Author Topic: Win32 MBRoot - J[Trj] detected  (Read 50767 times)

Offline Pondus

  • Probably Bot
  • Posts: 37524
  • Not a avast user
Re: Win32 MBRoot - J[Trj] detected
« Reply #15 on: May 20, 2011, 07:36:46 PM »
Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )


To avoid multiple posts with copy and paste, attach the logs:
Lower left corner: Additional Options > Attach (OTS log). Save the OTS log as ANSI.

Essexboy will look at the log when he arrives here later today...

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #16 on: May 20, 2011, 08:12:30 PM »
Thanks Pondus, my OTS log is attached.

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: Win32 MBRoot - J[Trj] detected
« Reply #17 on: May 20, 2011, 08:47:42 PM »
What malware does the site think you have?

I see you still have AVG 7.5 antispyware installed. I think updates for that finished a few years ago, so I would recommend you uninstall it.


noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #18 on: May 21, 2011, 09:33:45 AM »
Hi essexboy

I asked the webhost about the malware. They replied saying that in the log they can only see the IP and HTTP request, with a message in the security cluster showing Malware has been detected.

Apparently they can enable further debugging; however, it's a global option which will log information about each HTTP request to all domains on the cloud, thus causing a lot of logs! I'll ask if they can do that.

I'll post a reply once I hear back from them again.

I have uninstalled AVG (this PC needs a little love as I haven't used it in so long).


Offline Left123

  • There Is No Patch For Human Stupidity.
  • Avast Evangelist
  • Advanced Poster
  • Posts: 1048
  • Proud Community Member&Helper.
Re: Win32 MBRoot - J[Trj] detected
« Reply #19 on: May 21, 2011, 09:38:50 AM »
Any other problems remain?
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #20 on: May 21, 2011, 09:45:47 AM »
Well, apparently the webhost is still detecting malware when I access the site, so I will post back once we have tried to debug it some more.

Thanks :)

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #21 on: May 21, 2011, 09:52:05 AM »
Actually, there was another question.

Should I delete the 2 original quarantined files from the virus chest?


original file name: 7fea1-934-0.dat
original folder: C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\arpot
size of file: 1024
category: infected files
virus description: Win32:MBRoot-J [Trj]
file id: 1


original file name: 83b0e-d1c-0.dat
original folder: C:\Documents and Settings\All Users\Application Data\Avast Software\Avast\arpot
size of file: 1024
category: infected files
virus description: Win32:MBRoot-J [Trj]
file id: 2

Offline Left123

Re: Win32 MBRoot - J[Trj] detected
« Reply #22 on: May 21, 2011, 09:58:51 AM »
I wouldn't delete them. Just leave them in quarantine.
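
The two quarantined items are 1024-byte .dat files (the size of two 512-byte disk sectors) in avast's arpot folder, and Win32:MBRoot-J is a detection name for an MBR bootkit: malware that replaces the boot code in sector 0 of the disk and loads before Windows does. The check an anti-rootkit tool makes for that is to read sector 0, parse it, and compare the boot code with a copy known to be clean. The following Python script is an added example, not code from this thread, from avast or from ComboFix; it does that parse and comparison on a constructed 512-byte sector. The boot-code stub, the partition layout and the known-good hash are all made up for the demonstration (the hash is simply recorded from the clean sample), and read_mbr() is only a convenience for pulling a real sector off a raw device.

```python
"""Parse a raw 512-byte MBR and compare its boot code with a known-good copy.

Added example; not code from the thread, from avast or from ComboFix.
Assumptions: classic MBR layout (446 bytes boot code, 4 x 16-byte partition
entries, 0x55AA signature); the known-good hash is one the operator recorded
from a clean machine (here it is taken from the constructed sample itself).
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTCODE_LEN = 446
PART_TABLE_OFF = 446
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, LBA length
SIGNATURE = b"\x55\xaa"

# Constructed boot-code stub and partition layout for the demo (not real Microsoft
# boot code): one bootable NTFS partition followed by a second NTFS partition.
CLEAN_BOOTCODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 24
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 20_000_000), (0x00, 0x07, 20_000_063, 5_000_000)]


def build_sample_mbr(bootcode, partitions):
    """Construct a synthetic MBR sector (test data, not a dump from a disk)."""
    if len(bootcode) > BOOTCODE_LEN or len(partitions) > 4:
        raise ValueError("boot code or partition list too long")
    sector = bytearray(SECTOR_SIZE)
    sector[:len(bootcode)] = bootcode
    for i, (status, ptype, lba_start, lba_len) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        # CHS fields are filled with 0xFE 0xFF 0xFF ("use LBA"), as modern tools do.
        sector[off:off + 16] = struct.pack(PART_ENTRY_FMT, status, b"\xfe\xff\xff",
                                           ptype, b"\xfe\xff\xff", lba_start, lba_len)
    sector[510:512] = SIGNATURE
    return bytes(sector)


def parse_mbr(sector):
    """Return the boot-code hash and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, _, ptype, _, lba_start, lba_len = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "lba_len": lba_len})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": partitions}


def check_mbr(sector, known_good_sha256):
    """Return a list of findings; an empty list means nothing looked wrong."""
    info = parse_mbr(sector)
    findings = []
    if info["bootcode_sha256"] != known_good_sha256:
        findings.append("boot code differs from the recorded clean copy")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append("%d bootable partitions (expected exactly 1)" % len(bootable))
    for p in info["partitions"]:
        if p["lba_start"] == 0:
            findings.append("partition %d starts at LBA 0 and overlaps the MBR" % p["index"])
    ordered = sorted(info["partitions"], key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["lba_len"] > b["lba_start"]:
            findings.append("partitions %d and %d overlap" % (a["index"], b["index"]))
    return findings


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read sector 0 from a raw device (administrator rights on Windows; /dev/sda on Linux).

    Caveat: an active MBR bootkit hooks disk I/O and can hand a clean-looking sector
    to user-mode readers, so take the dump from boot media or from a disk image rather
    than from the running, possibly infected, system.
    """
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    clean = build_sample_mbr(CLEAN_BOOTCODE, SAMPLE_PARTITIONS)
    baseline = parse_mbr(clean)["bootcode_sha256"]          # what the operator would record
    tampered = build_sample_mbr(b"\xeb\xfe" + CLEAN_BOOTCODE[2:], SAMPLE_PARTITIONS)
    print("clean   :", check_mbr(clean, baseline) or "no findings")
    print("tampered:", check_mbr(tampered, baseline))
```

The boot-code comparison is the check that matters for this family; the partition-table sanity checks are cheap extras that catch clumsier tampering. The caveat in read_mbr() is the practical point: a bootkit that is running can lie about sector 0, which is why the anti-rootkit tools used in this thread read the disk at a lower level and why a dump taken from a rescue CD is the one to trust.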

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #23 on: May 21, 2011, 11:20:18 AM »
OK, I'll leave those alone.

I have spoken to the webhost and we have arranged to debug this further on Monday morning.

I will post anything that is discovered here.

Thank you 8)

Offline essexboy

Re: Win32 MBRoot - J[Trj] detected
« Reply #24 on: May 21, 2011, 04:47:15 PM »
Could you provide a fresh OTS log now please, as the removal of AVG may reveal something.

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #25 on: May 21, 2011, 05:19:37 PM »
Here is my latest OTS log.

Offline essexboy

Re: Win32 MBRoot - J[Trj] detected
« Reply #26 on: May 21, 2011, 05:28:45 PM »
Nothing at all showing there - are you experiencing any symptoms on your system?

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #27 on: May 22, 2011, 04:01:18 PM »
Hi essexboy

I've attached my combofix.txt.

2 things. 1: it took ages to get ComboFix to launch and I had to try a number of times before it did. 2: after the reboot all of my antivirus software was restarted, so I don't know if that affected any results.

Also, I've noticed that my BIOS doesn't seem to be being reset anymore (without having to replace the CMOS battery as suggested by jacksticks), which is good; however, my folder settings keep being reset now and the mouse wheel has stopped working correctly. Very minor things, but I thought it best to share recent behaviour changes in case they are in any way related.

Thanks.

Offline essexboy

Re: Win32 MBRoot - J[Trj] detected
« Reply #28 on: May 22, 2011, 04:52:09 PM »
There are a few ports to close as revealed by CF.

By reset do you mean the folder settings are going back to default?

1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:

Quote
Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-
"65533:TCP"=-
"52344:TCP"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

6. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
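
The three values that script deletes live under the XP firewall's GloballyOpenPorts\List key, one value per port:protocol pair; `=-` after a value name deletes it (the .reg convention ComboFix follows), and `HKLM\~\services` is ComboFix's shorthand for HKLM\SYSTEM\CurrentControlSet\services. The Python script below is an added example, not part of this thread and not ComboFix's own code: it audits such a list against an allow-list the operator maintains and renders the same kind of CFScript for whatever is left over. The value data format ("port:proto:scope:Enabled:description") is from the author's knowledge of the XP SP2 firewall and should be confirmed on the machine in question; the SAMPLE_LIST entries and the ALLOWED set are constructed for the demonstration, and read_list() is the only part that touches a live registry.

```python
"""Audit Windows XP/2003 firewall GloballyOpenPorts entries and render a CFScript
that removes the ones not on an allow-list.

Added example; not from the thread or from ComboFix.  Assumed value format:
name "port:proto", data "port:proto:scope:Enabled|Disabled:description"
(XP SP2 firewall policy keys; confirm on the target machine).
"""
FW_POLICY = r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy"

# Operator's allow-list for this host: file and printer sharing only (assumption).
ALLOWED = {("137", "UDP"), ("138", "UDP"), ("139", "TCP"), ("445", "TCP")}

# Constructed sample of a StandardProfile\GloballyOpenPorts\List key, modelled on the
# three ports the post removes plus two stock sharing entries (illustrative data).
SAMPLE_LIST = {
    "139:TCP": "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004",
    "445:TCP": "445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005",
    "3389:TCP": "3389:TCP:*:Enabled:Remote Desktop",
    "65533:TCP": "65533:TCP:*:Enabled:",
    "52344:TCP": "52344:TCP:*:Enabled:svchost",
}


def parse_entry(name, data):
    """Split one List value into its fields; the description may itself contain colons."""
    fields = data.split(":", 4)
    if len(fields) < 4:
        raise ValueError("unexpected format for %r: %r" % (name, data))
    port, proto, scope, state = fields[:4]
    return {"name": name, "port": port, "proto": proto.upper(), "scope": scope,
            "enabled": state.lower() == "enabled",
            "desc": fields[4] if len(fields) > 4 else ""}


def audit(entries, allowed=ALLOWED):
    """Return the enabled entries that are not on the allow-list, lowest port first."""
    parsed = [parse_entry(n, d) for n, d in entries.items()]
    flagged = [e for e in parsed if e["enabled"] and (e["port"], e["proto"]) not in allowed]
    return sorted(flagged, key=lambda e: (e["proto"], int(e["port"])))


def cfscript(flagged, profile="StandardProfile"):
    """Render a Registry:: block in the form the post uses.

    '=-' deletes the value and 'HKLM\\~\\services' is ComboFix's shorthand for
    HKLM\\SYSTEM\\CurrentControlSet\\services.
    """
    key = r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\%s\GloballyOpenPorts\List]" % profile.lower()
    lines = ["Registry::", key] + ['"%s"=-' % e["name"] for e in flagged]
    return "\n".join(lines) + "\n"


def read_list(profile="StandardProfile"):
    """Read the live key (Windows only; needs read access to HKLM)."""
    import winreg
    path = FW_POLICY + "\\" + profile + r"\GloballyOpenPorts\List"
    entries = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        index = 0
        while True:
            try:
                name, data, _type = winreg.EnumValue(key, index)
            except OSError:          # no more values
                break
            entries[name] = data
            index += 1
    return entries


if __name__ == "__main__":
    suspects = audit(SAMPLE_LIST)
    for e in suspects:
        print("%-10s scope=%-11s desc=%r" % (e["name"], e["scope"], e["desc"]))
    print(cfscript(suspects))
```

Two things worth noting when using this for real. 3389/TCP is Remote Desktop, so whether it belongs in the allow-list is the operator's call; the point of the audit is that every open port gets a decision rather than a blanket delete. The XP firewall also keeps a DomainProfile key with the same layout, so run the audit for both profiles. Recent Python 3 releases do not run on XP, so on a machine like the one in this thread export the key with reg.exe and feed the values in as a dict on an analyst workstation.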

noridge

  • Guest
Re: Win32 MBRoot - J[Trj] detected
« Reply #29 on: May 22, 2011, 05:03:40 PM »
Quote
By reset do you mean the folder settings are going back to default?

I am not sure if all options are defaulted, but I noticed that 'show hidden files and folders' and 'hide extensions for known file types' have been reset to being unchecked on the last 2 hard boots.

I will run the above script now.