This discussion has been locked.

manual cleanup of memory infection?

Hi there,

Whilst Sophos is able to quarantine and "clean up" infections such as .exe, .dll and .htm files, I've unfortunately been infected with a Troj/ZbotMem-A that resides within my memory. Sophos suggests a manual removal, and whilst I've managed to manually remove items that Sophos has not been able to remove itself before, I am not entirely sure how to clean my memory or the infected "explorer.exe" in my system files without causing collateral damage.

As a university student using Sophos on a desktop, I don't exactly have a system administrator to turn to.

Sophos lists this as a low threat, but Symantec lists the damage as high, and currently Sophos is running well into over two thousand cleaned/removed infected files.

Also, what worries me is that the virus/trojan has got into my registry as well, so I imagine it's going to perform some nasty business on startup too. What was also worrying was that Windows Firewall blocked an attempted breach of security that tried to come through my media player. I suppose it still got onto my system though...

I guess I should end this post already so I can get some responses about this little devil.

Grahame.



  • Hello grazzer,

    Sophos can only handle 200 infected files per scan

    This applies to the quarantine manager when you are using the GUI. As you noticed this doesn't help at all because the files are reinfected immediately afterwards.

    Caution: If you haven't already done so, back up your important data.

    Sounds pretty bad, but that doesn't mean it can't be stomped out. As SAV is obviously still working, you should set the on-access settings to scan on read, write and rename, and in the cleanup tab set automatic cleanup and deny access only. Also turn off System Restore (you will of course lose all restore points). Together this could reduce reinfections.

    Boot into safe mode and run SAV32CLI -f -di -nc (do not use -remove at first; without -nc you are prompted for every detection) - see Scanning options with SAV32CLI and Removing malicious files with SAV32CLI. If the number of detected items decreases with subsequent runs, there's a chance that you can get rid of the infection without reinstalling. Make a note of the files which can't be cleaned up (and why).

    Normally you can safely remove (delete) HTML files - to do so use SAV32CLI C:\*.ht* D:\*.ht* -remove (assuming your partitions are C: and D:). Removing .exe or .dll files will likely corrupt your installation. If you have infected .exe or .dll files and the Windows installation CD/DVD is available, try to use its repair option.

    A better option is to boot from a LiveCD/DVD (WinPE or BartPE) and scan your disks from there. Still, you'd have to restore corrupt system files and revert any harmful registry modifications. But you'll probably need "local assistance".

    Christian

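The repeated safe-mode scan Christian describes (run SAV32CLI -f -di -nc, check whether the detection count drops between passes, then remove only the .ht* files with -remove) can be scripted so each pass is logged and compared automatically. The batch file below is an added example and is not from the thread or from Sophos; it uses only the SAV32CLI switches named in the reply. Assumptions: SAV32CLI.EXE is on the PATH or the script is run from its folder, the partitions are C: and D:, C:\savlogs is a free location for the logs, and each detection in SAV32CLI's output is a line beginning with ">>> Virus" (that line format is an assumption; adjust the find pattern if your version prints something else).

```batch
@echo off
rem Added example, not part of the original thread or of Sophos' own tooling.
rem Runs the disinfect-only pass from the reply up to five times in safe mode,
rem logs every pass, and stops early if the detection count stops falling
rem (a sign the memory-resident component is still reinfecting files).
rem Assumption: detections are logged as lines starting with ">>> Virus".
setlocal enabledelayedexpansion

set LOGDIR=C:\savlogs
if not exist "%LOGDIR%" mkdir "%LOGDIR%"

set PREV=-1
for /L %%N in (1,1,5) do (
    set LOG=%LOGDIR%\pass%%N.log

    rem -f full scan, -di disinfect, -nc no confirmation prompts, no -remove yet
    sav32cli -f -di -nc > "!LOG!" 2>&1

    rem HTML files are normally safe to delete outright, so remove those now
    sav32cli C:\*.ht* D:\*.ht* -remove -nc >> "!LOG!" 2>&1

    rem count detection lines in this pass' log
    set COUNT=0
    for /f %%C in ('type "!LOG!" ^| find /c ">>> Virus"') do set COUNT=%%C
    echo Pass %%N: !COUNT! detections, log !LOG!

    if !COUNT! equ 0 (
        echo No detections left in pass %%N. Review the logs for files that could not be disinfected.
        goto :done
    )
    if !PREV! neq -1 if !COUNT! geq !PREV! (
        echo Detections did not decrease between passes. Reinfection is still active.
        echo Scan from a LiveCD/DVD instead, as suggested in the reply.
        goto :done
    )
    set PREV=!COUNT!
)
echo Five passes completed and detections are still falling. Re-run this script.

:done
echo Logs are in %LOGDIR%. Note every file SAV32CLI could not clean, and why, before deleting anything else.
endlocal
```

Run it from a safe-mode command prompt after System Restore is switched off. The script never passes -remove for anything other than *.ht* files, so .exe and .dll files are only disinfected, never deleted; anything left uncleaned is what you then fix from the Windows repair option or a LiveCD, as the reply describes.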