support for aswMBR?

[bobbyrae]

I'm new here, so sorry if this is the wrong forum, but it looked the closest.

I am attempting to repair my WinXP system, and a helpful malware exterminator over at TechSpot.com told me to use aswMBR to scan my system.

this thing:  aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software

I have a SCSI Ultra160 controller and MAYBE that is the problem.  It takes HOURS for this software to run and, honestly, I still haven't seen it complete the scan yet.  It is only scanning the system files, not the whole disk. It can be seen taking several minutes on each of large files, and just a few minutes ago, as the time went across midnight, it sat on one file for almost an hour.  I couldn't even get Task Manager to Start and so I had to just press the reset button!

I can't believe this is normal or acceptable.  Are there any command line tricks I might try?

[Pondus]

do you have a malware problem ?



if so, follow the guide here, attach the logs and essexboy will help you when he arrive
http://forum.avast.com/index.php?topic=53253.0

[Lisandro]

Which is your installed antivirus?

[essexboy]

Run aswMBR initially with no scan selected in the drop down box

[bobbyrae]

Viruses were found and removed. Malware was found and removed. It now APPEARS that there is a bootkit infection, but that is why I am running this utility.

Here is the log file, which shows that it ran for over 15 hours and still had not completed! Maybe I need to turn off a bunch of services? What could cause this?


aswMBR version 0.9.9.1297 Copyright(c) 2011 AVAST Software
Run date: 2012-01-19 02:18:03
-----------------------------
02:18:03.984    OS Version: Windows 5.1.2600 Service Pack 3
02:18:03.984    Number of processors: 1 586 0x801
02:18:03.984    ComputerName: RIONXP  UserName: Rion
02:18:04.328    Initialize success
02:18:12.093    AVAST engine defs: 12011801
02:18:30.859    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\adpu160m1Port2Path0Target0Lun0
02:18:30.859    Disk 0 Vendor: SEAGATE_ 0003 Size: 17501MB BusType: 1
02:18:31.375    Disk 1  \Device\Harddisk1\DR1 -> \Device\Scsi\adpu160m1Port2Path0Target1Lun0
02:18:31.375    Disk 1 Vendor: QUANTUM_ UCH0 Size: 8759MB BusType: 1
02:18:31.375    Disk 2  \Device\Harddisk2\DR2 -> \Device\Scsi\adpu160m1Port2Path0Target2Lun0
02:18:31.375    Disk 2 Vendor: FUJITSU_ 0104 Size: 35068MB BusType: 1
02:18:31.375    Device \Driver\adpu160m -> DriverStartIo SCSIPORT.SYS f73c440e
02:18:31.406    Disk 0 MBR read successfully
02:18:31.406    Disk 0 MBR scan
02:18:31.421    Disk 0 Windows XP default MBR code
02:18:31.437    Disk 0 Partition 1 80 (A) 0C    FAT32 LBA MSDOS5.0    17492 MB offset 63
02:18:31.453    Disk 0 scanning sectors +35824950
02:18:31.468    Disk 0 scanning C:\WINDOWS\system32\drivers
02:57:49.187    Service scanning
02:57:50.343    Modules scanning
03:32:05.765    Disk 0 trace - called modules:
03:32:05.765    ntoskrnl.exe CLASSPNP.SYS disk.sys SCSIPORT.SYS hal.dll adpu160m.sys
03:32:05.781    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86f0e918]
03:32:05.781    3 CLASSPNP.SYS[f750ffd7] -> nt!IofCallDriver -> \Device\Scsi\adpu160m1Port2Path0Target0Lun0[0x86fd6a38]
03:32:06.328    AVAST engine scan C:\WINDOWS
03:44:38.890    AVAST engine scan C:\WINDOWS\system32
16:42:33.781    AVAST engine scan C:\WINDOWS\system32\drivers
17:21:50.796    AVAST engine scan C:\Documents and Settings\Rion
17:38:51.125    Disk 0 MBR has been saved successfully to "C:\MBR.dat"
17:38:51.140    The log file has been saved successfully to "C:\aswMBR.txt"

[essexboy]

Do you have a link to the thread so that I can see what has been done

[bobbyrae]

Here's the link for EssexBoy, but I am a bit perplexed that no one has a clue as to why the utility runs so slowly.  I am going to guess that it is because of my SCSI controller.  Many of these utilities try to access the drive directly, but if they assume an ATA drive, that won't work on my system.

http://www.techspot.com/vb/topic176130.html

[essexboy]

