An unknown MBR code was noticed when running aswMBR. Could EssexBoy please take a look and tell me whether or not there is a problem? This computer was a custom build, not an OEM, and does not have a recovery partition.
aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-01-21 16:19:05
16:19:05.921 OS Version: Windows 5.1.2600 Service Pack 3
16:19:05.921 Number of processors: 2 586 0x6B02
16:19:05.921 ComputerName: F6L2R7 UserName: Ann
16:19:06.328 Initialize success
16:19:09.765 AVAST engine defs: 13012001
16:20:39.890 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\00000067
16:20:39.890 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476938MB BusType: 3
16:20:39.953 Disk 0 MBR read successfully
16:20:39.953 Disk 0 MBR scan
16:20:39.968 Disk 0 unknown MBR code
16:20:39.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
16:20:39.968 Disk 0 scanning sectors +976768065
16:20:40.000 Disk 0 scanning C:\WINDOWS\system32\drivers
16:20:47.562 Service scanning
16:20:57.609 Modules scanning
16:21:17.468 Disk 0 trace - called modules:
16:21:17.484 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll nvata.sys
16:21:17.484 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a66aab8]
16:21:17.484 3 CLASSPNP.SYS[b80e8fd7] → nt!IofCallDriver → \Device\00000068[0x8a674f18]
16:21:17.484 5 ACPI.sys[b7f7f620] → nt!IofCallDriver → \Device\00000067[0x8a66a030]
16:21:17.875 AVAST engine scan C:\WINDOWS
16:21:24.031 AVAST engine scan C:\WINDOWS\system32
16:23:17.687 AVAST engine scan C:\WINDOWS\system32\drivers
16:23:38.937 AVAST engine scan C:\Documents and Settings\Ann
16:32:57.015 AVAST engine scan C:\Documents and Settings\All Users
16:35:56.531 Scan finished successfully
16:36:19.625 Disk 0 MBR has been saved successfully to “C:\Documents and Settings\Ann\My Documents\MBR.dat”
16:36:19.656 The log file has been saved successfully to “C:\Documents and Settings\Ann\My Documents\aswMBR.txt”
I asked for a checkup in a forum from someone who helps there and at the Malwarebytes forum because I had Java and an old Adobe Reader on my computer.
I have run the following tools:
TDSS Killer - clean
adwcleaner - clean
Junkware Remover - clean
Rogue Killer - clean
FSS - clean
Combofix - evidence of this malware: http://www.sophos.co…d-analysis.aspx
No notification of a rootkit or evidence of a rootkit on the rest of the scan.
The helper was concerned because some trojans/rootkits such as Alureon can create a hidden partition that can hide from detection and will often present as an unknown MBR on aswMBR and other tools that check the MBR. The helper knows this often happens on OEM computers with recovery partitions but since my computer is a custom build with no recovery partition, it was advised that I submit the mbr.dat file to EssexBoy for inspection to make sure it is clean.
Yes, it is just that we generally don’t see the aswMBR presented in isolation.
MBR rootkits, and rootkits in general, whilst they may be hidden, are generally going to present other symptoms (attempts to connect to other sites to download more malware, etc.).
Whilst an unknown MBR isn’t unusual, it is not necessarily an indication of an MBR rootkit. From my limited understanding of the aswMBR logs, aswMBR isn’t showing any hidden partition, etc., and the avast scan isn’t flagging anything else.
Since all of your other scans have come up clean, and your concern and reason for all of the scans was having Java and an out-of-date Adobe Reader, the likelihood is that these haven’t compromised your system.
Personally, if you haven’t done so already, I would uninstall Java (unless you absolutely have to have it for websites or applications that require it). I would also suggest that you get rid of Adobe Reader, as it is a constant target of malware given its high user base, and use one of the other PDF reader options.
But essexboy may see something in the aswMBR that I don’t, so he would have to give the all clear on that one. It is now almost 1am in the UK, so he won’t be back until later today.
Since there was a detection on combofix, I would suggest that you attach that log also so he can get some more background information.
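Both the original post and the reply above lean on the same two checks: whether aswMBR recognised the boot code, and whether the partition table leaves room for a hidden partition. The script below is an added example, written for this thread rather than taken from it or from AVAST; it parses the disk lines of the aswMBR log as posted (reproduced here as a constructed sample) and reports the MBR code status, any partition whose standard MBR type ID means "hidden" (the OEM recovery case the helper mentioned), and how many megabytes of the disk the partition table does not account for. The function name, the 50 MB reporting threshold and the regexes are my own assumptions about the log format, not anything aswMBR documents.

```python
"""Summarise the disk section of an aswMBR text log from a defender's viewpoint."""
import re
from typing import Dict

# Constructed sample input: the Disk 0 lines of the aswMBR log posted in this thread.
SAMPLE_LOG = """\
16:20:39.890 Disk 0 Vendor: SAMSUNG_HD501LJ CR100-13 Size: 476938MB BusType: 3
16:20:39.953 Disk 0 MBR read successfully
16:20:39.953 Disk 0 MBR scan
16:20:39.968 Disk 0 unknown MBR code
16:20:39.968 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 476937 MB offset 63
16:20:39.968 Disk 0 scanning sectors +976768065
"""

# Standard MBR partition type IDs whose meaning is "hidden" (hidden FAT/NTFS,
# Windows RE). OEM recovery partitions commonly use these, so one showing up is
# a reason to look closer, not by itself evidence of malware.
HIDDEN_TYPE_IDS = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}

# Assumed heuristic for this example: unaccounted space above this is worth a note.
UNACCOUNTED_MB_THRESHOLD = 50

SIZE_RE = re.compile(r"Disk (?P<disk>\d+) Vendor: .* Size: (?P<mb>\d+)MB")
PART_RE = re.compile(
    r"Disk (?P<disk>\d+) Partition (?P<num>\d+) (?P<boot>[0-9A-Fa-f]{2}) "
    r"\((?P<flag>[^)]*)\) (?P<type>[0-9A-Fa-f]{2}) (?P<desc>.*?) "
    r"(?P<mb>\d+) MB offset (?P<offset>\d+)"
)


def summarise_aswmbr(log: str) -> Dict:
    """Return findings for the first disk described in an aswMBR log."""
    report = {
        "disk_mb": None,
        "mbr_read_ok": False,
        "mbr_code_known": True,  # set to False when aswMBR prints "unknown MBR code"
        "partitions": [],
        "hidden_type_partitions": [],
        "unaccounted_mb": None,
        "notes": [],
    }
    for line in log.splitlines():
        if "MBR read successfully" in line:
            report["mbr_read_ok"] = True
            continue
        if "unknown MBR code" in line:
            report["mbr_code_known"] = False
            continue
        m = SIZE_RE.search(line)
        if m:
            report["disk_mb"] = int(m.group("mb"))
            continue
        m = PART_RE.search(line)
        if m:
            part = {
                "num": int(m.group("num")),
                "active": m.group("boot").upper() == "80",  # 0x80 = bootable flag
                "type": int(m.group("type"), 16),
                "desc": m.group("desc"),
                "mb": int(m.group("mb")),
                "offset_sectors": int(m.group("offset")),
            }
            report["partitions"].append(part)
            if part["type"] in HIDDEN_TYPE_IDS:
                report["hidden_type_partitions"].append(part["num"])

    # Space on the disk that no partition table entry claims (sizes are in whole MB,
    # so a megabyte or so of slack is normal rounding, not a finding).
    if report["disk_mb"] is not None:
        claimed = sum(p["mb"] for p in report["partitions"])
        report["unaccounted_mb"] = report["disk_mb"] - claimed

    if not report["mbr_code_known"]:
        report["notes"].append(
            "aswMBR did not recognise the boot code: compare the saved MBR.dat "
            "against a known-good MBR for this Windows version before judging it.")
    if report["hidden_type_partitions"]:
        report["notes"].append(
            "Partition(s) with a hidden type ID: confirm they are OEM/recovery.")
    if report["unaccounted_mb"] is not None and report["unaccounted_mb"] > UNACCOUNTED_MB_THRESHOLD:
        report["notes"].append(
            f"{report['unaccounted_mb']} MB outside the partition table: check what is there.")
    return report


if __name__ == "__main__":
    for key, value in summarise_aswmbr(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the log in this thread the script finds one active NTFS partition (type 0x07, not a hidden type) covering all but 1 MB of the disk, and the only note it raises is the unrecognised boot code, which is exactly the item the thread is waiting on essexboy to judge from the saved MBR.dat.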
The Java and Adobe have gone from my computer, and once my computer is given the all clear I will download another PDF viewer, but I need the all clear on the MBR first before I install anything else.
Because our malware experts live in different parts of the world, it may be a bit of time before one of them comes and joins your thread. Please be patient.
Please note that Secunia Online Scanner does require the use of java installed on your system to run it. You may want to pass on this one because of this requirement.
Operating System : Windows XP (5.1.2600 Service Pack 3) 32 bits version
Started in : Normal mode
User : Ann [Admin rights]
Mode : Scan – Date : 01/23/2013 07:31:06
¤¤¤ Bad processes : 0 ¤¤¤
¤¤¤ Registry Entries : 2 ¤¤¤
[HJPOL] HKCU[…]\System : disableregistrytools (0) → FOUND
[HJPOL] HKLM[…]\System : DisableRegistryTools (0) → FOUND
If malicious objects are found, they will show in the Scan results and offer three (3) options.
Ensure Cure is selected, then click Continue => Reboot now to finish the cleaning process.
I don’t know what I’m doing wrong, but when I click on report, a page opens, but I can’t click on it to copy and paste it. There were 8 objects found, but once I clicked continue no option was available to me except to click on report.