BleepingComputer.com: New version of MBR rootkit (win32/mebroot)

Jump to content

Forum Guidelines

Posted Image Read the following topic before creating a new topic in this forum. It contains instructions on the what we would like you to post, which will enable us to help you more quickly.

Preparation Guide For Use Before Using Malware Removal Tools and Requesting Help


Posted Image Unfortunately, with the amount of logs we receive per day, the average response time is 5 days. I want to assure you, though, that your topic will be looked at and responded to. So please be patient.


Posted Image DO NOT RUN ComboFix unless requested to.


Posted Image Only members of the Malware Response Team or Moderators are allowed to help people with logs. Anyone else should refrain from posting to another user's log.


Posted Image When posting a log please put the type of infection you have in the topic title. IE: Winfixer, Virtumonde, WinTools, WebSearch, Home Search Assistant, etc.


Posted Image Do not bump your topic. We try to resolve logs on a first come/first served basis. By bumping your log you will be pushed back in line due to the new date of your bump.
Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

New version of MBR rootkit (win32/mebroot) Win32 mebroot

#1 User is offline   Ace3 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 04-September 11
  • Gender:Male
  • Location:Greece

Posted 05 September 2011 - 01:09 PM

NOD32 says

Scan Log
Version of virus signature database: 6436 (20110904)
Date: 5/9/2011 Time: 5:16:58 πμ
Scanned disks, folders and files: Operating memory
Operating memory - Win32/Mebroot trojan - action selection postponed until scan completion
Number of scanned objects: 504
Number of threats found: 1
Number of cleaned objects: 0
Time of completion: 5:26:08 πμ Total scanning time: 550 sec (00:09:10)

1.Tryed the EMebRemover.exe but it says
New version of MBR rootkit (win32/mebroot)detected
Unable to clean the rootkit.

2. Tryed mbam
Sees nothing wrong..

?? Can me someone help me?

6-9 steps
Done.Did it as shown in the example.

Merged topics then posts pruning off no longer relevant posts. ~ OB

Attached File(s)

  • Attached File  DDS.txt (23.2K)
    Number of downloads: 7
  • Attached File  attach.txt (5.94K)
    Number of downloads: 5
  • Attached File  ark.txt (83K)
    Number of downloads: 5

This post has been edited by Orange Blossom: 05 September 2011 - 11:28 PM

#2 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,053
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 10 September 2011 - 01:09 PM

Hello, Welcome to BleepingComputer.
I'm nasdaq and will be helping you.

Download http://public.avast.com/~gmerek/aswMBR.exe (aswMBR.exe) ( 511KB ) to your desktop. Double click the aswMBR.exe to run it

  • Click the "Scan" button to start scan.
  • Upon completion of the scan, click Save log, and save it to your desktop. (Note - do not select any Fix at this time) <- IMPORTANT
  • Please post the contents of that log in your next reply.
There shall also be a file on your desktop named MBR.dat. Right click that file and select Send To>Compressed (zipped) folder. Please attach that zipped file in your next reply.
===

Please Download
TDSSKiller.zip

>>> Double-click on TDSSKiller.exe to run the application.
  • Click on the Start Scan button and wait for the scan and disinfection process to be over.
  • If an infected file is detected, the default action will be Cure, click on Continue
    Posted Image
  • If a suspicious file is detected, the default action will be Skip, click on Continue
    Posted Image
  • If you are asked to reboot the computer to complete the process, click on the Reboot Now button. A report will be automatically saved at the root of the System drive ((usually C:\) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt" (for example, C:\TDSSKiller.2.2.0_20.12.2009_15.31.43_log.txt). Please copy and paste the contents of that file here.
  • If no reboot is required, click on Report. A log file will appear. Please copy and paste the contents of that file in your next reply.


Please post the logs for my review.

Wait for further instructions.

#3 User is offline   Ace3 

  • New Member
  • Pip
  • Find Topics
  • Group: Members
  • Posts: 6
  • Joined: 04-September 11
  • Gender:Male
  • Location:Greece

Posted 10 September 2011 - 02:17 PM

Hello nasdaq.
The labtop crashed becouse of the scans of the hard disk...
Went it to the store and they did a format!!!
40 Euro.. only! But a new labtop.. only it's empty!!
Thank you anyway for trying to help me...
But it was too late.. i ll sent you a pm and explain to you what happend from the beginning!

#4 User is offline   nasdaq 

  • Forum Addict
  • PipPipPipPipPipPip
  • Find Topics
  • Group: Malware Response Team
  • Posts: 5,053
  • Joined: 16-June 06
  • Gender:Male
  • Location:Montreal, QC. Canada

Posted 11 September 2011 - 08:47 AM

Thank you for the feed back.

Share this topic:


Page 1 of 1
  • You cannot start a new topic
  • This topic is locked

1 User(s) are reading this topic
0 members, 1 guests, 0 anonymous users