
MBR Sector of the physical disk - Win32/Mebroot.BZ trojan



Been getting pop-ups from NOD32 about this trojan, which recently keylogged my WoW account and possibly bank details. Really getting on my nerves now as I'm trying to find a way to get rid of it without reformatting all my drives, got around 750GB >.< Some people seem to have solved this problem; however, for this one I think it's best if I just ask for the help directly. I would much appreciate it if anyone has any additional info about it.

So far I have scanned with Ad-Aware, MBAM, NOD32, Spybot, and HJT. I have cleaned everything on my PC other than this one trojan. Also ran ComboFix and then MBAM and HJT again.

help :)


Since you are posting in the PC help forum, I hope I am not stepping on any toes by offering this possible fix. You might want to hold off for a bit in case anyone wants to post any caveats to the process I am about to describe. I am a professional, and can often clean infections that others cannot, but I am by no means an expert on the behaviour of malware...

I had a customer with an infected PC; the MBR was coded with something that (when coupled with a rogue registry entry that I could not find) would hijack his attempts to log in to Bank of America. He would be directed to the correct page, but he was also being asked for his mother's maiden name and debit card PIN number to continue. I later found that while most of his browser was at the true BoA page, there was an embedded frame that was making an HTTPS connection to a hosted web server in Russia, with an SSL key provided by a German hosting company (I forget the details at this time, but I am rambling anyway).

Anyway, before I attempt to fix a customer's PC, whenever possible, I get a snapshot of the hard drive. I installed and ran Macrium Reflect on his PC while at his location.

While trying fruitlessly to clean the infection -- I used all of the tools you used, to no avail -- I made things worse, but was not really prepared to wipe/reload since he had a LOT of apps and configuration on there that I had not yet made note of.

I decided to revert to earlier in the cleanup process by restoring the Macrium Reflect HDD image. Upon restoring from the bootable CD, I was offered the option to replace the MBR with a standard Windows XP version. I chose this option. When the PC was restored, the infection was gone. I held the PC for a few days in hopes that the antivirus companies would catch up with this thing, and they finally did find the rogue registry entry that was partnered with the MBR infection.

Lucky for me and the customer, he didn't need his PC for a few days, and I didn't have to wipe/reload.

It's worth a try.

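The fix described above (restoring the image and letting Macrium Reflect write a standard Windows XP MBR) works because this kind of infection patches the boot-code region of sector 0 while leaving the partition table intact. As an added example, not code from this thread or from Macrium Reflect, the following Python parses a 512-byte MBR and compares its boot-code hash against the MBR from a known-clean image; the two sample sectors are constructed inline and carry placeholder boot code, not any real rootkit bytes.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440           # boot code occupies bytes 0..439
DISK_SIG_OFF = 440            # 4-byte disk signature at 440..443
PART_TABLE_OFF = 446          # four 16-byte partition entries at 446..509
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of every valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw MBR into boot-code hash, disk signature and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA(4) count(4)
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack("<I", sector[DISK_SIG_OFF:DISK_SIG_OFF + 4])[0],
        "partitions": parts,
    }


def boot_code_changed(current: bytes, baseline: bytes) -> bool:
    """True if the boot-code region differs from the known-good image's MBR."""
    return parse_mbr(current)["boot_code_sha256"] != parse_mbr(baseline)["boot_code_sha256"]


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: given boot code, one bootable NTFS partition, valid signature."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIG_OFF:DISK_SIG_OFF + 4] = struct.pack("<I", 0xDEADBEEF)
    sector[PART_TABLE_OFF:PART_TABLE_OFF + 16] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: same partition table and disk signature, different boot code.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3e" + b"\x90" * 25)

if __name__ == "__main__":
    print(parse_mbr(TAMPERED_MBR)["partitions"])
    print("boot code differs from clean image:", boot_code_changed(TAMPERED_MBR, CLEAN_MBR))
```

On a real system the 512 bytes would be read from the physical disk (for example `\\.\PhysicalDrive0` on Windows) and the baseline from the MBR saved in the backup image.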

Root Admin

Hello, and welcome to Malwarebytes.org

There are current rootkits that can evade almost everything out there. If you're still having redirect issues or other signs of an infection, then please follow the advice below.

We don't work on Malware removal in the general forums.

Please print out, read and follow the directions here, skipping any steps you are unable to complete. Then post a NEW topic here.

One of the expert helpers there will give you one-on-one assistance when one becomes available.

After posting your new post, make sure under options that you select Track this topic and choose one of the Email options so that you're alerted when someone has replied to your post.

Alternatively, as a paying customer, you can contact the help desk at support@malwarebytes.org
