Author Topic: Unknown MBR code  (Read 10651 times)


Pony_Girl

  • Guest
Unknown MBR code
« on: August 11, 2011, 11:28:08 PM »
I have no idea if this is a problem or not, I could just be being paranoid, but recently I've had problems with the rootkit Alureon (in the Avast! virus chest it's called "MBR:Alureon [Rtk]").

So today (after receiving help with the matter from a member here recently) I decided to run Avast!'s rootkit tool (aswMBR) to try and get an idea if there is/was still a problem - this is where I got the "unknown MBR code" thing from.

I'm happy to listen, take advice and follow all instructions given - however, annoyingly enough, for some reason the aswMBR logs have been proving very hard to find (for me anyway), and it isn't like I don't know how to search and find things and use the search functions either, I do pay attention to where things get saved (I'm a detail freak).


I know a bit about computers/the techy stuff but I feel this isn't an area I'm sufficiently clued up on at all really.

Any help and advice would be greatly appreciated. I'm available day and night at pretty much all hours. I'm happy to be contacted via this thread, PM, or I can provide an e-mail address - if you think any other different medium would be better, I'm happy with that too.

Many thanks in advance to anybody who reads this, offers help and/or gives advice.

Best wishes and kind regards from Pony_Girl.
« Last Edit: August 11, 2011, 11:34:28 PM by Pony_Girl »

Online DavidR

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 87080
  • No support PMs thanks
Re: Unknown MBR code
« Reply #1 on: August 11, 2011, 11:34:45 PM »
Attach the aswMBR log to your next post, use the Additional Options in the Reply window that allows you to attach files, or copy and paste the contents of the aswMBR log.

If you didn't save the file, run aswMBR again and click the Save log.

Ensure that you have the latest version of aswMBR - Download aswMBR.exe to your desktop.
Windows 10 Home 64bit/ Acer Aspire F15/ Intel Core i5 7200U 2.5GHz, 8GB DDR4 memory, 256GB SSD, 1TB HDD/ avast! free 22.10.6038 (build 22.10.7633.734) UI 1.0.733/ Firefox, uBlock Origin, uMatrix/ MailWasher Pro/ Avast! Mobile Security

Offline Asyn

  • Avast Überevangelist
  • Certainly Bot
  • *****
  • Posts: 76115
  • Urlaub/Vacation
    • >>>  Avast Forum - Deutschsprachiger Bereich  <<<
Re: Unknown MBR code
« Reply #2 on: August 11, 2011, 11:35:51 PM »
If you run aswMBR from the desktop, you'll also find the log there, if you choose to save it.
W8.1 [x64] - Avast PremSec 22.7.7366.BC [UI.713] - Firefox ESR 91.11 [NS/uBO/PB] - Thunderbird 91.11
Avast-Tools: Secure Browser 103.0 - Cleanup 22.2 - SecureLine 5.18 - DriverUpdater 22.2 - CCleaner 6.01
Avast Wissenswertes (Downloads, Anleitungen & Infos): https://forum.avast.com/index.php?topic=60523.0

Pony_Girl

  • Guest
Re: Unknown MBR code
« Reply #3 on: August 11, 2011, 11:44:57 PM »
@ Asyn:

I'm not entirely sure if I do have the most up to date version of aswMBR. If I decide to download it from the link in the post above, will I have to first uninstall/remove the copy on my computer, or will it overwrite it?

If I do need to uninstall the current version I have, how do I uninstall it?

@ DavidR: I did save the logs, I also checked where they were being saved (I ran it from where the aswMBR I have downloaded to, silly me, if I'd known I could have made things easier for myself...) then after a long time searching failed to find them, or even where they could have been/could be.
« Last Edit: August 11, 2011, 11:47:45 PM by Pony_Girl »

Offline Asyn

Re: Unknown MBR code
« Reply #4 on: August 11, 2011, 11:47:03 PM »
Quote from: Pony_Girl
@ Asyn:
I'm not entirely sure if I do have the most up to date version of aswMBR. If I decide to download it from the link in the post above, will I have to first uninstall/remove the copy on my computer, or will it overwrite it?

Use the link provided by Dave.
No need to uninstall..!!

Pony_Girl

  • Guest
Re: Unknown MBR code
« Reply #5 on: August 11, 2011, 11:53:17 PM »
This may seem like a silly question, but I'd rather ask questions and get informed answers than go by what little I know about this stuff - for some reason it's not saving straight to my desktop, it doesn't ask me where I want to save to, it just goes in my Downloads folder, does it matter if I just stick it on my desktop or will I still have trouble finding the logs?

[EDIT] Sorry, figured it out. :)
« Last Edit: August 11, 2011, 11:57:05 PM by Pony_Girl »

Offline Asyn

Re: Unknown MBR code
« Reply #6 on: August 11, 2011, 11:55:31 PM »
Quote from: Pony_Girl
This may seem like a silly question, but I'd rather ask questions and get informed answers than go by what little I know about this stuff - for some reason it's not saving straight to my desktop, it doesn't ask me where I want to save to, it just goes in my Downloads folder, does it matter if I just stick it on my desktop or will I still have trouble finding the logs?

[EDIT] Sorry, figured it out. :)

Ok. :)

Pony_Girl

  • Guest
Re: Unknown MBR code
« Reply #7 on: August 11, 2011, 11:57:19 PM »
Another silly question - Different options for what scan I want to do - which should I pick ("QuickScan", "C:\", whatever "[...]" is, I'm guessing it's probably not "(none)" LOL)?
« Last Edit: August 12, 2011, 01:33:44 AM by Pony_Girl »

Offline Asyn

Re: Unknown MBR code
« Reply #8 on: August 12, 2011, 12:04:41 AM »
Quote from: Pony_Girl
Another silly question - Different options for what scan I want to do - which should I pick ("QuickScan", "C:\", whatever "[...]" is, probably not (none) LOL)?

While this isn't really needed, you can choose QuickScan. (Won't take too long.)

Pony_Girl

  • Guest
Re: Unknown MBR code
« Reply #9 on: August 12, 2011, 12:15:57 AM »
Just figured out part of why I've been having trouble finding my logs - need admin' privileges to run certain things (which I do have, kind of because I know all the passwords and have access to it all, I just use a standard user account), thus if they do save to the desktop it's in the user profile I specifically made for admin' stuff... Silly me *rolls eyes at self*.

Here is the log...
« Last Edit: August 12, 2011, 12:22:51 AM by Pony_Girl »

Online DavidR

Re: Unknown MBR code
« Reply #10 on: August 12, 2011, 01:08:38 AM »
OK, this will probably take more analysis as you are on a 64bit OS version, so care has to be taken not to try fixing the MBR or you could have an expensive paperweight.

Other than the unknown MBR code, which is likely to be because you have an HP system, is that correct?

If so it has a recovery partition and a recovery console, in order to access them HP is likely to have a custom MBR code, hence the unknown MBR code line. So you don't want to touch that or you would no longer have access to this recovery partition or recovery console.

So other than your case of paranoia mentioned in your first post, are you experiencing any symptoms (strange occurrences, etc.)?

If you can, open the avast chest (avastUI, Maintenance, Virus Chest) and right click on the file that was detected as MBR:Alureon [Rtk] and select Properties. What was the original file name and the location where it was found?

Pony_Girl

  • Guest
Re: Unknown MBR code
« Reply #11 on: August 12, 2011, 01:25:42 AM »
Well, I have today read elsewhere that the "unknown MBR code" thing is fairly common with both Dell and HP computers (I'm HP, don't like Dell). But I just wanted to know for sure and seek advice from people more knowledgeable on this stuff than myself due to the problems I was having before I made this thread.

No, didn't try the "Fix MBR" option on the aswMBR scan. Myself and the member here who helped me (you know who you are, thank you thank you again :) ) both decided that we should try other things and see how it went first - and it went pretty well I think (no symptoms or any trouble, nothing odd, not that I've noticed anyway) so we left it at that without doing the "Fix MBR" thing. I made this thread here at the suggestion of the member I already mentioned.

Original file name: MBR.dat
Original folder: C:\Users\Admin\Documents
Size of file: 512
Category: Infected files
Virus description: MBR:Alureon [Rtk]
File ID: 10
« Last Edit: August 12, 2011, 01:55:31 AM by Pony_Girl »

Online DavidR

Re: Unknown MBR code
« Reply #12 on: August 12, 2011, 02:14:03 AM »
Well I would say you have nothing to worry about as what is being detected is the data file created by the aswMBR.exe scan, it produces the mbr.dat file (which is effectively a copy of the MBR) and when you save the scan the aswMBR.txt file.

So because the mbr.dat is a copy of the MBR and in this case since it is a non-standard MBR avast is having a bit of a fit on it.

Now that it is in the chest it shouldn't be an issue, though having recently run aswMBR.exe again there would be another copy of the mbr.dat file, so be aware of that. Now that we have determined why it is an unknown mbr code you can actually delete any mbr.dat file on your desktop or C:\Users\Admin\Documents, etc.

@@@@
Looking back on your log and the location this was found, C:\Users\Admin\Documents, it means you ran the aswMBR.exe as Admin.
So do you always use the Admin account for routine computer use?

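Reply #12 describes mbr.dat as a 512-byte copy of the MBR whose non-standard boot code is what gets flagged. As an added example (not written by any poster, and not how aswMBR or avast work internally), the sketch below splits such a dump along the classic MBR layout and compares the boot-code hash with one recorded while the machine was known clean; the function names, the baseline-hash approach and the sample sector are assumptions constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439 hold the bootstrap code
TABLE_OFFSET = 446             # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into boot-code hash, disk signature and partitions."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }

def boot_code_changed(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot code differs from a hash recorded on a known-clean system."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: the given boot code plus one active NTFS partition."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, 440, 0x1234ABCD)
    sector[TABLE_OFFSET:TABLE_OFFSET + 16] = struct.pack(
        "<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0" + b"\x90" * 64)
    baseline = parse_mbr(clean)["boot_code_sha256"]
    patched = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 64)
    print(parse_mbr(clean)["partitions"])
    print("changed:", boot_code_changed(patched, baseline))
```

A hash that differs from the baseline only shows that the boot code changed; an OEM recovery loader such as the one discussed in the thread would differ from a stock Windows MBR in the same way, so the baseline has to come from the machine's own known-good state.
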
Pony_Girl

  • Guest
Re: Unknown MBR code
« Reply #13 on: August 12, 2011, 02:36:31 AM »
Yay! :D Thank you everybody who has taken the time to respond to this thread and help me out here, it is really appreciated. :)

No, I don't tend to use the Admin user account for routine/general computer use (aside from regular updating of AV's/scanners which Admin privileges are needed for - MBAM wouldn't seem to update otherwise).
There are 3 user accounts on this computer: my mum's, my brother's, mine and an Admin user account set up after a friend of my sister suggested it.
Only my mother and I have access to the Admin account - my mum's happy to let me have access to it as I use common sense and am the most knowledgeable person in our house when it comes to computers (done a few courses, have real life friends who are fully qualified in this kinda thing who teach me all sorts - I'm lucky to be friends with them, they're great people :) ).

I'm by no means an expert, but I draw on knowledge I already have, use common sense and take care of general maintenance and stuff like keeping it all up to date. If I spot a problem and I KNOW FOR CERTAIN that I can fix it and won't break anything/f*ck it up, I get on with it - if I don't know what to do/what I'm doing I know people I can go to, have reliable sources and know where to look for help and advice (my brother on the other hand thinks he knows everything and jumps to conclusions - I like to first identify if there is a problem then what the problem is, then I fix it if I can, if I can't I do homework on it and seek advice).

Online DavidR

Re: Unknown MBR code
« Reply #14 on: August 12, 2011, 03:21:56 AM »
You're welcome.

Avast shouldn't need the Admin account to update as the avast.setup that does the update runs as a System user, see image.

I have MBAM Pro and that doesn't need 'the admin' account either, whilst I use an account which has admin privileges (but not 'the admin' account, there is a difference) and that is just fine.
« Last Edit: August 12, 2011, 03:23:50 AM by DavidR »