Medbot.BD trojan again

Discussion in 'NOD32 version 2 Forum' started by KiLL, Aug 23, 2006.

Thread Status:
Not open for further replies.
  1. KiLL

    KiLL Registered Member

    Joined:
    Aug 22, 2006
    Posts:
    6
    There was no need to close my previous thread. You could just remove the log.
    Anyway, can anyone help me remove this Medbot.BD trojan?

    It creates setup.exe and autorun.inf on all partitions. NOD detects it all the time and removes setup.exe, and I remove autorun.inf manually, but it keeps coming. Here are my running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\alg.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\PROGRA~1\GAMING~1\MouseElf.EXE
    C:\PROGRA~1\KYE\ERGOME~1\SyTray.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\Neobee Speeedy Internet Accelerator\speeedycore.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe
    C:\WINDOWS\system32\devldr32.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\taskmgr.exe

    I don't see anything suspicious here. Any assistance would help.
    thank you.
     
  2. NOD32 user

    NOD32 user Registered Member

    Joined:
    Jan 23, 2005
    Posts:
    1,766
    Location:
    Australia
    Re: Medbot.BD trojan again

    Last post in your previous question is here.
    Cheers :)
     
  3. ctrlaltdelete

    ctrlaltdelete Registered Member

    Joined:
    Oct 16, 2005
    Posts:
    318
    Location:
    NL
    Re: Medbot.BD trojan again

    Check the file C:\WINDOWS\System32\smss.exe for infection on VIRUSTOTAL

    Check if there is any other smss.exe on your system and scan those files on virustotal.
     
    Last edited: Aug 23, 2006
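    To make the two checks in this thread concrete (post 1's autorun.inf that launches setup.exe from every drive root, and post 3's "is there another smss.exe" question), here is an added Python example; it is not code from this thread, from ESET or from any forum member. Both inputs are constructed inline: the autorun.inf text is modelled on post 1's description, and the second smss.exe path is a hypothetical placeholder, not a known Medbot location.

```python
import configparser
import ntpath

# Constructed autorun.inf modelled on the behaviour described in post 1
# (a setup.exe launched from a drive root); not copied from a real sample.
SAMPLE_AUTORUN = """[autorun]
open=setup.exe
shellexecute=setup.exe
shell\\open\\command=setup.exe
icon=%SystemRoot%\\system32\\shell32.dll,4
"""
# [autorun] keys whose value gets executed when the drive is opened or auto-played.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

# Constructed process list: the legitimate smss.exe in System32 plus a
# hypothetical second copy elsewhere (a placeholder path, not a known Medbot path).
SAMPLE_PROCESSES = [
    r"C:\WINDOWS\System32\smss.exe",
    r"C:\WINDOWS\system32\csrss.exe",
    r"C:\WINDOWS\smss.exe",
    r"C:\Program Files\Eset\nod32krn.exe",
]
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
EXPECTED_DIR = r"c:\windows\system32"


def autorun_launch_targets(text):
    """Map each launch key present in [autorun] to the program it would start."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        cp.read_string(text)
    except configparser.Error:          # not INI-shaped at all: nothing would launch
        return {}
    if not cp.has_section("autorun"):
        return {}
    targets = {}
    for key in EXEC_KEYS:
        if cp.has_option("autorun", key):
            value = cp.get("autorun", key).strip().strip('"')
            targets[key] = value.split()[0] if value else ""
    return targets


def rogue_core_process_copies(process_paths):
    """Paths named like a core Windows process that do not live in System32."""
    return [p for p in process_paths
            if ntpath.basename(p).lower() in CORE_PROCESSES
            and ntpath.dirname(p).lower() != EXPECTED_DIR]
```

Any path returned by rogue_core_process_copies is a candidate for the VirusTotal check suggested above; a non-empty result from autorun_launch_targets on a drive root explains why the dropper keeps reappearing as long as the launched file survives.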
  4. webvida

    webvida Registered Member

    Joined:
    Sep 4, 2006
    Posts:
    1
    Re: Medbot.BD trojan again

    I have this problem as well - I have looked everywhere on the net but can't find any way to fix it. This is getting to be a real hassle, especially when I am playing games and the Nod32 warning box kicks me back to the desktop....

    Is there any way that Nod can deal with this Medbot trojan, or should I try another antivirus application...

    Thanks
     
  5. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Re: Medbot.BD trojan again

    NOD32 detects and removes Medbot. If there's a problem deleting it, try booting to safe mode first. Another possibility is that something keeps dropping the malicious file. In such case I'd recommend that you contact ESET's support for further instructions. NOD32 is usually one of the few AVs to detect Medbot proactively:

    Original file name: nvsvcd.exe
    Already detected as:
    Trojan-Proxy.Win32.Horst.av (Kaspersky)
    a variant of Win32/Medbot.BK (NOD32v2)
     
  6. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Hi, I also have the Medbot trojan and have not been able to clean it. Nod 32 does detect it and cleans the setup.exe; the autorun.inf is deleted manually, both in the shared folder, but still the files keep appearing and infecting my LAN PCs.

    Any solution found?

    Regards,

    Thor Hedderich
     
  7. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England