win32:MBRoot-J [Trj]

[atis]

Hi

I am new to this forum. I have experienced a smilar infection to the one described at the post:

http://forum.avast.com/index.php?topic=78458.0

Avast detects the malware specified in the subject, but I cannot get rid of it even with the scan at boot-time (it detects the infection, but does not fix the problem).

I have followed the first steps as described in the recommendations to follow, without success yet. Here are the logs:

______________________________

Malwarebytes' Anti-Malware 1.51.0.1200
www.malwarebytes.org

Database version: 6821

Windows 5.1.2600 Service Pack 3
Internet Explorer 8.0.6001.18702

10/06/2011 23:39:13
mbam-log-2011-06-10 (23-39-13).txt

Scan type: Quick scan
Objects scanned: 195101
Time elapsed: 6 minute(s), 58 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
_________________________________________

OTS (attached)

______________________________________

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-09 21:55:44
-----------------------------
21:55:44.359    OS Version: Windows 5.1.2600 Service Pack 3
21:55:44.359    Number of processors: 2 586 0xE08
21:55:44.359    ComputerName: MGA_PORTABLE  UserName: mga
21:55:44.906    Initialize success
21:55:53.796    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:55:53.812    Disk 0 Vendor: FUJITSU_MHV2100BH_PL 00000029 Size: 95396MB BusType: 3
21:55:55.843    Disk 0 MBR read successfully
21:55:55.843    Disk 0 MBR scan
21:55:55.843    Disk 0 unknown MBR code
21:55:57.843    Disk 0 scanning sectors +195366465
21:55:57.890    Disk 0 scanning C:\WINDOWS\system32\drivers
21:56:04.140    Service scanning
21:56:05.328    Disk 0 trace - called modules:
21:56:05.359    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:56:05.359    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6dfab8]
21:56:05.359    3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a69d9e8]
21:56:05.359    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a668940]
21:56:05.375    Scan finished successfully
21:59:20.781    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\mga\Desktop\MBR.dat"
21:59:20.796    The log file has been saved successfully to "C:\Documents and Settings\mga\Desktop\aswMBR.txt"


aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-10 21:38:28
-----------------------------
21:38:28.312    OS Version: Windows 5.1.2600 Service Pack 3
21:38:28.312    Number of processors: 2 586 0xE08
21:38:28.312    ComputerName: MGA_PORTABLE  UserName: mga
21:38:28.734    Initialize success
21:38:42.187    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
21:38:42.187    Disk 0 Vendor: FUJITSU_MHV2100BH_PL 00000029 Size: 95396MB BusType: 3
21:38:44.265    Disk 0 MBR read successfully
21:38:44.281    Disk 0 MBR scan
21:38:44.281    Disk 0 unknown MBR code
21:38:46.281    Disk 0 scanning sectors +195366465
21:38:46.500    Disk 0 scanning C:\WINDOWS\system32\drivers
21:38:52.468    Service scanning
21:38:53.640    Disk 0 trace - called modules:
21:38:53.671    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
21:38:53.671    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a71c428]
21:38:53.687    3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000084[0x8a6a0338]
21:38:53.687    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a6c0940]
21:38:53.687    Scan finished successfully
21:39:10.640    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\mga\Desktop\MBR.dat"
21:39:10.640    The log file has been saved successfully to "C:\Documents and Settings\mga\Desktop\aswMBR.txt"

______________________________________________

MBR.dat was also detected as infected when rebooting in the scan at boot time.

I use a laptop where I share two partitions one for Linux and one for Windows, booting via the Grub engine. Never experienced problems before for two years.

Can anybody help fixing the malware? Thanks in advance.

atis

[mikaelrask]

welcome to the forum.

someone will check those logs and will give you further instruction.

i suggest you try a boot scan with avast and try to send the malware to the chest from there.

http://www.schmahl.net/avastbootscan.php

good luck.

[atis]

Thanks Mikaelrask,

I'll wait for the instructions.

Meanwhile I will run again a bootscan with Avast with the settings suggested in your attached link. I will report in a new post.

Cheers,

atis

[atis]

Hi,

Here is the most recent aswboot report.

06/11/2011 16:02
Scan of all local drives

File MBR 0 is infected by Win32:MBRoot-J [Trj]
File C:\Documents and Settings\HelpAssistant\.jose.user.preferences|>image Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\HelpAssistant\My Documents\sofware\adware\pllangs.exe|>Wise0038.bin Error 42145 {Installer archive is corrupted.}
File C:\Documents and Settings\HelpAssistant\My Documents\sofware\censolar\censol_f.zip|>CENSOL_F.EXE Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\mga\.jose.user.preferences|>image Error 42125 {ZIP archive is corrupted.}
File C:\Documents and Settings\mga\My Documents\sofware\censolar\censol_f.zip|>CENSOL_F.EXE Error 42125 {ZIP archive is corrupted.}
Number of searched folders: 12705
Number of tested files: 661899
Number of infected files: 1

It logs the infection in MBR (no option is given to delete it). The corrupted files are old files never used recently. Dont now whether there is any connection.
I don't notice any strange behaviour in the computer yet.

