Guest Raven

MERSTING.B

6 posts in this topic

Hello one and all.

Configuration: WinXP Pro with all MS critical updates installed, firewall and AV installed too.

Problem: mersting.b trojan found in %system32% resl.dll

Troubleshooting done:

1. Disabled System Restore, cleared Internet Explorer cookies and temp files.
2. Have the latest sig files for the AV and ran a full scan with delete option for infected files. Ran scan in both normal and in safe mode.
3. Used third party utilities and removed ALL startup items. No malicious services run in the services tab of msconfig.
4. Checked registry Run method of startup for both local machine and current user.
5. D'loaded and ran Lavasoft's Ad-Aware, CWS Shredder AND Spybot. None of them detect it.

Impact on the system: Other than the warning message, the system doesn't show any performance degradation OR any abnormal behaviour in terms of files being modified.

Other info: Could rename the file resl.dll, but couldn't delete it, due to lack of permissions. I've logged in as the admin though. File system is NTFS, but can't see any permissions set to this file, so unable to change the attributes either. All of them give an access denied message.

Will not be able to scan using any other AV. ANY help on this issue would be GREATLY appreciated.

P.S.: I've tried almost everything I can and I can't figure out the file that's causing this DLL file to be executed every time Windows is rebooted.

Thanks in advance.

Raven.


Hi

Here's a link below which may or may not help:

http://www3.ca.com/securityadvisor/virusin...s.aspx?id=39113

It has the following info:

The .DLL file, which is copied to the %System% directory with a random filename, installs itself via the following registry entry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=c:\windows\system32\mdm.dll

This means that the specified DLL will be loaded by each application running within the current logon session.

On NTFS partitions the DLL will also remove various permissions which stop the user from being able to read the file. This action makes the removal of such an infection more difficult.

Permissions which allow the removal of the DLL can be restored via the following command:

%System%\cacls.exe %System%\<filename>.dll /g Everyone:f
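The AppInit_DLLs entry quoted above is the persistence point worth checking on a box like Raven's. As an added example (not from this post, from CA, or from the Trend Micro tool), this Python script parses a constructed `reg export` of that key and lists every DLL the value would load into each process; the sample value mirrors the advisory's entry, and on XP the value is normally empty, so any path in it deserves a look:

```python
import re

# Constructed sample of `reg export` output for the key named in the post;
# the AppInit_DLLs value mirrors the CA advisory entry (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"DeviceNotSelectedTimeout"="15"
"AppInit_DLLs"="c:\\windows\\system32\\mdm.dll"
"TransmissionRetryTimeout"="90"
"""

APPINIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_reg_export(text):
    """Return {key_path.casefold(): {value_name: string}} for the REG_SZ
    values in a .reg export; backslashes are doubled in that file format."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].casefold()
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def appinit_dlls(text):
    """List the DLL paths AppInit_DLLs would load into every process that
    links user32.dll; the value may be empty, or space/comma separated."""
    values = parse_reg_export(text).get(APPINIT_KEY.casefold(), {})
    return [p for p in re.split(r"[,\s]+", values.get("AppInit_DLLs", "")) if p]


def review(text):
    """Defender's summary: (path, lives_in_system32) for each listed DLL.
    A DLL under %System% with a random name, as in this thread, is the
    case to verify by publisher or hash before trusting it."""
    return [(p, "\\system32\\" in p.casefold()) for p in appinit_dlls(text)]


if __name__ == "__main__":
    for path, in_system32 in review(SAMPLE_REG_EXPORT):
        where = "under %System%" if in_system32 else "outside %System%"
        print(path, "-> loaded system-wide,", where)
```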


Thank you so much for taking the time to reply. I really appreciate it. Wanna know what's the funny part? I'm an employee of CA, which owns that site you gave, and I already read that link before I posted in here :D. I ended up getting a cleaning tool from the specialists down here and the mersting was indeed deleted.

Thanks once again for taking the time to reply to the post.


thyme - Unlike Raven, I am not lucky enough to work for CA and the links at the site you suggest don't help. How can I use the command you gave to get rid of Mersting.B?

Thanks,

Jeffrey


I fought with this virus for a week and a half. It's a Win32MerstingB trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From CA's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the CWS Shredder, Spybot, Ad-Aware, Pest Patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eTrust from CAI) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

To see information about it, go to:

http://vic.zonelabs.com/body/CA/virusDetails.jsp?VId=39113
http://www3.ca.com/securityadvisor/virusin...s.aspx?id=39113
http://uk.trendmicro-europe.com/enterprise...me=TROJ_AGENT.A

For information on the Reg Start page, go to:

http://www3.ca.com/securityadvisor/virusin...s.aspx?ID=28683

Trend Micro's removal tool for this particular mofo is at:

https://beta.activeupdate.trendmicro.com/fi...gentv1.0007.zip

I have a command file (.cmd) named delmer.cmd that will remove it for you too, that was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below is the contents of that command file:

@echo off
rem Grant everyone full access to the file; cacls without /e replaces the ACL
rem and asks "Are you sure (Y/N)?", which the piped "y" answers. %1 is the DLL path.
echo y| cacls.exe %1 /g everyone:f
rem Access the file to trigger resident protection
type %1 > nul
rem Wait 10 seconds to allow system clean to run
rem (delay is not a built-in cmd command; if delay.exe is not on the system,
rem  "ping -n 11 127.0.0.1 > nul" gives roughly the same 10-second pause)
delay 10
rem In case system clean didn't run, delete the file manually
del /q /f %1

Make sure that once you run the command file, or the fix tool from Trend Micro, you turn off System Restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the System Restore points. Your antivirus will detect the virus if you don't turn System Restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!

If you need the command file or more info, my email address is Mrfullsrvc at aol.com. (Don't forget to use the '@' symbol in the email.)
