Posted 07 June 2004 - 07:33 PM
Configuration: Windows XP Pro with all MS critical updates installed; firewall and AV installed too.
Problem: Mersting.B trojan found in %system32%\resl.dll
Troubleshooting done :
1. Disabled System Restore, cleared Internet Explorer cookies and temp files.
2. Have the latest signature files for the AV and ran a full scan with the delete option for infected files. Ran the scan in both normal and safe mode.
3. Used third-party utilities and removed ALL startup items. No malicious services run in the Services tab of msconfig.
4. Checked the registry Run method of startup for both local machine and current user.
5. Downloaded and ran Lavasoft's Ad-Aware, CWShredder AND Spybot. None of them detect it.
Impact on the system: other than the warning message, the system doesn't show any performance degradation OR any abnormal behaviour in terms of files being modified.
Other info: I could rename the file resl.dll, but couldn't delete it, due to lack of permissions. I've logged in as the admin though. The file system is NTFS, but I can't see any permissions set on this file, so I'm unable to change the attributes either. All of them give an access denied message.
I will not be able to scan using any other AV. ANY help on this issue would be GREATLY appreciated.
P.S.: I've tried almost everything I can and I can't figure out the file that's causing this DLL file to be executed every time Windows is rebooted.
Thanks in advance.
Posted 11 June 2004 - 01:12 AM
Here's a link below which may or may not help?
It has the following info:
The .DLL file, which is copied to the %System% directory with a random filename, installs itself via the following registry entry:
This means that the specified DLL will be loaded by each application running within the current logon session.
On NTFS partitions the DLL will also remove various permissions, which stops the user from being able to read the file. This action makes the removal of such an infection more difficult.
Permissions which allow the removal of the DLL can be restored via the following command:
%System%\cacls.exe %System%\<filename>.dll /g Everyone:f
Posted 17 June 2004 - 07:45 AM
Thanks once again for taking the time to reply to the post
Posted 28 June 2004 - 02:27 PM
Posted 01 July 2004 - 12:01 PM
From CA's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."
Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.
Aside from running CWShredder, Spybot, Ad-Aware, Pest Patrol and an antivirus program, there are a couple of other things you can do too.
My antivirus program (eztrust from CAI) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.
To see information about it, go to:
For information on the Reg Start page, go to:
Trend Micro's removal tool for this particular mofo is at:
I have a command file (.cmd) named delmer.cmd that will remove it for you too, which was sent to me by CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below are the contents of that command file:
rem Usage: delmer.cmd <full path to the DLL>
rem Grant everyone full access to the file
echo y| cacls.exe %1 /g everyone:f
rem Access the file to trigger resident protection
type %1 > nul
rem Wait 10 seconds to allow system clean to run
rem (the wait command below is assumed; the original line is not preserved on the page)
ping -n 11 127.0.0.1 > nul
rem In case system clean didn't run, delete the file manually
del /q /f %1
Make sure that once you run the command file, or the fix tool from Trend Micro, you turn off System Restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the System Restore points. Your antivirus will detect the virus if you don't turn System Restore off.
I hope this will help everyone who went through the nightmare I've gone through too!!
If you need the command file or more info, my email address is Mrfullsrvc at aol.com. (Don't forget to use the '@' symbol in the email).
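Both the cacls one-liner in the 11 June post and CAI's delmer.cmd above assume that an administrator can still rewrite the DLL's ACL. The original poster's report (rename works, delete and permission changes all give "access denied" even as admin) is what you see when the DACL has been stripped entirely: cacls needs to read the existing security descriptor first and is refused. The script below is an added example written by the editor, not code from the thread or from CAI. It takes ownership first (an elevated administrator holds SeTakeOwnershipPrivilege, which the kernel honours regardless of the DACL), then rewrites the DACL, then deletes or, if the DLL is mapped into a running process, renames it out of the way. It assumes an elevated PowerShell prompt on Windows Vista or later (takeown.exe and icacls.exe in-box); the file path, the ".quarantine" rename and the AppInit_DLLs registry value checked at the end are this editor's assumptions, since the extracted post lost the registry entry it refers to.

```powershell
# Added example (editor's own, not from the thread or from delmer.cmd).
# Assumes an elevated PowerShell prompt on Windows Vista or later.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path    # e.g. "$env:SystemRoot\system32\resl.dll" (assumed name)
)
$ErrorActionPreference = 'Stop'
if (-not (Test-Path -LiteralPath $Path)) { throw "No such file: $Path" }

function Show-Dacl([string]$File) {
    # Get-Acl needs READ_CONTROL on the file. On a DLL whose DACL has been
    # stripped even an administrator gets Access Denied here, which is the
    # symptom the original poster describes.
    try {
        $acl = Get-Acl -LiteralPath $File
        "Owner: $($acl.Owner)"
        $acl.Access |
            Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize |
            Out-String
    } catch {
        "Cannot read the DACL of ${File}: $($_.Exception.Message)"
    }
}

"=== before ==="
Show-Dacl $Path

# 1. Take ownership for the Administrators group. SeTakeOwnershipPrivilege
#    lets this succeed even when the DACL grants nothing, so it must come
#    before any cacls/icacls call that needs to read the descriptor.
& takeown.exe /F $Path /A | Out-Null
if ($LASTEXITCODE -ne 0) { throw "takeown failed (exit $LASTEXITCODE)" }

# 2. As owner we may now rewrite the DACL. /reset drops whatever the malware
#    left and re-inherits from the directory; the SID form *S-1-5-32-544 is
#    used instead of the name "Administrators" so it works on any locale.
& icacls.exe $Path /reset | Out-Null
& icacls.exe $Path /grant '*S-1-5-32-544:F' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed (exit $LASTEXITCODE)" }

"=== after ==="
Show-Dacl $Path

# 3. Clear hidden/system/read-only attributes so Remove-Item does not refuse.
(Get-Item -LiteralPath $Path -Force).Attributes = [IO.FileAttributes]::Normal

# 4. Delete. A DLL mapped into a running process cannot be deleted (sharing
#    violation) but can be renamed, which matches what the original poster
#    saw. Rename it out of the way and remove it after a reboot.
try {
    Remove-Item -LiteralPath $Path -Force
    "Deleted $Path"
} catch {
    $newName = (Split-Path -Leaf $Path) + '.quarantine'   # assumed suffix
    Rename-Item -LiteralPath $Path -NewName $newName
    "File is in use; renamed to $newName. Reboot, then delete it."
}

# 5. Check the registry value that loads a DLL into every process of the
#    logon session. The thread describes that effect but the extracted post
#    lost the entry itself; AppInit_DLLs is this editor's assumption.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows'
$appInit = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
if ([string]::IsNullOrWhiteSpace($appInit)) {
    "AppInit_DLLs is empty (expected on a clean machine)"
} else {
    "AppInit_DLLs = '$appInit' - clear it if it names the DLL just removed"
}
```

Run it as `.\Fix-StrippedDll.ps1 -Path C:\Windows\system32\resl.dll` from an elevated prompt. The "before" listing is worth keeping for the record: a DLL in %System% whose owner is not TrustedInstaller or SYSTEM and whose DACL is empty is itself a strong indicator that something has tampered with it, independent of any AV signature.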
Posted 06 July 2004 - 02:24 PM
Edited by Raven, 06 July 2004 - 02:37 PM.