Problems with Troj/ZbotMem-A

I am having trouble with a rather persistent trojan.

Sophos has it listed in the quarantine manager as "TrojZbotMem-A". Under location, it lists "memory" and it insists that a manual clean-up is required.

I have followed the steps for manual clean-up, listed here and here, but it does not appear to be having any success. This thread indicates that it should be purged from memory during shutdown, and it is stored on the disk instead, but no infected files have been found on the disk. When Sophos failed to find any infected files, I tried about half a dozen other programs, but none of them could find a hint of the trojan. I tried running all the programs (including Sophos) in both regular and safe mode, and I even tried running a scan from a separate rescue CD.

The computer is running Windows 7.

I would add to this post the log file produced when I scanned all files with sav32cli in safe mode, but I am limited to no more than 20,000 characters in this post. It failed to find any viruses, but it had some interesting contents: there appear to be a lot of nested "Application Data" folders, containing files (with names such as "UsrClass.dat") that sav32cli could not open.

  • Some malware is active in safe mode too and therefore you get odd results. So shoot an email to Sophos Support and ask for the Sophos Bootable CD. Of course you could also use any Rescue CD from competitors if you want a second opinion (AVIRA for example: http://www.avira.com/en/support-download-avira-antivir-rescue-system ).

  • I have tried rescue CDs, but scans run from them are not detecting anything.

  • Just to make sure - it is still detected in memory after a normal boot?

    Christian

  • Yes - upon booting, Sophos still lists it in quarantine.

  • To make sure it is again found clear it from the list and then run another scan. It might no longer be present.

    Christian
  • I removed it from the quarantine list, ran another scan, and it was not picked up again - presumably one of the things had gotten rid of it, but it had not been removed from quarantine.

    Many thanks.

  • The quarantine is "something" where Sophos keeps information about detected threats with outstanding actions. If a threat "disappeared" by other means it is not removed from the list as Sophos can't determine what has happened to it. Just that a subsequent (unrelated) scan comes up empty is not sufficient for an item to be (silently) removed. This would complicate the scans and the logic for the quarantine. Of course if you use the Cleanup action from the Quarantine Manager it can clear the item if it has successfully dealt with it - but you will get an alert if the item(s) couldn't be found.

    In an extreme example: While your computer is unattended a threat is generically detected but some rootkit component is involved which hides the item immediately afterwards. A while later a scheduled scan fails to detect it because of the rootkit. Should the threat now be removed from the quarantine list?

    Clearly for similar reasons memory detections "stick" if Sophos can't remove the threat immediately.

    Christian