Finally, I started my LAN PCs in safe mode and NOD32 found the following:

MEDBOT IE Win 32 trojan
MEDBOT HZ Win 32 trojan
MEDBOT HR Win 32 trojan

This trojan keeps creating the files autorun.inf and setup.exe in my shared folders, and this way it was transmitted to all the LAN computers. NOD32 does delete the MEDBOT-infected setup file in the shared folder, but I have to manually delete the autorun.inf file. I do not know what to do from now on because it seems it is an extended trojan problem, but the question is who or where are these files created. Any idea?

Thor Hedderich
Re: Medbot.BD trojan again

Hello TEETH!

Make sure your definitions are up to date by pressing Control Center -> Update -> Update now. Make sure your settings are the same as this tutorial. If you have problems deleting them in Normal mode, boot in Safe Mode and then perform a full scan there. Open the NOD32 on-demand scanner from Start -> Programs -> ESET -> NOD32, make sure you use the Control Center profile and perform a full Scan & Clean over your hard drives. NOD32 will take care of these threats. If they are in System Restore too, you'll have to flush it to remove Medbot from there. You must also perform a scan on all computers in your LAN. If you continue having problems, contact ESET Technical Support and provide them with a log file of HijackThis and MS AutoRuns.
Autorun.inf is not detected as it's just a pure text file. Are these files created even with the computer unplugged from the network?
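As an added illustration of the point above (not part of the thread, and not ESET's code): because autorun.inf is plain text, a short Python script can list every autorun.inf under a shared folder and show which program it would launch. The `open=setup.exe` content and all function names are assumptions; the thread does not show the file's contents.

```python
import os
import tempfile

# [autorun] keys that start a program when the volume is opened.
LAUNCH_KEYS = ("open", "shellexecute")

def parse_autorun(text):
    """Return (key, command) pairs from the [autorun] section that launch a program."""
    launches, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # shell\<verb>\command adds a context-menu entry that also runs a program
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value))
    return launches

def scan_share(root):
    """Report every autorun.inf under root and whether its target file sits beside it."""
    findings = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            with open(os.path.join(folder, name), errors="replace") as fh:
                launches = parse_autorun(fh.read())
            present = {f.lower() for f in files}
            for key, command in launches:
                # Simplification: the program is the first token of the command
                target = command.split()[0].strip('"').lower() if command.strip() else ""
                findings.append((os.path.join(folder, name), key, command, target in present))
    return findings

def demo():
    """Build a constructed share folder matching the thread and scan it."""
    with tempfile.TemporaryDirectory() as share:
        with open(os.path.join(share, "autorun.inf"), "w") as fh:
            fh.write("[AutoRun]\nopen=setup.exe\nicon=setup.exe,0\n")  # constructed sample
        open(os.path.join(share, "setup.exe"), "wb").close()  # empty placeholder file
        return [(key, cmd, present) for _path, key, cmd, present in scan_share(share)]
```

Running `scan_share` on the real shared folder from each PC shows whether an autorun.inf has been written again and which file it points at.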
I have not tried that. I have three PCs connected in my LAN, Windows XP Pro on all, and the "shared" folder is shared. Of them all, the laptop does not get infected but the other two do. I tried McAfee, disabled the restore and finally started the infected PCs in safe mode. When I started both again in safe mode the setup.exe file was in the quarantine folder on both computers; today, Sunday, they have not appeared again. I am just waiting to see if this critter reappears. What I do remember (I think) was that I deactivated the shared folder and both files did not appear, but when I activated the shared folder again they did. Three months fighting and Medbot is still winning. I tried BitDefender, Norton, McAfee, and finally I am with NOD32, which does delete the setup file but not the autorun.inf. Thanks, and I will wait for your advice.

Thor Hedderich
Re: Medbot.BD trojan again

Well, I am still waiting to see if the vicious files appear again. I am prepared with Hijack, Autoruns and Look into my PC for that moment; meanwhile I am getting all the information required. Another question: if there is a dropper in the registry, does NOD32 also clean it? Thanks again to all.

Thor Hedderich
If it comes back you could trial Trojan Remover for 30 days (Medbot is in its database); http://www.simplysup.com/tremover/details.html I have this program but have never had to use its removal feature because I haven't got infected (yet). I imagine it would be reasonably safe to use as long as you have a good restore point!
Gone. What McAfee, Norton, Bitdefender and AVG could not do, NOD32 did. I confess I was really afraid of going into safe mode, but everything went OK and since yesterday I have not seen these critters appear again. Thanks to all the guys that helped me deal with this MEDBOT trojan, and especially to Blackspear. Two days "clean" and running.

Regards,
Thor Hedderich