
False Positive or Real Problem??


7 replies to this topic

#1 nkaufman

nkaufman

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 13 June 2013 - 07:49 PM

I have my laptop running Win-7 64-bit.

Just the other day, I downloaded mbr.exe from gmer.net and ran it using Admin. Got the following in log file:

*********MBR.exe Log Begins**********************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR

*********MBR.exe Log Ends **********************************************

Getting a bit concerned, I then downloaded aswMBR from gmer.net and ran it without virus scanning. Following are the results:

********* aswMBR.exe Log Begins **********************************************

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-13 20:23:31
-----------------------------
20:23:31.383 OS Version: Windows x64 6.1.7601 Service Pack 1
20:23:31.383 Number of processors: 2 586 0x170A
20:23:31.384 ComputerName: NK-PC UserName: Admin
20:23:32.283 Initialize success
20:23:32.558 AVAST engine defs: 13061301
20:23:39.692 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:23:39.696 Disk 0 Vendor: FUJITSU_MJA2250BH_G2 8919 Size: 238475MB BusType: 11
20:23:39.809 Disk 0 MBR read successfully
20:23:39.813 Disk 0 MBR scan
20:23:39.819 Disk 0 Windows 7 default MBR code
20:23:39.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:23:39.842 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 140374 MB offset 206848
20:23:39.870 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 97999 MB offset 287692800
20:23:40.161 Disk 0 scanning C:\Windows\system32\drivers
20:23:54.807 Service scanning
20:24:26.682 Modules scanning
20:24:26.689 Disk 0 trace - called modules:
20:24:26.714 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
20:24:27.056 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b2c450]
20:24:27.065 3 CLASSPNP.SYS[fffff880018dd43f] -> nt!IofCallDriver -> [0xfffffa80047b1520]
20:24:27.073 5 ACPI.sys[fffff8800115e7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047ad680]
20:24:27.083 Scan finished successfully
20:25:00.552 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\Software\MBR.dat"
20:25:00.557 The log file has been saved successfully to "C:\Users\Admin\Desktop\Software\aswMBR.txt"


********* aswMBR.exe Log Ends **********************************************

The above aswMBR log shows everything is fine.

So is MBR.exe giving me false positives, or is aswMBR wrong?

Please help!!!!

Ran MBAM and following is the log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.13.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Admin :: NK-PC [administrator]

6/13/2013 10:37:18 PM
mbam-log-2013-06-13 (22-37-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 277864
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)

 

What is going on? Both MBAM and aswMBR do not show any problem. Only MBR.exe does. Why??


Edited by nkaufman, 13 June 2013 - 09:45 PM.
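The aswMBR log above does two things that can be checked by hand on the saved dump: it decodes the partition table (active flag 80, type 07, offsets 2048 / 206848 / 287692800) and it compares the boot-code region against what it expects for a clean Windows 7 MBR. The following Python script is an added example, not code from the poster, from GMER or from AVAST: it builds a constructed 512-byte MBR whose partition table copies the layout from the log (the boot code is placeholder bytes, not real Windows boot code), decodes the table, runs basic layout sanity checks, and compares the boot-code region of a "current" dump against a known-good reference by SHA-256. The reference-dump comparison is an assumption about how one would verify the sector offline, not a description of aswMBR's internals.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # bytes 0-439: x86 boot code; 440-445: disk signature + pad
PART_TABLE_OFF = 446           # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of a valid MBR


def build_sample_mbr(partitions, boot_code):
    """Construct a synthetic 512-byte MBR for the demo. The boot code is a
    placeholder, NOT real Windows boot code; only the layout matters here."""
    buf = bytearray(SECTOR)
    buf[:BOOT_CODE_LEN] = boot_code[:BOOT_CODE_LEN].ljust(BOOT_CODE_LEN, b"\x00")
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # CHS fields are left zero: Windows and modern tools use the LBA fields
        struct.pack_into(PART_ENTRY_FMT, buf, off,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    buf[510:512] = BOOT_SIGNATURE
    return bytes(buf)


def parse_mbr(mbr):
    """Decode the partition table of a raw 512-byte MBR dump.
    Returns one dict per populated entry."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected a {SECTOR}-byte sector, got {len(mbr)} bytes")
    if mbr[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: not a valid MBR")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _, ptype, _, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:
            continue                      # empty slot
        entries.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return entries


def check_layout(entries, disk_sectors):
    """Sanity checks on the decoded table: one active partition, no overlaps,
    nothing past the end of the disk. Returns a list of problem strings."""
    problems = []
    if sum(e["bootable"] for e in entries) != 1:
        problems.append("expected exactly one active (0x80) partition")
    ordered = sorted(entries, key=lambda e: e["lba_start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            problems.append(f"partitions {a['index']} and {b['index']} overlap")
    for e in entries:
        if e["lba_start"] + e["sectors"] > disk_sectors:
            problems.append(f"partition {e['index']} extends past the end of the disk")
    return problems


def boot_code_digest(mbr):
    """SHA-256 of the boot-code region only, so a different disk signature or
    partition table neither masks nor triggers a boot-code mismatch."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def boot_code_matches(current, reference):
    """True when the boot code of the current dump equals the known-good reference."""
    return boot_code_digest(current) == boot_code_digest(reference)


# Constructed sample: layout copied from the aswMBR log in this thread
# (offsets in sectors; sector counts back-computed from the MB figures).
SAMPLE_PARTITIONS = [
    (0x80, 0x07, 2048, 204800),           # 100 MB, active
    (0x00, 0x07, 206848, 287485952),      # 140374 MB
    (0x00, 0x07, 287692800, 200701952),   # 97999 MB
]
DISK_SECTORS = 238475 * 2048              # 238475 MB disk from the log
SAMPLE_BOOT_CODE = bytes(range(256)) * 2  # placeholder bytes, not real boot code

REFERENCE_MBR = build_sample_mbr(SAMPLE_PARTITIONS, SAMPLE_BOOT_CODE)
# A "current" dump whose boot code differs by one byte, the region a bootkit alters
_tampered = bytearray(REFERENCE_MBR)
_tampered[0x10] ^= 0xFF
TAMPERED_MBR = bytes(_tampered)

if __name__ == "__main__":
    for entry in parse_mbr(REFERENCE_MBR):
        print(entry)
    print("layout problems:", check_layout(parse_mbr(REFERENCE_MBR), DISK_SECTORS))
    print("boot code matches reference:", boot_code_matches(REFERENCE_MBR, REFERENCE_MBR))
    print("tampered dump matches reference:", boot_code_matches(TAMPERED_MBR, REFERENCE_MBR))
```

To run this against a real dump, replace REFERENCE_MBR with `open(path, "rb").read()` on a sector saved from a known-clean machine and TAMPERED_MBR with the dump under examination; this assumes the saved file is the raw 512-byte sector, which should be confirmed for whichever tool produced it. A boot-code mismatch is a reason to escalate (as the moderator advises below), not proof of infection on its own, since OEM and dual-boot installs legitimately carry non-default boot code.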




#2 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:33 PM

Posted 20 June 2013 - 08:33 PM

Let's get one more look.

Open MalwareBytes. Click on More Tools.

Then click on Anti-Rootkit and run that.

There are instructions there.

Post that log here.


How do I get help? Who is helping me? For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear.... Become a BleepingComputer fan: Facebook

#3 nkaufman

nkaufman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 20 June 2013 - 10:00 PM

Hello,


Here is the log:


Malwarebytes Anti-Rootkit BETA 1.06.0.1003
www.malwarebytes.org

Database version: v2013.06.20.10

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Admin :: NK-PC [administrator]

6/20/2013 10:25:40 PM
mbar-log-2013-06-20 (22-25-40).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUM | P2P
Scan options disabled: Deep Anti-Rootkit Scan | PUP
Objects scanned: 306261
Time elapsed: 22 minute(s), 38 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

Physical Sectors Detected: 0
(No malicious items detected)

(end)



#4 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:33 PM

Posted 21 June 2013 - 09:09 AM

OK, I say you are OK. You have a 64-bit system. GMer does work on 64-bit computers, just not all the selections can be checked; that is why some of the items could not be read or handled.

#5 nkaufman

nkaufman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 21 June 2013 - 12:13 PM

I was thinking if there is a way to confirm whether other people have faced a similar issue running mbr.exe (NOT gmer) on Win-7 64-bit Professional. That would give me peace of mind. :-)



#6 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:33 PM

Posted 21 June 2013 - 12:19 PM

If you are concerned that you are still infected, please follow this Preparation Guide and post in a new topic.

Let me know if all went well.

#7 nkaufman

nkaufman
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:04:33 PM

Posted 28 June 2013 - 07:41 AM

I installed Win-7 on another hard drive that I had and tried to run mbr on it. Got the same error, which makes me wonder if there is something that stops mbr.exe from running under Win-7 64-bit Professional edition.

Thanks,

 



#8 boopme

boopme

    To Insanity and Beyond


  • Global Moderator
  • 73,530 posts
  • OFFLINE
  • Gender:Male
  • Location:NJ USA
  • Local time:03:33 PM

Posted 28 June 2013 - 08:37 PM

It is still better to ask these questions with the DDS log posted in a new topic per the Guide above. They will check your MBR also.



