support for aswMBR?

I’m new here, so sorry if this is the wrong forum, but it looked the closest.

I am attempting to repair my WinXP system, and a helpful malware exterminator over at TechSpot.com told me to use aswMBR to scan my system.

this thing: aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software

I have a SCSI Ultra160 controller and MAYBE that is the problem. It takes HOURS for this software to run and, honestly, I still haven’t seen it complete the scan yet. It is only scanning the system files, not the whole disk. It can be seen taking several minutes on each of the large files, and just a few minutes ago, as the time went across midnight, it sat on one file for almost an hour. I couldn’t even get Task Manager to start and so I had to just press the reset button!

I can’t believe this is normal or acceptable. Are there any command line tricks I might try?

Do you have a malware problem?

If so, follow the guide here, attach the logs and essexboy will help you when he arrives:
http://forum.avast.com/index.php?topic=53253.0

Which is your installed antivirus?

Run aswMBR initially with no scan selected in the drop down box

Viruses were found and removed. Malware was found and removed. It now APPEARS that there is a bootkit infection, but that is why I am running this utility.

Here is the log file, which shows that it ran for over 15 hours and still had not completed! Maybe I need to turn off a bunch of services? What could cause this?

aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 02:18:03

02:18:03.984 OS Version: Windows 5.1.2600 Service Pack 3
02:18:03.984 Number of processors: 1 586 0x801
02:18:03.984 ComputerName: RIONXP UserName: Rion
02:18:04.328 Initialize success
02:18:12.093 AVAST engine defs: 12011801
02:18:30.859 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Scsi\adpu160m1Port2Path0Target0Lun0
02:18:30.859 Disk 0 Vendor: SEAGATE_ 0003 Size: 17501MB BusType: 1
02:18:31.375 Disk 1 \Device\Harddisk1\DR1 → \Device\Scsi\adpu160m1Port2Path0Target1Lun0
02:18:31.375 Disk 1 Vendor: QUANTUM_ UCH0 Size: 8759MB BusType: 1
02:18:31.375 Disk 2 \Device\Harddisk2\DR2 → \Device\Scsi\adpu160m1Port2Path0Target2Lun0
02:18:31.375 Disk 2 Vendor: FUJITSU_ 0104 Size: 35068MB BusType: 1
02:18:31.375 Device \Driver\adpu160m → DriverStartIo SCSIPORT.SYS f73c440e
02:18:31.406 Disk 0 MBR read successfully
02:18:31.406 Disk 0 MBR scan
02:18:31.421 Disk 0 Windows XP default MBR code
02:18:31.437 Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSDOS5.0 17492 MB offset 63
02:18:31.453 Disk 0 scanning sectors +35824950
02:18:31.468 Disk 0 scanning C:\WINDOWS\system32\drivers
02:57:49.187 Service scanning
02:57:50.343 Modules scanning
03:32:05.765 Disk 0 trace - called modules:
03:32:05.765 ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll adpu160m.sys
03:32:05.781 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86f0e918]
03:32:05.781 3 CLASSPNP.SYS[f750ffd7] → nt!IofCallDriver → \Device\Scsi\adpu160m1Port2Path0Target0Lun0[0x86fd6a38]
03:32:06.328 AVAST engine scan C:\WINDOWS
03:44:38.890 AVAST engine scan C:\WINDOWS\system32
16:42:33.781 AVAST engine scan C:\WINDOWS\system32\drivers
17:21:50.796 AVAST engine scan C:\Documents and Settings\Rion
17:38:51.125 Disk 0 MBR has been saved successfully to “C:\MBR.dat”
17:38:51.140 The log file has been saved successfully to “C:\aswMBR.txt”

Do you have a link to the thread so that I can see what has been done?

Here’s the link for EssexBoy, but I am a bit perplexed that no one has a clue as to why the utility runs so slowly. I am going to guess that it is because of my SCSI controller. Many of these utilities try to access the drive directly, but if they assume an ATA drive, that won’t work on my system.

http://www.techspot.com/vb/topic176130.html

How much data is on your drive and what size is it?

The actual MBR scan part should take no more than a minute or two.

Just running a quick scan now; this is the log after a quick scan:

Do any other programmes have problems running on the drive configuration?

aswMBR version 0.9.9.1509 Copyright(c) 2011 AVAST Software
Run date: 2012-01-24 21:18:01

21:18:01.413 OS Version: Windows x64 6.1.7601 Service Pack 1
21:18:01.413 Number of processors: 4 586 0x2A07
21:18:01.413 ComputerName: MARTIN-HP UserName: Martin
21:18:03.254 Initialize success
21:18:03.472 AVAST engine defs: 12012400
21:18:09.182 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
21:18:09.182 Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 3
21:18:09.182 Disk 0 MBR read successfully
21:18:09.197 Disk 0 MBR scan
21:18:09.197 Disk 0 unknown MBR code
21:18:09.197 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
21:18:09.213 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 482461 MB offset 206848
21:18:09.213 Disk 0 Partition - 00 0F Extended LBA 460152 MB offset 988286976
21:18:09.244 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 11154 MB offset 1930678272
21:18:09.275 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 460151 MB offset 988289024
21:18:09.275 Service scanning
21:18:10.414 Modules scanning
21:18:10.414 Disk 0 trace - called modules:
21:18:10.929 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:18:10.929 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa8006fd4060]
21:18:10.945 3 CLASSPNP.SYS[fffff88001d7143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa8004751050]
21:18:12.926 AVAST engine scan C:\Windows
21:18:15.734 AVAST engine scan C:\Windows\system32
21:19:09.772 AVAST engine scan C:\Windows\system32\drivers
21:19:16.434 AVAST engine scan C:\Users\Martin
21:20:12.516 AVAST engine scan C:\ProgramData
21:21:06.913 Scan finished successfully
21:22:48.735 Disk 0 MBR has been saved successfully to “C:\Users\Martin\Desktop\MBR.dat”
21:22:48.735 The log file has been saved successfully to “C:\Users\Martin\Desktop\aswMBR.txt”

>>How much data is on your drive and what size is it
I have three SCSI drives, but the C drive is 18g, 12g is used.

>>The actual MBR scan part should take no more than a minute or two
I think you can inspect the listing I gave and see the time stamps. The first part went very quickly like you say, but when scanning directories…

>>Do any other programmes have problems running on the drive configuration
There was another anti-virus utility they asked me to run, and it didn’t complete like it should. The initial message said something to the effect “this program should take no more than 3 minutes…” and so after 10 minutes it seemed to be hanging. And I couldn’t terminate it or even get Windows Task Manager to start, so I had to press the reset button. UGGGHH! That thing was not a program, but a script. It is called DDS.scr and they had me put it on the desktop and run from there. I have tried it a few times and always got the same result. BUT… all normal programs seem to run just fine.

I think the Esage run had problems as well, as the list partitions looked OK

What symptoms are you experiencing?

I notice that he hasn’t tried OTL yet; I wonder if that would run.

Not sure what the Esage run is. Currently I am experiencing NO SYMPTOMS except scanners not working! I don’t know what OTL is.

Since my last post, he had me try ComboFix, which did about the same thing as DDS: started up OK, then just sat there for hours until I hit the reset button. I couldn’t do a normal shutdown or kill CF. He may ask me to rename CF and try it that way.

My current position is that the system seems to be working just fine and all this effort seems to be going nowhere. Of course, if there is an indication of a rootkit, it must be found.

The problem being perceived is in this area - you are in the blue

02:18:31.437 Disk 0 Partition 1 80 (A) 0C FAT32 LBA MSDOS5.0 17492 MB offset 63
21:18:09.197 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048

80 (A) 0C: this indicates a FAT32 partition

Whereas

80 (A) 07: this indicates an NTFS partition

Most programmes now expect an NTFS file structure, so this may be the root of the problem.

I have been suspecting something of that nature. Some kind of assumption or bug with SCSI. Actually, most of the scanners I have tried have worked well; it’s just these three that I mentioned that are hanging. There are about 10 others that I have run OK by now.

If these scanners have such a limitation, it should be documented and these professional helper types that are telling us to use the scanners should know. They will see FAT32 in one of the log files and then not ask us to use those specific scanners, right?

ComboFix (CF) needs the Windows Recovery Console (WRC) installed to do its thing. I already had installed it (I think), and CF informed me that it was going to install or update WRC. It turns out that it installed a CORRUPTED SCSI driver, so WRC would no longer boot. I know this because I attempted to boot into WRC and it gave me a message about that, and then when I looked at the driver file it was very small and contained the text “404 - file not found.” Did this come from Microsoft? I don’t know.

My answer was to let it do its “update” thing and then later copy in the correct SCSI driver file from the i386 directory. Then WRC was up to date and was bootable. Unfortunately, this did not seem to fix the problem with CF just hanging in AutoScan.

ComboFix created a directory and I found mbr.log in there:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SEAGATE_ rev.0003 -> Harddisk0\DR0 -> \Device\Scsi\adpu160m1Port2Path0Target2Lun0 

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!! 
error: Read  The request could not be performed because of an I/O device error.

I think that this boils down to the file system on the hard drive and the SCSI connect… A very unusual combination… If you have no problems evident then I would suspect it may be something you will either have to get used to, or convert the drive to NTFS.
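To make the two checks discussed in this part of the thread concrete, here is an added example (it is not code from aswMBR, gmer or any poster): it decodes the 16-byte MBR partition entries behind log lines such as "80 (A) 0C FAT32 LBA 17492 MB offset 63", flags the small hidden partition pattern from the Alureon log later in the thread, and performs the comparison step behind gmer's "user != kernel MBR !!!" verdict. The two MBR images it compares are constructed test data (the boot code is zero-filled, not real XP boot code); in the real tools the two reads come from a user-mode file read and a direct kernel-mode disk request, which Python cannot do by itself. The type-code table and the 64 MB "small hidden partition" threshold are assumptions of this example, not values from the page.

```python
import struct

# Partition type codes as aswMBR prints them in the logs above.
# Assumption: this table is deliberately short, not a full list of MBR type codes.
PARTITION_TYPES = {
    0x07: "HPFS/NTFS",
    0x0B: "FAT32",
    0x0C: "FAT32 LBA",
    0x0F: "Extended LBA",
    0x17: "Hidd HPFS/NTFS",
}
HIDDEN_TYPES = {0x17}  # hidden-NTFS code seen in the Alureon log; extend as needed

SECTOR = 512
BOOT_CODE_LEN = 440      # boot code proper; bytes 440-445 hold the disk signature
TABLE_OFFSET = 446       # four 16-byte partition entries follow
ENTRY_FMT = "<B3xB3xII"  # boot flag, CHS start (skipped), type, CHS end (skipped), LBA, count


def parse_partition_table(mbr: bytes):
    """Decode the four partition entries of a 512-byte MBR into dicts."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a 0x55AA signature")
    entries = []
    for i in range(4):
        start = TABLE_OFFSET + i * 16
        boot, ptype, lba, count = struct.unpack(ENTRY_FMT, mbr[start:start + 16])
        if ptype == 0 and count == 0:
            continue  # empty slot
        entries.append({
            "index": i + 1,
            "boot": boot,
            "active": boot == 0x80,          # 0x80 is what aswMBR shows as "(A)"
            "type": ptype,
            "name": PARTITION_TYPES.get(ptype, "unknown"),
            "hidden": ptype in HIDDEN_TYPES,
            "offset": lba,
            "sectors": count,
            "size_mb": count * SECTOR // (1024 * 1024),
        })
    return entries


def format_entry(e):
    """Render an entry the way aswMBR prints it, e.g. '80 (A) 0C FAT32 LBA 17492 MB offset 63'."""
    flag = " (A)" if e["active"] else ""
    return f"{e['boot']:02X}{flag} {e['type']:02X} {e['name']} {e['size_mb']} MB offset {e['offset']}"


def suspicious_entries(entries, max_hidden_mb=64):
    """Flag a small hidden partition next to the system volume (the Alureon log
    shows a 7 MB type-17 partition). The 64 MB threshold is an assumption."""
    return [e for e in entries if e["hidden"] and e["size_mb"] <= max_hidden_mb]


def compare_mbr_reads(user_read: bytes, kernel_read: bytes):
    """The comparison behind gmer's 'user != kernel MBR': a kernel-mode rootkit
    that filters disk I/O hands user mode a clean sector while the real one
    differs. Returns the regions that disagree (empty list means they match)."""
    diffs = []
    if user_read[:BOOT_CODE_LEN] != kernel_read[:BOOT_CODE_LEN]:
        diffs.append("boot code")
    if user_read[TABLE_OFFSET:510] != kernel_read[TABLE_OFFSET:510]:
        diffs.append("partition table")
    return diffs


def build_sample_mbr(entries, boot_code=b""):
    """Construct a 512-byte MBR from (boot, type, lba, count) tuples. Test data only."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (boot, ptype, lba, count) in enumerate(entries):
        start = TABLE_OFFSET + i * 16
        mbr[start:start + 16] = struct.pack(ENTRY_FMT, boot, ptype, lba, count)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)


# Constructed images modelled on the logs in this thread (sector counts chosen so
# the MB figures match; real disks would differ in detail).
SCSI_XP_MBR = build_sample_mbr([(0x80, 0x0C, 63, 35824887)])
# Infected layout: NTFS system volume plus a 7 MB hidden NTFS partition, with
# two altered leading bytes standing in for "unknown MBR code".
INFECTED_MBR = build_sample_mbr(
    [(0x80, 0x07, 63, 71956017), (0x00, 0x17, 71956080, 14336)], boot_code=b"\xEB\x1E")
# What a filtered user-mode read of that same disk might return: clean code, no second partition.
USER_VIEW_MBR = build_sample_mbr([(0x80, 0x07, 63, 71956017)])

if __name__ == "__main__":
    for label, img in (("SCSI XP disk", SCSI_XP_MBR), ("Alureon disk", INFECTED_MBR)):
        print(label)
        parsed = parse_partition_table(img)
        for e in parsed:
            print("  Partition", e["index"], format_entry(e))
        for e in suspicious_entries(parsed):
            print("  ! small hidden partition:", format_entry(e))
    print("user vs kernel read differs in:", compare_mbr_reads(USER_VIEW_MBR, INFECTED_MBR))
```

Running the block prints the two partition tables in aswMBR's notation, marks the 7 MB hidden entry, and reports that the user-mode view and the kernel-mode view of the infected disk disagree in both the boot code and the partition table, which is exactly the condition that makes a bootkit scanner distrust what the operating system shows it.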

I have just recently installed Avast Free Antivirus and it immediately detected a Rootkit MBR: Alureon. I tried using the Delete now action but it didn’t work. I did some web searches and saw it was recommended to use aswMBR. I downloaded aswMBR and did a scan and it returned this log -

aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-18 13:56:22

13:56:22.378 OS Version: Windows 5.1.2600 Service Pack 2
13:56:22.378 Number of processors: 1 586 0x905
13:56:22.378 ComputerName: NIX UserName: Me
13:56:25.302 Initialize success
13:56:26.193 AVAST engine defs: 12031701
13:57:28.583 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
13:57:28.593 Disk 0 Vendor: FUJITSU_MHS2040AT__D 8205 Size: 35141MB BusType: 3
13:57:28.994 Disk 0 MBR read successfully
13:57:28.994 Disk 0 MBR scan
13:57:29.004 Disk 0 unknown MBR code
13:57:29.024 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 35134 MB offset 63
13:57:29.054 Disk 0 Partition 2 00 17 Hidd HPFS/NTFS NTFS 7 MB offset 71956080
13:57:29.064 Disk 0 Partition 2 INFECTED MBR:Alureon-K [Rtk]
13:57:29.064 Disk 0 scanning sectors +71971200
13:57:29.274 Disk 0 scanning C:\WINDOWS\system32\drivers
13:57:49.423 Service scanning
13:58:23.632 Modules scanning
13:58:42.389 Disk 0 trace - called modules:
13:58:42.860 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
13:58:42.860 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x86f24ab8]
13:58:42.870 3 CLASSPNP.SYS[f76e105b] → nt!IofCallDriver → \Device\00000079[0x86f3f130]
13:58:42.870 5 ACPI.sys[f7657620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x86f23d98]
13:58:43.360 AVAST engine scan C:
14:36:15.960 Scan finished successfully
14:36:52.883 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Me\My Documents\MBR.dat”
14:36:52.893 The log file has been saved successfully to “C:\Documents and Settings\Me\My Documents\aswMBR.txt”

My question is now: do I just select FixMBR or is it more complicated than that? Sorry, just unsure what to do next. (Yes, I’m a noob :-[)

OK, this is a multiple-type infection, so we will need to remove it in parts.

First :

Do the following:
Start > Run
Type diskmgmt.msc
Click “OK”

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

You will see a 7 MB partition
Right click that and select delete

Then :

Download the latest version of TDSSKiller from here and save it to your Desktop.

- Double-click on TDSSKiller.exe to run the application, then click on Change parameters.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_1.jpg

- Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_2.jpg

- Click the Start Scan button.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_3.jpg

- If a suspicious object is detected, the default action will be Skip; click on Continue.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_4.jpg

- If malicious objects are found, they will show in the Scan results and offer three (3) options.
- Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

http://i466.photobucket.com/albums/rr21/JSntgRvr/tdss_5.jpg

- Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.

A report will be created in your root directory, (usually C:\ folder) in the form of “TDSSKiller.[Version][Date][Time]_log.txt”. Please copy and paste its contents on your next reply.

Thank you for the swift reply. I deleted the partition with Disk Manager and did a scan with TDSSKiller, which detected 21 threats. There was no Cure option so I skipped them all. Here is a link to the TDSSKiller log (I had to upload it to cloud storage as it exceeded the character limit for a post).

http://www.mediafire.com/?6v1bt5lw9ib9wxw

Any problems apparent?