Unfortunately, as this is a MBR virus, there is no file I can upload for evidence. A false positive is unlikely, as there shouldn’t be anything lurking in the MBR. So the mere presence of anything is suspect.
I did a complete scan with Avast, and was unable to find the file that caused the infection. Given how nasty Sinowal/MBRoot is, I hope you can catch it.
Meanwhile I manually downloaded MRT and I’m running a full scan (I think the scan during Windows Updates is a quick scan). Will report what it finds.
OK, I booted into recovery console and did a FIXMBR on all my drives.
What’s frustrating is that even right after doing this, FIXMBR still says, “Caution This computer appears to have a non-standard or invalid master boot record”. What’s up with that??!?!
In any event… a full MRT scan comes up clean. So does an AVAST rootkits (full) scan.
Be that as it may, if you can recommend another rootkit scanner as a 3rd opinion, it would put my mind at ease.
Has Avast checked their signatures to see if what MRT initially reported … Trojan:DOS/Sinowal.G … is being caught by you guys now?
- Download TDSSKiller and save it to your Desktop.
- Extract its contents to your desktop.
- Once extracted, open the TDSSKiller folder and double-click on TDSSKiller.exe to run the application, then on Start Scan.
- If no reboot is required, click on Report. A log file should appear. Please copy and paste the contents of that file here.
- If a reboot is required, the report can also be found in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version][Date][Time]_log.txt". Please copy and paste the contents of that file here.
I noticed that aswmbr reports that I have 2 disks, yet it scans the MBR only on disk 0.
MRT originally reported that it found the infected MBR on disk 1.
Question:
Is there a way to get aswmbr to scan the MBR on disk 1?
Is the code in the MBR on disks 1+ ever executed? Because one of the “features” of Sinowal/MBRoot is that it infects the first 16 disks connected to the system, including flash drives.
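The post above asks how to look at the MBR on disks other than disk 0. With legacy BIOS boot only the MBR of the disk the firmware boots from is executed, but a bootkit that writes to every attached disk leaves its code on the others as well, so each disk's sector 0 is worth dumping and comparing. The following is an added example written for this page; it is not code from the thread, from Avast, or from any of the scanners mentioned. It parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the boot code so it can be compared across disks or against a known-good dump, and flags structural anomalies. The `\\.\PhysicalDriveN` device paths, the 16-disk loop, and the constructed sample MBR are assumptions made for the example; reading the physical devices works only on Windows with Administrator rights.

```python
"""Dump and sanity-check the Master Boot Record of each physical disk.

Added example for this page, not code from the thread or from any scanner it
mentions.  Assumes the classic MBR layout: 446 bytes of boot code, four
16-byte partition entries at offset 446, and the 0x55AA signature at 510.
"""
import hashlib
import struct
from typing import Dict, List, Optional, Tuple

SECTOR = 512
BOOT_CODE_LEN = 446
SIGNATURE = b"\x55\xaa"

# Constructed sample input (not a real disk dump): a few plausible x86
# bootstrap bytes and one active NTFS partition starting at LBA 2048.
SAMPLE_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8b\xf4\x50\x07\x50\x1f\xfb"
SAMPLE_ENTRIES = [(True, 0x07, 2048, 204800)]   # (active, type, lba_start, sectors)


def parse_partitions(table: bytes) -> List[Dict]:
    """Decode the four partition entries: status, type, LBA start, sector count."""
    parts = []
    for i in range(4):
        # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4)
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", table, 16 * i)
        parts.append({"index": i, "active": status == 0x80, "status": status,
                      "type": ptype, "lba_start": lba, "sectors": count})
    return parts


def analyse_mbr(mbr: bytes) -> Dict:
    """Return the boot-code hash, the partition table and a list of warnings."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR, len(mbr)))
    boot_code = mbr[:BOOT_CODE_LEN]
    parts = parse_partitions(mbr[BOOT_CODE_LEN:BOOT_CODE_LEN + 64])
    warnings = []
    if mbr[510:512] != SIGNATURE:
        warnings.append("missing 0x55AA boot signature")
    if not any(boot_code):
        warnings.append("boot code area is all zero (no bootstrap present)")
    if sum(1 for p in parts if p["active"]) > 1:
        warnings.append("more than one partition flagged active")
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            warnings.append("entry %d has invalid status byte 0x%02x" % (p["index"], p["status"]))
        if p["type"] == 0 and (p["lba_start"] or p["sectors"] or p["status"]):
            warnings.append("entry %d is type 0 but not blank" % p["index"])
    used = sorted((p for p in parts if p["type"] and p["sectors"]), key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            warnings.append("entries %d and %d overlap" % (a["index"], b["index"]))
    return {"boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
            "partitions": parts, "warnings": warnings}


def build_sample_mbr(boot_code: bytes, entries: List[Tuple[bool, int, int, int]],
                     signed: bool = True) -> bytes:
    """Assemble a constructed MBR for testing from boot code and partition tuples."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if act else 0, t, lba, n)
                     for act, t, lba, n in entries).ljust(64, b"\x00")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    return code + table + (SIGNATURE if signed else b"\x00\x00")


def read_physical_mbr(disk_index: int) -> Optional[bytes]:
    """Read sector 0 of \\.\PhysicalDriveN (Windows, Administrator required).

    Returns None when the device cannot be opened, e.g. there is no such disk.
    """
    path = r"\\.\PhysicalDrive%d" % disk_index
    try:
        with open(path, "rb") as f:
            return f.read(SECTOR)
    except OSError:
        return None


if __name__ == "__main__":
    # Walk the first 16 disks, the range the post says Sinowal/MBRoot touches.
    for n in range(16):
        mbr = read_physical_mbr(n)
        if mbr is None:
            continue
        result = analyse_mbr(mbr)
        print("disk %d boot code sha256=%s" % (n, result["boot_code_sha256"]))
        for p in result["partitions"]:
            if p["type"]:
                print("  entry %d type 0x%02x lba %d sectors %d%s"
                      % (p["index"], p["type"], p["lba_start"], p["sectors"],
                         " (active)" if p["active"] else ""))
        for w in result["warnings"]:
            print("  WARNING:", w)
```

The hash does not by itself say whether a boot sector is clean; its value is in comparison: the same code on every disk after a FIXMBR on only one of them, or a hash that differs from a dump taken from a known-good machine of the same Windows version, is the kind of discrepancy to follow up with a dedicated scanner.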
There’s no need to download MRT a second time. After it has been installed by Windows Update, just go to Start, Run, type MRT, click OK, and you can run it any time.
- Be sure to disable your security programs.
- Double-click on the file to run it (Vista and Windows 7 users will have to confirm the UAC prompt).
- A window similar to this should open on your desktop:
- If you are prompted with options, enter N at the prompt and press Enter.
- Press Enter again.
- A .txt file named MBRCheck_mm.dd.yy_hh.mm.ss should appear on your desktop. Please post the contents of that file.