Hello, we have a trojan, Win32:MBRoot-J [Trj], on our computer.
It was detected by Avast Internet Security. Most of the time it says it is found in MBR:\\.\PhysicalDrive 0, other times it says it is in Disk 0 Master Opstart Record, or in d:\documents\MBR.dat.
When in MBR:\\.\PhysicalDrive 0 it cannot be moved to the vault, but it says it can be removed, and that it will do so on the next restart. At first the warning kept popping up every time I started the computer.
I tried to remove it with Avast, that did not work.
I tried Malwarebytes Anti-Malware, but that does not find any virus.
I tried aswMBR, which finds the same infection and says it can fix it, but on the next restart…it’s there again.
I brought the computer to a company; they scanned with G-Data but did not find this Win32:MBRoot-J [Trj]. They did find other infections though, the 75e40981-2f78ac3e and Main.class, and were able to remove them successfully.
They said that if Win32:MBRoot-J [Trj] kept showing up anyway, I should just keep on scanning with Avast until it was able to remove it.
Now after this the Avast warning does not pop up again every time I start the computer, but when I scan (quick scan and/or full scan) with Avast or aswMBR it keeps telling me I have a Win32:MBRoot-J [Trj].
I scanned today again, and it said the Win32:MBRoot-J [Trj] was found in Disk 0 Master Opstart Record (no option of removing to vault or deleting!!) and in d:\documents\MBR.dat (could not be moved to vault, but was successfully deleted).
Again I tried aswMBR, which again finds Win32:MBRoot-J [Trj] and says it can fix it, but on the next restart…it’s there again.
I tried to install this otl.exe, to send you a log, but Avast will not allow me to run the program.
I know virtually nothing about fixing these kinds of problems, which programs to trust etc. What to do???
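The detections described above are of the raw MBR (\\.\PhysicalDrive 0) and of an MBR dump file. As an added example, not code from this thread or from Avast/aswMBR, here is a small Python check that parses a 512-byte MBR image and compares its boot code and partition table against a trusted baseline copy, the kind of check that flags a bootkit that rewrites the boot code on every restart while leaving the partition table intact. It assumes a raw 512-byte dump (a file such as MBR.dat is assumed to be one); the sample images below are constructed, not real boot code.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bytes 0..445: boot code, the part a bootkit overwrites
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE_OFF = 510      # last two bytes must be 0x55 0xAA


def parse_mbr(data: bytes) -> dict:
    """Split a 512-byte raw MBR image into boot-code hash, partition list and signature check."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        entry = data[PART_TABLE_OFF + 16 * i:PART_TABLE_OFF + 16 * (i + 1)]
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 means an empty slot
            parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": data[SIGNATURE_OFF:] == b"\x55\xaa"}


def check_against_baseline(current: bytes, baseline: bytes) -> list:
    """Defender check: report what differs between the current MBR and a trusted baseline copy."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test image: given boot code, one bootable NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # bootable, type 7 (NTFS), 100 MiB
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


# Constructed samples (not real boot code): same partition table, different boot code.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    print(check_against_baseline(CLEAN_MBR, CLEAN_MBR))     # []
    print(check_against_baseline(TAMPERED_MBR, CLEAN_MBR))  # ['boot code differs from baseline']
```

To use it on a real dump, read the file in binary mode and pass its bytes as `current`, with a copy taken while the machine was known clean as `baseline`.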
eh…because I actually have no idea what kind of information I have just put on the internet :-[
For all I know this can also be read and used in some way by people who do not have the best intentions.
I guess I just have to trust everyone on the avast forum to be as good and kind as I am myself. ;D
I understand your concern for putting some of this information out here but let me assure you that there is nothing that will show in the scans that I myself would not show as well.
- Extract it to your desktop
- Double click TDSSKiller.exe
- When the window opens, click on Change Parameters
- Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
- Click OK
- Press Start Scan
- Only if malicious objects are found, then ensure Cure is selected
- Then click Continue > Reboot now
- Attach the log in your next reply
- A copy of the log will be saved automatically to the root of the drive (typically C:)
Good job getting that run. We got rid of the really bad one but there are still more. We will need to keep OTL for the duration, so if you need to, be sure to add OTL to avast’s exclusion list.
Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT however creates a complete backup set, including the Security hive and user related sections. ERUNT is easy to use and since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember, if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.
Run OTL.exe
- Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL
- Then click the Run Fix button at the top
- Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
- Then run a new scan and attach a new OTL log (don’t check the boxes beside LOP Check or Purity this time)
For the backup of the registry → can I safely back up to my normal external hard drive? Or could that cause the viruses to transfer to the external hard drive?
For the rest → I have to go away for a part of the evening now, so that will take a bit longer. But thanks for your help so far, and please wait for my response later this evening or tomorrow.
For the backup of the registry --> can I safely back up to my normal external hard drive? Or could that cause the viruses to transfer to the external hard drive?
It's possible that it could jump but not very likely...I think you will be ok. :)
For the rest --> I have to go away for a part of the evening now, so that will take a bit longer
I will follow your next steps soon, but I would also like to let you know that I ran an Avast full scan again while I was away. It found the Win32:MBRoot-J [Trj] in
C:.…Documents & Settings\Downloads\MBR.dat and
(no surprise I think) in C:\TDSSKiller-Quarantine\12.04.2012_17.10.24\mbr0000\mbr0000\tsk0000.dta and …tsk00001.dta
When I try to move these to the virus vault it says (translated from Dutch by myself…) “Virus vault server is not operational. RPC communication failed (2147422219)”.
Can I do / Do I have to do something to activate the virus vault server?
Done, please find the logs attached. The first log is from the Run Fix, the second log is from a normal scan, not a quick scan, because when I start a quick scan the LOP and Purity Check are checked automatically.
It looks like the fix did not take correctly. Could you follow the same set of instructions in post #11 and attach the new logs that are made please.
Oh…by the way, the files you are trying to remove are locked in the TDSSKiller quarantine and we will remove those later. Avast is probably just picking them up, but they are fine now.