
NOD32 detected virus in operating memory !?!?!

Discussion in 'Windows - Virus and spyware problems' started by Ray92, Dec 14, 2008.

  1. Ray92

    Ray92 Regular member

    Joined:
    Jul 18, 2007
    Messages:
    783
    Likes Received:
    0
    Trophy Points:
    26
    Hey all, I'm back again ;)

    My dad has a Toshiba laptop that is a couple of years old, and has seen a lot of use.
    Just yesterday, it went a bit weird with a flash disk my dad plugged in. The flash disk worked fine when I plugged it in again, but it got me thinking a virus might be the culprit.

    Now I've had some virus issues with the laptop in the past, but I thought it was all good once I installed NOD32. Since my dad barely ever uses the internet on it (he uses his office PC), the AV doesn't get updated regularly; however, he has quite a few flash disks that are plugged into a number of PCs in his hospital for presentations and such, and I have no clue as to how well those are secured.

    So, today I updated NOD32 to the latest definitions, and ran a scan of operating memory and HD.

    As soon as it started this popped up.

    Operating Memory - Win32/Mebroot trojan - cannot clean

    I let the scan finish and there were no other infections.
    This is the first time I have come across this problem, and I'm not sure what to do, as NOD doesn't seem to be able to do anything to fix it.

    All help is appreciated, thanks
     
  2. 2oldGeek

    2oldGeek Active member

    Joined:
    Jun 16, 2005
    Messages:
    3,658
    Likes Received:
    38
    Trophy Points:
    78
  3. Ray92

    Thanks I'll give it a go and then get back to you.

    Also, how does this work???
    Do I just run it?

    Thanks
     
  4. 2oldGeek

    It has instructions…. Check my signature ; )

    2OG
     
  5. Ray92

    OK, will do.
    I don't mind peeing on the fence :p
    BUT I don't want to mess up my dad's lappy.

    Also, where are the instructions???
    In the .exe????

    Thanks
     
  6. Ray92

    Well, I ran the program; I clicked "I agree" and then "Scan", and after a short time it popped up with a message saying "Trojan.Mebroot has not been found active on your computer."
    It then made me restart.

    This time, I scanned the operating memory with NOD32 and then ran the program again. NOD showed the trojan, but the program did not.
    Here is a screen of that:
    [IMG]

    This is the FixMebroot Log:
    I thought this was strange, so I installed Malwarebytes' Anti-Malware on the laptop and did a quick scan, without updating to the latest version of the database.

    It came up with ~50 infections, but to be safe I took no action and instead saved a log file. Here it is:

    Malwarebytes' Anti-Malware 1.26
    Database version: 1103
    Windows 5.1.2600 Service Pack 2

    15/12/2008 20:32:14
    mbam-log-2008-12-15 (20-32-10).txt

    Scan type: Quick Scan
    Objects scanned: 45045
    Time elapsed: 3 minute(s), 20 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 17
    Registry Values Infected: 8
    Registry Data Items Infected: 1
    Folders Infected: 7
    Files Infected: 18

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin.1 (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin.1 (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{37b85a2a-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Interface\{37b85a2c-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\CLSID\{ef281620-a3a3-4f08-874f-d68cfc9b7945} (Adware.MyWebSearch) -> No action taken.
    HKEY_CLASSES_ROOT\Typelib\{37b85a20-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\IST (Trojan.ISTBar) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\MyGlobalSearch (Adware.BookedSpace) -> No action taken.

    Registry Values Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DXDLG32 (Spyware.OnlineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdcg32 (Spyware.OnlineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdwg32 (Spyware.OnLineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdog32 (Spyware.OnLineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdsg32 (Spyware.OnLineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdmg32 (Spyware.OnLineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdhg32 (Spyware.OnLineGames) -> No action taken.
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdqg32 (Spyware.OnLineGames) -> No action taken.

    Registry Data Items Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

    Folders Infected:
    C:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\1.bin (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Cache (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\History (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Settings (Adware.MyWebSearch) -> No action taken.
    C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> No action taken.

    Files Infected:
    C:\WINDOWS\system32\n1215088046k.exe (Trojan.Downloader) -> No action taken.
    C:\WINDOWS\system32\n1215088064k.exe (Trojan.Downloader) -> No action taken.
    C:\WINDOWS\system32\n1215088083k.exe (Trojan.Downloader) -> No action taken.
    C:\WINDOWS\system32\n1215088123k.exe (Trojan.Downloader) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.JAR (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.JAR (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Cache\000D30A6 (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Cache\0096AB3E.bin (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Cache\0096AD1F.bin (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Cache\0096AE73.bin (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\History\search (Adware.MyWebSearch) -> No action taken.
    C:\Program Files\MyGlobalSearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> No action taken.
    C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> No action taken.
    C:\WINDOWS\SVCHOST.INI (Heuristics.Reserved.Word.Exploit) -> No action taken.
    Another strange thing I noticed is that when I hit Ctrl+Alt+Del, it gave me a strange message, something like: "the admin has locked this feature".
    What could cause this, as there is only one account on my dad's laptop and that is his?
    I also think it is the admin account.

    Please help me clean up this laptop
    Thanks
     
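As an added example (not part of the thread, and not Malwarebytes' own code), here is a small Python parser for the MBAM 1.x log format posted above. It turns each "path (family) -> action" line into a record, keeps the section it came from, and reports what was left untreated, which registry entries sit under a Run key (a location Windows executes at logon, so those relaunch the malware after every reboot), and which settings MBAM flagged with a Bad/Good value pair. The embedded log is a constructed, shortened excerpt of the one in the thread; the final "Quarantined" line is invented to show how a treated entry differs from an untreated one.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Malwarebytes' Anti-Malware 1.x log
# posted in this thread. It is shortened, and the last "Quarantined" line is
# invented so the parser has one treated entry to contrast with the rest.
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 45045

Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\IST (Trojan.ISTBar) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdcg32 (Spyware.OnlineGames) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Files Infected:
C:\WINDOWS\system32\n1215088046k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\SVCHOST.INI (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.
"""

# "Key: value" lines in the preamble (database version, scan type, counts).
HEADER_RE = re.compile(r"^(?P<key>[A-Za-z ]+): (?P<value>.+)$")
# A section title such as "Registry Keys Infected:" with nothing after the colon.
SECTION_RE = re.compile(r"^(?P<section>.+ Infected):$")
# One finding: "<path> (<family>) -> <rest>"; <rest> may carry a Bad/Good pair
# before the final action, so the action is taken from the last arrow.
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.+)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")
# Run keys (including the Policies\Explorer\Run variant) are executed at logon.
AUTOSTART_RE = re.compile(r"\\CurrentVersion\\(Policies\\Explorer\\)?Run\\", re.IGNORECASE)


def parse_mbam_log(text):
    """Return (header, entries): header is a dict of preamble fields, entries a
    list of dicts with section, path, family, action and optional bad/good."""
    header, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("section")
            continue
        if section is None:            # still in the preamble
            m = HEADER_RE.match(line)
            if m:
                header[m.group("key")] = m.group("value")
            continue
        if line.startswith("(No malicious items detected)"):
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue                   # tolerate lines we do not understand
        rest = m.group("rest")
        bg = BADGOOD_RE.search(rest)
        entries.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            "action": rest.rsplit(" -> ", 1)[-1],
            "bad": bg.group("bad") if bg else None,
            "good": bg.group("good") if bg else None,
        })
    return header, entries


def report(text):
    """Summarise a log: what was found, what is still untreated, what autostarts."""
    header, entries = parse_mbam_log(text)
    return {
        "database_version": header.get("Database version"),
        "total": len(entries),
        "by_family": dict(Counter(e["family"] for e in entries)),
        "untreated": [e["path"] for e in entries if e["action"].startswith("No action taken")],
        "autostart": [e["path"] for e in entries if AUTOSTART_RE.search(e["path"])],
        "tampered_settings": [(e["path"], e["bad"], e["good"]) for e in entries if e["bad"] is not None],
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Run it against a saved `mbam-log-*.txt` by reading the file instead of `SAMPLE_LOG`. On the log in the thread every entry is "No action taken", so the `untreated` list would be the full set; the `autostart` list would hold the eight `Policies\Explorer\Run` values, which is why a scan that only reports, without removing, leaves the machine reinfecting itself at each logon.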
  7. 2oldGeek

    Do a Full Scan with Malwarebytes' Anti-Malware and this time FIX everything.

    Download Malwarebytes' Anti-Malware to your desktop.

    Double-click mbam-setup.exe and follow the prompts to install the program.
    • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
    • If an update is found, it will download and install the latest version.
    • Once the program has loaded, select Perform full scan, then click Scan.
    • When the scan is complete, click OK, then Show Results to view the results.
    Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
    • When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt

    • Please post the MBAM Log and a fresh HJT log in your next reply.


    2OG
     
  8. Ray92

    OK, thanks.

    I'll do that and then get back to you
     