
is there any way to remove mebroot trojan?


This topic is locked. 13 replies to this topic.

#1 CurtDZ

  • Members
  • 15 posts

Posted 24 March 2009 - 10:53 PM

SpyBot S&D and my NOD32 have just detected a mebroot trojan :thumbsup: Please point me in the right direction of removing this evil beast from my computer. I've read about all the evils it does and I want a way to fight back....HELP PLEASE!!!!!

(Moderator edit: post moved to more appropriate forum. jgw)

Edited by jgweed, 25 March 2009 - 07:58 AM.



#2 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 March 2009 - 09:18 AM

Welcome to BC. Please run 2 scans and post back the logs. There may be a purchase offer in the first; I don't want you to buy anything here.
Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

Next run MBAM:
Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop.
alternate download link 1
alternate download link 2
If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy.
  • Make sure you are connected to the Internet.
  • Double-click on mbam-setup.exe to install the application.
  • When the installation begins, follow the prompts and do not make any changes to default settings.
  • When installation has finished, make sure you leave both of these checked:
    • Update Malwarebytes' Anti-Malware
    • Launch Malwarebytes' Anti-Malware
  • Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
  • If an update is found, the program will automatically update itself.
  • Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install. Alternatively, you can update through MBAM's interface from a clean computer, copy the definitions (rules.ref) located in C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware from that system to a usb stick or CD and then copy it to the infected machine.
On the Scanner tab:
  • Make sure the "Perform Quick Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply and exit MBAM.
Note: If MBAM encounters a file that is difficult to remove, you may be asked to reboot your computer so it can proceed with the disinfection process. Regardless if prompted to restart the computer or not, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware. MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you after scanning with MBAM. Please temporarily disable such programs or permit them to allow the changes.
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#3 CurtDZ
  • Topic Starter

  • Members
  • 15 posts

Posted 25 March 2009 - 06:38 PM

Thank you for the warm welcome and advice. I've already run MBAM (a fresh new version) and it caught it and said it removed it, but when I scanned again with it, it was gone; my NOD32 continuously shows the threat as still being there. Will run the Panda scan and post the log from that. My MBAM log is below:

Malwarebytes' Anti-Malware 1.34
Database version: 1893
Windows 5.1.2600 Service Pack 3

3/25/2009 6:55:29 PM
mbam-log-2009-03-25 (18-55-29).txt

Scan type: Quick Scan
Objects scanned: 82558
Time elapsed: 8 minute(s), 8 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#4 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 25 March 2009 - 08:05 PM

You're welcome. Where does NOD show that file is located?

#5 CurtDZ
  • Topic Starter

  • Members
  • 15 posts

Posted 26 March 2009 - 12:37 AM

It says it's in the boot sector.

Scan Log
Version of virus signature database: 3961 (20090325)
Date: 3/26/2009 Time: 1:37:09 AM
Scanned disks, folders and files: C:\Boot sector
MBR sector of the 1. physical disk - Win32/Mebroot.K trojan
MBR sector of the 2. physical disk - Win32/Mebroot.K trojan
Number of scanned objects: 7
Number of threats found: 2
Number of cleaned objects: 0
Time of completion: 1:37:21 AM Total scanning time: 12 sec (00:00:12)

#6 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 March 2009 - 02:22 PM

Hi, that was good. Now run Gmer.

Please download gmer.zip and save to your desktop.
  • Extract (unzip) the file to its own folder such as C:\Gmer. (Click here for information on how to do this if not sure.)
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security program drivers will not conflict with gmer's driver.
  • Click on this link to see a list of programs that should be disabled.
  • Double-click on gmer.exe to start the program.
  • Allow the gmer.sys driver to load if asked.
  • Do NOT click scan. GMER does an automatic quick scan when run.
  • Click the copy button on the right side of GMER and then paste into your next reply.


#7 CurtDZ
  • Topic Starter

  • Members
  • 15 posts

Posted 26 March 2009 - 02:32 PM

Here is what the panda scan picked up:

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-03-26 15:28:58
PROTECTIONS: 1
MALWARE: 15
SUSPECTS: 3
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET Smart Security 3.0 3.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00034347 dialer.su Dialers No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\uninstall\switch
00139064 Cookie/Atlas DMT TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
00149116 Cookie/Ccbill TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ccbill[1].txt
00167677 Cookie/WebPower TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@webpower[1].txt
00169190 Cookie/Advertising TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@advertising[1].txt
00170495 Cookie/PointRoll TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@ads.pointroll[1].txt
00171982 Cookie/QuestionMarket TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
00194327 Cookie/Go TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@go[2].txt
00207338 Cookie/Target TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@target[2].txt
00207862 Cookie/did-it TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@did-it[1].txt
00262024 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@www.errorsafe[1].txt
00262025 Cookie/ErrorSafe TrackingCookie No 0 Yes No C:\Documents and Settings\Owner\Cookies\owner@errorsafe[2].txt
00484705 Application/IEDefender HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\SmitfraudFix\IEDFix.C.exe
00519333 Application/Processor HackTools No 0 Yes No C:\Documents and Settings\Owner\Desktop\Unused Desktop Shortcuts\VirtumundoBeGone.exe
03794921 Generic Trojan Virus/Trojan No 0 Yes No D:\Downloads\BSPlayer.zip[BSPlayer/BSPlayer/keygen.exe]
;===================================================================================================================================================================================
SUSPECTS
Sent Location
;===================================================================================================================================================================================
No C:\Program Files\SUPERAntiSpyware\superantispyware.v4-patch.2.1.exe
No C:\Program Files\SUPER_Pro.1154.V4P2.1.RES\SUPER Pro.1154.V4P2.1.RES\SUPERAntispyware.v4.Patcher.2.1-RES-patch.rar[SUPERAntispyware.v4.Patcher.2.1-RES-patch\superantispyware.v4-patch.2.1.exe]
No C:\Program Files\SUPER_Pro.1154.V4P2.1.RES.rar[SUPER Pro.1154.V4P2.1.RES\SUPERAntispyware.v4.Patcher.2.1-RES-patch.rar][SUPERAntispyware.v4.Patcher.2.1-RES-patch\superantispyware.v4-patch.2.1.exe]
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description
;===================================================================================================================================================================================
;===================================================================================================================================================================================

#8 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 26 March 2009 - 08:29 PM

What about the GMer log??

#9 CurtDZ
  • Topic Starter

  • Members
  • 15 posts

Posted 27 March 2009 - 02:08 AM

Here's the Gmer log:

GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-27 03:04:21
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0xdf937c1 size 0x1aa
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

---- EOF - GMER 1.0.15 ----
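The GMER log above reports two sector-level findings on \Device\Harddisk0\DR0: hidden code referenced from sector 61 and a copy of the MBR at sector 62, which is the kind of evidence that made the helper treat this as an embedded MBR rootkit rather than a file that MBAM could remove. As an added example, not part of the original thread and not GMER's own code, the following Python script parses the "Disk sectors" section of a GMER log and flags that pairing so a responder can triage such logs without reading them by hand. The embedded sample is the log posted in this thread; the section handling, the `SectorFinding` structure and the verdict strings are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the GMER output posted in the thread (copied, not constructed).
SAMPLE_GMER_LOG = r"""GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-27 03:04:21
Windows 5.1.2600 Service Pack 3


---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0xdf937c1 size 0x1aa
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)

---- EOF - GMER 1.0.15 ----
"""

# GMER section headers look like "---- <name> - GMER <version> ----".
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# One line per sector finding: "Disk <device> sector <n>: <detail>".
SECTOR_RE = re.compile(r"^Disk (?P<device>\S+) sector (?P<sector>\d+): (?P<detail>.+)$")
# Detail text that points at code stored outside the filesystem.
PAYLOAD_RE = re.compile(r"malicious code @ sector (?P<addr>0x[0-9a-fA-F]+) size (?P<size>0x[0-9a-fA-F]+)")


@dataclass
class SectorFinding:
    device: str
    sector: int
    detail: str
    payload_sector: Optional[int] = None  # where the hidden code lives (assumption: GMER's hex address)
    payload_size: Optional[int] = None    # size in bytes of that hidden code

    @property
    def kind(self) -> str:
        """Classify the finding; the labels are this example's own."""
        if self.payload_sector is not None:
            return "hidden_code"
        if "copy of MBR" in self.detail:
            return "mbr_backup"
        return "other"


def parse_gmer_sections(text: str) -> Dict[str, List[str]]:
    """Split a GMER log into its named sections, dropping blank lines."""
    sections: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("name")
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def parse_disk_sectors(text: str) -> List[SectorFinding]:
    """Extract every sector-level finding from the 'Disk sectors' section."""
    findings: List[SectorFinding] = []
    for line in parse_gmer_sections(text).get("Disk sectors", []):
        m = SECTOR_RE.match(line)
        if not m:
            continue
        finding = SectorFinding(m.group("device"), int(m.group("sector")), m.group("detail"))
        payload = PAYLOAD_RE.search(finding.detail)
        if payload:
            finding.payload_sector = int(payload.group("addr"), 16)
            finding.payload_size = int(payload.group("size"), 16)
        findings.append(finding)
    return findings


def assess_mbr_rootkit(findings: List[SectorFinding]) -> Dict[str, str]:
    """Per-device verdict: a backed-up MBR plus hidden code is the strongest signal."""
    by_device: Dict[str, List[SectorFinding]] = {}
    for f in findings:
        by_device.setdefault(f.device, []).append(f)
    verdicts: Dict[str, str] = {}
    for device, items in by_device.items():
        kinds = {f.kind for f in items}
        if {"hidden_code", "mbr_backup"} <= kinds:
            verdicts[device] = "MBR rootkit indicators: original MBR backed up and code hidden outside the filesystem"
        elif kinds & {"hidden_code", "mbr_backup"}:
            verdicts[device] = "partial MBR rootkit indicators: review manually"
        else:
            verdicts[device] = "no MBR indicators"
    return verdicts


if __name__ == "__main__":
    for device, verdict in assess_mbr_rootkit(parse_disk_sectors(SAMPLE_GMER_LOG)).items():
        print(f"{device}: {verdict}")
```

The verdict is a triage aid only: it tells a responder that a file-level scanner reporting "no malicious items" (as the MBAM log earlier in the thread did) is not evidence the machine is clean, because the findings sit in raw disk sectors rather than in files. Actual cleanup still follows the removal process the helper directed the poster to.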

#10 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 27 March 2009 - 01:29 PM

Does NOD still see it? I have another tool but want to be sure NOD sees Mebroot.

#11 CurtDZ
  • Topic Starter

  • Members
  • 15 posts

Posted 27 March 2009 - 05:05 PM

Yes, NOD still picks it up :thumbsup:

#12 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 28 March 2009 - 11:36 PM

It appears this rootkit is embedded and we need to run HJT/DDS to remove it.
Please follow this guide: go and do steps 6 and 7 of the Preparation Guide For Use Before Using Hijackthis. Then go here: HijackThis Logs and Virus/Trojan/Spyware/Malware Removal, click New Topic, give it a relevant Title and post that complete log.

Let me know if it went OK.

#13 CurtDZ
  • Topic Starter

  • Members
  • 15 posts

Posted 29 March 2009 - 05:25 PM

I did exactly as stated and am now just waiting patiently. Thanks for all your help in this matter :thumbsup: I would buy you a virtual beer if I could, lol.

#14 boopme

    To Insanity and Beyond

  • Global Moderator
  • 73,220 posts
  • Gender:Male
  • Location:NJ USA

Posted 29 March 2009 - 07:45 PM

You did well! Thanks, but virtual hangovers are the worst. :thumbsup:

Now that your log is properly posted, you should NOT make further changes to your computer (install/uninstall programs, use special fix tools, delete files, edit the registry, etc.) unless advised by a HJT Team member, nor should you continue to ask for help elsewhere. Doing so can result in system changes which may not show in the log you already posted. Further, any modifications you make on your own may cause confusion for the helper assisting you and could complicate the malware removal process, which would extend the time it takes to clean your computer.

From this point on the HJT Team should be the only members that you take advice from, until they have verified your log as clean.

Please be patient. It may take a while to get a response because the HJT Team members are very busy working logs posted before yours. They are volunteers who will help you out as soon as possible. Once you have made your post and are waiting, please DO NOT make another reply until it has been responded to by a member of the HJT Team. Generally the staff checks the forum for postings that have 0 replies, as this makes it easier for them to identify those who have not been helped. If you post another response there will be 1 reply. A team member, looking for a new log to work, may assume another HJT Team member is already assisting you and not open the thread to respond.

To avoid confusion, I am closing this topic.