
#1 Guest_Raven_*

  • Guests

Posted 07 June 2004 - 07:33 PM

Hello one and all.
Configuration : Winxp Pro with all MS critical updates installed, Firewall and AV installed too.
Problem : mersting.b trojan found in %system32% resl.dll

Troubleshooting done :
1. Disabled System Restore, cleared Internet Explorer cookies and temp files.
2. Have the latest sig files for the AV and ran a full scan with the delete option for infected files. Ran the scan in both normal and safe mode.
3. Used third-party utilities and removed ALL startup items. No malicious services run in the services tab of msconfig.
4. Checked the registry run method of startup for both local machine and current user.
5. Downloaded and ran Lavasoft's Ad-aware, CWS Shredder AND Spybot. None of them detect it.

Impact on the system: Other than the warning message, the system doesn't show any performance degradation OR any abnormal behaviour in terms of files being modified.

Other info: Could rename the file resl.dll, but couldn't delete it, due to lack of permissions. I've logged in as the admin though. File system is NTFS, but can't see any permissions set on this file, so unable to change the attributes either. All of them give an access denied message.

Will not be able to scan using any other AV. ANY help on this issue would be GREATLY appreciated.

P.S.: I've tried almost everything I can and I can't figure out the file that's causing this dll file to be executed every time Windows is rebooted.

Thanks in advance.

#2 thyme


  • Full Member
  • 93 posts

Posted 11 June 2004 - 01:12 AM


Here's a link below which may or may not help:


It has the following info:

The .DLL file, which is copied to the %System% directory with a random filename, installs itself via the following registry entry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs=c:\windows\system32\mdm.dll

This means that the specified dll will be loaded by each application running within the current logon session.

On NTFS partitions the DLL will also remove various permissions which stop the user from being able to read the file. This action makes the removal of such an infection more difficult.

Permissions which allow the removal of the DLL can be restored via the following command:

%System%\cacls.exe %System%\<filename>.dll /g Everyone:f
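
The AppInit_DLLs load point and the permission stripping described in this post can be checked directly. The PowerShell below is an added example, not part of the original post or of any vendor tool; the function names are hypothetical, and the WOW6432Node key applies only on 64-bit Windows.

```powershell
# Added example: enumerate the DLLs named in AppInit_DLLs and report the traits
# described above (file present but unreadable, signature status).
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Windows'  # 32-bit view, 64-bit Windows only
)

function Get-AppInitEntry {
    param([string[]]$KeyPath)
    foreach ($key in $KeyPath) {
        $value = (Get-ItemProperty -Path $key -Name AppInit_DLLs -ErrorAction SilentlyContinue).AppInit_DLLs
        if ([string]::IsNullOrWhiteSpace($value)) { continue }   # an empty value is the normal state
        # The value is a single string; entries are separated by spaces or commas.
        foreach ($entry in ($value -split '[ ,]+' | Where-Object { $_ })) {
            [pscustomobject]@{ Key = $key; Entry = $entry }
        }
    }
}

function Test-AppInitDll {
    param([string]$Key, [string]$Entry)
    # A bare file name is resolved against the system directory of the matching view.
    $sysDir = if ($Key -match 'WOW6432Node') { 'SysWOW64' } else { 'System32' }
    $path = if (Split-Path -Path $Entry -IsAbsolute) { $Entry } else { Join-Path $env:SystemRoot "$sysDir\$Entry" }

    # Listing the parent directory still works when the file's own ACL has been stripped.
    $item = Get-ChildItem -LiteralPath (Split-Path -Path $path -Parent) -Filter (Split-Path -Path $path -Leaf) -Force -ErrorAction SilentlyContinue

    $readable = $false
    if ($item) {
        try { $fs = [System.IO.File]::OpenRead($path); $fs.Close(); $readable = $true } catch { $readable = $false }
    }
    $signature = if ($readable) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'NotChecked' }

    [pscustomobject]@{
        Key = $Key; Path = $path; Exists = [bool]$item; Readable = $readable; Signature = $signature
    }
}

Get-AppInitEntry -KeyPath $keys |
    ForEach-Object { Test-AppInitDll -Key $_.Key -Entry $_.Entry } |
    Format-List
```

An entry reported with Exists = True and Readable = False from an administrator session matches the permission stripping described in the post.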

#3 Guest_Raven_*

  • Guests

Posted 17 June 2004 - 07:45 AM

Thank you so much for taking the time to reply. I really appreciate it. Wanna know what's the funny part? I'm an employee of CA, which owns that site you gave, and I already read that link before I posted in here :D . I ended up getting a cleaning tool from the specialists down here and the mersting was indeed deleted.
Thanks once again for taking the time to reply to the post.

#4 Jeffrey



  • New Member
  • 1 posts

Posted 28 June 2004 - 02:27 PM

thyme - Unlike Raven, I am not lucky enough to work for CA and the links at the site you suggest don't help. How can I use the command you gave to get rid of Mersting.B?


#5 Mrfullsrvc



  • Full Member
  • 10 posts

Posted 01 July 2004 - 12:01 PM

I fought with this virus for a week and a half. It's a Win32MerstingB trojan. I believe it also contains variations of the CWS trojan too. Here are some useful sites and some information to help you get rid of it.

From CA's website: "Win32.Mersting is a trojan that is used to change a user's default Internet Explorer homepage and/or default search page that may also download other components and add pornography related Favorites to Internet Explorer."

Turns out it can enter your system through the Microsoft Java Virtual Machine. I had all the latest updates from Microsoft and it didn't stop it.

Aside from running the CWS shredder, Spybot, Adaware, pest patrol and an antivirus program, there are a couple of other things you can do too.

My antivirus program (eztrust from cai) would stop it from executing, but it wouldn't remove it. Below are some websites explaining what it is and a couple of ways to remove it.

To see information about it, go to:


For information on the Reg Start page, go to:


Trend Micro's removal tool for this particular mofo is at:


I have a command file (.cmd) named delmer.cmd that will remove it for you too, which was sent to me from CAI. If anyone needs it, email me and I can send it to you. You'll need software to be able to decode MIME files though. For anyone who knows how to create a command file, below are the contents of that command file:

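@echo off
rem Usage: delmer.cmd <full path to the DLL>
rem Grant everyone full access to the file
echo y| cacls.exe "%~1" /g everyone:f
rem Access the file to trigger resident protection
type "%~1" > nul
rem Wait about 10 seconds to allow system clean to run
rem (ping is used as the timer; cmd.exe has no built-in delay command)
ping -n 11 127.0.0.1 > nul
rem In case system clean didn't run, delete the file manually
del /q /f "%~1"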

Make sure that once you run the command file, or the fixtool from Trend Micro that you turn off the system restore if you're using Win Me or XP. You'll need to reboot before the computer deletes all the system restore points. Your antivirus will detect the virus if you don't turn the system restore off.

I hope this will help everyone who went thru the nightmare I've gone thru too!!

If you need the command file or more info, my email address is Mrfullsrvc at aol.com. (Don't forget to use the '@' symbol in the email).

#6 Guest_Raven_*

  • Guests

Posted 06 July 2004 - 02:24 PM


Edited by Raven, 06 July 2004 - 02:37 PM.
