
Trojan.Mebroot?

23 replies to this topic

#1 Problemmm
  • Members
  • 17 posts

Posted 05 August 2009 - 07:04 PM

Hi,

Lately my computer has been freezing and when it does I can move the mouse but not click anything, then eventually it causes a total crash. Norton says something about a trojan.mebroot but doesn't remove it.

Can anyone help me with what's going on?

Thanks so much

EDIT: Well, as it turns out, Norton did remove it, yet my computer still crashed earlier today. Any other ideas on what could be going on?

Edited by Problemmm, 05 August 2009 - 07:05 PM.



#2 Budapest
    Bleepin' Cynic
  • Moderator
  • 23,579 posts

Posted 05 August 2009 - 07:09 PM

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet.
alternate download link
Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows:
  • Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.)
  • Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs.
  • The Express scan will automatically begin.
    (This is a short scan of files currently running in memory, boot sectors, and targeted folders).
  • If prompted to download the Full version Free Trial, ignore and click the X to close the window.
  • If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files to the C:\Documents and Settings\userprofile\DoctorWeb\Quarantine folder if they can't be cured)
  • After the Express Scan is finished, put a check next to Complete scan to scan all local disks and removable media.
  • In the top menu, click Settings > Change settings, and uncheck "Heuristic analysis" under the "Scanning" tab, then click Apply, Ok.
  • Back at the main window, click the green arrow "Start Scanning" button on the right under the Dr.Web logo.
  • Please be patient as this scan could take a long time to complete.
  • When the scan has finished, a message will be displayed at the bottom indicating if any viruses were found.
  • Click Select All, then choose Cure > Move incurable.
  • In the top menu, click file and choose save report list.
  • Save the DrWeb.csv report to your desktop.
  • Exit Dr.Web Cureit when done.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web in your next reply. (You can use Notepad to open the DrWeb.csv report.)

The power of accurate observation is commonly called cynicism by those who haven't got it.

—George Bernard Shaw

#3 Problemmm
  • Topic Starter
  • Members
  • 17 posts

Posted 06 August 2009 - 09:23 AM

Thanks for the help so far

Here's the scan:

stbapp.exe;C:\Documents and Settings\All Users\Application Data\{017115B5-2F29-4ECD-8FD6-329F9F107B86}\OFFLINE\69E6D3E5\3E688669;Win32.Sector.19;Incurable.Moved.;
keyfinder.exe;C:\Documents and Settings\Cameron Gibson\Desktop\keyfinder.2.0.5;Trojan.PWS.Banker.26872;Deleted.;
ladies and gentleman hot hot 192kb.mp3;C:\Documents and Settings\Cameron Gibson\My Documents\LimeWire\liem;Trojan.WMALoader;Cured.;
oh goddamnit hot hot heat .mp3;C:\Documents and Settings\Cameron Gibson\My Documents\LimeWire\liem;Trojan.WMALoader;Cured.;
stbapp.exe;C:\Program Files\DoubleD\Desktop Smiley Toolbar\3.9.1.9350;Win32.Sector.19;Incurable.Moved.;
A0029352.exe;C:\System Volume Information\_restore{C2A9FEFB-3589-4B73-9F0A-4B72EEDB07DE}\RP67;Win32.HLLW.Viking.34;Deleted.;
A0074820.dll;C:\System Volume Information\_restore{C2A9FEFB-3589-4B73-9F0A-4B72EEDB07DE}\RP99;Trojan.Blackmailer.1135;Deleted.;
A0075771.exe;C:\System Volume Information\_restore{C2A9FEFB-3589-4B73-9F0A-4B72EEDB07DE}\RP99;Win32.Sector.19;Incurable.Moved.;
A0075772.exe;C:\System Volume Information\_restore{C2A9FEFB-3589-4B73-9F0A-4B72EEDB07DE}\RP99;Trojan.PWS.Banker.26872;Deleted.;
A0075773.exe;C:\System Volume Information\_restore{C2A9FEFB-3589-4B73-9F0A-4B72EEDB07DE}\RP99;Win32.Sector.19;Incurable.Moved.;

#4 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,600 posts
  • Location:Virginia, USA

Posted 06 August 2009 - 12:58 PM

Please download mbr.exe (Stealth MBR rootkit detector) and save it to your desktop.
  • Double-click on mbr.exe and allow it to run. (If asked about "mbr.sys" service being created, please allow)
  • The process is automatic...a black DOS window will open and quickly disappear. This is normal.
  • A log file named mbr.log will be created on the desktop.
  • Copy and paste the results of the mbr.log in your next reply.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

#5 ComputerNutjob
  • Banned
  • 125 posts

Posted 06 August 2009 - 03:03 PM

He does have a rootkit. Direct from Wikipedia: Torpig, also known as Sinowal or Anserin (mainly spread together with Mebroot rootkit), is a type of botnet spread by a variety of trojan horses which can affect computers that use Microsoft Windows. Torpig circumvents anti-virus applications through the use of rootkit technology and data mines the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer.

As of November 2008 it has been responsible for stealing the details of about 500,000 online bank accounts and credit and debit cards and is described as "one of the most advanced pieces of crimeware ever created"[1].

In early 2009, a team of security researchers from UCSB took control of the botnet for ten days. During that time, they extracted an unprecedented amount (over 70GB) of stolen data. The report[2] goes into great detail about how the botnet operates.


He may be part of a botnet.

#6 Problemmm
  • Topic Starter
  • Members
  • 17 posts

Posted 06 August 2009 - 04:13 PM

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0950E4C1
malicious code @ sector 0x0950E4C4 !
PE file found in sector at 0x0950E4DA !



And apparently this is really bad. I don't wanna be part of a botnet :thumbsup:

Any help you guys can offer would be wonderful
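The mbr.log above reports two separate checks: whether the MBR looks the same when read from user mode and from kernel mode (a rootkit filtering disk reads to hide itself makes the two views differ), and whether another sector holds a copy of the original MBR, which a bootkit keeps so it can chain-load the real boot code after its own. As an added example that is not part of this thread or of Gmer's tool, the Python below runs both checks over a constructed 64-sector disk image; the partition entry, boot-code bytes and the stash location at LBA 37 are made-up sample data.

```python
import struct

SECTOR = 512
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"         # boot signature at offset 510

def is_mbr_like(sector: bytes) -> bool:
    """True if the sector ends in 55AA and has at least one non-empty partition entry."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    return any(sector[446 + 16 * i + 4] != 0 for i in range(4))

def compare_views(user_view: bytes, kernel_view: bytes) -> list:
    """Offsets at which the MBR read through the user-mode API differs from the
    kernel-level read; a rootkit that filters disk reads to hide its MBR shows up here.
    An empty list corresponds to the log line 'user & kernel MBR OK'."""
    return [i for i, (a, b) in enumerate(zip(user_view, kernel_view)) if a != b]

def find_mbr_copies(image: bytes, sector0: bytes) -> list:
    """LBAs (other than 0) holding sector 0's partition table with different boot
    code: the place a bootkit stashes the original MBR so it can chain-load it.
    Corresponds to 'copy of MBR has been found in sector ...'."""
    hits = []
    for lba in range(1, len(image) // SECTOR):
        s = image[lba * SECTOR:(lba + 1) * SECTOR]
        if is_mbr_like(s) and s[PART_TABLE] == sector0[PART_TABLE] and s[:446] != sector0[:446]:
            hits.append(lba)
    return hits

def build_sample_image():
    """Constructed data (not from the thread): a clean MBR, a bootkit MBR that keeps the
    partition table but replaces the boot code, and a 64-sector image with the bootkit
    in sector 0 and the original MBR stashed at LBA 37."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 1_000_000)
    ptable = entry + b"\x00" * 48
    clean = b"\xFA\x33\xC0" + b"\x90" * 443 + ptable + BOOT_SIG
    infected = b"\xEB\x00\x90" + b"\xCC" * 443 + ptable + BOOT_SIG
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = infected
    image[37 * SECTOR:38 * SECTOR] = clean
    return clean, infected, bytes(image)

if __name__ == "__main__":
    clean, infected, image = build_sample_image()
    print("user & kernel MBR OK" if not compare_views(infected, infected) else "MBR views differ")
    for lba in find_mbr_copies(image, infected):
        print(f"copy of MBR has been found in sector 0x{lba:08X}")
```

Run against a real disk the two views would come from a user-mode read and a kernel-level read of the same sector, and the copy search would walk the whole device rather than 64 sectors.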

#7 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,600 posts
  • Location:Virginia, USA

Posted 06 August 2009 - 08:46 PM

Open Windows Explorer and rename the C:\mbr.log to C:\mbr.old
Go to Start > Run and type: cmd
press Ok.
At the command prompt, type: cd \
press Enter.
At the command prompt, type: mbr.exe -f
(make sure you have a space before the e and the -f)
press Enter.
At the command prompt, type: exit
press Enter.

It will produce a new report at C:\mbr.log. Please copy/paste the results in your next reply.

#8 Problemmm
  • Topic Starter
  • Members
  • 17 posts

Posted 06 August 2009 - 09:15 PM

Okay, I attempted to follow the instructions and I ran into an error when I tried to enter the mbr.exe - f. The screen said mbr.exe is not recognized as an internal or external command, operable program or batch file.

Did I do something wrong?

#9 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,600 posts
  • Location:Virginia, USA

Posted 06 August 2009 - 09:53 PM

You probably were not running the command from the proper path.

You need to be at the root directory C:\>

To change to the ROOT directory, at the command prompt type: cd \
press Ok.

Edited by quietman7, 06 August 2009 - 09:54 PM.


#10 Problemmm
  • Topic Starter
  • Members
  • 17 posts

Posted 06 August 2009 - 10:07 PM

You probably were not running the command from the proper path.

You need to be at the root directory C:\>

To change to the ROOT directory, at the command prompt type: cd \
press Ok.

I was indeed in that path

Posted Image

#11 Blade
    Strong in the Bleepforce
  • Site Admin
  • 12,704 posts
  • Location:US

Posted 06 August 2009 - 10:39 PM

Is mbr.exe (the file you downloaded) saved to your desktop?

~Blade



#12 Problemmm
  • Topic Starter
  • Members
  • 17 posts

Posted 06 August 2009 - 11:07 PM

yes it is

#13 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,600 posts
  • Location:Virginia, USA

Posted 07 August 2009 - 07:49 AM

Let's try RootRepeal, which has an option to fix the MBR if it detects a mismatch.

Please download RootRepeal.zip and save it to your Desktop.
alternate download link 1
alternate download link 2
  • Unzip the file on your Desktop or create a new folder on the hard drive called RootRepeal (C:\RootRepeal) and extract it there.
    (click here if you're not sure how to do this. Vista users refer to these instructions.)
  • Disconnect from the Internet as your system will be unprotected while using this tool.
  • Close all programs and temporarily disable your anti-virus, Firewall and any anti-malware real-time protection before performing a scan.
    This will ensure more accurate results and avoid common issues that may cause false detections.
  • Click this link to see a list of such programs and how to disable them.
  • Open the RootRepeal folder and double-click on RootRepeal.exe to launch it. If using Vista, right-click and Run as Administrator...
  • Click on the Files tab, then click the Scan button.
  • In the Select Drives dialog, under Please select drives to scan: select all drives showing, then click OK.
  • When the scan has completed, a list of files will be generated in the RootRepeal window.
  • Click on the Save Report button and save it as rootrepeal.txt to your desktop.
  • A copy of the report with the date (i.e. RootRepeal report 07-30-09 (17-35-54).txt) is also saved to the root of your system drive (usually C:\).
  • Open rootrepeal.txt in Notepad and copy/paste its contents in your next reply.
  • Exit RootRepeal and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.
Note: If RootRepeal cannot complete a scan and results in a crash report, try repeating the scan in "safe mode".

#14 Problemmm
  • Topic Starter
  • Members
  • 17 posts

Posted 07 August 2009 - 02:23 PM

ROOTREPEAL © AD, 2007-2009
==================================================
Scan Start Time: 2009/08/07 15:19
Program Version: Version 1.3.3.0
Windows Version: Windows XP Media Center Edition SP3
==================================================

Hidden/Locked Files
-------------------
Path: c:\documents and settings\cameron gibson\local settings\temp\etilqs_ndvwazvqyfhm5mdst5xa
Status: Allocation size mismatch (API: 32768, Raw: 0)

Path: c:\documents and settings\cameron gibson\local settings\temp\etilqs_pvpryrs2wwoynqesjj3a
Status: Allocation size mismatch (API: 8192, Raw: 0)



While I was waiting for a reply I also ran a malwarebytes scan, but because you guys hadn't suggested it I didn't clean it up yet. But I can tell you it was really bad. 779 things were infected :thumbsup:

If you guys suggest it I will clean it up as the scan is still up.

#15 quietman7
    Bleepin' Janitor
  • Global Moderator
  • 51,600 posts
  • Location:Virginia, USA

Posted 07 August 2009 - 05:22 PM

Looks like you will have to fix MBR with the Windows XP Recovery Console.
  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • Watch for "Press any key to boot from CD" and then press any key to force the computer to boot from the Windows CD. If you do not press a key, the computer will continue to boot up normally. If that happens, try to boot to the Windows XP CD again.
  • When the "Welcome to Setup" screen appears, press R to enter the Recovery Console.
  • The Recovery Console will load and ask which Windows installation would you like to log onto.
  • In most cases, you will enter 1 (which will be the only choice). Note: If you press Enter without typing a number, Recovery Console will quit and restart your computer.
  • If prompted, type in your Administrator password and press Enter. If there is no password, leave it blank and just press enter.
  • At the Recovery Console command prompt, type: fixmbr and then verify that you want to proceed.
  • When finished, remove the XP CD, type exit and press enter to restart the computer.
When done, please post the results of your MBAM scan for review.

To retrieve the Malwarebytes Anti-Malware scan log information, launch MBAM.
  • Click the Logs Tab at the top.
    • The log will be named by the date of scan in the following format: mbam-log-date(time).txt
      -- If you have previously used MBAM, there may be several logs showing in the list.
  • Click on the log name to highlight it.
  • Go to the bottom and click on Open.
  • The log should automatically open in notepad as a text file.
  • Go to Edit and choose Select all.
  • Go back to Edit and choose Copy or right-click on the highlighted text and choose copy from there.
  • Come back to this thread, click Add Reply, then right-click and choose Paste.
  • Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Logs are saved to the following locations:
-- In XP: C:\Documents and Settings\<Username>\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs
-- In Vista: C:\Documents and Settings\Users\All Users\Malwarebytes\Malwarebytes' Anti-Malware\Logs




