Win32:MBRoot-J [Trj] I have it.

It would appear that I have this "thing" and would like it gone. Avast found it. Malwarebytes did not. The computer is starting to hang and do odd things. About the only program that still runs fine is MSTS, and that has a lot of payware attached to it, so I do not want to have to reinstall it. (Backups made of all the payware stuff I have for the game and also the hard-won updates, scene files and so forth, but I guess that is not the point.)
What would you need me to do to get the ball rolling on removal?
Thank you in advance
Grant

You say Avast found it... what did Avast do with it?

Follow this guide and attach (not copy and paste) logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

I have downloaded the programs you suggested and will attach the files you requested asap. Avast would not move the thing to the virus chest, with an error code of (50).

OK

When you have attached the logs, a malware remover will be notified...

They are volunteer workers and do this in their free time.
Depending on what time zone and what else they have to do in their lives, it may take several hours before any arrive, so just be patient.

Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.05.23.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
grant :: GKERR_HOME [administrator]

23/05/2012 6:18:54 PM
mbam-log-2012-05-23 (18-18-54).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM | P2P
Scan options disabled:
Objects scanned: 216176
Time elapsed: 4 minute(s), 48 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

Hope this was quick enough. Will try to run the next program as suggested when the machine stops freezing. Please be patient with me.

I cannot save in ANSI. The machine just freezes up. This is getting quite frustrating for me, as I know roughly what is needed but cannot get it to do it. Sorry.

Same thing again. Only this time the DAT file will not post. Sorry. Guess it is F disc time tomorrow.
OK. I have managed after much hassle to get the MBR log file into text only. ANSI is not going to happen.

Copy of TDSSKiller

Well, you must have done it... saved as ANSI... if not, the logs would look like Chinese.

Malware remover is notified... should be here in 4-5 hours.

Well, TDSSKiller took out the Mebroot infection... On completion of this run, can you let me know what problems you are having?

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems.

Be advised that when the fix commences it will shut down all running processes, and you may lose the desktop and icons; they will return on reboot.

If you have Malwarebytes 1.6 or better installed, please disable it for the duration of this run.
To disable MBAM:
Open the scanner and select the protection tab
Remove the tick from “Start with Windows”
Reboot and then run OTL

http://i1224.photobucket.com/albums/ee362/Essexboy3/mbamstop.jpg

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xcpip.sys -- (xcpip)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\7r6gi.sys -- (7r6gi.sys)
IE - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/421
IE - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\..\SearchScopes\{1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}: "URL" = http://www.crawler.com/search/dispatcher.aspx?tp=bs&qkw={searchTerms}&tbid=60347
IE - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\..\SearchScopes\{9BB47C17-9C68-4BB3-B188-DD9AF0FD2421}: "URL" = http://www.searchqu.com/web?src=ieb&appid=0&systemid=421&sr=0&q={searchTerms}
IE - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O2 - BHO: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O3 - HKLM\..\Toolbar: (no name) - 10 - No CLSID value found.
O3 - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {4B3803EA-5230-4DC3-A7FC-33638F3D3542} - No CLSID value found.
O3 - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\..\Toolbar\WebBrowser: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Infodelivery present

:Files
ipconfig /flushdns /c

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]


[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; reboot the PC when it is done.
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.
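As an added example (not code from this thread, from OTL, or from the helper), here is a small Python parser for the entry lines in the :OTL section above. It pulls out the three things the fix acts on: drivers still registered although their file is missing, the hosts that the IE start page and search scopes point at, and BHO/toolbar registrations whose CLSID no longer resolves. The sample lines are a constructed subset copied from the fix above.

```python
import re
from urllib.parse import urlparse

# Constructed sample in the shape of the :OTL section above; the values are copied from the thread's fix.
SAMPLE_OTL = r"""
DRV - File not found [Kernel | On_Demand | Running] -- C:\WINDOWS\system32\drivers\xpsec.sys -- (xpsec)
DRV - File not found [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\7r6gi.sys -- (7r6gi.sys)
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (61356194)
IE - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.searchqu.com/421
IE - HKU\S-1-5-21-1292428093-1897051121-1417001333-1003\..\SearchScopes\{afdbddaa-5d3f-42ee-b79c-185a7020515b}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT2786678
O2 - BHO: (Searchqu Toolbar) - {99079a25-328f-4bd4-be04-00955acaa0a7} - C:\Program Files\Windows Searchqu Toolbar\Datamngr\ToolBar\searchqudtx.dll ()
O3 - HKLM\..\Toolbar: (no name) - {D4027C7F-154A-4066-A1AD-4243D8127440} - No CLSID value found.
"""

DRV_RE = re.compile(r"^DRV - (?P<info>.*?)\s*\[(?P<flags>[^\]]*)\] -- (?P<path>.*?) ?-- \((?P<name>[^)]*)\)$")
BHO_RE = re.compile(r"^(?P<section>O[23]) - (?P<where>[^:]+): \((?P<name>[^)]*)\) - (?P<clsid>\S+) - (?P<target>.*)$")

def parse_line(line):
    """Turn one :OTL entry line into a dict; line shapes this parser does not know return None."""
    m = DRV_RE.match(line)
    if m:  # driver entry: the path may be empty, as in the "(61356194)" line
        drv_type, start, state = [f.strip() for f in m["flags"].split("|")]
        return {"type": "DRV", "name": m["name"], "path": m["path"], "kind": drv_type,
                "start": start, "state": state, "missing": m["info"] == "File not found"}
    if line.startswith("IE - ") and " = " in line:  # start page / search scope registry value
        key, value = line[5:].split(" = ", 1)
        return {"type": "IE", "key": key, "url": value, "host": urlparse(value).hostname or ""}
    m = BHO_RE.match(line)
    if m:  # O2 = browser helper object, O3 = toolbar
        return {"type": m["section"], "name": m["name"], "clsid": m["clsid"], "target": m["target"]}
    return None

def parse_otl(text):
    """Parse every recognised entry line in an :OTL section, skipping blanks and unknown shapes."""
    return [e for e in (parse_line(l.strip()) for l in text.splitlines()) if e]

def running_missing_drivers(entries):
    """Kernel drivers whose file is gone but which OTL still reports as Running."""
    return [e["name"] for e in entries if e["type"] == "DRV" and e["missing"] and e["state"] == "Running"]

def search_hosts(entries):
    """Hosts the IE start page and search scopes point at, to compare against what the user chose."""
    return sorted({e["host"] for e in entries if e["type"] == "IE"})

def orphaned_bhos(entries):
    """BHO/toolbar registrations whose CLSID no longer resolves to anything."""
    return [e["clsid"] for e in entries if e["type"] in ("O2", "O3") and e["target"].startswith("No CLSID")]
```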

Thank you for the assistance, greatly appreciated. The machine appears to be functioning OK. Anything else that you may see in the log file I will try and fix at your suggestion. Again, thank you.
Grant

I will remove the Kaspersky drivers and the last of Searchqu.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems.

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself, so... The following will implement some cleanup procedures as well as reset System Restore points:

Run OTL
[*]Under the Custom Scans/Fixes box at the bottom, paste in the following:

:OTL
DRV - File not found [Kernel | On_Demand | Stopped] -- -- (61356194)
DRV - [2012/05/23 21:36:41 | 000,098,992 | ---- | M] (Kaspersky Lab, GERT) [Kernel | On_Demand | Stopped] -- C:\WINDOWS\system32\drivers\12945924.sys -- (30950800)
[2012/05/23 21:46:43 | 000,000,000 | ---D | C] -- C:\TDSSKiller_Quarantine
[2012/05/23 21:36:41 | 000,098,992 | ---- | C] (Kaspersky Lab, GERT) -- C:\WINDOWS\System32\drivers\12945924.sys
[2012/05/23 21:14:27 | 002,108,352 | ---- | M] () -- C:\Documents and Settings\grant\Desktop\tdsskiller (1).zip
[2010/11/01 18:48:08 | 000,000,000 | ---D | M] -- C:\Documents and Settings\grant\Application Data\AVP 2009
[2011/12/29 18:53:03 | 000,000,000 | ---D | M] -- C:\Documents and Settings\grant\Application Data\searchquband
[2011/12/29 18:53:12 | 000,000,000 | ---D | M] -- C:\Documents and Settings\grant\Application Data\searchqutoolbar

:Commands
[resethosts]
[emptytemp]
[CLEARALLRESTOREPOINTS]
[Reboot]

[*]Then click the Run Fix button at the top.
[*]Let the program run unhindered; reboot the PC when it is done.

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

We will now confirm that your hidden files are set to that, as some of the tools I use will change it:
[*]Click Start.
[*]Open My Computer.
[*]Select the Tools menu and click Folder Options.
[*]Select the View Tab.
[*]Under the Hidden files and folders heading select Do not show hidden files and folders.
[*]Click Yes to confirm.
[*]Click OK.

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

Malwarebytes.

Update and run it weekly to keep your system clean.

Download and install FileHippo Update Checker and run it monthly; it will show you which programmes on your system need updating and give a download link.

It is critical to have both a firewall and antivirus to protect your system, and to keep them updated. To keep your operating system up to date, visit:
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide "How did I get infected in the first place?" Keep safe :wave:

A big thank you, and I have done what you asked. MBAM I already have, and it is version 1.61.0.1400. The firewall is normally on, and I dropped it to make it easier for you. :) It is back on. FileHippo is downloaded and I will run it shortly. Windows is set to auto update, so it should be OK, but I will check with Explorer as MS does not like Chrome.
Again, a big thanks, and waving... not drowning. :slight_smile:

Glad to assist - enjoy ;D