Mebroot trojan in operational memory (Not in MBR)


chanakya
July 20th, 2008, 04:52 AM
Hi,
My computer has been under severe virus attack. Worms/trojans in the hundreds have been cleaned, thanks to NOD32.
However one problem (or possibly 2) remains:

Scanning of the operating memory gives the following message from NOD32:

Operating memory - Win32/Mebroot trojan - unable to clean.
I am running on a very old PC, with Win XP Pro. 384 MB RAM (Yes...)

Having read other threads here on the Mebroot trojan, it seems that this strain is different, as the previously mentioned cases on this forum refer to the virus being present on the physical disk (MBR sector).

Additionally, my screen saver has been hijacked, and now displays a fake Windows reboot session, combined with a Windows blue screen (although I have disabled the screen saver altogether). NOD32 did not detect this.

Any help in this matter would be greatly appreciated.

Thanks

Kosak
July 20th, 2008, 06:30 AM
Hello,

Perform a scan in Safe Mode -> run egui.exe and a window offering to scan the PC will appear -> click "Yes".

A log from SysInspector (http://www.eset.com/download/sysinspector.php) should tell more information.

chanakya
July 20th, 2008, 01:20 PM
Thanks for the suggestion.
It seems that the SysInspector program has helped me clean the registry and thus remove the fake screen saver.
But the Mebroot trojan lives on!
The scan in Safe Mode does not reveal any attempts at removing the Mebroot trojan.

Any other suggestions, please?

Kosak
July 20th, 2008, 01:29 PM
Send me the log from SysInspector. It can show the startup objects, drivers and services of the malware.

chanakya
July 20th, 2008, 03:12 PM
Hi,
I have attached the log from SysInspector.

regards

chanakya
July 20th, 2008, 03:16 PM
I had to rename the zip file to .txt in order to get the attachment done.
Please rename it to .zip before unpacking.

Thanks

~removed sysinspector.txt file attachment....Bubba~

Bubba
July 20th, 2008, 03:25 PM
Hello chanakya,

You may not be aware, but posting of logs, whether they be SysInspector logs, HijackThis logs or other similar logs, is not allowed unless requested by a Wilders Team Member or, in this case, by an Eset support person.

Quote: "The restriction on posting unsolicited HijackThis logs also applies to unsolicited ASviewer (Autostart Viewer), Spybot S&D, Ad-aware, plus the new generation of Anti-Rootkit detection logs (gmer, rkunhooker, etc.) and other similar product logs."

I'll do what I can to bring this support issue to Eset's attention.

chanakya
July 20th, 2008, 04:06 PM
Hi Bubba,

I was not aware of that. I apologize for the infringement.

Kosak
July 20th, 2008, 04:24 PM
I sent you instructions for cleaning malware. :thumb:

chanakya
July 20th, 2008, 06:05 PM
Hi Kosak,

Thanks. I tried it. I sent the backup file to your email address.
As mentioned in that mail, the trojan persists!
Could it be related to the fact that I have more than one disk in the infected computer?

I have cleaned the hosts file as per your instructions.

(I still haven't checked the individual files on the link you gave me.
I am reluctant to put the infected computer on the internet.
It has been quarantined until now. I am using another one for this communication.)

Kosak
July 20th, 2008, 06:29 PM
It is possible that SysInspector didn't show everything. It's a pity, but I got a PM saying that I cannot advise you. :-\

chanakya
July 20th, 2008, 06:33 PM
I tested the files as you recommended.
Tried to copy the files to a USB key, and dispatch them from another computer.
That computer detected a virus in msdvdr.sys and deleted the file before I was able to upload it for test.
I subsequently deleted it from the infected computer.

The other files were ok.