Guild Wars Forums - GW Guru
 
 

Old Sep 25, 2008, 07:37 PM // 19:37   #1
Wilds Pathfinder
 
Sir Seifus Halbred's Avatar
 
Join Date: Oct 2006
Any NOD32 users?

Just curious if anyone has NOD32 anti-virus, because I got this message around yesterday when I logged on to my account, and every time I log on.

I did a virus scan and it found nothing. Not sure what the message means. Can anyone help? Is it a serious threat? Why does the message show every time I log on?

Pic:

Image removed to hide the URL.

Last edited by Tarun; Sep 26, 2008 at 10:44 PM // 22:44.. Reason: Removed image that had malware link.
Sir Seifus Halbred is offline   Reply With Quote
Old Sep 25, 2008, 08:32 PM // 20:32   #2
Ascalonian Squire
 
Smal's Avatar
 
Join Date: Aug 2007
Location: netherlands
Profession: W/E
Default

I'm using NOD32 but haven't seen that before. I see that it's about an internet site, have you tried deleting your browser history? (just a wild guess)
Smal is offline   Reply With Quote
Old Sep 25, 2008, 08:37 PM // 20:37   #3
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

I use NOD32, never seen that message before. I would go to Tools > Quarantine and delete the object. It looks like it's blocking access to that website, although I always get messages in the web browser that the site is blocked, not as a pop-up from the system tray. Looks like something is trying to download a worm and NOD32 is doing its job. I would run a few anti-spyware applications to find out what. NOD32 does a good job with viruses but is pretty much useless for spyware.

Last edited by fusa; Sep 25, 2008 at 08:42 PM // 20:42..
fusa is offline   Reply With Quote
Old Sep 25, 2008, 09:49 PM // 21:49   #4
Wilds Pathfinder
 
Sir Seifus Halbred's Avatar
 
Join Date: Oct 2006
Default

Quote:
Originally Posted by fusa View Post
I use NOD32, never seen that message before. I would go to Tools > Quarantine and delete the object. It looks like it's blocking access to that website, although I always get messages in the web browser that the site is blocked, not as a pop-up from the system tray. Looks like something is trying to download a worm and NOD32 is doing its job. I would run a few anti-spyware applications to find out what. NOD32 does a good job with viruses but is pretty much useless for spyware.
Ah, "Tools" is only shown under advanced mode, just figured that out. I had it on standard. Hmm, I don't even recall the site, only the "/youtube".

Are you sure it's safe to delete the object under "quarantine?" I also see some other files under there.

Thanks for the help.
Sir Seifus Halbred is offline   Reply With Quote
Old Sep 25, 2008, 10:54 PM // 22:54   #5
Banned
 
Lyynyyrd's Avatar
 
Join Date: Jun 2008
Location: Aussie Trolling Crew - Spah!
Default

Quote:
Originally Posted by Sir Seifus Halbred View Post
Ah, "Tools" is only shown under advanced mode, just figured that out. I had it on standard. Hmm, I don't even recall the site, only the "/youtube".

Are you sure it's safe to delete the object under "quarantine?" I also see some other files under there.

Thanks for the help.
bnsetup......

Can you find out the entire link? "Setup" suggests that it may be a download for an infected .exe or something like that.
Lyynyyrd is offline   Reply With Quote
Old Sep 25, 2008, 11:14 PM // 23:14   #6
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

Yes, it's safe to delete anything in quarantine; they're completely inaccessible to you anyway, unless you tell NOD32 to restore them. If you see something there that you know is a false positive then restore it, else delete. Not sure which firewall you have; if you don't have Comodo or a decent one, get one. But probably the most important thing to do is run antispyware soon, especially since NOD32 isn't picking it up. There are free versions of Malwarebytes' Anti-Malware & RogueRemover, Ad-Aware 2008, SUPERAntiSpyware, Spybot Search and Destroy, and SpywareBlaster. Unfortunately there isn't one good antispyware app, so it might take 2-3 to find what it is that's trying to download bnsetup18...
fusa is offline   Reply With Quote
Old Sep 25, 2008, 11:25 PM // 23:25   #7
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

http://vil.nai.com/vil/content/v_148955.htm Also read this and see if you find any of the files mentioned. If you do, delete them in safe mode. Also search the registry using regedit and remove the registry keys mentioned. And go to c:\windows\system32\drivers\etc, open hosts in Notepad and remove the sites mentioned. Also, if you see any others that seem suspicious, remove them.

Good entry for hosts (blocks access to bad sites by redirecting access to yourself):
127.0.0.1 localhost #needed as first entry
127.0.0.1 www.virusrus.com
0.0.0.0 www.spyonyou.com

Bad entry (reroutes an attempt to use www.google.com to another site, most likely not wanted):
67.43.2.45 www.google.com

There's some good apps to use to manage hosts file, but this will be deleted if I say anything more...

Last edited by fusa; Sep 25, 2008 at 11:28 PM // 23:28..
fusa is offline   Reply With Quote
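An added example (not code from any poster in this thread) that automates the hosts-file check fusa describes: parse a Windows hosts file and separate sinkhole entries (127.0.0.1 / 0.0.0.0, the "good entry" style) from entries that reroute a site to a routable address (the "bad entry" style). The sample hosts text, the `update.example-av.invalid` host and the `PROTECTED_HOSTS` list are constructed for the demo.

```python
import ipaddress

# Constructed sample hosts file: the good/bad entries from the post, plus one
# extra line that sinkholes an (invented) antivirus update host and one junk line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost   #needed as first entry
127.0.0.1       www.virusrus.com
0.0.0.0         www.spyonyou.com
67.43.2.45      www.google.com
127.0.0.1       update.example-av.invalid   # constructed: an AV update host
this is not a hosts line
"""

# Assumption: the technician lists hosts that must stay reachable (e.g. the update
# servers of the installed antivirus). Sinkholing one of these is the "cut off the
# AV" pattern, not ad or malware blocking.
PROTECTED_HOSTS = {"update.example-av.invalid"}


def parse_hosts(text):
    """Return [(ip, [names])] for each valid entry; comments and junk lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # first field is not an IP: ignore
        if len(fields) > 1:
            entries.append((fields[0], fields[1:]))
    return entries


def classify(ip, name):
    """Label one name -> ip mapping.

    localhost : the required first entry
    sinkhole  : loopback or 0.0.0.0, i.e. the post's "good entry" blocking style
    av_block  : sinkhole aimed at a host you rely on (malware cutting off updates)
    redirect  : a routable address, i.e. the post's "bad entry" rerouting a site
    """
    addr = ipaddress.ip_address(ip)
    if addr.is_loopback or addr.is_unspecified:
        if name == "localhost":
            return "localhost"
        return "av_block" if name in PROTECTED_HOSTS else "sinkhole"
    return "redirect"


def audit_hosts(text):
    """Group every mapping by label so a technician sees what needs removing."""
    report = {"localhost": [], "sinkhole": [], "av_block": [], "redirect": []}
    for ip, names in parse_hosts(text):
        for name in names:
            report[classify(ip, name)].append((name, ip))
    return report


if __name__ == "__main__":
    for label, items in audit_hosts(SAMPLE_HOSTS).items():
        print(label, items)
```

On a real machine, read `c:\windows\system32\drivers\etc\hosts` into `audit_hosts` and review the `redirect` and `av_block` groups first; `sinkhole` entries are only a problem if you did not add them yourself.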
Old Sep 25, 2008, 11:43 PM // 23:43   #8
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

You are not supposed to use the Hosts file to block websites.
Tarun is offline   Reply With Quote
Old Sep 25, 2008, 11:52 PM // 23:52   #9
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

Why not? If it's directing to 127.0.0.1 or 0.0.0.0 and you don't have malware running as a webserver, it's a good way to block bad sites, pornography, etc. Unless you use a PAC file, which also does the same thing. Unless you mean it's against Guru rules, then tough shit, I'm not compromising security to view your ads.
fusa is offline   Reply With Quote
Old Sep 25, 2008, 11:59 PM // 23:59   #10
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

This is taken directly from my wiki article.


What is the Hosts file?
The Hosts file is used to look up the Internet Protocol address of a device connected to a computer network. The Hosts file describes a many-to-one mapping of device names to IP addresses. When accessing a device by name, the networking system will attempt to locate the name within the Hosts file if it exists. Typically, this is used as a first means of locating the address of a system, before accessing the Internet domain name system. The reason for this is that the Hosts file is stored on the computer itself and does not require any network access to be used, whereas DNS requires access to an external system, which is typically slower.
What should the Hosts file be used for?
The Hosts file should only be used for redirecting a website or a new IP address. This generally happens if your favorite website has relocated to a new host or their IP has changed. It sometimes takes a few days to update your DNS cache and sometimes it's also up to your ISP to refresh this information on their local cache.
What do you not use the Hosts file for?
Under no circumstance should you ever use your Hosts file to block malware or advertisements. It is not designed to be used in this manner despite what many websites falsely report. Coincidentally those sites also offer their own malware and ad-blocking Hosts files. Some websites will also recommend disabling the DNS Client service or setting it to Manual. By default it is set to Automatic and should not be changed.
Quote:
Originally Posted by MSKB 31880
Note: The overall performance of the client computer decreases and the network traffic for DNS queries increases if the DNS resolver cache is deactivated.

The DNS Client service optimizes the performance of DNS name resolution by storing previously resolved names in memory. If the DNS Client service is turned off, the computer can still resolve DNS names by using the network's DNS servers.

When the Windows resolver receives a positive or negative response to a query, it adds that positive or negative response to its cache, and as a result, creates a DNS resource record. The resolver always checks the cache before querying any DNS server. If a DNS resource record is in the cache, the resolver uses the record from the cache instead of querying a server. This behavior expedites queries and decreases network traffic for DNS queries.

You can use the Ipconfig tool to view and to flush the DNS resolver cache. To view the DNS resolver cache, type ipconfig /displaydns at a command prompt. Ipconfig displays the contents of the DNS resolver cache, including the DNS resource records that are preloaded from the Hosts file and any recently queried names that were resolved by the system. After a certain time period, the resolver discards the record from the cache. The time period is specified in the Time to Live (TTL) associated with the DNS resource record. You can also flush the cache manually. After you flush the cache, the computer must query DNS servers again for any DNS resource records previously resolved by the computer. To delete the entries in the DNS resolver cache, type ipconfig /flushdns at a command prompt.
This segment from the MSKB is why users should not alter their services unless under direct instruction from a technician.

Last edited by Tarun; Sep 26, 2008 at 12:03 AM // 00:03..
Tarun is offline   Reply With Quote
Old Sep 26, 2008, 12:19 AM // 00:19   #11
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

So? I increase traffic for my DNS server and the net. People using Usenet or torrents take up more bandwidth than repeated DNS queries. The slowdown from not caching locally isn't noticeable. The article you referred to just explains how to disable client-side DNS; it doesn't say this is a dangerous method at all. Referencing your own wiki as a source is ridiculous; try that in a college class and you're sure to get an F. Also some of the software you recommend adds entries to hosts files to block access to bad sites, Spybot S&D for one; I've also seen Malwarebytes' RogueRemover recommended here, which adds entries to the hosts file. Using the hosts file isn't a method to block spyware in itself, but I don't see it being bad as long as your source is a trusted one. PAC files can be used also, but most people aren't going to know how to edit one to remove a false positive.

Anyway, I was explaining how to remove the entries of the trojan the OP said was detected, not how to block web sites. The trojan adds entries to the hosts file, so I told him what to look for.

Last edited by fusa; Sep 26, 2008 at 12:44 AM // 00:44..
fusa is offline   Reply With Quote
Old Sep 26, 2008, 12:41 AM // 00:41   #12
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

The slowdown is noticeable in two ways.

One: Using the Hosts file with excessive entries. Every time you open your browser or even start Windows it has to load and parse every line inside the Hosts file. Windows uses the IECore so even Windows Explorer has to deal with all those entries.
Two: Disabling the DNS Client service. By disabling this service you no longer keep a local cache of your favorite and frequently visited websites. So your browser has to refer to the Hosts file. Oh but look, nothing in there except blocked sites. So after checking these two places it now has to go to your ISP's DNS and get the IP for the domain name.

Both of these cause much more work than you know. Every time you visit a website you're forcing your computer to access the ISP's DNS. Now this isn't just for first visit, it's for every single visit! That is a degrade in performance, increasing network activity in a very unnecessary manner as well.

On top of that, malware can quite easily compromise the Hosts file and alter it completely. It's safer to use SpywareBlaster, IESpyAds and other items which use the proper methods for blocking websites that are malicious. Even Spybot S&D's Immunize works well.

Flat out: It's just not a good idea, at all.


Sir Seifus Halbred:
It looks like your NOD32 took care of the problem. It also looks like a website tried to pose as YouTube and wanted you to download some "codecs" that are actually malware.

What site are you encountering this issue on?

Last edited by Tarun; Sep 26, 2008 at 12:47 AM // 00:47..
Tarun is offline   Reply With Quote
Old Sep 26, 2008, 01:00 AM // 01:00   #13
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

I installed a 130,000-entry hosts file on a P4 1.8 GHz computer with 768 MB of RAM, and there's no slowdown. There's another computer here that is slightly faster with a 300,000-entry hosts file that also isn't affected. The slowdown from using your ISP's host is extremely minimal. Even if it's a second or two, it's worth it to be sure a site you're visiting isn't a bad site.

Malware can change your hosts file entries whether or not you are using it to block sites.
BTW, Spybot S&D uses the hosts file to block sites also....
fusa is offline   Reply With Quote
Old Sep 26, 2008, 08:34 PM // 20:34   #14
Wilds Pathfinder
 
Sir Seifus Halbred's Avatar
 
Join Date: Oct 2006
Default

Quote:
Originally Posted by Tarun View Post


Sir Seifus Halbred:
It looks like your NOD32 took care of the problem. It also looks like a website tried to pose as YouTube and wanted you to download some "codecs" that are actually malware.

What site are you encountering this issue on?
So I shouldn't need to worry then? If it took care of the problem why do I get this message every time I log on then?

What site am I encountering this issue on? I don't know what you mean. That image I posted is from NOD32, not from a website.


Oh and by the way I took fusa's advice and ran Spybot, it found nothing so I tried running Ad Aware 2008 but this happened...

So I opened Ad-Aware 2008 (Free Version) today and decided to run an update. During the update Ad-Aware 2008 closed and I got the Windows error message about how the program had an unexpected error and whether to send the report or not.

Now I can't even run Ad-Aware 2008? It won't open, or it is open but I can't see it?

I got this message when I clicked on the desktop shortcut.

I got this message when I clicked on the "Ad Watch" desktop shortcut.

Last edited by Sir Seifus Halbred; Sep 26, 2008 at 08:57 PM // 20:57..
Sir Seifus Halbred is offline   Reply With Quote
Old Sep 26, 2008, 09:30 PM // 21:30   #15
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

Open Task Manager and close any program that might be Ad-Aware. I haven't used that in a few months so I'm not very familiar with the names of the applications in Task Manager. Then try to run Ad-Aware; if that doesn't work, try rebooting.

Did you try this? http://vil.nai.com/vil/content/v_148955.htm It shows how to get rid of the Koobface worm, although you might have more than one infestation.

Also try the others I mentioned too; they are all free unless you want scheduling etc.
fusa is offline   Reply With Quote
Old Sep 26, 2008, 10:04 PM // 22:04   #16
Wilds Pathfinder
 
Sir Seifus Halbred's Avatar
 
Join Date: Oct 2006
Default

Quote:
Originally Posted by fusa View Post
Open Task Manager and close any program that might be Ad-Aware. I haven't used that in a few months so I'm not very familiar with the names of the applications in Task Manager. Then try to run Ad-Aware; if that doesn't work, try rebooting.
None of that worked. There was nothing on the Applications tab so I had to find it in the Processes tab.

Quote:
Originally Posted by fusa View Post

Did you try this? http://vil.nai.com/vil/content/v_148955.htm It shows how to get rid of the Koobface worm, although you might have more than one infestation.

Also try the others I mentioned too; they are all free unless you want scheduling etc.
No, I didn't try any of those. I thought too many adware programs are bad and conflict with each other?

I like ad aware (well did until now) and spybot.

Last edited by Sir Seifus Halbred; Sep 26, 2008 at 10:08 PM // 22:08..
Sir Seifus Halbred is offline   Reply With Quote
Old Sep 26, 2008, 10:22 PM // 22:22   #17
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

You said,
Quote:
Originally Posted by Sir Seifus Halbred View Post
Just curious if anyone has NOD32 anti-virus because-I got this message around yesterday when I logged on my account, and every time I log on.
So I figured you were getting it when you logged into a website; as such, I asked which one. You say you're encountering it when you log on. What are you logging on to that causes this problem?

Ad-Aware was good until the 2007 series. With all the things that used to be standard that they now want people to pay for they have effectively crippled the application. Spybot is good at detecting traces that some programs like SUPERAntiSpyware and Malwarebytes Anti-Malware miss. The best part of Spybot is the Immunization feature though.

If you're concerned about infections, then please download my Anti-Malware Toolkit and get the Professional package. You can then follow the wiki guide to clean up your computer.

It would be wise to run the scans and post a HijackThis log. Wait for myself or someone else from the Technician group to assist you further in order to prevent any potential confusion.
Tarun is offline   Reply With Quote
Old Sep 26, 2008, 10:22 PM // 22:22   #18
Krytan Explorer
 
fusa's Avatar
 
Join Date: Mar 2007
Default

I have all the ones I listed installed, and have had no conflicts. I don't like rogue remover too much. Also I uninstalled adaware when it refused to update, wouldn't connect to the update site. But not as bad as the problems you are having. You can only have one AV installed at a time so don't try that, nod32 is enough.
fusa is offline   Reply With Quote
Old Sep 26, 2008, 10:37 PM // 22:37   #19
Wilds Pathfinder
 
Sir Seifus Halbred's Avatar
 
Join Date: Oct 2006
Default

Quote:
Originally Posted by Tarun View Post
You said,

So I figured you were getting it when you logged into a website; as such, I asked which one. You say you're encountering it when you log on. What are you logging on to that causes this problem?
Log on to my computer account. You know, the Windows main screen? (The log-in screen: you click your name, enter your password and log in.)


Quote:
Originally Posted by Tarun View Post
Ad-Aware was good until the 2007 series. With all the things that used to be standard that they now want people to pay for they have effectively crippled the application. Spybot is good at detecting traces that some programs like SUPERAntiSpyware and Malwarebytes Anti-Malware miss. The best part of Spybot is the Immunization feature though.

If you're concerned about infections, then please download my Anti-Malware Toolkit and get the Professional package. You can then follow the wiki guide to clean up your computer.

It would be wise to run the scans and post a HijackThis log. Wait for myself or someone else from the Technician group to assist you further in order to prevent any potential confusion.
Oh god, the thought of posting a HijackThis log sends me chills. I followed that advice on a PC forum from a PC analyst expert and it didn't help.

He made me run HijackThis for an issue I was having that had nothing to do with malware, viruses, etc. And the other times I did need to run HijackThis it was a looong and extremely frustrating process.

Especially since I share this computer and I can't just leave it on. I had to basically sit on my computer for hours waiting for him to reply. He'd tell me to do the steps for hijack this then leave and not come back for 2 days.

I'm not having any serious issues, or any issues at all; I'm just curious what that message means. If it isn't serious and NOD32 is doing its job then it's fine. Just curious why the message shows every time I log onto my account.

Regarding Ad Aware 2008:

P.S. So does anyone know about the Ad-Aware issue? I think I'm just going to uninstall it. However, will I be notified if it turns out it is still running when I attempt to uninstall it? I hear whenever you want to uninstall something it should NOT be running.

Last edited by Sir Seifus Halbred; Sep 26, 2008 at 10:41 PM // 22:41..
Sir Seifus Halbred is offline   Reply With Quote
Old Sep 26, 2008, 10:47 PM // 22:47   #20
Technician's Corner Moderator
 
Tarun's Avatar
 
Join Date: Jan 2006
Location: The TARDIS
Guild: http://www.lunarsoft.net/ http://forums.lunarsoft.net/
Default

Well I'm not going to leave you waiting for days.

I removed your screenshot of the NOD result because that did show the link to malware. I'm going to drop it into a VM and see how it reacts.
Tarun is offline   Reply With Quote