MBR Rootkit - removing the remnants?

Working on an XP Home box which was running slow, with nothing particularly showing up in the installed Avira.
Combofix removed some hidden processes but Gmer (or at least mbr) shows the following.

---------------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
---------------------------


Is this still an active problem or is it showing the mbr has been repaired?
Fixboot and fixmbr don't change the output.

How to tidy up the rogue code?
☠ MASQ ☠ Asked:
rpggamergirl Commented:
"Is this still an active problem or is it showing the mbr has been repaired?"
No, it's not an active problem... yes, it's showing that the MBR is fixed.


"How to tidy up the rogue code?"
The code is harmless but cannot be removed unless you reformat or delete the partition and create a new one.
 
ViRogues Commented:
Try using Malwarebytes Anti Malware. (http://www.malwarebytes.org/mbam.php)

It always keeps my computer safe from stuff like that.
 
edbedb Commented:
Don't bet the farm on this but it looks like the problems were found by reading the raw data from the hard drive. It is likely the remnants of an infection that has already been eradicated.
You might be able to get a clean scan by defragging the hard drive before the scan.
 
rpggamergirl Commented:
MBR is okay... nothing is wrong there... the output is okay.
 
☠ MASQ ☠ Author Commented:
Thanks - that's what I thought but I didn't want to leave the "Malicious Code Found @ ..." message appearing if there was a way of fixing it.
 
I guess Combofix has done its work again :)
 
☠ MASQ ☠ Author Commented:
Shame there's no easy way to remove the quarantined code but good to know it's not a problem.
Thanks :)
 
rpggamergirl Commented:
When ComboFix fixed an MBR... there should also be a line in the log that says something like, "original mbr successfully restored !"

user & kernel MBR OK <-- this line is what you need to look for in the CF log afterwards, as it tells you that the user and kernel MBR are OK.

copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

The above lines are nothing to worry about.
When a rootkit is first installed, it also writes code to an obscure sector of the drive (not the boot sector); this is harmless but can only be removed by reformatting/deleting the partition.


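The thread's reasoning (live MBR reported OK by mbr.exe, a stored copy of the original MBR plus loader code and a PE image sitting in sectors far outside the partitions) can be checked directly against a raw image of the disk instead of trusting the tool's one-line verdict. The script below is an added example and is not code from the original thread, from Gmer's mbr.exe or from ComboFix. It assumes a raw sector-by-sector image with 512-byte sectors (such as one taken with dd), parses the three mbr.exe lines quoted above to get the LBAs, and then verifies four things: that the live MBR's boot code is byte-identical to the stored copy (what a successful "original mbr restored" should leave behind), that the reported PE sector really starts with an MZ header, that all three sectors lie outside every partition listed in the MBR's partition table, and, as a heuristic of this example, that the live boot code does not embed any of those LBAs as a 32-bit immediate, which a loader that reads its payload back from a fixed sector would need. The sample image, partition layout and boot-code bytes are constructed here so the script runs offline; the sector numbers are the ones from the thread.

```python
"""Check the sectors reported by Gmer's mbr.exe against a raw disk image.

Added example; not from the original thread, Gmer or ComboFix. Assumes a raw
512-byte-sector image of the disk and the mbr.exe lines quoted in the thread.
"""
import re
import struct

SECTOR = 512

# The informational lines from the mbr.exe output quoted in the thread.
MBR_LOG = """\
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
"""

LOG_PATTERNS = {
    "mbr_copy": r"copy of MBR has been found in sector 0x([0-9A-Fa-f]+)",
    "malicious": r"malicious code @ sector 0x([0-9A-Fa-f]+)",
    "pe_file": r"PE file found in sector at 0x([0-9A-Fa-f]+)",
}


def parse_mbr_log(text):
    """Map each reported item to its LBA (the hex values in the log are sector numbers)."""
    found = {}
    for name, pat in LOG_PATTERNS.items():
        m = re.search(pat, text)
        if m:
            found[name] = int(m.group(1), 16)
    return found


class SparseImage:
    """In-memory stand-in for a disk image: unwritten sectors read back as zeros."""
    def __init__(self):
        self.sectors = {}

    def write(self, lba, data):
        self.sectors[lba] = data[:SECTOR].ljust(SECTOR, b"\0")

    def read(self, lba):
        return self.sectors.get(lba, bytes(SECTOR))


class FileImage:
    """Same read() interface over a raw image file (e.g. produced by dd)."""
    def __init__(self, path):
        self.f = open(path, "rb")

    def read(self, lba):
        self.f.seek(lba * SECTOR)
        return self.f.read(SECTOR).ljust(SECTOR, b"\0")


def partition_extents(mbr):
    """Parse the four 16-byte partition entries at offset 446 -> [(start_lba, end_lba_exclusive)]."""
    extents = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        ptype = entry[4]
        start, count = struct.unpack_from("<II", entry, 8)
        if ptype != 0 and count:
            extents.append((start, start + count))
    return extents


def assess(image, log_text):
    """Decide whether the reported sectors are inert leftovers or still wired into the MBR."""
    lbas = parse_mbr_log(log_text)
    mbr = image.read(0)
    code = mbr[:440]  # boot code only; excludes disk signature and partition table
    extents = partition_extents(mbr)
    r = {"mbr_signature_ok": mbr[510:512] == b"\x55\xaa"}
    if "mbr_copy" in lbas:
        # The rootkit keeps the original MBR so its loader can chain to it; after a
        # repair the live boot code should be identical to that stored copy.
        r["copy_matches_current_mbr"] = image.read(lbas["mbr_copy"])[:440] == code
    if "pe_file" in lbas:
        r["pe_header_present"] = image.read(lbas["pe_file"])[:2] == b"MZ"
    r["remnants_outside_partitions"] = all(
        not any(s <= lba < e for s, e in extents) for lba in lbas.values())
    # Heuristic (an assumption of this example): a loader that reads its payload back
    # by LBA carries that LBA as a 32-bit little-endian immediate; a clean MBR does not.
    r["mbr_references_remnant_sectors"] = any(
        struct.pack("<I", lba) in code for lba in lbas.values())
    suspicious = r["mbr_references_remnant_sectors"] or not r.get("copy_matches_current_mbr", True)
    r["verdict"] = "MBR still suspicious" if suspicious else "inert remnant"
    return r


def build_sample_image(infected_mbr=False):
    """Constructed sample: one NTFS partition that ends before the reported sectors."""
    clean_code = bytes.fromhex("33c08ed0bc007c8ec08ed8").ljust(440, b"\x90")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 234_372_000)
    clean_mbr = clean_code + b"\x12\x34\x56\x78\x00\x00" + entry + bytes(48) + b"\x55\xaa"
    img = SparseImage()
    if infected_mbr:  # loader that still carries the LBA of the stored MBR copy
        loader = b"\xfa\x33\xc0" + struct.pack("<I", 0x0DF83CBD)
        img.write(0, loader.ljust(440, b"\x90") + clean_mbr[440:])
    else:
        img.write(0, clean_mbr)
    img.write(0x0DF83CBD, clean_mbr)                        # stored copy of the original MBR
    img.write(0x0DF83CC0, b"\xe8\x00\x00\x5b" + bytes(60))  # leftover loader code
    img.write(0x0DF83CD6, b"MZ" + bytes(62))                # leftover PE header
    return img


if __name__ == "__main__":
    for key, value in assess(build_sample_image(), MBR_LOG).items():
        print(f"{key}: {value}")
```

Swap `build_sample_image()` for `FileImage("disk.dd")` to run it against a real image. A sector that lies outside every partition extent belongs to no filesystem, so filesystem-level tools (defragmenters, on-access AV file scans) never rewrite it; only a raw write to those sectors or a repartition that covers them changes what mbr.exe reads there, which is why the three informational lines persist after the MBR itself has been restored.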