
Boot.Mebroot


3 replies to this topic

#1 Tuqiri

Posted 08 August 2010 - 06:28 PM

Hello forum,

My USB HD was infected with a Boot.Mebroot virus, and every time I connected it, Norton would block it under "Boot.Mebroot". I never thought about searching for the virus, so I reformatted it. But recently, the 2 PCs suddenly became affected with this virus today. The PC I am currently using now is Windows 7 64-bit, using an SSD to run Windows and a 1TB HD to run other programs. The other PC (the one that is being hit hard by the virus) is using Windows 7 64-bit and has 2 HDs, no SSDs; the virus is downloading other viruses like "0.exe" and "0.rar". I have tried using Doctor Web to remove the virus; it picked something up in memory and removed it, but the virus is still there.

http://www.screencast.com/users/Tuqiri/fol...61-1f07dfd150d4 This is a print screen of my Norton history on the PC I'm using now.

Edited by Tuqiri, 08 August 2010 - 06:51 PM.




#2 Tuqiri (Topic Starter)

Posted 09 August 2010 - 05:25 AM

Still having a lot of trouble with this virus.

#3 Tuqiri (Topic Starter)

Posted 09 August 2010 - 11:40 AM

5 accounts were stolen due to this virus; even when reformatting, it will still be there.

#4 Tuqiri (Topic Starter)

Posted 10 August 2010 - 05:21 AM

Here are the logs from the virus scanner (AVG) and Spybot, run in safe mode:

AVG:

AVG 9.0 Anti-Virus command line scanner
Copyright 1992 - 2010 AVG Technologies
Program version 9.0.832, engine 9.0.846
Virus Database: Version 271.1.1/3061 2010-08-09

HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\\AVP Found Adware.Generic Object was moved to Virus Vault.
C:\Documents and Settings\ Locked file. Not tested.
C:\hiberfil.sys Locked file. Not tested.
C:\pagefile.sys Locked file. Not tested.
C:\ProgramData\Desktop\ Locked file. Not tested.
C:\ProgramData\Documents\ Locked file. Not tested.
C:\ProgramData\Favorites\ Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\20e17358e6d2c7160442a457cdd41e7a_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\26eceed1a525eb8118fc981c654dfe6a_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\2bb4c3076f13d5278ba3452924b9f2b5_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\3995ecbc6852a43e04d4c8f93f33a67e_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\51108401892bc24e0b9d0530c399e418_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\59654432f86a15e1569a0862b8ef67a3_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\be9eb2048417f8f586cebaf92c18ac02_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f087dd67ac57bb829a99e84fd340716f_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f88e1fcd672eeeb98fa52595bb2f052b_b24059af-ee9c-462c-a6bb-b0747187c672 Locked file. Not tested.
C:\ProgramData\Templates\ Locked file. Not tested.
C:\System Volume Information\ Locked file. Not tested.
C:\Users\Default\AppData\Local\History\ Locked file. Not tested.
C:\Users\Default\AppData\Local\Temporary Internet Files\ Locked file. Not tested.
C:\Users\Default\Cookies\ Locked file. Not tested.
C:\Users\Default\Documents\My Music\ Locked file. Not tested.
C:\Users\Default\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Default\Documents\My Videos\ Locked file. Not tested.
C:\Users\Default\NetHood\ Locked file. Not tested.
C:\Users\Default\PrintHood\ Locked file. Not tested.
C:\Users\Default\Recent\ Locked file. Not tested.
C:\Users\Default\Templates\ Locked file. Not tested.
C:\Users\Nathan\AppData\Local\History\ Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Microsoft\Windows\UsrClass.dat Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG1 Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Microsoft\Windows\UsrClass.dat.LOG2 Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Temp\00542058-0b4d-499f-8b8f-9bde10fb6596.tmp Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Temp\075ef700-5630-419f-87b8-5426ae4f33e1.tmp Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Temp\8a17f5ba-7e6e-4912-a61f-039a3c938d95.tmp Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Temp\8b856413-0d3a-4166-8d95-7692f2ea27b3.tmp Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Temp\8f3ca8f7-84de-407b-9516-57b27a08586e.tmp Locked file. Not tested.
C:\Users\Nathan\AppData\Local\Temp\d52ee7e5-20be-43a8-b1bd-50e10505f1d5.tmp Locked file. Not tested.
C:\Users\Nathan\Documents\My Music\ Locked file. Not tested.
C:\Users\Nathan\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Nathan\Documents\My Videos\ Locked file. Not tested.
C:\Users\Nathan\NetHood\ Locked file. Not tested.
C:\Users\Nathan\NTUSER.DAT Locked file. Not tested.
C:\Users\Nathan\ntuser.dat.LOG1 Locked file. Not tested.
C:\Users\Nathan\ntuser.dat.LOG2 Locked file. Not tested.
C:\Users\Nathan\PrintHood\ Locked file. Not tested.
C:\Users\Nathan\Templates\ Locked file. Not tested.
C:\Users\Public\Documents\My Music\ Locked file. Not tested.
C:\Users\Public\Documents\My Pictures\ Locked file. Not tested.
C:\Users\Public\Documents\My Videos\ Locked file. Not tested.
C:\Windows\CSC\v2.0.6\ Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT.LOG2 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG1 Locked file. Not tested.
C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT.LOG2 Locked file. Not tested.
C:\Windows\System32\catroot2\edb.log Locked file. Not tested.
C:\Windows\System32\catroot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Locked file. Not tested.
C:\Windows\System32\catroot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Locked file. Not tested.
C:\Windows\System32\config\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG1 Locked file. Not tested.
C:\Windows\System32\config\DEFAULT.LOG2 Locked file. Not tested.
C:\Windows\System32\config\RegBack\DEFAULT Locked file. Not tested.
C:\Windows\System32\config\RegBack\SAM Locked file. Not tested.
C:\Windows\System32\config\RegBack\SECURITY Locked file. Not tested.
C:\Windows\System32\config\RegBack\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\RegBack\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SAM Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SAM.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SECURITY Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SECURITY.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SOFTWARE.LOG2 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG1 Locked file. Not tested.
C:\Windows\System32\config\SYSTEM.LOG2 Locked file. Not tested.
C:\Windows\System32\LogFiles\WMI\RtBackup\ Locked file. Not tested.
D:\System Volume Information\ Locked file. Not tested.

Spybot:

DoubleClick: Tracking cookie (Internet Explorer: Nathan) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
FastClick: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Statcounter: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Clickbank: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Zedo: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
BurstMedia: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
Win32.PornPopUp: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
BurstMedia: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
BurstMedia: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
DoubleClick: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)
MediaPlex: Tracking cookie (Firefox: Nathan (default)) (Cookie, nothing done)



--- Spybot - Search & Destroy version: 1.6.2 (build: 20090126) ---

2009-01-26 blindman.exe (1.0.0.8)
2009-01-26 SDFiles.exe (1.6.1.7)
2009-01-26 SDMain.exe (1.0.0.6)
2009-01-26 SDShred.exe (1.0.2.5)
2009-01-26 SDUpdate.exe (1.6.0.12)
2009-01-26 SDWinSec.exe (1.0.0.12)
2009-01-26 SpybotSD.exe (1.6.2.46)
2009-01-26 TeaTimer.exe (1.6.4.26)
2010-08-10 unins000.exe (51.49.0.0)
2009-01-26 Update.exe (1.6.0.7)
2009-01-26 advcheck.dll (1.6.2.15)
2007-04-02 aports.dll (2.1.0.0)
2008-06-14 DelZip179.dll (1.79.11.1)
2009-01-26 SDHelper.dll (1.6.2.14)
2008-06-19 sqlite3.dll
2009-01-26 Tools.dll (2.1.6.10)
2009-01-16 UninsSrv.dll (1.0.0.0)
2010-06-29 Includes\Adware.sbi (*)
2010-07-27 Includes\AdwareC.sbi (*)
2010-01-25 Includes\Cookies.sbi (*)
2009-11-03 Includes\Dialer.sbi (*)
2010-07-27 Includes\DialerC.sbi (*)
2010-01-25 Includes\HeavyDuty.sbi (*)
2009-05-26 Includes\Hijackers.sbi (*)
2010-07-27 Includes\HijackersC.sbi (*)
2010-06-02 Includes\iPhone.sbi (*)
2010-08-02 Includes\Keyloggers.sbi (*)
2010-08-02 Includes\KeyloggersC.sbi (*)
2004-11-29 Includes\LSP.sbi (*)
2010-06-01 Includes\Malware.sbi (*)
2010-08-02 Includes\MalwareC.sbi (*)
2010-05-18 Includes\PUPS.sbi (*)
2010-07-20 Includes\PUPSC.sbi (*)
2010-01-25 Includes\Revision.sbi (*)
2009-01-13 Includes\Security.sbi (*)
2010-07-27 Includes\SecurityC.sbi (*)
2008-06-03 Includes\Spybots.sbi (*)
2008-06-03 Includes\SpybotsC.sbi (*)
2010-06-29 Includes\Spyware.sbi (*)
2010-07-27 Includes\SpywareC.sbi (*)
2010-03-08 Includes\Tracks.uti
2010-08-04 Includes\Trojans.sbi (*)
2010-07-28 Includes\TrojansC-02.sbi (*)
2010-07-28 Includes\TrojansC-03.sbi (*)
2010-07-28 Includes\TrojansC-04.sbi (*)
2010-08-02 Includes\TrojansC-05.sbi (*)
2010-08-02 Includes\TrojansC.sbi (*)
2008-03-04 Plugins\Chai.dll
2008-03-05 Plugins\Fennel.dll
2008-02-26 Plugins\Mate.dll
2007-12-24 Plugins\TCPIPAddress.dll


The "Adware.Generic" would not let me remove it, since it said "Access denied"; I am the admin of the system. I could only remove it in safe mode.

Edited by Tuqiri, 10 August 2010 - 05:29 AM.
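As an added example (not code from the post, from AVG or from BleepingComputer), a small Python parser for the AVG command-line scanner lines quoted in the post above: it separates actual detections from the "Locked file. Not tested." entries, flags findings that sit in an autostart registry location (such as the Run key hit above), and lists the registry hives the scanner could not open, which is where an in-Windows scan tells you least. The sample log is constructed for the example; its first three lines are copied from the post, and the detection name on the fourth line is made up.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the AVG 9.0 command-line scanner format. The first
# three lines are from the post; the fourth is a made-up detection.
SAMPLE_LOG = """\
HKLM\\SOFTWARE\\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Run\\\\AVP Found Adware.Generic Object was moved to Virus Vault.
C:\\hiberfil.sys Locked file. Not tested.
C:\\Windows\\System32\\config\\SAM Locked file. Not tested.
C:\\Users\\Nathan\\AppData\\Local\\Temp\\0.exe Found Constructed.Sample Object was moved to Virus Vault.
"""

LOCKED_SUFFIX = " Locked file. Not tested."
FOUND_RE = re.compile(r"^(?P<path>.+?) Found (?P<name>.+?) (?P<action>Object .*)$")

# Registry autostart locations: a detection here means something was set up
# to launch at logon, so it deserves a manual look even after quarantine.
AUTOSTART_MARKERS = ("\\CurrentVersion\\Run\\", "\\CurrentVersion\\RunOnce\\")


@dataclass
class Entry:
    path: str
    status: str                 # "found" or "locked"
    name: Optional[str] = None  # detection name, for "found" entries
    action: Optional[str] = None
    autostart: bool = False


def parse_avg_log(text: str) -> List[Entry]:
    """Parse scanner output lines into Entry records; unknown lines are skipped."""
    entries: List[Entry] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith(LOCKED_SUFFIX):
            entries.append(Entry(path=line[: -len(LOCKED_SUFFIX)], status="locked"))
            continue
        m = FOUND_RE.match(line)
        if m:
            path = m.group("path")
            entries.append(Entry(path=path, status="found", name=m.group("name"),
                                 action=m.group("action"),
                                 autostart=any(k in path for k in AUTOSTART_MARKERS)))
    return entries


def summarize(entries: List[Entry]) -> dict:
    """Counts plus the two lists a responder wants: autostart hits and untested hives."""
    found = [e for e in entries if e.status == "found"]
    locked = [e for e in entries if e.status == "locked"]
    return {
        "found": len(found),
        "locked": len(locked),
        "autostart_findings": [e.path for e in found if e.autostart],
        # hives under System32\config the scanner could not open; these are only
        # really checked by an offline scan (rescue media), not from within Windows
        "untested_registry_hives": [e.path for e in locked if "\\System32\\config\\" in e.path],
    }
```

Running `summarize(parse_avg_log(SAMPLE_LOG))` on the sample reports two findings (one in an autostart key) and two locked entries, one of them the SAM hive.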