How much data is on your drive and what size is it

The actual MBR scan part should take no more than a minute or two

Just running a quick scan now, this is the log after a quick scan 

Do any other programmes have problems running on the drive configuration >

aswMBR version 0.9.9.1509 Copyright(c) 2011 AVAST Software
Run date: 2012-01-24 21:18:01
-----------------------------
21:18:01.413    OS Version: Windows x64 6.1.7601 Service Pack 1
21:18:01.413    Number of processors: 4 586 0x2A07
21:18:01.413    ComputerName: MARTIN-HP  UserName: Martin
21:18:03.254    Initialize success
21:18:03.472    AVAST engine defs: 12012400
21:18:09.182    Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
21:18:09.182    Disk 0 Vendor: Hitachi_ JP4O Size: 953869MB BusType: 3
21:18:09.182    Disk 0 MBR read successfully
21:18:09.197    Disk 0 MBR scan
21:18:09.197    Disk 0 unknown MBR code
21:18:09.197    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048
21:18:09.213    Disk 0 Partition 2 00     07    HPFS/NTFS NTFS       482461 MB offset 206848
21:18:09.213    Disk 0 Partition - 00     0F Extended LBA            460152 MB offset 988286976
21:18:09.244    Disk 0 Partition 3 00     07    HPFS/NTFS NTFS        11154 MB offset 1930678272
21:18:09.275    Disk 0 Partition 4 00     07    HPFS/NTFS NTFS       460151 MB offset 988289024
21:18:09.275    Service scanning
21:18:10.414    Modules scanning
21:18:10.414    Disk 0 trace - called modules:
21:18:10.929    ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
21:18:10.929    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8006fd4060]
21:18:10.945    3 CLASSPNP.SYS[fffff88001d7143f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004751050]
21:18:12.926    AVAST engine scan C:\Windows
21:18:15.734    AVAST engine scan C:\Windows\system32
21:19:09.772    AVAST engine scan C:\Windows\system32\drivers
21:19:16.434    AVAST engine scan C:\Users\Martin
21:20:12.516    AVAST engine scan C:\ProgramData
21:21:06.913    Scan finished successfully
21:22:48.735    Disk 0 MBR has been saved successfully to "C:\Users\Martin\Desktop\MBR.dat"
21:22:48.735    The log file has been saved successfully to "C:\Users\Martin\Desktop\aswMBR.txt"

[bobbyrae]

>>How much data is on your drive and what size is it
I have three SCSI drives, but the C drive is 18g, 12g is used.

>>The actual MBR scan part should take no more than a minute or two
I think you can inspect the listing I gave and see the time stamps. 
The first part went very quickly like you say, but when scanning directories...

>>Do any other programmes have problems running on the drive configuration
There was another anti-virus utility they asked me to run, and it didn't complete
like it should.  The initial message said something to the effect "this program should
take no more than 3 minutes..."  and so after 10 minutes it seemed to be hanging. 
And I couldn't terminate it or even get Windows task manager to start, so I
had to press the reset button. UGGGHH! That thing was not a program, but a script.
It is called DDS.scr and they had me put it on the desktop and run from there. I have
tried it a few times and always got the same result.  BUT... all normal programs seem to run
just fine.
 

[essexboy]

I think the Esage run had problems as well, as the list partitions looked OK

What symptoms are you experiencing ? 

I notice that he hasn't tried OTL yet I wonder if that would run

[bobbyrae]

I think the Esage run had problems as well, as the list partitions looked OK

What symptoms are you experiencing ? 

I notice that he hasn't tried OTL yet I wonder if that would run

Not sure what the Esage run is.  Currently I am experiencing NO SYMPTOMS except
scanners not working!  I don't know what OTL is.

Since my last post, he had me try ComboFix, which did about the same thing as DDS - started up OK, then just sat there ofr hours until I hit the reset button.  I couldn't do a normal shutdown or kill CF. He may ask me to rename CF and try it that way.

My current position is that the system seems to be working just fine and all this effort seems to be going nowhere.  Of course, if there is an indication of a rootkit, it must be found.

[essexboy]

The problem being perceived is in this area - you are in the blue

02:18:31.437    Disk 0 Partition 1 80 (A) 0C    FAT32 LBA MSDOS5.0    17492 MB offset 63
21:18:09.197    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048

80 (A) 0C    This indicates a FAT32 partition

Whereas

80 (A) 07    This indicates a NTFS partition

Most programmes now expect a NTFS file structure, so this may be the root of the problem  

[bobbyrae]

The problem being perceived is in this area - you are in the blue

02:18:31.437    Disk 0 Partition 1 80 (A) 0C    FAT32 LBA MSDOS5.0    17492 MB offset 63
21:18:09.197    Disk 0 Partition 1 80 (A) 07    HPFS/NTFS NTFS          100 MB offset 2048

80 (A) 0C    This indicates a FAT32 partition

Whereas

80 (A) 07    This indicates a NTFS partition

Most programmes now expect a NTFS file structure, so this may be the root of the problem  

I have suspecting something of that nature. Some kind of assumption or bug with SCSI. Actually, most of the scanners I have tried have worked well, it's just these three that I mentioned that are hanging.  There's about 10 others that I have run OK by now.

If these scanners have such a limitation, it should be documented and these professional helper types that are telling us to use the scanners should know. They will see FAT32 in one of the log files and then not ask us to use those specific scanners, right?

[bobbyrae]

ComboFix (CF) needs the Windows recovery console (WRC)installed to do it's thing.  I already had installed it (I think), and CF informed me that it was going to install or update WRC.  It turns out that it installed a CORRUPTED SCSI driver, so WRC would no longer boot.  I know this because I attempted to boot into WRC and it gave me a message about that and then when I looked at the driver file it was very small and contained the text "404 - file not found."  Did this come from Microsoft? I don't know.

My answer was to let it do it's "update" thing and then later copy in the correct SCSI driver file from the i386 directory. Then WRC was up to date and was bootable.  Unfortunately, this did not seem to fix the problem with CF just hanging in AutoScan.

[bobbyrae]

ComboFix created a directory and I found mbr.log in there: 

Code: [Select]

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: SEAGATE_ rev.0003 -> Harddisk0\DR0 -> \Device\Scsi\adpu160m1Port2Path0Target2Lun0

device: opened successfully
user: MBR read successfully
kernel: MBR read successfully
user != kernel MBR !!!
error: Read  The request could not be performed because of an I/O device error.