Win32 MBRoot - J[Trj] detected

[noridge]

greetings

i have recently needed to start using my desktop again after around 18 months (it is running win xp sp3). when i first started it all of my anti virus software was out of date, so i down loaded avast and comodo firewall.

after installation an avast detection popup appeared saying there was a rootkit on the system:

ROOTKIT INFORMATION
MBR: \\.\PHYSICALDRIVE0

i choose Delete Now and OK and was asked to run a boot-time scan, which i did.

during that process a second threat was discovered

Win32: MBRoot - J [Trj]

the thing is the location of the file was

C:\Documents and Settings\All Users\Application Data\ AVAST Software\Avast\arpot

so, as i wasnt sure if that meant the file had been moved to that location when detected or if in fact that avast file was infected, i chose to move it the virus chest.

now i continually get a repetation of this chain of events. should i re-run the boot-time scan and choose to delete the files?

also something else that has started happening is that whenever i turn the computer on it's bios settings are reset, so the clock is 1 jan 1970 etc.


i have run a Malwarebytes quickscan and it detected 5 infected registry keys which were quarantined and deleted successfully.

the log is as follows:


Malwarebytes' Anti-Malware 1.50.1.1100
www.malwarebytes.org

Database version: 6624

Windows 5.1.2600 Service Pack 3
Internet Explorer 7.0.5730.13

20/05/2011 11:26:58
mbam-log-2011-05-20 (11-26-58).txt

Scan type: Quick scan
Objects scanned: 152729
Time elapsed: 9 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 5
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\TypeLib\{3C2D2A1E-031F-4397-9614-87C932A848E0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04A38F6B-006F-4247-BA4C-02A139D5531C} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\MiniBugTransporter.MiniBugTransporterX (Adware.Minibug) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)


thanks in advance your help will be much appreciated

[noridge]

also here is my aswBoot.txt:



05/16/2011 09:51
Scan of all local drives

File MBR 0 is infected by Win32:MBRoot-J [Trj]
File C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot\7fea1-934-0.dat is infected by Win32:MBRoot-J [Trj], Moved to chest
File C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\arpot\83b0e-d1c-0.dat is infected by Win32:MBRoot-J [Trj], Moved to chest
Number of searched folders: 33082
Number of tested files: 275045
Number of infected files: 3

[DavidR]

This C:\Documents and Settings\All Users\Application Data\ AVAST Software\Avast\arpot is the location of the AntiRootkit Protection arpot folder, it has a temp folder but other than that it should be empty. So I don't know if this is just temporary data whilst the anti-rootkit scan is running.

The C:\Documents and Settings\All Users\Application Data\AVAST Software\Avast\log\arpot.log file contains any anti-rootkit detection information. Check that file for more information.

Try running this tool to confirm if you actually have an MBR rootkit:

Download aswMBR.exe ( 575KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply

[jacksticks]

'also something else that has started happening is that whenever i turn the computer on it's bios settings are reset, so the clock is 1 jan 1970 etc'

Sounds like the CMOS battery is dying on your Motherboard.....

[noridge]

thanks both of you for your rapid replies, here is the aswMBR.exe scan log:




aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 13:53:22
-----------------------------
13:53:22.359    OS Version: Windows 5.1.2600 Service Pack 3
13:53:22.359    Number of processors: 2 586 0x2B01
13:53:22.359    ComputerName: SAMSUNG01  UserName: UserName
13:53:23.578    Initialize success
13:53:27.218    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-9
13:53:27.218    Disk 0 Vendor: SAMSUNG_HD160JJ ZM100-47 Size: 152627MB BusType: 3
13:53:29.218    Disk 0 MBR read successfully
13:53:29.218    Disk 0 MBR scan
13:53:29.218    Disk 0 Windows XP default MBR code found via API
13:53:29.218    Disk 0 unknown MBR code
13:53:29.218    Disk 0 MBR hidden
13:53:31.218    Disk 0 scanning sectors +268414020
13:53:31.234    Disk 0 malicious Win32:MBRoot code @ sector 268414023 !
13:53:31.234    Disk 0 PE file @ sector 268414045 !
13:53:31.234    Disk 0 MBR [Win32:MBRoot]  **ROOTKIT**
13:53:31.250    Disk 0 trace - called modules:
13:53:31.250    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x86225a8b]<<
13:53:31.250    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x870ebab8]
13:53:31.250    3 CLASSPNP.SYS[f755cfd7] -> nt!IofCallDriver -> \Device\0000007d[0x8714ef18]
13:53:31.265    5 ACPI.sys[f73f3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-9[0x870dad98]
13:53:31.265    Scan finished successfully
13:53:52.671    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\UserName\Desktop\MBR.dat"
13:53:52.671    The log file has been saved successfully to "C:\Documents and Settings\UserName\Desktop\aswMBR.txt"




@jacksticks ah sounds likely - i'll look into that!

