unknown MBR

An unknown MBR code was noticed when running aswMBR. Could EssexBoy please take a look and tell me whether or not there is a problem? This computer was a custom build, not an OEM, and does not have a recovery partition.

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-21 16:19:05

16:19:05.921 OS Version: Windows 5.1.2600 Service Pack 3
16:19:05.921 Number of processors: 2 586 0x6B02
16:19:05.921 ComputerName: F6L2R7 UserName: Ann
16:19:06.328 Initialize success
16:19:09.765 AVAST engine defs: 13012001
16:20:39.890 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000067
16:20:39.890 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476938MB BusType: 3
16:20:39.953 Disk 0 MBR read successfully
16:20:39.953 Disk 0 MBR scan
16:20:39.968 Disk 0 unknown MBR code
16:20:39.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
16:20:39.968 Disk 0 scanning sectors +976768065
16:20:40.000 Disk 0 scanning C:\WINDOWS\system32\drivers
16:20:47.562 Service scanning
16:20:57.609 Modules scanning
16:21:17.468 Disk 0 trace - called modules:
16:21:17.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
16:21:17.484 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a66aab8]
16:21:17.484 3 CLASSPNP.SYS[b80e8fd7] → nt!IofCallDriver → \Device\00000068[0x8a674f18]
16:21:17.484 5 ACPI.sys[b7f7f620] → nt!IofCallDriver → \Device\00000067[0x8a66a030]
16:21:17.875 AVAST engine scan C:\WINDOWS
16:21:24.031 AVAST engine scan C:\WINDOWS\system32
16:23:17.687 AVAST engine scan C:\WINDOWS\system32\drivers
16:23:38.937 AVAST engine scan C:\Documents and Settings\Ann
16:32:57.015 AVAST engine scan C:\Documents and Settings\All Users
16:35:56.531 Scan finished successfully
16:36:19.625 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Ann\My Documents\MBR.dat”
16:36:19.656 The log file has been saved successfully to “C:\Documents and Settings\Ann\My Documents\aswMBR.txt”

He is notified, check back tomorrow.

ty :slight_smile:

Would you care to tell us why you felt the need to run aswMBR ?

This is a specialist tool that should be run for a specific purpose.

I asked for a checkup in a forum from someone who helps there and at the Malwarebytes forum because I had Java and an old Adobe Reader on my computer.

I have run the following tools:

TDSS Killer - clean
adwcleaner - clean
Junkware Remover - clean
Rogue Killer - clean
FSS - clean
Combofix - evidence of this malware: http://www.sophos.co…d-analysis.aspx
no notification of a rootkit or evidence of a rootkit on the rest of the scan.

The helper was concerned because some trojans/rootkits such as Alureon can create a hidden partition that can hide from detection and will often present as an unknown MBR on aswMBR and other tools that check the MBR. The helper knows this often happens on OEM computers with recovery partitions but since my computer is a custom build with no recovery partition, it was advised that I submit the mbr.dat file to EssexBoy for inspection to make sure it is clean.

Yes, it is just that we generally don’t see the aswMBR presented in isolation.

MBR rootkits, and rootkits whilst they may be hidden, are generally going to present other symptoms: attempts to connect to other sites to download more malware, etc.

Whilst unknown MBR isn’t unusual, it is not necessarily an indication of an MBR rootkit. From my limited understanding of the aswMBR logs, the aswMBR isn’t showing any hidden partition, etc., and the avast scan isn’t flagging anything else.

Since all of your other scans have come up clean and your concerns and reason for all of the scans was having JAVA and an out of date Adobe Reader, the likelihood is that these haven’t compromised your system.

Personally, if you haven’t done so already I would uninstall JAVA (unless you absolutely have to have it for websites or applications that require it). I would also suggest that you get rid of Adobe Reader, as it is a constant target of malware given its high user base, and use one of the other PDF Reader options.

But essexboy may see something in the aswMBR that I don’t so he would have to give the all clear on that one. It is now almost 1am in the UK so he won’t be back until later today.

Since there was a detection on combofix, I would suggest that you attach that log also so he can get some more background information.

The Java and Adobe have gone from my computer and once my computer is given the all clear I will download another PDF viewer, but I need the all clear on the MBR first before I install anything else.

Because our malware experts live in different parts of the world, it may be a bit of time before one of them comes and joins your thread. Please be patient.

A third-party PDF reader that is safer to use and works well is this one: http://www.foxitsoftware.com/Secure_PDF_Reader/ Securing your system against vulnerable and obsolete (end of life) software can be addressed by this tool: http://secunia.com/vulnerability_scanning/online/ or this one: http://secunia.com/vulnerability_scanning/personal/

Please note that Secunia Online Scanner does require the use of java installed on your system to run it. You may want to pass on this one because of this requirement.

Thanks :slight_smile: I realise there is a time difference… and because I’m in New Zealand it’s almost time for bed, so I will check back in my morning.

Are you dual booting the system with a Linux release ?

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better, Smartscreen Filter will need to be disabled.

[*] Quit all programs
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.
[*] Post the report

Hello, I don’t think I am doing anything with Linux…

RogueKiller V8.4.3 [Jan 21 2013] by Tigzy
mail : tigzyRKgmailcom
Feedback : http://www.geekstogo.com/forum/files/file/413-roguekiller/
Website : http://tigzy.geekstogo.com/roguekiller.php
Blog : http://tigzyrk.blogspot.com/

Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ann [Admin rights]
Mode : Scan – Date : 01/23/2013 07:31:06

¤¤¤ Bad processes : 0 ¤¤¤

¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU[…]\System : disableregistrytools (0) → FOUND
[HJPOL] HKLM[…]\System : DisableRegistryTools (0) → FOUND

¤¤¤ Particular Files / Folders: ¤¤¤

¤¤¤ Driver : [LOADED] ¤¤¤
SSDT[31] : NtConnectPort @ 0x805A45D8 → HOOKED (Unknown @ 0x89E31700)

¤¤¤ HOSTS File: ¤¤¤
→ C:\WINDOWS\system32\drivers\etc\hosts

127.0.0.1 localhost

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: +++++
— User —
[MBR] 9c7cfd3ce4308e30718b78d30c55765b
[BSP] 4efc888af14c840ef36a74acaa975c86 : Windows XP MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 476937 Mo
User = LL1 … OK!
Error reading LL2 MBR!

Finished : << RKreport[1]_S_01232013_02d0731.txt >>
RKreport[1]_S_01232013_02d0731.txt
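The earlier post explains why an "unknown MBR" reading matters (a rootkit such as Alureon can carve out a hidden partition that the partition table does not account for), and the RogueKiller report above shows what an MBR check produces: a hash of the sector, a hash of the boot code matched against known-good code, and the partition table. The following script is an added example written for this page, not code from aswMBR, RogueKiller or any tool in the thread. It reads a raw 512-byte MBR image (such as the MBR.dat that aswMBR saved) together with the disk's sector count and reports the same three things, plus any sector range no partition claims. It assumes the standard MBR layout (boot code in bytes 0..439, partition table at offset 446, 0x55 0xAA signature); the exact byte range RogueKiller hashes for its [BSP] line is not stated on the page, so hashing the first 440 bytes is this example's own choice. The sample sector, the 8 MB tail threshold and the known-good allowlist are constructed; the disk and partition sizes are the MB figures from the aswMBR log converted at 2048 sectors per MB.

```python
"""Inspect a 512-byte MBR image: hashes, partition table, unallocated space."""
import hashlib
import struct
from typing import Dict, List, Set, Tuple

SECTOR = 512
BOOT_CODE_LEN = 440        # bytes 0..439 hold the boot code (assumed hash range)
PART_TABLE_OFF = 446       # four 16-byte entries follow the disk signature
PART_ENTRY_LEN = 16
# Assumed threshold: unallocated space beyond one legacy cylinder (255 heads x
# 63 sectors, about 8 MB) is more than CHS alignment slack and worth a look.
SUSPICIOUS_TAIL_SECTORS = 255 * 63

PARTITION_TYPES = {0x07: "HPFS/NTFS", 0x0B: "FAT32", 0x0C: "FAT32 LBA",
                   0x82: "Linux swap", 0x83: "Linux", 0xEE: "GPT protective"}


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Decode the four primary entries; empty slots (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        status, ptype, start, count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0 or count == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "start": start, "count": count})
    return parts


def analyse_mbr(mbr: bytes, disk_sectors: int,
                known_boot_code_md5: Set[str] = frozenset()) -> Dict:
    """Hash the sector, decode the table and measure space no partition owns."""
    if len(mbr) != SECTOR:
        raise ValueError("an MBR image is exactly one 512-byte sector")
    parts = sorted(parse_partition_table(mbr), key=lambda p: p["start"])
    boot_md5 = hashlib.md5(mbr[:BOOT_CODE_LEN]).hexdigest()
    # Space before the first partition is the MBR track and is expected.
    # Gaps between partitions and a large tail after the last one are not:
    # a hidden partition at the end of the disk leaves exactly such a tail.
    gaps: List[Tuple[int, int]] = []
    overlap = False
    cursor = parts[0]["start"] if parts else 0
    for p in parts:
        if p["start"] > cursor:
            gaps.append((cursor, p["start"] - cursor))
        elif p["start"] < cursor:
            overlap = True
        cursor = max(cursor, p["start"] + p["count"])
    tail = max(disk_sectors - cursor, 0)
    return {
        "signature_ok": mbr[510:512] == b"\x55\xaa",
        "mbr_md5": hashlib.md5(mbr).hexdigest(),
        "boot_code_md5": boot_md5,
        "boot_code_known": boot_md5 in known_boot_code_md5,
        "partitions": parts,
        "gaps": gaps,
        "overlap": overlap,
        "beyond_disk": cursor > disk_sectors,
        "tail_sectors": tail,
        "suspicious_tail": tail > SUSPICIOUS_TAIL_SECTORS,
    }


def build_sample_mbr(entries: List[Tuple[int, int, int, int]]) -> bytes:
    """Constructed sample sector: a jmp stub plus the message strings a standard
    Windows MBR carries, then the given (status, type, start, count) entries."""
    boot = bytearray(b"\xeb\xfe")
    boot += b"Invalid partition table\x00Error loading operating system\x00Missing operating system\x00"
    boot += bytes(BOOT_CODE_LEN - len(boot))
    sector = boot + struct.pack("<I", 0x1234ABCD) + b"\x00\x00"  # constructed disk signature
    for status, ptype, start, count in entries:
        sector += struct.pack("<B3sB3sII", status, b"\xff" * 3, ptype, b"\xff" * 3, start, count)
    sector += bytes(PART_ENTRY_LEN * (4 - len(entries)))
    sector += b"\x55\xaa"
    return bytes(sector)


# Sizes from the aswMBR log in this thread, converted at 2048 sectors per MB.
DISK_SECTORS = 476_938 * 2048
CLEAN_MBR = build_sample_mbr([(0x80, 0x07, 63, 476_937 * 2048)])
# Same boot code, but the partition stops 10 MB short of the disk end.
SHORT_MBR = build_sample_mbr([(0x80, 0x07, 63, 476_937 * 2048 - 10 * 2048)])
# Constructed allowlist seeded with the sample's own boot code; a real tool
# compares against a list of known-good boot code hashes.
KNOWN_GOOD = {hashlib.md5(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()}


def print_report(name: str, r: Dict) -> None:
    print(f"+++++ {name} +++++")
    print(f"[MBR] {r['mbr_md5']}  signature {'OK' if r['signature_ok'] else 'BAD'}")
    print(f"[BSP] {r['boot_code_md5']} : "
          f"{'known boot code' if r['boot_code_known'] else 'unknown MBR code'}")
    for p in r["partitions"]:
        print(f"  {p['index']} - [{'ACTIVE' if p['active'] else 'inactive'}] {p['type_name']} "
              f"(0x{p['type']:02X}) offset {p['start']} size {p['count']} sectors")
    print(f"  unallocated tail: {r['tail_sectors']} sectors"
          + ("  <- larger than alignment slack, inspect" if r["suspicious_tail"] else ""))


if __name__ == "__main__":
    print_report("constructed clean disk", analyse_mbr(CLEAN_MBR, DISK_SECTORS, KNOWN_GOOD))
    print_report("constructed short partition", analyse_mbr(SHORT_MBR, DISK_SECTORS, KNOWN_GOOD))
```

On a real image the boot-code hash has to be compared against a list of boot code you trust (the stock Windows code, a boot manager you installed), which is what separates a harmless "unknown" (an unusual but legitimate boot loader) from a replaced one; a changed hash combined with a tail that no partition claims is the pairing worth following up on.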

OK, let’s see if TDSSKiller has any concerns about the hook.

Download the latest version of TDSSKiller from here and save it to your Desktop.

[*]Doubleclick on TDSSKiller.exe to run the application

https://dl.dropbox.com/u/73555776/tdss%20start.JPG

[*]Then click on Change parameters.

https://dl.dropbox.com/u/73555776/tdss%20Change%20param.JPG

[*]Check the boxes beside Verify Driver Digital Signature and Detect TDLFS file system, then click OK.

[*]Click the Start Scan button.

[*]If a suspicious object is detected, the default action will be Skip, click on Continue.

https://dl.dropbox.com/u/73555776/tdss%20threat.JPG

[*]If malicious objects are found, they will show in the Scan results and offer three (3) options.
[*]Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.

[*]Get the report by selecting Reports

https://dl.dropbox.com/u/73555776/tdss%20report.JPG

[*]Note: If Cure is not available, please choose Skip instead, do not choose Delete unless instructed.

Please copy and paste its contents on your next reply.

I don’t know what I’m doing wrong, but when I click on report, a page opens, but I can’t click on it to copy and paste it. There were 8 objects found, but once I clicked continue no option was available to me except to click on report.

The file was too big to post here so I have attached it.

Nope they all look good as well… Are you experiencing any problems ?

Windows Live Messenger is acting weird… I have to keep exiting it and re-signing in… that’s about it.

Live Messenger is being discontinued this year and being replaced by Skype; I am not sure if MS are updating it at all now.

Yes, I read that, it will be good to get rid of it…have a clean out.

We can reset the MBR to standard, but as it stands I can see no problems with it.

It’s okay… if it’s all clean I’m happy with that… ty so much for your help… it’s really appreciated :slight_smile: