are you logging on to that causes this problem?
Log on to my computer account. You know the windows main screen? (log-in screen-You click your name and enter your password and log in)


Quote:
Originally Posted by Tarun View Post
Ad-Aware was good until the 2007 series. With all the things that used to be standard that they now want people to pay for they have effectively crippled the application. Spybot is good at detecting traces that some programs like SUPERAntiSpyware and Malwarebytes Anti-Malware miss. The best part of Spybot is the Immunization feature though.

If you're concerned about infections, then please download my Anti-Malware Toolkit and get the Professional package. You can then follow the wiki guide to clean up your computer.

It would be wise to run the scans and post a HijackThis log. Wait for myself or someone else from the Technician group to assist you further in order to prevent any potential confusion.
Oh god, the thought of posting a HijackThis log sends me chills. I followed that advice on a PC forum from a PC analyst expert and it didn't help.

He made me run HijackThis for an issue I was having that had nothing to do with malware, viruses, etc. And the other times I did need to do HijackThis it was a looong and extremely frustrating process.

Especially since I share this computer and I can't just leave it on. I had to basically sit on my computer for hours waiting for him to reply. He'd tell me to do the steps for hijack this then leave and not come back for 2 days.

I'm not having any serious issues, or any issues at all, just curious what that message means. If it isn't serious and NOD32 is doing its job then it's fine. Just curious why the message shows every time I log onto my account.

Regarding Ad-Aware 2008:

P.S. So does anyone know about the Ad-Aware issue? I think I'm just going to uninstall it. However, will I be notified if it turns out it is still running when I attempt to uninstall it? I hear whenever you want to uninstall something it should NOT be running.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Well I'm not going to leave you waiting for days.

I removed your screenshot of the NOD result because that did show the link to malware. I'm going to drop it into a VM and see how it reacts.

Lyynyyrd

Banned

Join Date: Jun 2008

Aussie Trolling Crew - Spah!

Quote:
Originally Posted by tarun View Post
well i'm not going to leave you waiting for days.

i removed your screenshot of the nod result because that did show the link to malware. I'm going to drop it into a vm and see how it reacts.
score: 1 for the amateur!

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

tinyproxy.exe is one of the processes that gets installed if the exe is allowed to run. Avast found and deleted it.

KZaske

Jungle Guide

Join Date: Jun 2006

Boise Idaho

Druids Of Old (DOO)

R/Mo

Quote:
Originally Posted by Tarun View Post
Sir Seifus Halbred:
It looks like your NOD32 took care of the problem. It also looks like a website tried to pose as YouTube and wanted you to download some "codecs" that are actually malware.

What site are you encountering this issue on?
I managed to have malware installed from YouTube just that way. But it was multi-part and the "codec" was a downloader that had a short field day. Both avast and Spybot S&D missed it until I had another AV doing a scan.

Tarun, if you want the details I can provide most of them to you.

xRustyx

Banned

Join Date: Jan 2006

Bermuda Triangle

W/

NOD32 is straight up G and I use it cuz it keeps the five-o off the block.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Quote:
Originally Posted by KZaske View Post
I managed to have malware installed from YouTube just that way. But it was multi-part and the "codec" was a downloader that had a short field day. Both avast and Spybot S&D missed it until I had another AV doing a scan.

Tarun, if you want the details I can provide most of them to you.
Please do.

The only scanner that found anything was avast; SAS, MBAM, and Spybot did not find anything.

Sir Seifus Halbred

Wilds Pathfinder

Join Date: Oct 2006

Update: Got Ad-Aware 2008 to open, did a FULL scan last night, it found the same thing NOD32 found and removed it. Haven't seen the pop-up message from NOD32 since. I think it's solved.

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

Could you post the log from Ad-Aware 2008 please? Be sure to wrap it in a codebox.

Sir Seifus Halbred

Wilds Pathfinder

Join Date: Oct 2006

I would if I knew how. Care to explain, please?

Tarun

Technician's Corner Moderator

Join Date: Jan 2006

The TARDIS

http://www.lunarsoft.net/ http://forums.lunarsoft.net/

I just had to install it into a VM and I must say, wow, is it ever garbage. Even after cleaning out tracking cookies, I can't see a log through the program. Instead, you have to navigate to...

If installed for All Users:
Code:
C:\Documents and Settings\All Users\Application Data\Lavasoft\Ad-Aware\logs\
If installed for just your account:
Code:
C:\Documents and Settings\USERNAME\Application Data\Lavasoft\Ad-Aware\logs\
On Vista it will be slightly different.

My log was named: Ad-Aware 20080928 20-12-21.log.xml

You can copy it to the desktop, zip it and host it with a file sharing service like Rapidshare or Mediafire.