I wait for any suggestions/ recommendations.


Thanks.

Atis

[DavidR]

Don't worry about the archive is corrupted message.

Try this avast MBR rootkit tool:

Download aswMBR.exe ( 576KB ) to your desktop.

Double click the aswMBR.exe to run it

Click the "Scan" button to start scan

 
On completion of the scan click save log, save it to your desktop and post in your next reply

[atis]

Hi David,

I rerun the tool and obtained the same message that I posted last Friday. Here it is again.

aswMBR version 0.9.5.256 Copyright(c) 2011 AVAST Software
Run date: 2011-06-12 12:24:57
-----------------------------
12:24:57.968    OS Version: Windows 5.1.2600 Service Pack 3
12:24:57.968    Number of processors: 2 586 0xE08
12:24:57.968    ComputerName: MGA_PORTABLE  UserName: mga
12:24:58.328    Initialize success
12:25:10.312    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
12:25:10.312    Disk 0 Vendor: FUJITSU_MHV2100BH_PL 00000029 Size: 95396MB BusType: 3
12:25:12.343    Disk 0 MBR read successfully
12:25:12.343    Disk 0 MBR scan
12:25:12.343    Disk 0 unknown MBR code
12:25:14.359    Disk 0 scanning sectors +195366465
12:25:14.406    Disk 0 scanning C:\WINDOWS\system32\drivers
12:25:23.812    Service scanning
12:25:25.484    Disk 0 trace - called modules:
12:25:25.500    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
12:25:25.562    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6dfab8]
12:25:25.562    3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000083[0x8a68f9e8]
12:25:25.562    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a6a2940]
12:25:25.562    Scan finished successfully
12:25:30.875    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\mga\Desktop\MBR.dat"
12:25:30.875    The log file has been saved successfully to "C:\Documents and Settings\mga\Desktop\aswMBR.txt"

I hope this may help. I wonder whether the line:
12:25:12.343    Disk 0 unknown MBR code

has to do with the fact that I have partitions both for Linux and Windows and boot from Grub, or actually this is the signal of the virus.

Cheers,

Atis

[essexboy]

It may well be that could you send the MBR.dat from your desktop to Avast via the virus chest

Second opinion now

Please read carefully and follow these steps. 

• Download TDSSKiller and save it to your Desktop.
  
• Extract its contents to your desktop.
• Once extracted, open the TDSSKiller folder and doubleclick on TDSSKiller.exe to run the application, then on Start Scan.
   
   
  
   
   
  
• If an infected file is detected, the default action will be Cure, click on Continue.
   
   
  
   
   
  
• If a suspicious file is detected, the default action will be Skip, click on Continue.
   
   
  
   
   
  
• It may ask you to reboot the computer to complete the process. Click on Reboot Now.
   
   
  
   
   
  
• If no reboot is require, click on Report. A log file should appear. Please copy and paste the contents of that file here.
  
• If a reboot is required, the report can also be found in your root directory, (usually C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.
  

[atis]

Hi essexboy,

Thanks for your message.

I start to be a bit confused. TDSS killer did not find anything as far as I understand (please see the log attached as it seems to be too big). But Avast continue popping up the alarm. No other symptoms in the last couple of days.

Cheers,

Atis.

[essexboy]

Could you upload the MBR.dat to avast so that they can check it out, it may be because you are using grub

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

• Double click on ComboFix.exe & follow the prompts.
  

As part of it's process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

• Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue it's malware removal procedures.

• Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

• Click on Yes, to continue scanning for malware.
  

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now

[atis]

Hi essexboy,

Thanks again for your quick and prompt answer.

Sorry, I am new on all this and I have two doubts:

1.- (sure it is simple) how do I upload mbr.dat to avast? I always click "send to avast" when I am prompted to do so after the pop-up detection. I suppose I have sent it already? Is there other way?

2.- (crucial) would combofix not be the hair of the dog? I mean, I would like to find out first if effectively I am infected. I have read a guide to combofix and in my (short) knowledge I risk to run down my whole configuration with this powerful tool. As far as MBR is taken over by Windows (for whatever reason like rebooting in safe mode, for instance), it will possibly overwrite my partitions in Linux.
Have you ever used this tool with a similar configuration? I am ready to reinstall everything if needed, but first I'd rather confirm that the computer is infected with a tool not so aggressive (obviously if it exists).

Thanks again for your advice.

Atis.

[Pondus]

.- (sure it is simple) how do I upload mbr.dat to avast? I always click "send to avast" when I am prompted to do so after the pop-up detection. I suppose I have sent it already? Is there other way?

Moving files to the Virus Chest
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_03

Submitting files from the Virus Chest to avast! Virus Lab
https://support.avast.com/index.php?_m=knowledgebase&_a=viewarticle&kbarticleid=501#idt_07

[essexboy]

No we could start easy  this scan is purely analysis

To ensure that I get all the information this log will need to be attached (instructions at the end) if it is to large to attach then upload to Mediafire and post the sharing link.

Download OTS  to your Desktop

• Close ALL OTHER PROGRAMS.
  
• Double-click on OTS.exe to start the program.
  
