Possible MBR infection?


12 replies to this topic

#1 Kizza

Kizza

  • Members
  • 8 posts

Posted 19 March 2013 - 08:52 PM

Hello, when I run Spybot Search and Destroy Rootkit Scanner it indicates that I may have a problem with my Master Boot Records. My computer performance does not appear to be affected but I would still like to get to the bottom of this. If someone experience/qualified could please direct me i would greatly appreciate it.

 

Thanks in advance.

 

K.





#2 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 March 2013 - 08:58 PM

    

  • Please download TDSSKiller from here and save it to your Desktop
  • Doubleclick on TDSSKiller.exe to run the application, then click on Change parameters



  • Check Loaded Modules and Detect TDLFS file system. Do not check Verify file digital signatures (even though it is checked in the example)
  • If you are asked to reboot because an "Extended Monitoring Driver is required" please click Reboot now



  • Click Start Scan and allow the scan process to run

  • If threats are detected select Skip for all of them unless I instruct you otherwise
  • Click Continue



  • Click Reboot computer
  • Please post the contents of TDSSKiller.[Version]_[Date]_[Time]_log.txt, found in your root directory (typically c:\), in your reply


===================================================


aswMBR

--------------------

  • Download aswMBR and save it to your desktop.
  • Please disable your real time protection of any Antivirus, Antispyware or Antimalware programs temporarily. They will interfere and may cause unexpected results.
  • If you need help to disable your protection programs see here
  • Double click the aswMBR.exe file to run it. Please allow when you are asked to download AVAST antivirus engine defs.
  • Wait until the AV update is done, then click on the Scan button to start. The program will launch a scan.


  • When done, you will see Scan finished successfully. Please click on Save log and save the file to your desktop.


  • Please post the contents of the log in your next reply.

NOTE:  aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.


===================================================


ESET Online Scanner

--------------------

I'd like us to scan your machine with ESET OnlineScan. This process may take several hours, that is normal.

  • Hold down Control and click on this link to open ESET OnlineScan in a new window.
  • Click the ESET Online Scanner button.
  • For alternate browsers only: (Microsoft Internet Explorer users can skip these steps)

    • Click on esetsmartinstaller_enu.exe to download the ESET Smart Installer. Save it to your desktop.
    • Double click on the icon on your desktop.


  • Check "YES, I accept the Terms of Use."
  • Click the Start button.
  • Accept any security warnings from your browser.
  • Under scan settings, check "Scan Archives" and "Remove found threats"
  • Click Advanced settings and select the following:

    • Scan potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth technology
  • ESET will then download updates for itself, install itself, and begin scanning your computer. Please be patient as this can take some time.
  • When the scan completes, click List Threats
  • Copy and paste the information in your next reply. Note: If no malware was found you will not get a log.
  • Click the Back button.
  • Click the Finish button.


===================================================


Things I would like to see in your next reply. Please be sure to copy and paste the information rather than send an attachment.

  • TDSSKiller log
  • aswMBR log
  • ESET results


 



#3 Kizza

Kizza
  • Topic Starter

  • Members
  • 8 posts

Posted 19 March 2013 - 09:14 PM

What if TDSSKiller found no threats (it didn't find any)? Do I just move on to other tests or do I post the log anyway? And if i do where do I find said log? Thanks.



#4 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 March 2013 - 09:19 PM

Move to other scans. I have already instructed on how to get the logs after scan. If you don't get a log let me know.



#5 Kizza

Kizza
  • Topic Starter

  • Members
  • 8 posts

Posted 19 March 2013 - 09:29 PM

Sorry I am confused do I run ESET OnlineScan and download/run the ESET Smart Installer or is it just one or the other? Ta.



I think both.



#6 Kizza

Kizza
  • Topic Starter

  • Members
  • 8 posts

Posted 19 March 2013 - 09:30 PM

Oh I see now nevermind.



#7 Kizza

Kizza
  • Topic Starter

  • Members
  • 8 posts

Posted 19 March 2013 - 10:40 PM

Ok well TDSSKiller found no threats and didn't seem to produce a log.

 

Here is the log from aswMBR:

 

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-03-20 13:18:09
-----------------------------
13:18:09.819    OS Version: Windows x64 6.1.7601 Service Pack 1
13:18:09.819    Number of processors: 8 586 0x2A07
13:18:09.820    ComputerName: KIEREN-HP  UserName: Kieren
13:18:15.824    Initialize success
13:18:15.913    AVAST engine defs: 13031901
13:18:37.354    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
13:18:37.357    Disk 0 Vendor: ST315003 HP23 Size: 1430799MB BusType: 3
13:18:37.443    Disk 0 MBR read successfully
13:18:37.446    Disk 0 MBR scan
13:18:37.450    Disk 0 Windows 7 default MBR code
13:18:37.457    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
13:18:37.462    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS      1417746 MB offset 206848
13:18:37.493    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        12951 MB offset 2903750656
13:18:37.549    Disk 0 scanning C:\Windows\system32\drivers
13:18:45.298    Service scanning
13:18:59.000    Modules scanning
13:18:59.010    Disk 0 trace - called modules:
13:18:59.028    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
13:18:59.034    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa80095fa790]
13:18:59.042    3 CLASSPNP.SYS[fffff880013b843f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa80083fc050]
13:19:02.142    AVAST engine scan C:\Windows
13:19:04.989    AVAST engine scan C:\Windows\system32
13:20:46.948    AVAST engine scan C:\Windows\system32\drivers
13:20:57.522    AVAST engine scan C:\Users\Kieren
13:23:16.059    AVAST engine scan C:\ProgramData
13:24:49.493    Scan finished successfully
13:25:05.808    Disk 0 MBR has been saved successfully to "C:\Users\Kieren\Desktop\MBR.dat"
13:25:05.812    The log file has been saved successfully to "C:\Users\Kieren\Desktop\aswMBRyay.txt"


and here is the ESET result:

 

C:\Users\Kieren\Downloads\Adaware_Installer.exe    Win32/OpenCandy application

 

I hope that is ok.
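A quick way to triage an aswMBR log like the one posted above, as an added example that is not part of this thread or of aswMBR itself: it reads the MBR-code verdict and the partition-table lines and lists anything a responder would want a second look at (assumptions: real logs keep exactly this line layout, and the partition-type allow-list is my own, not aswMBR's).

```python
import re
# Constructed sample modelled on the aswMBR log posted above (assumption: real logs keep this layout).
SAMPLE_LOG = """\
13:18:37.357    Disk 0 Vendor: ST315003 HP23 Size: 1430799MB BusType: 3
13:18:37.443    Disk 0 MBR read successfully
13:18:37.450    Disk 0 Windows 7 default MBR code
13:18:37.457    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
13:18:37.462    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS      1417746 MB offset 206848
13:18:37.493    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        12951 MB offset 2903750656
"""

SIZE_RE = re.compile(r"Disk (\d+) Vendor: .* Size: (\d+)MB")
MBR_RE = re.compile(r"Disk (\d+) (.*MBR code)$")
PART_RE = re.compile(r"Disk (\d+) Partition (\d+) ([0-9a-fA-F]{2})(?: \(A\))?\s+([0-9a-fA-F]{2})"
                     r"\s+\S+ \S+\s+(\d+) MB offset (\d+)$")
SECTORS_PER_MB = 2048                 # offsets in the log are 512-byte sectors
# Partition types a stock Windows/OEM disk is expected to carry (my own allow-list, not aswMBR's).
EXPECTED_TYPES = {"07", "0b", "0c", "0f", "05", "12", "27", "de", "ee"}

def triage_aswmbr(log_text):
    """Return ({disk: mbr_code_verdict}, [findings]) for one aswMBR log."""
    disk_mb, mbr_code, parts, findings = {}, {}, {}, []
    for line in map(str.rstrip, log_text.splitlines()):
        if m := SIZE_RE.search(line):
            disk_mb[m.group(1)] = int(m.group(2))
        elif m := MBR_RE.search(line):
            mbr_code[m.group(1)] = m.group(2)
        elif m := PART_RE.search(line):
            d, idx, boot, ptype, mb, off = m.groups()
            parts.setdefault(d, []).append((int(idx), boot, ptype.lower(), int(mb), int(off)))
    for d, code in mbr_code.items():
        if "default MBR code" not in code:       # aswMBR names known-good boot code explicitly
            findings.append(f"disk {d}: non-default MBR code ({code}); compare MBR.dat with a known-good image")
    for d, plist in parts.items():
        if sum(p[1] == "80" for p in plist) != 1:
            findings.append(f"disk {d}: expected exactly one active (80) partition")
        end = 0
        for idx, boot, ptype, mb, off in sorted(plist, key=lambda p: p[4]):
            if ptype not in EXPECTED_TYPES:
                findings.append(f"disk {d} partition {idx}: unusual partition type {ptype}")
            if off + SECTORS_PER_MB < end:       # 1 MB slack because sizes are rounded to MB
                findings.append(f"disk {d} partition {idx}: overlaps the previous partition")
            end = off + mb * SECTORS_PER_MB
        if d in disk_mb and end > (disk_mb[d] + 1) * SECTORS_PER_MB:
            findings.append(f"disk {d}: partition table extends past the reported disk size")
    return mbr_code, findings

if __name__ == "__main__":
    verdicts, issues = triage_aswmbr(SAMPLE_LOG)
    print(verdicts, issues or "no findings")
```

On the log posted above the partitions sit back to back with a single active NTFS boot partition and stock Windows 7 boot code, so the function reports nothing, which matches the advisor's reading of it.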



#8 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 March 2013 - 10:43 PM

Logs are clean. No symptoms of MBR rootkit.

 

when I run Spybot Search and Destroy Rootkit Scanner it indicates that I may have a problem with my Master Boot Records

 

What was the exact error?



#9 Kizza

Kizza
  • Topic Starter

  • Members
  • 8 posts

Posted 19 March 2013 - 10:51 PM

Apparently Spybot S&D considers OpenCandy to be a trojan, so perhaps that was my problem. The exact error was "Master Boot Records: six Master Boot Records checked, unknown MBRs; PhysicalDrive 1,2,3,4 and 5."



Actually there was more hang on.



#10 Kizza

Kizza
  • Topic Starter

  • Members
  • 8 posts

Posted 19 March 2013 - 10:53 PM

// info: Rootkit removal help file
// copyright: © 2008-2013 Safer-Networking Ltd. All rights reserved.

:: RootAlyzer Results
File:"Unknown ADS","C:\Users\Kieren\AppData\Local\Hewlett-Packard\TouchSmart\Music\Setting_Common.ini:Rhapsody_Pwd:$DATA"
File:"Unknown ADS","C:\Users\All Users\Hewlett-Packard\Media\DVD\001.FCL:001.FCL:$DATA"
File:"Unknown ADS","C:\ProgramData\Hewlett-Packard\Media\DVD\001.FCL:001.FCL:$DATA"

 

That was from the 'deep scan'



#11 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 March 2013 - 11:02 PM

ADS is alternate data streams and not related to MBR. Unknown MBR doesn't mean that system has MBR rootkit.

 

All the three files are legitimate ones.



#12 Kizza

Kizza
  • Topic Starter

  • Members
  • 8 posts

Posted 19 March 2013 - 11:12 PM

Ok then thanks for all your help my mind is now at ease.



#13 narenxp

narenxp

  • BC Advisor
  • 16,371 posts
  • Gender:Male
  • Location:India

Posted 19 March 2013 - 11:14 PM

:welcome:





