MBR Rootkit - removing the remnants?

Working on an XP Home box which was running slow with nothing particularly showing up with the installed Avira.
Combofix removed some hidden processes but Gmer (or at least mbr) shows the following.

---------------------------
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
---------------------------


Is this still an active problem or is it showing the mbr has been repaired?
Fixboot and fixmbr don't change the output.

How to tidy up the rogue code?
☠ MASQ ☠ Asked:

ViRogues Commented:
Try using Malwarebytes Anti Malware. (http://www.malwarebytes.org/mbam.php)

It always keeps my computer safe from stuff like that.
0
edbedb Commented:
Don't bet the farm on this but it looks like the problems were found by reading the raw data from the hard drive. It is likely the remnants of an infection that has already been eradicated.
You might be able to get a clean scan by defragging the hard drive before the scan.
0
rpggamergirl Commented:
MBR is okay... nothing is wrong there... the output is okay.
0
rpggamergirl Commented:
"Is this still an active problem or is it showing the mbr has been repaired?"
No, it's not an active problem.... yes it's showing that mbr is fixed.


"How to tidy up the rogue code?"
The code is harmless but cannot be removed unless you reformat or delete the partition and create a new one.
0

☠ MASQ ☠ Author Commented:
Thanks - that's what I thought but I didn't want to leave the "Malicious Code Found @ ..." message appearing if there was a way of fixing it.
 
I guess Combofix has done its work again :)
0
☠ MASQ ☠ Author Commented:
Shame there's no easy way to remove the quarantined code but good to know it's not a problem.
Thanks :)
0
rpggamergirl Commented:
When ComboFix fixed an mbr... there should also be a line in the log that says something like, "original mbr successfully restored !"

user & kernel MBR OK <-- this line is what you need to look for in the CF log afterwards as it tells you that the user and kernel MBR are OK.

copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !

The above lines are nothing to worry about.
When a rootkit is first installed, it also writes code to an obscured sector of the drive (not the boot sector), harmless but it can only be removed by reformatting/deleting the partition.


0
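One way to turn the detector output quoted in this thread into a verdict, as an added example that is not part of the thread or of Gmer's tool: it looks for the "user & kernel MBR OK" line that rpggamergirl points to, collects the sector numbers of the remnant lines, and converts them to byte offsets for a disk-image viewer. The strings it treats as signs of a live infection (user/kernel mismatch) are assumed, not quoted on this page.

```python
import re
from dataclasses import dataclass, field

SECTOR_SIZE = 512  # bytes; the classic sector size of an XP-era disk

# Constructed sample: a copy of the mbr.exe output quoted in the question.
SAMPLE_LOG = """\
Stealth MBR rootkit/Mebroot/Sinowal detector 0.3.7 by Gmer, http://www.gmer.net

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user & kernel MBR OK
copy of MBR has been found in sector 0x0DF83CBD
malicious code @ sector 0x0DF83CC0 !
PE file found in sector at 0x0DF83CD6 !
"""

@dataclass
class MbrReport:
    mbr_ok: bool          # "user & kernel MBR OK": the two reads of sector 0 agree
    active_hook: bool     # detector reported a user/kernel mismatch (assumed strings)
    remnant_sectors: dict = field(default_factory=dict)  # label -> LBA sector number

    def remnant_offsets(self):
        """Byte offset of each remnant on the raw disk, for a hex/image viewer."""
        return {k: v * SECTOR_SIZE for k, v in self.remnant_sectors.items()}

    def verdict(self):
        if self.active_hook or not self.mbr_ok:
            return "active: user and kernel views of the MBR differ, treat as live"
        if self.remnant_sectors:
            return "remnants only: MBR clean, leftover code outside the boot sector"
        return "clean"

# Matches the three remnant lines: "copy of MBR ... sector 0x..", "malicious code @ sector 0x..",
# "PE file found in sector at 0x..".
_SECTOR_RE = re.compile(
    r"^(?P<label>copy of MBR|malicious code|PE file) .*?sector(?: at)? (?P<hex>0x[0-9A-Fa-f]+)",
    re.IGNORECASE,
)

def parse_mbr_log(text):
    report = MbrReport(mbr_ok=False, active_hook=False)
    for line in text.splitlines():
        line = line.strip()
        if line == "user & kernel MBR OK":
            report.mbr_ok = True
        elif "user != kernel MBR" in line:   # assumed wording for the infected case
            report.active_hook = True
        m = _SECTOR_RE.match(line)
        if m:
            report.remnant_sectors[m.group("label").lower()] = int(m.group("hex"), 16)
    return report
```

For the log in the question the verdict is "remnants only", matching the answer given in the thread.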