Nod32

Guest

I recently had a trojan horse virus in my system32 folder. F-Prot Antivirus
detected it but would not clean it, move it, or delete it. I installed the
trial version of Nod32 and updated to the latest signature files. Nod 32
didn't even detect the trojan horse. It only indicated that there was a
file it couldn't open.

I then installed AVG Antivirus Free Edition and ran a scan. AVG detected
the trojan horse and moved it to the Virus Vault.

Maybe I'm missing something here but it looks as though AVG runs circles
around both F-Prot and Nod32. I'm far from an expert on the subject so if
anyone has relevant information, I'd appreciate it greatly.

Oh, by the way, the trojan horse was identified as winjhe32.dll

-- Mike
 
Duane Arnold

| I recently had a trojan horse virus in my system32 folder. F-Prot
| Antivirus detected it but would not clean it, move it, or delete it. I
| installed the trial version of Nod32 and updated to the latest signature
| files. Nod 32 didn't even detect the trojan horse. It only indicated that
| there was a file it couldn't open.
|
| I then installed AVG Antivirus Free Edition and ran a scan. AVG detected
| the trojan horse and moved it to the Virus Vault.
|
| Maybe I'm missing something here but it looks as though AVG runs circles
| around both F-Prot and Nod32. I'm far from an expert on the subject so if
| anyone has relevant information, I'd appreciate it greatly.
|
| Oh, by the way, the trojan horse was identified as winjhe32.dll

NOD32 does have several options that can be enabled in scanning detection.
When I first used NOD32, it had missed some things and I ran that way for
some time, until I changed its scanning to make it do deeper scans.

NOD32 also has its Deep analysis feature and that takes at least an hour
to run on my laptop. I use that feature on occasion.

Duane :)
 
David H. Lipman

From: <[email protected]>

| I recently had a trojan horse virus in my system32 folder. F-Prot Antivirus
| detected it but would not clean it, move it, or delete it. I installed the
| trial version of Nod32 and updated to the latest signature files. Nod 32
| didn't even detect the trojan horse. It only indicated that there was a
| file it couldn't open.
|
| I then installed AVG Antivirus Free Edition and ran a scan. AVG detected
| the trojan horse and moved it to the Virus Vault.
|
| Maybe I'm missing something here but it looks as though AVG runs circles
| around both F-Prot and Nod32. I'm far from an expert on the subject so if
| anyone has relevant information, I'd appreciate it greatly.
|
| Oh, by the way, the trojan horse was identified as winjhe32.dll
|
| -- Mike
|

Yep...

You missed something alright.

For example what was the fully qualified name and path to the file that was deemed to be
infected and the name both F-Prot and AVG declared to be infected with.
 
David H. Lipman

From: <[email protected]>

| c:\windows\system32\winjhe32.dll (Trojan Horse Generic. YIG.)
|

You are saying that BOTH F-Prot and AVG called "winjhe32.dll" a generic Trojan ?

I am wondering if this is really a heuristic detection or an adware Trojan.

It is also possible that the reason it could not easily be removed is because it is being used
by the Winlogon Notify function.

Is the following in the Registry ? ( NOTE: it may have already been removed )
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winjhe32
 
Guest

Dave:

Yes, both F-Prot and AVG. Like you, I have to wonder if it really is a
Trojan. Nod32 doesn't seem to have an issue with it; but then again Nod32
considers it a locked file. AVG moved the file to the Virus Vault and all
my programs still function normally. I don't know; so I'll have to defer to
your expertise. I did a search on the web for information on the file and
nothing shows up. I have an e-mail in to F-Prot regarding the situations so
maybe they'll have some more info on it. Computers!

Thanks for taking the time to think about it.

-- Mike
 
David H. Lipman

From: <[email protected]>

| Dave:
|
| Yes, both F-Prot and AVG. Like you, I have to wonder if it really is a
| Trojan. Nod32 doesn't seem to have an issue with it; but then again Nod32
| considers it a locked file. AVG moved the file to the Virus Vault and all
| my programs still function normally. I don't know; so I'll have to defer to
| your expertise. I did a search on the web for information on the file and
| nothing shows up. I have an e-mail in to F-Prot regarding the situations so
| maybe they'll have some more info on it. Computers!
|
| Thanks for taking the time to think about it.
|
| -- Mike
|


Mike:

If it is in the vault, extract it and then please submit a sample to Virus Total --
http://www.virustotal.com/flash/index_en.html
The submission will then be tested against many different AV vendors' scanners.
That will give you an idea what it is and who recognizes it. In addition, unless told
otherwise, Virus Total will provide the sample to all participating vendors.

You can also submit a suspect, one at a time, via the following email URL...
mailto:[email protected]?subject=SCAN

When you get the report, please post back the exact results.
 
Guest

Complete scanning result of "winjhe32.dll", received in VirusTotal at
07.24.2006, 02:22:51 (CET).

Antivirus Version Update Result
AntiVir n - no virus found
Authentium n - no virus found
Avast n - no virus found
AVG n - no virus found
BitDefender n - no virus found
CAT-QuickHeal n - no virus found
ClamAV n - no virus found
DrWeb n - no virus found
eTrust-InoculateIT n - no virus found
eTrust-Vet n - no virus found
Ewido n - no virus found
Fortinet n - no virus found
F-Prot n - no virus found
F-Prot4 n - no virus found
Ikarus n - no virus found
Kaspersky n - no virus found
McAfee n - no virus found
Microsoft n - no virus found
NOD32v2 n - no virus found
Norman n - no virus found
Panda n - no virus found
Sophos n - no virus found
Symantec n - no virus found
TheHacker n - no virus found
UNA n - no virus found
VBA32 n - no virus found
VirusBuster n - no virus found


Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
 
David H. Lipman

From: <[email protected]>

< snip >

|
| Aditional Information
| File size: 0 bytes
| MD5: d41d8cd98f00b204e9800998ecf8427e
| SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
|


File size: 0 bytes -- it really wasn't submitted { sigh }
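
The size and digests in the posted report are those of zero bytes of input, so the "no virus found" column says nothing about winjhe32.dll. The following is an added example, not part of the thread: a Python check that reads a report's information block and flags that condition, optionally comparing against the sample on disk. The function names are hypothetical, and the report layout assumed is the one posted above.

```python
import hashlib
import re

# Digests of zero bytes of input, computed rather than hard-coded.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA1 = hashlib.sha1(b"").hexdigest()

def fingerprint(path, chunk=65536):
    """Return (size, md5, sha1) for a local file, read in chunks."""
    md5, sha1, size = hashlib.md5(), hashlib.sha1(), 0
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            size += len(block)
            md5.update(block)
            sha1.update(block)
    return size, md5.hexdigest(), sha1.hexdigest()

def parse_report_info(text):
    """Extract File size / MD5 / SHA1 from a report, quoted ('| ') or not."""
    fields = {}
    for line in text.splitlines():
        line = line.lstrip("| ").strip()
        m = re.match(r"(File size|MD5|SHA1):\s*(\S+)", line, re.I)
        if m:
            fields[m.group(1).lower()] = m.group(2).lower()
    return fields

def report_problems(text, local=None):
    """List reasons the scan result cannot be trusted for this sample."""
    info = parse_report_info(text)
    problems = []
    if info.get("file size") == "0":
        problems.append("scanned file was 0 bytes")
    if info.get("md5") == EMPTY_MD5 or info.get("sha1") == EMPTY_SHA1:
        problems.append("digest is that of empty input")
    if local is not None:
        _size, md5, sha1 = local
        if info.get("md5") != md5 or info.get("sha1") != sha1:
            problems.append("report digests do not match the local sample")
    return problems

# Information block as posted in the thread above.
POSTED = """File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709"""
```

Passing `fingerprint(path)` of the file extracted from the vault as `local` also catches the case where a different file than intended was uploaded.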
 
