WinMX-NapMX users please read!
Results 1 to 11 of 11

Thread: WinMX-NapMX users please read!

  1. #1
    Join Date
    Aug 2001
    Location
    Keizer,Orygun USofA
    Posts
    10,636

    WinMX-NapMX users please read!

    OK,,here's the deal. I have recommended in other forums here in the past to use NapMX for access to opennap servers when using WinMX. I now have to retract that recommendation. If you have NapMX installed on your PC, uninstall it now!!

    Here's why,,My second,networked PC sometimes gets neglected because i usually just use it to store and transfer files. I had not updated eTrust AV on it to the latest version until i happened to think about it today. I did a complete uninstall of the old version to be safe. When i installed the new version,i let it set itself to defaults. It then autoupdates the sig file and runs a scan. When it ran the scan,it found "2" instances of Win32.Agobot.C . This is a "dropper". Both instances were found in "napmx300b2.exe" This is the install file for NapMX. NapMX is now long gone from both my 'puters and will never be allowed back! Oh yeah,,for confirmation, eTrust also found 1 instance of this nasty on my main computer and in the same location.

    Very sorry now that i recommended this plugin before. I have,however,found a replacement for NapMX that does not contain nasties. That would be "NapTrack" and can be found at:
    http://www.xcubed.co.uk/naptrack/index.php

    Kell~~~~
    Stupid question? No such thing!
    Virtual Dr. to the rescue!
    Just ask. Bookmark your post for easy reference.
    ==================================

  2. #2
    Join Date
    Sep 2002
    Location
    Alabama, USA
    Posts
    146

    Question

    I'm still using 5.4 and it found the same thing on my computer today in the old NAPmx install file that I had never deleted. It alarmed when I tried to open the folder to open a file (startled the ---- outta me too), would not let me right click on the file and examine it (properties, etc.) and would not let me access the file at all. I finally had to open EZ AV, scan the folder, then let EZ AV delete the file - it gave me no other options. That "trojan" or whatever was apparantly incorporated as a "nasty" in this mornings (or yesterday morning's) Virus Sig. update file.

    I found it (Win32.Agobot.C) listed under Google but no info was available about it....


  3. #3
    Daizy is offline Virtual PC Specialist!!!
    Join Date
    May 2001
    Location
    Edmonton, Alberta, Canada
    Posts
    2,987
    Hi Le boule
    Does this help?

    Daizy
    Hope this helps.

  4. #4
    Join Date
    Aug 2001
    Location
    Keizer,Orygun USofA
    Posts
    10,636
    Yep,,must be a new version of Win32 nasties..Found a lot of the Win32's on eTrust's library site,but not the Agobot.C version. Guess that's why it wasn't detected before on my main machine. Must have just been added to the sigs.

    Just another reason to have a decent AV prog and to update/run it regularly...

    Glad to hear you found it and got rid of it too. And,,as you said, eTrust was adamant on not letting me open the file and deleted it straightaway...
    Stupid question? No such thing!
    Virtual Dr. to the rescue!
    Just ask. Bookmark your post for easy reference.
    ==================================

  5. #5
    Join Date
    Aug 2001
    Location
    Keizer,Orygun USofA
    Posts
    10,636
    Thanks Daizy,,Went over to Trend and ran housecall to be on the safe side,but didn't think to look for a page on it.
    Stupid question? No such thing!
    Virtual Dr. to the rescue!
    Just ask. Bookmark your post for easy reference.
    ==================================

  6. #6
    Join Date
    Sep 2002
    Location
    Alabama, USA
    Posts
    146
    Daizy,

    Never thought about searching TREND. After reading info you directed me to, I've checked and did not find anything in registry or start-up menu to indicate "Agobot" had been active...I have ZA 2.6 and don't recall anything occuring that indicated "Agobot" had activated and tried to make an outgoing connection so I guess it was dormant.

    This was a strange "alert" by EZ AV (on an old file) but since it was a file I should have already removed anyway I'm satisfied with the outcome.

    Thanks...




  7. #7
    Daizy is offline Virtual PC Specialist!!!
    Join Date
    May 2001
    Location
    Edmonton, Alberta, Canada
    Posts
    2,987
    Hi again Le Boule
    Glad you found the info useful. If ever in doubt, you can always play it safe and do an online scan at housecall as well?

    Daizy
    Hope this helps.

