Are you still getting reports of having malware?
i have just tried the website i’ve been having trouble accessing and it is suddenly working!
i arranged to talk to the webhost first thing in the morning so i will try and find out if they can shed some further light as to what the problem was. (maybe we solved the actual issue on friday and it’s taken a while for the server to refresh?) i’ll post any findings or explanations.
in the meantime i am slightly confused but indeed joyous! ;D
thank you all for your persistence and patience in trying to solve this issue - it’s been fascinating, i only wish i knew what you could see in all those logs 8)
I like mysteries - they tax the old grey matter
I believe it was one of the DLLs taken out by ComboFix, although I feel Comodo may have been slowing CF down. Do you have the HIPS running?
sorry, hips?
(i had completely disabled and closed comodo btw)
also one thing i noticed is that the first Kaspersky scan totally changed my hosts file to just my localhost and nothing else…
as an update i have noticed that my default browser has somehow been reset and now firefox just will not accept being the default. i have researched this and done all of the suggested methods (running as administrator, run commands, toggling between browsers, control panel > add remove programs > set program access and defaults etc) but with no luck.
could that be caused by a registry key change during the clean up process?
Did you double check in FF that FF is your default browser? Go to Tools > Options > Advanced.
Edit: I would run another scan with Avast and MBAM. Can you please run a fresh OTS log and post as an attachment?
I have also notified Essexboy to check in with you regarding your issue. Let us know if you have any questions. Thank you.
hi SafeSurf
yep like i say i’ve tried all of the obvious methods.
when i go to options > advanced > check if ff is your default browser it always says that it is not my default browser and would i like to change it, but it never changes.
(sorry i realise this might not be an Avast! issue but it did start occurring after all the scans i ran so i figured it could have been caused during that process)
OK…I just edited my post above. See additional instructions and I have also notified Essexboy to check in with you.
thanks for that. i will redo those scans.
The OTS log will tell us if anything is left over from the clean up or any malware as well. Please post that as an attachment.
For the other scans, you can let us know if they are clean; if infected, give a screenshot for Avast and attach the log for MBAM. Thanks.
the avast scan was clean no threats.
here’s my mbam log:
Malwarebytes’ Anti-Malware 1.50.1.1100
www.malwarebytes.org
Database version: 6675
Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13
25/05/2011 20:13:29
mbam-log-2011-05-25 (20-13-29).txt
Scan type: Quick scan
Objects scanned: 161723
Time elapsed: 5 minute(s), 38 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
and i have attached my latest ots log.
thanks!
First could you disable Teatimer and then reset FF as default… Does that work?
If not then download and re-install Firefox… Does that work?
that did it. the installation must have been corrupted because it would not allow me to uninstall firefox via the control panel or ccleaner either. overwriting it with a new installation has fixed it.
thanks essexboy, i should really have thought of that myself
re: the webhost access issue
the webhost has gone through all of their logs but has not been able to determine an exact cause of the problem, so i guess we will never know what it was, never mind. you can close this issue now.
thank you all again for your time and effort, you really helped me out ;D
Glad everything worked out for you. Feel free to come back if you have any other problems.
thanks SafeSurf - i have a feeling that might happen sooner than you think as my laptop doesn’t seem very happy right now either! (i’ll start a new thread for that one though)
Did you share a USB with your friend by any chance?
i do use a usb stick on both machines but i have scanned it and seems clean… i’ll start a new thread for that though
I got the same message while running the Avast boot scan. (MBR 0 is infected by win32:MBROOT-J [Trj]) I downloaded and ran aswMBR.exe and here is the log.
aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-10 15:17:53
15:17:53.312 OS Version: Windows 5.0.2195 Service Pack 4
15:17:53.312 Number of processors: 1 586 0x209
15:17:53.312 ComputerName: PAYROLLPC2008 UserName: 786
15:17:54.406 Initialize success
15:17:57.390 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-2
15:17:57.390 Disk 0 Vendor: Maxtor_6E040L0 NAR61EA0 Size: 0MB BusType: 3
15:17:59.406 Disk 0 MBR read successfully
15:17:59.406 Disk 0 MBR scan
15:17:59.406 Disk 0 unknown MBR code
15:17:59.406 Disk 0 MBR hidden
15:17:59.406 Disk 0 scanning C:\WINNT\system32\drivers
15:18:03.468 Service scanning
15:18:04.515 Disk 0 trace - called modules:
15:18:04.515 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x81c91668]<<
15:18:04.515 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x82046910]
15:18:04.515 3 CLASSPNP.SYS[eb420c60] → nt!IofCallDriver → \Device\0000001d[0x81e4ceb0]
15:18:04.515 5 ACPI.sys[bffde46b] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-2[0x81e35270]
15:18:04.515 Scan finished successfully
15:20:05.875 Disk 0 MBR has been saved successfully to “Q:\tcom\Meg\System Error\MBR.dat”
15:20:05.890 The log file has been saved successfully to “Q:\tcom\Meg\System Error\aswMBR.txt”
Anything I can do to fix this?
Thanks
It may be TDL3
Please read carefully and follow these steps.
[*]Download TDSSKiller and save it to your Desktop.
[*]Extract its contents to your desktop.
[*]Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then click on Start Scan.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillermain.png
[*]If an infected file is detected, the default action will be Cure, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerMal-1.png
[*]If a suspicious file is detected, the default action will be Skip, click on Continue.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerSuspicious.png
[*]It may ask you to reboot the computer to complete the process. Click on Reboot Now.
http://i466.photobucket.com/albums/rr21/JSntgRvr/TDSSKillerCompleted.png
[*]If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
[*]If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste the contents of that file here.