MBAR found this. Is it a threat

[rosiesdad]

Bootkit.Mebromi.Sinowal.D.MBR Not rootkit, bootkit.

Found on 2 drives, I tried cleanup and its coming back.

Ran TDSS Killer, didnt see any issues.

MBAM runs clean, and regular Antivirus is AVAST.

Is this a false positive?

[AdvancedSetup]

Yes, this is a nasty rootkit

I would suggest following the advice from the topic here Available Assistance for Possibly Infected Computers and having one of the Experts assist you with looking into your issue.

Thanks

[coolcat]

Maybe a false positive.

Have been scanning weekly with the older versions (even scanned just 3 days ago and everything was clean), recently updated to 1.05.0.1001 and the same issue popped up. Try updating your definitions and see whether it goes away (it did for me).

Without clicking "remove" on MBAR. Concurrent scans with GMER, MBRCheck.exe, TDSSKILLER.exe are all clean.

Norton 360/MalwareBytes Pro/Superantispyware scans have been clean weekly as well as in safemode too.

[coolcat]

Can you go to your MBAR 1.05.0.1001 folder and look at the log file that detected the infection?

I've been trying to pinpoint how the infection came because I too have had 0 things wrong with the PC (and I weekly scan with Symantec, MBAM, Superantispyware, VIPRE antivirus, Bitdefender, TrendMicro, AVAST). Scans with ASWmbr, Bootkitremoval, gmer, rootkitbuster, tdsskiller, mdrcheck, HiJackThis are all clean.

I see that a 3rd person has also had the exact Bootkit and upon looking at their log below:

(mbar-log-2013-04-17) they were using Database version: v2013.04.17.15, which was the exact same database version as me.

Now, I've scanned 5 times with MBAR in the past ~1-2 months using the previous Beta-releases (even a scan 3-4 days BEFOREhand with the older V1.01 with up-to-date defintions were absolutely clean). Unless "Bootkit.Mebromi.Sinowal.D.MBR" is a new definition file (which I doubt because it's been in the wild since 2008), I suspect it could be a false positive or something.

3 individuals detecting the same infection at the same time (around 7:00PM CST on 04/17/2013) with the same Definition File (v2013.04.17.15) would be highly irregular but not impossible:

Files Detected: 1

C:\ProgramData\Malwarebytes\Malwarebytes' Anti-Malware\MBR_0_infected.mbam (Bootkit.Mebromi.Sinowal.D.MBR) -> Delete on reboot.

• Can anyone confirm whether Bootkit.Mebromi is simply a new definiton file whereby the infection could have been missed with my previous 5-6 scans using the older versions?
  

[AdvancedSetup]

Please be patient. I think it may be a false positive but have asked for assistance from the Dev Team. It may be a few days though before I get a response as we're quite busy right now.

Thank you

[AdvancedSetup]

Please make sure you have the latest version of MBAR and then check for updates and if it's still detecting let me know and post back the log from the tool

http://www.malwarebytes.org/products/mbar/

Thanks