Do I have an MBR Rootkit?

Discussion in 'Malware Help (A Specialist Will Reply)' started by Noddy11, Jan 23, 2014.

  1. Noddy11

    Noddy11 Private E-2

    I caught some malware the other day and was able to get rid of it using your removal instructions, as far as I can tell anyway. Subsequent scans are clean and my PC is behaving normally again. They are listed here:

    Registry Data Items Detected: 1
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 4
    C:\Documents and Settings\User\My Documents\Downloads\iphonebackupextractor-latest.exe (PUP.Optional.OpenCandy) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\Local Settings\Temp\01390337422970.exe (Trojan.Ransom.ED) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\Local Settings\Temp\vtlcystx.exe (Trojan.Ransom.ED) -> Quarantined and deleted successfully.
    C:\Documents and Settings\User\Local Settings\Application Data\YggzPack\FlashUtil.dll (VirTool.Vbcrypt) -> Quarantined and deleted successfully.


    One thing I'm not sure about is that RogueKiller says I have an mbr.rootkit, as does Avast's anti-rootkit utility. I'm wondering whether they are thrown off by the fact my drive is encrypted and it creates some weirdness in the mbr. Malwarebytes' anti-rootkit utility won't scan the drive due to the encryption.

    The Avast utility says this:

    aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
    Run date: 2014-01-23 17:28:09
    -----------------------------
    17:28:09.313 OS Version: Windows 5.1.2600 Service Pack 3
    17:28:09.313 Number of processors: 4 586 0x2502
    17:28:09.313 ComputerName: LV38PCE00274939 UserName: G65630
    17:28:10.922 Initialize success
    17:29:02.453 AVAST engine defs: 14012301
    17:29:24.423 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
    17:29:24.423 Disk 0 Vendor: WDC_WD25 02.0 Size: 238475MB BusType: 3
    17:29:24.470 Disk 0 MBR read successfully
    17:29:24.470 Disk 0 MBR scan
    17:29:24.517 Disk 0 Windows XP default MBR code found via API
    17:29:24.517 Disk 0 unknown MBR code
    17:29:24.517 Disk 0 MBR hidden
    17:29:24.517 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS CRYPT 238472 MB offset 63
    17:29:24.517 Disk 0 scanning sectors +488392065
    17:29:24.564 Disk 0 MBR [possible unknown bootkit@MBR] **ROOTKIT**
    17:29:24.564 Scan finished successfully
    17:30:00.114 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\User\Desktop\MBR.dat"
    17:30:00.114 The log file has been saved successfully to "C:\Documents and Settings\User\Desktop\aswMBR.txt"

    The RK report says this:

    ¤¤¤ Infection : Root.MBR ¤¤¤

    ¤¤¤ MBR Check: ¤¤¤

    +++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) WDC WD2500BEKT-60A25T1 +++++
    --- User ---
    [MBR] fca8207705384279cf6157111060b2ea
    [BSP] 4d18b6ac37bf58e069c78784e1d997da : Windows XP MBR Code
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
    User != LL1 ... KO!
    --- LL1 ---
    [MBR] 9223566183ed9380a092c5a433343d6c
    [BSP] 0b3db176b24e7fd3e4dae63b1b0f0958 : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo
    User != LL2 ... KO!
    --- LL2 ---
    [MBR] 9223566183ed9380a092c5a433343d6c
    [BSP] 0b3db176b24e7fd3e4dae63b1b0f0958 : MBR Code unknown
    Partition table:
    0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 238472 Mo

    Finished : << RKreport[0]_S_01222014_162330.txt >>

    Thanks.
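    How the "User != LL1 ... KO!" comparison in the RogueKiller report above comes about, as an added Python example (not RogueKiller's or aswMBR's code): it hashes the boot-code area and parses the partition table of two 512-byte MBR images, one standing for the API-visible read and one for the raw read, and reports which part differs. The two images are constructed stand-ins, not the poster's MBR.dat.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440     # boot code occupies bytes 0..439 of a classic MBR
PART_TABLE_OFF = 446    # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"  # bytes 510..511

def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty partition entries (status, type, LBA start, size in MB)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype:
            entries.append({"active": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "size_mb": sectors * SECTOR // 2**20})
    return entries

def mbr_summary(mbr: bytes) -> dict:
    """Hash the whole sector and the boot-code area separately, and parse the table."""
    assert len(mbr) == SECTOR and mbr[510:] == BOOT_SIG, "not a 512-byte MBR with 55AA"
    return {"mbr_md5": hashlib.md5(mbr).hexdigest(),
            "bootcode_md5": hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": parse_partitions(mbr)}

def cross_view_check(user_view: bytes, low_level_view: bytes) -> dict:
    """Compare the API-visible MBR with the raw read, the way 'User != LL1' does."""
    u, ll = mbr_summary(user_view), mbr_summary(low_level_view)
    return {"match": u["mbr_md5"] == ll["mbr_md5"],
            "bootcode_differs": u["bootcode_md5"] != ll["bootcode_md5"],
            "partition_table_differs": u["partitions"] != ll["partitions"]}

def build_mbr(boot_code: bytes, lba_start: int, sectors: int, ptype: int = 0x07) -> bytes:
    """Construct a test MBR with one active partition (CHS fields left zero)."""
    img = bytearray(SECTOR)
    img[:len(boot_code)] = boot_code
    struct.pack_into("<BBBBBBBBII", img, PART_TABLE_OFF, 0x80, 0, 0, 0, ptype, 0, 0, 0, lba_start, sectors)
    img[510:] = BOOT_SIG
    return bytes(img)

# Constructed stand-ins for the two reads in the report (not the poster's MBR.dat):
# same 238472 MB partition at sector 63, stock boot code via the API, another loader raw.
SECTORS = 238472 * 2048
USER_VIEW = build_mbr(b"STOCK-XP-BOOTCODE".ljust(BOOT_CODE_LEN, b"\x90"), 63, SECTORS)
LOW_LEVEL_VIEW = build_mbr(b"OTHER-LOADER".ljust(BOOT_CODE_LEN, b"\x90"), 63, SECTORS)
RESULT = cross_view_check(USER_VIEW, LOW_LEVEL_VIEW)
# Boot code differs while the partition table matches: the pattern both tools flagged.
# A pre-boot encryption loader and a bootkit both produce it, so the raw boot-code hash
# must be checked against the encryption product's known loader before calling it clean.
```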
     
  2. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    More than likely a false positive, yes. :)

    But before I go ahead and say that I should be asking you to attach all of the requested logs. Don't post them inline like you did that one.
     
  3. Noddy11

    Noddy11 Private E-2

    Hey thanks for your quick reply. Apologies for the inline logs, I think I confused your site with another where they ask for them that way.

    I've attached them this time, let me know what you think when you get a chance. Thanks again.
     


  4. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    I also need to see logs from Hitman and MGTools please. Thanks. :)
     
  5. Noddy11

    Noddy11 Private E-2

    Hey thanks for your help on this. I think I'm ok, and I'm getting a new laptop next week so I'm not going to worry about it. Thanks again.
     
  6. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    No problem, safe surfing! :)
     
