Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

Mebroot trojan in operating memory


  • Please log in to reply
20 replies to this topic

#1 PendingLudite?

PendingLudite?

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 29 September 2011 - 09:28 AM

Eset antivirus indicates at every login that have a mebroot trojan in the operating memory but unable to clean. When first detected, ESET did remove another infection, related? (C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\9\3709fec9-22d0b18a - a variant of Java/TrojanDownloader.OpenStream.NCI trojan - cleaned by deleting - quarantined [1]). Since infection, unable to use flash drives; response is drive is not formatted and earlier today began receiving spurious audio though not currently. Know that you have addressed this for another earlier this year, topic382494. (How I found you.)

BC AdBot (Login to Remove)

 


#2 Spartacus1

Spartacus1

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 29 September 2011 - 09:51 AM

Run RKill (http://www.bleepingcomputer.com/download/anti-virus/rkill), SUPERAntiSpyware (http://www.superantispyware.com/)(Update before scanning), and MalwareBytes (http://www.malwarebytes.org/)(Update before scanning) in this order in safe mode (With Networking)

Edited by Spartacus1, 29 September 2011 - 09:51 AM.

May thou virus bow at thy mercy when you come to me...

#3 PendingLudite?

PendingLudite?
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 29 September 2011 - 06:51 PM

Ran RKill and Malwarebytes in safe mode and while eliminated some malware, still receiving message that the trojan is in operating memory. Retried two more times, last time purchasing the full version of Malwarebytes vs. the free version but no change in results.

#4 Spartacus1

Spartacus1

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 29 September 2011 - 06:55 PM

Rerun SUPERAntiSpyware but this time, go to Settings and select "Terminate Resident Memory Threat" before scanning

Edited by Spartacus1, 29 September 2011 - 06:56 PM.

May thou virus bow at thy mercy when you come to me...

#5 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,331 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:NJ USA
  • Local time:09:48 PM

Posted 29 September 2011 - 08:23 PM

Win32/Mebroot replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, as well as placing additional code to load and patch the following files:

Win32/Mebroot is a trojan that installs Win32/PSW.Sinowal malware.

Win32/PSW.Sinowal is a trojan that steals passwords and other sensitive information.

The trojan is able to log keystrokes. The trojan can send the information to a remote machine.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still clean this machine but I can't guarantee that it will be 100% secure afterwards. Let me know what you decide to do.


The next clean up step is>>>
Norton Power Eraser
How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

#6 PendingLudite?

PendingLudite?
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 30 September 2011 - 06:39 PM

Reran the "triple cocktail" as suggested (safe mode and with terminate resident memory threat selected) but still receive message of Mebroot trojan in operating memory upon reboot. I remain hopeful that if CatByte could help corahsmommy back in March that a similar approach might be successful here so I would like to continue. I do not have the original OS disc so a reformat and reload is not a viable option.

#7 Spartacus1

Spartacus1

  • Members
  • 86 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:08:48 PM

Posted 30 September 2011 - 10:15 PM

Do the same process that you do to get into safe mode, but this time, instead of selecting "Safe Mode", select "Return to OS choice menu" and select the "Windows Recovery Console" Option, if available.
May thou virus bow at thy mercy when you come to me...

#8 PendingLudite?

PendingLudite?
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 01 October 2011 - 07:46 AM

Option unavailable

#9 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:48 PM

Posted 01 October 2011 - 08:58 AM

Hi PendingLudite?,

:welcome: to Bleeping Computer.

Please be advised that:

As this is an open area, available for any member to post in, please use caution when following the advice given. Instructions from the following member groups is to be considered trusted:
Admin | Site Admin | Global Moderator | Moderator | Malware Study Hall Admin | Malware Response Instructor | Malware Response Team | BC Advisor

Other trusted helpers include Malware Study Hall Junior and Malware Study Hall Senior with "Member of the Bleeping Computer A.I.I. early response team!" in their signature.


From this topic: http://www.bleepingcomputer.com/forums/topic182397.html This doesn't mean that others are not allowed to post advice in the Am I Infected forum, just that the only trusted advice is from members in the above groups.

 

My name is Jason and I'll be helping you with your computer problems. You can call me by my screename jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool untill instructed to do so!
  • Please do not attach logs or put logs in code boxes.
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

Click on the Watch Topic button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 

:step1: Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
When asked to update to the latest definitions, click Yes.
Click the "Scan" button to start scan:
Posted Image

On completion of the scan click "Save log", save it to your desktop and post in your next reply:
Posted Image

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


In your next reply, please include:
  • aswMBR log
  • How's your computer running now? Please provide a detailed description of any remaining problems, detailed word-for-word error messages that you are receiving, and/or screenshots of strange behavior.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#10 PendingLudite?

