Topic: question re output from aswMBR scan

nivekau

  • Newbie
  • Posts: 8
question re output from aswMBR scan
« on: August 28, 2011, 11:20:14 PM »
Hi, I suspect I may have a virus/rootkit on my PC so I tried your aswMBR scanner. It produced one red line in the results:

07:49:53.640    Disk 0 trace - called modules:
07:49:53.656    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ae64000]<<
07:49:53.656    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae48030]
07:49:53.656    3 CLASSPNP.SYS[b9918fd7] -> nt!IofCallDriver -> \Device\00000095[0x8ae4a640]
07:49:53.656    5 ACPI.sys[b977f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8aef8028]

Am I correct in thinking that it is concerned about >>UNKNOWN [0x8ae64000]<< ?

What will happen if I click "Fix MBR" ?

Thanks,
Kevin
« Last Edit: August 28, 2011, 11:43:37 PM by nivekau »

DavidR

  • avast! Überevangelist
  • Posts: 69214
Re: question re output from aswMBR scan
« Reply #1 on: August 29, 2011, 12:43:59 AM »
To start with you shouldn't make any selections without guidance by someone experienced in the use of aswMBR.exe. I appreciate that is what you are trying to do but no one can give that information on the information given.

You should post the contents of the full log not selected parts.

Finally what made you consider the use of aswMBR.exe, e.g. what symptoms were you experiencing ?
Core2Duo E8300/ 4GB Ram/ WinXP ProSP3/ avast! free 2014 9.0.2018/ Outpost Firewall Pro9.1/ Firefox 28.0, NoScript, RequestPolicy/ MailWasher Pro/ DropMyRights/ MalwareBytes AntiMalware Premium 2.0.1/ WinPatrol+/ Drive Image 7.1/ SnagIt 10.0/ avast! mobile security

nivekau

  • Newbie
  • Posts: 8
Re: question re output from aswMBR scan
« Reply #2 on: August 29, 2011, 04:14:59 AM »
Quote
Finally what made you consider the use of aswMBR.exe, e.g. what symptoms were you experiencing ?

Hi David,
I appreciate your interest in my problem :)

It started with IE8 suddenly becoming very slow and high CPU usage on my PC when I wasn't actually doing anything. I did a scan using MSE which found Sinowal.gen!Y and PDFjsc.RM.

These were removed but the problem didn't resolve. It appeared to my untrained eye that despite virus scans coming up blank there was unexplained network and CPU activity on my PC.

I then spent many hours looking at forums and running various tools to inspect my system including Autoruns, HijackThis, GMER and Microsoft's Network Monitor.

Somewhere along this path I found some suggestions that led me to believe I may have a rootkit on my PC (I can't remember where) and came across some references to the aswMBR.exe tool.

Today I discovered that my IP is listed in CBL. This is part of what it said:

This IP is infected with, or is NATting for a machine infected with Torpig, also known by Symantec as Anserin.

This was detected by observing this IP attempting to make contact to a Torpig Command and Control server at 91.20.194.175, with contents unique to Torpig C&C command protocols.

Torpig is a banking trojan, specializing in stealing personal information (passwords, account information, etc) from interactions with banking sites.

Torpig is normally dropped by Mebroot. Mebroot is a Rootkit that installs itself into the MBR (Master Boot Record).


Here are the full results of my aswMBR scan (the line in red was red in the scan results):

aswMBR version 0.9.8.986 Copyright(c) 2011 AVAST Software
Run date: 2011-08-29 07:45:17
-----------------------------
07:45:17.562    OS Version: Windows 5.1.2600 Service Pack 3
07:45:17.562    Number of processors: 2 586 0x1706
07:45:17.562    ComputerName: KH-S6420-SSD  UserName: Kevin
07:45:17.937    Initialize success
07:46:16.875    AVAST engine defs: 11082801
07:48:43.890    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
07:48:43.890    Disk 0 Vendor: INTEL_SS 2CV1 Size: 152627MB BusType: 3
07:48:46.078    Disk 0 MBR read successfully
07:48:46.093    Disk 0 MBR scan
07:48:46.093    Disk 0 Windows VISTA default MBR code
07:48:46.234    Disk 0 scanning sectors +312578048
07:48:46.406    Disk 0 scanning C:\WINDOWS\system32\drivers
07:49:20.312    Service scanning
07:49:21.015    Modules scanning
07:49:53.640    Disk 0 trace - called modules:
07:49:53.656    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ae64000]<<
07:49:53.656    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8ae48030]
07:49:53.656    3 CLASSPNP.SYS[b9918fd7] -> nt!IofCallDriver -> \Device\00000095[0x8ae4a640]
07:49:53.656    5 ACPI.sys[b977f620] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8aef8028]
07:49:53.765    AVAST engine scan C:\WINDOWS
07:50:27.765    AVAST engine scan C:\WINDOWS\system32
07:54:04.546    AVAST engine scan C:\WINDOWS\system32\drivers
07:54:45.562    AVAST engine scan C:\Documents and Settings\Kevin
08:01:22.109    AVAST engine scan C:\Documents and Settings\All Users
08:02:51.937    Scan finished successfully
09:09:03.546    Disk 0 MBR has been saved successfully to "F:\aswMBR\MBR.dat"
09:09:03.578    The log file has been saved successfully to "F:\aswMBR\aswMBR.txt"

DavidR

  • avast! Überevangelist
  • Posts: 69214
Re: question re output from aswMBR scan
« Reply #3 on: August 29, 2011, 12:46:19 PM »
What were the file names and locations of the detections by MSE ?

When this high CPU activity was going on did you have avast and MSE installed as that would contribute to that ?

Are you using a fixed IP address, as normally that requires you pay extra for that than for an IP that is dynamically assigned ?

Your aswMBR log shows that you have the Default Vista MBR, so in this case fixing that wouldn't do anything I believe.

This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the other logs here, not in the LOGS topic.

essexboy

  • avast! Überevangelist
  • Posts: 29010
Re: question re output from aswMBR scan
« Reply #4 on: August 29, 2011, 12:56:15 PM »
The unknown may indicate a TDL3 infection or the latest TDL4 variant, but a few logs will assist in that determination. aswMBR shows no sign of an old Mebroot infection.

nivekau

  • Newbie
  • Posts: 8
Re: question re output from aswMBR scan
« Reply #5 on: August 29, 2011, 01:49:39 PM »
Quote
What were the file names and locations of the detections by MSE ?

This is what MSE reported:

Exploit:Win32/Pdfjsc.RM
Location: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\ND45QXK0\3567d[1].pdf

PWS:Win32/Sinowal.gen!Y
Location: C:\Documents and Settings\Kevin\Local Settings\Temporary Internet Files\Content.IE5\2RSZYX57\readme[1].exe

Quote
When this high CPU activity was going on did you have avast and MSE installed as that would contribute to that ?

I don't have Avast installed, I just allowed aswMBR to download the definitions.

I run Malwarebytes Pro, but both that and MSE are set to ignore one another. I've been running them both together for months without any problem. However, I also tried disabling them and it didn't make any difference to the CPU usage.

Quote
Are you using a fixed IP address, as normally that requires you pay extra for that than for an IP that is dynamically assigned ?

It's a fixed IP, and yes I pay extra for it. I have also found the outgoing TCP connection to the Torpig server in my router logs (I needed to make sure it wasn't another PC in the house that was responsible for the CBL listing). The CBL recorded another detection when I last rebooted my PC.

Quote
Your aswMBR log shows that you have the Default Vista MBR, so in this case fixing that wouldn't do anything I believe.

I'm not running Vista - I'm using XP Pro SP3.

Quote
This needs further analysis by a malware removal specialist:
Go to this topic http://forum.avast.com/index.php?topic=53253.0 for information on Logs to assist in cleaning malware. Use the information about getting and using the logs and attach the other logs here, not in the LOGS topic.

Okay. Thanks.

nivekau

  • Newbie
  • Posts: 8
Re: question re output from aswMBR scan
« Reply #6 on: August 29, 2011, 01:55:45 PM »
Quote
The unknown may indicate a TDL3 infection or the latest TDL4 variant, but a few logs will assist in that determination. aswMBR shows no sign of an old Mebroot infection.

What logs will help to determine the problem?

This is a PC I use for my own business so I really need to get this fixed!

EDIT: Ah sorry, I wrote this before following the directions from DavidR  :-[
« Last Edit: August 29, 2011, 01:57:38 PM by nivekau »

nivekau

  • Newbie
  • Posts: 8
Re: question re output from aswMBR scan
« Reply #7 on: August 29, 2011, 02:18:39 PM »
Here are the OTL log files, attached.

EDIT/PS. I also did a full Malwarebytes scan and that didn't find anything.
« Last Edit: August 29, 2011, 02:43:20 PM by nivekau »

DavidR

  • avast! Überevangelist
  • Posts: 69214
Re: question re output from aswMBR scan
« Reply #8 on: August 29, 2011, 02:53:14 PM »
@ nivekau
The files being in the temp internet files folder may have inadvertently been run by the browser, if MSE or MBAM didn't detect them when created. Though the more serious of the two is the readme file, which normally would be a .txt file not a .exe file, if you were tricked into running it or if it ran in the browser.

This is strange if, as you say, you don't have Vista installed:
7:48:46.093    Disk 0 Windows VISTA default MBR code

To start with, the OTL logs will give essexboy some general information; since you have run aswMBR you won't have to repeat that. After analysis of your OTL logs, essexboy will construct a Fix for you. If needs be he will give further instruction on any other tools you need to run.

So the next step is essexboy getting back to the topic.

nivekau

  • Newbie
  • Posts: 8
Re: question re output from aswMBR scan
« Reply #9 on: August 29, 2011, 03:07:09 PM »
David, thanks for the response.

I have in fact just run aswMBR again and it gave a slightly different result, in addition to the entry there is also now a yellow entry! 

00:51:10.453    Service MpKsl2a996723 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{726D8384-862E-49B5-8BD4-9528E305557C}\MpKsl2a996723.sys **LOCKED** 32

I have attached the full aswMBR log file.

Thanks for all your help guys. I have to go to bed now as it's after 1am here. But I'll be back on line in about 6 hours :(

DavidR

  • avast! Überevangelist
  • Posts: 69214
Re: question re output from aswMBR scan
« Reply #10 on: August 29, 2011, 03:13:31 PM »
OK, that may just be because MSE is locking the update function, but essexboy will know more on that.

Get some sleep and hopefully there will be fixes awaiting your return.

essexboy

  • avast! Überevangelist
  • Posts: 29010
Re: question re output from aswMBR scan
« Reply #11 on: August 29, 2011, 03:25:43 PM »
Hi, I can see evidence of sinowal in two drivers that are running, which appear to report to Hong Kong.

Quote
DRV - File not found [Kernel | On_Demand | Running] -- -- (xpsec)
DRV - File not found [Kernel | On_Demand | Running] -- -- (xcpip)

I am not sure whether OTL is strong enough to remove them so.....

Download and Install Combofix

Download ComboFix from one of the following locations and allow it to install the recovery console:

Link 1
Link 2

VERY IMPORTANT !!! Save ComboFix.exe to your Desktop *

IMPORTANT - Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. If you have difficulty properly disabling your protective programs, refer to this link here

  • Double click on ComboFix.exe & follow the prompts.
  • Accept the disclaimer and allow to update if it asks
  • When finished, it shall produce a log for you.
  • Please include the C:\ComboFix.txt in your next reply.
Notes:
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. Do not "re-run" Combofix. If you have a problem, reply back for further instructions.


Please make sure you include the combo fix log in your next reply as well as describe how your computer is running now
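As an added example (not code from this thread, nor from AVAST's aswMBR or the OTL tool), a small Python triage script run over constructed sample lines copied from the aswMBR log posted in Reply #2 and the OTL driver entries quoted above: it flags the >>UNKNOWN [0x...]<< module in the disk I/O call chain, a **LOCKED** service, the ***root kit*** verdict mentioned later in the thread, and any driver that is Running although OTL reports its file as not found.

```python
import re

# Constructed sample: the red UNKNOWN trace line and the yellow LOCKED line from this thread plus one clean line.
ASWMBR_SAMPLE = r"""
07:48:46.093    Disk 0 Windows VISTA default MBR code
07:49:53.656    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x8ae64000]<<
00:51:10.453    Service MpKsl2a996723 C:\Documents and Settings\All Users\Application Data\Microsoft\Microsoft Antimalware\Definition Updates\{726D8384-862E-49B5-8BD4-9528E305557C}\MpKsl2a996723.sys **LOCKED** 32
"""

# Constructed OTL lines: the two "File not found" entries quoted above and one made-up healthy entry.
OTL_SAMPLE = r"""
DRV - File not found [Kernel | On_Demand | Running] -- -- (xpsec)
DRV - File not found [Kernel | On_Demand | Running] -- -- (xcpip)
DRV - [2008/04/14 00:00:00 | 000,036,352 | ---- | M] (Microsoft Corporation) [Kernel | Boot | Running] -- C:\WINDOWS\system32\drivers\disk.sys (Disk)
"""

ASWMBR_LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d\.\d{3})\s+(?P<msg>.*)$")
UNKNOWN_MOD = re.compile(r">>UNKNOWN \[(?P<addr>0x[0-9a-fA-F]+)\]<<")
OTL_DRV = re.compile(r"^DRV - (?P<desc>.*?) \[(?P<type>[^|\]]+) \| (?P<start>[^|\]]+) \| "
                     r"(?P<state>[^\]]+)\] -- (?P<rest>.*)$")


def triage_aswmbr(text):
    """Return (timestamp, severity, note) for the lines aswMBR would colour."""
    findings = []
    for line in text.splitlines():
        m = ASWMBR_LINE.match(line)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        u = UNKNOWN_MOD.search(msg)
        if u:  # red: unnamed code sitting in the disk I/O call chain
            findings.append((ts, "high", "unknown module at " + u.group("addr")))
        elif "***root kit***" in msg:  # red: aswMBR's explicit verdict
            findings.append((ts, "high", "rootkit flagged by aswMBR"))
        elif "**LOCKED**" in msg:  # yellow: often a self-protecting AV driver
            findings.append((ts, "medium", "locked service " + msg.split()[1]))
    return findings


def running_drivers_without_file(text):
    """Names of OTL DRV entries that are Running but whose file is missing."""
    names = []
    for line in text.splitlines():
        m = OTL_DRV.match(line)
        if m and m.group("desc") == "File not found" and m.group("state") == "Running":
            svc = re.search(r"\(([^()]+)\)$", m.group("rest"))
            names.append(svc.group(1) if svc else m.group("rest"))
    return names
```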
 

nivekau

  • Newbie
  • Posts: 8
Re: question re output from aswMBR scan
« Reply #12 on: August 29, 2011, 10:44:02 PM »
Thanks essexboy.

I have attached the combofix log.

Re my PC - IE8 is still exhibiting the same symptoms which led me to suspect I had a problem in the first place. Basically it is very slow, not slow to start or slow to bring up a web page, but there are delays when clicking links and controls, like it's doing something else!

CPU usage is also quite high, up to 50% while doing anything in IE, and when idle there appears to be constant almost random CPU usage from a wide variety of processes - maybe this happens normally and I don't notice it.

One significant change is that Roxio Media Manager installer started on its own. If I cancel it at any stage it just starts again, with CPU usage up to 90% (msiexec.exe at 50%). If I let it run it eventually reaches a point where it asks for a CD-ROM to find some missing component. If I cancel at that point the installer just starts again.

Should I just uninstall Roxio? (I never use it)

Edit/PS: Re the idle CPU usage, it is now only 3-5% whereas it was previously hitting 20%

Edit/update: I found the disk that Roxio was looking for and it completed the installation, so that problem has gone away. I remembered that it was installed with Blackberry Desktop Manager so I do need it occasionally.

Further Update!
I have decided to bite the bullet and rebuild the C drive. I used the "recovery disk" that came with my PC and it says it wipes the HDD (well the C: partition at least), I just hope it writes a new MBR! .... now installing 111 Microsoft Updates .....
« Last Edit: August 30, 2011, 10:26:26 AM by nivekau »

essexboy

  • avast! Überevangelist
  • Posts: 29010
Re: question re output from aswMBR scan
« Reply #13 on: August 30, 2011, 06:48:12 PM »
There was no indication of any bad drivers or MBR problems on that log.

But a factory install will wipe the hard drive and should write a new MBR.

nivekau

  • Newbie
  • Posts: 8
Re: question re output from aswMBR scan
« Reply #14 on: August 31, 2011, 01:03:32 AM »
Quote
There was no indication of any bad drivers or MBR problems on that log.

While you were sleeping (I'm in Australia), I tried a few other things, and one of the later aswMBR scans I did included another line in red that actually said ***root kit*** at the end.

I did a fix mbr which was successful, then something started hijacking my google search results and showing butterflysearch.net search results!

It was at that point I threw in the towel and resorted to a rebuild.

Thanks for the help along the way.

Cheers,
Kevin

 
