Author Topic: win32:MBRoot-J [Trj]  (Read 11840 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #15 on: June 13, 2011, 11:28:08 PM »
Could you run a fresh OTS scan - then I can check to see if the driver was removed

atis

  • Guest
Re: win32:MBRoot-J [Trj]
« Reply #16 on: June 14, 2011, 12:03:13 AM »

Hi essexboy,

Here is fresh OTS. I've run the scan with the same parameters you instructed me yesterday.

Hope you can find there what you are looking for. Looks to me like a complex task.

http://www.mediafire.com/?hno0wcof6poj9ta

Thanks!

Atis

Offline essexboy
Re: win32:MBRoot-J [Trj]
« Reply #17 on: June 14, 2011, 06:56:41 PM »
OK the driver does not want to go quietly - let's call in the big boy.  I have never yet had a problem with ComboFix, and it has plenty of built-in safeguards

Download and Install Combofix

Download ComboFix from one of the following locations:
Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop

* IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here
  • Double click on ComboFix.exe & follow the prompts.
As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


  • Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:



  • Click on Yes, to continue scanning for malware.
When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.

Please make sure you include the ComboFix log in your next reply, as well as describing how your computer is running now.

atis
Re: win32:MBRoot-J [Trj]
« Reply #18 on: June 14, 2011, 11:44:44 PM »
Hi essexboy,

Here is my report after such a thrilling experience. Will try to be explicit and synthetic.

1. Ran ComboFix.

2. At my own risk, I did not install the Recovery Console. By my reading, my reasoning and my (short) knowledge, I trusted ComboFix more than the MS installation of the console. The risk in installing the console is wiping out my whole partition structure shared between Linux and MS XP. I accepted the risk of losing my MS system (I have my own restoration CD) with ComboFix, but at least I expected to be able to boot into Linux in the worst case.

3. ComboFix apparently did its work. While it ran I saw it deleting three files and a number of folders (Windows system ones, which made me quite uneasy, I must confess).

4. It closed and tried to reboot, but could not do so by itself. As I expected, Grub did not allow it straight away. I needed to switch off and restart. I was relieved when I saw my boot menu in Grub, all intact. I booted XP, and ComboFix took control again. I guess that it checked the actions that took place after rebooting. It generated the log I am enclosing. I also discovered that it created in my root folder a subfolder called Qoobox with two text files, "add-removed" and "quarantined". It includes a subfolder called "quarantine". I did not want to be killed by curiosity, as they say of the cat: I report, but did not open any of them.

5. Behaviour so far so good. Avast did not turn on after rebooting. For the rest, I did not notice any remarkable change in appearance on my desktop. Internet works fine and so does the browser.

Waiting for instructions after you check the log (posted in a second post). Getting more curious about the whole thing, although I confess I was afraid during the experience.

Thanks for your great support!

atis

atis


atis
Re: win32:MBRoot-J [Trj]
« Reply #19 on: June 14, 2011, 11:50:08 PM »
Combofix log mentioned in my previous post. Atis

http://www.mediafire.com/?3q2k71k379oaqod

Offline essexboy
Re: win32:MBRoot-J [Trj]
« Reply #20 on: June 14, 2011, 11:55:25 PM »
You had HelpAssistant - which I have not seen for a fair few months now, I thought it had faded away.  The Windows folders you saw were in your app data / user folders - not where they are meant to be if they were legit ;D

So I just need to close a port and then determine what problems you have left.

1. Close any open browsers.

2. Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote

Registry::
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"3389:TCP"=-

Save this as CFScript.txt, in the same location as ComboFix.exe

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.

atis
Re: win32:MBRoot-J [Trj]
« Reply #21 on: June 15, 2011, 09:38:22 AM »
Thanks a lot essexboy,

Happy to see that you have already found something in there. I am now in a rush. Anyway here is the new log of ComboFix. It took a while but nothing noticeable. Did not need to reboot. I will report more quietly this afternoon.

Cheers, atis
http://www.mediafire.com/?c54n7iq13rvq087

Offline essexboy
Re: win32:MBRoot-J [Trj]
« Reply #22 on: June 15, 2011, 06:48:20 PM »
The log looks ok - so what problems remain?

atis
Re: win32:MBRoot-J [Trj]
« Reply #23 on: June 15, 2011, 08:24:06 PM »
Well, to my surprise, Avast now not only reports the previous virus, but also that the file:

system32/drivers/w39n5l.sys

is also infected.

Therefore, I am not quite sure yet whether I had a virus, whether I still have it, or what to do next. I confess I have been lost with the whole thing since the beginning.

I did not run a scan; Avast just detected it with the normal pop-up.

This morning everything also looked fine to my eyes. I have just switched the computer on and found myself back at the starting point. I did not run any programme other than Avast, which I disabled when I started with ComboFix. I have not done anything with the computer since I closed it this morning.

I deeply appreciate your help, and I wonder whether I should start again from the beginning.

Thanks,

atis

Offline essexboy
Re: win32:MBRoot-J [Trj]
« Reply #24 on: June 15, 2011, 09:03:49 PM »
HelpAssistant normally has an MBR element - but maybe the Grub bootloader is confusing the issue

Please download MBRCheck.exe to your desktop.
  • Be sure to disable your security programs
  • Double click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt)
  • A window similar to this should open on your desktop:

  • If you are prompted with options, enter N at the prompt and press Enter
  • Press Enter again
  • A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop.  Please post the contents of that file.

atis
Re: win32:MBRoot-J [Trj]
« Reply #25 on: June 15, 2011, 11:09:52 PM »
Thanks for your patience essexboy,

Well, that's my big question. If for whatever reason some of the boot code is misinterpreted by the scanning applications, the cleaning tools will get rid of it. Linux allows Windows to boot, but not the other way round. Any control given to booting directly into Windows will immediately erase the dual-boot facility (whether it takes control of the only partition assigned to it, or the whole disk).

When looking at the log I am enclosing in my next post, it recognised a physical drive of 93 GB, but Windows can only see the size of its partition, i.e. 45 GB. I created the partition structure manually myself (it took me a good week), moving Windows and all my applications and restricting them to a part of my physical drive, overwriting a partition on the remaining physical space, installing Linux, and then Grub to customise my booting into both systems.

Now, the fact that makes me think there might actually be malware is that I have a similar structure on my desktop, also with XP and Avast installed. There I did not receive any warning, even though the configuration is much more complicated (several partitions for Windows and several for Linux). Both computers (laptop and desktop) are isolated from each other, and I have even been avoiding connecting them to the internet simultaneously since I discovered the problem. I have been working with this structure for almost three years now.

I don't know if this helps at all, and I wonder whether a Linux expert could help on this, if indeed it is Grub that creates the whole mess. In any case, I prefer to give you as much data as I have to hand to help solve the enigma.

In the next post you will find the MBRCheck log.

Cheers,

atis

atis
Re: win32:MBRoot-J [Trj]
« Reply #26 on: June 15, 2011, 11:12:55 PM »
Here is the last log mentioned in my previous post.

http://www.mediafire.com/?5xnpci1k3zpgh4k

atis

Offline essexboy
Re: win32:MBRoot-J [Trj]
« Reply #27 on: June 15, 2011, 11:39:53 PM »
The problem is - if it is an MBR infection the only way to clear it is to rewrite the MBR.

Let's see if we can clear the main elements - that will render the changed MBR impotent but still enable a dual boot.

Download and run HAMeb_check.exe
Post the contents of the resulting log.

atis
Re: win32:MBRoot-J [Trj]
« Reply #28 on: June 16, 2011, 09:48:44 AM »
Hi essexboy,

I am ready to rewrite the MBR as soon as I am sure there is an infection. I am going to recheck both my systems and see whether I need to back up something I have not backed up in the past.

I will run the check you instruct me to and then we can play around with the MBR.

Let's put ourselves in the position that the MBR is infected. If I back up info to a DVD, would the infection come along, or is that not likely when I do not transfer Windows system files?

I have not plugged anything into the computer since Avast gave the alarm.

In my next post there will be the new log.

Cheers,

Mario

atis
Re: win32:MBRoot-J [Trj]
« Reply #29 on: June 20, 2011, 10:09:21 PM »
Hi essexboy,

Sorry for the delay. I have been busy the last few days. I am picking the thread up again with the last log produced. I took the opportunity to back up some recent files. I am ready to act on the MBR if needed.

atis
___________________________________

C:\Documents and Settings\mga\Desktop\HAMeb_check.exe
20/06/2011 at 22:04:19,03

Account active               No
Local Group Memberships      *Administrators       

 ~~ Checking profile list ~~

S-1-5-21-2798417395-2383758349-3804553033-1005
     %SystemDrive%\Documents and Settings\HelpAssistant

 ~~ Checking for HelpAssistant directories ~~

HelpAssistant

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll present!


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll   REG_EXPAND_SZ     %SystemRoot%\System32\termsrv.dll

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "3246:TCP"=3246:TCP:*:Enabled:Services
   "2479:TCP"=2479:TCP:*:Enabled:Services
   "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "3246:TCP"=3246:TCP:*:Enabled:Services
   "2479:TCP"=2479:TCP:*:Enabled:Services


 ~~ EOF ~~
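The CFScript in Reply #20 and the HAMeb_check output above turn on the same idea: the firewall's GloballyOpenPorts lists are a place an infection can leave a door open, and an entry is closed by deleting its registry value. The Python below is an added example, not part of the thread and not code from ComboFix or HAMeb_check. It parses the port lists and the two other checks out of HAMeb_check-style output (the sample is constructed to mirror the log above), flags enabled any-address exceptions that are not on an allowlist the administrator supplies, and renders the same Registry:: deletion block the thread uses. The regexes, the allowlist and the function names are assumptions of mine; whether a given flagged port is legitimate is a judgement the thread does not make and the script does not either.

```python
import re
from typing import Dict, List, NamedTuple, Set, Tuple

# Constructed sample input: the same registry paths and value format that
# HAMeb_check.exe printed in the thread, trimmed to the sections parsed here.
SAMPLE_LOG = r"""
 ~~ Checking for HelpAssistant directories ~~

HelpAssistant

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll present!

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\DomainProfile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "3246:TCP"=3246:TCP:*:Enabled:Services
   "2479:TCP"=2479:TCP:*:Enabled:Services
   "3389:TCP"=3389:TCP:*:Enabled:Remote Desktop

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
   "65533:TCP"=65533:TCP:*:Enabled:Services
   "52344:TCP"=52344:TCP:*:Enabled:Services
   "3246:TCP"=3246:TCP:*:Enabled:Services
   "2479:TCP"=2479:TCP:*:Enabled:Services
"""


class OpenPort(NamedTuple):
    profile: str   # DomainProfile or standardprofile
    port: int
    proto: str     # TCP or UDP
    scope: str     # "*" means any remote address may connect
    enabled: bool
    name: str      # free-text label stored in the value


# Assumed line shapes, taken from the log above rather than any documentation.
KEY_RE = re.compile(
    r"^\[HKLM\\~\\services\\sharedaccess\\parameters\\firewallpolicy\\"
    r"(?P<profile>\w+)\\GloballyOpenPorts\\List\]$")
VALUE_RE = re.compile(
    r'^\s*"(?P<port>\d+):(?P<proto>TCP|UDP)"='
    r'(?P=port):(?P=proto):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$')


def parse_open_ports(log: str) -> List[OpenPort]:
    """A [HKLM\\~\\...\\List] header selects the profile; each quoted value
    line under it is one port exception until the next header."""
    profile = None
    found: List[OpenPort] = []
    for line in log.splitlines():
        key = KEY_RE.match(line.strip())
        if key:
            profile = key.group("profile")
            continue
        val = VALUE_RE.match(line)
        if val and profile:
            found.append(OpenPort(profile, int(val.group("port")), val.group("proto"),
                                  val.group("scope"), val.group("state") == "Enabled",
                                  val.group("name").strip()))
    return found


def flag_unexpected(ports: List[OpenPort], allow: Set[Tuple[int, str]]) -> List[OpenPort]:
    """Keep the exceptions that actually expose something (enabled, open to any
    remote address) and that the administrator has not explicitly approved."""
    return [p for p in ports
            if p.enabled and p.scope == "*" and (p.port, p.proto) not in allow]


def cfscript_registry_block(profile: str, ports: List[OpenPort]) -> str:
    """Render the ComboFix CFScript fragment in the form used in the thread:
    a Registry:: section whose "port:proto"=- lines delete those values."""
    key = (r"[HKLM\~\services\sharedaccess\parameters\firewallpolicy\%s"
           r"\GloballyOpenPorts\List]" % profile)
    lines = ["Registry::", key]
    lines += ['"%d:%s"=-' % (p.port, p.proto) for p in ports if p.profile == profile]
    return "\n".join(lines)


def other_indicators(log: str) -> Dict[str, bool]:
    """The two non-port checks HAMeb_check prints, keyed for a report."""
    return {
        "helpassistant_dir": re.search(r"^HelpAssistant\s*$", log, re.M) is not None,
        "termsrv32_present": "termsrv32.dll present!" in log,
    }


if __name__ == "__main__":
    ports = parse_open_ports(SAMPLE_LOG)
    # Assumed allowlist: the administrator has decided Remote Desktop may stay open.
    bad = flag_unexpected(ports, allow={(3389, "TCP")})
    for p in bad:
        print("%-16s %5d/%s  %s" % (p.profile, p.port, p.proto, p.name))
    print(cfscript_registry_block("standardprofile", bad))
    print(other_indicators(SAMPLE_LOG))
```

Run against the real HAMeb_check output by reading the file instead of SAMPLE_LOG. The allowlist is the whole decision: on a box with no reason to accept inbound connections it can be empty, and every enabled any-address exception then shows up for review before anything is deleted.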