Author Topic: mbr.exe ?  (Read 3912 times)

JohnnyBob
mbr.exe ?
« on: May 22, 2011, 02:23:28 PM »

gmer.exe and mbr.exe are available for download at http://www.gmer.net/. They're widely recommended as rootkit finders. I've run gmer.exe before without problems. This is the first time I've tried to run mbr.exe. 

I can't find any operating instructions or documentation for mbr.exe. Is there any? For example what op systems does it support? How is it supposed to work? I've asked the author but no response (yet).

When I ran mbr.exe there was an immediate black screen, then computer rebooted, and no log file was generated. Apparently no harm was done, but something wasn't right. Maybe that's because I let free avast antivirus run it in the sandbox, which it advised me to do ???

free avast! 9.0 installed without Email Shield (not needed). Web shield disabled. All other "extras" are not installed or disabled. It wanted server status access to the internet which I blocked permanently via ZA. I also killed AvastEmUpdate.exe by renaming it in Safe Mode. Windows XP Home SP3, ZoneAlarm 6.1.744.001, Firefox 25.0 & IE8, Outlook Express.

Pondus
Re: mbr.exe ?
« Reply #1 on: May 22, 2011, 02:27:40 PM »
This is the only one I know: http://public.avast.com/~gmerek/aswMBR.htm

You may PM Essexboy.


essexboy
Re: mbr.exe ?
« Reply #2 on: May 22, 2011, 03:01:24 PM »
MBR.exe is effectively incorporated within aswMBR

What MBR.exe does is replace the current MBR with a default operating system one, not a problem as long as you do not have an unusual MBR set up

JohnnyBob
Re: mbr.exe ?
« Reply #3 on: May 22, 2011, 03:24:41 PM »
Quote from: essexboy
MBR.exe is effectively incorporated within aswMBR

What MBR.exe does is replace the current MBR with a default operating system one, not a problem as long as you do not have an unusual MBR set up

Thanks...but I've never run across aswMBR previously. I'm only talking about mbr.exe which is downloadable from http://www.gmer.net/. There is no info about mbr.exe at that site, unless I'm overlooking something. So where is the documentation/info/op instructions for mbr.exe located on the internet - reference link(s)???

essexboy
Re: mbr.exe ?
« Reply #4 on: May 22, 2011, 03:32:49 PM »
It is a specialist tool that is kept purposely vague as it can ruin your day if used improperly
So if you do want to use it you have to ask and therefore reduce the risk of damaging your system

So why did you want to use MBR.exe ?

JohnnyBob
Re: mbr.exe ?
« Reply #5 on: May 22, 2011, 04:00:24 PM »
Quote from: essexboy
It is a specialist tool that is kept purposely vague as it can ruin your day if used improperly
So if you do want to use it you have to ask and therefore reduce the risk of damaging your system

So why did you want to use MBR.exe ?

Who keeps it purposely vague? Who is the author of mbr.exe? Where is the documentation? Where are the operating instructions? Who do I ask? The gmer website info-email link is refusing to respond, apparently  ???

I'm seeing it recommended for general use in various places, tech support forums, etc, but without any cautions or relevant information. My experience when I ran mbr.exe was: It caused a black screen, reboot, and no log file was generated. That indicates it's buggy and risky, in lieu of complete documentation and details. So where are they?

essexboy
Re: mbr.exe ?
« Reply #6 on: May 22, 2011, 04:05:05 PM »
The programme's author works for Avast

And he created the aswMBR programme

Quote
I'm seeing it recommended for general use in various places, tech support forums, etc, but without any cautions or relevant information. My experience when I ran mbr.exe was: It caused a black screen, reboot, and no log file was generated. That indicates it's buggy and risky, in lieu of complete documentation and details. So where are they?
So if you feel that, why did you run it?

JohnnyBob
Re: mbr.exe ?
« Reply #7 on: May 22, 2011, 04:36:08 PM »
Quote from: essexboy
The programme's author works for Avast
And he created the aswMBR programme

So, did he also create the mbr.exe program? If so, what is his name? Where is the URL that gives relevant documentation and operating instructions?

Quote from: JohnnyBob
I'm seeing it recommended for general use in various places, tech support forums, etc, but without any cautions or relevant information. My experience when I ran mbr.exe was: It caused a black screen, reboot, and no log file was generated. That indicates it's buggy and risky, in lieu of complete documentation and details. So where are they?

Quote from: essexboy
So if you feel that why did you run it ?
I felt that after the fact, not before, because running mbr.exe obviously did not work properly.
 
It was recommended to me that I run mbr.exe, by two different tech support gurus on two different forums. That's why I ran it. But they made no cautions or indications that it was dangerous/risky - which it probably is (based on my experience).

So it seems that the cat's out of the bag already, running rampant in the wild, and it's now time to provide full documentation and op instructions for everyone to read! Otherwise expect an increasing stream of complaints and queries about it...
« Last Edit: May 22, 2011, 04:39:15 PM by JohnnyBob »

essexboy
Re: mbr.exe ?
« Reply #8 on: May 22, 2011, 04:44:16 PM »
There is no log generated as it just replaces the MBR and nothing else

Did you read this page ? http://www2.gmer.net/mbr/

Quote
So it seems that the cat's out of the bag already, running rampant in the wild, and it's now time to provide full documentation and op instructions for everyone to read! Otherwise expect an increasing stream of complaints and queries about it.

This programme has been out now for many years and you are the first I have come across that has voiced any concerns about it. As for running rampant I fail to follow you - this is a tool used in malware removal forums by people who know what it does, and when to use it. If you had concerns at the time why did you not ask the person helping you?

JohnnyBob
Re: mbr.exe ?
« Reply #9 on: May 22, 2011, 05:30:04 PM »
Quote from: essexboy
There is no log generated as it just replaces the MBR and nothing else

Thanks for the info. That contradicts what I was told elsewhere, that a log would be generated. Who is correct?

Quote from: essexboy
Did you read this page ? http://www2.gmer.net/mbr/
No, I didn't (thanks for the link). There's no link to that link from the http://www2.gmer.net homepage that I can find, only a link to download mbr.exe. I guess that answers my main question, except... I've searched through it and found some references to mbr.exe near the bottom under "Detection and removal" and "Update". According to that info, there are several different versions of mbr.exe, and the author is from gmer.net (not avast.com): "Stealth MBR rootkit detector 0.2.2 by Gmer, http://www.gmer.net"; "mbr.exe version 0.3.1 or newer"; etc. Also I see no cautions about its use, i.e. why it's risky. My impression is that mbr.exe is only used to remove a few known mbr rootkits, not to find/diagnose them, nor to repair the mbr in general. That contradicts the tech guru advice I'm seeing elsewhere that mbr.exe can be used, in general, to repair mbr errors. So are we talking about the same mbr.exe or are there two different authors/software using this same name?

Quote from: JohnnyBob
So it seems that the cat's out of the bag already, running rampant in the wild, and it's now time to provide full documentation and op instructions for everyone to read! Otherwise expect an increasing stream of complaints and queries about it.

Quote from: essexboy
This programme has been out now for many years and you are the first I have come across that has voiced any concerns about it.  As for running rampant I fail to follow you - this is a tool used in malware removal forums by people who know what it does, and when to use it.  If you had concerns at the time why did you not ask the person helping you 
It has gone beyond malware removal forums, into general purpose forums and newsgroups. Yes, I asked the persons who recommended it for details. I also asked the gmer author for details. None of them responded. At least I've got you on the hook...  ;D

essexboy
Re: mbr.exe ?
« Reply #10 on: May 22, 2011, 05:39:50 PM »
It will remove mebroot/sinow/TDL 4. There are different specialist tools for TDL 3/Helpassist, as they use system files as well as the MBR, so it needs a multi-pronged approach to the repair

At the moment these are the main MBR infectors

However, it appears that there are now some variants that merge TDL3/TDL4 which makes it a tad more difficult to remove.   

Quote
the author is from gmer.net (not avast.com):
That is his personal page, who do you think designed the MBR detection routines for Avast (aswMBR) ;D? The different versions are just the change log of the programme, the only one you can download will be the latest

 

JohnnyBob
Re: mbr.exe ?
« Reply #11 on: May 22, 2011, 06:29:44 PM »
Well, I feel a whole lot better now (emotionally) after that pleasant but challenging exchange, however some of my initial basic questions about mbr.exe remain unanswered...

When I ran mbr.exe it gave me an immediate black screen then my computer auto-rebooted. Is that normal? What exactly did it do to my computer, if anything?

Should I have run it in the avast sandbox, as I was advised to do by avast, or outside of the sandbox? Is that what caused the black screen and autoreboot?

Maybe I shouldn't be running it at all, and I don't plan to run it again, but I'd like to know what happened, and why. Apparently a lot of folks are running it these days without knowing the consequences. Give a monkey a banana and he'll eat it. :)

essexboy
Re: mbr.exe ?
« Reply #12 on: May 22, 2011, 08:22:30 PM »
Quote
When I ran mbr.exe it gave me an immediate black screen then my computer auto-rebooted. Is that normal? What exactly did it do to my computer, if anything?
The programme runs under a command prompt, hence the black box/screen.  Replacement of the MBR will require an immediate reboot to ensure safety

Quote
Should I have run it in the avast sandbox, as I was advised to do by avast, or outside of the sandbox? Is that what caused the black screen and autoreboot?
No, MBR ran the routines - but as it was in a sandbox no changes were made

Quote
Maybe I shouldn't be running it at all, and I don't plan to run it again, but I'd like to know what happened, and why. Apparently a lot of folks are running it these days without knowing the consequences. Give a monkey a banana and he'll eat it.
Tell me about it, the number of systems I see where the user has tried programmes that were found on the net and then wondered why the system did not work anymore. For the majority of infections I would recommend getting help on a reputable forum
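
Added example, not part of any post in this thread and not code from gmer.net or Avast: the statements above that the tool replaces the MBR, and that a sandboxed run changes nothing, can be checked by comparing two 512-byte dumps of sector 0 taken before and after the run. The sketch assumes such dumps already exist; the function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_END = 446   # bytes 0..445: boot code plus the Windows disk signature (440..443)
TABLE_END = 510  # bytes 446..509: four 16-byte partition entries; 510..511: 0x55 0xAA

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR sector into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    partitions = []
    for slot in range(4):
        entry = sector[BOOT_END + 16 * slot : BOOT_END + 16 * (slot + 1)]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        if entry[4] != 0:  # partition type 0x00 marks an unused slot
            partitions.append({"slot": slot, "active": entry[0] == 0x80,
                               "type": entry[4], "lba_start": lba_start,
                               "sectors": sector_count})
    return {
        "boot_sha256": hashlib.sha256(sector[:BOOT_END]).hexdigest(),
        "table_sha256": hashlib.sha256(sector[BOOT_END:TABLE_END]).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == b"\x55\xaa",
    }

def compare_mbr(before: bytes, after: bytes) -> dict:
    """Report which region of sector 0 differs between two dumps."""
    a, b = parse_mbr(before), parse_mbr(after)
    return {
        "boot_code_changed": a["boot_sha256"] != b["boot_sha256"],
        "partition_table_changed": a["table_sha256"] != b["table_sha256"],
        "signature_ok_after": b["valid_signature"],
    }

def make_sample(boot_fill: int) -> bytes:
    """Constructed sample sector: filler boot bytes and one active NTFS (0x07) entry."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 254, 255, 255]) + struct.pack("<II", 63, 1_000_000)
    return bytes([boot_fill]) * BOOT_END + entry + bytes(48) + b"\x55\xaa"

if __name__ == "__main__":
    baseline = make_sample(0x90)
    print(compare_mbr(baseline, make_sample(0x90)))  # sandboxed run: nothing written
    print(compare_mbr(baseline, make_sample(0xCC)))  # boot code replaced, table kept
```

A changed partition table or a missing 0x55AA signature after the run is the "unusual MBR set up" case worth stopping on before the next reboot.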

JohnnyBob
Re: mbr.exe ?
« Reply #13 on: May 22, 2011, 09:27:14 PM »
Those aren't answers to my questions. Perhaps someone else knows...

essexboy
Re: mbr.exe ?
« Reply #14 on: May 22, 2011, 09:36:30 PM »
What part was not answered to your satisfaction?

 
