BrownB

Virus in operating memory before and after offline scan


Hello, I have a PC in my organization where Nod32 v.4 is running.

In the last 3 days it has been showing an alert about the Win32/Ramnit.CS virus found in operating memory = c:\windows\system32\wups.dll

It seems to happen randomly during the day.

I tried the offline scan using the latest image of ESET SysRescue Live, updated when started, and it finds 0 threats.

Then I let the user work again on the PC, but after some hours the alert popped up again.

I asked the user about his activities and everything seems ok. What other problems could make the malware remain on the PC after a SysRescue scan?

Thank you all for the support.


V4 is an ancient version which does not provide sufficient protection against current threats and is not supported any more either.

Uninstall it and install the latest Endpoint v7 (or 6.5 in the case of WinXP) asap without disabling any protection features or default settings. After activation and update, run a full scan and reboot the machine after the scan has completed.

Should the problem persist:
- gather logs with ESET Log Collector (select Threat detection in the ELC menu)
- Procmon boot log

Upload the stuff in an archive encrypted with the password "infected" to a safe location and email samples[at]eset.com while providing a download link as well as a link to this topic.

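The reply above asks for a Procmon boot log and a password-protected archive of the collected material. The following PowerShell script is an added example, not code from the thread or from ESET: it records the on-disk state of the flagged DLL (signature, hash, component-store check), lists the processes that currently have it mapped, arms a Procmon boot log for the next restart, and packages the folder with the password the reply specifies. The paths for Procmon.exe, 7z.exe and the C:\Triage output folder are assumptions; adjust them to the machine. Run it from an elevated PowerShell session, since both sfc and Procmon boot logging need administrator rights.

```powershell
# Added example (not from the original thread): triage and evidence-collection
# helper for the steps described in the reply. Assumptions not stated in the post:
# Sysinternals Process Monitor and 7-Zip are installed at the paths below, and the
# output is written to C:\Triage. Run elevated.

$Target  = 'C:\Windows\System32\wups.dll'    # path quoted in the original alert
$OutDir  = 'C:\Triage'                        # assumed collection folder
$Procmon = 'C:\Tools\Procmon.exe'             # assumed location of Process Monitor
$SevenZ  = 'C:\Program Files\7-Zip\7z.exe'    # assumed location of 7-Zip
$Archive = Join-Path (Split-Path $OutDir -Parent) 'infected-samples.7z'

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Is the on-disk copy of the flagged file still the Microsoft-signed original?
#    A file infector normally breaks the Authenticode signature. A valid signature
#    combined with a memory-only detection suggests the running image is being
#    modified at run time rather than the file on disk, which is consistent with
#    an offline (SysRescue) scan finding nothing.
$item = Get-Item -Path $Target
$sig  = Get-AuthenticodeSignature -FilePath $Target
$hash = Get-FileHash -Algorithm SHA256 -Path $Target
[pscustomobject]@{
    Path      = $Target
    SigStatus = $sig.Status                  # 'Valid' expected for an untouched system DLL
    Signer    = $sig.SignerCertificate.Subject
    SHA256    = $hash.Hash
    Size      = $item.Length
    LastWrite = $item.LastWriteTimeUtc
} | Format-List | Out-File -FilePath (Join-Path $OutDir 'wups-dll-triage.txt')

# sfc /verifyfile compares the file against the component store without repairing it.
sfc "/verifyfile=$Target" | Out-File -FilePath (Join-Path $OutDir 'sfc-verifyfile.txt')

# 2. Which processes currently have the DLL mapped? The alert names the image,
#    not the host process; recording the hosts helps correlate the next detection.
$hosts = foreach ($p in Get-Process) {
    try {
        if ($p.Modules.FileName -contains $Target) {
            [pscustomobject]@{ Id = $p.Id; Name = $p.ProcessName; Path = $p.Path }
        }
    } catch {
        # protected/system processes refuse module enumeration; skip them
    }
}
$hosts | Format-Table -AutoSize | Out-File -FilePath (Join-Path $OutDir 'processes-with-wups.txt')

# 3. Arm a Procmon boot log for the next restart, as the reply requests.
#    /EnableBootLogging makes Procmon capture from the start of the next boot;
#    after the reboot, launch Procmon once and it offers to save the boot log.
& $Procmon /AcceptEula /EnableBootLogging

# 4. Package everything collected so far (drop the ESET Log Collector output into
#    the same folder first) into a 7z archive encrypted with the password the reply
#    specifies. -mhe=on also encrypts the file names inside the archive.
& $SevenZ a -t7z -p'infected' -mhe=on $Archive (Join-Path $OutDir '*')
```

The archive is written one level above the collection folder so that 7-Zip does not try to add its own output to itself. Once the Procmon boot log has been saved after the reboot, copy it into C:\Triage and re-run the last step before uploading the archive.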
