mebroot/torpig?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Jompalainen, Apr 3, 2013.

  1. Jompalainen

    Jompalainen Private E-2

    My broadband provider has blocked uploading access on my home network. They say it is because one or more of my PCs have been infected with mebroot/Torpig. They ask me to run virus checks to clean the computer(s). I have already tried a few antivirus tools that they have recommended, but not seen any signs of Torpig.

    My broadband provider has sent me this extract from their log for my IP address (partly concealed with xxx):
    > ###LOG###
    > "2013-03-15 17:13:46","88.89.xxx.xxx",2119,0,"","0.0.0.0",0,80,"","contacted known sinkhole (torpig)"

    Please find attached a few log files from the following tools:
    • RogueKiller
    • Malwarebytes Anti-Malware
    • TDSSKiller
    • HitmanPro
    • MGTools
    • MBRCheck (stalled but log file created)
    Please, if you could help me, I would greatly appreciate it!
     


  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    I'm not seeing any obvious signs of these infections; however the below MBR status may be an issue
    Code:
    +++++ PhysicalDrive0: ST3200021A ATA Device +++++
    --- User ---
    [MBR] 70c8fb85dc0a10d83a8bb03b23503f4f
    [BSP] e044b5f2ccd67701789dcad5e90183e2 : Empty MBR Code
    Partition table:
    0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
    User = LL1 ... OK!
    User = LL2 ... OK!
    +++++ PhysicalDrive1: ST350062 0AS SCSI Disk Device +++++
    --- User ---
    [MBR] 05ae129256b942e8aaf6f70c9b825357
    [BSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 465445 Mo
    1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 953232840 | Size: 11491 Mo
    User = LL1 ... OK!
    Error reading LL2 MBR!
    Do you have important data from these drives backed up elsewhere? Since you are being told there is a mebroot-type infection, these could be problems. Fixing the MBR can possibly result in problems when there is an infection.

    Also do you have your Vista Boot DVD?
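    Added illustration, not part of this thread and not RogueKiller's own code: a small Python reader for the kind of MBR section quoted above. It separates the GPT protective entry (partition type 0xEE, which older MBR checkers print as UNKNOWN and which legitimately carries empty boot code) from the two findings a helper would look at more closely, unrecognised boot code on the active disk and an MBR read error. The report text is a constructed, abridged excerpt in RogueKiller's layout.

```python
import re

# Constructed excerpt in RogueKiller's MBR-report layout (abridged from the thread).
SAMPLE = """\
+++++ PhysicalDrive0: ST3200021A ATA Device +++++
[BSP] e044b5f2ccd67701789dcad5e90183e2 : Empty MBR Code
Partition table:
0 - [XXXXXX] UNKNOWN (0xee) [VISIBLE] Offset (sectors): 1 | Size: 2097151 Mo
User = LL1 ... OK!
User = LL2 ... OK!
+++++ PhysicalDrive1: ST350062 0AS SCSI Disk Device +++++
[BSP] cbe1a3892920c024e3e7b9efc684338e : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 465445 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 953232840 | Size: 11491 Mo
User = LL1 ... OK!
Error reading LL2 MBR!
"""

GPT_PROTECTIVE = 0xEE  # partition type of a GPT protective MBR; legitimate on GPT disks
PART_RE = re.compile(r"\d+ - \[(\w+)\] \S+ \(0x([0-9a-fA-F]{2})\)")


def parse_report(text):
    """Split an MBR report into one dict per physical drive."""
    drives, cur = [], None
    for line in text.splitlines():
        if line.startswith("+++++ "):
            cur = {"drive": line.strip("+ "), "bsp": "", "parts": [], "read_errors": 0}
            drives.append(cur)
        elif cur is None:
            continue  # ignore anything before the first drive header
        elif line.startswith("[BSP]"):
            cur["bsp"] = line.split(":", 1)[1].strip()  # boot-code verdict text
        elif m := PART_RE.match(line):
            cur["parts"].append((m.group(1), int(m.group(2), 16)))  # (flag, type)
        elif line.startswith("Error reading"):
            cur["read_errors"] += 1
    return drives


def assess(drive):
    """Return the findings worth a second look; an empty list means nothing stands out."""
    findings = []
    if [t for _, t in drive["parts"]] == [GPT_PROTECTIVE]:
        # Only a 0xEE entry: this is a GPT disk's protective MBR. Old MBR tools print
        # it as UNKNOWN, and an empty boot-code field is exactly what GPT should show.
        return findings
    if drive["bsp"] == "MBR Code unknown" and any(f == "ACTIVE" for f, _ in drive["parts"]):
        findings.append("unrecognised boot code on the active (bootable) disk")
    if drive["read_errors"]:
        findings.append("MBR could not be fully read; rerun with another MBR tool")
    return findings
```

Run `assess()` over each entry from `parse_report()`; on the sample, drive 0 yields nothing and drive 1 yields both findings, which is the same split chaslang draws above.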
     
  3. Jompalainen

    Jompalainen Private E-2

    Thanks for looking at the files, chaslang. There seems to be a problem when I run MBRCheck. The computer froze completely and I needed to unplug the power and reboot to get it operating again. It has happened twice with two different versions of MBRCheck.

    Yes, I have downloaded a Vista DVD image. I have tried running it once. I clicked "Repair your computer", but no Windows partition showed up on the screen, so therefore I was not able to run bootrec.exe. I wonder why I was not able to select any partitions to fix?

    The data I have on these disks are not critical, just documentaries on one disk and films on the other.
     
  4. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    MBRcheck is of very little use to anyone these days. It does not understand many legit MBR types and most of the time, it cannot repair/fix MBRs at all. Try this:


    Please download aswMBR ( 511KB ) to your desktop.
    • Double-click the aswMBR.exe icon to run it
    • Click the Scan button to start the scan
    • On completion of the scan, click the save log button, save it to your desktop and post it in your next reply.


    You need to have an original Vista Boot DVD to know for sure. If you are downloading something then it is most likely illegal and not trustworthy.
     
  5. Jompalainen

    Jompalainen Private E-2

    Thanks for the tips. Please find attached the log file from aswMBR.exe.
    About the Vista DVD, I will try to create another DVD following the instructions here: http://www.vistax64.com/tutorials/141820-create-recovery-disc.html

    Another thing is that I keep seeing the process X10nets.exe occupy about 50% of the CPU of my PC. Can this be related to something "fishy"?
     


  6. Jompalainen

    Jompalainen Private E-2

    I probably also need to mention that after running Prevx 3.0, it found W32.Trojan.Gen in msdr.dll (c:\programdata\windows). I let Prevx remove it.

    Do you think W32.Trojan.Gen may be the torpig trojan that my broadband provider has detected?
     
  7. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Not that I know of. But perhaps it is related. Also I'm quite surprised this was not found and removed by Malwarebytes which has always detected and removed this. I wonder if it was a new infection.


    Now download and save a copy of combofix.exe and save it directly onto your Desktop folder.
    • Then right click on it and select Run As Administrator. Do not disturb it by clicking in the window that opens or it may stall.
    • After it finishes, it may reboot your PC. Attach the C:\combofix.txt log that it creates.
    • If after running Combofix you discover none of your programs will open up because you receive the following error:
      • Illegal operation attempted on a registry key that has been marked for deletion
    • Then you will need to reboot your computer which will normally fix this problem.
     
