Win32:MBRoot-j found in MBR; repairing crashes the computer

Greetings!

Not a newbie in computers (but mainly using Macs), I have a problem I can’t seem to resolve. I’m asking here, while knowing this has already been asked, because all the solutions I have found so far have been unsuccessful (see below).
One friend gave me her computer for troubleshooting. I first found that Avast needed to be registered, which I did. Then the scan revealed 2 viruses, which were successfully removed.
I restarted the computer, and now Avast tells me there’s some kind of virus in the MBR (“MBR:\.\PHYSICALDRIVE0”). It suggests that I delete the file (can we really call data in the MBR a “file”, BTW?). I accept and it suggests restarting the computer to run a scan on boot (SOB :P). As soon as I click “Yes” (to restart), I get a Blue Screen of Death. But, unlike everything mentioned on the Internet, mine has no useful information (just the Stop field), so I can’t reliably figure out what the culprit is (I really think people should update their web pages to mention that the uppercase description of the crash can also be absent, BTW). The “Stop” field mentions “0x<leading 0’s>8E” (KERNEL_MODE_EXCEPTION_NOT_HANDLED, according to a website).
I’ve tried various tools, including “mbr.exe” and “aswMBR.exe”, but none worked (“mbr” also produces a Blue Screen of Death and “aswMBR” says “Drivers not installed” and exits). Since I assume “aswMBR” is software from Avast, I’m starting to suspect a problem in Avast’s installation at that point (it would explain the first BSoD, which happens when I answer “yes” to Avast).
If I try to put this virus in quarantine, Avast just tells me the operation is unsupported (well, I’m aware of what the MBR is, and why it’s dangerous to deal with it). I also tried to repair the problem, and the problem is still there.
When I unplug my USB flash drive, used to transfer the exe files, without ejecting it properly (yes, I know, but on Macs I just eject once and I’m done; I don’t have the Windows habit of ejecting in Explorer and then again in the taskbar), I also get a BSoD (which mentions 0x<leading 0’s>7E in the “Stop” field).
I’ve also encountered random hangs at startup, with the screen staying black (which also happens if I put the computer to sleep by any means).

Now, I think I’ve said everything I did (sorry if something is missing), but I’m wondering what others would suggest.

Hi there, let’s have a look at the MBR

Download aswMBR.exe ( 4.1mb ) to your desktop.
Double click aswMBR.exe to run it, then click the “Scan” button to start the scan

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRScan.gif

On completion of the scan click save log, save it to your desktop and post in your next reply

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswMBR%20shots/aswMBRsavelog.gif

THEN

Download OTL to your Desktop

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
[*]Select All Users
[*]Under the Custom Scan box paste this in
netsvcs
%SYSTEMDRIVE%*.exe
/md5start
consrv.dll
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
C:\Windows\assembly\tmp\U*.* /s
%Temp%\smtmp\1*.*
%Temp%\smtmp\2*.*
%Temp%\smtmp\3*.*
%Temp%\smtmp\4*.*
Drives
CREATERESTOREPOINT

[*]Click the Quick Scan button. Do not change any settings unless otherwise told to do so. The scan won’t take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Post both logs
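The /md5start … /md5stop part of the custom scan above hashes the core system binaries that MBR rootkits of this family are known to patch in place. As an added example (not OTL’s own code, and not part of the original post), the script below reproduces the idea behind that check in Python: walk a drive, MD5 every copy of the watched file names, and report any name whose copies do not all share one hash. On Windows XP a pristine copy of e.g. winlogon.exe normally also sits in system32\dllcache and ServicePackFiles\i386, so a system32 copy with a hash of its own is the one to look at first. The caveat a practitioner wants: a hotfix can legitimately update only one copy, so a mismatch is a lead, not proof, and should be confirmed against the file version from the vendor. The directory tree in the example is constructed for the demo; it is not a real system drive.

```python
"""Cross-check MD5 hashes of same-named system binaries under a drive root.

Added example reproducing the intent of OTL's /md5start ... /md5stop custom
scan; it is not OTL's code. The file names watched are the ones listed in the
scan above; the demo tree is constructed, not a real Windows installation.
"""
import hashlib
import os
import tempfile

WATCHED = {"consrv.dll", "explorer.exe", "winlogon.exe", "userinit.exe", "svchost.exe"}


def md5_file(path, chunk=1 << 16):
    """MD5 of a file, read in chunks so large binaries do not load whole into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def md5_report(root, names=WATCHED):
    """Map each watched name (lower-cased) to {path: md5} for every copy found under root."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            key = fname.lower()
            if key in names:
                path = os.path.join(dirpath, fname)
                try:
                    report.setdefault(key, {})[path] = md5_file(path)
                except OSError:
                    continue  # locked or unreadable copy: skip it rather than abort the scan
    return report


def find_mismatches(report):
    """Names whose copies carry more than one hash; the minority hash is the suspect copy."""
    suspicious = {}
    for name, copies in report.items():
        by_hash = {}
        for path, digest in copies.items():
            by_hash.setdefault(digest, []).append(path)
        if len(by_hash) > 1:
            minority = min(by_hash.values(), key=len)
            suspicious[name] = {"hashes": sorted(by_hash), "odd_copies": sorted(minority)}
    return suspicious


def build_demo_tree():
    """Constructed sample tree (not real system files): a patched system32\\winlogon.exe
    next to two clean copies, plus two identical svchost.exe copies as a control."""
    root = tempfile.mkdtemp(prefix="md5demo_")
    clean_winlogon = b"MZ clean winlogon" + b"\x90" * 212
    patched_winlogon = b"MZ clean winlogon" + b"\x90" * 200 + b"PATCHED-HOOK"
    svchost = b"MZ svchost" + b"\x00" * 64
    layout = {
        os.path.join("WINDOWS", "system32", "winlogon.exe"): patched_winlogon,
        os.path.join("WINDOWS", "system32", "dllcache", "winlogon.exe"): clean_winlogon,
        os.path.join("WINDOWS", "ServicePackFiles", "i386", "winlogon.exe"): clean_winlogon,
        os.path.join("WINDOWS", "system32", "svchost.exe"): svchost,
        os.path.join("WINDOWS", "system32", "dllcache", "svchost.exe"): svchost,
    }
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for name, info in find_mismatches(md5_report(demo_root)).items():
        print(name, "has", len(info["hashes"]), "distinct hashes; suspect copies:", info["odd_copies"])
```

Run it against a real drive by passing the drive root (e.g. the value of %SYSTEMDRIVE%) to md5_report; a rootkit that hooks file reads may feed you a clean image of the patched file, so for a conclusive answer hash the same files from rescue media as well.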

Thanks for your answer.
As I said in my post, I’ve tried aswMBR.exe but it says “Drivers not loaded” (instead of “Initialize success”) and exits. That’s why I’m seeking help: the standard tools don’t seem to work.

Update: Ok, I’ve tried once more (not sure what changed, perhaps because I restarted again) and it worked. This is the log:

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-15 16:56:30

16:56:30.093 OS Version: Windows 5.1.2600 Service Pack 3
16:56:30.093 Number of processors: 2 586 0x4802
16:56:30.093 ComputerName: ACER-318DE0055E UserName: Sylvie
16:56:33.546 Initialize success
16:56:37.453 AVAST engine defs: 12031500
16:56:42.140 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
16:56:42.140 Disk 0 Vendor: HTS541010G9AT00 MBZOA60A Size: 95396MB BusType: 3
16:56:42.156 Device owAZEVAoRGRCZ → DriverStartIo RGRCZ@J@ b9f01864
16:56:42.218 Disk 0 MBR read successfully
16:56:42.218 Disk 0 MBR scan
16:56:42.250 Disk 0 Win32:MBRoot-J [Trj]
16:56:42.265 Disk 0 MBR hidden
16:56:42.265 Disk 0 Partition 1 00 12 Compaq diag MSWIN4.1 4996 MB offset 63
16:56:42.296 Disk 0 Partition 2 80 (A) 0C FAT32 LBA MSWIN4.1 44947 MB offset 10233405
16:56:42.312 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 45449 MB offset 102285855
16:56:42.328 Disk 0 MBR [Win32:MBRoot] ROOTKIT
16:56:42.343 Disk 0 trace - called modules:
16:56:42.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8a9b4000]<<
16:56:42.375 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a93f228]
16:56:42.390 3 CLASSPNP.SYS[ba188fd7] → nt!IofCallDriver → \Device\000000b6[0x8aa183b8]
16:56:42.406 5 ACPI.sys[b9f7e620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x8a9b2d98]
16:56:43.281 AVAST engine scan C:\WINDOWS
16:57:08.171 AVAST engine scan C:\WINDOWS\system32
16:58:36.421 AVAST engine scan C:\WINDOWS\system32\drivers
16:58:44.015 File: C:\WINDOWS\system32\drivers\int15.sys INFECTED Win32:Zeroot-B [Rtk]
16:58:45.578 AVAST engine scan C:\Documents and Settings\<username>
17:00:36.062 AVAST engine scan C:\Documents and Settings\All Users
17:00:52.125 Scan finished successfully
17:01:09.328 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\<username>\Mes documents\MBR.dat”
17:01:09.343 The log file has been saved successfully to “C:\Documents and Settings\<username>\Mes documents\aswMBR.txt”

I see that drivers\int15.sys is infected. Since one of the BSoDs I see (with 0x000…07E) can be related to drivers, it might be a lead worth following. I’m going to check what the purpose of this file is and run OTL. Other ideas welcome.
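The aswMBR log above saved the sector it read to MBR.dat and printed the partition table it found (three partitions at offsets 63, 10233405 and 102285855, partition 2 active). As an added example, not aswMBR’s code and not part of the original post, the Python below parses such a 512-byte sector the same way: the four 16-byte partition entries at offset 446, the 0x55AA signature, and a hash of the boot code so it can be compared with a copy from a trusted machine running the same OS and boot loader. The sector embedded in the script is constructed to mirror the log’s partition lines; it is not the real MBR.dat from the thread, and the partition sector counts are assumed to make the sizes agree with the log. One caveat the log itself raises: “Disk 0 MBR hidden” means the rootkit filters reads of the sector, so a dump taken through the infected OS may be the clean decoy it presents rather than the real boot code. Run the check on a dump taken from rescue media as well.

```python
"""Parse a raw MBR sector and run the sanity checks a reviewer of an aswMBR log wants.

Added example, not aswMBR's code. SAMPLE_MBR is a constructed sector that mirrors
the partition lines in the log above (offsets 63 / 10233405 / 102285855, partition 2
active); the sector counts are assumed so that the MB sizes match the log.
"""
import hashlib
import struct

SECTOR = 512
TABLE_OFFSET = 446          # partition table starts here, 4 entries of 16 bytes
BOOT_CODE_LEN = 440         # bytes 440-445 hold the per-disk NT disk signature, so hash only 0-439
ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0C: "FAT32 LBA", 0x12: "Compaq diag"}


def make_entry(status, ptype, lba_start, sectors):
    """Build one 16-byte partition entry; CHS fields are zeroed, tools use the LBA fields."""
    return struct.pack(ENTRY_FMT, status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample: placeholder boot code, three partitions, empty fourth slot, 0x55AA.
SAMPLE_MBR = (
    b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (TABLE_OFFSET - 5)
    + make_entry(0x00, 0x12, 63, 10233342)
    + make_entry(0x80, 0x0C, 10233405, 92052450)
    + make_entry(0x00, 0x07, 102285855, 93079755)
    + make_entry(0x00, 0x00, 0, 0)
    + b"\x55\xaa"
)


def parse_mbr(sector):
    """Decode the signature, boot-code hash and non-empty partition entries of one sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected a %d-byte sector, got %d" % (SECTOR, len(sector)))
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i)
        if ptype == 0:
            continue  # empty slot
        parts.append({
            "index": i + 1,
            "active": status == 0x80,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, "unknown"),
            "offset": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return {
        "signature_ok": bytes(sector[510:512]) == b"\x55\xaa",
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
    }


def sanity_checks(parsed, disk_sectors=None):
    """Return findings about the table itself; an empty list means it is internally consistent."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    parts = parsed["partitions"]
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected exactly one active partition, found %d" % len(active))
    for p in parts:
        if p["offset"] == 0:
            findings.append("partition %d starts inside the MBR sector" % p["index"])
        if disk_sectors is not None and p["offset"] + p["sectors"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    ordered = sorted(parts, key=lambda p: p["offset"])
    for a, b in zip(ordered, ordered[1:]):
        if a["offset"] + a["sectors"] > b["offset"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


def boot_code_matches(sector, known_good_sha256):
    """True when bytes 0-439 equal a hash taken from a trusted sector of the same OS and loader."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest() == known_good_sha256


if __name__ == "__main__":
    info = parse_mbr(SAMPLE_MBR)
    for p in info["partitions"]:
        print("Partition %d %s %02X %-12s %6d MB offset %d" % (
            p["index"], "(A)" if p["active"] else "   ", p["type"], p["type_name"], p["size_mb"], p["offset"]))
    print("boot code sha256:", info["boot_code_sha256"])
    print("findings:", sanity_checks(info, disk_sectors=95396 * 2048) or "none")
```

To use it on a real dump, read MBR.dat with open(path, "rb").read() and pass the bytes to parse_mbr; the partition table of an infected MBR is usually left intact (the rootkit only replaces the boot code and stashes the original elsewhere on disk), which is exactly why the boot-code hash comparison matters more than the table checks.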

Ok, here are the two files, attached. They are in French; ask me if you want to know anything (just not “how big is the universe?” ;)).

Aye, it is worth retrying aswMBR, as it pointed out the type of miscreant to me

I will clear the MBR first and then tackle the other infected file on completion

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

[*]Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

[*]If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

THEN

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

  • IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

[*]Double click on ComboFix.exe & follow the prompts.
[*]Accept the disclaimer and allow it to update if it asks
[*]Allow the installation of the recovery console

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

[*]When finished, it shall produce a log for you.
[*]Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now

Hmm… These detailed steps are nice!
Thanks for your help.

I’ve attached the relevant files.

As for how the computer behaves now, I saw a blue screen of death when ComboFix ended.

(sorry for the delay, I was busy this week-end)

One or two bits to remove; you also appear to have a WMI problem, which we will fix first

Download Windows Repair (all in one) from this site

Install the programme, then run it

Go to step 2 and allow it to run Disc check

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture3.gif

Once that is done then go to step 3 and allow it to run SFC

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture.gif

On the start repairs tab select advanced mode and click start

http://i1224.photobucket.com/albums/ee362/Essexboy3/Capture1.gif

Select the items in the red surround (remove the ticks from the rest ) and tick restart system when finished
(screenshot at the bottom)

THEN

  1. Close any open browsers.
  2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.
  3. Open notepad and copy/paste the text in the quotebox below into it:
File:: c:\windows\system32\drivers\xpsec.sys

Driver::
xpsec

Save this as CFScript.txt, in the same location as ComboFix.exe

http://img.photobucket.com/albums/v666/sUBs/CFScriptB-4.gif

Referring to the picture above, drag CFScript into ComboFix.exe. When finished, it shall produce a log for you at C:\ComboFix.txt, which I will require in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.
  3. If after the reboot you get errors about programmes being marked for deletion then reboot, that will cure it.

Ok. May I ask you what WMI means?

Actually, according to its creation date, the ComboFix.txt file is the old one (the one made when I ran the program the first time, 5 hours ago). So it seems the program did not make a log file this time. Since your notes say I should not run ComboFix twice, what should I do now? (I can either run the application again or send you the actual file, which doesn’t seem to be the one from my last attempt.)

Thanks

WMI is where Windows registers the legality of your system files; at the moment ComboFix does not recognise them as being logged

Yes post the log that you have and I will see if it ran

Thank you.

Well, they are the same, I’m sure now. I’ve checked them. Should I run the utility once more?

Yes please - although it is an orphaned file - it is just a bit of tidying up ;D

How is the computer behaving now?

Ok, I did. I have to admit, I’ve never used these applications. I don’t know exactly what I’m doing (I somewhat follow, but not entirely). The file is attached.

Well, I’m not sure. These BSoDs are sporadic, so I’ll only be able to tell when I see one (until then, why not assume it works better? :wink: ). I’ll also do another Avast scan, but only at the end, in case doing that too soon makes things worse.
Thanks!

Ok, I’ve done an Avast scan and this time no malware has been detected! Thank you very much, essexboy!
(this is the quick scan for now. I’m currently performing the deep scan and will update my post when done).

I’m still wondering how one learns about these tools. When I was in school (I don’t know what it is called in English, but this is a “high” school, optional, where I learnt computer science (on PCs)), we were learning about more “traditional” things. It was ten years ago. Now, how does one know about tools like “TDSSKiller” or “ComboFix”? Or perhaps they are just newer than ten years ago?

Thanks again!

I learnt at an online school, but the malware and tools are changing almost daily

Let me know when you are happy and I will remove my tools and tidy up ;D

That’s why not everyone can do that, unless they follow it every day. Thanks for being a piece of the puzzle! :wink:

Oh, I am! The deep scan returned no malware, so I don’t see how it could not be fine!
I’ve saved the web page on my computer (for storing the steps), you may do whatever tidying up you want :wink:

Thanks again!

As the tools change regularly it is not worth keeping them

So …

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but, I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so… The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

:Commands [resethosts] [emptytemp] [CLEARALLRESTOREPOINTS] [Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done

Remove ComboFix
[*]Hold down the Windows key + R on your keyboard. This will display the Run dialogue box
[*]In the Run box, type in ComboFix /Uninstall
(Notice the space between the “x” and “/”)
then click OK

http://i1224.photobucket.com/albums/ee362/Essexboy3/Misc%20screen%20shots/CF_Uninstall-1.jpg

[*]Follow the prompts on the screen
[*]A message should appear confirming that ComboFix was uninstalled

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change that
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.gif
Your Java is out of date.
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version of Java components and upgrade the application.

Upgrading Java:
[*] Go to this site and click Do I have Java
[*] It will check your current version and then offer to update to the latest version

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link

It is critical to have both a firewall and an anti-virus to protect your system, and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide How did I get infected in the first place? Keep safe :wave:

Ok.

Nice!

I had planned to give the computer back to my friend tomorrow. But I’ll ask her how it behaves. The thing is, besides using the computer to repair it, I don’t use it (I’m mostly not a PC guy, as I mentioned), so it’s not worth keeping it turned on for a day without doing anything on it, don’t you agree?

Yes! Anyway, I don’t feel satisfied with myself, having to ask other people for that (I usually know more about computers).

There’s one line I don’t understand: what hosts are reset?

The French version made me worry about it (especially since it seemed to be the red button :wink: ). But I finally noticed you had also written “Run Fix” in red, so I clicked (it wasn’t the exact same translation).

Hmm… I usually think it’s better to show them (so I can navigate wherever I want).

Thanks, I didn’t notice that. Also thanks for the steps, because I’ve never installed Java on a Windows machine.

Thanks, I’ll install them!

Clearing the hosts file is something I always do when I tidy up… A hangover from when the hosts file was always being hijacked

I hide the system files as the uninitiated have been known to delete them due to the transparent effect

I do not anticipate any more problems so it should be OK to give it back ;D
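The [resethosts] step in the OTL cleanup above wipes the hosts file back to its default because hijacked hosts entries were a standard trick: point the AV vendors’ and Windows Update hostnames at 127.0.0.1 so the machine can no longer fetch definitions, and point popular sites at an attacker’s address. As an added example (not OTL’s code and not part of the original post), the Python below shows what such a hijack looks like by auditing a hosts file instead of silently resetting it, so that a legitimate local mapping (an ad-blocking list, a developer’s test entry) can be told apart from a blackholed update site. The hosts text in the script is constructed for the demo; the list of security and update domains is an assumption to extend for your own environment.

```python
"""Audit a Windows hosts file for the entries a hijack typically adds.

Added example, not OTL's [resethosts] routine. SAMPLE_HOSTS is constructed for
the demo; SECURITY_DOMAINS is an assumed list of vendor/update domains to extend.
A clean default XP hosts file contains only the localhost line.
"""
import ipaddress

LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
SECURITY_DOMAINS = (
    "avast.com", "microsoft.com", "windowsupdate.com",
    "malwarebytes.org", "kaspersky.com", "symantec.com",
)

# Constructed sample, not the hosts file from the thread: two blackholed update sites,
# one zero-routed vendor site and two popular sites redirected to a remote address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.avast.com
127.0.0.1       update.microsoft.com   # stops Windows Update resolving
0.0.0.0         www.malwarebytes.org
203.0.113.5     www.google.com  www.bing.com
"""


def parse_hosts(text):
    """Return (line_no, ip, [names]) for every non-blank, non-comment line; inline comments stripped."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue  # malformed line, nothing to map
        entries.append((n, fields[0], [f.lower() for f in fields[1:]]))
    return entries


def is_local(ip):
    """Loopback (127.x, ::1) and unspecified (0.0.0.0, ::) addresses both blackhole a name."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def matches_security_domain(name):
    return any(name == d or name.endswith("." + d) for d in SECURITY_DOMAINS)


def audit_hosts(text):
    """Return (line_no, name, ip, verdict) for every mapping other than the localhost defaults."""
    findings = []
    for n, ip, names in parse_hosts(text):
        for name in names:
            if name in LOOPBACK_NAMES:
                continue
            if is_local(ip):
                if matches_security_domain(name):
                    findings.append((n, name, ip, "security/update site blackholed"))
                else:
                    findings.append((n, name, ip, "non-default local mapping"))
            else:
                findings.append((n, name, ip, "redirected to a remote address"))
    return findings


if __name__ == "__main__":
    for line_no, name, ip, verdict in audit_hosts(SAMPLE_HOSTS):
        print("line %d: %-24s -> %-12s %s" % (line_no, name, ip, verdict))
```

On a real machine read the file from %SystemRoot%\System32\drivers\etc\hosts and pass its text to audit_hosts; anything reported as “blackholed” or “redirected” is the kind of entry that [resethosts] removes, while a long list of “non-default local mapping” lines for ad servers is usually an ad-blocking hosts list the owner installed on purpose.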

Ah, ok, so this is a hosts file. I thought it was the host, as in a computer (i.e. the computer itself).

That’s certainly true as well.

I share your opinion.
Thanks again!

My pleasure - keep safe