PDA

View Full Version : W32/Mebroot infection



nofam
06-09-2010, 12:48 PM
Hi All,

I have a notebook (XP Pro/SP3) with a rather stubborn variant of the above on it. Have tried the following to get rid of it:

- MBAM
- Spyware Terminator
- Spybot
- NOD32
- Trojan Remover
- Eset's Mebroot removal tool
- HJT

NOD32 detects an infection, and blocks an outbound web request, but can't remove the infection. Eset's removal tool also detects the infection but can't remove it. All the others found nothing.

This seems to be a rootkit, so can someone suggest a course of action. Will rebuild if I have to of course, but would rather avoid this.

:thumbs:

1101
06-09-2010, 01:21 PM
A problem is there is no standardized naming for virus's, often the different
AV companies will asssign slightly/completely different names to the same virus.
So a 'patch' fix from another company may not be for a slightly differnt virus.

try tdsskiller to remove SOME(1) hard to detect rootkits
http://support.kaspersky.com/viruses/solutions?qid=208280684

Also spywaredoctor - update to v6 (be sure to uninstall after use)
This can find infections that the other programs miss
http://majorgeeks.com/Spyware_Doctor_-_Starter_Edition_d5790.html

Also try removing HD & scan via a clean pc: best 1st step of the process
or scan & clean in safe mode.

Speedy Gonzales
06-09-2010, 01:28 PM
Did you disable system restore first?

nofam
06-09-2010, 01:57 PM
Thanks 1101 - will look into those.

Speedy - yes, SR is disabled (forgot to mention that sorry)

nofam
06-09-2010, 02:32 PM
TDSSKiller found two entries and removed them on reboot, so fingers crossed!!

Will see if NOD32 finds any more infections. Thanks 1101/Speedy!

1101
06-09-2010, 03:07 PM
if you still find infections
Have a look at just where & what the infected files are

ie :perhaps its finding old infected emails, another AV's quarenteen etc etc, false postives

definitly run "spyware doctor", Ive found (on average) it has the best hit rate for spyware (but its unstable so uninstall afterwards)

GameJunkie
06-09-2010, 04:14 PM
combofix??

nofam
06-09-2010, 04:29 PM
combofix??

TBH, Combofix scares me - I've never used it, so am never really sure when the right time to use it is!! :blush:

NOD32 scan came up clear, so I'll let it run for the day, and see if it tries to send packets out again.

GameJunkie
06-09-2010, 05:20 PM
fair enough :)