A variation of MSIL/Injector.YT trojan can't be deleted in operative memory

[Roberto Tafuro 0]

Hello and sorry for my bad english. i'm italian. This morning i've recieved this message from NOD32:  A variation of MSIL/Injector.YT trojan can't be deleted in operative memory. Type of object "FILE". Object "OPERATING MEMORY = mem_A50000_1376.dll" , "OPERATING MEMORY=mem_4660000_1376.dll". Action "Impossible to clean". I run NOD32 in italian.

What i can do about it?

Thank you so much in advice.

Bests,

Roberto

[Marcos 5,112]

It's Windows crack / activator that is detected. It's been already reclassified to potentially unsafe application which are not detected by default.

[Roberto Tafuro 0]

Hello Marcos and thank you for the reply. I have a licensed version of Win 7 Professional 64bit, and this is my main work machine. I've followed some guides on this forum :hxxp://www.bleepingcomputer.com/forums/t/580248/eset-found-in-memory-a-variant-of-msilinjectoryt-trojan-and-its-trending/

After scanning the pc with Junkware removal tool, Hitman Pro, Rogue Killer and Kaspersky TDSS killer, Nod 32 doesn't see the trojan anymore.

My question now is this: am i safe? Is Nod 32 able to solve this problem or i have to format my pc. This is a serious trojan and i'm not alone. I've found other people with the same problem. At this moment all seems good but i'm not sure if the virus is gone or not.

Thank you again for your time.

Bests,

Roberto

[Marcos 5,112]

Hi Roberto,

Please run ESET Log Collector on the infected computer(s) as per the instructions at hxxp://kb.eset.com/esetkb/index?page=content&id=SOLN3466and drop me a pm with the output attached.

[Asgaro 0]

Hi Roberto and Marcos,

 

I'm the author of the post where Roberto links to: hxxp://www.bleepingcomputer.com/forums/t/580248/eset-found-in-memory-a-variant-of-msilinjectoryt-trojan-and-its-trending/

(So only the author of that post. NOT the author of the malware removal guides I linked within that post.)

 

I want to bring to everyone's attention a follow-up post I made within that same forum: hxxp://www.bleepingcomputer.com/forums/t/580267/eset-found-in-memory-a-variant-of-msilinjectoryt-trojan-mbam-didnt/

Especially the edits at the top of that thread, are important to read.

My conclusion: it was actually a false positive, like Marcos also stated here. edit: See Marcos's statement below.

 

And Marcos, feel free to point out anything that's incorrect in that post I made.

 

 

Kind regards,

Asgaro

Edited June 24, 2015 by Asgaro

[sw34669 0]

A friend of mine called me today saying they have this issue also (they se nod32)

 

This prompted me to have a look at my system (ive been a nod user for 10 years) and to

my horror I see ive had it in my logs every day since last Thursday.

 

I had to run a manual smartscan to see this ... no popup boxes have appeared since

ive been infected with this and the smartscan on system start has never picked

this up or shown a red unsafe icon.

 

Its had enough I have something here but I cant get my head around why I had

to run a manual smartscan to see the problem.

 

All of the log entries show it being detected by nod32 every day I booted since

last week but not a single popup or red icon. Trojan aside this is a MAJOR

failing of nod32 .

 

Can someone please advise if im missing something here (been in IT 30 years)

 

thanks

 

scott.

[Marcos 5,112]

My conclusion: it was actually a false positive, like Marcos also stated here.

 

This statement is not correct. It was not a true false positive and the detection was actually correct. It was an Injector dll which was detected, however, the Injector didn't do anything malicious in this case.

[Roberto Tafuro 0]

Hello to all and sorry for the delay!

Marcus,i'm sending with a pm the result of ESET Log collector. After following the guide linked by Asgaro (thank you for posting it), as i said NOD32 seems to not find the trojan anymore. After the attach, i was searching on internet something about this malwere,and find only two or three infos. If i search now, i'll have a lot of results about it. It seems a new trojan that have been generated in this days...

Hope that all of us are safe now!

Roberto

[Marcos 5,112]

All of the log entries show it being detected by nod32 every day I booted since last week but not a single popup or red icon. Trojan aside this is a MAJOR failing of nod32.

First of all, the Injector dll didn't perform any malicious action which was the reason for reclassifying it to a potentially unsafe application (ie. it's not detected with default settings as potentially unsafe applications cover legitimate tools that can be misused in the wrong hands).

The reason why it was detected during an on-demand scan is that: 1, it's a memory detection, ie. not a detection of a file on a disk. 2, the dll was likely not loaded when memory was scanned during startup scans but that's just a speculation without checking log details.

[JonWUK 0]

I have had a customer who had injector.yt on his system, and his ESET installation was warning him about it each and every time he booted since the 20th June 2015.

 

(still took him 10 days to call in though!)

[dpramas 0]

I have a startup notification about MSIL Injector file that can't be cleaned. The file of ESET Log collector is 2.3 MB and can't be uploaded. How can I make it under 2 MB? Thanks in advance.

 

 

 

[dpramas 0]

Hi,

I have tried to upload the eav-logs but get the message that the file is larger than 2 mb. How do I make the size smaller?

I’ve received this message from NOD32:  A variation of MSIL/Injector.YT trojan can't be deleted in operative memory.

[Mortem 0]

Hello, new here!!

 

Someone commented about having the notification from the 20th of June, which is very close to when I started seeing it. I get the notification come up and I've run several scans, on both ESET and other Antiviruses, yet nothing is detected. I was wondering if someone could explain to me why this is, if what it's actually detecting is dangerous and if so how to remove it or stop ESET from detecting it please, thank you!!  

[katzy 0]

I clicked on a link in an email saying someone in hong kong bought something off our apple account on iTunes said and to press it if it wasn't us, so stupidly did.

 

The email contained about four lines yet the size was 1,591 kb with 455 pages from message source file.

 

I had to enter the password for the account but only got a picture of the page which was not operational. I looked at the email and all the misspellings so tried to find the message source on google - eservicesuport@acountinclogin.onmicrosoft.com

didn't find it.

 

looked at location of the link I pressed - already-inclink.com/conect.php - didn't come up on google and no longer functioning.

 

I searched my computer for today's date to look for evidence and found 12.4 MB folder named "eav_logs" hidden in documents with matching time.

 

It contains folders on windows, eset, configuration and more files, e.g. metadata, info.xml, much much more

 

There are three computers on the network and all have the same relevant HIPS log under 2000 pages.

 

I dont' know what has been done or what info they have besides apple password for iTunes. I found purchases we did not make on iTunes.

 

I don't know if they can follow our keystrokes.

i'm trying to put all computer files on external hard drive before using fixes.

can I shut down computer pressing start button?? can I use restore to previous date?

 

I deleted the eav_logs and sent email to spam server, deleated emails off computers and server but kept copy of eml file.

 

did deep scan of one computer so far and no threats found.

 

I need to know how to proceed or where to post this or who to contact at ESET.