So I've been having issues with a hacker giving me the Mebromi trojan. It comes in the form of a Windows update that forces my computer to install it. This is probably the 6th time it's happened and I've finally figured out what's going on.
Trojan.Mebromi.B Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2012-061210-3452-99&tabid=2
When the Trojan is executed, it may copy itself to the following location: %SystemDrive%\RECYCLER\[RANDOM NUMBER].tmp
Next, the Trojan deletes the following registry subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Win
The Trojan then accesses the BIOS information of the compromised computer. If the BIOS is an Award BIOS and the BIOS is not already infected, the Trojan attempts to infect the BIOS by creating the following file: C:\bios.bin
Next, the Trojan connects to the following remote location:
Trojan.Mebromi Reference: http://www.symantec.com/security_response/writeup.jsp?docid=2011-090609-4557-99&tabid=2
When the Trojan is executed, it drops the following file: %Temp%\cbrom
The above file is a tool that is used by the Trojan to check the status of the BIOS. If it is an Award BIOS and it has not been infected, the Trojan creates and executes the following file, which infects the BIOS: C:\bios.bin
Next, the Trojan infects the Master Boot Record (MBR).
Note: If the tool determines that the computer is not running an Award BIOS, it does not infect the BIOS and only infects the MBR.
The Trojan then infects the following files, depending on the operating system:
%System%\winlogon.exe (if the operating system is Windows XP or 2003)
%System%\winnt.exe (if the operating system is Windows 2000)
The Trojan then drops and executes the following file: C:\my.sys
Next, it downloads a file from the following location:
The file is saved to the following location and executed: C:\calc.exe
The only solution is for me to DBAN my system, which takes about 18 hours. (1) Does anyone know of a shorter DBAN process? I don't care about the files, just the MBR being clean.
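As an added example (not part of the original post and not Symantec's code): a PowerShell check for the file artefacts the two writeups quoted above list. It only looks for the paths named there (bios.bin, my.sys, calc.exe, the cbrom tool in %Temp%, and .tmp files under RECYCLER); the infected winlogon.exe and the MBR are not checked because the writeups give no signature for them. Run it from an elevated prompt so RECYCLER and %Temp% are readable.

```powershell
# Added example, not from the thread or from Symantec: look for the host
# artefacts the Trojan.Mebromi / Trojan.Mebromi.B writeups list.
# Paths come from the writeups; nothing beyond those paths is treated as suspicious.

$systemDrive = $env:SystemDrive          # usually C:
$candidates = @(
    "$systemDrive\bios.bin",             # Award BIOS image dropped by both variants
    "$systemDrive\my.sys",               # driver dropped by Trojan.Mebromi
    "$systemDrive\calc.exe",             # downloaded payload saved by Trojan.Mebromi
    (Join-Path $env:TEMP 'cbrom')        # BIOS flashing tool dropped to %Temp%
)

function Get-MebromiIndicators {
    $hits = @()
    foreach ($path in $candidates) {
        if (Test-Path -LiteralPath $path) {
            $hits += Get-Item -LiteralPath $path -Force
        }
    }
    # %SystemDrive%\RECYCLER\[RANDOM NUMBER].tmp: any .tmp file directly under RECYCLER
    $recycler = Join-Path $systemDrive 'RECYCLER'
    if (Test-Path -LiteralPath $recycler) {
        $hits += Get-ChildItem -LiteralPath $recycler -Filter '*.tmp' -Force -File -ErrorAction SilentlyContinue
    }
    return $hits
}

$found = Get-MebromiIndicators
if ($found.Count -eq 0) {
    Write-Output 'None of the listed file indicators are present.'
} else {
    # Hash each hit so it can be compared against vendor data or submitted for analysis
    $found | Select-Object FullName, Length, LastWriteTime,
        @{ Name = 'SHA256'; Expression = { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash } } |
        Format-Table -AutoSize
}
```

A clean result here only says the dropped files are gone; it says nothing about the BIOS image or the MBR, which the writeups describe as the persistent part of the infection.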
DBAN Free does not find and wipe 'Remapped sectors and hidden areas', so the trojan can hide there.
CLEAN [ALL] (remove all partition and volume info from the hard drive)
The diskpart commands may be placed in a text file (one command per line) and used as an input file to diskpart.exe: DiskPart.exe < myscript.txt
Example of myscript.txt
Alternatively, KillDisk Windows Suite v.9 with single pass.
http://www.killdisk.com/downloadfree.htm
http://www.killdisk.com/screen.htm#win
5.3.2 DOS Command Line Mode. http://www.killdisk.com/commandline.htm
(2) How do I hide my system so that his server or whatever cannot keep sending it to my computer? This has happened over 4 different networks, so he's somehow tracking me and then forcefully infecting my system.
Because your BIOS and MBR are infected.
Edited by Crazy Cat, 16 September 2014 - 10:54 PM.
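The scripted diskpart CLEAN ALL from Crazy Cat's reply, written out as an added PowerShell example (it is not part of the reply and not vendor code). The disk number and the script path are assumptions: run diskpart's list disk first and put the number of the drive you actually intend to erase, because clean all zeroes every sector it can address on that disk.

```powershell
# Added example, not from the thread: drive a diskpart CLEAN ALL from a script
# file, one command per line, as described in the reply above.
# ASSUMPTION: disk 0 is the target. Check "list disk" in diskpart and change it;
# everything on the selected disk is destroyed.
$DiskNumber = 0
$ScriptPath = Join-Path $env:TEMP 'myscript.txt'   # assumed location for the script

# The script body: select the disk, zero every sector, leave diskpart
@"
select disk $DiskNumber
clean all
exit
"@ | Set-Content -Path $ScriptPath -Encoding ASCII

# diskpart /s <file> reads commands from the file; this is the PowerShell
# equivalent of the cmd.exe form  DiskPart.exe < myscript.txt
# (PowerShell does not support "<" input redirection).
diskpart.exe /s $ScriptPath
```

clean all overwrites every addressable sector through the normal disk interface, so it takes hours on a large drive and, like DBAN, does not reach remapped sectors or a host protected area. It also does nothing to the firmware: the Symantec writeup says the Trojan writes an Award BIOS image, and a disk wipe leaves that untouched.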