Author Topic: Win32 MBRoot - J[Trj] detected  (Read 50869 times)


noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #30 on: May 22, 2011, 05:18:13 PM »
Hmm, ComboFix is not starting when I drag the CFScript.txt onto it.

The ComboFix loading bar appears, but once that disappears nothing happens. (This is what happened when I ran my first scan using it, but on the 3rd attempt it started; this time it has not.)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #31 on: May 22, 2011, 05:21:27 PM »
Ah, OK, that is CF's doing, so that we can keep track of and analyse all files. We will reset it at the end.

Offline essexboy
Re: Win32 MBRoot - J[Trj] detected
« Reply #32 on: May 22, 2011, 05:22:34 PM »
Oops, cross post. So CF just stalls?

Let's go for a deeper analysis.

First we will run a virus scan.

On the first tab, select all elements down to and including Computer, and then select Start scan.
Once it has finished, select Report and post that.

Do not close AVPTool or it will self-uninstall; if it does uninstall, then just rerun the setup file on your desktop.

Now an analysis scan:

Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

noridge
Re: Win32 MBRoot - J[Trj] detected
« Reply #33 on: May 22, 2011, 05:24:18 PM »
Yes, CF is just stalling.

Do you want me to use Kaspersky, not Avast?
« Last Edit: May 22, 2011, 05:28:24 PM by noridge »

Offline essexboy
Re: Win32 MBRoot - J[Trj] detected
« Reply #34 on: May 22, 2011, 05:29:11 PM »
Yes, as the main bit I am after is the analysis log. You can skip the first part, as it is not known malware we are looking for.

Just do the analysis section.

Download AVP Tool

Now an analysis scan:

Select the Manual Disinfection tab.
Press the Gather System Information button.
Once done, open the last report saved folder, then attach the zip file to your next post.
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip

noridge
Re: Win32 MBRoot - J[Trj] detected
« Reply #35 on: May 22, 2011, 06:46:29 PM »
I am not allowed to attach zip files to the post.

Offline essexboy
Re: Win32 MBRoot - J[Trj] detected
« Reply #36 on: May 22, 2011, 07:07:44 PM »
Upload to Mediafire and post the sharing link.

Offline essexboy
Re: Win32 MBRoot - J[Trj] detected
« Reply #38 on: May 22, 2011, 10:27:31 PM »
AVP looks OK on the analysis side.

But I would like to revisit the MBR again, as I am starting to come across a TDL3 and TDL4 hybrid.

Please read carefully and follow these steps.
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
  • If an infected file is detected, the default action will be Cure; click on Continue.
  • If a suspicious file is detected, the default action will be Skip; click on Continue.
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
  • If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
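The MBR check being asked for above comes down to one question: is the boot code in sector 0 still what it was on a clean install? TDL-family bootkits overwrite that code while leaving the partition table intact, which is why a plain partition listing looks normal. The following is an added example, not code from this thread, from TDSSKiller or from any other tool named in it. It parses the classic MBR layout (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature) and compares a SHA-256 of the boot-code region against a baseline hash the operator is assumed to have saved from a known-clean machine of the same Windows build. The boot-code bytes and both sample MBRs are constructed; `read_mbr` (which opens `\\.\PhysicalDrive0` and needs Administrator) is included for use on a real disk but is not called by default.

```python
"""Parse a 512-byte Master Boot Record and flag signs of tampering.

Added example for this thread; not code from the thread, from TDSSKiller or
from any other tool named in it. The baseline hash is assumed to have been
recorded from a clean system. All sample data below is constructed.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445: boot code (and disk signature)
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510         # last two bytes must be 0x55 0xAA
GPT_PROTECTIVE_TYPE = 0xEE


@dataclass
class Partition:
    index: int
    status: int        # 0x00 inactive, 0x80 active; anything else is invalid
    type_id: int
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80


def parse_partitions(mbr: bytes) -> List[Partition]:
    """Decode the four partition-table slots, skipping empty ones (type 0)."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs1, type_id, _chs2, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, off)
        if type_id == 0:
            continue
        parts.append(Partition(i, status, type_id, lba_start, sectors))
    return parts


def boot_code_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: Optional[str] = None) -> List[str]:
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[SIGNATURE_OFFSET:] != b"\x55\xaa":
        findings.append("missing 0x55AA boot signature")
    parts = parse_partitions(mbr)
    for p in parts:
        if p.status not in (0x00, 0x80):
            findings.append(f"partition {p.index}: invalid status byte 0x{p.status:02x}")
    # A GPT disk carries one protective 0xEE entry that is normally not marked
    # active, so the "exactly one active partition" rule applies to MBR disks only.
    if not any(p.type_id == GPT_PROTECTIVE_TYPE for p in parts):
        active = [p for p in parts if p.bootable]
        if len(active) != 1:
            findings.append(f"{len(active)} active partitions (expected 1)")
    if mbr[:BOOT_CODE_SIZE] == bytes(BOOT_CODE_SIZE):
        findings.append("boot code is all zeros")
    elif baseline_sha256 and boot_code_sha256(mbr) != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (Administrator on Windows; root and e.g.
    /dev/sda on Linux). A resident bootkit can filter this read, so treat a
    clean result from a live system as weaker than a scan from boot media."""
    with open(device, "rb", buffering=0) as fh:
        return fh.read(MBR_SIZE)


# --- constructed sample data -------------------------------------------------
def partition_entry(bootable: bool, type_id: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are zeroed; modern loaders use the LBA fields.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       type_id, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code: bytes, entries: List[bytes]) -> bytes:
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    table = b"".join(entries).ljust(4 * PARTITION_ENTRY_SIZE, b"\x00")
    return code + table + b"\x55\xaa"


CLEAN_BOOT_CODE = bytes.fromhex("33c08ed0bc007c8ec08ed8be007cbf0006b90002fcf3a4")  # constructed stand-in
CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, [partition_entry(True, 0x07, 2048, 204800)])
BASELINE_SHA256 = boot_code_sha256(CLEAN_MBR)
# Same partition table, different boot code: what a bootkit install looks like.
TAMPERED_MBR = build_mbr(b"\xea\x00\x7c\x00\x00" + CLEAN_BOOT_CODE,
                         [partition_entry(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for label, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(mbr, BASELINE_SHA256) or "OK")
```

The partition-table checks catch crude damage (bad signature, no active partition, zeroed sector); the hash comparison is the one that matters for a bootkit, because a well-built one keeps the table valid. Keep the baseline hash off the machine being checked, and remember that reading sector 0 through a possibly hooked disk stack is exactly the case TDSSKiller and an offline scan exist for.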

noridge
Re: Win32 MBRoot - J[Trj] detected
« Reply #39 on: May 22, 2011, 10:48:31 PM »
No malicious or suspicious objects found.

The report is attached (it was too long to copy/paste).

Thanks again for your time on this!


Offline essexboy
Re: Win32 MBRoot - J[Trj] detected
« Reply #40 on: May 22, 2011, 10:51:45 PM »
Are you still getting reports of having malware ?

noridge
Re: Win32 MBRoot - J[Trj] detected
« Reply #41 on: May 22, 2011, 11:03:17 PM »
I have just tried the website I've been having trouble accessing and it is suddenly working!

I arranged to talk to the webhost first thing in the morning, so I will try and find out if they can shed some further light as to what the problem was. (Maybe we solved the actual issue on Friday and it's taken a while for the server to refresh?) I'll post any findings or explanations.

In the meantime I am slightly confused but indeed joyous! ;D

Thank you all for your persistence and patience in trying to solve this issue. It's been fascinating; I only wish I knew what you could see in all those logs 8)

Offline essexboy
Re: Win32 MBRoot - J[Trj] detected
« Reply #42 on: May 22, 2011, 11:09:34 PM »
I like mysteries; they tax the old grey matter.

I believe it was one of the DLLs taken out by ComboFix, although I feel Comodo may have been slowing CF down. Do you have the HIPS running?

noridge
Re: Win32 MBRoot - J[Trj] detected
« Reply #43 on: May 22, 2011, 11:13:33 PM »
Sorry, HIPS?

(I had completely disabled and closed Comodo, by the way.)

noridge
Re: Win32 MBRoot - J[Trj] detected
« Reply #44 on: May 22, 2011, 11:21:01 PM »
Also, one thing I noticed is that the first Kaspersky scan totally changed my hosts file to just my localhost and nothing else.
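The hosts-file reset noted in that last post is worth a closer look, because a hosts file is one of the first things this class of malware edits: real domains are pointed at loopback to blackhole antivirus and update servers, or at an attacker's IP to redirect traffic, and a stock Windows hosts file resolves nothing but (optionally) localhost. The following is an added example, not code from this thread or from any of the tools named in it, that parses a hosts file and ranks every live entry. The path is the Windows default (assumption: SystemRoot is C:\Windows), the watched-domain list is an assumed starter set, and the sample hosts content is constructed.

```python
"""Flag hosts-file entries of the kind malware plants.

Added example for this thread; not code from the thread or from any of the
tools named in it. HOSTS_PATH assumes the default SystemRoot, WATCHED_SUFFIXES
is an assumed starter list, and SAMPLE_HOSTS is constructed.
"""
import ipaddress
from pathlib import Path
from typing import Any, List, Tuple

HOSTS_PATH = Path(r"C:\Windows\System32\drivers\etc\hosts")
LOOPBACK = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("::1")}
# Domains whose hijack or blackholing is a strong infection signal
# (assumed starter list; add your own AV vendors, banks and update hosts).
WATCHED_SUFFIXES = ("avast.com", "kaspersky.com", "microsoft.com",
                    "windowsupdate.com", "malwarebytes.org")

Entry = Tuple[int, Any, str]             # (line_no, ip or None, hostname or raw line)
Finding = Tuple[int, str, str]           # (line_no, severity, message)


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_no, ip, hostname) per mapping; ip is None for a malformed line."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            entries.append((line_no, None, line))
            continue
        for name in fields[1:]:                   # one line may map several names
            entries.append((line_no, ip, name.lower().rstrip(".")))
    return entries


def watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)


def suspicious_entries(text: str) -> List[Finding]:
    """Rank every live entry. 'high' is a classic infection artefact; 'review'
    is anything else the user did not get from a stock Windows install."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        if ip is None:
            findings.append((line_no, "review", f"malformed line: {name}"))
        elif name == "localhost":
            if ip not in LOOPBACK:
                findings.append((line_no, "high", f"localhost mapped to {ip}"))
        elif ip in LOOPBACK or ip.is_unspecified:
            # A real domain pointed at loopback or 0.0.0.0 is blackholed: the
            # usual way to stop AV updates and removal-tool downloads.
            sev = "high" if watched(name) else "review"
            findings.append((line_no, sev, f"{name} blackholed to {ip}"))
        else:
            # Any other address is a redirect the resolver will trust over DNS.
            sev = "high" if watched(name) else "review"
            findings.append((line_no, sev, f"{name} redirected to {ip}"))
    return findings


def scan_file(path: Path = HOSTS_PATH) -> List[Finding]:
    return suspicious_entries(path.read_text(encoding="utf-8", errors="replace"))


# Constructed sample: a stock header, then the kind of lines malware adds.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#       127.0.0.1       localhost
127.0.0.1       localhost
127.0.0.1       www.avast.com
127.0.0.1       update.microsoft.com
203.0.113.10    www.example-bank.test
192.168.1.20    devbox.local
"""

if __name__ == "__main__":
    for line_no, sev, msg in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {line_no:>3} [{sev}] {msg}")
```

Two tiers are deliberate: ad-blocking lists and developer entries legitimately put non-loopback or loopback mappings in this file, so only hits on watched domains or a remapped localhost are called high, and the rest are listed for the user to vouch for. Resetting the file to just the localhost line, which is what the Kaspersky tool did here, is the blunt equivalent of deleting every line this script reports.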