mbroot-J trojan; unable to delete

Hi, I am new on this forum
I recently got a warning (from the bank) that my PC was infected, even though I use Windows Defender and Avast.
Upon notification I did the following:

  • run full scan Avast antivirus: no viruses found
  • run bootscan Avast antivirus: 2 successfully eliminated (both in Java directory)
  • Run F-secure: finds mebroot virus
  • Run bootscan Avast again: MBR0 is infected by WIN32: MBRoot-J [Trj]
  • run aswMBR scan and successfully fixed MBR (default Windows MBR)
  • run full scan and quick scan Malwarebytes: in both cases no viruses found

looks to me reasonably safe, HOWEVER
aswMBR continues to issue a warning in relation to the following
10:51:25.578 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8237f0e0]<<
Please help how to fix it (the fix button in aswMBR is NOT highlighted for selection)

Help much appreciated!
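The aswMBR line quoted above follows a fixed shape: a timestamp, the chain of drivers in the disk stack, and, when the lowest entry points at code aswMBR cannot attribute to any loaded driver, a trailing `>>UNKNOWN [0xADDR]<<` marker (the part shown in red). As an added example, not code from the thread or from aswMBR, the following parser picks those lines out of a saved aswMBR log so the unresolved entries can be collected for a helper or a ticket. The two flagged lines are the ones quoted in this thread; the clean third line and the assumption that a fully resolved stack simply lists the lower drivers are constructed for contrast.

```python
import re
from typing import Dict, List, Optional

# Constructed sample log: the two aswMBR disk-stack lines quoted in this thread,
# plus one clean line written for contrast (its format is an assumption about
# aswMBR output, not something taken from the thread).
SAMPLE_LOG = """\
10:51:25.578 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8237f0e0]<<
12:59:30.562 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x821b2798]<<
12:59:30.600 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys atapi.sys
"""

# Timestamp, then driver names, optionally closed by the >>UNKNOWN [0x...]<<
# marker that signals an address with no owning driver below disk.sys.
_STACK_RE = re.compile(
    r"^(?P<time>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<stack>.+?)"
    r"(?:\s+>>UNKNOWN \[(?P<addr>0x[0-9A-Fa-f]+)\]<<)?\s*$"
)


def parse_stack_line(line: str) -> Optional[Dict]:
    """Parse one disk-stack line; return None for log lines of another shape."""
    m = _STACK_RE.match(line)
    if not m:
        return None
    drivers = m.group("stack").split()
    # A disk stack as printed by aswMBR starts at the kernel image.
    if not drivers or drivers[0].lower() != "ntoskrnl.exe":
        return None
    return {
        "time": m.group("time"),
        "drivers": drivers,
        "unknown_addr": m.group("addr"),  # None when every entry resolved
    }


def find_unresolved_hooks(log_text: str) -> List[Dict]:
    """Return the entries whose disk stack ends in an unresolved address."""
    flagged = []
    for raw in log_text.splitlines():
        entry = parse_stack_line(raw.strip())
        if entry and entry["unknown_addr"] is not None:
            flagged.append(entry)
    return flagged


if __name__ == "__main__":
    for hit in find_unresolved_hooks(SAMPLE_LOG):
        print(f"{hit['time']}: stack below {hit['drivers'][-1]} resolves to "
              f"{hit['unknown_addr']} with no owning driver; treat the MBR as suspect")
```

Feed it the text of a real aswMBR log instead of `SAMPLE_LOG` to get the same triage; lines that are not disk-stack entries are skipped rather than misparsed.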

is it reported in red?

then we have to ask essexboy to take a look at that…

YES, it is reported in red;
Is there a specific method to get in touch with Essexboy? (Remember: I am new on this forum.)

Thanks in advance

he will arrive by night and will see this…

Follow the guide here and attach the OTL logs
http://forum.avast.com/index.php?topic=53253.0

- Run F-secure: finds mebroot virus
Do you have Avast and F-secure installed?

otl reports attached.

F-secure will not run in full (gets 'hung' when scanning application data).

Never install more than one AV.
Running multiple AVs can/will create all kinds of Windows errors and false positive detections.

hi,
What do you exactly suggest to turn off? (I'm not really a whizz-kid.)

I am not saying you should turn off anything…

From your post above I got the impression that you had Avast and F-secure installed at the same time?
If so, that is something you should not do.

Did your bank give any indication as to the infection or why they thought you had one? Also, was the warning by phone or was it an e-mail?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

If you have Malwarebytes 1.6 or better installed please disable it for the duration of this run

Run OTL

  • Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
DRV - File not found [Kernel | On_Demand | Running] -- -- (xpsec)
DRV - File not found [Kernel | On_Demand | Running] -- -- (xcpip)
O33 - MountPoints2\{2153b658-60a2-11dc-b230-0008a188a519}\Shell\AutoRun\command - "" = C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe .MS32DLL.dll.vbs

:Files
ipconfig /flushdns /c

:Commands
[purity]
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


  • Then click the Run Fix button at the top
  • Let the program run unhindered, reboot the PC when it is done
  • Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow it to update if it asks

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as a description of how your computer is running now.

My bank account was automatically blocked. Upon inquiry by telephone (on my own initiative, i.e. I called the bank), they indicated they had identified a security threat. They did not mention the specific threat, but indicated it was a trojan.

I will start the procedure as indicated by Essexboy.

Essexboy, OTL is now running
Next step is ComboFix. I disabled F-secure, Spybot and Windows Defender.
Should I also disable AVAST?

regards

Yes, right click the blob, select shield control and select for 1 hour - once ComboFix has finished the run and rebooted, then re-enable Avast.

here is the OTL log
note that only OTL.txt was created; there was NO extras.txt report created this time

There are only two on the first run unless we ask for another ;D

ComboFix completed successfully; log file attached.

I rebooted the computer after running Combofix. Observations:

  • boot process extremely slow (first time??)
  • it looks like the number of processes running simultaneously (as identified by Windows task manager) is 1-2 processes less than before (cannot prove this)
  • the AVAST bulb in the bottom-right corner did not pop up, although the Microsoft security center indicates AVAST is active (and so does task manager)

looking forward to the next step…

There is often a system hang after running ComboFix, so rebooting a couple of times usually fixes it…

Seems that the previous actions have not yet had the desired result.

I just ran the AVAST bootscan and got the same result as before:
File MBR 0 is infected by win32: MBRoot-J [Trj]

I also ran the aswMBR scan again with the same result (highlighted in RED)
12:59:30.562 ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x821b2798]<<

aswMBR and OTL logfiles attached

the positive side of the actions so far: it looks like the machine is faster than before (apart from the booting process)

any further suggestions to cure the MBRoot-J problem?
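The bootscan result above ("File MBR 0 is infected") and the earlier "fixed MBR (default Windows MBR)" step both concern the first sector of the disk: 440 bytes of bootstrap code, a 4-byte disk signature, the 64-byte partition table and the 0x55AA boot signature. A bootkit of the kind named in this thread lives in the bootstrap code area, while the partition table is what legitimately changes when partitions are created or resized. As an added example, not code from the thread or from any of the tools it names, the script below parses a 512-byte sector, hashes only the bootstrap area, and compares it with a baseline hash recorded from the same disk when it was known clean. The sample sector, its NOP-filled bootstrap, its single NTFS partition and the single-byte change used to stand in for an infection are all constructed; reading the real sector (for example from `\\.\PhysicalDrive0` on Windows) needs administrator rights and is left to the reader.

```python
import hashlib
import struct
from typing import Dict, List

MBR_SIZE = 512
BOOTSTRAP_LEN = 440          # bootstrap code area, the part a bootkit overwrites
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"       # boot signature at offset 510


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw 512-byte sector into bootstrap hash, disk signature and partition table."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions: List[Dict] = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status(1) CHS-start(3, skipped) type(1) CHS-end(3, skipped) LBA-start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": bool(status & 0x80),
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def bootstrap_matches_baseline(sector: bytes, baseline_sha256: str) -> bool:
    """True when the bootstrap code is byte-identical to the baseline taken while clean."""
    return parse_mbr(sector)["bootstrap_sha256"] == baseline_sha256


def build_sample_mbr() -> bytes:
    """Constructed sector for the demo: NOP-filled bootstrap, one bootable NTFS partition."""
    bootstrap = b"\x90" * BOOTSTRAP_LEN
    disk_sig = struct.pack("<IH", 0xDEADBEEF, 0)          # constructed disk signature + 2 reserved bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 48                           # remaining three slots empty
    return bootstrap + disk_sig + table + BOOT_SIG


def simulate_bootstrap_change(sector: bytes) -> bytes:
    """Constructed stand-in for an infection: one byte of bootstrap code differs, table untouched."""
    return sector[:0x100] + b"\xeb" + sector[0x101:]


if __name__ == "__main__":
    clean = build_sample_mbr()
    baseline = parse_mbr(clean)["bootstrap_sha256"]      # record this while the disk is known clean
    print("clean sector matches baseline:", bootstrap_matches_baseline(clean, baseline))
    changed = simulate_bootstrap_change(clean)
    print("changed sector matches baseline:", bootstrap_matches_baseline(changed, baseline))
    print("partition table unchanged:", parse_mbr(changed)["partitions"] == parse_mbr(clean)["partitions"])
```

The point of hashing only the first 440 bytes is that a partition-table edit does not raise a false alarm, while any change to the boot code does; the baseline has to come from a sector captured before the problem, so it is worth storing it off the machine.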

You may want to try this:

Download Dr Web from here. Fill in the small form and download:
http://www.freedrweb.com/download+cureit+free/?lng=en
It will download as an 8-digit file; save it to your desktop.
Restart in safe mode and run it.
Accept the enhanced version.
Then run the full scan and allow it to cure all infections found.
Once finished it will generate a log; please attach that log here.

The drivers did not get removed by OTL, so let's use ComboFix to do it.

Once ComboFix has run, could you re-run aswMBR please.

  1. Close any open browsers.
  2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File::
c:\windows\system32\drivers\xcpip.sys
c:\windows\system32\drivers\xpsec.sys

Driver::
xcpip
xpsec

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.