Aws Scan

I hope I’m doing the right thing here by starting a new topic. I have a laptop connected to my network and I used aswMBR to scan it. Everything’s running ok on it and also the main computer I use, but after doing the scan on the laptop I noticed again the NTFS type came up as unknown and with a few hidden files associated with it. This also occurred on the main computer. Is this normal? I’ve got a full log file if you need to see it. Thanks ahead.

03:37:40.752 Disk 0 unknown MBR code
03:37:40.752 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12291 MB offset 63
03:37:40.784 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 70168 MB offset 25174016
03:37:40.815 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 70166 MB offset 168878080
03:37:40.815 Disk 0 scanning sectors +312579760

The aswMBR is a specialist tool used for a specific purpose, e.g. if you suspect that you have a MBR (Master Boot Record) rootkit.

So what was your purpose in running aswMBR ?

Just general security. Plus I have read that “unknown MBR” can be a cause for concern. I might have misinterpreted this, but?

I wouldn’t use this for general security, as if you make any change it could stuff your system. I have no idea of your experience level, so take this as general advice for others who may well be following this topic or reading it later. This tool should be used under the guidance of an experienced malware removal specialist to avoid the pitfalls mentioned before.

The “unknown MBR” is not unusual and may not mean there is an MBR rootkit, as many manufacturers (HP, DELL, etc.) may well have a custom MBR to cater for their specific recovery process or system setup.

EDIT: you can attach the aswMBR log and I will try to get a specialist to take a look at it.

Okay, and thanks. I’m no expert. I did programming years ago (Cobol), lol, and that was mainly file processing, so my experience is more hands-on, but I’ve been using computers since the Apple IIe.

Look, I’ve got a little bit of concern with this. I don’t want to go into details, but I’m concerned that I might be under what you might call a personal attack, and the person I’m concerned about is a computer scientist who is well capable of doing such. Over a few years I’ve had hard disks gradually decrease in performance and then become unbootable, before the end of their life.
The other odd thing also is that they would not perform disk checks: errors about the structure of their MBRs, boot sector errors, etc., etc.

With my first post too, I did say that the main computer is saying “unknown MBR” also, and this computer was built by me. It is running Acronis True Image 2013 which might explain it.
There are also 2 other laptops on the same network in the house.
I could (and very well could be) wrong in all this, but some expert help would put my mind at rest.
Thanks again.

aswMBR scan of Laptop:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-10 03:13:38

03:13:38.681 OS Version: Windows 6.0.6002 Service Pack 2
03:13:38.681 Number of processors: 2 586 0x170A
03:13:38.681 ComputerName: MICHEAL-PC UserName: Micheal
03:13:39.398 Initialize success
03:15:16.322 AVAST engine defs: 13050900
03:37:40.518 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-0
03:37:40.518 Disk 0 Vendor: Hitachi_HTS543216L9A300 FB2OC40C Size: 152627MB BusType: 3
03:37:40.659 Disk 0 MBR read successfully
03:37:40.659 Disk 0 MBR scan
03:37:40.752 Disk 0 unknown MBR code
03:37:40.752 Disk 0 Partition 1 00 27 Hidden NTFS WinRE NTFS 12291 MB offset 63
03:37:40.784 Disk 0 Partition 2 80 (A) 07 HPFS/NTFS NTFS 70168 MB offset 25174016
03:37:40.815 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 70166 MB offset 168878080
03:37:40.815 Disk 0 scanning sectors +312579760
03:37:41.064 Disk 0 scanning C:\Windows\system32\drivers
03:37:53.295 Service scanning
03:38:28.223 Modules scanning
03:38:56.475 Disk 0 trace - called modules:
03:38:57.005 ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll ataport.SYS PCIIDEX.SYS msahci.sys
03:38:57.021 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x854e2968]
03:38:57.021 3 CLASSPNP.SYS[87ba58b3] → nt!IofCallDriver → [0x84a0ac10]
03:38:57.036 5 acpi.sys[806926bc] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-0[0x84a0a030]
03:38:58.097 AVAST engine scan C:\Windows
03:39:00.874 AVAST engine scan C:\Windows\system32
03:42:31.162 AVAST engine scan C:\Windows\system32\drivers
03:42:48.462 AVAST engine scan C:\Users\Micheal
03:43:51.923 AVAST engine scan C:\ProgramData
03:44:11.158 Scan finished successfully
04:36:17.270 Disk 0 MBR has been saved successfully to “C:\Users\Micheal\Documents\MBR.dat”
04:36:17.285 The log file has been saved successfully to “C:\Users\Micheal\Documents\aswMBR.txt”

aswMBR scan of Main Computer:

aswMBR version 0.9.9.1771 Copyright(c) 2011 AVAST Software
Run date: 2013-05-10 22:37:51

22:37:51.921 OS Version: Windows x64 6.1.7601 Service Pack 1
22:37:51.921 Number of processors: 8 586 0x2A07
22:37:51.921 ComputerName: JOHN-PC UserName: john
22:37:54.417 Initialize success
22:37:56.722 AVAST engine download error: 0
22:37:59.514 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP4T0L0-4
22:37:59.514 Disk 0 Vendor: ST31000526SV CV15 Size: 953869MB BusType: 3
22:37:59.514 Disk 1 \Device\Harddisk1\DR1 → \Device\Ide\IdeDeviceP5T0L0-5
22:37:59.514 Disk 1 Vendor: ST31000526SV CV15 Size: 953869MB BusType: 3
22:37:59.592 Disk 0 MBR read successfully
22:37:59.592 Disk 0 MBR scan
22:37:59.592 Disk 0 unknown MBR code
22:37:59.592 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 953867 MB offset 2048
22:37:59.623 Disk 0 scanning C:\Windows\system32\drivers
22:38:06.643 Service scanning
22:38:10.590 Service BdfNdisf c:\program files\common files\bitdefender\bitdefender firewall\bdfndisf6.sys LOCKED 5
22:38:10.606 Service bdfwfpf C:\Program Files\Common Files\Bitdefender\Bitdefender Firewall\bdfwfpf.sys LOCKED 5
22:38:18.062 Modules scanning
22:38:18.062 Disk 0 trace - called modules:
22:38:18.094 ntoskrnl.exe fltsrv.sys tdrpman.sys CLASSPNP.SYS disk.sys vidsflt.sys ACPI.sys ataport.SYS pciide.sys
22:38:18.109 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa800eb9f060]
22:38:18.109 3 CLASSPNP.SYS[fffff880013c843f] → nt!IofCallDriver → [0xfffffa800e943e10]
22:38:18.109 5 vidsflt.sys[fffff88000e165cd] → nt!IofCallDriver → [0xfffffa800e7d1e40]
22:38:18.125 7 ACPI.sys[fffff88000f447a1] → nt!IofCallDriver → \Device\Ide\IdeDeviceP4T0L0-4[0xfffffa800e80e060]
22:38:18.125 Scan finished successfully
22:38:40.495 Disk 0 MBR has been saved successfully to “G:\mbr\MBR.dat”
22:38:40.573 The log file has been saved successfully to “G:\mbr\aswMBRm.txt”

If you have other concerns there are other tools that are used for analysis, which are of a wider spectrum than the specialist aswMBR tool.

Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the tools and attach the logs here, not in the LOGS topic.

As it is a custom build I will use another tool to take a peek at the MBR

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, the SmartScreen Filter will need to be disabled

[*]Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*]Wait for the end of the scan.
[*]The report has been created on the desktop.
[*]Attach that report

This is RogueKiller scan from the main computer as this is the one that concerns me the most. Thanks.

RogueKiller V8.5.4 [Mar 18 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows 7 (6.1.7601 Service Pack 1) 64 bits version
Started in : Normal mode
User : john [Admin rights]
Mode : Scan – Date : 05/11/2013 19:42:15
| ARK || FAK || MBR |

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 3 ¤¤¤
[RUN][SUSP PATH] HKUS\S-1-5-21-366503658-1597434619-481558210-1001[…]\Run : JFSW2Launch (C:\Users\UpdatusUser\AppData\Roaming\Transcend\JFSW2\JFSW2Launch.exe) → FOUND
[RUN][SUSP PATH] HKUS\S-1-5-21-366503658-1597434619-481558210-1001[…]\Run : Browser Infrastructure Helper (C:\Users\UpdatusUser\AppData\Local\Smartbar\Application\SnapDo.exe startup) → FOUND
[TASK][SUSP PATH] Run RoboForm Process : C:\Users\john\AppData\Local\Temp\RoboForm\RoboTaskBarIcon.exe → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [NOT LOADED] ¤¤¤

¤¤¤ HOSTS File: ¤¤¤
→ C:\Windows\system32\drivers\etc\hosts

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: ST31000526SV ATA Device +++++
— User —
[MBR] 0d045626d84f3d91c2aa3b8181e48ff0
[BSP] 790f3f41881509e26865f88de7034a64 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 953867 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive1: ST31000526SV ATA Device +++++
— User —
[MBR] 264a3cc523980de401663de2930c555b
[BSP] a07943d555a412d9697e072a3065792c : Windows 7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 646459 Mo
1 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 1323950080 | Size: 307409 Mo
User = LL1 … OK!
User = LL2 … OK!

+++++ PhysicalDrive2: SMI USB DISK USB Device +++++
— User —
[MBR] ac08b949078f59e85581010880693d31
[BSP] 370eac4e0faaed5068851ac6d9c6e292 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT16 (0x06) [VISIBLE] Offset (sectors): 56 | Size: 955 Mo
User = LL1 … OK!
Error reading LL2 MBR!

+++++ PhysicalDrive3: Kingston DataTraveler G2 USB Device +++++
— User —
[MBR] 7a2f2917e8dbbd789443a206ff4a978a
[BSP] 33a07a59d299ab4ea9f4ab0156f9d86f : Windows XP MBR Code
Partition table:
0 - [ACTIVE] FAT32-LBA (0x0c) [VISIBLE] Offset (sectors): 8064 | Size: 7636 Mo
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[2]_S_05112013_02d1942.txt >>
RKreport[1]_S_05052013_02d1854.txt ; RKreport[2]_S_05112013_02d1942.txt

Hi, it is just a custom MBR and is of no concern. RogueKiller has a list of all bad MBRs and is showing a good LL1 and LL2.

If you wish me to look deeper I can do that
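As an added illustration of the two points made in this thread (DavidR’s note that an “unknown MBR” is often just OEM or backup-software boot code, and essexboy’s reading of the RogueKiller MBR Check), here is a Python script that parses a 512-byte MBR the way those tools report it: an MD5 of the whole sector ([MBR]) and of the 446-byte boot code ([BSP]), the four partition entries with the type/offset/size columns seen above, and a comparison of the same sector read through two paths, which is how the LL1/LL2 lines are modelled here. This is example code, not code from the thread or from aswMBR/RogueKiller. The boot-loader bytes, the “known” hash table and the sample disk are constructed; the partition geometry copies the laptop’s Disk 0 from the aswMBR log, and an “unknown” loader that still passes the cross-read check is exactly the custom-but-clean case described above.

```python
"""Parse an MBR sector and report it the way aswMBR / RogueKiller do.
Added example; boot-code bytes, hash table and sample disk are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"

# Partition type bytes that appear in the thread's logs, with the labels the tools print.
PARTITION_TYPES = {0x05: "EXTEN", 0x06: "FAT16", 0x07: "HPFS/NTFS",
                   0x0C: "FAT32-LBA", 0x27: "Hidden NTFS WinRE"}

# Constructed boot loaders: neither is real Windows or OEM code.
STOCK_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 20
CUSTOM_BOOT_CODE = b"\xeb\x40" + STOCK_BOOT_CODE   # "OEM" variant: extra jump in front
# Constructed signature table; real tools ship a large one. Hash covers the full 446 bytes.
KNOWN_BOOT_CODE = {
    hashlib.md5(STOCK_BOOT_CODE.ljust(PARTITION_TABLE_OFFSET, b"\0")).hexdigest():
        "Sample stock MBR code (constructed)",
}


def make_entry(active, ptype, lba_start, sectors):
    """One 16-byte partition entry; CHS fields zeroed, LBA fields used."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


def build_mbr(boot_code, entries):
    """Assemble boot code + up to four entries + 0x55AA into one 512-byte sector."""
    if len(boot_code) > PARTITION_TABLE_OFFSET or len(entries) > 4:
        raise ValueError("boot code too long or too many partitions")
    table = b"".join(entries).ljust(4 * ENTRY_SIZE, b"\0")
    return boot_code.ljust(PARTITION_TABLE_OFFSET, b"\0") + table + BOOT_SIGNATURE


def parse_mbr(sector):
    """Return the [MBR]/[BSP] hashes and the partition table of one sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0x00:
            continue                      # empty slot
        if status not in (0x00, 0x80):
            raise ValueError(f"entry {i}: invalid status byte 0x{status:02x}")
        partitions.append({"index": i, "active": status == 0x80, "type": ptype,
                           "name": PARTITION_TYPES.get(ptype, "unknown"),
                           "offset_sectors": lba_start,
                           "size_mb": sectors * SECTOR_SIZE // (1024 * 1024)})
    return {"mbr_md5": hashlib.md5(sector).hexdigest(),
            "bootcode_md5": hashlib.md5(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
            "partitions": partitions}


def classify_boot_code(parsed):
    """'MBR Code unknown' means only that the loader is not in the table."""
    return KNOWN_BOOT_CODE.get(parsed["bootcode_md5"], "MBR Code unknown")


def cross_check_reads(user_read, low_level_read):
    """Model of the LL1/LL2 lines: the sector read through a second path must
    match the first. A filter that serves a clean copy to one path only fails this."""
    return user_read == low_level_read


def report(sector):
    """Render in the layout of RogueKiller's MBR Check section."""
    parsed = parse_mbr(sector)
    lines = [f"[MBR] {parsed['mbr_md5']}",
             f"[BSP] {parsed['bootcode_md5']} : {classify_boot_code(parsed)}"]
    for p in parsed["partitions"]:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        lines.append(f"{p['index']} - [{flag}] {p['name']} (0x{p['type']:02x}) "
                     f"Offset (sectors): {p['offset_sectors']} | Size: {p['size_mb']} MB")
    return "\n".join(lines)


# Laptop Disk 0 from the aswMBR log above, rebuilt as a constructed sample
# (sector counts chosen so that sectors / 2048 gives the logged 12291 / 70168 / 70166 MB).
LAPTOP_ENTRIES = [make_entry(False, 0x27, 63, 25171968),
                  make_entry(True, 0x07, 25174016, 143704064),
                  make_entry(False, 0x07, 168878080, 143699968)]
LAPTOP_MBR = build_mbr(CUSTOM_BOOT_CODE, LAPTOP_ENTRIES)

if __name__ == "__main__":
    print(report(LAPTOP_MBR))                      # custom loader -> "MBR Code unknown"
    print("LL1/LL2 consistent:", cross_check_reads(LAPTOP_MBR, LAPTOP_MBR))
    # A hook that shows the stock loader to one read path but not the other:
    served_clean = build_mbr(STOCK_BOOT_CODE, LAPTOP_ENTRIES)
    print("LL1/LL2 consistent when one path is lied to:",
          cross_check_reads(served_clean, LAPTOP_MBR))
```

The point to take from the two runs at the bottom: the custom loader is reported as “MBR Code unknown” yet both read paths agree, which is the benign OEM/Acronis case; only the second run, where one path is handed a different sector than the other, is the pattern an MBR rootkit leaves.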

Can I just say you guys have been great! Best forum I’ve been on. I’ll know where to come if I run into any trouble in the future.
That’s good news. I was mainly worried about the MBR. But if it’s okay about further checks and if you’re not too busy I would appreciate that. Thanks.

No problem

Download OTL to your Desktop
Secondary link

[*]Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.

https://dl.dropbox.com/u/73555776/OTL_Main_Tutorial.gif

[*]Select All Users
[*]Under the Custom Scan box paste this in

netsvcs
BASESERVICES
%SYSTEMDRIVE%*.exe
/md5start
services.*
explorer.exe
winlogon.exe
Userinit.exe
svchost.exe
winsock.*
/md5stop
CREATERESTOREPOINT

[*]Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
[*]When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
[*]Attach both logs

Here you go. :slight_smile: It did not produce an extras.txt?

Just some adware is all

Warning: This fix is only relevant for this system and no other; using it on another computer may cause problems

Be advised that when the fix commences it will shut down all running processes and you may lose the desktop and icons, they will return on reboot

Run OTL

[*]Under the Custom Scans/Fixes box at the bottom, paste in the following

https://dl.dropbox.com/u/73555776/OTL_Fix.GIF


:OTL
IE - HKU\S-1-5-21-366503658-1597434619-481558210-1001\SOFTWARE\Microsoft\Internet Explorer\Main,Search Bar = http://feed.snap.do/?publisher=SnapdoOpenCandy&dpid=SnapdoOpenCandy&co=AU&userid=1120a2bc-114c-44d1-91a4-58f8d53ede4d&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-366503658-1597434619-481558210-1001\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://feed.snap.do/?publisher=SnapdoOpenCandy&dpid=SnapdoOpenCandy&co=AU&userid=1120a2bc-114c-44d1-91a4-58f8d53ede4d&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-366503658-1597434619-481558210-1001\SOFTWARE\Microsoft\Internet Explorer\Search,SearchAssistant = http://feed.snap.do/?publisher=SnapdoOpenCandy&dpid=SnapdoOpenCandy&co=AU&userid=1120a2bc-114c-44d1-91a4-58f8d53ede4d&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-366503658-1597434619-481558210-1001\..\URLSearchHook: {3bbd3c14-4c16-4989-8366-95bc9179779d} - No CLSID value found
IE - HKU\S-1-5-21-366503658-1597434619-481558210-1001\..\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}: "URL" = http://feed.snap.do/?publisher=SnapdoOpenCandy&dpid=SnapdoOpenCandy&co=AU&userid=1120a2bc-114c-44d1-91a4-58f8d53ede4d&searchtype=ds&q={searchTerms}
IE - HKU\S-1-5-21-366503658-1597434619-481558210-1001\..\SearchScopes\{9A90A6B2-549B-4036-889C-9E71C14484C9}: "URL" = http://search.conduit.com/ResultsExt.aspx?q={searchTerms}&SearchSource=4&ctid=CT3201318
O4 - HKU\S-1-5-21-366503658-1597434619-481558210-1001..\Run: [Browser Infrastructure Helper] C:\Users\UpdatusUser\AppData\Local\Smartbar\Application\SnapDo.exe startup File not found

:Files
C:\Users\UpdatusUser

:Commands
[resethosts]
[emptytemp]
[CREATERESTOREPOINT]
[Reboot]

[*]Then click the Run Fix button at the top
[*]Let the program run unhindered, reboot the PC when it is done
[*]Open OTL again and click the Quick Scan button. Post the log it produces in your next reply.

THEN

Download AdwCleaner from here to your desktop
Run AdwCleaner and select Delete

https://dl.dropbox.com/u/73555776/AdwCleaner.GIF

Once done it will ask to reboot, allow this
On reboot a log will be produced please attach that
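A check that spells out the heuristic behind the [SUSP PATH] tags in the RogueKiller report and the Run/SearchScopes lines targeted by this fix, as an added Python example (not the tools’ own code): autostart entries whose executable sits in a user-writable directory, or in a profile other than the one the scan ran under, and IE search URLs whose host is not a known provider or that carry a per-install tracking id. The sample entries, the allowlist of search hosts, the path patterns and the “other profile” rule are constructed assumptions for the example; the real tools use their own, larger rule sets.

```python
"""Flag suspicious autostart entries and hijacked search URLs.
Added example; sample data, path patterns and host allowlist are constructed."""
import re
from urllib.parse import urlparse

CURRENT_USER = "john"   # the account the scans in this thread ran under

# User-writable locations that need no admin rights to drop a binary into
# (assumed patterns; compare the UpdatusUser and Temp paths in the report).
SUSPICIOUS_PATH_PATTERNS = [
    r"\\AppData\\Local\\Temp\\",
    r"\\AppData\\Roaming\\",
    r"\\AppData\\Local\\",
    r"\\ProgramData\\",
    r"\\Users\\Public\\",
]

# Search providers accepted as legitimate (assumption for the example).
KNOWN_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}


def executable_path(command):
    """Strip arguments such as 'startup' from a Run-key command line."""
    command = command.strip().strip('"')
    m = re.match(r"^(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command


def check_run_entry(command, current_user=CURRENT_USER):
    """Reasons an autostart entry deserves a look; empty list means nothing odd."""
    path = executable_path(command)
    reasons = []
    if any(re.search(p, path, re.IGNORECASE) for p in SUSPICIOUS_PATH_PATTERNS):
        reasons.append("SUSP PATH")
    m = re.search(r"\\Users\\([^\\]+)\\", path, re.IGNORECASE)
    if m and m.group(1).lower() != current_user.lower():
        reasons.append(f"other profile ({m.group(1)})")
    return reasons


def check_search_url(url):
    """Reasons a configured search URL looks like a hijack."""
    parsed = urlparse(url)
    reasons = []
    if parsed.hostname not in KNOWN_SEARCH_HOSTS:
        reasons.append(f"unknown provider {parsed.hostname}")
    if "userid=" in parsed.query.lower():
        reasons.append("per-install tracking id")
    return reasons


def scan(run_entries, search_urls):
    """Run both checks and return (section, name, reason) findings."""
    findings = []
    for name, cmd in run_entries.items():
        findings += [("RUN", name, r) for r in check_run_entry(cmd)]
    for name, url in search_urls.items():
        findings += [("IE", name, r) for r in check_search_url(url)]
    return findings


# Constructed samples in the shape of the RogueKiller / OTL lines above.
SAMPLE_RUN_ENTRIES = {
    "JFSW2Launch": r"C:\Users\UpdatusUser\AppData\Roaming\Transcend\JFSW2\JFSW2Launch.exe",
    "Browser Infrastructure Helper":
        r"C:\Users\UpdatusUser\AppData\Local\Smartbar\Application\SnapDo.exe startup",
    "Run RoboForm Process": r"C:\Users\john\AppData\Local\Temp\RoboForm\RoboTaskBarIcon.exe",
    "SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",   # benign, constructed
}
SAMPLE_SEARCH_URLS = {
    "Search Bar": "http://feed.snap.do/?publisher=SnapdoOpenCandy&dpid=SnapdoOpenCandy"
                  "&userid=00000000-0000-0000-0000-000000000000&searchtype=ds&q={searchTerms}",
    "Default_Search_URL": "http://www.bing.com/search?q={searchTerms}",   # benign, constructed
}

if __name__ == "__main__":
    for section, name, reason in scan(SAMPLE_RUN_ENTRIES, SAMPLE_SEARCH_URLS):
        print(f"[{section}][{reason}] {name}")
```

Nothing here proves an entry is malicious: RoboForm’s tray icon running from Temp is a legitimate product doing something unusual, which is why a human reviews the flagged lines before an OTL fix is written for them.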

Okay, and thanks.

AdwCleaner v2.300 - Logfile created 05/12/2013 at 14:59:29

Updated 28/04/2013 by Xplode

Operating system : Windows 7 Home Premium Service Pack 1 (64 bits)

User : john - JOHN-PC

Boot Mode : Normal

Running from : C:\Users\john\Desktop\adwcleaner.exe

Option [Delete]

***** [Services] *****

***** [Files / Folders] *****

***** [Registry] *****

Key Deleted : HKU\S-1-5-21-366503658-1597434619-481558210-1001\Software\Microsoft\Internet Explorer\SearchScopes{006EE092-9658-4FD6-BD8E-A21A348E59F5}

***** [Internet Browsers] *****

-\ Internet Explorer v10.0.9200.16537

[OK] Registry is clean.

-\ Google Chrome v26.0.1410.43

File : C:\Users\john\AppData\Local\Google\Chrome\User Data\Default\Preferences

[OK] File is clean.


AdwCleaner[R1].txt - [7374 octets] - [04/05/2013 00:31:46]
AdwCleaner[R2].txt - [1051 octets] - [12/05/2013 14:58:59]
AdwCleaner[S1].txt - [7610 octets] - [04/05/2013 00:32:08]
AdwCleaner[S2].txt - [986 octets] - [12/05/2013 14:59:29]

########## EOF - C:\AdwCleaner[S2].txt - [1045 octets] ##########

How is the computer behaving ?

Really good actually. It’s very sharp and responsive since getting rid of snap-do and running the cleaner!
Did a full back-up earlier. I knew it had that snap-do in there but I had kind of given up on getting rid of it, so yeah, thanks for that.
Been a pleasure dealing with you essexboy and DavidR. I know definitely where to come if I get in trouble, you have both been great!
Take care guys.

No problem glad we could help.

…miss post

It is amazing how much junk accumulates in such a short period. To keep it clean I would suggest that you use TFC on a weekly basis to empty all temporary folders, this also clears Java and Flash

Clear Cache/Temp Files
Download TFC by OldTimer to your desktop

[*] Please double-click TFC.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
[*]It will close all programs when run, so make sure you have saved all your work before you begin.
[*]Click the Start button to begin the process. Depending on how often you clean temp files, execution time should be anywhere from a few seconds to a minute or two. Let it run uninterrupted to completion.
[*]Once it’s finished it should reboot your machine. If it does not, please manually reboot the machine yourself to ensure a complete clean.

Subject to no further problems :slight_smile:

I will remove my tools now and give some recommendations, but I would like you to run for 24 hours or so and come back if you have any problems

Now the best part of the day ----- Your log now appears clean :thumbsup:

A good workman always cleans up after himself so…The following will implement some cleanup procedures as well as reset System Restore points:

Run AdwCleaner and press uninstall

Run OTL and hit the cleanup button. It will remove all the programmes we have used plus itself.

Clear Restore Points

Go Start > All Programmes > Accessories > System tools
Right click Disc Cleanup and select run as administrator
When it pops up at the first prompt select OK after it has done some calculations the tabs will appear
Select More Options tab
Press the System Restore and Shadow Copies Cleanup button

https://dl.dropbox.com/u/73555776/disc%20clean.JPG

Now that you are clean, to help protect your computer in the future I recommend that you get the following free programmes:

http://img233.imageshack.us/img233/7729/mbamicontw5.gif
Malwarebytes.

Update and run weekly to keep your system clean

Download and install FileHippo update checker and run it monthly it will show you which programmes on your system need updating and give a download link

If you use on-line banking then as an added layer of protection install Trusteer Rapport

It is critical to have both a firewall and anti virus to protect your system and to keep them updated. To keep your operating system up to date visit
[*]Microsoft Windows Update

To learn more about how to protect yourself while on the internet, read our little guide “How did I get infected in the first place?” Keep safe :wave: