
Trojan horse Vundo.JW - Trojan.Mebroot. Mebroot/Sinowal Infection, Trojan.Tracur, Trojan.TDSS or what?

Q: Trojan horse Vundo.JW - Trojan.Mebroot. Mebroot/Sinowal Infection, Trojan.Tracur, Trojan.TDSS or what?

Lately my computer has been exceptionally slow. Blue screens a time or two. I've recognized a few other suspicious things such as 'Service Distribution Software 3.0' trying to install at 3 am for the past 2 weeks. I also looked at my ReportingEvents.log and noticed that even though Microsoft updates were downloading successfully they were not installing since 6-10-2010 (I went ahead and attached a copy of that as well). Also, Firefox was acting really funny. Taking a huge amount of time to load. I also found that even if I shut Firefox down, it was always running. Even if I went to Task Manager to kill firefox.exe, it was very difficult to get it to finally stop running.

I even saw a post here saying:

------------------------------------------------------------------------
QUOTE
Let's check your HOSTS file. It's located at c:\windows\system32\drivers\etc\hosts. You can open it up in Notepad. If it's just some lines on top with a # in front of it and followed by 127.0.0.1 localhost, then you don't need to post it; however, if there are others following 127.0.0.1 localhost, you may have to fix it. Post it here if that's the case.
------------------------------------------------------------------------

I had all types of websites listed after the localhost. DIDN'T LOOK GOOD. I've attached that txt file as well.

- Malwarebytes' Anti-Malware 1.46 finally found Trojan.Tracur. ( C:\WINDOWS\system32\sl489302579 (Trojan.Tracur) -> Quarantined and deleted successfully. )
- Lenovo's Client Security Solution and other programs were also starting to make me wonder.

The more I dug and the more research I did, I couldn't pinpoint the issue. Was it Trojan.Mebroot.
Mebroot/Sinowal Infection? or Trojan.Tracur or Trojan.TDSS or what? It has driven me crazy. Any help at all would be absolutely awesome. I've spent 2 days around the clock trying to decide what and how needed fixed.

Actually, I couldn't attach any more files than just the one Attach.txt file. If you would like to see any additional logs, I guess someone will request them. Thanks in advance.

Thanks
Deanna

DDS (Ver_10-03-17.01) - NTFSx86
Run by Deanna at 16:58:18.04 on Thu 06/24/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3070.1895 [GMT -5:00]

AV: ZoneAlarm Extreme Security Antivirus *On-access scanning enabled* (Updated) {5D467B10-818C-4CAB-9FF7-6893B5B8F3CF}
AV: Trend Micro OfficeScan Antivirus *On-access scanning disabled* (Outdated) {A1D0AB07-8822-42BB-B46B-32D05AE756AC}
AV: Sunbelt VIPRE *On-access scanning enabled* (Updated) {964FCE60-0B18-4D30-ADD6-EB178909041C}
FW: ZoneAlarm Extreme Security Firewall *enabled* {829BDA32-94B3-44F4-8446-F8FCFF809F8B}


A: Trojan horse Vundo.JW - Trojan.Mebroot. Mebroot/Sinowal Infection, Trojan.Tracur, Trojan.TDSS or what?

Hi deetheis,

Welcome to Bleeping Computer! My name is mpascal, and I will be helping you fix your problem.

Before we begin, I would like to make a few things clear so that we can fix your problem as efficiently as possible:
- Be sure to follow all my instructions carefully! If there is anything you don't understand, don't hesitate to ask.
- Please do not do anything or perform other steps unless I have asked you to do so.
- Please make sure you post all logs I ask you to, and make sure that the entire log gets posted.
- Don't attach any logs unless asked. Posting them in the forums will make them easier to analyze.
- If you are unsure of how to reply, or need help with anything regarding the website, please look here.

STEP 1 - MBAM
- Open Malwarebytes' Anti-Malware.
- Under the Updates tab, click Check for Updates. Let the updates install (if any).
- After that, under the Scanner tab, click Perform Quick Scan and then Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy and paste the contents of that report in your next reply. Be sure to post the complete log to include the top portion which shows MBAM's database version and your operating system.
- Exit MBAM when done.

Note: If MBAM encounters a file that is difficult to remove, you will be asked to reboot your computer so MBAM can proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot normally (not into safe mode) will prevent MBAM from removing all the malware.

STEP 2 - OTL
- Download OTL to your desktop.
- Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
- When the window appears, underneath Output at the top change it to Minimal Output.
- In the Custom Scans box, copy and paste the following:

CODE
netsvcs
drivers32 /all
%SYSTEMDRIVE%\*.*
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll
%systemroot%\system32\*.wt
%systemroot%\system32\*.ruy
%systemroot%\Fonts\*.com
%systemroot%\system32\spool\prtprocs\w32x86\*.tmp
%systemroot%\*. /mp /s
CREATERESTOREPOINT
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\user32.dll /md5
%systemroot%\system32\ws2_32.dll /md5
%systemroot%\system32\ws2help.dll /md5
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install|LastSuccessTime /rs

- Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
- When the scan completes, it will open two notepad windows: OTListIt.Txt and Extras.txt. These are saved in the same location as OTL.
- Please copy (Edit->Select All, Edit->Copy) the contents of the files, and post it with your next reply.

STEP 3 - Reply
Please reply with the following logs:
- MBAM Log
- OTL Log
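One way to automate the HOSTS-file check quoted in the question: the script below (an added example, not code from this thread or from any tool it names) parses a hosts file, ignores the stock localhost lines, and reports names sinkholed to a loopback address or redirected to some other host. The sample file contents and the .invalid hostnames are constructed for the demonstration.

```python
"""Audit a Windows HOSTS file for entries that block or redirect name resolution.

On a live machine pass C:/Windows/System32/drivers/etc/hosts to audit_hosts_file();
the SAMPLE_HOSTS text below is constructed for the example.
"""
import ipaddress

# Names a stock hosts file may legitimately map to a loopback address.
BENIGN_LOOPBACK_NAMES = {
    "localhost", "localhost.localdomain", "broadcasthost",
    "ip6-localhost", "ip6-loopback",
}

# Constructed sample: two comment lines, one stock entry, one sinkholed
# security site, one redirected banking site, one malformed line.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.security-vendor.invalid   # constructed: blocks a scanner site
198.51.100.7    online.bank.invalid           # constructed: steers users elsewhere
not-an-address  something.invalid
"""


def parse_hosts(text):
    """Yield (line_no, address_or_None, hostname) for each mapping in the file."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            addr = None                       # malformed: report it, keep going
        for name in fields[1:] or ["<no hostname>"]:
            yield line_no, addr, name


def audit_hosts(text):
    """Return a list of (line_no, hostname, reason); empty means the file looks stock."""
    findings = []
    for line_no, addr, name in parse_hosts(text):
        if addr is None:
            findings.append((line_no, name, "malformed line"))
        elif addr.is_loopback or addr.is_unspecified:
            if name.lower() not in BENIGN_LOOPBACK_NAMES:
                # Mapping a real site to 127.0.0.1 or 0.0.0.0 silently blocks it;
                # this is how AV and update sites are kept unreachable.
                findings.append((line_no, name, "blocked via loopback"))
        else:
            # Any other address steers the name to a host the user never chose.
            findings.append((line_no, name, "redirected to %s" % addr))
    return findings


def audit_hosts_file(path):
    """Convenience wrapper for a hosts file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read())


if __name__ == "__main__":
    for line_no, name, why in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %s -> %s" % (line_no, name, why))
```

A file that yields no findings matches the "only 127.0.0.1 localhost" condition the quoted advice describes; anything reported is worth posting for review.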


Hello all,

My laptop was hit with a multiple virus infection while using Firefox.
Symantec seemed to have taken care of things at the time but I was still having some problems, and it didn't seem to be able to get rid of TDSS. I disabled system restore and tried to clean the registry manually, but wasn't able to find all the entries listed on the Symantec site. I disabled the TDSS driver via the control panel.
MBAM wouldn't install, so I tried Spybot which found a few other issues. Finally I was able to install MBAM and HJT from a disc, and connected back to the internet again briefly to update both.
I ran CCleaner then MBAM in safe mode and MBAM seems to have cleaned everything (both MBAM and HJT scans looked ok afterwards, though there are still a few entries in the HJT log that look suspicious to me).
Everything seems to be fine now, and I proceeded to uninstall the old Java updates, got all the latest Windows updates, and then turned system restore on again.
I'm basically looking for some advice on what to do to make sure everything is in fact gone as there are those few HJT entries that look suspicious to me.
Thanks in advance!
DDS (Version 1.1.0) - NTFSx86
Run by mo at 16:50:17.96 on Tue 01/06/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3071.2532 [GMT -6:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated)

============== Running Processes ====... Read more

A: Multiple Virus Infection: Trojan.Vundo, Trojan.VundoH, Trojan.BHO, Trojan.TDSS, Trojan.Agent, Trojan.Downloader, Malware.Trace...

My name is BHowett and I will be helping you to get sorted. If for any reason you do not understand any of the instructions, or are just unsure, then please do not guess; simply post back with your question, and we will go through it again. This seems like a tech issue and not a malware problem, but let's take a look and see what we find.

Sorry for the delay, please do the following...

ComboFix
Please download ComboFix from Here or Here
* IMPORTANT !!! Save ComboFix.exe to your Desktop
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: Protective Programs
Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License A... Read more


I don't know if the problem that has developed for the last week is a virus/Trojan problem or a hardware/pc problem and I am hoping someone can help me figure out which it may be.

The problem is when starting my desktop up and all of a sudden developed (I did notice previous to noticing this problem that my pc raced up one morning. I was not yet doing anything on it, it was just setting on after I had started it). I turn my desktop off every night and start it back up in the mornings. Lately, when I push the start button on the CPU, the light flashes orange off and on for approx. 1 minute and then it will turn green and go ahead and boot up. This happens every time I shut down and restart the pc.

How can I find out if this is a hardware problem or a Trojan? Why I ask if it could be a Trojan is because I was reading about the Sinowal/Mebroot Trojan that infects a PC's Master Boot Record, so that when the pc is infected and is started the Mebroot loads first and then Windows boots. Could this be what is happening when I start my pc and it flashes orange for at least 1 minute before it actually boots up and Windows starts?

I have also noticed that all processes are noticeably slow - browsers, opening Outlook Express, opening folders, etc.

Any help with this would be most appreciated. I have included the HijackThis log below.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:54 PM, on 7/21/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v... Read more


Greetings.

For the past 2-3 weeks, I've been getting random system freezes, with or without Firefox or IE running, requiring a hard reboot. This can happen while working in an application, or with the system left idle (sometimes after just a few minutes, but other times I've left it up and running all night and found it to be fine the next am). Since all this started, I've noticed that it takes fully 5-8 minutes after starting windows for the CPU to quit churning at 90-100%. Safe mode starts quickly, as usual. I have experienced at least one freeze in Safe Mode, however.

My system specs and many more details of the various problems I've encountered, as well as the fixes/cleanup I've already tried, are contained in Hanging XP....., the thread I started first, and Random XP Pro Freezes, the next thread I started, on the advice of my troubleshooter in the first thread. Broni, in the second thread, felt that my troubles might be due to the remnants of Sinowal and/or Mebroot, which may not have been completely cleaned by my run of a-squared free.

Today, I've been plagued with repeated freezes, despite having worked through all the suggestions in The Preparation Guide for Use Before...., as well as the suggestions in the Slow Computer? guide referenced therein. I haven't gotten a blue screen in about a week, now, however. Usually just a system hang. Oddly, Firefox will put up a crash reporting window sometimes, even when there hasn't been one and I've closed it normally. I've trie... Read more

A: Trouble with backdoor Sinowal and trojan Mebroot

Hello, and welcome to the Bleeping Computer Malware Removal Forum. My name is Elise and I'll be glad to help you with your computer problems.

I will be working on your malware issues; this may or may not solve other issues you may have with your machine. Please note that whatever repairs we make are for fixing your computer problems only and by no means should be used on another computer.

The cleaning process is not instant. Logs can take some time to research, so please be patient with me. I know that you need your computer working as quickly as possible, and I will work hard to help see that happen.

Please reply using the Add/Reply button in the lower right hand corner of your screen. Do not start a new topic. The logs that you post should be pasted directly into the reply. Only attach them if requested or if they do not fit into the post.

Unfortunately, if I do not hear back from you within 5 days, I will be forced to close your topic. If you still need help after I have closed your topic, send me or a moderator a personal message with the address of the thread or feel free to create a new one.

You may want to keep the link to this topic in your favorites. Alternatively, you can click the button at the top bar of this topic and Track this Topic, where you can choose email notifications. The topics you are tracking are shown here.

-----------------------------------------------------------

If you have since resolved the original problem you were having, we would appreciate you let... Read more


I have Symantec Antivirus and already followed their removal guide which consists of running Windows Recovery Console, fixing the MBR, and then running a virus scan to clean everything up. I repaired the MBR and it seems that my computer is locking up less and crashing less often, but I still had the "HelpAssistant" user profile in Documents and Settings after restarting. An updated Malwarebytes and Symantec scan don't pick up anything as being infected, but I'm not so sure.

Here are the logs:
DDS (Ver_09-12-01.01) - NTFSx86
Run by Marc at 17:04:53.84 on Fri 12/04/2009
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_16
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.3582.2605 [GMT -5:00]

AV: Symantec AntiVirus Corporate Edition *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: ActiveArmor Firewall *enabled* {EDC10449-64D1-46c7-A59A-EC20D662F26D}

============== Running Processes ===============

C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\amBX\Syst... Read more

A: Trojan.Mebroot Infection

Hello and welcome to Bleeping Computer.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far.

Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware.

If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread.

Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan:

Download DDS by sUBs from one of the following links. Save it to your desktop.
DDS.scr
DDS.pif

Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll... Read more


Hello! I just have some simple questions. So, Symantec picked up a virus: Boot.Mebroot. I googled it and came up with links to Boot.Mebroot and Trojan.Mebroot. Is there a difference? I'm afraid I know little about viruses and less about the MBR. If I have Boot.Mebroot, do I also have Trojan.Mebroot? Does Symantec just arbitrarily differentiate the two? Would restarting the computer be bad since Mebroot alters the MBR? Additionally, are the instructions for removal on Symantec's page the best way to get rid of it? Only Symantec seems to be picking it up. I ran Dr. Web's CureIt and MBAM full scans and neither of them picked up on Mebroot (though I did find some unexpected viruses, haha). Thanks!

Edit: I am on XP SP3. Thus far, I have not seen any strange behavior or received any error messages. I got the virus off a friend's (infected) flash drive. I initially copied over files and received a (presumably infected) email attachment from her; those files and that email I have since deleted.


Desktop Sony Vaio, Windows XP + SP3, 1GB RAM. These four infections - HACKTOOL.ROOTKIT, TROJAN.VUNDO, TROJAN.PANDEX and TROJAN HORSE - periodically try to execute and Norton Security Suite BLOCKS them all. Along with these four, about 16 files are also blocked, all associated - fpq52.tmp (TROJAN HORSE), fpq4b.tmp (HACKTOOL.ROOTKIT), fpq4c.tmp (TROJAN HORSE), fpq4a.tmp (TROJAN.PANDEX), fpq4f.tmp (TROJAN HORSE), fpq4e.tmp (TROJAN.VUNDO), etc. I am presently running Norton Security Suite 4, F-PROT Antivirus, IObit Security 360, SpyBot-SD Resident, SuperAntiSpyware, Malwarebytes and Secunia PSI. These will not eliminate the infections. This PC is a neighbor's which originally had the Windows firewall OFF and greyed out, a Firefox Google hijack and the following infections, which are all now repaired -- HIJACK.WINDOWSUPDATE, Hiloti.B.gen!Eldorado, Trojan2.HZYZ, WORM.BDQA, TROJAN.AGENT.APHZ, ROGUE.AGENT/GEN-NULLO(dll), WORM.BLAH. (I mention these to provide a little background info.) There were about 50 Windows Updates that were blocked but are now installed. Thanks in advance for your assistance.

DDS (Ver_10-03-17.01) - NTFSx86
Run by Leah at 13:31:16.40 on Thu 06/03/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_20
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.992.95 [GMT -5:00]

AV: Norton Security Suite *On-access scanning enabled* (Updated) {E10A9785-9598-4754-B552-92431C1C35F8}
AV: F-PROT Antivirus for Windows *On-access scanning enabled* (Updated) {3...

A:Infected with HACKTOOL.ROOTKIT TROJAN.VUNDO TROJAN.PANDEX and TROJAN HORSE

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr / DDS.pif. Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the results. Foll...


I used to think that I knew quite a bit about how to properly maintain a healthy computer. But that was until my laptop became infested with these trojans and whatever else they are. It started out with a couple notifications from my AVG and this was not out of the ordinary. My internet started acting up and booting me offline every 30 minutes or so. Then the websites that I was trying to look at were "redirected" to http://bts.scour.com/index.html?3. I thought I'd be smart and block bts.scour.com in my Internet Options but it simply chose another route. So I blocked that site. Then it sent in another reroute site. These sites remind me of popups or those annoying "scan your computer for faster service" sites. Y'know the ones that would entice you to scan your computer and make you believe there was something wrong with your computer, but there wasn't (that is, until you scanned with their program and it would take control of your computer at the worst of times). The Trojan Horse Back Door Generic 15 made its entrance right after the "bt.scour" did. AVG's only option was to ignore it, but I still wasn't worried. Every time I blocked a redirect, the more intense the attack on my computer became. I gradually lost control of my computer. When I thought I should check Windows firewall, it was too late for any security measures. It was turned off and when I tried to turn it back on, it would give me an error (0x8000ffff). It wou...

A:HELP!! UNINVITED GUESTS: Lune.Sirefef.A,Trojan horse Patched_C.LYU, Trojan horse Generic_r,Trojan horse Back Door Gener...

Greetings and Welcome to The Forums!! My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so. We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text. Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything. Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go. A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ...


My son's Windows 7 computer has two trojan horse infections that were detected by AVG, but AVG was unable to quarantine or remove them (screenshots attached: Trojan 1.PNG, Trojan 2.PNG). He has known about the infection for some time, but has continued to use the computer. I first became aware of the situation when he asked for help when, on boot up, he got a message "missing operating system." We were able to boot from the recovery disk, but now the infection remains and the system runs extremely slowly. We were able to download and run DDS; however, it does not create the dds.txt file, but only the attach.txt file. We ran it several times, and sometimes it creates the attach.txt file (version attached called attach2.txt) and a couple of times it created a version which includes restore points (version attached called attach3.txt).

Internet connection on the computer has been intermittent. It was connected earlier this morning, long enough to download and run DDS and email the attach.txt files to me (I'm doing this post from my uninfected computer). Right now the infected computer is "not connected - no connection available." It should connect to the same wireless network in our home that my uninfected computer is connected to.

****UPDATE**** The internet connecti...

A:Infected with Trojan horse TDSS.CA and Trojan horse Dropper.Generic8.AXHI

Here are some more files that might help you. They are AVG Resident Shield results (screenshot attached: AVG Resident Shield results 1.png). There are three more screen shots to this report, but it won't let me upload any more.


A few days ago, I received a call from Symantec stating that my laptop was infected with the Mebroot Trojan. I called Comcast, my IP, who confirmed that the call was from Symantec. Symantec could not provide any further info to me except to run the antivirus. I ran Norton, and it showed nothing. I have since run Malwarebytes and nothing there either. I was able to run DDS and will post that info. When I tried to run GMER, it would not allow me to mark the appropriate ticks, so when I did the scan it said there was nothing to report. I am running Windows 7 64bit - Home Premium on an Emachines E725. Is there an issue with Win7 and GMER or am I doing something wrong? Thank you for your help.

DDS (Ver_10-03-17.01) - NTFSX64
Run by BUTCH at 11:34:54.90 on Sat 08/28/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Home Premium 6.1.7600.0.1252.1.1033.18.3002.1843 [GMT -5:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\system32\svchost.exe -k RPCSS
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Windows...

A:Possible Mebroot Trojan

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a clear description of the problems you're having, along with any steps you may have performed so far. Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order, clean and free of malware. If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Thanks and again sorry for the delay.

We need to see some information about what is happening in your machine. Please perform the following scan: Download DDS by sUBs from one of the following links. Save it to your desktop. DDS.scr / DDS.pif. Double click on the DDS icon, allow it to run. A small box will open, with an explanation about the tool. No input is needed, the scan is running. Notepad will open with the ...


Help! ESET 32 4.0 says I have a Mebroot trojan. It can't get rid of it. I would really appreciate some assistance. Here are the files you say you need, in the appropriate manner. Thank you for your time!

DDS.TXT

DDS (Ver_09-07-30.01) - NTFSx86
Run by *HIDDENTOPROTECTTHEINNOCENT* at 13:42:54.85 on Fri 07/31/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_14
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.511.113 [GMT -5:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\Ati2evxx.exe
svchost.exe
svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\WINDOWS\system32\svchost.exe -k hpdevmgmt
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\M-Audio\M-Audio Micro\MAUSBMRInst.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
G:\Program Files\CDBurnerXP\NMSAccess.exe
C:\WINDOWS\System32\svchost.exe -k HPZ12
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe -k ...

A:Mebroot Trojan help

hello? anyone there?


Referred from here: http://www.bleepingcomputer.com/forums/topic423903.html ~ OB

Eset smart security 5 detects the mebroot trojan at startup but is unable to clean it. Here is the dds log..

DDS (Ver_2011-08-26.01) - NTFSx86
Internet Explorer: 7.0.6002.18005 BrowserJavaVersion: 1.6.0_18
Run by Agnew at 18:04:12 on 2011-10-18
Microsoft® Windows Vista™ Home Premium 6.0.6002.2.1252.44.1033.18.2813.1944 [GMT 1:00]
.
AV: ESET Smart Security 5.0 *Enabled/Updated* {77DEAFED-8149-104B-25A1-21771CA47CD1}
SP: ESET Smart Security 5.0 *Enabled/Updated* {CCBF4E09-A773-1FC5-1F11-1A056723366C}
FW: ESET Personal firewall *Enabled* {4FE52EC8-CB26-1113-0EFE-8842E2773BAA}
.
============== Running Processes ===============
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
"C:\Windows\system32\svchost.exe"
"C:\Windows\system32\svchost.exe"
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\Microsoft.Net\Framework\v3.0\WPF\PresentationFontCache.exe
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k Loc...

A:Mebroot trojan

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together.

Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix. Do not run any other tool until instructed to do so! Click on the Watch Topic Button and select Immediate Notification and click on proceed, this will help you to get notified faster when I have replied and make the cleaning process faster. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

Run Combofix: You may be asked to install or update the Recovery Console (Win XP Only); if this happens please allow it to do so (you will need to be connected to the internet for this). Before you run Combofix I will need you to turn off any security software you have running. If you do not know how to do this you can find out >here< or >here<. Combofix may need to reboot your computer more than once to do its job; this is normal. You can download Combofix from one of these links: Link 1, Link 2, Link 3.

1. Close any open browsers or any other programs that are open.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the runn...


Hi,

Lately my computer has been freezing and when it does I can move the mouse but not click anything, then eventually it causes a total crash. Norton says something about a trojan.mebroot but doesn't remove it.

Can anyone help me with what's going on?

Thanks so much

EDIT: Well, as it turns out, Norton did remove it, yet my computer still crashed earlier today. Any other ideas on what could be going on?

A:Trojan.Mebroot?

Before we start fixing anything you should print out these instructions or copy them to a NotePad file so they will be accessible. Some steps will require you to disconnect from the Internet or use Safe Mode and you will not have access to this page.

Please download Dr.Web CureIt and save it to your desktop. DO NOT perform a scan yet. (alternate download link) Note: The file will be randomly named (i.e. 5mkuvc4z.exe).

Reboot your computer in "Safe Mode" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Scan with Dr.Web CureIt as follows: Double-click on the randomly named file to open the program and click Start. (There is no need to update if you just downloaded the most current version.) Read the Virus check by DrWeb scanner prompt and click Ok where asked to Start scan now? Allow the setup.exe to load if asked by any of your security programs. The Express scan will automatically begin. (This is a short scan of files currently running in memory, boot sectors, and targeted folders.) If prompted to download the Full version Free Trial, ignore and click the X to close the window. If an infected object is found, you will be prompted to move anything that cannot be cured. Click Yes to All. (This will move any detected files ...


My internet provider has emailed me saying I have a Mebroot trojan. Is this right and how do I remove it?
 
DDS (Ver_2012-11-20.01) - NTFS_x86 
Internet Explorer: 9.0.8112.16526  BrowserJavaVersion: 10.25.2
Run by bates at 18:50:33 on 2014-02-11
Microsoft® Windows Vista™ Home Premium   6.0.6002.2.1252.61.1033.18.3070.1356 [GMT 10.5:30]
.
AV: Microsoft Security Essentials *Enabled/Updated* {641105E6-77ED-3F35-A304-765193BCB75F}
SP: Windows Defender *Disabled/Updated* {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
SP: Microsoft Security Essentials *Enabled/Updated* {DF70E402-51D7-30BB-99B4-4D23E83BFDE2}
.
============== Running Processes ================
.
C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\nvvsvc.exe
C:\Program Files\NVIDIA Corporation\3D Vision\nvSCPAPISvr.exe
c:\Program Files\Microsoft Security Client\MsMpEng.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ABBYY Screenshot Reader\NetworkLicenseServer.exe
C:\Program Files\AskPartnerNetwork\Toolbar\apnmcp.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Microsoft LifeCam\MSCamS32.exe
C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe
C:\Program Files\Nuance\PaperPort\PDFProFiltSrvPP.exe
C:\Windows\system32\IoctlSvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\PnkBstrB.exe
C:\Wi...

A:Mebroot Trojan

Hi there, my name is Marius and I will assist you with your malware related problems. Before we move on, please read the following points carefully.

First, read my instructions completely. If there is anything that you do not understand kindly ask before proceeding. Perform everything in the correct order. Sometimes one step requires the previous one. If you have any problems while following my instructions, stop there and tell me the exact nature of your problem. Do not run any other scans without instruction or add/remove software unless I tell you to do so. This would change the output of our tools and could be confusing for me. Post all logfiles as a reply rather than as an attachment unless I specifically ask you. If you can not post all logfiles in one reply, feel free to use more posts. If I don't hear from you within 3 days from this initial or any subsequent post, then this thread will be closed. Stay with me. I will give you some advice about prevention after the cleanup process. Absence of symptoms does not always mean the computer is clean. My first language is not English. So please do not use slang or idioms. It could be hard for me to read. Thanks for your understanding.

Scan with TDSS-Killer

Please read and follow these instructions carefully. We do not want it to fix anything yet (if found), we need to see a report first.

Download TDSSKiller.zip and extract to your desktop.
Execute TDSSKiller.exe by double-clicking on it.
Press Start Scan
If Malicio...


Hi, it appears I have the Trojan Mebroot virus. I received a note from my school that my wireless access had been removed:

This computer has been removed from the network because it is compromised and being used in a botnet: wireless
128.135.111.116
0026.5ee9.bb55
unknown
Behavior: Mebroot


I tried going to recovery console and received a blue screen of death multiple times from a CD and from selecting recovery console on load so have not been able to try "fixmbr".

I have access to a windows xp disc.

I am not able to get GMER to run all the way through without a blue screen of death, so I followed the second set of instructions.

I ran mbr exe and got the following info:
"copy of MBR has been found in sector 0x012A19000
malicious code @ sector 0x012A19003
PE File found in sector at 0x012A19019"

DDS txt:
DDS (Ver_09-12-01.01) - NTFSx86
Run by x at 14:46:12.17 on Tue 03/09/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3066.1881 [GMT -5:00]

AV: Symantec Endpoint Protection *On-access scanning enabled* (Updated) {FB06448E-52B8-493A-90F3-E43226D3305C}
FW: Symantec Endpoint Protection *enabled* {BE898FE3-CD0B-4014-85A9-03DB9923DDB6}

============== Running Processes ===============

C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
C:\Pro...

A:Trojan.Mebroot Help

Hi, please do the following:

Download HAMeb_check.exe and save it to your desktop.

Click on the icon to run it, when complete it will open a log for you, please post the content of the log in your next reply.

Note: The log is temporary - it will not be saved when closed, so please be sure to copy the content so that you can paste it into your next reply before you close the log.


hey ppl,

I am new around here, and a friend of mine suggested I look for help here..

I am infected with the Mebroot trojan virus which attacks the boot sectors..

I tried Trojan Remover, Eset and Avira and couldn't remove it..

Tried Safe Mode, Restoring, same thing..

Any ideas??

Also, is it possible to make an SD card a bootable device? If so I can reinstall Windows using it.

Thanks, waiting for a reply

A:Mebroot Trojan

Hello and welcome. To fix this, we need a deeper look. Please go here: Preparation Guide, do steps 6 - 9. Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run, skip it and move on. Let me know if that went well.


One of our offsite office PCs keeps getting infected with the Mebroot trojan. I fixed it about a month ago by fixing the MBR and now it's back.

Is there a way to figure out how this infection keeps coming back? Also, is there a way to remotely fix this machine since it's out of state and there's no easy way for me to get to it to fix.


Hello. Recently, my antivirus was disabled (for gaming purposes) and I forgot to put it back up. A couple days back, I started hearing unusual sounds coming from Internet Explorer, which I never use. I activated Nod32 and came across a "Mebroot Trojan" found in Win32. I am running Windows 7 (32 bit). I have scanned my computer with Eset, and here are my results:

Scan Log
Version of virus signature database: 5278 (20100714)
Date: 14/07/2010 Time: 5:31:31 PM
Scanned disks, folders and files: Operating memory;C:\Boot sector;D:\Boot sector;C:\;D:\
Operating memory - Win32/Mebroot trojan - action selection postponed until scan completion
C:\hiberfil.sys - error opening [4]
C:\pagefile.sys - error opening [4]
Scan terminated by user!
Number of scanned objects: 708
Number of threats found: 1
Number of cleaned objects: 0
Time of completion: 5:32:26 PM Total scanning time: 55 sec (00:00:55)
Notes:
[4] Object cannot be opened. It may be in use by another application or operating system.

And here are my DDS results:

DDS (Ver_10-03-17.01) - NTFSx86
Run by Dipongkor Halder at 18:24:10.86 on 14/07/2010
Internet Explorer: 8.0.7600.16385
Microsoft Windows 7 Ultimate 6.1.7600.0.1252.2.1033.18.2046.1100 [GMT -4:00]

AV: AVG Internet Security *On-access scanning enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
SP: AVG Internet Security *enabled* (Updated) {17DDD097-36FF-435F-9E1B-52D74245D6BF}
FW: AVG Firewall *enabled* {8decf618-9569-4340-b34a-d78d28969b66}
=...

A:Mebroot Trojan, Please Help

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems. Some things to remember while we are working together. Do not run any other tool until instructed to do so! Please do not attach logs or put in code boxes. Tell me about any problems that have occurred during the fix. Tell me of any other symptoms you may be having as these can help also. Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with. Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger: Please download DeFogger to your desktop. Double click DeFogger to run the tool. The ap...


I have been having a lot of trouble with my PC the past week. It has been freezing up within an hour after Windows loads, and when it freezes up completely, a loud ringing noise comes out of my computer, so I hold the on button to turn it off. I have Malwarebytes, Spyware Doctor, and ESET Smart Security. It freezes every time I try to scan it, but I was able to get a full scan of Malwarebytes yesterday and it only found 1 trojan. Now the past couple of days when I turn my computer on, ESET Smart Security tells me I have a Mebroot trojan in the operating memory of Win32 and it is unable to clean it. Can someone help me? I'd really appreciate it.

A:mebroot trojan help please

Hi.

I will try to help you with your problem but we need logs to start with.

Please complete the pre-removal instructions.

http://www.techsupportforum.com/f50/...lp-305963.html

--------------------------------------------------------------------------
Download this tool and save it to your Desktop

MBR.exe

Double click it & post the log it creates on desktop. (mbr.log)

-------------------------------------------------------------------------

In your reply, please post

DDS.txt
Attach.txt <--attached
GMER result
MBR.log

Post all your logs here and I will check it tonight GMT+8.

Mark


This is what happens when I try and clean.

It showed up when I plugged my external hard drive after I restarted my computer.

Before it said it was on the 2. physical disk; that might have been my second hard drive, which was disconnected when I plugged in my external, because prior to that I received the same alert saying it was on the 2. physical disk when they were both plugged in. I disconnected the external and left my second hard drive plugged in, then I began to run scans and I followed some tips from a few sites to get rid of it. I've also reformatted Windows to get rid of it. I ran scans after and I had nothing, everything was fine, but then I was stupid and plugged in my external hard drive, then I got the alert posted in the screen shot, and I disconnected it quickly. I ran a scan after that and I have nothing.

Do I still have the bug? Because that only popped up because I connected my external hard drive. When I disconnected the external I ran scans, I get nothing on my computer's hard drive. Is my PC and second hard drive clean and only my external is dirty? I ran scans on my second hard drive and it's clean as well. I read up on this virus and it's pretty nasty; I currently have Nod32 and Malwarebytes.

I want to know if the virus is hiding itself or if it's finally gone. Some help would be greatly appreciated, forgive me if my explanation sucks.
This is my Malwarebytes log

Malwarebytes' Anti-Malware 1.42
Database version: 3425
Windows 5.1...

A:Win32/Mebroot.mbr trojan

SmitfraudFix LOG

SmitFraudFix v2.424

Scan done at 8:43:04.62, Thu 12/24/2009
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Owner\Desktop\SmitfraudFix\Policies.exe
C:\WINDOWS\system32\cmd.exe

hosts
C:\
C:\WINDOWS
C:\WINDOWS\system
C:\WINDOWS\Web
C:\WINDOWS\system32
C:\Documents and Settings\Owner
C:\DOCUME~1\Owner\LOCALS~1\Temp
C:\Documents and Settings\Owner\Application Data
Start Menu
C:\DOCUME~1\Owner\FAVORI~1
Desktop
?...


Hi there, I've read up on many threads here to try to solve this problem but I am having no luck. I installed Windows fresh on a new hard disk whose partition was deleted and created again using the Windows CD. I have NOD32 and it's reporting "MBR sector of the 0. physical disk Win32/Mebroot.mbr trojan". I have run Malwarebytes Anti-Malware but it does not detect anything. I tried the NOD32 ESET Mebroot Remover; it detects MBR rootkit (Win32/Mebroot) on my system but does not let me remove it, it says unable to clean. Used SuperAntiSpyware but it doesn't detect it either, used SpyBot Seek and Destroy but it doesn't detect anything either. I can't get RootRepeal to work, every time I try to run it my system just restarts itself.. I have attached a report from GMER which doesn't find any rootkit either.

This is my report from DDS:

DDS (Ver_09-12-01.01) - NTFSx86
Run by Cem at 20:05:46.60 on 07/12/2009
Internet Explorer: 6.0.2900.2180 BrowserJavaVersion: 1.6.0_10
Microsoft Windows XP Professional 5.1.2600.2.874.44.1033.18.2047.1559 [GMT 7:00]

AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spo...

A:Win32/Mebroot.mbr trojan

I've found the fix for this just in case anyone has this problem. "MBR sector of the 0. physical disk Win32/Mebroot.mbr trojan" shows that the problem is in disk 0. I have 3 hard disks in the computer and I got error messages "MBR sector of the 0. physical disk Win32/Mebroot.mbr trojan" and "MBR sector of the 2. physical disk Win32/Mebroot.mbr trojan" constantly after Windows re-boot. I followed this from the Wilders Security forum:

The following should erase the contents of a USB flash RAM drive, including the master boot record and its associated partition table of data located in the first sector.
1. Open a Command Prompt (filename: CMD.EXE) in Windows. If you are running Microsoft Windows Vista or Windows 7, you will need to open an elevated command prompt.
2. Start DiskPart (filename: DISKPART.EXE), the command line disk partitioning tool. The DISKPART> prompt will appear.
3. At the DISKPART> prompt, type "LIST DISK" (without quotes) and press enter. A list of currently-mounted disk drives will be displayed. Your USB flash RAM drive will show up with a number like 1, 2, 3, 4 and so forth.
4. At the DISKPART> prompt, type "SELECT DISK n" (without quotes), where n is the number of the USB flash RAM drive, and press enter. Assuming nothing has changed on the system, you would type "SELECT DISK 6".
5. At the DISKPART> prompt, type "CLEAN" (without quotes) and press enter. This tells DiskPart to zero-out (wri... Read more
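Two caveats before relying on the diskpart recipe above. First, diskpart's `clean` overwrites only the partitioning information; only `clean all` zeroes every sector, and Mebroot/Sinowal keeps the rest of its code outside any partition (sector 62 and the last sectors of the disk are the usual spots), which is also why a plain `fixmbr` can look like it worked until the next reboot. Second, a running Mebroot hooks disk reads so that sector 0 read through the OS looks clean, which is why the helpers on this page keep asking for GMER and mbr.exe logs rather than an antivirus verdict. The Python below is an added example, not code from this thread or from diskpart, GMER or mbr.exe: it parses a 512-byte MBR, lists the partition table, reports how many sectors lie outside any partition (where a "code @ sector N" finding from GMER can be checked against), and diffs two MBR images region by region, for instance one saved right after `fixmbr` and one captured later. The two MBR images, the disk size and the `read_raw_mbr` device path are constructed assumptions for the demonstration.

```python
"""Added example: sanity-check an MBR image and spot Mebroot-style tampering.

Not code from the thread above or from GMER/mbr.exe/diskpart. The two MBR
images and the disk size below are constructed for the demonstration.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440      # bytes 0..439: bootstrap code
DISK_SIG_END = 446       # 440..443 disk signature, 444..445 normally zero
TABLE_START = 446        # four 16-byte partition entries, then 0x55AA
SIGNATURE = b"\x55\xaa"


def parse_mbr(mbr: bytes) -> dict:
    """Parse one 512-byte MBR; raise ValueError on a malformed image."""
    if len(mbr) != SECTOR:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR)
    if mbr[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        off = TABLE_START + 16 * index
        status, ptype = mbr[off], mbr[off + 4]
        start_lba, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype == 0:                       # empty entry
            continue
        partitions.append({
            "index": index, "bootable": status == 0x80, "type": ptype,
            "start_lba": start_lba, "sectors": sectors,
            "end_lba": start_lba + sectors,  # first sector after the partition
        })
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, BOOT_CODE_END)[0],
        "partitions": partitions,
    }


def unpartitioned_head(parsed: dict) -> int:
    """Sectors between the MBR and the first partition (the track-0 gap)."""
    first = min((p["start_lba"] for p in parsed["partitions"]), default=1)
    return first - 1


def unpartitioned_tail(parsed: dict, disk_sectors: int) -> int:
    """Sectors after the last partition; Mebroot stores its driver there."""
    last_end = max((p["end_lba"] for p in parsed["partitions"]), default=1)
    return max(disk_sectors - last_end, 0)


def sector_in_tail(parsed: dict, disk_sectors: int, sector: int) -> bool:
    """True if a sector reported by a scanner lies past the last partition."""
    last_end = max((p["end_lba"] for p in parsed["partitions"]), default=1)
    return last_end <= sector < disk_sectors


def diff_regions(mbr_a: bytes, mbr_b: bytes) -> list:
    """Name the MBR regions that differ. Mebroot swaps the boot code only."""
    regions = [("boot_code", 0, BOOT_CODE_END),
               ("disk_signature", BOOT_CODE_END, DISK_SIG_END),
               ("partition_table", TABLE_START, 510),
               ("signature", 510, SECTOR)]
    return [name for name, lo, hi in regions if mbr_a[lo:hi] != mbr_b[lo:hi]]


def read_raw_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw device (administrator on Windows, root on Linux,
    e.g. /dev/sda). A live MBR rootkit can hook disk I/O and hand back the
    clean original, so compare with an offline (boot CD) read when in doubt."""
    with open(device, "rb") as disk:
        return disk.read(SECTOR)


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed MBR image (assumed values, not a real disk)."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    disk_sig = struct.pack("<IH", 0x1A2B3C4D, 0)
    table = b"".join(
        struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\xfe\xff\xff",
                    ptype, b"\xfe\xff\xff", start_lba, sectors)
        for bootable, ptype, start_lba, sectors in partitions
    ).ljust(64, b"\x00")
    return code + disk_sig + table + SIGNATURE


# Constructed: an XP-era ~120 GB disk with one NTFS partition starting at
# LBA 63, and the same disk after a rootkit replaced only the boot code.
DISK_SECTORS = 234_441_648
PARTITIONS = [(True, 0x07, 63, 234_436_545)]
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb\x50\x07", PARTITIONS)
INFECTED_MBR = build_sample_mbr(b"\xeb\x1b\x90\x00\x00\x00\x00\x00\xfa\x33", PARTITIONS)

if __name__ == "__main__":
    parsed = parse_mbr(CLEAN_MBR)
    for p in parsed["partitions"]:
        print("partition %d type 0x%02x LBA %d..%d bootable=%s" % (
            p["index"], p["type"], p["start_lba"], p["end_lba"] - 1, p["bootable"]))
    print("unpartitioned head/tail sectors: %d / %d" % (
        unpartitioned_head(parsed), unpartitioned_tail(parsed, DISK_SECTORS)))
    print("regions changed by the rootkit:", diff_regions(CLEAN_MBR, INFECTED_MBR))
```

Run it as-is to see the constructed case; to use it on a real machine, save `read_raw_mbr()` to a file right after `fixmbr` and diff that against a later read. A result of `["boot_code"]` with an untouched partition table is the Mebroot pattern, and a GMER sector number that `sector_in_tail` puts past the last partition is the hidden payload rather than "leftover junk".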


Hi! I've been having major problems with this virus for the past two days. No matter what I do I can't fix it. It mutes the Wave of my sound periodically (like every 3 mins) and I have to keep on turning it back up. It also brings up random Internet Explorer pop-ups. ESET brought it up as Win32/Mebroot Trojan and said it was in the operating memory, but it is unable to clean it. I've been going around forums and trying various things but none of them work so far. I tried Malwarebytes Anti-Malware software. I tried Dr. Web's CureIt, I tried the standalone removal software of ESET and Norton. I also tried running both ESET and Malwarebytes in safe mode. ESET won't even open in safe mode. Malwarebytes deleted 8 viruses but can't pick up the Mebroot Trojan. I don't know what to do. I don't even know how to do the log thing. I saw some forums saying to use GMER but it crashed my computer 3 times within 2 minutes in normal mode. It crashed again in safe mode but it took like 15-20 mins that time. What should I do?

OK, so I found out about DDS and ran it. Here are the results:

DDS (Ver_10-03-17.01) - NTFSx86 NETWORK
Run by student at 10:01:40.90 on Mon 07/12/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3002.2560 [GMT -5:00]
AV: ESET NOD32 Antivirus 4.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============

C:\WINDOWS\system32\svch... Read more

A:Win32/ Mebroot Trojan

Hello shanakms, welcome to BleepingComputer.

==========================
Download OTL to your desktop. Double click on OTL to run it. When the window appears, underneath Output at the top change it to Minimal Output. Under the Standard Registry box change it to All. Under the Custom scans and fixes section paste in the below:

netsvcs
%SYSTEMDRIVE%\*.*
%systemroot%\*. /mp /s
%systemroot%\system32\*.dll /lockedfiles
%systemroot%\Tasks\*.job /lockedfiles
%systemroot%\System32\config\*.sav
%systemroot%\system32\drivers\*.sys /90
%systemroot%\system32\Spool\prtprocs\w32x86\*.dll

Check the boxes beside LOP Check and Purity Check. Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long. When the scan completes, it will open two notepad windows, OTL.Txt and Extras.Txt. These are saved in the same location as OTL. Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.

========== MBR.exe
Please download and run MBR.exe by GMER: http://www2.gmer.net/mbr/mbr.exe
It will produce a log, mbr.txt, in the same directory as the program. Please copy/paste that log here.

============ MBR Check
Please download mbrcheck from Here. Save that file to your desktop and double click on it to run it. It will show a black screen with some data on it. Right click on the screen and select Mark. Then take your mouse and sele... Read more


An online BitDefender scan found Trojan.Mebroot.B on my system and said it had deleted it but it reappears every time I restart the computer. Have run AVG, AdAware and Spybot S & D but none of them pick it up. I've also run fixmbr on all hard disks from Recovery Console but it still reappears. Does anyone know of a way to remove this completely please?

A:Help Wanted - Trojan.mebroot.b

Please download mbr.exe and save it to your root directory, usually C:\ <- (Important!). Go to Start > Run and type: cmd.exe, then press Ok. At the command prompt type: c:\mbr.exe >>"C:\mbr.log" and press Enter. A "DOS" box will open and quickly disappear. That is normal. A log file named mbr.log will be created and saved to the root of the system drive (usually C:\). Copy and paste the results of the mbr.log in your next reply.


This is what happens when I try and clean. It showed up when I plugged in my external hard drive after I restarted my computer. Before, it said it was on the 2. physical disk; that might have been my second hard drive, which was disconnected when I plugged in my external, because prior I received the same alert saying it was on the 2. physical disk when they were both plugged in. I disconnected the external and left my second hard drive plugged in, then I began to run scans and I followed some tips from a few sites to get rid of it. I've also reformatted Windows to get rid of it. I ran scans after and I had nothing, everything was fine, but then I was stupid and plugged in my external hard drive and I get the alert posted in the screenshot. I disconnected it quickly. I ran a scan after that and I have nothing. Do I still have the bug? Because that only popped up because I connected my external hard drive. When I disconnected the external I ran scans, I get nothing on my computer's hard drive. Is my PC and second hard drive clean and only my external dirty? I ran scans on my second hard drive and it's clean as well. I read up on this virus and it's pretty nasty; I currently have NOD32 and Malwarebytes. I want to know if the virus is hiding itself or if it's finally gone. Some help would be greatly appreciated, forgive me if my explanation sucks.

This is my Malwarebytes log:

Malwarebytes' Anti-Malware 1.42
Database version: 3425
Windows 5.1.2600 Service Pack 2
Internet Explorer 6.0.2900.... Read more

A:Win32/Mebroot.mbr trojan

GMER Rootkit Scanner - Download - Homepage

Why? Rootkits can generally be removed effectively, but they need to be removed before other malware can be cleaned, and they sometimes interfere with some of the tools we use. If you start a new topic, please include the GMER log as an initial check for the presence of rootkits.

Extract the contents of the zipped file to desktop. Double click GMER.exe. If it gives you a warning about rootkit activity and asks if you want to run a full scan, click on NO, then use the following settings for a more complete scan. In the right panel, you will see several boxes that have been checked. Ensure the following are UNCHECKED:
Sections
IAT/EAT
Drives/Partition other than Systemdrive (typically C:\)
Show All (don't miss this one)
Then click the Scan button and wait for it to finish. Once done click on the [Save..] button, and in the File name area, type in "ark.txt". Save the log where you can easily find it, such as your desktop.

**Caution** Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries. Please copy and paste the report into your post.

Download this tool to desktop: http://www2.gmer.net/mbr/mbr.exe
Double click it and post the log it creates on desktop (mbr.log).


Please Help!

I did have the antiviruspro_2010 virus which I managed to get rid of (at least there are no signs of it in the system tray).

Now ESET Smart Security 4 is saying there's a threat by the Win32/Mebroot Trojan but it's unable to clean it. I've tried running Malwarebytes but it only runs for about 5 seconds and then freezes. I've tried renaming the mbam.exe to stopzilla.exe, xxxx.exe but that didn't work.

I'm unable to connect to the internet (only in safe mode) and my CPU won't even shut down unless I power down manually. What can I do next?

I apologize in advance for not following the correct protocol.

Any help will be greatly appreciated.

Larry

A:Win32/Mebroot Trojan

Welcome to BC. We need to check for rootkits with RootRepeal.

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror / Secondary Mirror / Secondary Mirror / Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror / Secondary Mirror / Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror / Secondary Mirror / Secondary Mirror

Extract RootRepeal.exe from the archive (if you did not use the "Direct Download" mirror). Open on your desktop. Click the tab. Click the button. Check all seven boxes. Push Ok. Check the box for your main system drive (usually C:), and press Ok. Allow RootRepeal to run a scan of your system. This may take some time. Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.

----------------------------------
Please note: If RootRepeal fails to run, try this step: Click Settings - Options. Set the Disk Access slider to High. Also try: right-click on rootrepeal.exe and rename it to tatertot.scr


Hello folks!

First a little introduction about what I've done before I found this forum:
I live in a dormitory and got a message from the internet service provider that my computer is infected by the Mebroot/Torpig Trojan. They blocked my internet access because of that Trojan. Yesterday I scanned my computer with the anti-virus programs "Avira Free Antivirus", "Malwarebytes Anti-Malware" and "Spybot - Search and Destroy". None of these programs was able to find the Trojan. The internet service provider advised GMER and Kaspersky TDSSKiller. With GMER I found "MBRoot/Sinowal@MBR code", with Kaspersky TDSSKiller I found "Rootkit.Boot.Sinowal.b". In Kaspersky TDSSKiller I chose the option "Cure", rebooted the computer and searched again with GMER and Kaspersky TDSSKiller. Nothing was found, so I wrote a mail to the internet service provider that my computer was clean now and today my internet access was activated again.

Now my problem:
As I said, GMER no longer shows "MBRoot/Sinowal@MBR code has been found" written in red after the scan anymore. But when I look closer there is still something that doesn't sound that good (although it isn't written in red, but in black letters): "malicious Win32: MBRoot code @ sector 320143323".
Furthermore I can find the files "ibm00001.exe", "ibm00003.exe", "country.exe" and "ibm00001.dll" in my registry and I read that these files are signs of the Torpig Trojan.

I would like to know if the Mebroot/Torpig Trojan still is on my computer ... Read more

A:Mebroot / Torpig Trojan

Good evening. When you ran TDSSKiller it should have created a log saved to the root of your hard drive as C:\TDSSKiller.Version_Date_Time_log.txt. I'd like a copy of the contents in your next reply. Please check that you get the one with the right date and time.

"As I said GMER no longer shows "MBRoot/Sinowal@MBR code has been found" written in red after the scan anymore. But when I look closer there is still something that doesn't sound that good (although it isn't written in red, but in black letters): "malicious Win32: MBRoot code @ sector 320143323"."

It is possible that this is just leftover junk from the infection, but we'll peek further in a while.

"Furthermore I can find the files "ibm00001.exe", "ibm00003.exe", "country.exe" and "ibm00001.dll" in my registry and I read that these files are signs of the Torpig Trojan."

Can you tell me where exactly in the registry you find these file names?


**In any case where you happen to be busy or unable to give us a reply, we would be grateful if you keep us informed in advance and we will be more than happy to wait. Failure to do so we will have your thread closed in THREE(3) days.

Hello there, blackeagle. I'm Conspire, I'll be glad to help you with your computer problems. Please observe these rules while we work:
Read the entire procedure. It is important to perform ALL actions in sequence.
If you don't know, stop and ask! Don't keep going on.
Please reply to this thread. Do not start a new topic.
Stick with me till you're given the all clear.
Remember, absence of symptoms does not mean the infection is all gone.
Don't attempt to clean your computer with any tools other than the ones I ask you to use during the cleanup process.
IMPORTANT NOTE: Please do not delete anything unless instructed to. Remember to backup all your important data (if possible) before moving on.

A:Infected with Mebroot trojan

Hi, please download DeFogger to your desktop. Double click DeFogger to run the tool. The application window will appear. Click the Disable button to disable your CD Emulation drivers. Click Yes to continue. A 'Finished!' message will appear. Click OK. If it needs to, DeFogger may ask to reboot the machine - click OK.
IMPORTANT! If you receive an error message while running DeFogger, please post the log defogger_disable which will appear on your desktop. Do not re-enable these drivers until otherwise instructed.
===================================================
Please read through these instructions to familiarize yourself with what to expect when this tool runs. Refer to the ComboFix User's Guide. Download ComboFix from one of these locations: Link 1, Link 2.
* IMPORTANT - Save ComboFix.exe to your Desktop
====================================================
Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs
====================================================
Double click on combofix.exe and follow the prompts. When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply for further review.
=================... Read more


My computer was infected with Win32/Mebroot and my NOD32 can delete it.. What should I do? If I reformat my drive C: will it remove it completely? Please advise.
 

A:win32/mebroot trojan please help!

Yes. Formatting the hard drive and doing a clean reinstall of Windows will erase everything and give your computer a fresh start.

You need to know what you did that infected your computer so you don't do it again.

--------------------------------------------------------
 


Hello! I was asked to post this in the HJT forum per garmanma: http://www.bleepingcomputer.com/forums/t/260812/win32mebroot-trojan/
After a few recommendations the only .exe file I was able to run successfully was the OTL report (logs posted below).

Here's a brief description of my problem: ESET Smart Security 4 is saying there's a threat by the Win32/Mebroot Trojan but it's unable to clean it. I've tried running Malwarebytes but it only runs for about 5 seconds and then freezes. I've tried renaming the mbam.exe to stopzilla.exe, xxxx.exe but that didn't work. I'm unable to connect to the internet (only in safe mode) and my CPU won't even shut down unless I power down manually.

Here are the OTL logs:

OTL.txt
OTL logfile created on: 9/29/2009 6:54:00 PM - Run 1
OTL by OldTimer - Version 3.0.16.0 Folder = C:\Documents and Settings\Larry\Desktop
Windows XP Home Edition Service Pack 2 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 6.0.2900.2180)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: M/d/yyyy
510.98 Mb Total Physical Memory | 116.52 Mb Available Physical Memory | 22.80% Memory free
1.22 Gb Paging File | 0.81 Gb Available in Paging File | 66.80% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 111.70 Gb Total Space | 36.21 Gb Free Space | 32.42% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded... Read more

A:Win32/Mebroot Trojan

Hello L Dub, welcome to BleepingComputer.
=====================
Please download and run MBR.exe by GMER: http://www2.gmer.net/mbr/mbr.exe
It will produce a brief log, mbr.txt, in the same directory as the program. Please copy/paste that log here.
============


SpyBot S&D and my NOD32 has just detected a mebroot trojan please point me in the right direction of removing this evil beast from my computer. I've read about all the evils it does and I want a way to fight back....HELP PLEASE!!!!!(Moderator edit: post moved to more appropriate forum. jgw)

A:is there any way to remove mebroot trojan?

Welcome to BC. Please run 2 scans and post back the logs. There may be a purchase offer in the first; I don't want you to buy anything here.

Please go HERE to run Panda's ActiveScan. Once you are on the Panda site click the Scan your PC button. A new window will open; click the Check Now button. Enter your Country, enter your State/Province, enter your e-mail address and click send. Select either Home User or Company. Click the big Scan Now button. If it wants to install an ActiveX component, allow it. It will start downloading the files it requires for the scan (Note: It may take a couple of minutes). When download is complete, click on My Computer to start the scan. When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Next run MBAM: Please download Malwarebytes Anti-Malware (v1.34) and save it to your desktop (alternate download link 1, alternate download link 2). If you have a previous version of MBAM, remove it via Add/Remove Programs and download a fresh copy. Make sure you are connected to the Internet. Double-click on mbam-setup.exe to install the application. When the installation begins, follow the prompts and do not make any changes to default settings. When installation has finished, make sure you leave both of these checked: Update Malwarebytes' Anti-Malware, Launch Malwarebytes' Anti-Malware. Then click Finish. MBAM will automatically start and you will be asked to update... Read more


Hiya, I've just had an awful couple of days removing these viruses, I'm surprised my computer still works! I'm sure there are still some infected files on my computer or possibly complete viruses because Google Chrome has ceased to work (even after reinstalling) and I am getting pop-ups in Firefox which Avast has to keep blocking. I've also reinstalled Java. If anyone could help me that would be great. Thank you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:29:29, on 09/04/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\LightScribe ... Read more

A:Recovering from XP Antimalware 2010 + Trojan.Vundo + Trojan.BHO.H + Rootkit.TDSS + more

Hello and welcome to Bleeping Computer. We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

If you have since resolved the original problem you were having, we would appreciate you letting us know. If not, please perform the following steps below so we can have a look at the current condition of your machine. Please include a clear description of the problems you're having, along with any steps you may have performed so far. Please refrain from running tools or applying updates other than those we suggest while we are cleaning up your computer. The reason for this is so we know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process. Even if you have already provided information about your PC, we need a new log to see what has changed since you originally posted your problem.

We need to create an OTL Report. Please download OTL from one of the following mirrors: This is THE Mirror. Save it to your desktop. Double click on the icon on your desktop. Click the "Scan All Users" checkbox. In the custom scan box paste the following:

netsvcs
msconfig
safebootminimal
safebootnetwork
activex
drivers32
%systemroot%... Read more


Hi friends, ironic I get infected, since I'm learning to avoid such things. I don't know how this happened; had a lot of popups from VirusRemover2008 earlier, tried to run mbam several times, wouldn't run. Tried in safe mode, would not run. Renamed it and it suddenly ran. Ran it once in safe mode but had to abort, PC really slowed down too much; it deleted some Vundo's on reboot, in normal mode things looked ok... for a while. The popups soon returned and mbam ran but could not update, even though the internet worked fine, but it scanned and found a fair few infections (second log posted). RSIT will not scan, get the following error message when I try:
Line -1:
Error: Error parsing function call.
I think I have a rootkit infection (TDSS I think is rootkit related). Sorry I can't post any diagnostic info (HJT will run but is clean), all I can post is the mbam logs:

Malwarebytes' Anti-Malware 1.31
Database version: 1520
Windows 5.1.2600 Service Pack 3
21/12/2008 03:15:39
mbam-log-2008-12-21 (03-15-36).txt
Scan type: Quick Scan
Objects scanned: 15662
Time elapsed: 6 minute(s), 54 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 3
Registry Keys Infected: 11
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 7
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
C:\WINDOWS\system32\ljJAQGyW.dll (Trojan.Vundo.H) -> No action taken.
C:\WINDOWS\system32\tyshb36rfjdf.dll (Trojan.Fakealert) -> No action taken.
C:\WINDOWS\syste... Read more

A:Trojan.Vundo/Trojan.TDSS/FakeAlert/Zlob/VirusRemover2008

~Sorry for Bump~ (I don't mind being pushed back, but you should know this) I got further detections of TDSS (I thought it may have disappeared because no symptoms were shown) so I ran SDFix in safe mode and it found the rootkit and removed it; RSIT now runs. I think my computer is ok now. Here are the logs:

SDFix: Version 1.240
Run by Jat on 21/12/2008 at 13:12
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services:
Name : TDSSserv.sys
Path : \systemroot\system32\drivers\TDSSmfdc.sys
TDSSserv.sys - Deleted
Restoring Default Security Values
Restoring Default Hosts File
Rebooting
Checking Files:
Trojan Files Found:
C:\windows\system32\drivers\TDSSmfdc.sys - Deleted
C:\windows\system32\TDSSnirj.dat - Deleted
C:\WINDOWS\SYSTEM32\TDSSNIRJ.dat - Deleted

Logfile of random's system information tool 1.05 (written by random/random)
Run by Jat at 2008-12-21 13:34:47
Microsoft Windows XP Home Edition Service Pack 3
System drive C: has 12 GB (31%) free of 38 GB
Total RAM: 894 MB (46% free)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:34:55, on 21/12/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal
Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\Ati2evxx... Read more


Basically I was infected by the Mebroot virus via the drive-by website method. I tried to clear it but to no avail. I have been infected before and decided the last route of action would be a reformat. I performed that and reinstalled Windows XP. gmer.net's detector does not find it; it says that my kernel and MBR are fine. I have tried Malwarebytes software, that also says that I am clean. But when I run ComboFix it says that a .dll called qprm is infected. The problem is that if I boot into my Windows installation my computer freezes so I cannot do anything. But when I boot into safe mode I cannot update virus definitions for the Norton anti-virus checker and the computer just keeps freezing at every given opportunity, so therefore I cannot complete GMER scans etc. I tried the fixmbr in Windows recovery with a safe-mode virus check - does not find anything. But the computer is running choppy, which is unusual, and the System process keeps spiking up to 2%, which it doesn't usually do, and svchost sometimes goes to 50%. I would like to post my combofix.log file but it is on the infected computer which has no access to the internet. If I cannot do anything then I am considering using something such as KillDisk to change all entries on the hard disk to '0'.
Edit: Moved topic from Am I Infected to the more appropriate forum, with the addition of a ComboFix log. ~ Animal

A:Mebroot.Trojan Virus Problem?

An update - I have searched the computer now thoroughly with ESET NOD32 online scan, Kaspersky online scan, Norton 360 scan, NOD32 program scan, none of which have found anything. MBAM found nothing, Spy Doctor found nothing, a-squared found nothing, CureIt found nothing, MBR.exe from GMER found nothing. Though the GMER program sends my computer into a blue screen every time it reaches a certain system file :S and ComboFix repeatedly finds a virus in qmgr.dll, says it has fixed it and then the file reappears the next time I run ComboFix. Here is the ComboFix log.

ComboFix 09-12-11.05 - Matt 13/12/2009 16:01:50.5.2 - x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.3071.2647 [GMT 0:00]
Running from: c:\documents and settings\Matt\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2009-11-13 to 2009-12-13 )))))))))))))))))))))))))))))))
.
2009-12-13 15:41 . 2009-12-13 15:41 -------- d-----w- c:\program files\ESET
2009-12-13 14:43 . 2006-09-13 05:01 1084416 -c----w- c:\windows\system32\dllcache\msxml3.dll
2009-12-13 14:43 . 2006-08-14 10:34 332928 -c----w- c:\windows\system32\dllcache\srv.sys
2009-12-13 14:43 . 2006-06-22 05:06 1435648 -c----w- c:\windows\system32\dllcache\query.dll
2009-12-13 14:43 . 2006-06-22 05:06 69120 -c----w- c:\windows\system32\dllcache\ciodm.dll
2009-12-13 14:43 . 2006-09-04 06:08 1494016 -c----w- c:\windows\... Read more


NOD32 is still reporting a Mebroot trojan. MalwareBytes says the computer is clean. Is this a false positive? Please help. It was discussed in this thread, but it was never resolved. I will be out of town and I will not be able to answer questions until 1/27/09.

*******************************************************************************
Here is the NOD32 log:
Scan Log
Version of virus signature database: 3786 (20090121)
Date: 1/21/2009 Time: 2:52:27 PM
Scanned disks, folders and files: Operating memory
Operating memory - Win32/Mebroot trojan - unable to clean
Number of scanned objects: 423
Number of threats found: 1
Number of cleaned objects: 0
Time of completion: 2:52:33 PM Total scanning time: 6 sec (00:00:06)
*******************************************************************************
Here is the DDS log:
DDS (Ver_09-01-18.01) - NTFSx86
Run by Darla at 14:55:01.10 on Wed 01/21/2009
Internet Explorer: 6.0.2900.5512 BrowserJavaVersion: 1.6.0_11
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1339 [GMT -7:00]
AV: ESET NOD32 Antivirus 3.0 *On-access scanning enabled* (Updated)

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSr... Read more

A:NOD32 Reports Mebroot trojan

Hello and welcome to Bleeping ComputerWe apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help.If you have since resolved the original problem you were having, we would appreciate you letting us know. If not please perform the following steps below so we can have a look at the current condition of your machine. If you have not done so, include a description of your problem, along with any steps you may have performed so far.Upon completing the steps below another staff member will review and take the steps necessary with you to get your machine back in working order clean and free of malware.If you have already posted a DDS log, please do so again, as your situation may have changed. Use the 'Add Reply' and add the new log to this thread. Also please explain your problem as fully as possible. Each little detail will help in getting your system cleaned up and functional again.Thanks and again sorry for the delay.We need to see some information about what is happening in your machine. Please perform the following scans:Please download Malwarebytes Anti-Malware and save it to your desktop.alternate download link 1alternate download link 2Make sure you are connected to the Internet.Double-click on mba... Read more


Hey all, running ESET NOD32, plus SUPERAntiSpyware plus Spybot. ESET cannot remove the Mebroot trojan; the malware scanners do detect and remove but it still is here :X.

Logfile of Trend Micro HijackThis v2.0.4
Scan saved at 12:27:09 AM, on 21/07/2010
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.17055)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe
C:\WINDOWS\System32\svchost.exe
C:\Progr... Read more

A:HijackThis Log Diagnosis (Mebroot Trojan)

Hello. I am PropagandaPanda (Panda or PP for short), and I will be helping you.

Please tell me if the symptoms have changed or any new ones have appeared.

Download and Run DDS
Please download DDS by sUBs from any of the links below:
DDS.scr, DDS.pif
Double click its icon to run it. If you are using Windows Vista, right click it and select "Run as Administrator".
When the scan is finished, two logs will open.
Post DDS.txt directly into your reply. Attach Attach.txt.

Download and Run Scan with GMER
We will use GMER to scan for rootkits.
Please download GMER to your desktop. Note that the file will be randomly named to prevent active malware from stopping the download.
Close all other open programs as there is a slight chance your computer will crash.
Double click the GMER program ******.exe. Your security programs may detect GMER's driver trying to load. Allow it.
You may see a warning saying "GMER has detected rootkit activity". If so, select NO.
Leaving the settings at default, click Scan.
When the scan is complete, click Save and save the log onto your desktop.
Please include the log in your next reply.

With Regards,
The Panda


My ESET NOD32 anti-virus tells me at every login that I have a Mebroot trojan in the operating memory but that it cannot be cleaned. I have done tons of research online and tried to get rid of it with no luck. I need help!

A:Mebroot trojan in operating memory

Hi Mom. We need a deeper look and at least a DDS log. Please go here: Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks. If GMER won't run, skip it and move on.

Let me know if that went well.


Greetings, selfless helpers,

Today I was greeted by a trio of text messages informing me that my internet connection has been shut down because of a crimeware infection. I talked my ISP over to give me net access so I could try to resolve the issue without resorting to a format and re-install (which would be troublesome, as I don't currently have the means to backup everything beyond the essentials and since I got my Windows 7 (64bit) online from Microsoft's student license thingy (I'm not sure, it's been years) and don't actually have a DVD for re-installing it). The ISP told me that I'll eventually be shut down again if the trojan persists.

In any case, I was informed that the trojan in question is Mebroot / Torpig, and resides in the MBR, so a rootkit that avoids virus detection, then, and keylogs, provides remote access, all that nastiness.

My Eset NOD 4.0 is able to find the Mebload.AR trojan in Firefox.exe, which I assume was used to deliver the Mebroot rootkit, but ESET cannot clean it. Additionally, I'm even having problems downloading Windows updates that could possibly help with these security holes, but updating always fails, and I've also failed to manually reset windows update (both bits and the other one cannot be stopped in order to reset), and clearing the downloads folder under the software distribution folder only allowed me to install some of the updates.

I've run DDS as well as a full scan of C: (I haven't run a full check ... Read more

A:Mebroot and Mebload.AR Trojan infections

Greetings and Welcome to The Forums!!

My name is Gringo and I'll be glad to help you with your computer problems. I have put together some things for you to keep in mind while I am helping you to make things go easier and faster for both of us.

Please do not run any tools unless instructed to do so.
We ask you to run different tools in a specific order to ensure the malware is completely removed from your machine, and running any additional tools may detect false positives, interfere with our tools, or cause unforeseen damage or system instability.

Please do not attach logs or use code boxes, just copy and paste the text.
Due to the high volume of logs we receive it helps to receive everything in the same format, and code boxes make the logs very difficult to read. Also, attachments require us to download and open the reports when it is easier to just read the reports in your post.

Please read every post completely before doing anything.
Pay special attention to the NOTE: lines, these entries identify an individual issue or important step in the cleanup process.

Please provide feedback about your experience as we go.
A short statement describing how the computer is working helps us understand where to go next, for example: I am still getting redirected, the computer is running normally, etc. Please do not describe the computer as "the same", this requires the extra step of looking back at your previous post.

NOTE: At the ... Read more


Hi all,

My Win 7 desktop has been infected with a nasty Win32/Mebroot Trojan and I'm unable to remove it.

The strange thing is this Trojan was infected on another operating system (XP) and hard disk. When I had that Trojan/virus last week I tried a number of different programs to kill it including Avast, Vipre, NOD32, Malwarebytes Anti-Malware and SuperAntiSpyware but none have been able to remove it. NOD32 picked it up but it's unable to delete or clean it.

So I gave up and bought a new HD and installed a legit copy of Windows 7 Pro 64 Bit on it.

Before shelving the old HD, I backed up all the files I needed from the HD to the external HD. Yesterday I connected up my external HD to the desktop comp to retrieve some files.

I re-installed NOD32 today and I'm shocked, it's picked up the same Win32/Mebroot Trojan again and again NOD32 is unable to clean it or remove it (even in safe mode). I definitely have not visited any risky sites or let anything installed without my knowledge. Is it possible this Trojan has copied itself onto the new operating system from the external HD? How can I get rid of it?

Please help.

A:Infected with Win32/Mebroot Trojan

Hello as the proper logs are not posted I moved this to the Am I Infected forum.

The infection is deeper than that. Win32/Mebroot replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code, as well as placing additional code to load and patch the following files: Win32/Mebroot is a trojan that installs Win32/PSW.Sinowal malware. Win32/PSW.Sinowal is a trojan that steals passwords and other sensitive information. The trojan is able to log keystrokes. The trojan can send the information to a remote machine. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:
How Do I Handle Possible Identity Theft, Internet ... Read more
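The answer above explains that Win32/Mebroot overwrites the MBR with its own program code, and a later poster in this thread reports that fixmbr "succeeded" while GMER still found malicious code in the sector. The reason both can be true is that an MBR bootkit replaces the 446 bytes of boot code but leaves the 64-byte partition table and the 0x55AA signature alone so Windows still boots. The following script is an added example, not code from this thread or from ESET, GMER or RootRepeal: it parses a 512-byte MBR image, validates the signature, extracts the partition table and compares a SHA-256 of the boot code against a baseline recorded when the disk was known clean. The two MBR images are constructed inside the script; the function names and the baseline dictionary layout are my own choices.

```python
"""Baseline check for a 512-byte Master Boot Record (added example, not from the thread).

A bootkit living in the MBR must replace the boot code (bytes 0..445) but usually
keeps the partition table (bytes 446..509) and the 0x55AA signature intact so the
system still boots. Hashing the boot code on a known-clean disk and re-checking it
later surfaces that replacement even when the partition table still looks fine.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446            # bytes 0..445: boot loader code
PTABLE_OFF = 446              # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sample_mbr(boot_filler: int) -> bytes:
    """Construct a synthetic MBR image for demonstration (not a real disk image).

    boot_filler is repeated across the boot-code area so two images can be built
    that differ only in boot code while sharing one partition table.
    """
    bootcode = bytes([boot_filler]) * BOOTCODE_LEN
    # One bootable NTFS (type 0x07) partition at LBA 2048, 1,000,000 sectors long.
    # CHS fields are left zeroed; modern loaders use the LBA fields.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00",
                        2048, 1_000_000)
    table = entry + b"\x00" * (16 * 3)  # remaining three slots empty
    return bootcode + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Return the boot-code hash and non-empty partition entries; raise on malformed input."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"MBR must be {SECTOR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            "<B3xB3xII", sector, PTABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR against a parse_mbr() baseline; return a list of findings."""
    try:
        current = parse_mbr(sector)
    except ValueError as exc:
        return [f"malformed MBR: {exc}"]
    findings = []
    if current["bootcode_sha256"] != baseline["bootcode_sha256"]:
        findings.append("boot code differs from baseline (possible MBR bootkit or rewritten loader)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(0x90)       # constructed "known-clean" image
    baseline = parse_mbr(clean)
    print("clean vs baseline:", compare_mbr(clean, baseline))        # []
    tampered = build_sample_mbr(0xCC)    # same partition table, different boot code
    print("tampered vs baseline:", compare_mbr(tampered, baseline))  # boot code finding only
```

Reading the live sector requires raw disk access and is deliberately left out; the value of the check depends entirely on the baseline having been taken from a clean disk and on the sector being read through a path the rootkit cannot filter, which is why the helpers in this thread ask for GMER or RootRepeal output taken with those tools' own drivers rather than trusting what the running system reports.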


NOD32 has detected win32/mebroot trojan on my PC. I tried NOD32's own removal for it but I end up with a blue screen every time I run it. http://www.eset.eu/buxus/generate_page.php...0689&lng=en

Using: Vista sp2. ESET NOD32.

Please help!

A:NOD32 reporting: Mebroot Trojan.

Please download Malwarebytes Anti-Malware and save it to your desktop.
Download Link 1
Download Link 2

MBAM may "make changes to your registry" as part of its disinfection routine. If using other security programs that detect registry changes (ie Spybot's Teatimer), they may interfere or alert you. Temporarily disable such programs or permit them to allow the changes.

Make sure you are connected to the Internet.
Double-click on mbam-setup.exe to install the application.
For instructions with screenshots, please refer to the How to use Malwarebytes' Anti-Malware Guide.
When the installation begins, follow the prompts and do not make any changes to default settings.
When installation has finished, make sure you leave both of these checked:
Update Malwarebytes' Anti-Malware
Launch Malwarebytes' Anti-Malware
Then click Finish.
MBAM will automatically start and you will be asked to update the program before performing a scan.
If an update is found, the program will automatically update itself. Press the OK button to close that box and continue.
If you encounter any problems while downloading the definition updates, manually download them from here and just double-click on mbam-rules.exe to install.
On the Scanner tab:
Make sure the "Perform Quick Scan" option is selected.
Then click on the Scan button.
If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
The scan will begin and "Scan in progress" will show at the top. It may take some time to comp... Read more


Hello,

I'm hoping someone will be able to help me with removing this nasty piece of malware that could be the cause of my PC randomly giving me blue screen of death messages which say "bad_pool_caller".

My NOD32 v4 just gave me a warning saying that a threat was found in the object "MBR sector of the 1. physical disk" which was "Win32/Mebroot.BZ" trojan. Unfortunately it wasn't able to remove the infection.

I've already got Malwarebytes Anti-Malware installed, so I updated it and ran a full scan. It couldn't detect any malicious items to remove.

I then googled "how to repair" the MBR, so I used the recovery console to fix the mbr and although Windows said it was successful, when I checked it with gmer's MBR rootkit detector, it said there was still "malicious code" in one sector and a "PE file" found in another sector.

I leave my poorly PC in this forum's capable hands. Thanks in advance for any help.

Edit - I'm running Windows XP SP3.

A:Unable to remove Mebroot.BZ trojan

We Need to check for Rootkits with RootRepeal

Download RootRepeal from the following location and save it to your desktop.
Direct Download (Recommended)
Primary Mirror
Secondary Mirror
Secondary Mirror
Secondary Mirror
Zip Mirrors (Recommended if you have a slower connection or if the Direct Download mirror is down)
Primary Mirror
Secondary Mirror
Secondary Mirror
Rar Mirrors - Only if you know what a RAR is and can extract it.
Primary Mirror
Secondary Mirror
Secondary Mirror

Extract RootRepeal.exe from the archive (If you did not use the "Direct Download" mirror).
Open on your desktop.
Click the tab.
Click the button.
Check all seven boxes:
Push Ok
Check the box for your main system drive (Usually C:), and press Ok.
Allow RootRepeal to run a scan of your system. This may take some time.
Once the scan completes, push the button. Save the log to your desktop, using a distinctive name, such as RootRepeal.txt. Include this report in your next reply, please.


ESET antivirus indicates at every login that I have a Mebroot trojan in the operating memory but is unable to clean it. When first detected, ESET did remove another infection, related? (C:\Documents and Settings\user\Application Data\Sun\Java\Deployment\cache\6.0\9\3709fec9-22d0b18a - a variant of Java/TrojanDownloader.OpenStream.NCI trojan - cleaned by deleting - quarantined [1]). Since infection, unable to use flash drives; response is drive is not formatted and earlier today began receiving spurious audio though not currently. Know that you have addressed this for another earlier this year, topic382494. (How I found you.)

A:Mebroot trojan in operating memory

Run RKill (http://www.bleepingcomputer.com/download/anti-virus/rkill), SUPERAntiSpyware (http://www.superantispyware.com/) (update before scanning), and MalwareBytes (http://www.malwarebytes.org/) (update before scanning) in this order in safe mode (With Networking).


My ESET NOD32 anti-virus tells me at every login that I have a Mebroot trojan in the operating memory but that it cannot be cleaned. I have done tons of research online and tried to get rid of it with no luck. I need help PLEASE!

DDS LOG
DDS (Ver_10-12-12.02) - NTFSx86
Run by Mama bug at 21:48:54.28 on Tue 03/01/2011
Internet Explorer: 7.0.5730.11 BrowserJavaVersion: 1.6.0_23
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.72 [GMT -5:00]
AV: ESET NOD32 Antivirus 4.0 *Enabled/Updated* {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
C:\WINDOWS\system32\svchost -k rpcss
C:\WINDOWS\System32\svchost.exe -k netsvcs
C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup
C:\WINDOWS\system32\svchost.exe -k NetworkService
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe -k LocalService
C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Spyware Doctor\BDT\BDTUpdateService.exe
C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdrcoms.ex... Read more

A:Mebroot trojan in operating memory

Hi,

Please do the following:

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

Double click on ComboFix.exe & follow the prompts.

As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\C... Read more


My Hotmail doesn't work from Internet Explorer, also my MSN and Yahoo msn, etc. When I tried to run the SDFix my keyboard is turned off to press the Y or any other key. Thanks for the help.

A:Infected trojan Win32/Mebroot.k

What program is alerting you to the infection and where is it located at on your system?


Greetings,

When I run ESET Smart Security Scan I receive a threat found alert. The message says: Object: MBR sector of the 0. physical disk Threat: Win32/Mebroot.mbr trojan

When I select the clean button another message pops up saying "Error while cleaning - operation unavailable for this object type."

I have inserted a copy of the dds.scr script and attached the Attach.txt. Because the ark.txt file was larger than the 502.32k file upload limit, I split the ark.txt file into two files, ark1.txt and ark2.txt. ark2.txt will be attached in the following post. Any assistance would be greatly appreciated.

Thanks

DDS (Ver_09-12-01.01) - NTFSx86
Run by Ruben at 22:32:06.34 on Sat 03/06/2010
Internet Explorer: 8.0.6001.18702 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.3007.2482 [GMT -8:00]
AV: ESET Smart Security 3.0 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Acronis\CDP\afcdpsrv.exe
C:\Program Files\Common Files\Apple\Mob... Read more

A:Infected with Win32/Mebroot.mbr trojan

Hi and welcome to the Virus/Trojan/Spyware/Malware Removal forum,

I am thcbytes and I am here to help you!

I ask that you refrain from running tools other than those I suggest to you while I am cleaning up your computer. The reason for this is so I know what is going on with the machine at any time. Some programs can interfere with others and hamper the recovery process.

Please perform all steps in the order received and do not proceed if you need clarification.

Please copy and paste all logs into your post unless directed otherwise. Please do not re-run any programs I suggest. If you encounter problems please stop and tell me about it. When your computer is clean I will alert you of such. I will also provide you with detailed suggestions for prevention.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

After 5 days if your topic is not replied to we assume it has been abandoned and I will close it.

I would also like to inform you that most of us here at Bleeping Computer offer our expert assistance out of the goodness of our hearts. Please be courteous and appreciative for the assistance provided!

Again I would like to remind you to make no further changes to your computer unless I direct... Read more


Thanks for helping!

The issue is that the hard drive runs like crazy, and the CPU is running more than normal. There's a process called SERVICES.EXE and McShield.EXE that take up considerably more CPU time than normal resulting in noticeable degradation of computer performance. In addition, at the time of initial infection a pop-up window from FireFox warned that the computer had been infected was displayed for a fleeting moment. Then FireFox crashed. After reboot FireFox will successfully start up only on a second attempt. The first attempt is a complete failure with no warning. In addition, Google searches are redirected to ridiculous websites that are obviously meant for further infection.

Tragically, my gmail and hotmail accounts have already been compromised. Upon logging into my gmail account, it was found that the account had been disabled due to suspicious activity. I had to reset the password, in order to use the account again. The hotmail account simply said that there had been a number of attempts to access the account. CRAZY!

ESET and SpyWare Dr have successfully removed the viruses and spyware. I made sure to run both apps until no more problems were found. However, when starting up the computer the same symptoms are there with excessive hard drive and CPU activity. In addition, FireFox redirects Google searches to other locations. ESET and SpyWare Dr are fired up and more spyware and viruses are found!

I tried using the GMER application... Read more

A:Multi-Infections: Win32/Mebroot.DT Trojan, and more ...

Hello, and welcome to the Malware Removal forum! My online alias is Blade Zephon, or Blade for short, and I will be assisting you with your malware issues!

If you have since resolved the original problem you were having, we would appreciate you letting us know.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

Before we begin cleaning your machine, I'd like to lay out some guidelines for us to follow while we are working together.

I will be assisting you with your malware issues. This may or may not resolve other problems you are having with your computer. If you are still having problems after your machine has been determined clean, I will be glad to direct you to the proper forum for assistance.

Even if things appear better, that does not mean we are finished. Please continue to follow my instructions until I give you the all clean. Absence of symptoms does not mean that all the malware has been removed. If a piece of the infection is left, it can regenerate and reinfect your machine. Attention to detail is important! Since I cannot see or directly interact with your computer I am dependent on you to "be my eyes" and provide as much information as you can regarding ... Read more


Hi,

I'm running Win XP and ESET gave me an alert "MBR Sector of the 2. Physical Disk" WIN32/mebroot.k trojan. I ran ESET and EMebRemover.exe, but it could not fix the problem.

I've attached the logs

DDS (Ver_10-03-17.01) - NTFSx86
Run by Administrator at 21:22:35.64 on Sun 09/26/2010
Internet Explorer: 8.0.6001.18702
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1022.454 [GMT -7:00]
AV: ESET Smart Security 4.2 *On-access scanning enabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *enabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

============== Running Processes ===============
C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Setti... Read more

A:ESET found Win32/mebroot.k trojan and can't get rid of it

Hello and Welcome to the forums! My name is Gringo and I'll be glad to help you with your computer problems.

Some things to remember while we are working together.
Do not run any other tool until instructed to do so!
Please Do not Attach logs or put in code boxes.
Tell me about any problems that have occurred during the fix.
Tell me of any other symptoms you may be having as these can help also.
Do not run anything while running a fix.

In the upper right hand corner of the topic you will see a button called Options. If you click on this in the drop-down menu you can choose Track this topic. By doing this and then choosing Immediate E-Mail notification and then clicking on Proceed you will be advised when we respond to your topic and facilitate the cleaning of your machine.

We apologize for the delay in responding to your request for help. Here at Bleeping Computer we get overwhelmed at times, and we are trying our best to keep up. Please note that your topic was not intentionally overlooked. Our mission is to help everyone in need, but sometimes it takes just a little longer to get to every request for help. No one is ignored here.

In order for me to see the status of the infection I will need a new set of logs to start with.

Please print out or make a copy in Notepad of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.

DeFogger:
Please download DeFogger to your desktop.
Double click DeFogger to run the tool. The ap... Read more
