remove Exploit.CAN.2003-0533


ale

Can anybody help me to remove this trojan?
I updated NOD32 AV and found it.
If I don't update I have no problems.

Thanks a lot!!!
 
ale said:
Can anybody help me to remove this trojan?
I updated NOD32 AV and found it.
If I don't update I have no problems.

Thanks a lot!!!


I can only confirm that the 1.807 definitions are showing one of my
w2k machines to be infected as well. I am trying to track this down...
 
Can anybody help me to remove this trojan?
I updated NOD32 AV and found it.
If I don't update I have no problems.

Thanks a lot!!!


I had this same problem, also with Nod32 and also on July 10th. I
suspect that the infection had occurred earlier and July 10th was just
the date Nod32 learned to recognize it.

I was seriously annoyed at the lack of information on eset's web site and
really po'd that Nod32 could tell me I had a problem but couldn't do
anything about it. Maybe that's normal with trojans and I just don't
know it... this was my first.

What I finally did was to power-off (as opposed to shutdown) my system.
Then I rebooted into safe mode (press F8 while booting) and ran the on-
demand scanner. That found the infected file and set it up to be renamed
on reboot. Then I rebooted into safe mode again to verify that Windows
had replaced the necessary-but-now-renamed file with an uninfected
version. Then, being paranoid I reran the scan on everything as
Administrator in normal mode.

Anyway, it seems to have cleared up the problem.

For what it's worth, I am running win2k. I use PocoMail for mail, never
OE. And I use Mozilla's Firefox for my browser as much as possible.
Unfortunately there are sites that only work with IE and I have no doubt
that's where my problem came from.

<begin rant>

It's bad enough that the Redmond crew gives us shoddy and vulnerable
software, but what benighted fools deliberately develop their web sites
to ONLY work with this shoddy crap? Are they just that stupid? Or just
too lazy to develop good sites? Yes, I know that IE has more than 90% of
the market share but why glorify mediocrity by catering to it?

<end rant><sigh>

su
 
This past Saturday I had two computers infected with the
Exploit.CAN.2003-0533 trojan.

netapi32.dll was the target file in both systems. The first system
was infected in the WINNT/system32 directory, and the other system
was infected in the WINNT/servicepackfiles/i386/ and in one of the
service pack uninstall directories (but not the system32 directory).
I'm not sure how the first system got infected, but I suspect that the
second was infected after doing searches on Google for the trojan name
and then going to a couple of websites.

NOD32 would not clean any of these files, so we had to delete them
where possible. Of course, this was not possible for the netapi32.dll
in the system32 directory since the dll file was in use while the OS
was running.

This system is having many problems as a result...for example, it
cannot connect to the Internet and many programs and services will not
run.

I did not contact NOD32 support because they have always been
unavailable or unhelpful in the past. Does anyone know how to clean
the virus for the netapi32.dll file, other than rebuild the system?

Thanks!
 
sukelis said:
I had this same problem, also with Nod32 and also on July 10th. I
suspect that the infection had occurred earlier and July 10th was just
the date Nod32 learned to recognize it.

I was seriously annoyed at the lack of information on eset's web site and
really po'd that Nod32 could tell me I had a problem but couldn't do
anything about it. Maybe that's normal with trojans and I just don't
know it... this was my first.

What I finally did was to power-off (as opposed to shutdown) my system.
Then I rebooted into safe mode (press F8 while booting) and ran the on-
demand scanner. That found the infected file and set it up to be renamed
on reboot. Then I rebooted into safe mode again to verify that Windows
had replaced the necessary-but-now-renamed file with an uninfected
version. Then, being paranoid I reran the scan on everything as
Administrator in normal mode.

Anyway, it seems to have cleared up the problem.

For what it's worth, I am running win2k. I use PocoMail for mail, never
OE. And I use Mozilla's Firefox for my browser as much as possible.
Unfortunately there are sites that only work with IE and I have no doubt
that's where my problem came from.

<begin rant>

It's bad enough that the Redmond crew gives us shoddy and vulnerable
software, but what benighted fools deliberately develop their web sites
to ONLY work with this shoddy crap? Are they just that stupid? Or just
too lazy to develop good sites? Yes, I know that IE has more than 90% of
the market share but why glorify mediocrity by catering to it?

<end rant><sigh>

su

Thanks for the work-around. Equally ticked about the Eset site. Will
try this out tomorrow evening.

As for the IE rant, I agree. Been on the dev side. Mostly it comes
down to Java/ECMAScript DOM. Netscape/Mozilla/IE all have bastardized
implementations. Royal pain to get all browsers and subsequent
versions to work.
 