Author Topic: aswMBR says 'unknown MBR code' should I worry ?  (Read 4623 times)

Offline Stang

  • Jr. Member
  • **
  • Posts: 71
    • Personal Message (Offline)
aswMBR says 'unknown MBR code' should I worry ?
« on: May 15, 2011, 05:29:38 PM »
Is this a problem ?  I have attached the log.

Thanks

UPDATE by the way all scans (Avast and MBAM) are all clean
« Last Edit: May 15, 2011, 05:32:49 PM by Stang »

Offline Left123

  • There Is No Patch For Human Stupidity.
  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 1052
  • Gender: Male
  • Proud Community Member&Helper.
    • Personal Message (Offline)
Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #1 on: May 15, 2011, 06:38:04 PM »
No.
AMD Athlon(tm) X2 Dual-Core Processor 4200+ - 2.20 GHz,3,00 GB RAM -
Browser:Mozilla Firefox +WOT - SoftWare:CCleaner - Windows 7 32 bit
No Anti-Virus

Offline m00nbl00d

  • Jr. Member
  • **
  • Posts: 81
    • Personal Message (Offline)
Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #2 on: May 16, 2011, 12:55:31 AM »
No.

Is it a bug, making it display that message?

Offline RNfromTN

  • avast! Evangelist
  • Advanced Poster
  • ***
  • Posts: 668
  • Gender: Male
  • surfin sandboxed
    • Personal Message (Offline)
Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #3 on: May 17, 2011, 11:47:37 AM »
Quote from: m00nbl00d
No.

Is it a bug, making it display that message?

Just a guess, possibly a non windows boot manager.
I have grub4dos as a boot manager and I get that "unknown mbr code" message.
Sandboxie| IFW|Outpost firewall|Norton Ghost|Win XP,Vista,7
member since 2005| Linux Mint user

Offline Left123

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #4 on: May 17, 2011, 11:54:59 AM »
Quote from: m00nbl00d
No.

Is it a bug, making it display that message?

Probably modified master boot record code.

Offline DavidR

  • avast! Überevangelist
  • Certainly Bot
  • *****
  • Posts: 69218
  • Gender: Male
  • No support PMs thanks
    • Personal Message (Offline)
Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #5 on: May 17, 2011, 01:25:35 PM »
Whilst it could be related to a different boot manager, I don't know if that would also change the MBR.

However, your aswMBR.txt content is almost identical to another where the Alureon rootkit has been confirmed and if correct you are going to need to investigate further and if confirmed help to remove it.

See this topic, the one starting on page 2 for drankinboy http://forum.avast.com/index.php?topic=77998.msg645836#msg645836.

Whilst essexboy won't be back on the forums until this evening (UK time), you could run the OTS tool and post the log so he has something else to work with.

Quote from: essexboy
Unfortunately no two attacks are the same so first I will need to see what you have.

  • Download OTS to your Desktop and double-click on it to run it
  • Make sure you close all other programs and don't use the PC while the scan runs.
  • Select All Users
  • Under additional scans select the following
      Reg - Disabled MS Config Items
      Reg - Drivers32
      Reg - NetSvcs
      Reg - SafeBoot Minimal
      Reg - Shell Spawning
      Evnt - EventViewer Logs (Last 10 Errors)
      File - Lop Check

  • Under the Custom Scan box paste this in
      netsvcs
      %SYSTEMDRIVE%\*.exe
      /md5start
      volsnap.*
      explorer.exe
      winlogon.exe
      Userinit.exe
      svchost.exe
      /md5stop
      %systemroot%\*. /mp /s
      hklm\software\clients\startmenuinternet|command /rs
      hklm\software\clients\startmenuinternet|command /64 /rs
      CREATERESTOREPOINT

  • Now click the Run Scan button on the toolbar. Make sure not to use the PC while the program is running or it will freeze.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Please attach the log in your next post.

Why was it that you ran aswMBR in the first place ?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

Offline Stang

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #6 on: May 17, 2011, 04:53:21 PM »

Quote from: DavidR
Why was it that you ran aswMBR in the first place ?


A while back I had several viruses including rootkit.  Essexboy helped me through those issues.  Lately my pc just seemed to be very slow from time to time and aswMBR seemed a simple non-invasive way to check my MBR.  Last time I used a variety of tools including ComboFix under direction of EB.

I see a few posts with the same 'unknown MBR code' message so I suspect I am OK.

Thanks

Offline essexboy

  • avast! Überevangelist
  • Maybe Bot
  • *****
  • Posts: 29024
  • Gender: Male
  • Dragons by Sasha
    • Malware fixes
    • Personal Message (Offline)
Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #7 on: May 17, 2011, 05:39:48 PM »
Is your system a Dell ?

Offline Stang

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #8 on: May 17, 2011, 05:44:32 PM »

Offline essexboy

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #9 on: May 17, 2011, 06:33:01 PM »
OK Dell have a unique MBR that allows you to access the recovery partition, if the MBR is replaced by a standard file then you will lose access to the recovery partition and it is a pain to restore it  ;D
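
The replies above attribute the message to boot code that is simply not a stock loader (grub4dos, a vendor MBR). As an added example, not part of the thread and not aswMBR's own logic, this sketch assumes a checker that hashes the 440-byte boot code area and looks it up in an allowlist; the function names, the allowlist and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

CODE_AREA = 440      # bootstrap code; bytes 440-445 hold the disk signature
TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"

def parse_mbr(sector: bytes) -> dict:
    """Hash the boot code and decode the partition table of a raw MBR."""
    if len(sector) != 512 or sector[510:] != BOOT_SIG:
        raise ValueError("not a 512-byte sector ending in 0x55AA")
    parts = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i:TABLE_OFFSET + 16 * (i + 1)]
        lba_start, count = struct.unpack_from("<II", entry, 8)
        if entry[4]:  # partition type 0 means the slot is unused
            parts.append({"slot": i, "active": entry[0] == 0x80,
                          "type": entry[4], "lba_start": lba_start,
                          "sectors": count})
    code_hash = hashlib.sha256(sector[:CODE_AREA]).hexdigest()
    return {"code_sha256": code_hash, "partitions": parts}

def classify(sector: bytes, known_good: dict) -> dict:
    """Label the boot code from an allowlist of hashes (hypothetical)."""
    info = parse_mbr(sector)
    info["verdict"] = known_good.get(info["code_sha256"], "unknown MBR code")
    return info

def build_sample(code: bytes) -> bytes:
    """Constructed sector: the given boot code plus one active partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3,
                        2048, 204800)
    return code.ljust(TABLE_OFFSET, b"\0") + entry + b"\0" * 48 + BOOT_SIG

if __name__ == "__main__":
    stock = build_sample(b"\xfa\x33\xc0STOCK-LOADER")      # constructed bytes
    vendor = build_sample(b"\xfa\x33\xc0VENDOR-LOADER")    # constructed bytes
    baseline = {parse_mbr(stock)["code_sha256"]: "stock loader"}
    for name, sector in (("stock", stock), ("vendor", vendor)):
        result = classify(sector, baseline)
        print(name, result["verdict"], result["partitions"])
```

Both sample sectors carry the same partition table; only the boot code differs, so an "unknown" verdict here says the code is not on the list, not that it is malicious.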

Offline Stang

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #10 on: May 17, 2011, 06:37:51 PM »
Thanks! One of these days I might have to break down and get a new laptop anyway. For now all is well and I will save me pennies.


Offline DavidR

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #11 on: May 17, 2011, 06:45:55 PM »
Quote from: essexboy
OK Dell have a unique MBR that allows you to access the recovery partition, if the MBR is replaced by a standard file then you will lose access to the recovery partition and it is a pain to restore it  ;D

That is very interesting.

I guess if a DELL gets an MBR Rootkit they are stuffed for doing a factory restore, as they won't be able to get the custom MBR back (or can they). So no access to the modified/unique MBR if a fixMBR replaces it with a clean standard MBR ?

Offline essexboy

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #12 on: May 17, 2011, 06:52:07 PM »
Correct we give them the option of no access to the recovery partition for a while - or continued MBR infection - that does focus their mind somewhat

Offline DavidR

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #13 on: May 17, 2011, 07:28:23 PM »
Quote from: essexboy
Correct we give them the option of no access to the recovery partition for a while - or continued MBR infection - that does focus their mind somewhat

So presumably this is a fix the problem first, e.g. remove the MBR rootkit setting a standard MBR and at a later point try to change the MBR to the Dell unique one if possible.

Offline essexboy

Re: aswMBR says 'unknown MBR code' should I worry ?
« Reply #14 on: May 17, 2011, 07:38:46 PM »
Aye - it is possible to revert but it does require some fiddling with the system to download and install the MBR.  The only other alternative is a full factory restore 

 