  8. #8
    Join Date
    Apr 2000
    Location
    Rock Hill, SC, USA
    Posts
    353
    Rr - Kind of interesting (in a FP, kind of way) that it just showed up in the virus defs.

    Did you by chance submit the file to any of the other AV vendors for analysis?

    http://kaspersky.com/remoteviruschk.html is good for stuff like that. You might want to keep it in mind for the next time this happens.

    Since I'm using NOD32, I've removed all other "back-up" AV's - if I get a "hit" on something from NOD, I'd first check it out with Kaspersky's site before taking any action. Pete
    Compaq Presario 7110US, 1.3GHz ThunderBird, 1GB RAM, 160GB HD, WinXP Pro w/SP2, TDS-3, WormGuard, Port Explorer v2.0, Process Guard v.3.150, The Cleaner Pro v.4.1 b.4252, TrojanHunter v.4.2 b.908, NOD32, XP ICF, ALL javacool programs, SBS&D, SPYCOP, Opera v.8.0 Build 7561, FireFox v1.0.4, ShadowUser v.2.5, SpyBlocker v8.7, RegDefend v1.300

  9. #9
    Join Date
    Sep 2002
    Location
    Alabama, USA
    Posts
    146

    Question

    Daizy & Pete,

    I use Housecall about once a month and used it less than ten days ago after I accidentally tried to open a message containing Win.magistr.29188;etrust warned me and I deleted the message but still did a HOUSECALL as a precaution...I got DSL and it takes just a few minutes to do it so I check behind etrust periodically...no alarm ref Agobot at that time from Trend....

    I did not send the file to anybody for review cause I couldn't....for some reason etrust took away my options when it said Agobot was in the Mapmx file and it would not let me access the file to see anything about it - could not open file with right click even (see my first post); the only thing it would allow me to do was open EZ Anti-virus, scan the folder containing the file and the etrust advised it the file had been deleted - sure enough, it was gone to never, never land.

    Tis a bit confusing that yesterday etrust (EZ AV) found it in an old Napmx install file but Trend and etrust (EZ AV) had not found it before;according to a Google search that virus/trojan/dropper or whatever was added to the Computer Associates virus update files on March 31, 2003.

    I'm like Ridge....was strange the way it found and handled the "offender" but EZ AV made sure I wasn't gonna screw up and do something with the file that might cause a problem;as I've said before, sometimes EZ AV is almost idiot proof (to the extreme) but I guess that's better than letting me download a "nasty."

    I wish those folks that send out viruses had a idiot proof anti-virus program....

  10. #10
    Join Date
    Jul 2001
    Location
    NY USA
    Posts
    1,010
    Hi LeBoule,
    I wonder if in EZ Trust's configuration, you have "report and deny access" for an uncleanable file. I have "report only" in case a system file was infected.
    I used the Panda online scanner once and it put files in my C\Windows\System area. Whenever I scan with EZ Trust it reports three dropper files as infected and uncleanable:

    "Number of infections: 3
    Number of infected files not cleaned/deleted/renamed: 3
    C:\WINDOWS\SYSTEM\ActiveScan\pav.sig (Win32.Thorin.11932 dropper)
    C:\WINDOWS\SYSTEM\ActiveScan\imscan.dll (Win32.Maya.4108/4113 dropper)
    C:\WINDOWS\SYSTEM\pav.sig (Win32.Thorin.11932 dropper)"

    These are Panda files and EZTrust told me since they're not encrypted they're coming up infected and are false/positive.

    I'm glad you and Ridge got rid of the files in any event. But since nothing showed up in the registry I'm wondering if it could be a false/positive.

    Sincerely, Nancee

  11. #11
    Join Date
    Sep 2002
    Location
    Alabama, USA
    Posts
    146

    Cool False-Positive Pandas

    Panda Online Scan leaves some remnants in your computer as you stated in your post. I'm not concerned about those remnants being in my PC - don't think it's indicative of a problem.

    I've used it before and so has Allyn. Both of us have since seen those same "false-positive" readings when using EZ AV in the "full scan" mode.

    I use the "Report and Deny Access" setting for uncleanable files. That way if I screw up and try to open a file that EZ AV says is infected, EZ AV will not let me open it. It also will not let my stepdaughter or her best friend or my bride or anybody else using my computer open an infected file if you get my drift. EZ AV is almost idiot proof and I consider myself one of the idiots.

    Last edited by Le Boule; April 17th, 2003 at 11:51 PM.

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •