Author Topic: win32:MBRoot-J [Trj]  (Read 11848 times)


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #30 on: June 20, 2011, 11:16:38 PM »
Definitely an MBR infection - this is an old one called help assistant

Please download HelpAsst_mebroot_fix.exe and save it to your desktop.
Close out all other open programs and windows.
Double click the file to run it and follow any prompts.
If the tool detects an mbr infection, please allow it to run mbr -f and shutdown your computer.
Upon restarting, please wait about 5 minutes, click Start>Run and type the following bolded command, then hit Enter.
 
helpasst -mbrt
 
Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.
 
 
*In the event the tool does not detect an mbr infection and completes, click Start>Run and type the following bolded command, then hit Enter.
 
mbr -f
 
Now, please do the Start>Run>mbr -f command a second time.
Now shut down the computer (do not restart, but shut it down), wait a few minutes then start it back up.
Give it about 5 minutes, then click Start>Run and type the following bolded command, then hit Enter.
 
helpasst -mbrt
 
Make sure you leave a space between helpasst and -mbrt !
When it completes, a log will open.
Please post the contents of that log.

atis

  • Guest
Re: win32:MBRoot-J [Trj]
« Reply #31 on: June 21, 2011, 12:07:09 AM »
Thanks a lot essexboy. That looks promising !

I needed to go for the second option. Tool completed first without detection. However, it seems to have caught something and removed it.

Eager to know what you think.

Cheers. Here is the log.

Atis.

C:\Documents and Settings\mga\Desktop\HelpAsst_mebroot_fix.exe
20/06/2011 at 23:29:01,10

HelpAssistant account Inactive

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

 ~~ Checking firewall ports ~~

  backing up DomainProfile\GloballyOpenPorts\List registry key
  closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-

  backing up StandardProfile\GloballyOpenPorts\List registry key
  closing rogue ports

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-

 ~~ Checking profile list ~~

HelpAssistant profile found in registry ~ backing up and removing S-1-5-21-2798417395-2383758349-3804553033-1005
HelpAssistant profile directory exists at C:\Documents and Settings\HelpAssistant ~ attempting to remove
 ~ All C:\Documents and Settings\HelpAssistant files successfully removed ~

 ~~ Checking mbr ~~

user & kernel MBR OK

 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Status check on 21/06/2011 at  0:02:27,28

Account active               No
Local Group Memberships      *Administrators       

 ~~ Checking mbr ~~

Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
called modules: ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
kernel: MBR read successfully
user & kernel MBR OK

 ~~ Checking for termsrv32.dll ~~

termsrv32.dll not found


HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll   REG_EXPAND_SZ     %systemroot%\System32\termsrv.dll

 ~~ Checking profile list ~~

No HelpAssistant profile in registry

 ~~ Checking for HelpAssistant directories ~~

none found

 ~~ Checking firewall ports ~~

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


 ~~ EOF ~~
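The HelpAsst log above is the kind of output a responder ends up reading repeatedly: the account state, whether termsrv32.dll was found, which DLL the TermService service actually points at, and which GloballyOpenPorts entries the tool deleted. The following parser is an added example, not code from HelpAsst_mebroot_fix or from anyone in this thread; it runs over an excerpt of the log posted above, and the regular expressions are written against that log's line formats, which is an assumption about what other runs of the tool print.

```python
"""Triage a HelpAsst_mebroot_fix log: HelpAssistant account state, termsrv32.dll
observations, the TermService ServiceDll path and the firewall ports the tool
removed. Added example; not the tool's own code."""
import re

# Excerpt of the log posted in the thread, trimmed to the lines this parser reads.
SAMPLE_LOG = r"""HelpAssistant account Inactive

termsrv32.dll present! ~ attempting to remove
termsrv32.dll successfully removed

HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-
"3389:TCP"=-

HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\globallyopenports\list
"65533:TCP"=-
"52344:TCP"=-
"3246:TCP"=-
"2479:TCP"=-

Status check on 21/06/2011 at  0:02:27,28

Account active               No

termsrv32.dll not found

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\termservice\parameters
   ServiceDll   REG_EXPAND_SZ     %systemroot%\System32\termsrv.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\domainprofile\GloballyOpenPorts\List]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"""

# Line formats as they appear in the posted log (assumption: other runs look the same).
PROFILE_RE = re.compile(r"firewallpolicy\\(\w+)\\globallyopenports\\list", re.I)
PORT_RE = re.compile(r'^"(\d+):(TCP|UDP)"=-$', re.I)          # a deleted registry value
ACCOUNT_RE = re.compile(r"^HelpAssistant account (Active|Inactive)$|^Account active\s+(Yes|No)$", re.I)
TERMSRV32_RE = re.compile(r"^termsrv32\.dll (present!|not found)", re.I)
SERVICEDLL_RE = re.compile(r"^ServiceDll\s+REG_EXPAND_SZ\s+(\S+)$", re.I)

WELL_KNOWN = {3389: "RDP"}   # the only port in the sample with a well-known service


def triage_helpasst_log(text: str) -> dict:
    """Walk the log once and return structured observations plus findings."""
    result = {"helpassistant_active": None, "termsrv32": [], "termservice_dll": None,
              "termservice_dll_ok": None, "removed_ports": {}, "findings": []}
    profile = None   # firewall profile whose GloballyOpenPorts list we are inside
    for raw in text.splitlines():
        line = raw.strip().strip("[]")   # status section wraps key paths in [...]
        m = PROFILE_RE.search(line)
        if m:
            profile = m.group(1).lower()
            result["removed_ports"].setdefault(profile, [])
            continue
        m = PORT_RE.match(line)
        if m and profile:
            result["removed_ports"][profile].append((int(m.group(1)), m.group(2).upper()))
            continue
        m = ACCOUNT_RE.match(line)
        if m:
            state = (m.group(1) or m.group(2)).lower()
            result["helpassistant_active"] = state in ("active", "yes")
            continue
        m = TERMSRV32_RE.match(line)
        if m:
            result["termsrv32"].append(m.group(1).lower() == "present!")
            continue
        m = SERVICEDLL_RE.match(line)
        if m:
            result["termservice_dll"] = m.group(1)
            result["termservice_dll_ok"] = m.group(1).lower().endswith("\\termsrv.dll")

    findings = result["findings"]
    if result["helpassistant_active"]:
        findings.append("HelpAssistant account is enabled")
    if any(result["termsrv32"]):
        findings.append("termsrv32.dll was present at the first check (the tool removed it)")
    if result["termservice_dll_ok"] is False:
        findings.append(f"TermService ServiceDll points at {result['termservice_dll']}, not termsrv.dll")
    for prof, ports in result["removed_ports"].items():
        for port, proto in ports:
            tag = f" ({WELL_KNOWN[port]})" if port in WELL_KNOWN else ""
            findings.append(f"{prof}: port {port}/{proto}{tag} was globally opened in the firewall")
    return result


if __name__ == "__main__":
    for finding in triage_helpasst_log(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run against the posted excerpt it reports five globally opened TCP ports in the domain profile (3389 tagged as RDP) and four in the standard profile, a termsrv32.dll that was present on the first pass and gone on the status check, and a TermService ServiceDll that points back at the stock termsrv.dll.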

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #32 on: June 21, 2011, 07:10:16 PM »
Definitely help assist

What are your current problems ?

atis

Re: win32:MBRoot-J [Trj]
« Reply #33 on: June 21, 2011, 07:37:30 PM »
Well, essexboy, business as usual...

I finished yesterday with the tool for helpasst, posted the log, went to bed with high hopes of having removed it, but nothing seems to have changed. Avast continues detecting a rootkit some 10 minutes after switching on the computer.

I have just run a scan with Avast and only detects that, the rootkit. No other kind of symptoms whatsoever...

Regards,

Atis

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #34 on: June 21, 2011, 07:52:33 PM »
Still reporting the mbr ?

Let's run the new aswMBR and capture the mbr.dat so I can have a look at it. Could you rename the MBR.dat file on the desktop to MBR.txt and then attach it to your next post?

Download aswMBR.exe ( 1.8mb ) to your desktop.
 
Double click the aswMBR.exe to run it
 
Click the "Scan" button to start scan
 
 
On completion of the scan click save log, save it to your desktop and post in your next reply


atis

Re: win32:MBRoot-J [Trj]
« Reply #35 on: June 21, 2011, 09:08:22 PM »
Yeap !

Seems to be attached tightly. At this point, it might have been easier just to format the MBR, but now after so many tries I am curious to see the end of the hunt. Let's take it with patience.

Here is the log and in the next post I send the MBR.dat with .txt extension.

Thanks for your support.

Atis

aswMBR version 0.9.7.675 Copyright(c) 2011 AVAST Software
Run date: 2011-06-21 20:16:40
-----------------------------
20:16:40.718    OS Version: Windows 5.1.2600 Service Pack 3
20:16:40.718    Number of processors: 2 586 0xE08
20:16:40.718    ComputerName: MGA_PORTABLE  UserName: mga
20:16:41.906    Initialize success
20:16:42.546    AVAST engine defs: 11062100
20:16:57.593    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:16:57.593    Disk 0 Vendor: FUJITSU_MHV2100BH_PL 00000029 Size: 95396MB BusType: 3
20:16:57.640    Disk 0 MBR read successfully
20:16:57.640    Disk 0 MBR scan
20:16:57.640    Disk 0 Win32:MBRoot-J [Trj]
20:16:57.640    Disk 0 MBR [Win32:MBRoot]  **ROOTKIT**
20:16:57.640    Disk 0 scanning C:\WINDOWS\system32\drivers
20:17:12.796    Service scanning
20:17:14.250    Disk 0 trace - called modules:
20:17:14.281    ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:17:14.281    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a610ab8]
20:17:14.281    3 CLASSPNP.SYS[f7657fd7] -> nt!IofCallDriver -> \Device\00000084[0x8a62b9e8]
20:17:14.281    5 ACPI.sys[f75ae620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a62cd98]
20:17:14.531    AVAST engine scan C:\WINDOWS
20:43:33.171    AVAST engine scan C:\Documents and Settings\mga
20:55:15.765    AVAST engine scan C:\Documents and Settings\All Users
20:58:47.812    Scan finished successfully
20:59:42.796    Disk 0 MBR has been saved successfully to "C:\Documents and Settings\mga\Desktop\MBR.dat"
20:59:42.890    The log file has been saved successfully to "C:\Documents and Settings\mga\Desktop\aswMBR_621.txt"

atis

Re: win32:MBRoot-J [Trj]
« Reply #36 on: June 21, 2011, 09:10:57 PM »
Here is the MBR.dat file

http://www.mediafire.com/?bzmzph4gjkwkb5v

Atis

Offline DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 89061
  • No support PMs thanks
Re: win32:MBRoot-J [Trj]
« Reply #37 on: June 21, 2011, 09:32:19 PM »
Interesting the web shield alerts on the mbr.txt file and aborts the connection.

atis

Re: win32:MBRoot-J [Trj]
« Reply #38 on: June 21, 2011, 09:56:33 PM »
Well, possibly it is also infected...

I am wondering whether my system somehow re-generates the virus, if ever we killed it. However, I have not plugged anything into my computer since I got the first alarm and have operated only the browser (firefox), avast, and the tools you have sent me.

Could any software application in my computer generate this kind of virus?

Can I do something to send the mbr.dat to you?

Atis


Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #39 on: June 21, 2011, 10:41:07 PM »
I have it - just disabled my shields for a few minutes  ;D

I can see the grub reference - I have submitted it to the labs and also parsing it through Jotti and Virus total

Back in  a bit

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #40 on: June 21, 2011, 10:52:26 PM »
Only Avast reported at Jotti http://virusscan.jotti.org/en/scanresult/6991aae4df7acbfac853e9c32e5539ab5a1af593

Still awaiting virus total

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #41 on: June 21, 2011, 11:02:49 PM »
And virus total had 3 hits Avast5 / 6 and GDATA - methinks it is hitting on the grub element and the FP is being generated by that

http://www.virustotal.com/file-scan/report.html?id=bd13e5607b2e3e0f641b04239c0cc096b8990ad289123453aa8b71a7df8f1956-1308688391
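The thread's conclusion rests on what the captured sector actually contains: GRUB's boot sector carries a recognisable set of strings, and so does the stock Windows XP MBR, so a first triage step is to look at the bootstrap area and the partition table of the dumped MBR.dat before trusting either a scanner verdict or a gut feeling. The script below is an added example, not code from aswMBR, Avast or anyone in this thread. It builds its own constructed 512-byte samples (not the poster's MBR.dat); the file path in `load_mbr` and the dual-boot partition layout are assumptions.

```python
"""Inspect a raw 512-byte MBR image, such as the MBR.dat that aswMBR saves,
and report what bootstrap code it carries and whether the partition table is
sane. Added example; not part of the forum thread or any tool mentioned in it."""
import struct

SECTOR_SIZE = 512
BOOTCODE_END = 446          # bootstrap code occupies bytes 0..445
TABLE_OFFSET = 446          # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"     # boot signature at bytes 510..511

# Strings the stock loaders embed in their first sector: GRUB's boot sector
# carries "GRUB " plus its error-message fragments, the Windows XP MBR its three
# error messages.
GRUB_MARKERS = (b"GRUB ", b"Geom", b"Hard Disk", b"Read", b" Error")
WINDOWS_MARKERS = (b"Invalid partition table",
                   b"Error loading operating system",
                   b"Missing operating system")


def classify_bootcode(mbr: bytes) -> str:
    """Label the bootstrap area by the strings it contains. 'unknown' means no
    stock loader matched: a reason to diff against a known-good sector, not
    proof of a bootkit (and a bootkit may hide the real sector from user-mode reads)."""
    code = mbr[:BOOTCODE_END]
    if all(m in code for m in GRUB_MARKERS):
        return "grub"
    if all(m in code for m in WINDOWS_MARKERS):
        return "windows"
    if not any(code):
        return "empty"
    return "unknown"


def parse_partitions(mbr: bytes) -> list:
    """Decode the four primary entries; skip unused (all-zero) ones."""
    parts = []
    for i in range(4):
        # status(1) CHS start(3, ignored) type(1) CHS end(3, ignored) LBA start(4) sectors(4)
        status, ptype, lba, size = struct.unpack_from("<B3xB3xII", mbr, TABLE_OFFSET + 16 * i)
        if ptype == 0 and size == 0:
            continue
        parts.append({"index": i, "status": status, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba, "sectors": size})
    return parts


def check_mbr(mbr: bytes) -> dict:
    """Return a summary plus the findings a triager would want to see."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
    findings = []
    signature_ok = mbr[510:512] == SIGNATURE
    if not signature_ok:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partitions(mbr)
    active = [p for p in parts if p["bootable"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["lba_start"] == 0:
            findings.append(f"entry {p['index']}: starts at LBA 0 (overlaps the MBR itself)")
    ordered = sorted(parts, key=lambda p: p["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    bootcode = classify_bootcode(mbr)
    if bootcode == "unknown":
        findings.append("bootstrap code matches neither Windows nor GRUB; compare with a known-good MBR")
    return {"signature_ok": signature_ok, "bootcode": bootcode,
            "partitions": parts, "findings": findings}


def load_mbr(path: str) -> bytes:
    """Read the first sector of a dump such as MBR.dat (the path is an assumption)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# ---- constructed sample data, not the poster's MBR.dat ----------------------
GRUB_BOOT = b"\xeb\x63\x90" + b"\x00" * 61 + b"GRUB \x00Geom\x00Hard Disk\x00Read\x00 Error\x00"
WINDOWS_BOOT = b"\x33\xc0\x8e\xd0" + b"\x00" * 60 + b"".join(m + b"\x00" for m in WINDOWS_MARKERS)
# (status, type, LBA start, sector count): an NTFS system partition, a Linux
# partition and a Linux swap partition, i.e. an assumed Windows/Linux dual-boot layout
SAMPLE_PARTITIONS = [(0x80, 0x07, 63, 120_000_000),
                     (0x00, 0x83, 120_000_063, 70_000_000),
                     (0x00, 0x82, 190_000_063, 4_000_000)]


def build_sample_mbr(boot_blob: bytes, partitions) -> bytes:
    """Assemble a 512-byte MBR from a bootstrap blob and partition tuples."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_blob)] = boot_blob
    for i, (status, ptype, lba, size) in enumerate(partitions):
        struct.pack_into("<B3sB3sII", mbr, TABLE_OFFSET + 16 * i,
                         status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", lba, size)
    mbr[510:512] = SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    for label, blob in (("grub", GRUB_BOOT), ("windows", WINDOWS_BOOT)):
        report = check_mbr(build_sample_mbr(blob, SAMPLE_PARTITIONS))
        print(label, report["bootcode"], report["findings"])
```

To use it on a real dump, call `check_mbr(load_mbr("MBR.dat"))`. The string match only says whether the bootstrap looks like a stock loader; it cannot prove the absence of an MBR bootkit, because a kernel-resident rootkit that hooks disk I/O can hand a clean sector back to a user-mode read. That is why the HelpAsst and gmer output above reads the MBR through both a user-mode and a kernel path and reports "user & kernel MBR OK" only when the two agree.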

atis

Re: win32:MBRoot-J [Trj]
« Reply #42 on: June 22, 2011, 09:53:12 AM »
Hi essexboy,

Any suggestions then on the next step? I do not quite understand whether it is just grub creating the mess...

Cheers,

Atis

Offline essexboy

  • Malware removal instructor
  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 40589
  • Dragons by Sasha
    • Malware fixes
Re: win32:MBRoot-J [Trj]
« Reply #43 on: June 22, 2011, 08:22:04 PM »
At the moment I believe it to be a false positive - based on my other tool result, plus re-instating the MBR

We can do a final check if you wish to confirm this hypothesis

Download Dr Web from here. Fill in the small form and download.
 
It will download as an 8-digit file; save it to your desktop.

Restart in safe mode and run
Accept the enhanced version
Then run the quick scan
About halfway through you will be prompted to buy - just X the box closed
Once finished it will generate a log please attach that

atis

Re: win32:MBRoot-J [Trj]
« Reply #44 on: June 22, 2011, 09:11:35 PM »
Thanks a lot essexboy,

I think we have tested enough for the last couple of weeks. I prefer now to play a bit with the computer and see whether I find some behaviour that makes me think something is going wrong.

Since the beginning I did not notice any real problem (no loss of resources, no crashing problems, no sign of modification of my applications...). None of the other tools detected anything. I guess that grub grew bigger as Linux has preserved different versions to boot. Possibly Avast sees much code it cannot interpret and raises the alarm.

If for whatever reason something suspicious happens in the next couple of days I will try next Sunday the last tool you suggest .

I appreciate a lot your support on this. To tell you the truth, after the first few days I was more interested in learning the hunting process than worried about the virus. I have seen that we, small unimportant users, are well protected and supported out there. ;)

Thanks again, and let's hope that it was indeed a false alarm.

Cheers,

Atis