Win32:MBRoot-J [Trj]

Hello, we have a trojan on our computer: Win32:MBRoot-J [Trj].
It was detected by Avast Internet Security. Most of the time it says it is found in MBR:\\.\PhysicalDrive 0; other times it says it is in Disk 0 Master Boot Record, or in d:\documents\MBR.dat.
When it is in MBR:\\.\PhysicalDrive 0 it cannot be moved to the vault, but it says it can be removed, and that it will do so on the next restart. At first the warning kept popping up every time I started the computer.

I tried to remove it with Avast; that did not work.
I tried Malwarebytes Anti-Malware; that does not find any virus.
I tried aswMBR; that finds the same infection and says it can fix it, but after the next restart it's there again.

I brought the computer to a company; they scanned with G-Data but did not find this Win32:MBRoot-J [Trj]. They did find other infections, though, the 75e40981-2f78ac3e and Main.class, and were able to remove them successfully.
They said that if Win32:MBRoot-J [Trj] kept showing up anyway, I should just keep on scanning with Avast until it was able to remove it.
Now, after this, the Avast warning does not pop up every time I start the computer any more, but when I scan (quick scan and/or full scan) with Avast or aswMBR it keeps telling me I have a Win32:MBRoot-J [Trj].

I scanned again today, and it said the Win32:MBRoot-J [Trj] was found in Disk 0 Master Boot Record (no option of removing to the vault or deleting!!) and in d:\documents\MBR.dat (could not be moved to the vault, but was successfully deleted).
Again I tried aswMBR, which again finds Win32:MBRoot-J [Trj] and says it can fix it, but after the next restart it's there again.

I tried to install this otl.exe to send you a log, but avast will not allow me to run the program.

I know virtually nothing about fixing these kinds of problems, which programs to trust, etc. What to do???

Thanks for your help, Saskia

I tried to install this otl.exe to send you a log, but avast will not allow me to run the program.
If this is the avast sandbox, click "run normal"; if not, right-click the avast tray icon and disable the shields, then try again.

See the guide here and attach the logs from Malwarebytes / OTL / aswMBR:
http://forum.avast.com/index.php?topic=53253.0

The log from: Malwarebytes Anti-Malware 1.61.0.1400
www.malwarebytes.org

Database version: v2012.04.12.02

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702

12-04-2012 15:12
mbam-log-2012-04-12 (15-12-27).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 231999
Time elapsed: 3 minute(s), 45 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

It was the Sandbox; I told it to open normally and it worked. Thanks. Now I just hope I have not been a fool to do so… :wink:

The logs from OTL.exe are attached

and last but not least the log from aswMBR

Now I just hope I have not been a fool to do so...
why?

Now relax and wait for Essexboy or jeffce to arrive :wink:

Eh… because I actually have no idea what kind of information I have just put on the internet :-[
For all I know this can also be read and used in some way by people who do not have the best intentions.

I guess I just have to trust everyone on the avast forum to be as good and kind as I am myself. ;D

Mostly technical info…
Anyway, when the removal specialists are done cleaning your comp, you can edit your post(s) and delete the logs.

Hi,

I understand your concern for putting some of this information out here but let me assure you that there is nothing that will show in the scans that I myself would not show as well. :slight_smile:

Seems like we have some work to do…

Please download TDSSKiller.zip

[*]Extract it to your desktop
[*]Double click TDSSKiller.exe
[*]When the window opens, click on Change Parameters
[*]Under "Additional options", put a check mark in the box next to "Detect TDLFS File System"
[*]click OK
[*]Press Start Scan

[*]Only if Malicious objects are found then ensure Cure is selected
[*]Then click Continue > Reboot now

[*]Attach the log in your next reply

[*]A copy of the log will be saved automatically to the root of the drive (typically C:)
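
The detections in this thread all point at the same 512-byte sector: the Master Boot Record of PhysicalDrive 0. A bootkit of this kind replaces the loader code at the start of the sector but has to leave the partition table intact, otherwise Windows would no longer boot, and "fixing" the sector only helps if nothing still running on the box writes the hook back on the next reboot. The following Python is an added example, not code from the thread or from Avast, aswMBR or TDSSKiller: it parses an MBR, compares its boot-code region against a known-good digest, reports which regions differ, and rebuilds the sector by restoring the boot code while preserving the disk signature and partition table (which is, in outline, what an MBR "fix" does). The sector and the "known good" boot code are constructed placeholders; on a real Windows machine the live sector is read as Administrator from `\\.\PhysicalDrive0`.

```python
"""Inspect a 512-byte MBR and repair its boot code while keeping the partition table.

Added example for the thread above; not part of any AV vendor's tooling.
Layout used (standard classic MBR):
  0x000-0x1B7  boot code (440 bytes)
  0x1B8-0x1BD  32-bit Windows disk signature + 2 reserved bytes
  0x1BE-0x1FD  four 16-byte partition entries
  0x1FE-0x1FF  boot signature 0x55 0xAA
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 0x1B8
DISK_SIG_OFF = 0x1B8
PART_TABLE_OFF = 0x1BE
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 0x1FE
BOOT_SIGNATURE = b"\x55\xAA"


def parse_partitions(sector: bytes) -> list[dict]:
    """Decode the non-empty primary partition entries of an MBR."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[BOOT_SIG_OFF:] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_digest(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; compare against a stored baseline."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def changed_regions(before: bytes, after: bytes) -> list[str]:
    """Name the MBR regions that differ. A bootkit typically changes boot_code only."""
    regions = {
        "boot_code": (0, BOOT_CODE_LEN),
        "disk_signature": (DISK_SIG_OFF, PART_TABLE_OFF),
        "partition_table": (PART_TABLE_OFF, BOOT_SIG_OFF),
        "boot_signature": (BOOT_SIG_OFF, SECTOR_SIZE),
    }
    return [name for name, (lo, hi) in regions.items() if before[lo:hi] != after[lo:hi]]


def repair_boot_code(sector: bytes, known_good: bytes) -> bytes:
    """Restore the loader code but keep disk signature, partition table and 0x55AA."""
    if len(known_good) != BOOT_CODE_LEN:
        raise ValueError("known-good boot code must be 0x1B8 bytes")
    return known_good + sector[BOOT_CODE_LEN:]


# ---- constructed sample data (NOT a real disk image) ----
# Placeholder "known good" loader: a few plausible opcodes padded with NOPs.
KNOWN_GOOD_BOOT_CODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_LEN - 5)
KNOWN_GOOD_DIGEST = hashlib.sha256(KNOWN_GOOD_BOOT_CODE).hexdigest()


def build_sample_mbr(boot_code: bytes) -> bytes:
    """One bootable NTFS (0x07) partition starting at LBA 63, 20 GiB of 512-byte sectors."""
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xFE\xFF\xFF", 63, 41943040)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return boot_code + disk_sig + table + BOOT_SIGNATURE


CLEAN_MBR = build_sample_mbr(KNOWN_GOOD_BOOT_CODE)
# Simulated bootkit: identical partition table, loader code swapped out.
INFECTED_MBR = build_sample_mbr(b"\xEB\xFE" + b"\xCC" * (BOOT_CODE_LEN - 2))


if __name__ == "__main__":
    print("partitions:", parse_partitions(INFECTED_MBR))
    print("boot code matches baseline:", boot_code_digest(INFECTED_MBR) == KNOWN_GOOD_DIGEST)
    print("regions changed vs clean:", changed_regions(CLEAN_MBR, INFECTED_MBR))
    print("repaired == clean:", repair_boot_code(INFECTED_MBR, KNOWN_GOOD_BOOT_CODE) == CLEAN_MBR)
```

To apply this to a real drive you would read the first 512 bytes of `\\.\PhysicalDrive0` (elevated) into `sector`, take `boot_code_digest()` once while the machine is known clean, and re-check it after every reboot. If the digest reverts after a repair, as aswMBR's fix did for Saskia, the sector is not the root of the problem: something that runs earlier or with higher privilege is re-writing it, which is why the next step in the thread is a scan that also looks for a hidden file system on the disk.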


Thanks. Attached is the TDSSKiller log.

p.s.: Avast still does not trust OTL.exe and has asked me to send it to their virus lab to be analysed.

Can I remove OTL.exe now from my computer, or will I be needing it again?

Hi,

Good job getting that to run. We got rid of the really bad one, but there are still more. We will need to keep OTL for the duration, so if you need to, be sure to add OTL to avast's exclusion list.

Please download ERUNT (Emergency Recovery Utility NT). This program allows you to keep a complete backup of your registry and restore it when needed. The standard registry backup options that come with Windows back up most of the registry but not all of it. ERUNT, however, creates a complete backup set, including the Security hive and user-related sections. ERUNT is easy to use and, since it creates a full backup, there are no options or choices other than to select the location of the backup files. The backup set includes a small executable that will launch the registry restore if needed. Remember: if you are using Windows Vista as your operating system, right-click the executable and Run as Administrator.

Run OTL.exe

[*]Copy/paste the following text written inside of the code box into the Custom Scans/Fixes box located at the bottom of OTL


:Services

:OTL
IE - HKLM\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKLM\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://search.live.com/results.aspx?q={searchTerms}&src={referrer:source?}
IE - HKCU\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.google.nl/
IE - HKCU\..\SearchScopes,DefaultScope = {0633EE93-D776-472f-A0FF-E1416B8B2E3A}
IE - HKCU\..\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}: "URL" = http://www.bing.com/search?q={searchTerms}&src=IE-SearchBox&FORM=IE8SRC
O32 - AutoRun File - [2007-09-17 20:48:04 | 000,263,744 | R--- | M] (Firaxis Games) - G:\autorun.exe -- [ UDF ]
O32 - AutoRun File - [2007-09-20 04:18:35 | 000,006,276 | R--- | M] () - G:\autorun.inf -- [ UDF ]
O33 - MountPoints2\{71b335a1-183c-11e1-b97b-806d6172696f}\Shell - "" = AutoRun
O33 - MountPoints2\{71b335a1-183c-11e1-b97b-806d6172696f}\Shell\AutoRun\command - "" = H:\setup.exe
O33 - MountPoints2\G\Shell - "" = AutoRun
O33 - MountPoints2\G\Shell\AutoRun\command - "" = G:\autorun.exe -- [2007-09-17 20:48:04 | 000,263,744 | R--- | M] (Firaxis Games)
[7 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]
[1 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[2011-12-03 20:10:03 | 000,010,752 | ---- | C] () -- C:\Documents and Settings\Saskia & Theo\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2011-11-27 13:55:00 | 000,000,029 | ---- | C] () -- C:\WINDOWS\DEBUGSM.INI

:Files
ipconfig /flushdns /c

:Commands
[purity]
[emptytemp]
[start explorer]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered. There will be a log created when it completes that I will need in your next reply. Reboot when it is done.
[*]Then run a new scan and attach a new OTL log ( don’t check the boxes beside LOP Check or Purity this time )

For the backup of the registry → can I safely back up to my normal external hard drive? Or could that cause the viruses to transfer to the external hard drive?

For the rest → I have to go away for part of the evening now, so that will take a bit longer. But thanks for your help so far, and please wait for my response later this evening or tomorrow.

For the backup of the registry --> can I safely back up to my normal external hard drive? Or could that cause the viruses to transfer to the external hard drive?
It's possible that it could jump, but not very likely... I think you will be ok. :)
For the rest --> I have to go away for part of the evening now, so that will take a bit longer
Not a problem... take your time. :)

I will follow your next steps soon, but I would also like to let you know that I ran an Avast full scan again while I was away. It found the Win32:MBRoot-J [Trj] in
C:.…Documents & Settings\Downloads\MBR.dat and
(no surprise, I think) in C:\TDSSKiller-Quarantine\12.04.2012_17.10.24\mbr0000\mbr0000\tsk0000.dta and …tsk00001.dta

When I try to move these to the virus vault it says (translated from Dutch by myself…) "Virus vault server is not operational. RPC communication failed (2147422219)".

Can I do / Do I have to do something to activate the virus vault server?

Thanks again, Saskia

Done, please find the logs attached. The first log is from the Run Fix; the second log is from a normal scan, not a quick scan, because when I start a quick scan the LOP and Purity checks are checked automatically.

Hi,

It looks like the fix did not take correctly. Could you follow the same set of instructions in post #11 and attach the new logs that are made please. :slight_smile:

Oh… by the way, the files you are trying to remove are locked in the TDSSKiller quarantine and we will remove those later. Avast is probably just picking them up, but they are fine now. :slight_smile:

Including the ERUNT?

Yes please. :slight_smile:

Done, see attached