Author Topic: Win32 MBRoot - J[Trj] detected  (Read 50439 times)

0 Members and 1 Guest are viewing this topic.

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #30 on: May 22, 2011, 05:18:13 PM »
hmm combofix is not starting when i drag the CFScript.txt onto it..

the combofix loading bar appears but once that disappears nothing happens..? (this is what happened when i ran my first scan using it, but on the 3rd attempt it started this time it has not)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #31 on: May 22, 2011, 05:21:27 PM »
Ah OK that is CF's doing so that we can keep track and analyse all files ..  We will reset at the end

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #32 on: May 22, 2011, 05:22:34 PM »
Ooops cross post - so CF just stalls ?

Lets go for a deeper analysis

First we will run a virus scan

On the first tab select all elements down to and including  Computer and then select start scan
Once it has finished select report and post that.



[color="#FF0000"]Do not close AVPTool or it will self uninstall, if it does uninstall - then just rerun the setup file on your desktop[/color]

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder  then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip



noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #33 on: May 22, 2011, 05:24:18 PM »
yes cf is just stalling.

do you want me to use kapersky not avast?
« Last Edit: May 22, 2011, 05:28:24 PM by noridge »

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #34 on: May 22, 2011, 05:29:11 PM »
Yes as the main bit I am after is the analysis log, you can skip the first part as it is not known malware we are looking for

Just do the analysis section

Download AVP Tool

Now an analysis scan

Select the Manual Disinfection tab
Press the Gather System Information button
Once done Open the last report saved folder  then attach the zip file to your next post zip
The file is located at C:\Users\your name\Desktop\Virus Removal Tool\setup_9.0.0.722_05.01.2011_20-34\LOG\avptool_sysinfo.zip



noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #35 on: May 22, 2011, 06:46:29 PM »
i am not allowed to attach zip files to the post..

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #36 on: May 22, 2011, 07:07:44 PM »
 upload to Mediafire and post the sharing link.

noridge

  • Guest

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #38 on: May 22, 2011, 10:27:31 PM »
AVP looks OK on the analysis side

But I would like to revisit the MBR again as I am starting to come across a TDL3 and TDL4 hybrid

Please read carefully and follow these steps. 
  • Download TDSSKiller and save it to your Desktop.
  • Extract its contents to your desktop.
  • Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
     
     

     
     
  • If an infected file is detected, the default action will be Cure, click on Continue.
     
     

     
     
  • If a suspicious file is detected, the default action will be Skip, click on Continue.
     
     

     
     
  • It may ask you to reboot the computer to complete the process. Click on Reboot Now.
     
     

     
     
  • If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  • If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #39 on: May 22, 2011, 10:48:31 PM »
no malicious or suspicious objects found

the report is attached (it was too long to copy/paste)

thanks again for your time on this!


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #40 on: May 22, 2011, 10:51:45 PM »
Are you still getting reports of having malware ?

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #41 on: May 22, 2011, 11:03:17 PM »
i have just tried the website i've been having trouble accessing and it is suddenly working!

i arranged to talk to the webhost first thing in the morning so i will try and find out if they can shed some further light as to what the problem was. (maybe we solved the actual issue on friday and it's taken a while for the server to refresh?) i'll post any findings or explanations.

in the meantime i am slightly confused but indeed joyous! ;D

thank you all for your persistence and patience in trying to solve this issue - it's been fascinating, i only wish i knew what you could see in all tho se logs 8)

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #42 on: May 22, 2011, 11:09:34 PM »
I like mysteries - they tax the old grey matter

I believe it was one of the dll's taken out by combofix, although I feel comodo may have been slowing CF down, do you have the hips running ?

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #43 on: May 22, 2011, 11:13:33 PM »
sorry, hips?

(i had completely disabled and closed comodo btw)

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #44 on: May 22, 2011, 11:21:01 PM »
also one thing i noticed is that the first kapersky scan totally changed my hosts file to just my localhost and nothing else..