Avast WEBforum

Other => Viruses and worms => Topic started by: seahorses on September 13, 2011, 10:49:58 AM

Title: Win32:MBRoot-J
Post by: seahorses on September 13, 2011, 10:49:58 AM
Hello,
There's a trojan on my computer: Win32:MBRoot-J

I have scanned my computer with aswMBR
and this is my log:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-13 10:35:56
-----------------------------
10:35:56.968    OS Version: Windows 5.1.2600 Service Pack 3
10:35:56.968    Number of processors: 2 586 0xF0D
10:35:56.968    ComputerName: PC_JOELLE  UserName: cbt
10:35:57.593    Initialize success
10:35:57.687    AVAST engine defs: 11091201
10:36:00.078    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
10:36:00.078    Disk 0 Vendor: WDC_WD80 10.0 Size: 76293MB BusType: 3
10:36:02.078    Disk 0 MBR read successfully
10:36:02.078    Disk 0 MBR scan
10:36:02.078    Disk 0 Windows XP default MBR code
10:36:02.078    Disk 0 scanning sectors +156232125
10:36:02.187    Disk 0 scanning C:\WINDOWS\system32\drivers
10:36:16.046    Service scanning
10:36:17.359    Modules scanning
10:36:21.750    Disk 0 trace - called modules:
10:36:21.750    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d42000]<<
10:36:21.750    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dd2ab8]
10:36:21.750    3 CLASSPNP.SYS[f75e6fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86d7b030]
10:36:22.093    AVAST engine scan C:\WINDOWS
10:36:45.328    AVAST engine scan C:\WINDOWS\system32
10:38:16.968    AVAST engine scan C:\WINDOWS\system32\drivers
10:38:29.421    AVAST engine scan C:\Documents and Settings\cbt
10:40:02.875    AVAST engine scan C:\Documents and Settings\All Users
10:40:17.921    Scan finished successfully
10:47:28.750    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\cbt\Mijn documenten\MBR.dat"
10:47:28.750    The log file has been saved successfully to "C:\Documents and Settings\cbt\Mijn documenten\aswMBR.txt"


What do I need to do next?
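As an added example (not from this thread or from AVAST), a small Python parser for the aswMBR log format posted above: it pulls out the per-disk MBR verdict and any `>>UNKNOWN [...]<<` entry in the "trace - called modules" line, which is the first thing a helper checks when an MBR rootkit is suspected. The sample input is copied from the log in the first post; `parse_aswmbr` and `triage` are names assumed here.

```python
import re

# Sample lines copied from the aswMBR log in the first post of this thread.
SAMPLE_LOG = """\
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
10:36:02.078    Disk 0 Windows XP default MBR code
10:36:21.750    Disk 0 trace - called modules:
10:36:21.750    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d42000]<<
10:40:17.921    Scan finished successfully
"""

TS = r"^\d{2}:\d{2}:\d{2}\.\d{3}\s+"  # timestamp that prefixes every event line
VERSION_RE = re.compile(r"^aswMBR version (\S+)")
MBR_RE = re.compile(TS + r"Disk (\d+) (.+ MBR code)$")
TRACE_RE = re.compile(TS + r"Disk (\d+) trace - called modules:$")
UNKNOWN_RE = re.compile(r">>UNKNOWN \[(0x[0-9a-fA-F]+)\]<<")

def parse_aswmbr(text):
    """Extract MBR verdict per disk, unattributed code in the disk I/O trace, and completion."""
    report = {"version": None, "mbr": {}, "unknown": {}, "finished": False}
    lines = [line.rstrip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        if m := VERSION_RE.match(line):
            report["version"] = m.group(1)
        elif m := MBR_RE.match(line):
            report["mbr"][int(m.group(1))] = m.group(2)
        elif m := TRACE_RE.match(line):
            # Module list sits on the next line; code aswMBR cannot map to a
            # loaded driver is printed as >>UNKNOWN [address]<< in that chain.
            nxt = lines[i + 1] if i + 1 < len(lines) else ""
            report["unknown"][int(m.group(1))] = UNKNOWN_RE.findall(nxt)
        elif line.endswith("Scan finished successfully"):
            report["finished"] = True
    return report

def triage(report):
    """Turn the parsed log into plain-language notes for whoever reads it."""
    notes = []
    for disk, verdict in report["mbr"].items():
        if "default MBR code" in verdict:
            notes.append(f"disk {disk}: MBR code matches the stock Windows loader")
        else:
            notes.append(f"disk {disk}: MBR verdict '{verdict}' needs a closer look")
    for disk, addrs in report["unknown"].items():
        for addr in addrs:
            notes.append(f"disk {disk}: unattributed code at {addr} in the storage "
                         "call chain; identify its owner before calling the disk clean")
    if not report["finished"]:
        notes.append("no 'Scan finished' line; the log may be truncated")
    return notes
```

A stock-looking MBR plus an UNKNOWN module in the trace is exactly the combination that is worth a second opinion from another tool, which is what the helpers below go on to ask for.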
Title: Re: Win32:MBRoot-J
Post by: Pondus on September 13, 2011, 10:59:26 AM
Follow the guide here and attach the logs: http://forum.avast.com/index.php?topic=53253.0

lower left corner > additional options > attach
If the logs are too big, upload to http://www.mediafire.com/ and post the download link here.


Essexboy will look at the logs when he arrives, usually around 08:00pm - 11:59pm UK time.
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 13, 2011, 11:46:43 AM
Thank you

See attached files!
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 13, 2011, 11:47:27 AM
And the log from aswMBR:
aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-09-13 11:42:21
-----------------------------
11:42:21.781    OS Version: Windows 5.1.2600 Service Pack 3
11:42:21.781    Number of processors: 2 586 0xF0D
11:42:21.781    ComputerName: PC_JOELLE  UserName: cbt
11:42:22.453    Initialize success
11:42:22.640    AVAST engine defs: 11091300
11:42:24.500    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
11:42:24.500    Disk 0 Vendor: WDC_WD80 10.0 Size: 76293MB BusType: 3
11:42:26.500    Disk 0 MBR read successfully
11:42:26.500    Disk 0 MBR scan
11:42:26.500    Disk 0 Windows XP default MBR code
11:42:26.500    Disk 0 scanning sectors +156232125
11:42:26.562    Disk 0 scanning C:\WINDOWS\system32\drivers
11:42:34.796    Service scanning
11:42:35.718    Modules scanning
11:42:39.890    Disk 0 trace - called modules:
11:42:39.890    ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x86d3d000]<<
11:42:39.890    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86dd2ab8]
11:42:39.890    3 CLASSPNP.SYS[f75e6fd7] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x86d6b030]
11:42:40.250    AVAST engine scan C:\WINDOWS
11:42:54.796    AVAST engine scan C:\WINDOWS\system32
11:44:19.156    AVAST engine scan C:\WINDOWS\system32\drivers
11:44:31.781    AVAST engine scan C:\Documents and Settings\cbt
11:44:43.265    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\cbt\Bureaublad\MBR.dat"
11:44:43.281    The log file has been saved successfully to "C:\Documents and Settings\cbt\Bureaublad\aswMBR.txt"
Title: Re: Win32:MBRoot-J
Post by: Pondus on September 13, 2011, 11:51:47 AM
And the Malwarebytes log?
Title: Re: Win32:MBRoot-J
Post by: DavidR on September 13, 2011, 01:12:06 PM
Hello,
there's a trojan on my computer: Win32:MBRoot-J
<snip>

Let's not forget the basic questions:
What is the infected file name, where was it found, e.g. (C:\windows\system32\infected-file-name.xxx)?
What scan detected this?
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 13, 2011, 01:46:47 PM
See attached file for the Malwarebytes log.
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 13, 2011, 01:54:12 PM
The virus was found by avast and FCleaner.
See attached files.
Title: Re: Win32:MBRoot-J
Post by: Pondus on September 13, 2011, 01:58:21 PM
Seems you can try deleting your system restore files and cleaning the Java cache.
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 13, 2011, 02:34:22 PM
I have cleaned the Java cache already, so that is solved.

How do I delete my system restore files?
Title: Re: Win32:MBRoot-J
Post by: DavidR on September 13, 2011, 03:05:07 PM
Could you not send them to the chest in the avast scan (it should be able to remove them)?

The C:\System Volume Information folder is part of the system restore function and as such is protected by Windows; the only really effective way to clean infected _restore points is to disable system restore and reboot. This will clear ALL _restore points. Once you have disabled system restore, reboot, scan your PC again and, if clear, enable system restore.
- How to disable System Restore (http://www.pchell.com/virus/systemrestore.shtml)
Title: Re: Win32:MBRoot-J
Post by: Pondus on September 13, 2011, 03:07:14 PM
http://windowxptutortips.blogspot.com/2006/07/how-to-delete-system-restore-points.html


Title: Re: Win32:MBRoot-J
Post by: essexboy on September 13, 2011, 09:19:27 PM
Hi, I can see two suspicious drivers; however, OTL is not strong enough to remove them if they are what I suspect.

Download and Install Combofix

Download ComboFix from one of the following locations:

Link 1  (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)

VERY IMPORTANT!!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here (http://forums.whatthetech.com/How_Disable_your_Security_Programs_t96260.html&pid=494216#entry494216)

(http://img.photobucket.com/albums/v706/ried7/NSIS_disclaimer_ENG.png)

(http://img.photobucket.com/albums/v706/ried7/NSIS_extraction.png)

Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 14, 2011, 10:05:26 AM
DavidR: no, this wasn't possible.

Essexboy: see attached file

The computer seems to be running normally, but it did before that also.
Title: Re: Win32:MBRoot-J
Post by: DavidR on September 14, 2011, 01:32:04 PM
I take it you mean move them to the chest?
Or weren't you able to manually disable system restore, reboot and enable system restore to clear all restore points?
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 14, 2011, 02:27:05 PM
I mean move to chest;
I haven't restored yet.
Title: Re: Win32:MBRoot-J
Post by: essexboy on September 14, 2011, 07:39:49 PM
What are your current problems?
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 14, 2011, 07:58:21 PM
There still is a trojan on my computer (so FCleaner says).
I have made a payment with ING online banking and my TAN has been blocked, because they had found a virus on my computer. Then I tried to clean my computer, but it still says it has the virus on my computer and it is not easy to clear it with another program.

So I cannot pay anymore with ING online banking.

My computer seems to work normally, though it is slow sometimes. I do not know right now if the virus (trojan) is on my computer for bad intentions.

Title: Re: Win32:MBRoot-J
Post by: essexboy on September 14, 2011, 08:03:28 PM
What virus does Fcleaner detect and what is its location?
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 14, 2011, 08:06:44 PM
This is what FCleaner says:

------------------------------------------------------------------------------------------------------------------------
[13-09-2011 13:37:59] FCleaner v1.5.0.0 Loading...
[13-09-2011 13:38:00] Mebroot Infection Found!
[13-09-2011 13:38:00] FCleaner has detected malware on your system!
[13-09-2011 13:38:00] Please press the "Clean" button to remove the malware

It does not give a location, and if I want to clean it, it says that I have a big problem and need assistance, because FCleaner can't clean it...
Title: Re: Win32:MBRoot-J
Post by: essexboy on September 14, 2011, 08:35:48 PM
There was no indication of Mebroot in your logs.

But for peace of mind  ;D

Please read carefully and follow these steps.

Title: Re: Win32:MBRoot-J
Post by: seahorses on September 14, 2011, 08:45:55 PM
Okay, thank you, I will do it tomorrow at the "infected" computer and let you know.
Title: Re: Win32:MBRoot-J
Post by: essexboy on September 14, 2011, 08:49:47 PM
No problem, although as I say the original infection appears to have been removed by Combofix.
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 15, 2011, 10:55:33 AM
I have run the task killer (see results in the attached files).
Then I ran avast (full scan and start-up scan).
Result: no viruses found!

Ran FCleaner again, but it still finds something:
------------------------------------------------------------------------------------------------------------------------
[15-09-2011 10:42:30] FCleaner v1.5.0.0 Loading...
[15-09-2011 10:42:30] Mebroot Infection Found!
[15-09-2011 10:42:30] FCleaner has detected malware on your system!
[15-09-2011 10:42:30] Please press the "Clean" button to remove the malware
[15-09-2011 10:43:08] Cleaner finished! ...

(see attached file)

I think my computer is clean now, and FCleaner is wrong! ???
Title: Re: Win32:MBRoot-J
Post by: essexboy on September 15, 2011, 07:30:14 PM
Run TDSSKiller again please, and could you post the log?
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 16, 2011, 09:29:00 AM
See attached file.
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 16, 2011, 09:33:42 AM
Again, (ANSI) instead of Unicode.
Title: Re: Win32:MBRoot-J
Post by: essexboy on September 16, 2011, 06:00:15 PM
Methinks FCleaner is providing a false positive; how is the computer behaving, anything weird or unusual?
Title: Re: Win32:MBRoot-J
Post by: seahorses on September 19, 2011, 07:35:31 AM
No, the computer seems to work normally.
Title: Re: Win32:MBRoot-J
Post by: essexboy on September 19, 2011, 08:27:24 PM
Try an update on FCleaner and then re-run it.