Virus in operating memory before and after offline scan


Hello, I have a PC in my organization where Nod32 v.4 is running.

In the last 3 days it has been showing an alert about the Win32/Ramnit.CS virus found in operating memory=c:\windows\system32\wups.dll

It seems to happen randomly during the day.

I tried the offline scan using the latest image of ESET SysRescue Live, updated when started, and it found 0 threats.

Then I let the user work again on the PC, but after some hours the alert popped up again.

I asked the user about his activities and everything seems ok. What other problems could make the malware remain on the PC after a SysRescue scan?

Thank you all for the support.

  Administrators

V4 is an ancient version which does not provide sufficient protection against current threats and is not supported any more either.

Uninstall it and install the latest Endpoint v7 (or 6.5 in case of WinXP) asap without disabling any protection features or default settings. After activation and update, run a full scan and reboot the machine after the scan has completed.

Should the problem persist:
- gather logs with ESET Log Collector (select Threat detection in the ELC menu)
- Procmon boot log

Upload the stuff in an archive encrypted with the password "infected" to a safe location and email samples[at]eset.com while providing a download link as well as a link to this topic.
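The steps in the reply above (check the flagged file, arm a Procmon boot log, package the evidence in an archive encrypted with the password "infected"), as an added PowerShell example. This is not code from the forum post or from ESET; it assumes Process Monitor and 7-Zip are unpacked at the paths set at the top, and that ESET Log Collector has already written its output to the path in `$ElcOutput`. Because the detection was reported in operating memory, the Authenticode check on the on-disk `wups.dll` only tells you whether the file on disk has been modified; a valid Microsoft signature does not by itself explain a recurring in-memory hit, which is why the boot log matters.

```powershell
# Added example (not from the ESET forum post or ESET): triage and evidence
# packaging for a recurring in-memory detection. Run from an elevated prompt.
# Assumptions (not facts from the thread): tool locations and the ELC output path.
$Suspect   = 'C:\Windows\System32\wups.dll'      # path named in the alert
$Procmon   = 'C:\Tools\Procmon.exe'               # assumed location of Process Monitor
$SevenZip  = 'C:\Program Files\7-Zip\7z.exe'     # assumed location of 7-Zip
$ElcOutput = 'C:\Triage\eset_logs.zip'           # assumed ESET Log Collector output
$WorkDir   = 'C:\Triage'
$BootLog   = Join-Path $WorkDir 'procmon_boot.pml'
$Report    = Join-Path $WorkDir 'wups_dll_report.txt'

New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

# 1. Integrity check of the flagged file. 'Valid' with a Microsoft signer means the
#    bytes on disk are what Microsoft shipped; anything else (HashMismatch, NotSigned)
#    means the file itself has been altered and should be submitted as a sample.
function Get-FileIntegrityReport {
    param([Parameter(Mandatory)][string]$Path)
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = Get-FileHash -Algorithm SHA256 -Path $Path
    [PSCustomObject]@{
        File    = $Path
        SHA256  = $hash.Hash
        Status  = $sig.Status
        Signer  = $sig.SignerCertificate.Subject
        Checked = (Get-Date).ToString('s')
    }
}

$integrity = Get-FileIntegrityReport -Path $Suspect
$integrity | Format-List | Out-String | Set-Content -Path $Report
$integrity | Format-List

# 2. Arm a Procmon boot log. The Procmon driver then starts at the next boot and
#    records process, file and registry activity from early startup, i.e. before
#    the user can have done anything, which is where a persistent component shows up.
#    After the reboot, start Procmon again; it offers to save the captured boot log,
#    save it as $BootLog.
Start-Process -FilePath $Procmon -ArgumentList '/AcceptEula', '/EnableBootLogging' -Wait
Write-Host "Boot logging armed. Reboot, reproduce the alert, then save the boot log to $BootLog."

# 3. Package everything for samples[at]eset.com. -mhe=on also encrypts the file
#    listing; the password 'infected' is the convention the reply asks for.
#    7z.exe returns 0 on success and 1 for warnings (e.g. a skipped locked file).
function New-SamplePackage {
    param(
        [Parameter(Mandatory)][string[]]$Paths,
        [Parameter(Mandatory)][string]$Archive,
        [string]$Password = 'infected'
    )
    $existing = @($Paths | Where-Object { Test-Path -LiteralPath $_ })
    if ($existing.Count -eq 0) { throw 'Nothing to package: none of the input paths exist.' }
    & $SevenZip a -t7z "-p$Password" -mhe=on $Archive @existing | Out-Null
    if ($LASTEXITCODE -gt 1) { throw "7z.exe failed with exit code $LASTEXITCODE" }
    # Return the archive hash so the download link in the e-mail can be verified.
    Get-FileHash -Algorithm SHA256 -Path $Archive
}

# Run this step only once the boot log exists; the copied DLL is optional and is
# what makes the password-protected archive necessary in the first place.
if (Test-Path $BootLog) {
    Copy-Item -Path $Suspect -Destination (Join-Path $WorkDir 'wups.dll.sample') -Force
    New-SamplePackage -Paths $ElcOutput, $BootLog, $Report, (Join-Path $WorkDir 'wups.dll.sample') `
                      -Archive (Join-Path $WorkDir 'eset_case.7z')
}
```

The script is deliberately split around the reboot: run it once to record the on-disk state and arm boot logging, reboot and let the user work until the alert recurs, save the boot log, then run it again so the packaging step fires. `Compress-Archive` is not used because it cannot set a password, which is the one requirement in the reply.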

