Win32/mebroot Trojan can't clean????

Discussion in 'ESET NOD32 Antivirus' started by ihatetrojans, Jun 25, 2010.

Thread Status:
Not open for further replies.
  1. ihatetrojans

    ihatetrojans Registered Member

    Joined:
    Jun 25, 2010
    Posts:
    7
    Scan pulled up this little guy but cannot clean it. It seems to have done something to the sound capability: nothing is now working, no sound, and the volume buttons are also now not making the pretence of working, which they initially did.

    I have tried to use the ESET Mebroot fix to no avail and have also been dealing with ESET support, but haven't heard back since the first contact (guessing they did not get my reply).

    Doesn't seem like I have any other problems, well, no major ones, but would love some help getting rid of the bug ASAP and getting my sound capability back.

    I have included the ComboFix scan that was requested by ESET support.

    Someone please help, this is getting annoying.
     

    Attached Files:

    • Log.txt (13.8 KB)
    Last edited by a moderator: Jun 25, 2010
  2. overangry

    overangry Registered Member

    Joined:
    Apr 4, 2009
    Posts:
    309
  3. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    There is a removal tool at this Link

    Would you point to the exact URL where you obtained the above removal tool? The exact link is here

    Who at ESET support informed you that ComboFix would remove this infection? If it does not target this type of infection, use of it is moot.

    Try running a full scan in Safe Mode and post back your findings.

    Regards,
     
    Last edited: Jun 26, 2010
  4. ihatetrojans

    ihatetrojans Registered Member

    Joined:
    Jun 25, 2010
    Posts:
    7
    Took the trojan fix from that exact spot on the ESET site, but it doesn't clean, or at least is unable to. Basically it says a new version of the MBR rootkit was found, unable to clean.

    Will run the ESET scan in Safe Mode and let you know. I was under the impression that ComboFix would give details only, so if Manny from ESET thought that it would solve the problem I would be surprised, but you never know.

    Will post asap.

    Thanks
     
    Last edited: Jun 27, 2010
  5. ihatetrojans

    ihatetrojans Registered Member

    Joined:
    Jun 25, 2010
    Posts:
    7
    Scan log is attached.

    On restart from Safe Mode ESET also pulled up the following:
    6/27/2010 1:04:31 AM Startup scanner file C:\System Volume Information\Microsoft\smss.exe a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting (after the next restart) - quarantined
    6/27/2010 1:03:00 AM Startup scanner file C:\System Volume Information\Microsoft\services.exe a variant of Win32/TrojanDownloader.Unruy.BV trojan cleaned by deleting (after the next restart) - quarantined
    But it did not clean on restart, as it was there again.

    Let me know and again I really appreciate the help.
     

  6. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    That's in your restore points, so disable System Restore and reboot your rig. After Windows loads, create a new restore point and all should be gone.
     
  7. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    It would appear the Safe Mode scan has managed to quarantine the files at issue. Meanwhile, someone from ESET has to read your attached scan log file to determine if you are good to go or not.
    Also, as suggested in this thread, do not flush your System Restore archive; you do not want to do this unless instructed to do so by someone that is qualified to do so.
     
  8. ihatetrojans

    ihatetrojans Registered Member

    Joined:
    Jun 25, 2010
    Posts:
    7
    The problem is all still there, and now there is the other as mentioned above. The help from ESET is not particularly helpful; I first contacted them a week ago. Any other ideas?
     
  9. Nerimash

    Nerimash Registered Member

    Joined:
    Apr 14, 2009
    Posts:
    86
    Location:
    Ukraine
  10. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    You could wait for someone from ESET to verify your Safe Mode scan log, or submit an issue ticket online to ESET, or call the person that you spoke with at ESET back. I would do the latter to expedite your issue.

     
  11. ihatetrojans

    ihatetrojans Registered Member

    Joined:
    Jun 25, 2010
    Posts:
    7
    Never heard back from ESET, so have had no real contact from them in two weeks since the original issue ticket was submitted.

    Anyone have any ideas?
     
  12. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you're logged in as an admin with r+w permissions to the C:\System Volume Information folder, scan it in Safe Mode or, better, create rescue media and run a full disk scan from there. Also enclose the threat log and the respective on-demand scanner log with the Mebroot detection; it's not clear if it was detected in the MBR or only in files (ecls doesn't scan boot sectors by default; you need to use the "/boots" parameter).
    Is the Mebroot infection also reported in SysInspector logs?
    What message does the stand-alone Mebroot removal tool return?
     
  13. Marcos

    Marcos Eset Staff Account

    Joined:
    Nov 22, 2002
    Posts:
    14,374
    If you come across a problem removing Mebroot using the stand-alone ESET Mebroot cleaner, create a complete memory dump per the instructions here and let me know when done.
     
  14. egomoo

    egomoo Registered Member

    Joined:
    Aug 28, 2007
    Posts:
    115
    It's an MBR-infecting virus.

    XueTr could detect and fix it.

    But in my test, the partition table was broken after XueTr fixed it.

    So I rebooted into PE and used Partition Table Doctor to rebuild the partition table.

    Then rebooted, and all was OK.
     
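Marcos's point that the detection may be in the MBR rather than in files, and egomoo's report that the partition table was broken after an MBR fix, both come down to the same check a practitioner wants around any boot-sector clean: save sector 0 before the cleaner runs, then confirm afterwards that the partition table is still sane and that the boot code actually changed. The script below is an added example for this thread, not ESET's, XueTr's or any poster's code. It parses the classic 512-byte MBR layout (446 bytes of boot code, four 16-byte partition entries, 0x55AA signature), reports the kinds of damage described above (overlapping entries, missing signature, entries running past the end of the disk), and compares the boot-code bytes against a backup by SHA-256. The sample MBRs, the disk size and the device path are constructed for illustration. One caveat: a kernel-mode MBR rootkit can filter sector reads from inside the running system, so take the reference copy from rescue media, as Marcos suggests, rather than trusting a read from the infected OS.

```python
"""Back up and sanity-check a disk's MBR around a rootkit clean (added example)."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
SIGNATURE = b"\x55\xaa"
ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split one raw sector into boot code, four partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, BOOT_CODE_LEN + 16 * i)
        parts.append({"index": i, "status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": sector[510:] == SIGNATURE}


def partition_table_issues(mbr: dict, disk_sectors=None) -> list:
    """Return human-readable problems; an empty list means the table looks sane."""
    issues = []
    if not mbr["signature_ok"]:
        issues.append("missing 0x55AA boot signature")
    used = [p for p in mbr["partitions"] if p["type"] != 0]
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        issues.append("more than one active partition")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            issues.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0 or p["sectors"] == 0:
            issues.append(f"entry {p['index']}: zero start or length")
        if disk_sectors is not None and p["lba_start"] + p["sectors"] > disk_sectors:
            issues.append(f"entry {p['index']}: extends past end of disk")
    for a in used:          # pairwise overlap check on LBA ranges
        for b in used:
            if a["index"] < b["index"] and a["lba_start"] < b["lba_start"] + b["sectors"] \
                    and b["lba_start"] < a["lba_start"] + a["sectors"]:
                issues.append(f"entries {a['index']} and {b['index']} overlap")
    return issues


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the 446 boot-code bytes only, so partition edits do not change it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def boot_code_matches(backup: bytes, current: bytes) -> bool:
    return boot_code_digest(backup) == boot_code_digest(current)


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw device or image file (needs admin rights on a real disk)."""
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_mbr(boot_code: bytes, partitions, signature=SIGNATURE) -> bytes:
    """Assemble a synthetic MBR; partitions are (status, type, lba_start, sectors)."""
    table = b"".join(struct.pack(ENTRY_FMT, s, b"\xfe\xff\xff", t, b"\xfe\xff\xff", lba, n)
                     for s, t, lba, n in partitions)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table.ljust(64, b"\x00") + signature


# Constructed samples (not real disk contents): a clean layout, the same layout
# with rewritten boot code, and a table damaged by a botched fix (overlapping
# entries, signature gone). DISK_SECTORS is an assumed disk size.
DISK_SECTORS = 1_000_000
CLEAN_BOOT = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 32
LAYOUT = [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 409600)]
GOOD_MBR = build_mbr(CLEAN_BOOT, LAYOUT)
REWRITTEN_MBR = build_mbr(b"\xeb\x3c" + b"\xcc" * 40, LAYOUT)      # boot code changed, table intact
BROKEN_MBR = build_mbr(CLEAN_BOOT, [(0x80, 0x07, 2048, 204800), (0x00, 0x07, 100000, 409600)],
                       signature=b"\x00\x00")


if __name__ == "__main__":
    # Real use: backup = read_mbr(r"\\.\PhysicalDrive0") from an elevated prompt on
    # Windows (or a rescue environment), save it, run the cleaner, then read again
    # and run the same two checks on the new sector.
    for name, sector in (("good", GOOD_MBR), ("rewritten", REWRITTEN_MBR), ("broken", BROKEN_MBR)):
        mbr = parse_mbr(sector)
        print(name, "boot code matches backup:", boot_code_matches(GOOD_MBR, sector),
              "| issues:", partition_table_issues(mbr, DISK_SECTORS) or "none")
```

Keep the saved sector somewhere off the suspect disk; if the partition table comes back damaged after a fix, that 64-byte region of the backup is exactly what a tool such as the one egomoo used has to reconstruct.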
  15. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    We are awaiting a reply from the OP as per the last request from Marcos here

     
  16. ihatetrojans

    ihatetrojans Registered Member

    Joined:
    Jun 25, 2010
    Posts:
    7
    I don't have the option of a full system dump, only small and kernel. What would you like me to do?
     
  17. siljaline

    siljaline Former Poster

    Joined:
    Jun 29, 2003
    Posts:
    6,619
    Send a private message to Marcos advising him you wish further instructions.

     
    Last edited: Jul 20, 2010