malicious Win32:MBRoot code (sinowal/mebroot)

Hi,

I googled “Win32:MBRoot code” and came across a very recent thread (Cannolo and EssexBoy) in this forum.

Here’s my story: I had a Sinowal/Mebroot infection a few days ago which was cleaned (not sure if completely?) with help from another forum. Then, just today, I scanned with aswMBR, and it shows the “malicious Win32…” line. This line also shows up on a GMER scan. I am concerned as to whether the rootkit re-spawned itself or if this is an inactive copy of the malware… I’m worried after reading about how nasty Sinowal is. I’m just an ordinary user, so any help/advice is greatly appreciated - thanks. aswMBR log:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-24 10:59:47

10:59:47.655 OS Version: Windows 6.0.6001 Service Pack 1
10:59:47.655 Number of processors: 2 586 0x170A
10:59:47.656 ComputerName: MW-PC UserName:
10:59:49.097 Initialize success
10:59:57.039 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
10:59:57.041 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
10:59:57.439 Disk 0 MBR read successfully
10:59:57.442 Disk 0 MBR scan
10:59:57.590 Disk 0 scanning sectors +625140400
10:59:57.867 Disk 0 malicious Win32:MBRoot code @ sector 625140403 !
10:59:57.951 Disk 0 PE file @ sector 625140425 !
10:59:58.027 Disk 0 scanning C:\Windows\system32\drivers
11:01:13.504 Service scanning
11:01:14.628 Disk 0 trace - called modules:
11:01:14.760 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll dxgkrnl.sys igdkmd32.sys watchdog.sys rdbss.sys
11:01:14.764 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85d1fac8]
11:01:14.768 3 CLASSPNP.SYS[8b3a7745] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x852d2028]
11:01:14.771 Scan finished successfully

try this

  • scan again, the click “FIX MBR” and reboot
  • after reboot, scan again and click “save log” and post it in your next reply

Ok, I’ve done the above. The two lines with “!” are still there. Here’s the new log:

Run date: 2011-04-24 11:42:10

11:42:10.143 OS Version: Windows 6.0.6001 Service Pack 1
11:42:10.143 Number of processors: 2 586 0x170A
11:42:10.143 ComputerName: MW-PC UserName:
11:42:11.376 Initialize success
11:42:15.104 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
11:42:15.104 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
11:42:15.135 Disk 0 MBR read successfully
11:42:15.135 Disk 0 MBR scan
11:42:15.151 Disk 0 scanning sectors +625140400
11:42:15.198 Disk 0 malicious Win32:MBRoot code @ sector 625140403 !
11:42:15.213 Disk 0 PE file @ sector 625140425 !
11:42:15.213 Disk 0 scanning C:\Windows\system32\drivers
11:42:23.372 Service scanning
11:42:24.589 Disk 0 trace - called modules:
11:42:24.605 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll
11:42:24.605 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85d160d8]
11:42:24.620 3 CLASSPNP.SYS[8b3aa745] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x852cf028]
11:42:24.620 Scan finished successfully

OK, you need something stronger to kill this…

Essexboy is notified and will arrive soon… :wink:

Thank you, I’ll wait for him :slight_smile:

Hi, the MBR bootkit is gone; however, this is a backup copy. At the moment there is no way to remove it, but it is inert:

Disk 0 malicious Win32:MBRoot code @ sector 625140403 !

Are you experiencing any problems?
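
The two logs above show why this reads as an inert leftover rather than a live infection: FIX MBR rewrites sector 0, but both flagged sectors sit roughly 1,350 sectors before the end of a 305245 MB disk, in the unpartitioned tail where Mebroot keeps its driver body, and they are byte-for-byte the same findings before and after the fix. The script below is an added example written for this page; it is not part of the thread and not aswMBR's code. It re-parses constructed excerpts of the two posted logs, derives the sector count from aswMBR's MB figure (assuming 512-byte sectors), and reports every finding that survived FIX MBR together with its distance from the end of the disk. The tail window and the pre-partition boundary are heuristics chosen here, not partition-table facts.

```python
"""Triage aswMBR sector findings by where they sit on the disk."""
import re

SECTOR_BYTES = 512   # assumption: 512-byte logical sectors, as aswMBR's MB figure implies
TAIL_WINDOW = 4096   # assumption: anything within the last 2 MiB counts as the disk "tail"

# Constructed excerpts of the two logs quoted in the thread (size and sectors as posted).
LOG_BEFORE_FIX = r"""
10:59:57.041 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
10:59:57.439 Disk 0 MBR read successfully
10:59:57.442 Disk 0 MBR scan
10:59:57.590 Disk 0 scanning sectors +625140400
10:59:57.867 Disk 0 malicious Win32:MBRoot code @ sector 625140403 !
10:59:57.951 Disk 0 PE file @ sector 625140425 !
10:59:58.027 Disk 0 scanning C:\Windows\system32\drivers
"""

LOG_AFTER_FIX = r"""
11:42:15.104 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
11:42:15.135 Disk 0 MBR read successfully
11:42:15.135 Disk 0 MBR scan
11:42:15.151 Disk 0 scanning sectors +625140400
11:42:15.198 Disk 0 malicious Win32:MBRoot code @ sector 625140403 !
11:42:15.213 Disk 0 PE file @ sector 625140425 !
11:42:15.213 Disk 0 scanning C:\Windows\system32\drivers
"""

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .*? Size: (\d+)MB")
SCAN_RE = re.compile(r"Disk (\d+) scanning sectors \+(\d+)")
FIND_RE = re.compile(r"Disk (\d+) (.+?) @ sector (\d+) !$", re.MULTILINE)


def parse_log(text):
    """Return disk size (MB), derived sector count, tail-scan start and flagged (kind, sector) pairs."""
    size_mb = int(SIZE_RE.search(text).group(2))
    total_sectors = size_mb * 1024 * 1024 // SECTOR_BYTES
    scan_start = int(SCAN_RE.search(text).group(2))
    findings = [(kind, int(sector)) for _disk, kind, sector in FIND_RE.findall(text)]
    return {"size_mb": size_mb, "total_sectors": total_sectors,
            "scan_start": scan_start, "findings": findings}


def sectors_from_end(sector, total_sectors):
    """Distance from the flagged sector to the last sector of the disk."""
    return total_sectors - sector


def classify(sector, total_sectors):
    """Rough location label; the boundaries are heuristics, not partition-table facts."""
    if sector == 0:
        return "MBR (sector 0)"
    if sector < 2048:
        return "gap before first partition"
    if sectors_from_end(sector, total_sectors) <= TAIL_WINDOW:
        return "unpartitioned tail of the disk"
    return "inside the partitioned area"


def compare_scans(before, after):
    """Findings present in both scans were not stored in the MBR that FIX MBR rewrote."""
    survivors = set(before["findings"]) & set(after["findings"])
    return sorted(survivors, key=lambda f: f[1])


def triage(before_text, after_text):
    """One report row per finding that survived FIX MBR, with its position on the disk."""
    before, after = parse_log(before_text), parse_log(after_text)
    total = after["total_sectors"]
    return [{
        "kind": kind,
        "sector": sector,
        "location": classify(sector, total),
        "kib_from_end": sectors_from_end(sector, total) * SECTOR_BYTES // 1024,
        "survived_fix_mbr": True,
    } for kind, sector in compare_scans(before, after)]


if __name__ == "__main__":
    for row in triage(LOG_BEFORE_FIX, LOG_AFTER_FIX):
        print(row)
```

Run against the two posted logs, both findings land in the unpartitioned tail, about 678 KiB and 667 KiB before the end of the disk, and both are unchanged after FIX MBR. That is the pattern to expect when the MBR loader has been replaced but the stored body has not: the body only matters if something in the boot path still points to it.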

Hi.

Lately, while surfing the internet, I would notice my browser stalling for 30-60 seconds before resuming. I never experienced this before the Sinowal/Mebroot infection. Perhaps it’s something else. So I guess this inert bootkit remnant is harmless?

The reason why I’m paranoid is because after Combofix removed the bug 2 days ago, I immediately ran GMER and it did not show those lines. But after I manually uninstalled and deleted some suspicious files from my computer, those lines reappeared in subsequent GMER scans. I also ran DDS, and it showed some files created at around the date/time of my uninstallation, e.g. sed.exe, MBR.exe, PEV.exe, SWREG.exe (all in C:\windows). Are these harmless items that have nothing to do with the bug?

Hope it’s just the paranoia… :-\ In any case, thanks for responding so quickly!

sed.exe, MBR.exe, PEV.exe, SWREG.exe
Used by ComboFix. If you wish, I could check it out.

Part of the DDS log below (can’t post the whole thing; exceeded maximum allowed length). I also ran Combofix last night, with no additional deletions.

=============== Created Last 30 ================
.
2011-04-24 03:49:26 -------- d-----w- c:\users\julian\appdata\local\temp
2011-04-24 03:42:51 -------- d-sh--w- C:\$RECYCLE.BIN
2011-04-23 19:24:34 229376 ----a-w- c:\windows\system32\PuranDefragS.exe
2011-04-23 19:24:34 221184 ----a-w- c:\windows\system32\PuranDC.exe
2011-04-23 19:24:34 212992 ----a-w- c:\windows\system32\PuranDefrag.dll
2011-04-23 19:24:34 1110016 ----a-w- c:\windows\system32\PuranFD.exe
2011-04-23 19:24:34 107008 ----a-w- c:\windows\system32\PuranDefragBT.exe
2011-04-23 19:24:34 -------- d-----w- c:\program files\Puran Defrag
2011-04-23 18:22:19 472808 ----a-w- c:\windows\system32\deployJava1.dll
2011-04-23 18:22:19 472808 ----a-w- c:\program files\mozilla firefox\plugins\npdeployJava1.dll
2011-04-23 02:41:10 100480 ----a-w- C:\pxldypoc.sys
2011-04-22 17:49:44 98816 ----a-w- c:\windows\sed.exe
2011-04-22 17:49:44 89088 ----a-w- c:\windows\MBR.exe
2011-04-22 17:49:44 256512 ----a-w- c:\windows\PEV.exe
2011-04-22 17:49:44 161792 ----a-w- c:\windows\SWREG.exe
2011-04-10 09:39:26 -------- d-----w- c:\program files\SwissSys 8
2011-04-05 03:29:08 528384 ----a-w- c:\progra~2\microsoft\windows\start menu\programs\chess vision trainer\CVision.exe
2011-03-26 22:30:00 781272 ----a-w- c:\program files\mozilla firefox\mozsqlite3.dll
2011-03-26 22:30:00 728024 ----a-w- c:\program files\mozilla firefox\libGLESv2.dll
2011-03-26 22:30:00 1975768 ----a-w- c:\program files\mozilla firefox\D3DCompiler_42.dll
2011-03-26 22:30:00 1893336 ----a-w- c:\program files\mozilla firefox\d3dx9_42.dll
2011-03-26 22:30:00 1874904 ----a-w- c:\program files\mozilla firefox\mozjs.dll
2011-03-26 22:30:00 15832 ----a-w- c:\program files\mozilla firefox\mozalloc.dll
2011-03-26 22:30:00 142296 ----a-w- c:\program files\mozilla firefox\libEGL.dll
2011-03-26 22:30:00 142296 ----a-w- c:\program files\mozilla firefox\components\browsercomps.dll
.
==================== Find3M ====================
.
2011-03-10 16:12:54 1161728 ----a-w- c:\windows\system32\mfc42u.dll
2011-03-10 16:12:54 1136640 ----a-w- c:\windows\system32\mfc42.dll
2011-03-03 15:00:15 738816 ----a-w- c:\windows\system32\inetcomm.dll
2011-03-03 12:53:48 2040832 ----a-w- c:\windows\system32\win32k.sys
2011-03-02 14:49:43 86528 ----a-w- c:\windows\system32\dnsrslvr.dll
2011-02-18 15:48:42 833024 ----a-w- c:\windows\system32\wininet.dll
2011-02-18 15:45:02 78336 ----a-w- c:\windows\system32\ieencode.dll
2011-02-18 14:09:54 389632 ----a-w- c:\windows\system32\html.iec
2011-02-18 13:48:10 1383424 ----a-w- c:\windows\system32\mshtml.tlb
2011-02-16 15:35:41 430080 ----a-w- c:\windows\system32\vbscript.dll
2011-02-16 15:29:56 34304 ----a-w- c:\windows\system32\atmlib.dll
2011-02-16 13:24:56 292864 ----a-w- c:\windows\system32\atmfd.dll
2011-02-03 01:11:20 222080 ------w- c:\windows\system32\MpSigStub.exe
.
============= FINISH: 21:39:44.65 ===============

Could you attach the ComboFix log, please?

Bottom left Additional options to attach a file ;D

Here’s the ComboFix log. (Didn’t even notice Additional Options ;D )

Nothing untoward showing there. Avast can cure some MBR bootkits from the boot scan.

But no apparent problems?

Nice to know that it’s finally gone. Time to change all my passwords! (The slow performance must be due to poor maintenance of my system rather than any malware.)

Thank you so much for putting my mind at ease. You guys here are awesome. :slight_smile:

Try this to clear some of the junk and then run a quick defrag

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

  • Please double-click TFC.exe to run it. (Note: if you are running Vista, right-click on the file and choose Run As Administrator.)
  • It will close all programs when run, so make sure you have saved all your work before you begin.
  • Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
  • Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

OK, will do that. Thanks.

My pleasure - any problems let me know ;D