
Help Wanted - Trojan.mebroot.b


8 replies to this topic

#1 Baineth

Baineth

  • Members
  • 11 posts
  • OFFLINE
  •  
  • Local time:04:29 PM

Posted 11 August 2008 - 09:06 AM

An online BitDefender scan found Trojan.Mebroot.B on my system and said it had deleted it but it reappears every time I restart the computer. Have run AVG, AdAware and Spybot S & D but none of them pick it up. I've also run fixmbr on all hard disks from Recovery Console but it still reappears. Does anyone know of a way to remove this completely please?



#2 quietman7

quietman7

    Bleepin' Janitor


  • Global Moderator
  • 51,288 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:29 AM

Posted 11 August 2008 - 11:36 AM

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!).
  • Go to Start > Run and type: cmd.exe
  • press Ok.
  • At the command prompt type: c:\mbr.exe >>"C:\mbr.log"
  • press Enter.
  • A "DOS" box will open and quickly disappear. That is normal.
  • A log file named mbr.log will be created and saved to the root of the system drive (usually C:\).
  • Copy and paste the results of the mbr.log in your next reply.

.
.
Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 Baineth


Posted 11 August 2008 - 12:20 PM

Hello Quietman7. I did as you suggested but the mbr.log file is totally blank.

Should have said in my original post, I'm running Windows 2000. Symantec do a 'remove' program but only for XP.

#4 quietman7


Posted 11 August 2008 - 12:46 PM

I never dealt with this on a Win 2000 platform and don't have anything in my notes. I will have to check around to see what I can find.

#5 Baineth


Posted 11 August 2008 - 12:51 PM

Tried opening mbr.exe in windows rather than from the command prompt and it worked. mbr.log below:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

#6 quietman7


Posted 11 August 2008 - 01:11 PM

That's showing a clean log. mbr.exe will tell you if malicious code has been found and it's a tool I trust. You may be dealing with a false detection.

As such, you probably should inquire about the scan results at the BitDefender Forum. The discussions are for the actual product but someone there may also be able to help with their online scanner.

#7 Baineth


Posted 11 August 2008 - 01:24 PM

OK Thanks for the help Quietman7

#8 quietman7


Posted 11 August 2008 - 01:30 PM

You're welcome.

Please post back here with any info they provide. I'd be interested to since this is the first time I heard of BD encountering this on your platform.

#9 sermonize

sermonize

  • Members
  • 1 posts
  • OFFLINE
  •  
  • Local time:10:29 AM

Posted 07 November 2008 - 05:00 AM

Hello! I read this topic; I have the same problem... I think my PC is infected with Mebroot!!! I use NOD - ESET Smart Security antivirus, and it detected a threat in sector of 1 physical disk - Win 32/Mebroot.K trojan (error while cleaning - operation unavailable for this object type).
I run XP, SP2 on my computer. I made a scan with MBR rootkit detector and the log says:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
malicious code @ sector 0xdf937c1 size 0x1ac !
copy of MBR has been found in sector 62 !"
I made a scan with GMER and in the Malware section found, written in black:

Disk: \Device\Harddisk0\DR0 value: sector 61 : malicios code @sector 0xdf937c1 size 0x1ac and
Disk: \Device\Harddisk0\DR0 value: sector 62 : copy of MBR
I also performed a scan with Fix Mebroot (removal tool from Symantec) and it says Mebroot was not found in my system, with this log:
"Symantec Trojan.Mebroot Removal Tool 1.0.1
Found drive \\.\PhysicalDrive0, analyzing MBR...
Found drive \\.\PhysicalDrive1, analyzing MBR...
Creating FixMebroot service driver
Running driver...
Trojan.Mebroot has not been found active on your computer.
Delete service driver
Delete driver file
End


The tool initiated a system reboot."

I also made a scan with Spybot S&D and my system is clean. I don't know what I can do and what to believe. Please give me advice on what I can do in this situation! Thank you!





Edit: I escaped from this malware with the Cure it program! Found it, cure it! My log files on NOD, GMER are OK now! Thank you!

Edited by sermonize, 07 November 2008 - 11:29 AM.
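
An added example, not part of the original thread and not code from the mbr.exe tool: a small Python triage of the mbr.log outputs posted above, showing why the "user & kernel MBR OK" line alone is not the verdict when finding lines follow it, and why a blank log is not a clean one. The function name `triage_mbr_log` is hypothetical, and the line patterns are an assumption drawn only from the two logs quoted in posts #5 and #9.

```python
import re

# Sample inputs copied from the mbr.log outputs quoted in posts #5 and #9.
LOG_POST5 = """Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""
LOG_POST9 = LOG_POST5 + """malicious code @ sector 0xdf937c1 size 0x1ac !
copy of MBR has been found in sector 62 !
"""

# Assumption: line wording is taken only from these two logs (detector 0.2.4);
# other versions of the tool may phrase their findings differently.
MALICIOUS = re.compile(r"malicious code @ sector (0x[0-9a-f]+) size (0x[0-9a-f]+)", re.I)
MBR_COPY = re.compile(r"copy of MBR has been found in sector (\d+)", re.I)
MBR_OK = re.compile(r"user & kernel MBR OK", re.I)


def triage_mbr_log(text):
    """Hypothetical helper: return a verdict plus the parsed findings."""
    if not text.strip():
        # A blank log (post #3) means the tool wrote nothing, not that the MBR is clean.
        return {"verdict": "empty", "findings": []}
    findings = []
    for line in text.splitlines():
        m = MALICIOUS.search(line)
        if m:
            findings.append(("malicious_code", int(m.group(1), 16), int(m.group(2), 16)))
        m = MBR_COPY.search(line)
        if m:
            findings.append(("mbr_copy", int(m.group(1)), None))
    if findings:
        # Findings win over the "MBR OK" line: post #9 contains both.
        verdict = "suspicious"
    elif MBR_OK.search(text):
        verdict = "clean"
    else:
        verdict = "inconclusive"
    return {"verdict": verdict, "findings": findings}


if __name__ == "__main__":
    for name, log in (("post #5", LOG_POST5), ("post #9", LOG_POST9), ("post #3", "")):
        print(name, triage_mbr_log(log))
```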