• Check the box that says Scan All Users
  
• Check the box that says 64 bit
  
• Under Additional Scans check the following:

Reg - Disabled MS Config Items
Reg - Drivers32
Reg - NetSvcs
Reg - SafeBoot Minimal
Reg - Shell Spawning
Evnt - EventViewer Logs (Last 10 Errors)
File - Lop Check

• Under the Custom Scan box paste this in

%SYSTEMDRIVE%\*.exe
/md5start
volsnap.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
/md5stop
%systemroot%\*. /mp /s
hklm\software\clients\startmenuinternet|command /rs
hklm\software\clients\startmenuinternet|command /64 /rs
CREATERESTOREPOINT

• Now click the Run Scan button on the toolbar.
  
• Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
  
• Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
  

Please attach the log in your next post.

[atis]

Thanks both to Pondus and essexboy.

1.- MBR.DAT has been submitted to Avast virus lab. (I have quoted the subject of this thread in case it helps). Apparently it will be actually submitted as far as I close and update avast.

2.- OTS.txt log is at: http://www.mediafire.com/?aqsszff695m55j4

I have put the first one I run after the detection of the potential virus, as it took a while to run the scan. If needed, I will run another one tomorrow, and put the new log.

Let's see if any of this bring some light...

Cheers,

Atis

[essexboy]

Start OTS. Copy/Paste the information in the quotebox below into the panel where it says "Paste fix here" and then click the Run Fix button.

Code: [Select]

[Unregister Dlls]
[Driver Services - Safe List]
YY -> (gsplittm) gsplittm [Kernel | On_Demand | Stopped] -> C:\Documents and Settings\mga\Local Settings\Temp\gsplittm.sys
[Registry - Safe List]
< FireFox Extensions [Program Folders] > ->
YY -> Java Console   -> C:\Program Files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0023-ABCDEFFEDCBA}
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> "" [HKLM] -> Reg Error: Key error. [Reg Error: Value error.]
< Internet Explorer ToolBars [HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\] > -> HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\Software\Microsoft\Internet Explorer\Toolbar\
YN -> ShellBrowser\\"{C4069E3A-68F1-403E-B40E-20066696354B}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
YN -> WebBrowser\\"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}" [HKLM] -> Reg Error: Key error. [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\.DEFAULT\] > -> HKEY_USERS\.DEFAULT\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-18\] > -> HKEY_USERS\S-1-5-18\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< Internet Explorer Extensions [HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\] > -> HKEY_USERS\S-1-5-21-2798417395-2383758349-3804553033-1006\Software\Microsoft\Internet Explorer\Extensions\
YN -> CmdMapping\\"{08B0E5C0-4FCB-11CF-AAA5-00401C608501}" [HKLM] -> [Reg Error: Value error.]
YN -> CmdMapping\\"{92780B25-18CC-41C8-B9BE-3C9C571A8263}" [HKLM] -> [Reg Error: Key error.]
< MountPoints2 [HKEY_CURRENT_USER] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
YN -> \{baa4b40e-dc64-11dc-a640-00a0d147e75b} ->
YN -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{baa4b40e-dc64-11dc-a640-00a0d147e75b}\Shell\AutoRun\command ->
YN -> \{baa4b40e-dc64-11dc-a640-00a0d147e75b}\Shell\AutoRun\command\\"" -> [F:\ooo.exe]
[Registry - Additional Scans - Safe List]
< Disabled MSConfig Registry Items [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg\
YN -> My Web Search Bar hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
YN -> MyWebSearch Email Plugin hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
YN -> MyWebSearch Plugin hkey=HKLM key=SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
[Empty Temp Folders]
[EmptyFlash]
[CreateRestorePoint]
 
 
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.  Post that information back here

I will review the information when it comes back in.

Depending on what the fix contains, this process may take some time and your desktop icons might disappear or other uncommon behavior may occur.

This is no sign of malfunction, do not panic!

[atis]

Thanks essexboy, not only for your advice, but also working on my confidence on this unusual task for me.

Well here is the outcome of last step.

I run OTS, after finishing its job, it prompted me to accept for re-booting in order to apply the full fixing. I accepted but the application remained idle (not stall). I waited some 25 minutes waiting for another prompt or just for the application to close and reboot, but nothing happened. So I did it myself, close OTS and reboot.

No log was generated (I searched also elsewhere in my hard disk after rebooting) and nothing apparently happened (no strange behaviour whatsoever in my laptop). Avast detected again the infection after a few minutes, asked me to delete the malware and here we go again...

Should I rerun OTS with the same code? Maybe the application failed to complete the whole task.

Just incidentally microsoft prompted an error-message in the PCHealth folder of the application data. Just copied it:

EventType : visualstudio7x80update     P1 : msiexec.exe     P2 : 1.0.1686.5002
P3 : kb2416447     P4 : 1033     P5 : 643     P6 : f     P7 : install     
P8 : x86     P9 : 5.1.2600.2.3.0.768     P10 : 0     

NDP1.1sp1_KB2416447_X86_wrapper.log
version.txt

Don't suppose it has anything to do.

Well, that's all. Wondering if it helps.

Cheers,

Atis.