
Problems with Troj/ZbotMem-A

I am having trouble with a rather persistent trojan.

Sophos has it listed in the quarantine manager as "TrojZbotMem-A". Under location, it lists "memory" and it insists that a manual clean-up is required.

I have followed the steps for manual clean-up, listed here and here, but it does not appear to be having any success. This thread indicates that it should be purged from memory during shutdown, and it is stored on the disk instead, but no infected files have been found on the disk. When Sophos failed to find any infected files, I tried about half a dozen other programs, but none of them could find a hint of the trojan. I tried running all the programs (including Sophos) in both regular and safe mode, and I even tried running a scan from a separate rescue CD.

The computer is running Windows 7.

I would add to this post the log file produced when I scanned all files with sav32cli in safe mode, but I am limited to no more than 20,000 characters in this post. It failed to find any viruses, but it had some interesting contents: there appear to be a lot of nested "Application Data" folders, containing files (with names such as "UsrClass.dat") that sav32cli could not open.



  • The quarantine is "something" where Sophos keeps information about detected threats with outstanding actions. If a threat "disappeared" by other means it is not removed from the list as Sophos can't determine what has happened to it. Just that a subsequent (unrelated) scan comes up empty is not sufficient for an item to be (silently) removed. This would complicate the scans and the logic for the quarantine. Of course if you use the Cleanup action from the Quarantine Manager it can clear the item if it has successfully dealt with it - but you will get an alert if the item(s) couldn't be found.

    In an extreme example: While your computer is unattended a threat is generically detected but some rootkit component is involved which hides the item immediately afterwards. A while later a scheduled scan fails to detect it because of the rootkit. Should the threat now be removed from the quarantine list?

    Clearly for similar reasons memory detections "stick" if Sophos can't remove the threat immediately.

    Christian

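To make the reasoning in the reply above concrete, here is a small added model of that quarantine policy. It is illustration code written for this page, not Sophos code: the entry layout, the "outstanding action" flag, the `CleanupResult` outcomes and the `rootkit_scenario` walkthrough are all assumptions. It shows why an empty scan result must not clear an existing entry, and why only an explicit, successful cleanup does.

```python
"""Toy model of quarantine reconciliation: entries with an outstanding action
persist until an explicit cleanup succeeds; a later scan that finds nothing
is not evidence that the item is gone (it may simply be hidden).

Added illustration, not Sophos code. All names below are assumptions."""
from dataclasses import dataclass, field
from enum import Enum


class CleanupResult(Enum):
    CLEANED = "cleaned"        # cleanup located and removed the item
    NOT_FOUND = "not found"    # cleanup could not locate the item
    FAILED = "failed"          # cleanup located it but could not remove it


@dataclass
class QuarantineEntry:
    name: str                  # detection name, e.g. Troj/ZbotMem-A
    location: str              # e.g. "memory" or a file path
    action_outstanding: bool = True


@dataclass
class QuarantineManager:
    entries: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def record_detection(self, name, location):
        """A detection whose action is still pending creates (or keeps) an entry."""
        key = (name, location)
        self.entries.setdefault(key, QuarantineEntry(name, location))
        return self.entries[key]

    def record_scan(self, hits):
        """A scan only ever ADDS entries. An empty result says nothing about the
        existing ones (a rootkit may be hiding the item), so nothing is removed."""
        for name, location in hits:
            self.record_detection(name, location)
        return sorted(self.entries)

    def cleanup(self, name, location, attempt):
        """Explicit Cleanup from the quarantine list. `attempt` stands in for the
        cleanup engine and returns a CleanupResult. Only success clears the
        entry; any other outcome raises an alert and leaves the entry in place."""
        key = (name, location)
        if key not in self.entries:
            return None
        result = attempt(name, location)
        if result is CleanupResult.CLEANED:
            del self.entries[key]
        else:
            self.alerts.append(f"{name} at {location}: cleanup {result.value}")
        return result


def rootkit_scenario():
    """The 'extreme example' from the reply: detection, then the item is hidden,
    a scheduled scan finds nothing, cleanup first fails and later succeeds."""
    qm = QuarantineManager()
    qm.record_detection("Troj/ZbotMem-A", "memory")
    # Scheduled scan comes up empty because the component is now hidden:
    # the entry must survive this.
    after_scan = qm.record_scan(hits=[])
    # User runs Cleanup; the engine cannot find the item, so an alert is raised
    # and the entry stays listed.
    first = qm.cleanup("Troj/ZbotMem-A", "memory",
                       lambda n, loc: CleanupResult.NOT_FOUND)
    # Once the hiding component is gone (e.g. after a reboot), cleanup succeeds
    # and only then is the entry removed.
    second = qm.cleanup("Troj/ZbotMem-A", "memory",
                        lambda n, loc: CleanupResult.CLEANED)
    return after_scan, first, second, len(qm.entries), list(qm.alerts)


if __name__ == "__main__":
    print(rootkit_scenario())
```

The design point is the asymmetry in `record_scan`: a scan can add evidence of a threat but cannot remove it, because "not seen" and "not present" are different facts. Removing an entry is tied to an action whose outcome the manager actually observed.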