Win32 MBRoot - J[Trj] detected

greetings

i have recently needed to start using my desktop again after around 18 months (it is running win xp sp3). when i first started it all of my antivirus software was out of date, so i downloaded avast and comodo firewall.

after installation an avast detection popup appeared saying there was a rootkit on the system:

ROOTKIT INFORMATION
MBR: \.\PHYSICALDRIVE0

i chose Delete Now and OK and was asked to run a boot-time scan, which i did.

during that process a second threat was discovered

Win32: MBRoot - J [Trj]

the thing is the location of the file was

C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot

so, as i wasn't sure if that meant the file had been moved to that location when detected or if in fact that avast file was infected, i chose to move it to the virus chest.

now i continually get a repetition of this chain of events. should i re-run the boot-time scan and choose to delete the files?

also something else that has started happening is that whenever i turn the computer on its BIOS settings are reset, so the clock is 1 jan 1970 etc.

i have run a Malwarebytes quickscan and it detected 5 infected registry keys which were quarantined and deleted successfully.

the log is as follows:

Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6624

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

20/05/2011 11:26:58
mbam-log-2011-05-20 (11-26-58).txt

Scan type: Quick scan
Objects scanned: 152729
Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) → Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) → Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

thanks in advance your help will be much appreciated

also here is my aswBoot.txt:

05/16/2011 09:51
Scan of all local drives

File MBR 0 is infected by Win32:MBRoot-J [Trj]
File C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot\7fea1-934-0.dat is infected by Win32:MBRoot-J [Trj], Moved to chest
File C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot\83b0e-d1c-0.dat is infected by Win32:MBRoot-J [Trj], Moved to chest
Number of searched folders: 33082
Number of tested files: 275045
Number of infected files: 3

This C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot is the location of the AntiRootkit Protection arpot folder; it has a temp folder but other than that it should be empty. So I don't know if this is just temporary data whilst the anti-rootkit scan is running.

The C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\arpot.log file contains any anti-rootkit detection information. Check that file for more information.

Try running this tool to confirm if you actually have an MBR rootkit:

‘also something else that has started happening is that whenever i turn the computer on it’s bios settings are reset, so the clock is 1 jan 1970 etc’

Sounds like the CMOS battery is dying on your Motherboard…

thanks both of you for your rapid replies, here is the aswMBR.exe scan log:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 13:53:22

13:53:22.359 OS Version: Windows 5.1.2600 Service Pack 3
13:53:22.359 Number of processors: 2 586 0x2B01
13:53:22.359 ComputerName: SAMSUNG01 UserName: UserName
13:53:23.578 Initialize success
13:53:27.218 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP4T0L0-9
13:53:27.218 Disk 0 Vendor: SAMSUNG_HD160JJ ZM100-47 Size: 152627MB BusType: 3
13:53:29.218 Disk 0 MBR read successfully
13:53:29.218 Disk 0 MBR scan
13:53:29.218 Disk 0 Windows XP default MBR code found via API
13:53:29.218 Disk 0 unknown MBR code
13:53:29.218 Disk 0 MBR hidden
13:53:31.218 Disk 0 scanning sectors +268414020
13:53:31.234 Disk 0 malicious Win32:MBRoot code @ sector 268414023 !
13:53:31.234 Disk 0 PE file @ sector 268414045 !
13:53:31.234 Disk 0 MBR [Win32:MBRoot] ROOTKIT
13:53:31.250 Disk 0 trace - called modules:
13:53:31.250 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86225a8b]<<
13:53:31.250 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x870ebab8]
13:53:31.250 3 CLASSPNP.SYS[f755cfd7] → nt!IofCallDriver → \Device\0000007d[0x8714ef18]
13:53:31.265 5 ACPI.sys[f73f3620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP4T0L0-9[0x870dad98]
13:53:31.265 Scan finished successfully
13:53:52.671 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\UserName\Desktop\MBR.dat”
13:53:52.671 The log file has been saved successfully to “C:\Documents and Settings\UserName\Desktop\aswMBR.txt”
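The log above shows the two reads that an MBR rootkit scanner compares: the XP default MBR code seen through the Windows API, unknown code on the direct read, and the verdict "MBR hidden". The script below is an added example, not from this thread or from aswMBR: it parses two constructed 512-byte MBR images (one standing for the API view, one for the direct sector read), reports where they disagree, and checks the direct read against a saved baseline hash such as one taken from a known-clean MBR.dat copy. All sample bytes, names and the baseline are constructed assumptions.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code ends where the 4-byte disk signature starts (0x1B8)
PART_TABLE_OFF = 0x1BE   # four 16-byte partition entries
BOOT_SIG_OFF = 0x1FE     # 0x55AA marker

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into bootstrap-code hash, partition table and boot marker."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        parts.append({"status": status, "type": ptype, "lba_start": lba_start, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "boot_signature_ok": sector[BOOT_SIG_OFF:] == b"\x55\xAA",
    }

def compare_views(api_view: bytes, raw_view: bytes, baseline_code_sha256: str) -> list:
    """Cross-view check: MBR handed back through the OS disk stack versus the sector read directly.
    Returns findings; an empty list means both views agree and match the saved baseline."""
    api, raw = parse_mbr(api_view), parse_mbr(raw_view)
    findings = []
    if api["code_sha256"] != raw["code_sha256"]:
        findings.append("bootstrap code differs between API and direct read (MBR hidden)")
    if api["partitions"] != raw["partitions"]:
        findings.append("partition table differs between API and direct read")
    if raw["code_sha256"] != baseline_code_sha256:
        findings.append("direct-read bootstrap code does not match saved baseline")
    if not raw["boot_signature_ok"]:
        findings.append("direct-read sector lacks the 0x55AA boot signature")
    return findings

def build_sample_mbr(code: bytes) -> bytes:
    """Constructed sample: given bootstrap code, one active NTFS partition, 0x55AA marker."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 312581745)
    sector = code.ljust(BOOT_CODE_LEN, b"\x00") + struct.pack("<I", 0x1234ABCD) + b"\x00\x00"
    return sector + entry + b"\x00" * 48 + b"\x55\xAA"

CLEAN_CODE = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 20   # constructed stand-in for the stock loader
HOOKED_CODE = b"\xEB\x3E\x90" + b"\xCC" * 60                  # constructed stand-in for replaced loader code
API_MBR = build_sample_mbr(CLEAN_CODE)                 # what a hooked disk stack returns to the API
RAW_MBR = build_sample_mbr(HOOKED_CODE)                # what is actually in sector 0
BASELINE = parse_mbr(API_MBR)["code_sha256"]           # hash of a copy saved while the disk was known clean
```

Calling `compare_views(API_MBR, RAW_MBR, BASELINE)` returns two findings (bootstrap code differs, baseline mismatch), while passing the same image for both views returns none.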

@jacksticks ah sounds likely - i’ll look into that!

Choose the option “Fix”, reboot, scan again with aswMBR and post the log.
Regards

I believe it is Fix and not fixmbr.

If an MBR Rootkit is found (confirmed):

  • scan again then click “FIX” and reboot
  • after reboot, scan again. then click “Save log” and post it in your next reply.
    After the fix, if the second report/log comes up clean, then MBAM (update before the scan) and avast may find other things that were previously hidden. So run those scans again.

I once told someone to choose Fix and then asyn and essexboy told me that Fix is only for TDL. Anyway
*Edited.

here’s the log after the fix:

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 14:19:28

14:19:28.562 OS Version: Windows 5.1.2600 Service Pack 3
14:19:28.562 Number of processors: 2 586 0x2B01
14:19:28.562 ComputerName: SAMSUNG01 UserName: UserName
14:19:49.046 Initialize success
14:20:08.765 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP4T0L0-9
14:20:08.781 Disk 0 Vendor: SAMSUNG_HD160JJ ZM100-47 Size: 152627MB BusType: 3
14:20:10.796 Disk 0 MBR read successfully
14:20:10.796 Disk 0 MBR scan
14:20:10.796 Disk 0 Windows XP default MBR code
14:20:12.796 Disk 0 scanning sectors +268414020
14:20:12.812 Disk 0 scanning C:\WINDOWS\system32\drivers
14:20:25.812 Service scanning
14:20:30.953 Disk 0 trace - called modules:
14:20:30.968 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
14:20:30.968 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x87110ab8]
14:20:30.968 3 CLASSPNP.SYS[f755cfd7] → nt!IofCallDriver → \Device\0000007d[0x8714ef18]
14:20:30.984 5 ACPI.sys[f73f3620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP4T0L0-9[0x8714dd98]
14:20:30.984 Scan finished successfully
14:20:52.609 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\UserName\Desktop\MBR.dat”
14:20:52.609 The log file has been saved successfully to “C:\Documents and Settings\UserName\Desktop\aswMBR3.txt”

Looks clean, any other problems?

ok thanks i’ll run the MBAM and Avast scans again and let you know

one thing that did happen on reboot was a small windows error pop up entitled ‘SRY #001’ with the error message ‘CLED ERROR’ - any idea what that might be or if it’s related?

Do you have Cubase installed? Open up Task Manager and close the application cled.exe if it is there.
Start -> Run > type “msconfig”, and under the Startup tab uncheck the cled.exe process.

thanks Left123 (i should really have web checked that one myself!)

when i run the avast scan should i run a quickscan or a boot-time scan?

Run a quick scan first.

hi thank you all for your help so far

however i appear to still have a further complication.

one of the reasons i was alerted to the fact my desktop had an infection is that i have been experiencing connection timeouts when trying to access a specific website and its corresponding FTP (which i can view and connect to on my laptop using the same net connection). i contacted the webhost of the site and they have informed me that their security system had detected malware on my desktop and therefore were blocking it.

so after running all the scans suggested in this post i have tried to access the site again. my desktop still will not load the site, and when i contacted the host to explain that i had cleaned the infection they replied saying that they still detected a malware threat.

have you any further suggestions on what might be causing this please?

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple posts with copy and paste you have to attach the logs.
Lower left corner: Additional Options > Attach ( OTS log ) save OTS log as ANSI

Essexboy will look at the log when he arrives here later today…

thanks Pondus my ots log is attached

What malware does the site think you have ?

I see you still have AVG 7.5 antispyware installed - I think updates for that finished a few years ago… So I would recommend you uninstall it

hi essexboy

i asked the webhost about the malware. they replied saying that in the log they can only see the IP and HTTP request with a message in the security cluster showing Malware has been detected.

apparently they can enable further debugging, however it’s a global option which will log information about each HTTP request to all domains on the cloud, thus causing a lot of logs! i’ll ask if they can do that.

i’ll post a reply once i hear back from them again.

i have uninstalled AVG (this pc needs a little love as i haven't used it in so long).

Any other problems remain?