WIN32/mebroot (eset)

Hi,

Although my home PC uses Avast my work PC uses ESET.

Today it got infected with WIN32/mebroot. The ESET removal tool did not work and neither did combofix.

Anyone know how to remove this pesky little rootkit?

Cheers

Baz

Have you tried Malwarebytes? http://filehippo.com/download_malwarebytes_anti_malware/

From what I see here this may not be easy: http://www.bleepingcomputer.com/forums/topic301111.html

If so, you need our best tool… Essexboy http://forum.avast.com/index.php?topic=53253.0

Hi, if it is Mebroot we will need to use some specialist tools.

First I will need to confirm that.

Could you post the ComboFix log please?

Will post the log when I get to the office tomorrow morning :slight_smile:

Any idea where it would have stored it?

Hi Baz8755,

Essexboy is a top eliminator and you are in good hands with him, not sure he can do without.
Enter this at the command prompt: FIXMBR, like "fixmbr x:" (without the quotes)
where x is the drive letter, for instance G.
So: FIXMBR \Device\DRIVE_G

  1. boot on XP CD
  2. Press R for repair
  3. In recovery console type the following
  4. fixmbr \device\harddrive0
    Are you sure you want to replace MBR blablabla… y (yes)
  5. fixmbr \device\harddrive1
  6. fixmbr \device\harddrive2
    (for as much drives as you have)

After typing fixmbr \device… there is a warning message; if you don't see that warning message it means that you mistyped the command.
I first tried with "/" instead of "\".

Well, look also for these in the registry:
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973}
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973} deleteflag
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973} errorcontrol
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973}\enum nextinstance
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973}\parameters
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973}\parameters servicedll
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973} imagepath
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973} objectname
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973}\enum
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973}\enum 0
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\{bee686b9-4c84-4487-9d72-9f40f051e973}\enum count

But first follow all of essexboy's instructions to the dot, before you have to try out the solution above, presented as a last resort.

polonus

That will not work Damien as there is an additional user generated on the system and it will just re-write the MBR

As it is at the office - use this diagnostic tool instead

Download and run HAMeb_check.exe
Post the contents of the resulting log.

Hi essexboy,

I leave that to the victim then, thanks for the instruction, you have looked at it from all angles then
from the outset on…;D

D

OK will download and run HAMeb_check.exe as soon as I get in this morning.

It should be noted that this is a Windows 7 machine and was built from a microsoft action pack license so we have no windows disk for it :frowning:

Baz

The HAMeb_check.exe tool states that it is not compatible with my system and exits

Now about to back up valuable data and will attempt to rebuild the machine in a few hours time.

Any advice would be much appreciated as I will check back before rebuilding

Baz

Hi Baz,

You could try this tool MBR rootkit detector.

Download; http://www2.gmer.net/mbr/mbr.exe
(run, there will be a dos/cmd window in a flash and you will find the mbr.log on the desktop)

When there is no MBR rootkit you will find a txt like this in the mbr.log;

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK

If something is found, you will see something like this:

Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
MBR rootkit code detected !
malicious code @ sector 0xe4f8121 size 0x2c3 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: “mbr.exe -f” to fix
But essexboy must have other options…

But what you can do is run a scan with Prevx CSI http://info.prevx.com/downloadcsi.asp

polonus
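The two mbr.log samples polonus posted above differ in only a few trailing lines, and the infected one still contains the reassuring "user & kernel MBR OK" line. The following parser is an added example written for this thread, not a tool from Gmer or from the posters: it reads an mbr.log as text, extracts the detection lines, and returns a verdict that treats the absence of a detection line as "clean" only when the tool also reported successful reads. The sample logs are constructed copies of the output shapes shown in the post; the field names and the "inconclusive" verdict are my own.

```python
import re

# Constructed samples, copied from the two output shapes quoted in the thread.
CLEAN_LOG = """Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
"""

INFECTED_LOG = """Stealth MBR rootkit detector 0.2.4 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
MBR rootkit code detected !
malicious code @ sector 0xe4f8121 size 0x2c3 !
copy of MBR has been found in sector 62 !
MBR rootkit infection detected ! Use: "mbr.exe -f" to fix
"""

# Sector numbers may be printed in hex (0x...) or decimal; int(x, 0) handles both.
_MALICIOUS_RE = re.compile(r"malicious code @ sector (0x[0-9a-fA-F]+|\d+) size (0x[0-9a-fA-F]+|\d+)")
_COPY_RE = re.compile(r"copy of MBR has been found in sector (\d+)")


def parse_mbr_log(text):
    """Extract the status lines from an mbr.exe log into a dict (field names are my own)."""
    result = {
        "device_opened": False,
        "user_read": False,
        "kernel_read": False,
        "mbr_ok": False,
        "rootkit_detected": False,
        "malicious_sector": None,
        "malicious_size": None,
        "original_mbr_copy_sector": None,
    }
    for raw in text.splitlines():
        line = raw.strip()
        if line == "device: opened successfully":
            result["device_opened"] = True
        elif line == "user: MBR read successfully":
            result["user_read"] = True
        elif line == "kernel: MBR read successfully":
            result["kernel_read"] = True
        elif line == "user & kernel MBR OK":
            result["mbr_ok"] = True
        elif line.startswith("MBR rootkit code detected") or line.startswith("MBR rootkit infection detected"):
            result["rootkit_detected"] = True
        elif m := _MALICIOUS_RE.search(line):
            result["malicious_sector"] = int(m.group(1), 0)
            result["malicious_size"] = int(m.group(2), 0)
        elif m := _COPY_RE.search(line):
            result["original_mbr_copy_sector"] = int(m.group(1))
    return result


def verdict(parsed):
    """'infected' if any detection line was present; 'clean' only if the tool read the MBR
    and reported it OK with no detection lines; otherwise 'inconclusive' (partial or failed run)."""
    if parsed["rootkit_detected"]:
        return "infected"
    reads_ok = parsed["device_opened"] and parsed["user_read"] and parsed["kernel_read"]
    if reads_ok and parsed["mbr_ok"]:
        return "clean"
    return "inconclusive"


if __name__ == "__main__":
    for name, log in (("clean sample", CLEAN_LOG), ("infected sample", INFECTED_LOG)):
        parsed = parse_mbr_log(log)
        print(f"{name}: {verdict(parsed)}", parsed)
```

The point of the separate `verdict` step is that "user & kernel MBR OK" on its own proves nothing; a log is clean only when that line is present and none of the detection lines are, and a truncated or failed run must not be read as clean either.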

The machine has now been rebuilt and the company's ESET software is now reporting the machine as clean.

However, it was built by simply running the Windows 7 install disk and clearing partitions. It then showed two partitions, one small undeletable and one where windows was installed.

Would this type of installation procedure have got rid of the virus, or has it just gone to ground only to emerge at a later date, and are there any tools I can use to double check (I will be trying the one suggested by polonus tomorrow)?

One further question: can this virus infect a USB drive? I have reformatted all the drives that were in use and am hoping that this is enough.

Cheers

Baz

One further question: can this virus infect a USB drive? I have reformatted all the drives that were in use and am hoping that this is enough.
You will find some info about it here. Microsoft (and some others) call it Sinowal:
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?name=VirTool%3aWinNT%2fSinowal.A
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Search.aspx?query=sinowal
http://www.google.no/search?hl=no&client=opera&rls=nb&q=mebroot+virus+info&btnG=S%C3%B8k&aq=f&aqi=&aql=&oq=&gs_rfai=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"65533:TCP"= 65533:TCP:Services
"52344:TCP"= 52344:TCP:Services
"3246:TCP"= 3246:TCP:Services
"2479:TCP"= 2479:TCP:Services
"3389:TCP"= 3389:TCP:Remote Desktop
This is the sign of the infection.
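Essexboy's indicator above is a set of GloballyOpenPorts entries from the ComboFix log: several high ports labelled only "Services", plus a 3389 entry labelled with free text "Remote Desktop" rather than the resource-string form Windows itself writes (Baz's "3389:TCP:*:Enabled:@xpsp2res.dll,-22009" further down the thread, which essexboy confirms as legitimate). The script below is an added example, not part of the thread or of ComboFix: it parses entries in that exported format and flags exactly those two patterns, so a reader can run it over their own ComboFix output instead of eyeballing the list. The sample inputs are constructed copies of the lines quoted in this thread; the regex and the reason strings are my own.

```python
import re

# Constructed sample: the infected GloballyOpenPorts list essexboy quoted (one run-on line,
# as ComboFix prints it) and the legitimate 3389 entry Baz posted.
INFECTED_ENTRIES = (
    '"65533:TCP"= 65533:TCP:Services "52344:TCP"= 52344:TCP:Services '
    '"3246:TCP"= 3246:TCP:Services "2479:TCP"= 2479:TCP:Services '
    '"3389:TCP"= 3389:TCP:Remote Desktop'
)
CLEAN_ENTRIES = '"3389:TCP"= 3389:TCP:*:Enabled:@xpsp2res.dll,-22009'

# One entry: "<port>:<proto>"= <value>, where the value runs until the next entry or end of line.
_ENTRY_RE = re.compile(r'"(\d+):(TCP|UDP)"=\s*(.*?)(?=\s+"\d+:(?:TCP|UDP)"=|$)', re.MULTILINE)
# Description written by Windows itself: *:Enabled:@<some>.dll,-<string id>
_RESOURCE_DESC_RE = re.compile(r'^\*:Enabled:@[\w.]+\.dll,-\d+$')


def parse_open_ports(text):
    """Return (port, proto, description) tuples from a GloballyOpenPorts\\List export."""
    entries = []
    for m in _ENTRY_RE.finditer(text):
        port, proto, value = int(m.group(1)), m.group(2), m.group(3).strip()
        # The value repeats "port:proto:" before the description; strip it if present.
        prefix = f"{port}:{proto}:"
        desc = value[len(prefix):] if value.startswith(prefix) else value
        entries.append((port, proto, desc))
    return entries


def flag_entries(entries):
    """Apply the two indicator rules from the thread; returns (port, proto, desc, reason) tuples."""
    flagged = []
    for port, proto, desc in entries:
        if _RESOURCE_DESC_RE.match(desc):
            continue  # Windows-written entry with a resource-string description: the legitimate form
        if desc == "Services":
            flagged.append((port, proto, desc, "generic 'Services' label on an opened port"))
        elif port == 3389 and desc == "Remote Desktop":
            flagged.append((port, proto, desc,
                            "free-text 'Remote Desktop' label instead of the xpsp2res.dll resource string"))
    return flagged


def triage(text):
    """Convenience wrapper: parse and flag in one call."""
    return flag_entries(parse_open_ports(text))


if __name__ == "__main__":
    for name, sample in (("infected sample", INFECTED_ENTRIES), ("clean sample", CLEAN_ENTRIES)):
        hits = triage(sample)
        print(f"{name}: {len(hits)} flagged")
        for port, proto, desc, reason in hits:
            print(f"  {port}/{proto} '{desc}': {reason}")
```

The rules are deliberately narrow, matching only what this thread identifies as the infection's footprint; a port list that contains other, differently labelled entries (as Baz asks about) is not flagged by them, which mirrors essexboy's answer that it is the "Remote Desktop" form, not the mere presence of 3389, that confirms the infection.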

So if I don’t have these ports (but do have others) then it should be OK?

Also ran mbr.exe and showed clean :slight_smile:

3389:TCP:Remote Desktop
It is Remote Desktop that confirms the infection.

Thanks Essexboy

I have a line that reads

3389:TCP:*:Enabled:@xpsp2res.dll,-22009

but not remote desktop

That’s legit ;D