Win32:MBRoot

Hi, my avast free antivirus 6.0.100 advises me about a "\.\PHYSICALDRIVE…:MBROOT" on logon. I'm reading more solutions in this forum too, downloaded aswMBR.exe and everything is like this post: http://forum.avast.com/index.php?topic=71782.0
but the virus or rootkit always stays there… the log of aswMBR after FixMBR is:

aswMBR version 0.9.4 Copyright(c) 2011 AVAST Software
Run date: 2011-04-15 16:15:48

16:15:48.280 OS Version: Windows 5.1.2600 Service Pack 3
16:15:48.280 Number of processors: 1 586 0x701
16:15:48.280 ComputerName: ANGEL UserName:
16:15:49.592 Initialize success
16:15:54.109 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-4
16:15:54.129 Disk 0 Vendor: Maxtor_4D040H2 DAK019K0 Size: 39083MB BusType: 3
16:15:54.129 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP0T1L0-c
16:15:54.139 Disk 1 Vendor: Maxtor_4D040H2 DAH017K0 Size: 39083MB BusType: 3
16:15:56.172 Disk 0 MBR read successfully
16:15:56.172 Disk 0 MBR scan
16:15:58.185 Disk 0 scanning sectors +80035830
16:15:58.225 Disk 0 malicious Win32:MBRoot code @ sector 80035833 !
16:15:58.225 Disk 0 PE file @ sector 80035855 !
16:15:58.235 Disk 0 scanning C:\WINDOWS\system32\drivers
16:16:14.818 Service scanning
16:16:44.671 Disk 0 trace - called modules:
16:16:44.711 ntoskrnl.exe CLASSPNP.SYS disk.sys atapi.sys hal.dll viaidexp.sys
16:16:44.721 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x81b54030]
16:16:44.802 3 CLASSPNP.SYS[f9568fd7] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-4[0x81b09030]
16:16:44.802 Scan finished successfully

OS is Windows XP Home…

Can you help me? Thanks.

First TDSSKiller log is:

2011/04/15 16:03:34.0857 1400 TDSS rootkit removing tool 2.4.21.0 Mar 10 2011 12:26:28
2011/04/15 16:03:35.0107 1400 ================================================================================
2011/04/15 16:03:35.0107 1400 SystemInfo:
2011/04/15 16:03:35.0107 1400
2011/04/15 16:03:35.0107 1400 OS Version: 5.1.2600 ServicePack: 3.0
2011/04/15 16:03:35.0107 1400 Product type: Workstation
2011/04/15 16:03:35.0107 1400 ComputerName: ANGEL
2011/04/15 16:03:35.0117 1400 UserName: XXXXX
2011/04/15 16:03:35.0117 1400 Windows directory: C:\WINDOWS
2011/04/15 16:03:35.0117 1400 System windows directory: C:\WINDOWS
2011/04/15 16:03:35.0117 1400 Processor architecture: Intel x86
2011/04/15 16:03:35.0117 1400 Number of processors: 1
2011/04/15 16:03:35.0117 1400 Page size: 0x1000
2011/04/15 16:03:35.0117 1400 Boot type: Safe boot
2011/04/15 16:03:35.0117 1400 ================================================================================
2011/04/15 16:03:35.0718 1400 Initialize success
2011/04/15 16:03:40.0094 1416 ================================================================================
2011/04/15 16:03:40.0094 1416 Scan started
2011/04/15 16:03:40.0094 1416 Mode: Manual;
2011/04/15 16:03:40.0094 1416 ================================================================================

2011/04/15 16:05:30.0403 1416 \HardDisk0 - detected Backdoor.Win32.Sinowal.knf (0)
2011/04/15 16:05:30.0543 1416 \HardDisk1 - detected Backdoor.Win32.Sinowal.knf (0)
2011/04/15 16:05:30.0904 1416 ================================================================================
2011/04/15 16:05:30.0904 1416 Scan finished
2011/04/15 16:05:30.0904 1416 ================================================================================
2011/04/15 16:05:31.0014 1408 Detected object count: 2
2011/04/15 16:05:49.0020 1408 \HardDisk0 (Backdoor.Win32.Sinowal.knf) - will be cured after reboot
2011/04/15 16:05:49.0070 1408 \HardDisk0 - ok
2011/04/15 16:05:49.0070 1408 Backdoor.Win32.Sinowal.knf(\HardDisk0) - User select action: Cure
2011/04/15 16:05:49.0150 1408 \HardDisk1 (Backdoor.Win32.Sinowal.knf) - will be cured after reboot
2011/04/15 16:05:49.0190 1408 \HardDisk1 - ok
2011/04/15 16:05:49.0190 1408 Backdoor.Win32.Sinowal.knf(\HardDisk1) - User select action: Cure
2011/04/15 16:05:59.0635 1396 Deinitialize success

and avast still advises about Win32:MBRoot, and aswMBR too…

Does Avast still report the MBR infection? After the TDSSKiller run?

If so

Download ComboFix from one of these locations:

Link 1
Link 2

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Hi, I used ComboFix and after that aswMBR; the infection is still here… the log files are attached to the post, I hope so… :slight_smile:

Hi, did you set all your ports to be open?

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List] "3389:TCP"= 3389:TCP:Remote Desktop "65533:TCP"= 65533:TCP:Services "52344:TCP"= 52344:TCP:Services "6112:TCP"= 6112:TCP:Services "6479:TCP"= 6479:TCP:Services "6501:TCP"= 6501:TCP:Services etc.....
Also I believe that the MBR problem is on drive 1 - is that a bootable disk? As ComboFix only looks at the main drive and reports that clean.

No, there was a firewall with closed ports, but I think the settings went out because of the virus; now the firewall is down, however the PC is without ADSL so…, Windows mystery… Yes, disk 1 is bootable; OK, to clean it what can I do? :expressionless:

OK, could you boot to the other disk and run ComboFix from there? If there is Mebroot it should clear it, or you could use aswMBR from there.

I will formulate a fix to close those ports for you

Sorry, always the same logs, I looked at them carefully…
However Avast doesn't advise about the virus on \.\PHYSICALDRIVE0, but aswMBR does…
Thanks for the fix and the time that you spend on my problem; excuse my bad English, it isn't my language.
I think that I have to get used to living with this virus XD
Regards

No problem on the time or language

Could you run either aswMBR or ComboFix on drive 1 to see if that will cure it?

Yes, I've just done it with no result, or rather the same log as for the previous device… I had a problem on deactivation of avast at startup and I'll reinstall it. I'm sorry but I'm on another PC at this time, I can't put the log in this post, however it is the same as the first. :expressionless:

MBRoot code @ sector 80035833 !
Hi, I have just re-read the logs and what aswMBR is showing is a backup but inactive copy of the bootkit. At the moment the only way to remove it is to reformat the drive. However, it is inactive.

GMER is working on a way to remove this backup copy, but as yet does not have a viable removal cure.
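The helper's reading of the log above rests on where the flagged sector sits on the disk. The following is an added triage script (not aswMBR's or the forum's code) that parses the aswMBR lines quoted in this thread and places each hit either in the MBR itself (sector 0), in the last few MiB of the disk, or inside the partitioned area. It assumes 512-byte sectors and that aswMBR's "MB" figure is MiB, which is consistent with the log: 39083 MiB gives 80041984 sectors, so sector 80035833 lies about 3 MiB from the end of the disk.

```python
import re

SECTOR_BYTES = 512  # assumption: 512-byte sectors, and aswMBR's "MB" means MiB

# Constructed sample: the lines from this thread's aswMBR log that matter for triage
SAMPLE_LOG = """\
16:15:54.129 Disk 0 Vendor: Maxtor_4D040H2 DAK019K0 Size: 39083MB BusType: 3
16:15:54.139 Disk 1 Vendor: Maxtor_4D040H2 DAH017K0 Size: 39083MB BusType: 3
16:15:58.185 Disk 0 scanning sectors +80035830
16:15:58.225 Disk 0 malicious Win32:MBRoot code @ sector 80035833 !
16:15:58.225 Disk 0 PE file @ sector 80035855 !
"""

DISK_RE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
HIT_RE = re.compile(r"Disk (\d+) (malicious .*? code|PE file) @ sector (\d+)")


def parse_aswmbr(log_text):
    """Return ({disk_number: size_in_sectors}, [(disk, kind, sector), ...])."""
    sizes, hits = {}, []
    for line in log_text.splitlines():
        m = DISK_RE.search(line)
        if m:
            sizes[int(m.group(1))] = int(m.group(2)) * 1024 * 1024 // SECTOR_BYTES
            continue
        m = HIT_RE.search(line)
        if m:
            hits.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return sizes, hits


def classify_hits(log_text, tail_mb=16):
    """Place each flagged sector: the MBR (sector 0), the last `tail_mb` MiB of the
    disk (outside any normal partition), or somewhere inside the partitioned area."""
    sizes, hits = parse_aswmbr(log_text)
    tail_sectors = tail_mb * 1024 * 1024 // SECTOR_BYTES
    result = []
    for disk, kind, sector in hits:
        total = sizes.get(disk)
        if total is None:
            region = "unknown-disk"  # no Vendor/Size line seen for this disk
        elif sector == 0:
            region = "mbr"  # boot code itself is flagged: active infection
        elif sector >= total - tail_sectors:
            region = "end-of-disk"  # stored body, as in this thread's log
        else:
            region = "in-volume"
        result.append({"disk": disk, "kind": kind, "sector": sector, "region": region,
                       "sectors_from_end": None if total is None else total - sector})
    return result
```

Running `classify_hits(SAMPLE_LOG)` labels both hits "end-of-disk", 6151 and 6129 sectors from the end of disk 0, which is the location the helper above describes as the backup copy.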

OK, thank you, I'll do it as soon as possible :slight_smile:

;D