Mebroot.mbr trojan

Discussion in 'Malware Help (A Specialist Will Reply)' started by dims3, Dec 30, 2009.

  1. dims3

    dims3 Private E-2

    Yesterday I got this message from NOD32
    Threat found!
    Object: MBR sector of the 1. physical disk
    Threat: Win32/Mebroot.mbr trojan

    I googled it and ended up in your forum, unfortunately after I had already tried some things like mbr.exe.

    I've gone through the cleaning procedure etc. and here are the logs.

    Thanks!!
     


  2. dims3

    dims3 Private E-2

    Please ignore the previous logs.
    I ran the programmes according to the instructions now.
     


  3. dims3

    dims3 Private E-2

    And here's the MGlog.zip
     


  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    There are no signs of this MBR infection in your logs. Are you sure you don't already have it fixed? Have you tried to use Control Panel -> User Accounts to delete the Help Assistant account?

    You do need to uninstall your outdated Sun Java version and update to the current version as requested in the READ & RUN ME.
     
  5. dims3

    dims3 Private E-2

    Well, every time I turn the PC on, I get the same message from NOD32.
    I also ran the GMER tool, and it still reports "copy of MBR in sector XXXX" etc.

    In "Control Panel -> User Accounts" there is only one account (the one I log in) and a Guest account which is not active.

    I uninstalled the Java version, do I have to install the updated one and then re-scan my pc with the specified software?
     
  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    When an infection existed in the past and has been cleaned by running fixmbr, you will still see GMER, or the mbr program from them, detecting signs left over from the infection in other sectors. fixmbr restores only sector 0 (the MBR), and in such a case mbr.exe will always show all sectors related to Mebroot. If the rootkit were still really active, you would see lines like the ones below:

    Warning: possible MBR rootkit infection !
    MBR rootkit infection detected !

    NOD32 is likely only seeing the same thing.

    Yes, as stated, you need to install the current version. But no, you do not need to run any more scans. Your logs are clean.
     
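A defender-side check for the leftovers described in the reply above, added here as an example and not taken from the thread, from GMER or from mbr.exe: it scans a raw disk image for sectors whose boot-code area duplicates sector 0, the kind of finding those tools print as "copy of MBR in sector N" even after fixmbr has rewritten sector 0. The sample image, the sector number 62, the disk signature and the function names are constructed for this example.

```python
# Added example (not from the thread): locate sectors that carry a copy of the
# boot code in sector 0. fixmbr rewrites only sector 0, so such copies survive
# a cleanup and are what GMER / mbr.exe keep reporting afterwards.
import struct

SECTOR = 512          # classic sector size assumed for the example
BOOT_CODE_LEN = 440   # bytes before the disk signature (440) and partition table (446)


def find_mbr_copies(image: bytes, sector_size: int = SECTOR, min_match: int = BOOT_CODE_LEN):
    """Return sector numbers (never 0) whose first `min_match` bytes equal sector 0's.

    Only the boot-code area is compared: a stashed copy may carry a different
    disk signature or partition table, so a full-sector compare would miss it.
    """
    mbr = image[:sector_size]
    if len(mbr) < sector_size or mbr[510:512] != b"\x55\xaa":
        raise ValueError("sector 0 does not carry a 0x55AA boot signature")
    code = mbr[:min_match]
    if not code.strip(b"\x00"):
        # An all-zero boot area would "match" every blank sector; refuse to scan.
        raise ValueError("sector 0 boot code is empty; nothing meaningful to compare")
    hits = []
    for n in range(1, len(image) // sector_size):
        sector = image[n * sector_size:(n + 1) * sector_size]
        if sector[:min_match] == code:
            hits.append(n)
    return hits


def build_sample_image(total_sectors: int = 64) -> bytes:
    """Constructed disk image: a boot sector in sector 0 and a copy of its boot
    code stashed in sector 62 with a different tail, mimicking the leftover case."""
    boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * 433  # 440 bytes
    signature = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"   # constructed signature + reserved
    partition_table = b"\x00" * 64
    mbr = boot_code + signature + partition_table + b"\x55\xaa"
    assert len(mbr) == SECTOR
    image = bytearray(SECTOR * total_sectors)
    image[0:SECTOR] = mbr
    image[62 * SECTOR:63 * SECTOR] = boot_code + b"\xff" * 72  # same code, different tail
    return bytes(image)


if __name__ == "__main__":
    for n in find_mbr_copies(build_sample_image()):
        print(f"copy of MBR boot code in sector {n}")
```

On a real system the same function can be fed the first few MiB read from the raw physical disk device; a hit is a reason to inspect, not proof of an active rootkit, since a cleaned-up Mebroot leaves exactly such copies behind.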
