Win32:MBRoot-J

Hello,
There's a trojan on my computer: Win32:MBRoot-J

I have scanned my computer with aswMBR
and this is my log:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-13 10:35:56

10:35:56.968 OS Version: Windows 5.1.2600 Service Pack 3
10:35:56.968 Number of processors: 2 586 0xF0D
10:35:56.968 ComputerName: PC_JOELLE UserName: cbt
10:35:57.593 Initialize success
10:35:57.687 AVAST engine defs: 11091201
10:36:00.078 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
10:36:00.078 Disk 0 Vendor: WDC_WD80 10.0 Size: 76293MB BusType: 3
10:36:02.078 Disk 0 MBR read successfully
10:36:02.078 Disk 0 MBR scan
10:36:02.078 Disk 0 Windows XP default MBR code
10:36:02.078 Disk 0 scanning sectors +156232125
10:36:02.187 Disk 0 scanning C:\WINDOWS\system32\drivers
10:36:16.046 Service scanning
10:36:17.359 Modules scanning
10:36:21.750 Disk 0 trace - called modules:
10:36:21.750 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d42000]<<
10:36:21.750 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86dd2ab8]
10:36:21.750 3 CLASSPNP.SYS[f75e6fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x86d7b030]
10:36:22.093 AVAST engine scan C:\WINDOWS
10:36:45.328 AVAST engine scan C:\WINDOWS\system32
10:38:16.968 AVAST engine scan C:\WINDOWS\system32\drivers
10:38:29.421 AVAST engine scan C:\Documents and Settings\cbt
10:40:02.875 AVAST engine scan C:\Documents and Settings\All Users
10:40:17.921 Scan finished successfully
10:47:28.750 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\cbt\Mijn documenten\MBR.dat”
10:47:28.750 The log file has been saved successfully to “C:\Documents and Settings\cbt\Mijn documenten\aswMBR.txt”

What do I need to do next?
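Added example, not code from the thread or from aswMBR: a small Python triage script for logs like the one above, written from the responder's side. It checks that the MBR was read and matched stock Windows boot code, and it flags the `>>UNKNOWN [...]<<` entry in the "called modules" trace, which is the line a helper looks at first: a module that is not a known driver sitting between disk.sys and the storage port driver is how an MBR rootkit such as Mebroot filters disk reads, so the on-disk MBR can still report as "default" while the machine is infected. The log text is a constructed sample modelled on the quoted output, and the matched strings are heuristics taken from that output, not a documented aswMBR log format.

```python
"""Triage an aswMBR text log for MBR rootkit indicators (added example).

Heuristics are taken from the log quoted in the thread, not from any
documented aswMBR format; adjust the patterns if your version differs.
"""
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the log quoted in the first post.
SAMPLE_LOG = """\
10:36:02.078 Disk 0 MBR read successfully
10:36:02.078 Disk 0 MBR scan
10:36:02.078 Disk 0 Windows XP default MBR code
10:36:02.078 Disk 0 scanning sectors +156232125
10:36:21.750 Disk 0 trace - called modules:
10:36:21.750 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d42000]<<
10:36:21.750 1 nt!IofCallDriver -> \\Device\\Harddisk0\\DR0[0x86dd2ab8]
10:36:21.750 3 CLASSPNP.SYS[f75e6fd7] -> nt!IofCallDriver -> \\Device\\Ide\\IAAStorageDevice-1[0x86d7b030]
10:36:22.093 AVAST engine scan C:\\WINDOWS
10:40:17.921 Scan finished successfully
"""

# Constructed clean variant: same trace, but every module in the chain is known.
CLEAN_LOG = SAMPLE_LOG.replace(
    "ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d42000]<<",
    "ntkrnlpa.exe CLASSPNP.SYS disk.sys")

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d{3}) (.*)$")   # timestamp + message
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")   # unidentified module
CHAIN_RE = re.compile(r"^\d+ (.+)$")                            # numbered call-chain hop


@dataclass
class Triage:
    mbr_read_ok: bool = False
    mbr_code_recognised: bool = False
    unknown_modules: list = field(default_factory=list)
    call_chains: list = field(default_factory=list)
    scan_finished: bool = False

    @property
    def suspicious(self) -> bool:
        # Either indicator alone is enough to escalate (the thread's "attach the logs" step).
        return bool(self.unknown_modules) or not self.mbr_code_recognised


def parse_aswmbr_log(text: str) -> Triage:
    """Walk the log once, collecting MBR status and the disk driver call chain."""
    t = Triage()
    in_trace = False
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        msg = m.group(2)
        if "MBR read successfully" in msg:
            t.mbr_read_ok = True
        elif "default MBR code" in msg:
            t.mbr_code_recognised = True
        elif msg.endswith("trace - called modules:"):
            in_trace = True
        elif msg.startswith("AVAST engine scan"):
            in_trace = False
        elif msg.startswith("Scan finished"):
            t.scan_finished = True
        elif in_trace:
            unk = UNKNOWN_RE.search(msg)
            if unk:
                t.unknown_modules.append(unk.group(1))
            chain = CHAIN_RE.match(msg)
            if chain:
                # The forum rendering shows the arrow as "→"; real logs use "->".
                hops = re.split(r"->|→", chain.group(1))
                t.call_chains.append([h.strip() for h in hops])
    return t


def findings(t: Triage) -> list:
    """Human-readable reasons to escalate; empty list means nothing stood out."""
    out = []
    if not t.mbr_read_ok:
        out.append("MBR could not be read; rerun the scan before drawing conclusions")
    if not t.mbr_code_recognised:
        out.append("MBR boot code not recognised as stock Windows boot code")
    for addr in t.unknown_modules:
        out.append(f"unknown kernel module at {addr} sits in the disk I/O path (hooked disk stack)")
    if not t.scan_finished:
        out.append("scan did not finish; the log may be incomplete")
    return out


if __name__ == "__main__":
    for line in findings(parse_aswmbr_log(SAMPLE_LOG)):
        print("-", line)
```

Run it against a saved aswMBR.txt by passing the file contents to `parse_aswmbr_log`; on the quoted log it reports the unknown module at 0x86d42000 even though the MBR line itself reads "default", which is exactly why the helpers in this thread ask for the full log rather than just the verdict.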

Follow the guide here and attach the logs: http://forum.avast.com/index.php?topic=53253.0

Lower left corner > Additional Options > Attach.
If the logs are too big, upload to http://www.mediafire.com/ and post the download link here.

Essexboy will look at the logs when he arrives, usually around 08:00pm - 11:59pm UK time.

Thank you

See attached files!

And the log from aswMBR:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-13 11:42:21

11:42:21.781 OS Version: Windows 5.1.2600 Service Pack 3
11:42:21.781 Number of processors: 2 586 0xF0D
11:42:21.781 ComputerName: PC_JOELLE UserName: cbt
11:42:22.453 Initialize success
11:42:22.640 AVAST engine defs: 11091300
11:42:24.500 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
11:42:24.500 Disk 0 Vendor: WDC_WD80 10.0 Size: 76293MB BusType: 3
11:42:26.500 Disk 0 MBR read successfully
11:42:26.500 Disk 0 MBR scan
11:42:26.500 Disk 0 Windows XP default MBR code
11:42:26.500 Disk 0 scanning sectors +156232125
11:42:26.562 Disk 0 scanning C:\WINDOWS\system32\drivers
11:42:34.796 Service scanning
11:42:35.718 Modules scanning
11:42:39.890 Disk 0 trace - called modules:
11:42:39.890 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d3d000]<<
11:42:39.890 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86dd2ab8]
11:42:39.890 3 CLASSPNP.SYS[f75e6fd7] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x86d6b030]
11:42:40.250 AVAST engine scan C:\WINDOWS
11:42:54.796 AVAST engine scan C:\WINDOWS\system32
11:44:19.156 AVAST engine scan C:\WINDOWS\system32\drivers
11:44:31.781 AVAST engine scan C:\Documents and Settings\cbt
11:44:43.265 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\cbt\Bureaublad\MBR.dat”
11:44:43.281 The log file has been saved successfully to “C:\Documents and Settings\cbt\Bureaublad\aswMBR.txt”

And the Malwarebytes log?

Let's not forget the basic questions:
What is the infected file name, and where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
What scan detected this?

See attached file for the Malwarebytes log.

The virus was found by avast and FCleaner.
See attached files.

Seems you can try deleting your system restore files and cleaning the Java cache.

I have cleaned the Java cache already, so that is solved.

How do I delete my system restore files?

Could you not send them to the chest in the avast scan (it should be able to remove them)?

The C:\System Volume Information folder is a part of the system restore function and as such is protected by Windows; the only really effective way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and, if clear, enable system restore.

http://windowxptutortips.blogspot.com/2006/07/how-to-delete-system-restore-points.html

Hi, I can see two suspicious drivers; however, OTL is not strong enough to remove them if they are what I suspect.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here.

  * Double click on ComboFix.exe & follow the prompts.
  * Accept the disclaimer and allow it to update if it asks.

http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png

http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png

  * When finished, it shall produce a log for you.
  * Please include the C:\ComboFix.txt in your next reply.

Notes:

  1. Do not mouse-click Combofix’s window while it is running. That may cause it to stall.
  2. Do not “re-run” Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

DavidR: no, this wasn't possible.

Essexboy: see attached file

The computer seems to be running normally, but it was before that also.

I take it you mean move them to the chest?
Or weren't you able to manually disable system restore, reboot and enable system restore to clear all restore points?

I mean move to chest,
I haven't restored yet.

What are your current problems?

There still is a trojan on my computer (so FCleaner says).
I have made a payment with ING online banking and my TAN has been blocked, because they had found a virus on my computer. Then I tried to clean my computer, but it still says the virus is on my computer and it is not easy to clear it with another program.

So I cannot pay anymore with ING online banking.

My computer seems to work normally, though it is slow sometimes. I do not know right now if the virus (trojan) is on my computer for bad intentions.

What virus does FCleaner detect and what is its location?

This is what FCleaner says:

[13-09-2011 13:37:59] FCleaner v1.5.0.0 Loading…
[13-09-2011 13:38:00] Mebroot Infection Found!
[13-09-2011 13:38:00] FCleaner has detected malware on your system!
[13-09-2011 13:38:00] Please press the “Clean” button to remove the malware

It does not give a location, and if I want to clean it, it says that I have a big problem and need assistance, because FCleaner can't clean it…