[Left123]

Choose the option "Fix",reboot,scan again with aswMBR and post the log.
Regards

[DavidR]

I believe it is Fix and not fixmbr.

If an MDR Rootkit found (confirmed):
* scan again then click "FIX" and reboot
* after reboot, scan again. then click "Save log" and post it in your next reply.
After the fix, if the second report/log comes up clean, then MBAM (update before the scan) and avast may find other things that were previously hidden. So run those scans again.

[Left123]

I believe it is Fix and not fixmbr.

If an MDR Rootkit found (confirmed):
* scan again then click "FIX" and reboot
* after reboot, scan again. then click "Save log" and post it in your next reply.
After the fix, if the second report/log comes up clean, then MBAM (update before the scan) and avast may find other things that were previously hidden. So run those scans again.

I once said someone to choose fix and then asyn and essexboy told me that Fix is only for TDL.Anyway
*Edited.

[noridge]

here's the log after the fix:



aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-05-20 14:19:28
-----------------------------
14:19:28.562    OS Version: Windows 5.1.2600 Service Pack 3
14:19:28.562    Number of processors: 2 586 0x2B01
14:19:28.562    ComputerName: SAMSUNG01  UserName: UserName
14:19:49.046    Initialize success
14:20:08.765    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-9
14:20:08.781    Disk 0 Vendor: SAMSUNG_HD160JJ ZM100-47 Size: 152627MB BusType: 3
14:20:10.796    Disk 0 MBR read successfully
14:20:10.796    Disk 0 MBR scan
14:20:10.796    Disk 0 Windows XP default MBR code
14:20:12.796    Disk 0 scanning sectors +268414020
14:20:12.812    Disk 0 scanning C:\WINDOWS\system32\drivers
14:20:25.812    Service scanning
14:20:30.953    Disk 0 trace - called modules:
14:20:30.968    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys
14:20:30.968    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x87110ab8]
14:20:30.968    3 CLASSPNP.SYS[f755cfd7] -> nt!IofCallDriver -> \Device\0000007d[0x8714ef18]
14:20:30.984    5 ACPI.sys[f73f3620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP4T0L0-9[0x8714dd98]
14:20:30.984    Scan finished successfully
14:20:52.609    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\UserName\Desktop\MBR.dat"
14:20:52.609    The log file has been saved successfully to "C:\Documents and Settings\UserName\Desktop\aswMBR3.txt"

[Left123]

Looks clean,any other problems?

[noridge]

ok thanks i'll run the MBAM and Avast scans again and let you know

one thing that did happen on reboot was a small windows error pop up entitled 'SRY #001' with the error message 'CLED ERROR' - any idea what that might be or if it's related?

[Left123]

Do you Cubase installed?IOpen up task manager and close the application cled.exe if it is there.
Start->Run>type "msconfig",and under the startup tab uncheck the cled.exe process.

[noridge]

thanks Left123 (i should really have web checked that one myself!)

when i run the avast scan should i run a quickscan or a boot-time scan?

[Left123]

Run a quick scan first.

[noridge]

hi thank you all for your help so far 

however i appear to still have a further complication.

one of the reasons i was alerted to the fact my desktop had an infection is that i have been experiencing connection timeouts when trying to access a specific website and it's corresponding ftp (which i can view and connect to on my laptop using the same net connection). i contacted the webhost of the site and they have informed me that their security system had detected malware on my desktop and therefore were blocking it.

so after running all the scans suggested in this post i have tried to access the site again. my desktop still will not load the site, and when i contacted the host to explain that i had cleaned the infection they replied saying that they still detected a malware threat.

have you any further suggestions on what might be causing this please?