sinowal@mbr[rtk] I need help to remove it...

Hello,

I have the problem with sinowal@mbr[rtk] as well. I did MBAM (it has found and removed 13 items) and OTS (logs are attached below). I have downloaded ComboFix. Should I proceed further with ComboFix? I would like to know an expert opinion.

Thanks.

when asking for help you should start your own topic and not post inside someone else's old topic…

Hi,

This is the log you asked me for. Yes, I shouldn't have written in this topic. Sorry for that.

01:29:41.218 Disk 0 malicious Win32:MBRoot code @ sector 195366468 !
01:29:41.218 Disk 0 PE file @ sector 195366490 !
01:29:41.218 Disk 0 MBR [Win32:MBRoot] **ROOTKIT**
  • Scan again, when done click “Fix mbr” and reboot
  • Scan again, click "Save log" and post the new log

OK, but there is one more problem. After I do a scan, the "FixMBR" option is disabled.

OK, then you click the "FIX" button

The new log is:

02:05:38.828 Infection fixed successfully - please reboot ASAP
Is this after you have done a reboot and a new scan?

No, but this one is after reboot.

02:13:48.984 Disk 0 malicious Win32:MBRoot code @ sector 195366468 !
Sorry, it looks as if it is still there :'(

well, run OTS, post a new log, come back tomorrow and Essexboy will remove it for you

I will notify him now, he is usually in here from 8:00pm - 11:59pm UK time

OK. So I will wait until tomorrow (especially as it's quite late out here, 2:21AM).
Thank you for your help and good night.

Hi ;D

Go to Start >> Run >> copy/paste the bolded text below >> Press ENTER

mbr -f

Then a logfile (mbr.log) will be created (find it at C:\WINDOWS\mbr.log).

Once done then re-run aswMBR to see if it is still being reported

Hello,

Sorry I'm late.
I followed your instructions, but I couldn't find the log file, so I redirected the output to a file mbr.txt (attached to this post):
mbr -f >> c:\mbr.txt
and after that I ran aswMBR (log is attached too).
And now, after scanning, the FixMBR option is active.

On completion of this, can you let me know if you are still getting alerts?

Re-Run aswMBR

Click Scan

On completion of the scan

Click the FIXMBR Button

http://i1224.photobucket.com/albums/ee362/Essexboy3/aswmbrwhistler-1.gif

Save the log as before and post in your next reply

It looks like it's still out there. What I did:

  1. FixMBR
  2. Save Log (aswMBR4.txt)
  3. Scan
  4. Save Log (aswMBR5.txt)
  5. Reboot and scan
  6. Save Log (aswMBR6.txt)

May I ask you a question?
Before I did the Fix command (as Pondus said yesterday), there was a line in red in the aswMBR logs:
02:05:33.359 Disk 0 MBR [Win32:MBRoot] ROOTKIT
and after I'd done the Fix there is no such line.

So is it still infected?

What we are seeing now is a copy of the MBR malware at this location:

06:52:53.234 Disk 0 malicious Win32:MBRoot code @ sector 195366468 !
So it is no longer active as such.

Is Avast still alerting on it?

The MBR itself is nice and sound now.
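The distinction Essexboy draws above (the MBR at sector 0 is clean, while a copy of the malicious code remains in a data sector elsewhere on the disk) is easier to follow with the MBR layout in front of you. The script below is an added example written for this thread, not code from aswMBR, the mbr tool or any poster: it parses a 512-byte MBR (boot code, disk signature, the four partition entries, the 0x55AA trailer), hashes the boot code so it can be compared against a previously saved baseline, and checks whether a reported sector number falls inside any partition. The sample MBR, its partition layout, its disk signature and the boot-code bytes are all constructed here; the only value taken from the thread is the reported sector 195366468, used purely to show the containment check.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot code
DISK_SIG_OFFSET = 440         # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 must hold this trailer

# One partition entry: status, CHS start, type, CHS end, LBA start, sector count
PART_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector):
    """Parse a raw 512-byte MBR sector into its fields."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _chs_s, ptype, _chs_e, lba_start, count = PART_ENTRY.unpack_from(sector, off)
        if ptype == 0 and count == 0:
            continue  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "lba_end": lba_start + count - 1,
        })
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        # Hash of the boot code only: compare it with a baseline taken from a known-good state
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFFSET)[0],
        "partitions": partitions,
    }


def partition_containing(partitions, lba):
    """Return the index of the partition holding LBA `lba`, or None if it lies outside all of them."""
    for p in partitions:
        if p["lba_start"] <= lba <= p["lba_end"]:
            return p["index"]
    return None


def boot_code_changed(baseline_sector, current_sector):
    """True if the boot code (first 440 bytes) differs from the saved baseline."""
    return baseline_sector[:BOOT_CODE_LEN] != current_sector[:BOOT_CODE_LEN]


def build_sample_mbr(boot_code=b""):
    """Construct a sample MBR (not from any real disk): one NTFS partition from LBA 63 to 195366399."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[:len(boot_code)] = boot_code
    struct.pack_into("<I", mbr, DISK_SIG_OFFSET, 0xDEADBEEF)  # constructed disk signature
    entry = PART_ENTRY.pack(0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 195366400 - 63)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + 16] = entry
    mbr[510:512] = BOOT_SIGNATURE
    return bytes(mbr)


if __name__ == "__main__":
    baseline = build_sample_mbr(b"\x33\xc0\x8e\xd0")  # hypothetical clean boot-code bytes
    info = parse_mbr(baseline)
    print("trailer ok:", info["signature_ok"])
    print("boot code sha256:", info["boot_code_sha256"])
    for p in info["partitions"]:
        print("partition %d: LBA %d..%d type 0x%02x" % (p["index"], p["lba_start"], p["lba_end"], p["type"]))
    reported = 195366468  # sector number reported in the thread
    print("sector %d inside partition:" % reported, partition_containing(info["partitions"], reported))
    print("boot code changed vs baseline:", boot_code_changed(baseline, build_sample_mbr(b"\xeb\xfe")))
```

On a real machine the 512 bytes come from a raw read of the first sector of the physical disk (on Windows, opening `\\.\PhysicalDrive0` requires administrator rights); saving that sector while the system is known clean gives the baseline that `boot_code_changed` compares against. In the constructed layout the reported sector lies beyond the last partition, which is how a leftover copy can sit on the disk without being referenced by the boot path.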

No, Avast! hasn't alerted about it since yesterday and the computer works completely fine.
I hope that's it, but I'm still concerned about this malicious code in the MBR.

Thank you very much, Essexboy and Pondus.

P.S. Maybe fixmbr from windows xp recovery console would help?

It is inactive and, to be honest, the only way to clear that would be to format the drive - which may be a bit of an overkill.

OK. That sounds reasonable to me. :wink:

Run OTS and hit the cleanup button to remove it and just delete aswMBR from the desktop ;D