File MBR is infected by Sinowal@mbr

Dear all,

My MBR seems to be infected by what appears to be the “Sinowal@mbr” virus. I ran avast! Internet Security a couple of times, but it couldn’t remove it. I ran it while Windows XP is up, and I performed several boot-time scans. No luck :frowning:

What am I doing wrong? Please help!

Kind regards,


IronCity

Thanks Pondus :slight_smile:

Here is the result of the aswMBR scan:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 10:15:51

10:15:51.671 OS Version: Windows 5.1.2600 Service Pack 3
10:15:51.671 Number of processors: 2 586 0x1C02
10:15:51.671 ComputerName: CALIGARI UserName: niceno
10:15:52.390 Initialize success
10:16:08.093 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
10:16:08.093 Disk 0 Vendor: ST9160310AS 0303 Size: 152627MB BusType: 3
10:16:10.093 Disk 0 MBR read successfully
10:16:10.093 Disk 0 MBR scan
10:16:10.093 Disk 0 MBR hidden
10:16:12.093 Disk 0 scanning sectors +312576705
10:16:12.125 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:16:12.125 Disk 0 PE file @ sector 312576730 !
10:16:12.140 Disk 0 MBR [Win32:MBRoot] ROOTKIT
10:16:12.140 Disk 0 trace - called modules:
10:16:12.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85e14aee]<<
10:16:12.140 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86d54ab8]
10:16:12.140 3 CLASSPNP.SYS[f7588fd7] → nt!IofCallDriver → \Device\00000078[0x86d54908]
10:16:12.140 5 ACPI.sys[f741f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x86d78940]
10:16:12.156 Scan finished successfully

10:16:12.125 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:16:12.125 Disk 0 PE file @ sector 312576730 !
10:16:12.140 Disk 0 MBR [Win32:MBRoot] **ROOTKIT**

  • start new scan, then click “FIX MBR” and reboot
  • after reboot, run new scan, then click “save log” and post that log in your next reply

I did as you suggested, with the following outcome:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-28 10:51:48

10:51:48.046 OS Version: Windows 5.1.2600 Service Pack 3
10:51:48.046 Number of processors: 2 586 0x1C02
10:51:48.046 ComputerName: CALIGARI UserName: niceno
10:51:48.625 Initialize success
10:51:53.468 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
10:51:53.468 Disk 0 Vendor: ST9160310AS 0303 Size: 152627MB BusType: 3
10:51:55.468 Disk 0 MBR read successfully
10:51:55.468 Disk 0 MBR scan
10:51:57.468 Disk 0 scanning sectors +312576705
10:51:57.515 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:51:57.515 Disk 0 PE file @ sector 312576730 !
10:51:57.515 Disk 0 scanning C:\WINDOWS\system32\drivers
10:52:07.968 Service scanning
10:52:09.187 Disk 0 trace - called modules:
10:52:09.437 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
10:52:09.437 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86d75ab8]
10:52:09.453 3 CLASSPNP.SYS[f7588fd7] → nt!IofCallDriver → \Device\00000077[0x86d589e8]
10:52:09.453 5 ACPI.sys[f741f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x86d5cd98]
10:52:09.453 Scan finished successfully

Sorry, too quick.

10:51:57.515 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:51:57.515 Disk 0 PE file @ sector 312576730 !

still there

Follow this guide from our expert malware remover Essexboy
http://forum.avast.com/index.php?topic=53253.0
( post the logs here in this topic and not in the guide )

To avoid using multiple posts with copy and paste, you have to attach the logs:
Lower left corner: Additional Options > Attach (Malwarebytes log / OTS log). Save the OTS log as ANSI.

Essexboy will look at the logs when he arrives here later today… usually 8:00am - 11:59am UK time.

I’ll give it a try, thanks.

It may be similar to this case, where it is gone but still detected.

Read this, where Essexboy explains: reply #5 http://forum.avast.com/index.php?topic=76965.0

Are your avast warnings gone?

Essexboy is notified…

Notice the difference between the two reports

10:16:08.093 Disk 0 Vendor: ST9160310AS 0303 Size: 152627MB BusType: 3
10:16:10.093 Disk 0 MBR read successfully
10:16:10.093 Disk 0 MBR scan
10:16:10.093 Disk 0 MBR hidden
10:16:12.093 Disk 0 scanning sectors +312576705
10:16:12.125 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:16:12.125 Disk 0 PE file @ sector 312576730 !
10:16:12.140 **Disk 0 MBR [Win32:MBRoot] ROOTKIT**
10:16:12.140 Disk 0 trace - called modules:

Prior to the fixmbr

10:51:55.468 Disk 0 MBR read successfully
10:51:55.468 **Disk 0 MBR scan**
10:51:57.468 Disk 0 scanning sectors +312576705
10:51:57.515 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:51:57.515 Disk 0 PE file @ sector 312576730 !
10:51:57.515 Disk 0 scanning C:\WINDOWS\system32\drivers
10:52:07.968 Service scanning
10:52:09.187 Disk 0 trace - called modules:

After fix mbr

The infection has gone but the backup (inactive) copy remains
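The comparison Essexboy draws above (an active rootkit shows "MBR hidden", a ROOTKIT verdict and an unknown module in the driver call trace; after FIX MBR only the sector detections of the inactive backup copy remain) can be turned into a small triage routine over aswMBR logs. This is an added example, not code from the thread or from aswMBR; the two log excerpts are constructed from the lines quoted in this topic, and the line patterns it matches are assumed from those quoted lines only.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed excerpts of the two logs quoted in the thread (trimmed to the relevant lines).
BEFORE_FIX = """\
10:16:10.093 Disk 0 MBR read successfully
10:16:10.093 Disk 0 MBR scan
10:16:10.093 Disk 0 MBR hidden
10:16:12.125 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:16:12.125 Disk 0 PE file @ sector 312576730 !
10:16:12.140 Disk 0 MBR [Win32:MBRoot] ROOTKIT
10:16:12.140 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x85e14aee]<<
"""
AFTER_FIX = """\
10:51:55.468 Disk 0 MBR read successfully
10:51:55.468 Disk 0 MBR scan
10:51:57.515 Disk 0 malicious Win32:MBRoot code @ sector 312576708 !
10:51:57.515 Disk 0 PE file @ sector 312576730 !
10:52:09.437 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
"""

# Patterns assumed from the quoted log lines, not from aswMBR documentation.
SECTOR_RE = re.compile(r"(malicious \S+ code|PE file) @ sector (\d+)")
VERDICT_RE = re.compile(r"MBR \[(\S+)\] ROOTKIT")


@dataclass
class Triage:
    mbr_hidden: bool = False                 # MBR read by the driver differs from the one on disk
    rootkit_verdict: Optional[str] = None    # detection name from the "MBR [...] ROOTKIT" line
    unknown_hook: bool = False               # unlisted module in the disk I/O call trace
    sector_hits: List[Tuple[str, int]] = field(default_factory=list)  # code stored in raw sectors

    @property
    def verdict(self) -> str:
        # Any sign that the rootkit is hooking live disk I/O means it is still active.
        if self.mbr_hidden or self.rootkit_verdict or self.unknown_hook:
            return "active"
        # Raw-sector hits alone are the inactive backup copy left behind after FIX MBR.
        return "residual" if self.sector_hits else "clean"


def triage(log: str) -> Triage:
    t = Triage()
    for line in log.splitlines():
        if "MBR hidden" in line:
            t.mbr_hidden = True
        if ">>UNKNOWN" in line:
            t.unknown_hook = True
        m = VERDICT_RE.search(line)
        if m:
            t.rootkit_verdict = m.group(1)
        m = SECTOR_RE.search(line)
        if m:
            t.sector_hits.append((m.group(1), int(m.group(2))))
    return t
```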

Allow me to update you on the issue.

I was following the information given by Essexboy (http://forum.avast.com/index.php?topic=53253.0), as follows:

  1. I have installed Malwarebytes’ Anti-Malware.

  2. I ran it.

  3. It found no viruses in MBR, but found one in a completely different file, an executable downloaded from the internet.

  4. I have removed the infected executable file by Malwarebytes’ Anti-Malware.

  5. And that was it, the virus in MBR is now also gone. I checked it several times with avast! Internet Security and Malwarebytes’ Anti-Malware.

I don’t understand what really happened, but I guess that the infected executable file was contaminating my MBR. The trouble is, avast couldn’t find this file, and was repairing MBR only. I could be wrong.

Anyhow, my system seems to be clean now.

Thanks again to Pondus and Essexboy :slight_smile:

I still recommend you follow the suggestion in reply #6 so Essexboy can confirm that everything is OK.

Malwarebytes is not geared for MBR infections - it may indicate TDSS variants though. You must bear in mind that MBAM complements Avast inasmuch as it looks for known file names as opposed to signatures and behaviour, which is Avast's forte. The packing and disguising of malware now is an art as the race between AV programmers and malware programmers hots up.

Did you upload the dropper file to Avast for inclusion and analysis ?