I googled “Win32:MBRoot code” and came across a very recent thread (Cannolo and EssexBoy) in this forum.
Here’s my story: I had a Sinowal/Mebroot infection a few days ago which was cleaned (not sure if completely?) with help from another forum. Then, just today, I scanned with aswMBR, and it shows the “malicious Win32…” line. This line also shows up on a GMER scan. I am concerned as to whether the rootkit re-spawned itself or if this is an inactive copy of the malware… I’m worried after reading about how nasty Sinowal is. I’m just an ordinary user, so any help/advice is greatly appreciated - thanks. aswMBR log:
aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-24 10:59:47
10:59:47.655 OS Version: Windows 6.0.6001 Service Pack 1
10:59:47.655 Number of processors: 2 586 0x170A
10:59:47.656 ComputerName: MW-PC UserName:
10:59:49.097 Initialize success
10:59:57.039 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
10:59:57.041 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
10:59:57.439 Disk 0 MBR read successfully
10:59:57.442 Disk 0 MBR scan
10:59:57.590 Disk 0 scanning sectors +625140400
10:59:57.867 Disk 0 malicious Win32:MBRoot code @ sector 625140403 !
10:59:57.951 Disk 0 PE file @ sector 625140425 !
10:59:58.027 Disk 0 scanning C:\Windows\system32\drivers
11:01:13.504 Service scanning
11:01:14.628 Disk 0 trace - called modules:
11:01:14.760 ntkrnlpa.exe CLASSPNP.SYS disk.sys iastor.sys hal.dll dxgkrnl.sys igdkmd32.sys watchdog.sys rdbss.sys
11:01:14.764 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x85d1fac8]
11:01:14.768 3 CLASSPNP.SYS[8b3a7745] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0x852d2028]
11:01:14.771 Scan finished successfully
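A small triage helper for logs like the one above, added here as an example (not part of the thread or of aswMBR itself): it parses the disk-size and finding lines and works out how far each flagged sector sits from the end of the disk, since a payload parked in the last sectors, outside any partition, is the pattern a bootkit remnant leaves. It assumes 512-byte sectors, that aswMBR's "MB" means MiB, and a "near the end" threshold of 4096 sectors; all three are assumptions.

```python
import re

# Constructed sample: the relevant lines from the aswMBR log quoted above.
SAMPLE_LOG = """\
10:59:57.041 Disk 0 Vendor: WDC_WD32 11.0 Size: 305245MB BusType: 3
10:59:57.590 Disk 0 scanning sectors +625140400
10:59:57.867 Disk 0 malicious Win32:MBRoot code @ sector 625140403 !
10:59:57.951 Disk 0 PE file @ sector 625140425 !
11:01:14.771 Scan finished successfully
"""

SECTOR_BYTES = 512          # assumption: 512-byte logical sectors
NEAR_END_SECTORS = 4096     # assumption: flag findings in the last 2 MiB
SIZE_RE = re.compile(r"Disk (\d+) Vendor: .*? Size: (\d+)MB")
FINDING_RE = re.compile(r"Disk (\d+) (malicious .+? code|PE file) @ sector (\d+) !")


def parse_aswmbr(log: str) -> dict:
    """Return {disk: {"size_mb": int, "findings": [(kind, sector), ...]}}."""
    disks = {}
    for line in log.splitlines():
        m = SIZE_RE.search(line)
        if m:
            disks.setdefault(m.group(1), {"findings": []})["size_mb"] = int(m.group(2))
            continue
        m = FINDING_RE.search(line)
        if m:
            entry = disks.setdefault(m.group(1), {"findings": []})
            entry["findings"].append((m.group(2), int(m.group(3))))
    return disks


def triage(disks: dict) -> list:
    """For every finding, compute its distance from the end of its disk."""
    results = []
    for disk, info in disks.items():
        # "Size: 305245MB" is read as MiB (assumption), then converted to sectors.
        total_sectors = info["size_mb"] * 1024 * 1024 // SECTOR_BYTES
        for kind, sector in info["findings"]:
            from_end = total_sectors - sector
            results.append({
                "disk": disk, "kind": kind, "sector": sector,
                "sectors_from_end": from_end,
                "near_disk_end": 0 <= from_end < NEAR_END_SECTORS,
            })
    return results


if __name__ == "__main__":
    for r in triage(parse_aswmbr(SAMPLE_LOG)):
        print(r)
```

For the quoted log both findings land about 1,350 sectors before the end of the 305245MB disk, which is why the scanner was looking at "sectors +625140400" in the first place.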
Lately, while surfing the internet, I would notice my browser stalling for 30-60 seconds before resuming. I never experienced this before the Sinowal/Mebroot infection. Perhaps it’s something else. So I guess this inert bootkit remnant is harmless?
The reason I’m paranoid is that after Combofix removed the bug 2 days ago, I immediately ran GMER and it did not show those lines. But after I manually uninstalled and deleted some suspicious files from my computer, those lines reappeared in subsequent GMER scans. I also ran DDS, and it showed some files created at around the date/time of my uninstallation, e.g. sed.exe, MBR.exe, PEV.exe, SWREG.exe (all in C:\windows). Are these harmless items that have nothing to do with the bug?
Hope it’s just the paranoia… :-\ In any case, thanks for responding so quickly!
Nice to know that it’s finally gone. Time to change all my passwords! (The slow performance must be due to poor maintenance of my system rather than any malware.)
Thank you so much for putting my mind at ease. You guys here are awesome.
Try this to clear some of the junk and then run a quick defrag.
Clear Cache/Temp Files
Download TFC by OldTimer to your desktop
1. Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
2. It will close all programs when run, so make sure you have saved all your work before you begin.
3. Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
4. Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.