PendingLudite?
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 01 October 2011 - 12:23 PM

Jason

Thank you for your support. While running aswMBR, my ESET antivirus reported quaranteeing unruy.ae trojan from two files. Upon reboot of system, still receiving mebroot trojan message and continue to be unable to use USB ports to read flash drives; system believes the drives need to be formated. Below is the aswMBR log.

aswMBR version 0.9.8.986 Copyright© 2011 AVAST Software
Run date: 2011-10-01 12:32:34
-----------------------------
12:32:34.796 OS Version: Windows 5.1.2600 Service Pack 3
12:32:34.796 Number of processors: 1 586 0xD06
12:32:34.796 ComputerName: PFIZER-45FE5722 UserName: user
12:32:36.849 Initialize success
12:35:17.911 AVAST engine defs: 11100100
12:35:53.582 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-12
12:35:53.592 Disk 0 Vendor: Size: 0MB BusType: 0
12:35:55.625 Disk 0 MBR read successfully
12:35:55.625 Disk 0 MBR scan
12:35:55.685 Disk 0 MBR:Whistler-C [Rtk]
12:35:55.685 Disk 0 Whistler@MBR code has been found
12:35:55.685 Disk 0 MBR hidden
12:35:55.685 Disk 0 MBR [Whistler] **ROOTKIT**
12:35:55.735 Disk 0 scanning C:\WINDOWS\system32\drivers
12:36:23.605 Service scanning
12:36:25.428 Modules scanning
12:36:33.289 Disk 0 trace - called modules:
12:36:33.289 ntoskrnl.exe >>UNKNOWN [0x85d0ea0a]<<
12:36:33.299 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86fa2208]
12:36:33.299 \Driver\Disk[0x86f2a7f0] -> IRP_MJ_READ -> 0x85d0ea0a
12:36:34.631 AVAST engine scan C:\WINDOWS
12:36:53.808 AVAST engine scan C:\WINDOWS\system32
12:39:13.489 AVAST engine scan C:\WINDOWS\system32\drivers
12:39:36.522 AVAST engine scan C:\Documents and Settings\user
13:04:05.074 AVAST engine scan C:\Documents and Settings\All Users
13:04:38.973 Scan finished successfully
13:06:16.213 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\user\Desktop\MBR.dat"
13:06:16.223 The log file has been saved successfully to "C:\Documents and Settings\user\Desktop\aswMBR.txt"

#11 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:48 PM

Posted 01 October 2011 - 12:36 PM

Hi PendingLudite?,

Please re-run aswMBR.
Double click the aswMBR.exe to run it.
Click the "Scan" button to start scan:
Posted Image

On completion of the scan click "Fix MBR", button.
Posted Image
Follow the prompts. Then restart your computer.
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#12 PendingLudite?

PendingLudite?
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 01 October 2011 - 01:30 PM

Hi Jason.

Done. Received no prompts other than do you want to proceed (little frightening)? Did and restarted. No message from ESET re: Mebroot trojan and now able to read flash drives. Thanks. Done (other than a donation to great support)?

#13 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:48 PM

Posted 01 October 2011 - 01:59 PM

Hi PendingLudite?,

Let's double check we've found everything. Please complete the following steps in Normal Mode (not Safe Mode).

:step1: As boopme said: IMPORTANT NOTE: One or more of the identified infections is a backdoor Trojan. Backdoor Trojans, Botnets, and IRCBots are very dangerous because they compromise system integrity by making changes that allow it to be used by the attacker for malicious purposes. They can disable your anti-virus and security tools to prevent detection and removal. Remote attackers use backdoors as a means of accessing and taking control of a computer that bypasses security mechanisms. This type of exploit allows them to steal sensitive information like passwords, personal and financial data which is then sent back to the hacker. Read Danger: Remote Access Trojans.

If your computer was used for online banking, has credit card information or other sensitive data on it, all passwords should be changed immediately to include those used for banking, email, eBay, paypal and any online activities which require a username and password. You should consider them to be compromised and change passwords from a clean computer, not the infected one. If not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified immediately of the possible security breach. Failure to notify your financial institution and local law enforcement can result in refusal to reimburse funds lost due to fraud or similar criminal activity. If using a router, you need to reset it with a strong logon/password so the malware cannot gain control before connecting again.

Although the infection has been identified and may be removed, your machine has likely been compromised and there is no way to be sure the computer can ever be trusted again. It is dangerous and incorrect to assume the computer is secure even if the malware appears to have been removed. In some instances an infection may have caused so much damage to your system that it cannot be successfully cleaned or repaired. The malware may leave so many remnants behind that security tools cannot find them. Many experts in the security community believe that once infected with this type of malware, the best course of action is to wipe the drive clean, reformat and reinstall the OS. Please read:

Whenever a system has been compromised by a backdoor payload, it is impossible to know if or how much the backdoor has been used to affect your system...There are only a few ways to return a compromised system to a confident security configuration. These include:

  • Reimaging the system
  • Restoring the entire system using a full system backup from before the backdoor infection
  • Reformatting and reinstalling the system

Backdoors and What They Mean to You

:step2: Please download MiniToolBox and run it.

