Hey all, I'm back again. My dad has a Toshiba laptop that is a couple of years old, and has seen a lot of use. Just yesterday, it went a bit weird with a flash disk my dad plugged in. The flash disk worked fine when I plugged it in again, but it got me thinking a virus might be the culprit.

Now I've had some virus issues with the laptop in the past, but I thought it was all good once I installed NOD32. Since my dad barely ever uses the internet on it (he uses his office PC), the AV doesn't get updated regularly; however, he has quite a few flash disks that are plugged into a number of PCs in his hospital for presentations and such, and I have no clue as to how well those are secured.

So, today I updated NOD32 to the latest definitions, and ran a scan of operating memory and HD. As soon as it started this popped up:

Operating Memory - Win32/Mebroot trojan - cannot clean

I let the scan finish and there were no other infections. This is the first time I have come across this problem, and I'm not sure what to do, as NOD doesn't seem to be able to do anything to fix it. All help is appreciated, thanks.
Hi Ray92,

Try the removal tool for Mebroot -> http://www.softpedia.com/get/Antivirus/Trojan-Mebroot-Removal-Tool.shtml

2OG
Thanks, I'll give it a go and then get back to you. Also, how does this work??? Do I just run it? Thanks
OK, will do. I don't mind peeing on the fence BUT I don't want to mess up my dad's lappy. Also, where are the instructions??? In the .exe???? Thanks
Well, I ran the program, I clicked I agree, and Scan, and after a small amount of time, it popped up with a message saying Trojan.Mebroot has not been found active on your computer. It then made me restart.

This time, I scanned the operating memory with NOD32 and then ran the program again. NOD showed the trojan, but the program did not. Here is a screen of that:

This is the FixMebroot Log:

I thought this was strange, so I installed Malwarebytes' Anti-Malware on the laptop and did a quick scan, without updating to the latest version of the database. It came up with ~50 infections, but to be safe, I took no action, and instead saved a log file. Here it is:

Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

15/12/2008 20:32:14
mbam-log-2008-12-15 (20-32-10).txt

Scan type: Quick Scan
Objects scanned: 45045
Time elapsed: 3 minute(s), 20 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 17
Registry Values Infected: 8
Registry Data Items Infected: 1
Folders Infected: 7
Files Infected: 18

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\myglobalsearchbar.toolbarplugin.1 (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{37b85a2a-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Interface\{37b85a2c-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{014da6c9-189f-421a-88cd-07cfe51cff10} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37b85a29-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\CLSID\{ef281620-a3a3-4f08-874f-d68cfc9b7945} (Adware.MyWebSearch) -> No action taken.
HKEY_CLASSES_ROOT\Typelib\{37b85a20-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{37b85a21-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{37b85a2b-692b-4205-9cad-2626e4993404} (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\IST (Trojan.ISTBar) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\MyGlobalSearch (Adware.BookedSpace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DXDLG32 (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdcg32 (Spyware.OnlineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdwg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdog32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdsg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdmg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdhg32 (Spyware.OnLineGames) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdqg32 (Spyware.OnLineGames) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
C:\Program Files\MyGlobalSearch (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\History (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Settings (Adware.MyWebSearch) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013 (Trojan.Agent) -> No action taken.

Files Infected:
C:\WINDOWS\system32\n1215088046k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\n1215088064k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\n1215088083k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\system32\n1215088123k.exe (Trojan.Downloader) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.JAR (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9FFXTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.JAR (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\M9NTSTBR.MANIFEST (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\1.bin\NPMYGLSH.DLL (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\000D30A6 (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\0096AB3E.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\0096AD1F.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\0096AE73.bin (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Cache\files.ini (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\History\search (Adware.MyWebSearch) -> No action taken.
C:\Program Files\MyGlobalSearch\bar\Settings\prevcfg.htm (Adware.MyWebSearch) -> No action taken.
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\Desktop.ini (Trojan.Agent) -> No action taken.
C:\WINDOWS\SVCHOST.INI (Heuristics.Reserved.Word.Exploit) -> No action taken.

Another strange thing I noticed is that when I hit Ctrl+Alt+Del, it gave me a strange message, something like: the admin has locked this feature. What could cause this, as there is only one account on my dad's laptop and that is his? I also think it is the admin account.

Please help me clean up this laptop. Thanks
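When a scan log like the one above comes back with dozens of hits and "No action taken" on every line, the useful first step for whoever is helping is to triage it: how many hits per section, which ones sit in autostart locations (the Policies\Explorer\Run values here are exactly that, which is why the machine keeps reinfecting itself), and which entries report a changed system setting (the SHOWALL\CheckedValue item that hides files). The script below is an added example written for this thread, not a tool from the original post, from Malwarebytes or from ESET. It parses the Malwarebytes' Anti-Malware 1.x log layout as posted (a few of the posted lines are embedded as a constructed sample) and flags those categories. The list of registry load points it checks is the example's own assumption of well-known Windows autostart keys, not something the thread states.

```python
import re
from collections import OrderedDict

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log layout used in the thread
# (a subset of the posted lines, copied as-is; not the complete log).
SAMPLE_LOG = r"""Malwarebytes' Anti-Malware 1.26
Database version: 1103
Windows 5.1.2600 Service Pack 2

Scan type: Quick Scan
Objects scanned: 45045

Registry Keys Infected: 2
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\myglobalsearchbar.settingsplugin (Adware.MyWebSearch) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\IST (Trojan.ISTBar) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\msdcg32 (Spyware.OnlineGames) -> No action taken.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (Hijack.System.Hidden) -> Bad: (0) Good: (1) -> No action taken.

Files Infected:
C:\WINDOWS\system32\n1215088046k.exe (Trojan.Downloader) -> No action taken.
C:\WINDOWS\SVCHOST.INI (Heuristics.Reserved.Word.Exploit) -> No action taken.
"""

# One detection line: <path> (<family>) -> [Bad: (x) Good: (y) ->] <action>
ENTRY_RE = re.compile(r"^(?P<path>.+?) \((?P<family>[^()]+)\) -> (?P<rest>.*)$")
BADGOOD_RE = re.compile(r"Bad: \((?P<bad>[^)]*)\) Good: \((?P<good>[^)]*)\)")

# Registry locations that run code at logon/boot. Assumed list chosen for this example
# (well-known Windows load points); matched case-insensitively as substrings of the path.
LOAD_POINTS = (
    "\\currentversion\\run\\",
    "\\currentversion\\policies\\explorer\\run\\",
    "\\active setup\\installed components\\",
    "\\browser helper objects\\",
)


def parse_mbam_log(text):
    """Return (summary, findings): per-section counts and one dict per detection line."""
    summary = OrderedDict()
    findings = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("Infected:"):        # section header, e.g. "Registry Keys Infected:"
            section = line[:-1]
            summary[section] = 0
            continue
        m = ENTRY_RE.match(line)
        if section is None or not m:          # banner lines, count lines, "(No malicious items detected)"
            continue
        rest = m.group("rest")
        bg = BADGOOD_RE.search(rest)          # only "Registry Data Items" carry Bad/Good values
        findings.append({
            "section": section,
            "path": m.group("path"),
            "family": m.group("family"),
            "action": rest.rsplit("-> ", 1)[-1].strip(),
            "bad": bg.group("bad") if bg else None,
            "good": bg.group("good") if bg else None,
        })
        summary[section] += 1
    return summary, findings


def load_point_entries(findings):
    """Detections sitting in an autostart location: the persistence to remove first."""
    return [f for f in findings if any(lp in f["path"].lower() for lp in LOAD_POINTS)]


def tampered_settings(findings):
    """Data items where the scanner reports a changed system value, as (path, bad, good)."""
    return [(f["path"], f["bad"], f["good"]) for f in findings if f["bad"] is not None]


def untreated(findings):
    """Detections the scanner left in place ('No action taken')."""
    return [f for f in findings if f["action"].startswith("No action taken")]


if __name__ == "__main__":
    summary, findings = parse_mbam_log(SAMPLE_LOG)
    for sec, n in summary.items():
        print(f"{sec}: {n}")
    print("autostart entries:", [f["path"] for f in load_point_entries(findings)])
    print("tampered settings:", tampered_settings(findings))
    print("left untreated:", len(untreated(findings)))
```

Run it against a saved log by reading the file into parse_mbam_log instead of SAMPLE_LOG. The parser keys on the "<section> Infected:" headers and the "(family) -> action" suffix, so the count lines at the top of the log and the "(No malicious items detected)" placeholders are skipped rather than miscounted.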
Do a Full Scan with Malwarebytes’ AntiMalware and this time FIX Everything……

Download Malwarebytes' Anti-Malware to your desktop. Double-click mbam-setup.exe and follow the prompts to install the program.

• At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
• If an update is found, it will download and install the latest version.
• Once the program has loaded, select Perform full scan, then click Scan.
• When the scan is complete, click OK, then Show Results to view the results.
• Make sure that everything is checked, and click Remove Selected. <-- Don't forget this.
• When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be found here: C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
• Please post the MBAM Log and a fresh HJT log in your next reply.

2OG