MEDBOT

Discussion in 'NOD32 version 2 Forum' started by TEEH, May 5, 2007.

Thread Status:
Not open for further replies.
  1. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Finally, I started my LAN PCs in safe mode and NOD32 found the following:
    MEDBOT IE Win 32 trojan
    MEDBOT HZ Win 32 trojan
    MEDBOT HR Win 32 trojan

    This trojan keeps creating the files autorun.inf and setup.exe in my shared folders and this way it was transmitted to all the LAN computers.
    Nod 32 does delete the MEDBOT setup infected file in the shared folder but I have to manually delete the autorun.inf file. I do not know what to do from now on because it seems it is an extended trojan problem, but the question is who or where are these files created.

    Any idea.

    Thor Hedderich
     
  2. ASpace

    ASpace Guest

    Re: Medbot.BD trojan again

    Hello TEEH!

    Make sure your definition is up-to-date by pressing Control Center -> Update -> Update now.

    Make sure your settings are the same as this tutorial.

    If you have problems deleting them in Normal mode, boot in Safe Mode and then perform a full scan there. Open the NOD32 on-demand scanner from Start->Programs->ESET->NOD32, make sure you use the Control Center profile and perform a full Scan&Clean over your hard drives. NOD32 will take care of these threats :)

    If they are in System Restore, too, you'll have to flush it to remove Medbot from there. You must also perform a scan on all computers in your LAN.

    If you continue having problems, contact ESET Technical Support and provide them with a log file of HijackThis and MS AutoRuns.
     
  3. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    Autorun.inf is not detected as it's just a pure text file. Are these files created even with the computer unplugged from network?
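
An added example, not part of the thread and not ESET's code: because autorun.inf is plain text that a scanner may leave behind, it can be read directly to see which program it starts. This sketch walks a shared folder, lists every autorun.inf, and hashes the program it names; the function names and the sample string are assumptions made for illustration.

```python
import hashlib
import os
import re

# Keys in an [autorun] section that name a program to start.
LAUNCH_KEY = re.compile(r"^(open|shellexecute|shell\\[^=]*\\command)$", re.I)
SAMPLE = "[AutoRun]\nopen=setup.exe\n"  # constructed sample, not a captured file

def decode_inf(raw: bytes) -> str:
    """autorun.inf is usually ANSI, sometimes UTF-16 with a byte-order mark."""
    bom = raw[:2] in (b"\xff\xfe", b"\xfe\xff")
    return raw.decode("utf-16" if bom else "latin-1", errors="replace")

def launch_targets(text: str) -> list:
    """Return (key, command) pairs from the [autorun] section.
    Line-based and lenient on purpose: junk lines are skipped, not fatal."""
    found, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower().startswith("[autorun]")
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            if LAUNCH_KEY.match(key.strip()):
                found.append((key.strip().lower(), value.strip()))
    return found

def program_of(command: str) -> str:
    """First token of a command line, honouring double quotes."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    return (m.group(1) or m.group(2)) if m else ""

def scan_share(root: str) -> list:
    """Report each autorun.inf under root, the program it starts, and that
    program's SHA-256 (None if the file is no longer beside the .inf)."""
    report = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "autorun.inf":
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                text = decode_inf(fh.read())
            for key, command in launch_targets(text):
                program = program_of(command)
                # Resolved relative to the folder holding the .inf
                target = os.path.join(folder, program.replace("\\", os.sep))
                sha256 = None
                if program and os.path.isfile(target):
                    with open(target, "rb") as fh:
                        sha256 = hashlib.sha256(fh.read()).hexdigest()
                report.append({"inf": path, "key": key, "program": program, "sha256": sha256})
    return report
```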
     
  4. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    I have not tried that. I have three PCs connected in my LAN, Windows XP Pro in all, and also the "shared" folder is shared. Of all, the laptop does not get infected but the other two do. I tried McAfee, disabled the restore and finally started the infected PCs in safe mode; when I started both again in safe mode the setup.exe file was in the quarantine folder in both computers, and today, Sunday, they have not appeared again. I am just waiting to see if this critter reappears again. What I do remember (I think) was that I deactivated the shared folder and both files did not appear, but when I activated the shared folder again they did.

    Three month fighting and medbot is still winning.

    I tried BitDefender, Norton, McAfee, and finally I am with NOD32, which does delete the setup file but not the autorun.inf.

    Thanks and will wait for your advice.

    Thor Hedderich
     
  5. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Re: Medbot.BD trojan again

    Well, I am still waiting to see if the vicious files appear again. I am prepared with Hijack, Autoruns and Look into my Pc for that moment; meanwhile I am getting all the information required. Another question: if there is a dropper in the registry, does NOD32 also clean it?

    Thanks again to all

    Thor Hedderich
     
  6. Togg

    Togg Registered Member

    Joined:
    Jun 24, 2003
    Posts:
    177
    If it comes back you could trial Trojan Remover for 30 days (Medbot is in its database); http://www.simplysup.com/tremover/details.html

    I have this program but have never had to use its removal feature because I haven't got infected (yet).

    I imagine it would be reasonably safe to use as long as you have a good restore point!
     
  7. TEEH

    TEEH Registered Member

    Joined:
    Apr 20, 2007
    Posts:
    17
    Gone, what McAfee, Norton, Bitdefender and AVG could not do NOD 32 did. I confess I was really afraid of going into safe mode but everything went ok and from yesterday I have not seen these critters appear again. Thanks to all the guys that helped me deal with this MEDBOT trojan and especially to Blackspear.

    Two days "clean" and running.

    Regards,

    Thor Hedderich
     
  8. Blackspear

    Blackspear Global Moderator

    Joined:
    Dec 2, 2002
    Posts:
    15,115
    Location:
    Gold Coast, Queensland, Australia
    Good news, and you are welcome Thor.

    Cheers :D
     