manual cleanup of memory infection?

Hi there,

Whilst Sophos is able to quarantine and "cleanup" infections such as .exe's, .dll's and .htm I've unfortunately been infected with a Troj/ZbotMem-A that resides within my memory. Sophos suggests a manual removal, and whilst I've managed to manually remove items Sophos has not been able to remove itself before, I am not entirely sure how to clean my memory or the infected "explorer.exe" in my system files without causing collateral damage.

As a university student using Sophos on a desktop I don't exactly have a system administrator to turn to.

Sophos lists this as a low threat, but Symantec lists the damage as high, and currently Sophos is running well into over 2 thousand cleaned/removed infected files.

Also what worried me is that the virus/trojan has gotten to my registry as well so I imagine it's going to perform some nasty business on startup too. What was also worrying was that Windows Firewall blocked an attempted breach of security that tried to come through my media player. I suppose it still got onto my system though...

I guess I should end this post already so I can get some responses about this little devil.

Grahame.

:5376


  • Hello Grahame,

    I don't know whether you've read Further steps when removing problem files. It hasn't been updated for Win7 (what's your Windows version, btw?) and it finishes with a chapter on reinstalling Windows but it lists a number of actions step by step.

    Memory is usually volatile and "cleanup" is performed by switching off the computer. An infection "survives" by either storing code on disk or non-volatile memory (USB sticks) or by tweaking the registry so that the code is downloaded again on start. It's not possible to tell which steps you have to perform as Troj/ZbotMem-A is a more general detection.

    Maybe your university's IT-department offers some help. If you are "on your own" follow the advice in the article as far as you can and post your findings here.

    Christian

    :5377
  • Thanks for the speedy and informative reply.

    I've managed to reduce the infection spread from the thousands to just tens, but I can't seem to remove the original source from the memory. After restarting the computer (when the physical infection seems to be brought to a halt) the same original infection remains present in the memory. Perhaps Sophos simply isn't finding what's allowing the infection to come back...

    Reading the article, it appears that a safe mode boot allows a more thorough scan?

    :5379
  • Reading the article, it appears that a safe mode boot allows a more thorough scan?

    If you have a memory component you should always scan in safe mode.

    And please post what else has been found.

    Christian

    :5380
  • Sorry,

    The memory infection is: C:\windows\explorer.exe:pid:000007e8:thread:00000654

    Whilst the physical infection continues from W32/Patched-I and VBS/Inor-AA (I just went to my machine and found Sophos cleared another 1000 files so it isn't mostly cleared after all).

    I'll attempt a safeboot + scan and let you know what happens.

    :5381
    It appears I cannot clear this infection, it has infected nearly if not all my .dll's, .exe's, .htm's and .html's. Across both partitions, surprisingly.

    Sophos can only handle 200 infected files per scan (unless I pause and clear the list every time it fills). But the infection just infects the cleared files shortly after, with ~6000 infected files. Even in safe mode the infection was spreading through the system.

    I also still couldn't find out how to prevent the infection in the memory, which I assume is what was causing/allowing the infection to continue to spread itself.

    I simply don't know how to prevent it from spreading/copying itself. Especially when Sophos won't touch my memory, nor find the offending source.

    :5386
  • Hello grazzer,

    Sophos can only handle 200 infected files per scan

    This applies to the quarantine manager when you are using the GUI. As you noticed this doesn't help at all because the files are reinfected immediately afterwards.

    Caution: If you haven't already done so - back up your important data

    Sounds pretty bad but that doesn't mean it can't be stomped out. As SAV is obviously still working you should set the on-access settings to scan on read, write and rename, and in the cleanup tab automatic cleanup and deny access only. Also turn off System Restore (you will of course lose all restore points). Together this could reduce reinfections. Boot into safe mode and run SAV32CLI -f -di (do not use -remove at first) -nc (otherwise you are prompted for every detection) - see Scanning options with SAV32CLI and Removing malicious files with SAV32CLI. If the number of detected items decreases with subsequent runs there's a chance that you can get rid of the infection without reinstalling. Make a note of the files which can't be cleaned up (and why). Normally you can safely remove (delete) HTML files - to do so use SAV32CLI C:\*.ht* D:\*.ht* -remove (assuming your partitions are C: and D:). Removing .exe or .dll files will likely corrupt your installation. If you have infected .exe or .dll and the Windows installation CD/DVD is available try to use its repair option.

    A better option is to boot from a LiveCD/DVD (WinPE or BartPE) and scan your disks from there. Still you'd have to restore corrupt system files and revert any harmful registry modifications. But you'll probably need "local assistance".

    Christian

    :5396
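The reply above asks the poster to check whether the number of detections falls between runs and to keep a record of which files cannot be cleaned. The following is an added example, not code from this thread or from Sophos: a small file-integrity snapshot tool that hashes a directory tree right after a cleanup pass, hashes it again later, and reports which files changed or appeared in between. A file the user never touched whose hash changes between two passes is evidence that an infector is still active, independent of what the scanner's quarantine list shows. The extension grouping follows the advice in the reply (HTML files can usually be deleted, .exe/.dll files need repair rather than deletion); the directory layout, file contents and the "re-infection" step are constructed for the demonstration and involve no real malware.

```python
"""Added example (not from the thread or from Sophos): measure re-infection
between cleanup runs by diffing SHA-256 snapshots of a directory tree.
Everything under demo() is constructed sample data."""
import hashlib
import os
import tempfile
from pathlib import Path

# Extension groups taken from the reply's advice (assumption: these are the
# only categories that matter for triage here).
DELETABLE = {".htm", ".html"}      # HTML: normally safe to delete
REPAIR_ONLY = {".exe", ".dll"}     # executables/libraries: repair, don't delete


def sha256_of(path: Path) -> str:
    """Stream-hash a file so large binaries never need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every regular file under root (relative, '/'-separated) to its hash."""
    result = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root)).replace(os.sep, "/")
            result[rel] = sha256_of(p)
    return result


def diff_snapshots(before: dict, after: dict) -> dict:
    """Files whose content changed, files that appeared, files that vanished."""
    changed = sorted(k for k in before if k in after and before[k] != after[k])
    added = sorted(k for k in after if k not in before)
    removed = sorted(k for k in before if k not in after)
    return {"changed": changed, "added": added, "removed": removed}


def triage(paths) -> dict:
    """Group suspicious files by the handling the reply recommends."""
    groups = {"delete_ok": [], "repair_needed": [], "review": []}
    for p in paths:
        ext = Path(p).suffix.lower()
        if ext in DELETABLE:
            groups["delete_ok"].append(p)
        elif ext in REPAIR_ONLY:
            groups["repair_needed"].append(p)
        else:
            groups["review"].append(p)
    return groups


def demo():
    """Constructed scenario: baseline after cleanup, then files change again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "bin").mkdir()
        (root / "web").mkdir()
        (root / "bin" / "app.exe").write_bytes(b"MZ clean program image")
        (root / "bin" / "helper.dll").write_bytes(b"MZ clean library image")
        (root / "web" / "index.htm").write_text("<html>clean page</html>")
        (root / "notes.txt").write_text("unchanged notes")

        baseline = snapshot(root)   # taken right after the cleanup pass

        # Stand-in for re-infection (constructed, inert text; no real malware):
        # one executable and one page are modified, one new page is dropped.
        with (root / "bin" / "app.exe").open("ab") as f:
            f.write(b"\n[constructed appended section]")
        (root / "web" / "index.htm").write_text(
            "<html>clean page</html><!-- constructed modification -->")
        (root / "web" / "new.html").write_text("<html>dropped file</html>")

        later = snapshot(root)      # taken on the next pass
        delta = diff_snapshots(baseline, later)
        return delta, triage(delta["changed"] + delta["added"])


if __name__ == "__main__":
    delta, groups = demo()
    print("changed since baseline:", delta["changed"])
    print("new since baseline:    ", delta["added"])
    print("repair needed:", groups["repair_needed"])
    print("delete ok:    ", groups["delete_ok"])
```

To use it on a real machine, run `snapshot()` against each partition root immediately after a SAV32CLI pass, store the result, and diff it against a fresh snapshot after the next pass; a shrinking "changed" list between passes corresponds to the decreasing detection count the reply says to look for, while a list that keeps growing means the source of the re-infection has not yet been removed.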