Checkmark following boxes:
  • Report IE Proxy Settings
  • Report FF Proxy Settings
  • List content of Hosts
  • List IP configuration
  • List last 10 Event Viewer Log Errors
  • List Installed Programs
  • List Users, Partitions and Memory size
Click Go . Please put code boxes around just this entire log, like this, but without the letter x: [xcode] MiniToolBox log [/xcode]

:step3: Rerun Malwarebytes
Open Malwarebytes, click on the Update tab, and click the check for Updates button (the latest update as of this post is 7842)
  • If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
  • If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
  • Make sure the "Perform Full Scan" option is selected.
  • Then click on the Scan button.
  • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
  • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
  • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
  • Click OK to close the message box and continue with the removal process.
Back at the main Scanner screen:
  • Click on the Show Results button to see a list of any malware that was found.
  • Make sure that everything is checked, and click Remove Selected.
  • When removal is completed, a log report will open in Notepad.
  • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
  • Exit MBAM when done.
Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

If you have trouble updating, troubleshoot Malwarebytes' Anti-Malware

:step4: Superantisypware (SAS):

Download and scan with SUPERAntiSpyware Free for Home Users
  • Double-click SUPERAntiSpyware.exe and use the default settings for installation.
  • An icon will be created on your desktop. Double-click that icon to launch the program.
  • If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download them from http://www.superantispyware.com/downloads/SASDEFINITIONS.EXE (copy and paste that website address) and save SASDEFINITIONS.EXE to your desktop. Then double-click on SASDEFINITIONS.EXE to install the definitions.)
  • In the Main Menu, click the Preferences... button.
  • Click the Scanning Control tab.
  • Under Scanner Options make sure the following are checked (leave all others checked):
    • Close browsers before scanning.
    • Scan for tracking cookies.
    • Terminate memory threats before quarantining.
  • Click the "Home" button to leave the control center screen.
  • Back on the main screen, under "Select Scan Type" click Complete Scan.
  • On the left, make sure you check C:\.
  • Click Start Complete Scan > Please be patient while it scans your computer.
  • After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
  • Make sure everything has a checkmark next to it and click "Next".
  • A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
  • If asked if you want to reboot, click "Yes".
  • To retrieve the removal information after reboot, launch SUPERAntispyware again.
    • Click Preferences, then click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
    • Please copy and paste the Scan Log results in your next reply.
  • Click Close to exit the program.
If you have a problem downloading, installing or getting SAS to run, try downloading and using the SUPERAntiSpyware Portable Scanner instead. Save the randomly named file (i.e. SAS_1710895.COM) to a USB drive or CD and transfer to the infected computer. Then double-click on it to launch and scan. The file is randomly named to help keep malware from blocking the scanner.

:step5: Please download GMER from one of the following locations and save it to your desktop:
  • Main Mirror
    This version will download a randomly named file (Recommended)
  • Zipped Mirror
    This version will download a zip file you will need to extract first. If you use this mirror, please extract the zip file to your desktop.
  • Disconnect from the Internet and close all running programs.
  • Temporarily disable any real-time active protection so your security programs will not conflict with gmer's driver.
  • Double-click on the randomly named GMER file (i.e. n7gmo46c.exe) and allow the gmer.sys driver to load if asked.
  • Note: If you downloaded the zipped version, extract the file to its own folder such as C:\gmer and then double-click on gmer.exe.

    Posted Image
  • GMER will open to the Rootkit/Malware tab and perform an automatic quick scan when first run. (do not use the computer while the scan is in progress)
  • If you receive a WARNING!!! about rootkit activity and are asked to fully scan your system...click NO.
  • Now click the Scan button. If you see a rootkit warning window, click OK.
  • When the scan is finished, click the Save... button to save the scan results to your Desktop. Save the file as gmer.log.
  • Click the Copy button and paste the results into your next reply.
  • Exit GMER and be sure to re-enable your anti-virus, Firewall and any other security programs you had disabled.

IMPORTANT! If for some reason GMER refuses to run, try again.
If it still fails, try to UN-check "Devices" in right pane.
If still no joy, try to run it from Safe Mode.


In your next reply, please include:
  • MiniToolBox log
  • Malwarebytes log
  • SuperAntiSpyware log
  • GMER log
  • How's your computer running now?

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#14 PendingLudite?

PendingLudite?
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:09:48 PM

Posted 01 October 2011 - 02:15 PM

Jason - Please clarify instruction on MiniToolbox. Once I hit go, I next get the log text file. Use the code box as part of the log file name?

#15 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:09:48 PM

Posted 01 October 2011 - 02:21 PM

When replying, type this: [codex] but don't include the letter x, just include the word "code" between the brackets. Then, paste in the log. At the end of the log, type in: [/codex] (like before, don't include the letter x, just include the brackets, the backslash (next to the shift key) and the word "code"
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif





0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users