
How do you remove the Mebroot/Sinowal Boot Sector Trojan also called the HelpAssistant Virus?

Blog Post Update: Mebroot can now be removed using Kaspersky TDSSKiller.  For complete steps, please read this remove virus blog post.

The Mebroot Boot Sector Trojan, also called Sinowal or the HelpAssistant Virus, is a stealth infection that is not normally detected by antivirus/antimalware applications, including Malwarebytes. It is a "banking trojan" that installs itself in the boot sector (the Master Boot Record) of the hard disk. From there it silently captures the user's banking information and transmits it to outside parties; the user of the computer is unaware that any of this is taking place. According to Cisco, "Trojan.Mebroot is reported to have infected nearly 300,000 machines and successfully stolen 270,000 bank account numbers and details for 240,000 credit and debit cards. Trojan.Mebroot does not contain a method of self-propagation and requires some type of user interaction to spread. Users may download this trojan over P2P networks, IRC servers, FTP servers, or in an e-mail attachment sent from the attacker."

The current version of the Mebroot Boot Sector Trojan cannot be removed by any known antivirus/antimalware application. Previous versions could be removed with vendor tools such as the Symantec Mebroot Removal Tool. Other methods that removed previous versions of this infection included the Microsoft Malicious Software Removal Tool, the Microsoft Recovery Console commands FixMBR and FixBoot, the Gmer MBR tool (MBR -F) and the Mebroot Fix by NoahDFear. (FDisk /R is a deprecated command that was replaced by FixMBR.)

At this writing, there is no known method to remove the current version of this infection. It cannot be removed by either a low-level or a standard format, because the infection resides in the boot sector rather than in the file system and no removal method for it is known. Strangely, the only solution for the current version of the Mebroot Boot Sector Trojan infection is to replace the hard disk with a new one. If you are infected with a previous version of the Mebroot Boot Sector Trojan, however, the methods mentioned above will resolve the issue.

Please Note: Your Internet Service Provider may classify the Mebroot Boot Sector Trojan as a "Bot Infection" and disable your internet connection.

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0BA50E41
malicious code @ sector 0x0BA50E44 !
PE file found in sector at 0x0BA50E5A !
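As an added example (not part of the original post and not Gmer's tool), the following Python scans a raw disk image for the two artefacts the Gmer report above lists: a copy of the MBR stashed in a sector that no partition owns, and a PE ("MZ") image stored in raw sectors. The 64-sector image is constructed inline; on a real case the input would be a dd image of the suspect disk taken from a clean boot environment, never the live system disk.

```python
import struct

SECTOR = 512
MBR_SIG = b"\x55\xaa"


def parse_partitions(mbr):
    """Return (type, start_lba, sector_count) for each used entry of the MBR partition table."""
    parts = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        ptype = entry[4]                            # 0x00 means the slot is unused
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            parts.append((ptype, start, count))
    return parts


def scan_image(image):
    """Report hidden MBR copies and PE headers in sectors that no partition owns.
    Mebroot keeps the partition table, replaces the boot code in sector 0 and parks the
    original MBR and its payload outside every partition (Gmer's 'copy of MBR' / 'PE file')."""
    mbr = image[:SECTOR]
    parts = parse_partitions(mbr)
    findings = {"mbr_copies": [], "boot_code_differs": [], "pe_headers": []}
    for lba in range(1, len(image) // SECTOR):
        if any(s <= lba < s + n for _, s, n in parts):
            continue                                # file-system data; not inspected here
        sec = image[lba * SECTOR:(lba + 1) * SECTOR]
        # Valid signature plus an identical partition table marks a stashed MBR.
        if sec[510:512] == MBR_SIG and sec[446:510] == mbr[446:510]:
            findings["mbr_copies"].append(lba)
            if sec[:440] != mbr[:440]:              # sector 0 boot code has been replaced
                findings["boot_code_differs"].append(lba)
        if sec[:2] == b"MZ":                        # DOS/PE header in a raw sector
            findings["pe_headers"].append(lba)
    return findings


def build_sample_image():
    """Constructed 64-sector image imitating an infected disk layout (no real malware)."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 8, 40)
    table = entry + b"\0" * 48                      # one NTFS partition at LBA 8..47
    original = b"ORIGINAL-BOOT-CODE".ljust(440, b"\x90") + b"\0" * 6 + table + MBR_SIG
    infected = b"HOOKED-BOOT-CODE".ljust(440, b"\x90") + b"\0" * 6 + table + MBR_SIG
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = infected
    image[50 * SECTOR:51 * SECTOR] = original       # stashed copy, cf. sector 0x0BA50E41
    image[53 * SECTOR:53 * SECTOR + 2] = b"MZ"      # payload image, cf. sector 0x0BA50E5A
    return bytes(image)
```

A copy whose partition table matches sector 0 but whose boot code differs is the strongest indicator here; it is also the copy a clean-up would restore once the hooked sector 0 has been preserved for evidence.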
