
Trojan Hider.mpr


4 replies to this topic

#1 rwold

rwold

  • Members
  • 19 posts

Posted 16 March 2013 - 01:53 PM

Hi all, this is my first post on this website. AVG keeps flagging up a problem on my girlfriend's computer (running Windows 7 64 bit). It claims that it fixes it, but obviously doesn't, as the problem keeps recurring. A full scan reveals a nasty called "Trojan Hider.mpr". Rootkit scans reveal something with a name that seems to be randomised with every boot. Spybot S and D detects a registry change, 'Microsoft.WindowsSecurityCenter.FirewallOverride', but nothing else.

 

I've tried scanning with mbr.exe, aswMBR and MBRCheck, and all seem to suggest that the MBR is normal for Windows as far as I can tell. I ran GMER (with a randomised name) but this didn't seem to find anything; ditto TDSSKiller. I've had to install all of these via a USB from my computer, as hers now seems to have no internet connectivity at all. Someone on this forum (or rather, the forum for reporting logs) seems to have been successful in getting rid of it using ComboFix in a thread on here, a link to which I can't seem to paste (?). Apart from that thread, one in which someone advises you to dig into the registry manually, and one on Mumsnet in which Spybot seemed to fix it, Google isn't showing me anything helpful. I think I'll probably need help from someone who knows how to use ComboFix, but thought I'd start here as I don't have any helpful logs to post.

 

Thanks in advance to anyone who can help.





#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 16 March 2013 - 01:59 PM

A full scan reveals a nasty called "Trojan Hider.mpr"

 

What is its location? Hider.MPR is in no way related to MBR infections. It is a case of RAMINIT.

 

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours; that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the [esetonlinebtn.png] button.
  • For alternate browsers only (Microsoft Internet Explorer users can skip these steps):
    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.
  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats".
  • Click Advanced settings and select the following:
    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats.
  • Copy and paste the information in your next reply. Note: if no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.

Edited by narenxp, 16 March 2013 - 02:00 PM.


#3 rwold

rwold
  • Topic Starter

  • Members
  • 19 posts

Posted 16 March 2013 - 03:21 PM

Hi, thank you for your reply.

 

When I first log in, AVG tells me:

Trojan horse Hider.MPR

Object name: c:\Users\Mary\AppData\Local\Temp\qffnjhpt.sys

 

If I try and fix it, or ignore it, then scan for rootkits, it warns me about:

Hidden driver

\Device\mfeavfk01.sys

 

One problem is that her laptop seems to have no connectivity to the internet at all; as I mentioned above, I'm installing everything via USB from my laptop. So I can't install this online scanner.

 

On a related note, how worried should I be about this spreading via this process? Am I right in thinking that my laptop is safe as it's a MacBook (OS X 10.8.2)? What about the USB key itself? Prior to today it just had the files on there needed to boot Ubuntu from it, but it's now got all the above-mentioned scanning utilities, plus a couple of log files. I keep scanning it with ClamXav and it's not showing anything, but that may count for very little based on how it's laughing at my attempts to remove it...

 

Thanks,

Rob
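The AVG detection rwold pasted above names a driver image under a user's local Temp folder and a second driver that the rootkit scan reports as hidden. A defender-side check that follows from that, added here as an example and not part of the thread or of any tool named in it: it enumerates the kernel drivers the service control manager knows about via WMI, flags those whose image path sits under \Users\<name>\AppData\Local\Temp, and hashes each one so it can be compared or submitted. It assumes PowerShell 4.0 or later (for Get-FileHash) run from an elevated prompt on the affected Windows machine; the Temp path pattern is the only assumption made about the malware, and the function name is the example's own.

```powershell
# Added example, not from the forum thread. Lists kernel drivers registered
# with the service control manager whose binary lives under a user's local
# Temp folder, which is where the AVG detection above located the .sys file.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated prompt.
function Get-TempLoadedDriver {
    # Regex for ...\Users\<anything>\AppData\Local\Temp\ (PowerShell -match
    # is case-insensitive by default, so casing differences do not matter)
    $suspectPattern = '\\Users\\[^\\]+\\AppData\\Local\\Temp\\'

    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.PathName -and $_.PathName -match $suspectPattern } |
        ForEach-Object {
            # Some entries carry an NT-style \??\ prefix; strip it so the
            # path can be handed to the file system cmdlets.
            $path = $_.PathName -replace '^\\\?\?\\', ''

            # A rootkit that hides its file will make Test-Path fail even
            # though the driver is registered and loaded; report that
            # explicitly instead of throwing, because the mismatch is itself
            # the finding.
            $hash = if (Test-Path -LiteralPath $path) {
                (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            } else {
                '<registered but not visible on the file system>'
            }

            [PSCustomObject]@{
                Service   = $_.Name
                State     = $_.State      # Running / Stopped
                StartMode = $_.StartMode  # Boot / System / Auto / Manual / Disabled
                Path      = $path
                SHA256    = $hash
            }
        }
}

# Usage: print the table; an empty result means no registered driver points
# into a user Temp folder, which is the expected state on a clean machine.
Get-TempLoadedDriver | Format-Table -AutoSize
```

A driver with a random name under a Temp folder, or one that is registered and Running but whose file the file system cannot see, is exactly the combination rwold describes. The hash column lets the file be checked against vendor detections without re-running the AV, and the same listing can be cross-checked against `driverquery /v` from a plain command prompt.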



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 16 March 2013 - 03:42 PM


This may require advanced tools to remove. Read the guide here on preparing logs:

http://www.bleepingcomputer.com/forums/topic34773.html

and create a topic here:

http://www.bleepingcomputer.com/forums/forum22.html

Good luck.



#5 rwold

rwold
  • Topic Starter

  • Members
  • 19 posts

Posted 16 March 2013 - 04:28 PM

OK, thanks for your reply. If anyone could give me advice as to what I need to do to make sure my USB isn't infected, that would be greatly appreciated too.





