Win32/Mebroot trojan?
Started by deagle, Jul 16 2009 08:46 PM
6 replies to this topic

#1
Posted 16 July 2009 - 08:46 PM
NOD32 reports that I'm infected with the Win32/Mebroot trojan whenever I boot up, but when I hit Clean, NOD32 cannot perform the action. Also, if it helps, NOD32 tells me the trojan is in my operating memory. On ESET's website they have a tool to get rid of this trojan; however, I ran it, rebooted, and NOD32 still tells me that I'm infected.
Edited logs to second post.
#2
Posted 16 July 2009 - 08:54 PM
Sorry, it might be better if I attach the logs instead of copying and pasting them.
I'm not sure if I used RootRepeal correctly, but it told me I have 0 hidden services.
#3
Posted 16 July 2009 - 10:05 PM
Hi
Download this tool to desktop:
http://www2.gmer.net/mbr/mbr.exe
Double click it & post the log it creates on desktop. (mbr.log)
By the power of truth, I, while living, have conquered the universe.
~Scratch~
#4
Posted 16 July 2009 - 10:23 PM
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
detected MBR rootkit hooks:
\Driver\ACPI -> 0x863dd250
NDIS: Intel® Wireless WiFi Link 4965AGN -> SendCompleteHandler -> 0x86416f30
Warning: possible MBR rootkit infection !
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix.
#5
Posted 16 July 2009 - 10:36 PM
Hi
Open the Start > run box
type cmd hit the ok button.
At the DOS prompt type mbr.exe -f (make sure you have a space before the -f)
hit the enter key.
Type exit at the prompt and hit the enter key.
Restart the computer normally.
Run the mbr.exe again.
Let me see the results.
By the power of truth, I, while living, have conquered the universe.
~Scratch~
#6
Posted 16 July 2009 - 11:09 PM
Here's the new log:
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.6 by Gmer, http://www.gmer.net
device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF8F900
malicious code @ sector 0x0DF8F903 !
PE file found in sector at 0x0DF8F919 !
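After `mbr.exe -f` the second log shows sector 0 restored while the stashed MBR copy and the PE body still sit in unallocated sectors. As an added example that is not from the thread or from GMER's tool, this Python scanner reports those two artefacts in a raw disk image in the same wording as the log. The image is constructed inline; its layout (one NTFS partition, MBR copy at LBA 40, PE header 0x19 sectors later) is an assumption that mirrors the sector spacing in the log.

```python
import struct

SECTOR = 512


def build_sample_image(total_sectors=80, copy_at=40, infected=True):
    """Constructed toy disk image (not a real capture): a boot sector with one
    partition and, if infected, a stashed MBR copy plus a PE header 0x19 sectors on."""
    boot = bytearray(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")          # made-up boot code
    boot += b"\x90" * (446 - len(boot))
    # one entry: bootable, type 0x07 (NTFS), dummy CHS fields, LBA start 8, 8 sectors
    boot += struct.pack("<BBBBBBBBII", 0x80, 1, 1, 0, 0x07, 0xFE, 0xFF, 0xFF, 8, 8)
    boot += b"\x00" * 48 + b"\x55\xaa"                        # 3 empty entries + signature
    image = bytearray(total_sectors * SECTOR)
    image[0:SECTOR] = boot
    if infected:
        image[copy_at * SECTOR:(copy_at + 1) * SECTOR] = boot  # original MBR saved by rootkit
        pe_at = (copy_at + 0x19) * SECTOR
        image[pe_at:pe_at + 2] = b"MZ"                          # DOS header of the stored body
    return bytes(image)


def partitions(mbr):
    """Return (start_lba, sector_count) for each used entry of the partition table."""
    found = []
    for i in range(4):
        entry = mbr[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0 and count:
            found.append((start, count))
    return found


def scan_image(image):
    """Report unallocated sectors that duplicate sector 0 or start with a PE/DOS
    header. Both survive `mbr.exe -f`, which only rewrites sector 0."""
    mbr = image[:SECTOR]
    findings = []
    if mbr[510:] != b"\x55\xaa":
        findings.append("MBR signature missing")
    parts = partitions(mbr)
    for lba in range(1, len(image) // SECTOR):
        if any(s <= lba < s + n for s, n in parts):
            continue                                            # inside a partition: skip
        sector = image[lba * SECTOR:(lba + 1) * SECTOR]
        if sector == mbr:
            findings.append(f"copy of MBR has been found in sector 0x{lba:08X}")
        elif sector[:2] == b"MZ":
            findings.append(f"PE file found in sector at 0x{lba:08X} !")
    return findings
```

Run `scan_image(build_sample_image())` to get the two finding lines; a clean image (`infected=False`) yields none, which is what a full wipe of those sectors would look like.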
#7
Posted 21 July 2009 - 02:53 PM
Hi
Download TFC to your desktop
- Open the file and close any other windows.
- It will close all programs itself when run, make sure to let it run uninterrupted.
- Click the Start button to begin the process. The program should not take long to finish its job.
- Once it's finished it should reboot your machine, if not, do this yourself to ensure a complete clean.

Please download Malwarebytes' Anti-Malware from Here
Double Click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select "Perform Quick Scan", then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & Paste the entire report in your next reply.
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts, click OK to either and let MBAM proceed with the disinfection process, if asked to restart the computer, please do so immediately.

Go to Kaspersky website and perform an online antivirus scan.
- Read through the requirements and privacy statement and click on Accept button.
- It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
- When the downloads have finished, click on Settings.
- Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
  - Spyware, Adware, Dialers, and other potentially dangerous programs
  - Archives
  - Mail databases
- Click on My Computer under Scan.
- Once the scan is complete, it will display the results. Click on View Scan Report.
- You will see a list of infected items there. Click on Save Report As....
- Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button. Then post it here.
By the power of truth, I, while living, have conquered the universe.
~Scratch~