Disk 0 malicious Win32:MBRoot, TRIED EVERYTHING I could...please help

For the last week I have been chasing this sinowal trojan and it's still winning, I think!? I used so many 'tools' I've lost count. This computer was updated from a free version of avast to the Internet Security version. It found the sinowal trojan and locked up. The log shows that it did nothing with the infected file. After running all the steps suggested by essexboy's post and a few others, I deleted all the restores, left them off and ran the online antivirus f-secure in between doing boot scans with Avast. Then I tried TFC, OTA, HAMeb_check, Secunia, and performed FIXMBR 3 different times, one in recovery mode. I've posted the log from the program that seems to be the only one reporting it now. At one time in this long process, there was even a file next to the "ntkrnlpa.exe" line that was named catchme.sys!!! :)
Can someone PLEASE take a look and let me know what I can do, other than wipe out the hard drive?
THANKS AHEAD! -Kathy

aswMBR Log:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 20:47:50

20:47:50.828 OS Version: Windows 5.1.2600 Service Pack 3
20:47:50.828 Number of processors: 1 586 0x2402
20:47:50.828 ComputerName: MARCHLAPTOP01 UserName:
20:47:51.125 Initialize success
20:47:55.250 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
20:47:55.250 Disk 0 Vendor: FUJITSU_MHV2080AT_PL 008300A1 Size: 76319MB BusType: 3
20:47:57.296 Disk 0 MBR read successfully
20:47:57.296 Disk 0 MBR scan
20:47:59.312 Disk 0 scanning sectors +156296385
20:47:59.343 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
20:47:59.359 Disk 0 PE file @ sector 156296410 !
20:47:59.375 Disk 0 scanning C:\WINDOWS\system32\drivers
20:48:07.640 Service scanning
20:48:09.437 Disk 0 trace - called modules:
20:48:09.453 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
20:48:09.468 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85938ab8]
20:48:09.468 3 CLASSPNP.SYS[f7632fd7] → nt!IofCallDriver → \Device\00000085[0x85968288]
20:48:09.484 5 ACPI.sys[f74a9620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x85967d98]
20:48:10.015 Scan finished successfully

Hi Kathy - you are clean. aswMBR is reporting the backup (inert) copy of the malware and it is of no danger.

20:47:55.250 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
20:47:55.250 Disk 0 Vendor: FUJITSU_MHV2080AT_PL 008300A1 Size: 76319MB BusType: 3
20:47:57.296 Disk 0 MBR read successfully
20:47:57.296 Disk 0 MBR scan
20:47:59.312 [b]Disk 0 scanning sectors +156296385[/b]
20:47:59.343 [b]Disk 0 malicious Win32:MBRoot code @ sector 156296388[/b] !
20:47:59.359 Disk 0 PE file @ sector 156296410 !
20:47:59.375 Disk 0 scanning C:\WINDOWS\system32\drivers
20:48:07.640 Service scanning

Thank you, thank you so very much for confirming this. I am totally relieved to know I will get my weekend off…woohoo ;D Maybe I'd have been done sooner if I'd posted earlier. Thanks again.

I was hit by the win32:mbroot trojan yesterday. Although aswMBR.exe fixed the MBR, the presence of the inert MBR record with the malware can be a nag and prevent the 100% peace of mind that a completely clean scan provides.

The way I was able to fix the problem was downloading ‘MBRWiz.exe’ from http://firesage.com/mbrwizard.php.

The CLI version of this program is free. I ran the CLI version with the /copy switch and copied the clean MBR from sector 0 to the target sector where the inert MBR record with the malware was present. Now I have clean scans by aswMBR and GMER.

Hope this feedback helps someone.
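As an added example (my own code, not from the thread and not from the aswMBR or MBRWiz authors), the following Python script illustrates the two points made above: the second post's reading of the log, and the last post's sector copy. It parses the aswMBR lines to show where the flagged sector sits: Disk 0 is reported as 76319 MB, which is about 156,301,312 sectors of 512 bytes, so the hit at sector 156296388 is about 4,924 sectors from the end of the disk, in the tail region rather than in the live MBR at sector 0 that the BIOS executes. It then performs the same sector-copy that the last post does with MBRWiz /copy, but on a constructed in-memory disk image rather than a physical drive, and checks that the leftover marker is gone afterwards. The 64 MiB "tail window" threshold, the regular expressions, and the contents of the demo image are my assumptions; the log lines and sector numbers are the thread's own.

```python
import re

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid boot sector
TAIL_WINDOW_SECTORS = 64 * 2048      # assumption: hits within the last 64 MiB count as "disk tail"

# Constructed excerpt of the aswMBR log posted in the thread (values copied from it).
LOG = """\
20:47:55.250 Disk 0 Vendor: FUJITSU_MHV2080AT_PL 008300A1 Size: 76319MB BusType: 3
20:47:57.296 Disk 0 MBR read successfully
20:47:59.312 Disk 0 scanning sectors +156296385
20:47:59.343 Disk 0 malicious Win32:MBRoot code @ sector 156296388 !
20:47:59.359 Disk 0 PE file @ sector 156296410 !
"""

# Assumed line shapes, derived only from the log lines above.
SIZE_RE = re.compile(r"Disk (\d+) Vendor: .*\bSize: (\d+)MB")
HIT_RE = re.compile(r"Disk (\d+) (malicious \S+ code|PE file) @ sector (\d+)")


def mb_to_sectors(size_mb):
    """aswMBR prints the size in whole MiB, so the sector count is a lower bound."""
    return size_mb * 1024 * 1024 // SECTOR_SIZE


def parse_log(text):
    """Return ({disk: total_sectors}, [(disk, kind, lba), ...]) from aswMBR output."""
    sizes, hits = {}, []
    for line in text.splitlines():
        m = SIZE_RE.search(line)
        if m:
            sizes[int(m.group(1))] = mb_to_sectors(int(m.group(2)))
            continue
        m = HIT_RE.search(line)
        if m:
            hits.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return sizes, hits


def classify(lba, total_sectors):
    """Say where a flagged sector sits. Sector 0 is the live MBR the BIOS runs;
    a sector a few thousand LBAs from the end is in the tail region where no
    partition normally lives, which is where the inert copy in the thread was."""
    from_end = total_sectors - lba
    if lba == 0:
        region = "mbr"
    elif 0 < from_end <= TAIL_WINDOW_SECTORS:
        region = "disk tail"
    else:
        region = "body"
    return {"lba": lba, "sectors_from_end": from_end, "region": region}


def read_sector(image, lba):
    start = lba * SECTOR_SIZE
    data = bytes(image[start:start + SECTOR_SIZE])
    if len(data) != SECTOR_SIZE:
        raise ValueError(f"sector {lba} is outside the image")
    return data


def looks_like_boot_sector(data):
    return data[510:512] == MBR_SIGNATURE


def copy_sector(image, src_lba, dst_lba):
    """Overwrite dst_lba with the contents of src_lba, in place. This is the
    sector copy the last post performs with MBRWiz /copy, done here on a raw
    image in memory rather than on a physical disk."""
    if src_lba == dst_lba:
        raise ValueError("source and destination are the same sector")
    data = read_sector(image, src_lba)
    read_sector(image, dst_lba)  # bounds check before writing anything
    start = dst_lba * SECTOR_SIZE
    image[start:start + SECTOR_SIZE] = data


def build_demo_image(total_sectors=64, stale_lba=60):
    """Constructed image: a clean MBR in sector 0 and a leftover marker near the end."""
    image = bytearray(total_sectors * SECTOR_SIZE)
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:8] = b"CLEANMBR"          # stand-in for real boot code
    mbr[510:512] = MBR_SIGNATURE
    image[0:SECTOR_SIZE] = mbr
    start = stale_lba * SECTOR_SIZE
    image[start:start + 10] = b"STALE-COPY"   # constructed marker, not real malware bytes
    return image


def scrub_tail_copy(image, stale_lba):
    """Replace the stale tail sector with sector 0 and confirm the marker is gone."""
    copy_sector(image, 0, stale_lba)
    after = read_sector(image, stale_lba)
    return after == read_sector(image, 0) and not after.startswith(b"STALE")


if __name__ == "__main__":
    sizes, hits = parse_log(LOG)
    for disk, kind, lba in hits:
        print(kind, classify(lba, sizes[disk]))
    img = build_demo_image()
    print("scrubbed:", scrub_tail_copy(img, 60))
```

Run against the thread's log the classifier reports both hits as "disk tail", a few thousand sectors before the end of the drive, which is the reasoning behind "you are clean": the executable MBR at sector 0 was already rewritten, and what remains is an orphaned copy in unallocated space. On a real drive the same copy step would be done with the tool the last post names; the image here only shows what the operation does and how to verify it afterwards.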