|
NOD32 detected virus in operating memory !?!?!
|
|
Senior Member
2 product reviews
|
14. December 2008 @ 16:20 |
Link to this message
|
Hey all, I'm back again ;)
My dad has a Toshiba laptop that is a couple of years old, and has seen a lot of use.
Just yesterday, it went a bit weird with a flash disk my dad plugged in. The flash disk worked fine when I plugged it in again, but it git me thinking a virus might be the culprit.
Now I've had some virus issues with the laptop in the past, but I thought it was all good once I installed NOD32. Since my dad barely ever uses the internet on it (uses his office pc), the AV doesn't get updated regularly, however he has quite a few flash disks that are plugged into a number of pcs in his hospital for presentations and such, and i have clue as to how well those are secured
So, today I updated NOD32 to the latest definitions, and ran a scan of operating memory and HD.
As soon as it started this popped up.
Operating Memory - Win32/Mebroot trojan - cannot clean
I let the scan finish and there were no other infections.
This is the first time I have come across this problem, and I'm not sure what to do, as NOD doesn't seem to be able to do anything to fix it.
All help is appreciated, thanks
(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P |
|
Advertisement
|
 |
|
|
AfterDawn Addict
|
14. December 2008 @ 23:42 |
Link to this message
|
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
Senior Member
2 product reviews
|
15. December 2008 @ 05:06 |
Link to this message
|
|
Thanks I'll give it a go and then get back to you.
Also, how does this work???
Do I just run it
Thanks
(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P
|
AfterDawn Addict
|
15. December 2008 @ 05:13 |
Link to this message
|
|
It has instructions?. Check my signature ; )
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
Senior Member
2 product reviews
|
15. December 2008 @ 09:42 |
Link to this message
|
|
OK, will do.
I don't mind peeing on the fence :P
BUT I don't want to mess up my dad's lappy.
Also, where are the instructions???
In the .exe????
Thanks
(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P
|
Senior Member
2 product reviews
|
15. December 2008 @ 12:49 |
Link to this message
|
Well, I ran the program, I clicked I agree, and Scan, and after a small amount of time, it popped up with a message saying Trojan.Mebroot has not been found active on your computer.
It then made me restart
This time, I scanned the operating memory with nod32 and then ran the program again. NOD showed the trojan, but the program did not.
Here is a screen of that:
This is the FixMebroot Log:
Originally posted by FixMebroot:
Symantec Trojan.Mebroot Removal Tool 1.0.1
Found drive \\.\PhysicalDrive0, analyzing MBR...
Creating FixMebroot service driver
Running driver...
Trojan.Mebroot has not been found active on your computer.
Delete service driver
Delete driver file
End
The system requires a reboot but was not rebooted.
To clean up all remnants of the threat from the system it must be rebooted.
I thought this was strange, so I install Malwarebytes Anti-Malware on the laptop and did a quick scan, without updating to the latest version of the database.
It came up with ~50 infections, but to be safe, I took no action, and instead saved a log file. Here it is
Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2
15/12/2008 20:32:14
mbam-log-2008-12-15 (20-32-10).txt
Scan type: Quick Scan
Objects scanned: 45045
Time elapsed: 3 minute(s), 20 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 7
Files Infected: 18
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{37b85a2a-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{37b85a2c-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ef281620-a3a3-4f08-874f-d68cfc9b7945} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{37b85a20-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\IST (Trojan.ISTBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyGlobalSearch (Adware.BookedSpace) -> No action taken.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DXDLG32 (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdcg32 (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdwg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdog32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdsg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdmg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdhg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdqg32 (Spyware.OnLineGames) -> No action taken.
Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.
Folders Infected:
C:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\History (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Settings (Adware.MyWebSearch) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> No action taken.
Files Infected:
C:\WINDOWS\system32\n1215088046k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\n1215088064k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\n1215088083k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\n1215088123k.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.JAR (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.JAR (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\000D30A6 (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\0096AB3E.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\0096AD1F.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\0096AE73.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\History\search (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> No action taken.
C:\WINDOWS\SVCHOST.INI (Heuristics.Reserved.Word.Exploit) -> No action taken.
Another strange think I noticed is that when I hit Ctrl+Alt+Del, it gave me a strange message. something like: the admin has locked this feature.
What could cause this, as there is only one account on my dad's laptop and that is his.
I also think it is the admin account.
Please help me clean up this laptop
Thanks
(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P
|
AfterDawn Addict
|
15. December 2008 @ 15:18 |
Link to this message
|
Do a Full Scan with Malwarebytes? AntiMalware and this time FIX Everything??
Download Malwarebytes' Anti-Malware to your desktop.
Double-click mbam-setup.exe and follow the prompts to install the program.
? At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
? If an update is found, it will download and install the latest version.
? Once the program has loaded, select Perform full scan, then click Scan.
? When the scan is complete, click OK, then Show Results to view the results.
? Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
? When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
? Please post the MBAM Log and a fresh HJT log in your next reply.
2OG
There are three kinds of men: The ones that learn by reading; The few who learn by observation;
The rest of them have to pee on the electric fence and find out for themselves... |
|
Advertisement
|
|
|
Senior Member
2 product reviews
|
16. December 2008 @ 09:12 |
Link to this message
|
|
Ok thanks
I'll do that and then get back to you
(+[_]%) 1: 2.60 > 2.80 > 2.81 >3.03 > 1.50 > 3.52M33 > 3.52M33-4 > 3.90M33 > 3.90M33-3 > 4.01M33 > 4.01M33-2 > 5.00M33 > 5.00M33-3
My GAMING LAPTOP!! : Acer Aspire 5930G - P8400 2.26Ghz//4 GB DDR2//GeForce 9600M GT 512MB GDDR3
Ultimate Handheld/Portable Gaming Device :P
|
