Mebroot trojan in operational memory (Not in MBR)

Discussion in 'ESET NOD32 Antivirus' started by chanakya, Jul 20, 2008.

Thread Status:
Not open for further replies.
  1. chanakya (Registered Member; Joined: Jul 20, 2008; Posts: 7; Location: Denmark)

    Hi,
    My computer has been under severe virus attack. Worms/trojans in the hundreds have been cleaned, thanks to NOD32.
    However, one problem (or possibly 2) remains:

    Scanning of the operating memory gives the following message from NOD32:

    Operating memory - Win32/Mebroot trojan - unable to clean.

    I am running on a very old PC, with WIN XP Pro, 384 MB RAM (yes...).

    Having read other threads here on the Mebroot trojan, it seems that this strain is different, as the previously mentioned cases on this forum refer to the virus being present on the physical disk (MBR sector).

    Additionally, my screen saver has been hijacked, and now displays a fake Windows reboot session, combined with a Windows blue screen (although I have disabled the screen saver altogether). NOD32 did not detect this.

    Any help in this matter would be greatly appreciated.

    Thanks
     
  2. Kosak (Registered Member; Joined: Jul 25, 2007; Posts: 711; Location: Slovakia)

    Hello,

    Perform a scan in safe mode -> run egui.exe and a window offering to scan the PC will appear -> click "Yes".

    A log from SysInspector should tell us more.
     
  3. chanakya (Registered Member; Joined: Jul 20, 2008; Posts: 7; Location: Denmark)

    Thanks for the suggestion.
    It seems that the SysInspector program has helped me clean the registry and thus remove the fake screen saver.
    But the Mebroot trojan lives on!
    The scan in safe mode does not reveal any attempts at removing the Mebroot trojan.

    Any other suggestions, please?
     
  4. Kosak (Registered Member; Joined: Jul 25, 2007; Posts: 711; Location: Slovakia)

    Send me the log from SysInspector. It can show the malware's startup objects, drivers and services.
     
  5. chanakya (Registered Member; Joined: Jul 20, 2008; Posts: 7; Location: Denmark)

    Hi,
    I have attached the log from SysInspector.

    Regards
     
  6. chanakya (Registered Member; Joined: Jul 20, 2008; Posts: 7; Location: Denmark)

    I had to rename the zip file to .txt in order to get the attachment done.
    Please rename it to .zip before unpacking.

    Thanks

    ~removed sysinspector.txt file attachment....Bubba~
     
  7. Bubba (Updates Team; Joined: Apr 15, 2002; Posts: 11,271)

    Hello chanakya,

    You may not be aware, but posting logs, whether they be SysInspector logs, HijackThis logs or other similar logs, is not allowed unless requested by a Wilders Team Member or, in this case, by an Eset support person.
    I'll do what I can to bring this support issue to Eset's attention.
     
  8. chanakya (Registered Member; Joined: Jul 20, 2008; Posts: 7; Location: Denmark)

    Hi Bubba,

    I was not aware of that. I apologize for the infringement.
     
  9. Kosak (Registered Member; Joined: Jul 25, 2007; Posts: 711; Location: Slovakia)

    I sent you instructions for cleaning the malware. :thumb:
     
  10. chanakya (Registered Member; Joined: Jul 20, 2008; Posts: 7; Location: Denmark)

    Hi Kosak,

    Thanks. I tried it. I sent the backup file to your email address.
    As mentioned in that mail, the trojan persists!
    Could it be related to the fact that I have more than one disk in the infected computer?

    I have cleaned the hosts file as per your instructions.

    (I still haven't checked the individual files on the link you gave me.
    I am reluctant to put the infected computer on the internet.
    It has been quarantined until now. I am using another one for this communication.)
     
  11. Kosak (Registered Member; Joined: Jul 25, 2007; Posts: 711; Location: Slovakia)

    There is a chance that SysInspector didn't show everything. It's a pity, but I got a PM saying that I cannot advise you. :doubt:
     
  12. chanakya (Registered Member; Joined: Jul 20, 2008; Posts: 7; Location: Denmark)

    I tested the files as you recommended.
    I tried to copy the files to a USB key and dispatch them from another computer.
    That computer detected a virus in msdvdr.sys and deleted the file before I was able to upload it for testing.
    I subsequently deleted it from the infected computer.

    The other files were ok.
     