
False Positive or Real Issue?



#1 N. Kaufman (Member, 48 posts)

I have my laptop running Win-7 64-bit.

Just the other day, I downloaded mbr.exe from gmer.net and ran it using Admin. Got the following in log file:

*********MBR.exe Log Begins**********************************************

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 6.1.7601

device: opened successfully
user: error reading MBR
error: Read The handle is invalid.
kernel: error reading MBR

*********MBR.exe Log Ends **********************************************

Getting a bit concerned, I then downloaded aswMBR from gmer.net and ran it without virus scanning. Following are the results:

********* aswMBR.exe Log Begins **********************************************

aswMBR version 0.9.9.1771 Copyright© 2011 AVAST Software
Run date: 2013-06-13 20:23:31
-----------------------------
20:23:31.383 OS Version: Windows x64 6.1.7601 Service Pack 1
20:23:31.383 Number of processors: 2 586 0x170A
20:23:31.384 ComputerName: NK-PC UserName: Admin
20:23:32.283 Initialize success
20:23:32.558 AVAST engine defs: 13061301
20:23:39.692 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0
20:23:39.696 Disk 0 Vendor: FUJITSU_MJA2250BH_G2 8919 Size: 238475MB BusType: 11
20:23:39.809 Disk 0 MBR read successfully
20:23:39.813 Disk 0 MBR scan
20:23:39.819 Disk 0 Windows 7 default MBR code
20:23:39.828 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
20:23:39.842 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 140374 MB offset 206848
20:23:39.870 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 97999 MB offset 287692800
20:23:40.161 Disk 0 scanning C:\Windows\system32\drivers
20:23:54.807 Service scanning
20:24:26.682 Modules scanning
20:24:26.689 Disk 0 trace - called modules:
20:24:26.714 ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys ataport.SYS PCIIDEX.SYS hal.dll msahci.sys
20:24:27.056 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004b2c450]
20:24:27.065 3 CLASSPNP.SYS[fffff880018dd43f] -> nt!IofCallDriver -> [0xfffffa80047b1520]
20:24:27.073 5 ACPI.sys[fffff8800115e7a1] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0xfffffa80047ad680]
20:24:27.083 Scan finished successfully
20:25:00.552 Disk 0 MBR has been saved successfully to "C:\Users\Admin\Desktop\Software\MBR.dat"
20:25:00.557 The log file has been saved successfully to "C:\Users\Admin\Desktop\Software\aswMBR.txt"


********* aswMBR.exe Log Ends **********************************************

The above aswMBR log shows everything is fine.

So is MBR.exe giving me false positives, or is aswMBR wrong?

Please help!!!!



Ran MBAM and following is the log:

Malwarebytes Anti-Malware 1.75.0.1300
www.malwarebytes.org

Database version: v2013.06.13.09

Windows 7 Service Pack 1 x64 NTFS
Internet Explorer 10.0.9200.16576
Admin :: NK-PC [administrator]

6/13/2013 10:37:18 PM
mbam-log-2013-06-13 (22-37-18).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 277864
Time elapsed: 3 minute(s), 47 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)



What is going on? Both MBAM and aswMBR do not show any problem. Only MBR.exe does. Why??

Edited by N. Kaufman, 13 June 2013 - 08:47 PM.



#2 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Hello N. Kaufman,

I am curious to know why you downloaded those tools. Was your machine experiencing suspicious symptoms?

Turning to your question I don't know why you are getting different results from MBR.exe and aswMBR but let's run TDSSKiller just to make sure.

Please download the latest version of TDSSKiller from here and save it to your Desktop.
  • Double-click on TDSSKiller.exe to run the application, then click on Change parameters.
  • Put a checkmark beside Loaded modules.
  • A reboot will be needed to apply the changes. Do it.
  • TDSSKiller will launch automatically after the reboot. Also your computer may seem very slow and unusable. This is normal. Give it enough time to load your background programs.
  • Then click on Change parameters in TDSSKiller.
  • Check all boxes then click OK.
  • Click the Start Scan button.
  • The scan should take no longer than 2 minutes.
  • If a suspicious object is detected, the default action will be Skip; click on Continue.
  • If malicious objects are found, they will show in the Scan results - Select action for found objects and offer three options.
    Ensure Cure (default) is selected, then click Continue > Reboot now to finish the cleaning process.

    Note: If Cure is not available, please choose Skip instead; do not choose Delete unless instructed.
  • A report will be created in your root directory (usually the C:\ folder) in the form of "TDSSKiller.[Version]_[Date]_[Time]_log.txt". Please copy and paste the contents of that file here.


#3 N. Kaufman (Topic Starter, Member, 48 posts)

Hello,

No issues were there. However, I just run these tools every once in a while to make sure that machines are working properly.

Here are the TDSSKiller logs. Only 2 threats (false) - SASCore - SuperAntiSpyware and Brother printer.

Had to attach file as results were too long to be posted in reply.

Edit - Forgot to mention that I did not get any "Cure" options. So I skipped all.

This is very strange.

Is there a problem running MBR.exe under 64-bit Win-7 prof edition?

Attached Files


Edited by N. Kaufman, 20 June 2013 - 01:27 PM.


#4 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Is there a problem running MBR.exe under 64-bit Win-7 prof edition?


There was with the older versions but I believe (I haven't used it for some time) that the latest versions do work with Win 7 and 64bit machines.

I don't think you have a problem but let's run an online scan to make sure we aren't missing something.

Please run a free online scan with the ESET Online Scanner

Vista / Win7 users: Right-click on either the IE or FF icon in the Start Menu or Quick Launch Bar on the Taskbar and select Run as Administrator.

Note: This scan works with Internet Explorer or Mozilla Firefox.

If using Mozilla Firefox you will need to download esetsmartinstaller_enu.exe when prompted then double click on it to install.

  • Click the green ESET Online Scanner box
  • Tick the box next to YES, I accept the Terms of Use
    then click on: Start
  • You may see a panel towards the top of the screen telling you the website wants to install an addon... click and allow it to install. If your firewall asks whether you want to allow installation, say yes.
  • Make sure that the option Scan archives is checked.
  • Now click on Advanced Settings and select the following:
    • Scan for potentially unwanted applications
    • Scan for potentially unsafe applications
    • Enable Anti-Stealth Technology
  • Click on Start
  • The virus signature database will begin to download. Be patient; this may take some time depending on the speed of your Internet connection.
  • When completed the Online Scan will begin automatically. The scan may take several hours.
  • Do not touch either the Mouse or keyboard during the scan otherwise it may stall.
  • When completed select Uninstall application on close, make sure you copy the logfile first!
  • Then click on: Finish
  • Use notepad to open the logfile located at C:\Program Files\ESET\EsetOnlineScanner\log.txt.
  • Copy and paste that log as a reply to this topic.


#5 N. Kaufman (Topic Starter, Member, 48 posts)

Hello,

Following is the contents of the log file after running Eset

C:\Users\Admin\AppData\Local\Temp\AskSLib.dll a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\Admin\Desktop\Changes\Changes\FoxitReader531.0606_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
C:\Users\Admin\Desktop\Changes\From-All\FoxitReader531.0606_enu_Setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
D:\$RECYCLE.BIN\S-1-5-21-3541748131-2431800971-909701637-1000\$RRAUWDG.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
D:\Software\hwmonitor_1.18-setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
D:\Software\13-ImgBurn\SetupImgBurn_2.5.7.0.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
D:\Software\18-Auslogics\disk-defrag-setup.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined
D:\Software\7-CutePDF\CuteWriter.exe a variant of Win32/Bundled.Toolbar.Ask application cleaned by deleting - quarantined

Seems to NOT like Ask.com toolbar in the various program files. I deleted them because I can always download the latest versions of these freeware. One seems to be malware - C:\Users\Admin\AppData\Local\Temp\AskSLib.dll or then maybe not.

Edited by N. Kaufman, 20 June 2013 - 08:46 PM.


#6 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Seems to NOT like Ask.com toolbar in the various program files.


It comes bundled with other stuff, some of it adware and foistware; see the link below:

http://www.systemloo...ar_ask_com.html

Let's check to see if there is other adware there:

  • Download OTL to your desktop.
  • Double click on the icon to run it. Make sure all other windows are closed and to let it run uninterrupted.
  • When the window appears, underneath Output at the top change it to Minimal Output.
  • Under the Standard Registry box change it to All.
  • Check the boxes beside LOP Check and Purity Check.
  • Click the Run Scan button. Do not change any settings unless otherwise told to do so. The scan won't take long.
  • When the scan completes, it will open two notepad windows. OTL.Txt and Extras.Txt. These are saved in the same location as OTL.
  • Please copy (Edit->Select All, Edit->Copy) the contents of these files, one at a time, and post it with your next reply.


#7 N. Kaufman (Topic Starter, Member, 48 posts)

Hello,

Sorry, I was away for a few days but am back now and will look at d/loading OTL etc.

What I did before going on my trip was - Install Win-7 on another hard drive that I had and tried to run mbr on it. Got same error and makes me wonder if there is something that stops mbr.exe from running under win-7 64-bit prof edition.

Thanks,

#8 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Hello N. Kaufman,

I somehow missed your reply here.

You didn't follow up with the OTL scan that I mentioned in my last post so I take it that you are happy?

#9 N. Kaufman (Topic Starter, Member, 48 posts)

Hello N. Kaufman,

I somehow missed your reply here.

You didn't follow up with the OTL scan that I mentioned in my last post so I take it that you are happy?


Hello,

Sorry. Got slammed after coming back from my trip. Am planning to d/load OTL over the long weekend and will let you know.

Any thoughts on same issue of mbr.exe from running under win-7 64-bit prof edition on another hard drive?

Thanks,

#10 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Any thoughts on same issue of mbr.exe from running under win-7 64-bit prof edition on another hard drive?


Try this one:

Download MBRCheck.exe

Right-click and run it as administrator. Wait while it does its job... it might seem to be doing nothing for a bit.

Post the results back here.


#11 N. Kaufman (Topic Starter, Member, 48 posts)

Try this one:

Download MBRCheck.exe

Right-click and run it as administrator. Wait while it does its job... it might seem to be doing nothing for a bit.

Post the results back here.


Hello,

Did not run OTL yet. Will do if you tell me to do so.

Ran MBRCheck and following are the results:
MBRCheck, version 1.2.3
© 2010, AD

Command-line:
Windows Version: Windows 7 Professional
Windows Information: Service Pack 1 (build 7601), 64-bit
Base Board Manufacturer: Hewlett-Packard
BIOS Manufacturer: Hewlett-Packard
System Manufacturer: Hewlett-Packard
System Product Name: HP G71 Notebook PC
Logical Drives Mask: 0x0000001c

Kernel Drivers (total 207):
0x02A1C000 \SystemRoot\system32\ntoskrnl.exe
0x03002000 \SystemRoot\system32\hal.dll
0x00BC4000 \SystemRoot\system32\kdcom.dll
0x00C0E000 \SystemRoot\system32\mcupdate_GenuineIntel.dll
0x00C5D000 \SystemRoot\system32\PSHED.dll
0x00C71000 \SystemRoot\system32\CLFS.SYS
0x00CCF000 \SystemRoot\system32\CI.dll
0x00E8A000 \SystemRoot\system32\drivers\Wdf01000.sys
0x00F4C000 \SystemRoot\system32\drivers\WDFLDR.SYS
0x00F5C000 \SystemRoot\system32\drivers\ACPI.sys
0x00FB3000 \SystemRoot\system32\drivers\WMILIB.SYS
0x00FBC000 \SystemRoot\system32\drivers\msisadrv.sys
0x00FC6000 \SystemRoot\system32\drivers\pci.sys
0x00E00000 \SystemRoot\system32\drivers\vdrvroot.sys
0x00E0D000 \SystemRoot\System32\drivers\partmgr.sys
0x00E22000 \SystemRoot\system32\DRIVERS\compbatt.sys
0x00E2B000 \SystemRoot\system32\DRIVERS\BATTC.SYS
0x00E37000 \SystemRoot\system32\drivers\volmgr.sys
0x00D8F000 \SystemRoot\System32\drivers\volmgrx.sys
0x00E4C000 \SystemRoot\System32\drivers\mountmgr.sys
0x010DB000 \SystemRoot\system32\drivers\vmbus.sys
0x01117000 \SystemRoot\system32\drivers\winhv.sys
0x0112B000 \SystemRoot\system32\drivers\atapi.sys
0x01134000 \SystemRoot\system32\drivers\ataport.SYS
0x0115E000 \SystemRoot\system32\drivers\msahci.sys
0x01169000 \SystemRoot\system32\drivers\PCIIDEX.SYS
0x01179000 \SystemRoot\system32\drivers\amdxata.sys
0x01184000 \SystemRoot\system32\drivers\fltmgr.sys
0x011D0000 \SystemRoot\system32\drivers\fileinfo.sys
0x0123B000 \SystemRoot\System32\Drivers\Ntfs.sys
0x01000000 \SystemRoot\System32\Drivers\msrpc.sys
0x013DD000 \SystemRoot\System32\Drivers\ksecdd.sys
0x0105E000 \SystemRoot\System32\Drivers\cng.sys
0x01200000 \SystemRoot\System32\drivers\pcw.sys
0x01211000 \SystemRoot\System32\Drivers\Fs_Rec.sys
0x014B7000 \SystemRoot\system32\drivers\ndis.sys
0x01400000 \SystemRoot\system32\drivers\NETIO.SYS
0x01460000 \SystemRoot\System32\Drivers\ksecpkg.sys
0x01600000 \SystemRoot\System32\drivers\tcpip.sys
0x015A9000 \SystemRoot\System32\drivers\fwpkclnt.sys
0x0148B000 \SystemRoot\system32\drivers\vmstorfl.sys
0x01821000 \SystemRoot\system32\drivers\volsnap.sys
0x0186D000 \SystemRoot\System32\Drivers\spldr.sys
0x01875000 \SystemRoot\System32\drivers\rdyboost.sys
0x018AF000 \SystemRoot\System32\Drivers\mup.sys
0x018C1000 \SystemRoot\System32\drivers\hwpolicy.sys
0x018CA000 \SystemRoot\System32\DRIVERS\fvevol.sys
0x01904000 \SystemRoot\system32\DRIVERS\disk.sys
0x0191A000 \SystemRoot\system32\DRIVERS\CLASSPNP.SYS
0x0194A000 \SystemRoot\System32\Drivers\aswVmm.sys
0x0197A000 \SystemRoot\System32\Drivers\aswRvrt.sys
0x019C5000 \SystemRoot\system32\drivers\cdrom.sys
0x02CB7000 \SystemRoot\System32\Drivers\aswSnx.SYS
0x02DB6000 \SystemRoot\System32\Drivers\Null.SYS
0x02DBF000 \SystemRoot\System32\Drivers\Beep.SYS
0x02DC6000 \SystemRoot\System32\Drivers\aswKbd.SYS
0x02DCF000 \SystemRoot\System32\drivers\vga.sys
0x02C00000 \SystemRoot\System32\drivers\VIDEOPRT.SYS
0x02C25000 \SystemRoot\System32\drivers\watchdog.sys
0x02C35000 \SystemRoot\System32\DRIVERS\RDPCDD.sys
0x02C3E000 \SystemRoot\system32\drivers\rdpencdd.sys
0x02C47000 \SystemRoot\system32\drivers\rdprefmp.sys
0x02C50000 \SystemRoot\System32\Drivers\Msfs.SYS
0x02C5B000 \SystemRoot\System32\Drivers\Npfs.SYS
0x02C6C000 \SystemRoot\system32\DRIVERS\tdx.sys
0x02C8E000 \SystemRoot\system32\DRIVERS\TDI.SYS
0x02C9B000 \SystemRoot\System32\Drivers\aswTdi.SYS
0x03C68000 \SystemRoot\system32\drivers\afd.sys
0x03CF1000 \SystemRoot\System32\Drivers\aswrdr2.sys
0x03D05000 \SystemRoot\System32\DRIVERS\netbt.sys
0x03D4A000 \SystemRoot\system32\DRIVERS\wfplwf.sys
0x03D53000 \SystemRoot\system32\DRIVERS\pacer.sys
0x03D79000 \SystemRoot\system32\DRIVERS\vwififlt.sys
0x03D8F000 \SystemRoot\system32\DRIVERS\netbios.sys
0x03D9E000 \SystemRoot\system32\DRIVERS\wanarp.sys
0x03DB9000 \SystemRoot\system32\DRIVERS\VBoxUSBMon.sys
0x03C00000 \SystemRoot\system32\DRIVERS\VBoxDrv.sys
0x03C3C000 \SystemRoot\system32\drivers\termdd.sys
0x03C50000 \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL64.SYS
0x03C5A000 \??\C:\Program Files\SUPERAntiSpyware\SASDIFSV64.SYS
0x04060000 \SystemRoot\system32\DRIVERS\rdbss.sys
0x040B1000 \SystemRoot\system32\drivers\nsiproxy.sys
0x040BD000 \SystemRoot\system32\drivers\mssmbios.sys
0x040C8000 \SystemRoot\System32\drivers\discache.sys
0x040D7000 \SystemRoot\system32\drivers\csc.sys
0x0415A000 \SystemRoot\System32\Drivers\dfsc.sys
0x04178000 \SystemRoot\system32\DRIVERS\blbdrive.sys
0x04189000 \SystemRoot\System32\Drivers\aswSP.SYS
0x04000000 \SystemRoot\system32\DRIVERS\tunnel.sys
0x04026000 \SystemRoot\system32\DRIVERS\intelppm.sys
0x0403C000 \SystemRoot\system32\DRIVERS\CmBatt.sys
0x04864000 \SystemRoot\system32\DRIVERS\igdkmd64.sys
0x05287000 \SystemRoot\System32\drivers\dxgkrnl.sys
0x0537B000 \SystemRoot\System32\drivers\dxgmms1.sys
0x053C1000 \SystemRoot\system32\DRIVERS\usbuhci.sys
0x04800000 \SystemRoot\system32\DRIVERS\USBPORT.SYS
0x053CE000 \SystemRoot\system32\DRIVERS\usbehci.sys
0x00E66000 \SystemRoot\system32\drivers\HDAudBus.sys
0x0420D000 \SystemRoot\system32\DRIVERS\athrx.sys
0x045B8000 \SystemRoot\system32\DRIVERS\vwifibus.sys
0x045C5000 \SystemRoot\system32\DRIVERS\Rt64win7.sys
0x053DF000 \SystemRoot\system32\drivers\i8042prt.sys
0x04041000 \SystemRoot\system32\drivers\kbdclass.sys
0x03E87000 \SystemRoot\system32\DRIVERS\SynTP.sys
0x03EEE000 \SystemRoot\system32\DRIVERS\USBD.SYS
0x03EF0000 \SystemRoot\system32\DRIVERS\mouclass.sys
0x03EFF000 \SystemRoot\system32\drivers\wmiacpi.sys
0x03F08000 \SystemRoot\system32\drivers\CompositeBus.sys
0x03F18000 \SystemRoot\system32\DRIVERS\serscan.sys
0x03F20000 \SystemRoot\system32\drivers\ksthunk.sys
0x03F26000 \SystemRoot\system32\drivers\ks.sys
0x03F69000 \SystemRoot\system32\DRIVERS\AgileVpn.sys
0x03F7F000 \SystemRoot\system32\DRIVERS\rasl2tp.sys
0x03FA3000 \SystemRoot\system32\DRIVERS\ndistapi.sys
0x03FAF000 \SystemRoot\system32\DRIVERS\ndiswan.sys
0x03FDE000 \SystemRoot\system32\DRIVERS\raspppoe.sys
0x03E00000 \SystemRoot\system32\DRIVERS\raspptp.sys
0x03E21000 \SystemRoot\system32\DRIVERS\rassstp.sys
0x03E3B000 \SystemRoot\system32\DRIVERS\rdpbus.sys
0x03E46000 \SystemRoot\system32\DRIVERS\VBoxNetFlt.sys
0x03E75000 \SystemRoot\system32\drivers\swenum.sys
0x041EB000 \SystemRoot\system32\DRIVERS\umbus.sys
0x058DA000 \SystemRoot\system32\DRIVERS\usbhub.sys
0x05934000 \SystemRoot\System32\Drivers\NDProxy.SYS
0x05949000 \SystemRoot\system32\DRIVERS\stwrt64.sys
0x05800000 \SystemRoot\system32\DRIVERS\portcls.sys
0x0583D000 \SystemRoot\system32\DRIVERS\drmk.sys
0x0664D000 \SystemRoot\system32\DRIVERS\agrsm64.sys
0x0676F000 \SystemRoot\system32\drivers\modem.sys
0x0677E000 \SystemRoot\system32\drivers\HdAudio.sys
0x067DA000 \SystemRoot\System32\Drivers\crashdmp.sys
0x067E8000 \SystemRoot\System32\Drivers\dump_dumpata.sys
0x067F4000 \SystemRoot\System32\Drivers\dump_msahci.sys
0x06600000 \SystemRoot\System32\Drivers\dump_dumpfve.sys
0x00020000 \SystemRoot\System32\win32k.sys
0x06613000 \SystemRoot\System32\drivers\Dxapi.sys
0x0661F000 \SystemRoot\system32\DRIVERS\usbccgp.sys
0x0585F000 \SystemRoot\System32\Drivers\usbvideo.sys
0x005C0000 \SystemRoot\System32\TSDDD.dll
0x0588D000 \SystemRoot\system32\drivers\luafv.sys
0x058B0000 \??\C:\Windows\system32\drivers\aswMonFlt.sys
0x059C8000 \SystemRoot\System32\Drivers\aswFsBlk.SYS
0x059D3000 \SystemRoot\system32\drivers\WudfPf.sys
0x03DDF000 \SystemRoot\system32\DRIVERS\lltdio.sys
0x02628000 \SystemRoot\system32\DRIVERS\nwifi.sys
0x0267B000 \SystemRoot\system32\DRIVERS\ndisuio.sys
0x0268E000 \SystemRoot\system32\DRIVERS\rspndr.sys
0x026A6000 \SystemRoot\system32\drivers\HTTP.sys
0x0276F000 \SystemRoot\system32\DRIVERS\bowser.sys
0x0278D000 \SystemRoot\System32\drivers\mpsdrv.sys
0x027A5000 \SystemRoot\system32\DRIVERS\mrxsmb.sys
0x0348F000 \SystemRoot\system32\DRIVERS\mrxsmb10.sys
0x034DD000 \SystemRoot\system32\DRIVERS\mrxsmb20.sys
0x03501000 \SystemRoot\system32\drivers\peauth.sys
0x035A7000 \SystemRoot\System32\Drivers\secdrv.SYS
0x035B2000 \SystemRoot\System32\DRIVERS\srvnet.sys
0x035E3000 \SystemRoot\System32\drivers\tcpipreg.sys
0x03400000 \SystemRoot\System32\DRIVERS\srv2.sys
0x05450000 \SystemRoot\System32\DRIVERS\srv.sys
0x05559000 \SystemRoot\system32\DRIVERS\asyncmac.sys
0x055C6000 \SystemRoot\system32\DRIVERS\monitor.sys
0x00700000 \SystemRoot\System32\cdd.dll
0x771B0000 \Windows\System32\ntdll.dll
0x480E0000 \Windows\System32\smss.exe
0xFF4D0000 \Windows\System32\apisetschema.dll
0xFF9D0000 \Windows\System32\autochk.exe
0xFF4A0000 \Windows\System32\imagehlp.dll
0xFF270000 \Windows\System32\wininet.dll
0xFF190000 \Windows\System32\oleaut32.dll
0x77380000 \Windows\System32\psapi.dll
0xFF130000 \Windows\System32\Wldap32.dll
0xFF0B0000 \Windows\System32\shlwapi.dll
0xFF0A0000 \Windows\System32\nsi.dll
0x770B0000 \Windows\System32\user32.dll
0x76F90000 \Windows\System32\kernel32.dll
0xFF020000 \Windows\System32\difxapi.dll
0xFE290000 \Windows\System32\shell32.dll
0xFE080000 \Windows\System32\ole32.dll
0xFDF50000 \Windows\System32\rpcrt4.dll
0xFDF30000 \Windows\System32\sechost.dll
0xFDE50000 \Windows\System32\advapi32.dll
0xFDDB0000 \Windows\System32\comdlg32.dll
0x77370000 \Windows\System32\normaliz.dll
0xFDB20000 \Windows\System32\iertutil.dll
0xFDAF0000 \Windows\System32\imm32.dll
0xFD910000 \Windows\System32\setupapi.dll
0xFD870000 \Windows\System32\msvcrt.dll
0xFD710000 \Windows\System32\urlmon.dll
0xFD6A0000 \Windows\System32\gdi32.dll
0xFD590000 \Windows\System32\msctf.dll
0xFD4F0000 \Windows\System32\clbcatq.dll
0xFD4E0000 \Windows\System32\lpk.dll
0xFD490000 \Windows\System32\ws2_32.dll
0xFD3C0000 \Windows\System32\usp10.dll
0xFD3B0000 \Windows\System32\api-ms-win-downlevel-advapi32-l1-1-0.dll
0xFD310000 \Windows\System32\comctl32.dll
0xFD300000 \Windows\System32\api-ms-win-downlevel-normaliz-l1-1-0.dll
0xFD2C0000 \Windows\System32\cfgmgr32.dll
0xFD280000 \Windows\System32\wintrust.dll
0xFD110000 \Windows\System32\crypt32.dll
0xFD100000 \Windows\System32\api-ms-win-downlevel-version-l1-1-0.dll
0xFD0E0000 \Windows\System32\devobj.dll
0xFD0D0000 \Windows\System32\api-ms-win-downlevel-ole32-l1-1-0.dll
0xFD060000 \Windows\System32\KernelBase.dll
0xFD050000 \Windows\System32\api-ms-win-downlevel-user32-l1-1-0.dll
0xFD040000 \Windows\System32\api-ms-win-downlevel-shlwapi-l1-1-0.dll
0xFD030000 \Windows\System32\msasn1.dll

Processes (total 68):
0 System Idle Process
4 System
276 C:\Windows\System32\smss.exe
388 csrss.exe
452 C:\Windows\System32\wininit.exe
504 C:\Windows\System32\services.exe
556 C:\Windows\System32\lsass.exe
564 C:\Windows\System32\lsm.exe
676 C:\Windows\System32\svchost.exe
772 C:\Windows\System32\svchost.exe
852 C:\Windows\System32\svchost.exe
904 C:\Windows\System32\svchost.exe
936 C:\Windows\System32\svchost.exe
960 C:\Windows\System32\svchost.exe
984 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\stacsv64.exe
296 C:\Windows\System32\svchost.exe
1212 C:\Windows\System32\svchost.exe
1312 C:\Program Files\AVAST Software\Avast\AvastSvc.exe
1460 C:\Windows\System32\spoolsv.exe
1488 C:\Windows\System32\svchost.exe
1572 C:\Program Files\SUPERAntiSpyware\SASCore64.exe
1596 C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe
1628 C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe
1748 C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe
1812 C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
2824 C:\Windows\System32\svchost.exe
2868 C:\Program Files\Windows Media Player\wmpnetwk.exe
2940 C:\Windows\System32\svchost.exe
3884 C:\Windows\System32\svchost.exe
4684 csrss.exe
1060 C:\Windows\System32\winlogon.exe
4976 taskhost.exe
3568 dwm.exe
2424 explorer.exe
4708 sttray64.exe
4100 SynTPEnh.exe
4156 hkcmd.exe
3228 igfxpers.exe
5184 Updater.exe
5444 BrCtrlCntr.exe
5592 SynTPHelper.exe
5776 BrCcUxSys.exe
5908 iexplore.exe
5972 iexplore.exe
4528 C:\Windows\System32\svchost.exe
4348 AvastUI.exe
3796 C:\Windows\System32\audiodg.exe
4600 csrss.exe
2524 C:\Windows\System32\winlogon.exe
4724 C:\Windows\System32\taskhost.exe
5964 C:\Windows\System32\dwm.exe
4836 C:\Windows\explorer.exe
2264 C:\Windows\System32\wuauclt.exe
4568 C:\Program Files\IDT\WDM\sttray64.exe
5844 C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
928 C:\Windows\System32\igfxtray.exe
4596 C:\Windows\System32\hkcmd.exe
6052 C:\Windows\System32\igfxpers.exe
4316 C:\Program Files\AVAST Software\Avast\AvastUI.exe
1416 C:\Program Files (x86)\Ask.com\Updater\Updater.exe
1984 C:\Program Files (x86)\ControlCenter4\BrCtrlCntr.exe
3400 C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
1172 C:\Program Files (x86)\ControlCenter4\BrCcUxSys.exe
1116 C:\Windows\System32\taskeng.exe
6020 C:\Windows\System32\taskeng.exe
548 \\NK-PC\Public\Downloads\MBRCheck.exe
5088 C:\Windows\System32\conhost.exe
768 C:\Windows\System32\dllhost.exe

\\.\C: --> \\.\PhysicalDrive0 at offset 0x00000022`4bb00000 (NTFS)
\\.\D: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)

PhysicalDrive0 Model Number: FUJITSUMJA2250BHG2, Rev: 8919

Size Device Name MBR Status
--------------------------------------------
232 GB \\.\PhysicalDrive0 Windows 7 MBR code detected
SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79


Done!


If SUPERAntiSpyware could be a possible problem then I have no problems un-installing it to see if mbr.exe works.

Edited by N. Kaufman, 07 July 2013 - 01:26 PM.

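To make the disagreement between the three tools concrete, here is an added example (not code from this thread, nor from mbr.exe, aswMBR or MBRCheck) that does the part of their job you can check by hand: read the first sector of a raw disk, parse the four partition entries, run the structural checks a scanner does before it looks at the boot code (0x55AA signature, overlapping entries, more than one active flag, an entry running past the end of the disk), and hash both the 440-byte code area and the whole sector so the value can be set beside the SHA1 that MBRCheck printed. Whether MBRCheck hashes the code area or the whole sector is an assumption I have not verified, so the comparison accepts either. The sample input is constructed from the partition table aswMBR printed in post #1; the \\.\PhysicalDrive0 device name is the Windows raw-disk path and has to be opened from an elevated prompt.

```python
"""Read and sanity-check a disk's Master Boot Record.

Added example; not code from the thread or from mbr.exe, aswMBR or
MBRCheck. The sample partition table below is constructed from the
entries aswMBR listed in post #1.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440          # bytes 0..439: executable boot code
PART_TABLE_OFF = 446         # four 16-byte partition entries start here
MBR_SIGNATURE = b"\x55\xAA"  # bytes 510..511
ENTRY_FMT = "<B3xB3xII"      # status, CHS start, type, CHS end, LBA start, sector count


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk (needs Administrator on Windows, root on Linux)."""
    with open(device, "rb", buffering=0) as disk:
        return disk.read(SECTOR)


def parse_mbr(mbr):
    """Return the code/sector SHA-1s, the non-empty partition entries and the signature check."""
    if len(mbr) != SECTOR:
        raise ValueError("expected exactly %d bytes, got %d" % (SECTOR, len(mbr)))
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:           # empty slot
            continue
        partitions.append({
            "index": i + 1,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
            "size_mb": sectors * SECTOR // (1024 * 1024),
        })
    return {
        "boot_code_sha1": hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper(),
        "sector_sha1": hashlib.sha1(mbr).hexdigest().upper(),
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
        "partitions": partitions,
    }


def check_layout(parsed, disk_sectors=None):
    """Structural checks on the partition table; returns a list of human-readable findings."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    parts = sorted(parsed["partitions"], key=lambda p: p["lba_start"])
    if sum(1 for p in parts if p["bootable"]) > 1:
        findings.append("more than one partition flagged active")
    for p in parts:
        if p["lba_start"] == 0:
            findings.append("partition %d starts in the MBR sector itself" % p["index"])
        if disk_sectors is not None and p["lba_start"] + p["sectors"] > disk_sectors:
            findings.append("partition %d extends past the end of the disk" % p["index"])
    for a, b in zip(parts, parts[1:]):
        if a["lba_start"] + a["sectors"] > b["lba_start"]:
            findings.append("partition %d overlaps partition %d" % (a["index"], b["index"]))
    return findings


def matches_sha1(parsed, expected_hex):
    """True if the code area or the whole sector hashes to expected_hex (either convention)."""
    return expected_hex.upper() in (parsed["boot_code_sha1"], parsed["sector_sha1"])


def build_mbr(entries, boot_code=b""):
    """Assemble a 512-byte MBR from (status, type, lba_start, sectors) tuples."""
    mbr = bytearray(SECTOR)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, n) in enumerate(entries):
        off = PART_TABLE_OFF + 16 * i
        mbr[off:off + 16] = struct.pack(ENTRY_FMT, status, ptype, lba, n)
    mbr[510:512] = MBR_SIGNATURE
    return bytes(mbr)


# Constructed sample: the three NTFS partitions aswMBR listed in post #1
# (100 MB active partition at LBA 2048, then two data partitions), on a
# 238475 MB disk. The boot code area is left zeroed; it is not Windows code.
SAMPLE_ENTRIES = [
    (0x80, 0x07, 2048, 204800),
    (0x00, 0x07, 206848, 287485952),
    (0x00, 0x07, 287692800, 200701952),
]
SAMPLE_DISK_SECTORS = 238475 * 1024 * 1024 // SECTOR
SAMPLE_MBR = build_mbr(SAMPLE_ENTRIES)


if __name__ == "__main__":
    import sys
    live = len(sys.argv) > 1
    info = parse_mbr(read_mbr(sys.argv[1]) if live else SAMPLE_MBR)
    for p in info["partitions"]:
        print("partition %d %s type 0x%02X start LBA %d size %d MB" % (
            p["index"], "active" if p["bootable"] else "      ",
            p["type"], p["lba_start"], p["size_mb"]))
    print("boot code SHA1 :", info["boot_code_sha1"])
    print("sector SHA1    :", info["sector_sha1"])
    print("findings       :", check_layout(info, None if live else SAMPLE_DISK_SECTORS) or "none")
```

Run with no argument to parse the constructed sample, or from an elevated prompt with the device name (`python mbrcheck.py \\.\PhysicalDrive0`) to read the live disk. The point of doing this separately from any one scanner is that the partition offsets and the hash come from the raw sector, so three tools that disagree can be checked against one common reading; a tool that cannot even open the device, as MBR.exe reported above, has nothing to compare.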

#12 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

If SUPERAntiSpyware could be a possible problem then I have no problems un-installing it to see if mbr.exe works.


Perhaps it is SAS although I don't have it on my Win 7 Prof machine and I can't get Gmer's MBR.exe to work either.

However everything else comes up showing your machine as having the correct MBR.

I don't think it is anything to worry about. If you are concerned you could go to the Gmer site and use the email link to ask what might be going on.

#13 N. Kaufman (Topic Starter, Member, 48 posts)

Perhaps it is SAS although I don't have it on my Win 7 Prof machine and I can't get Gmer's MBR.exe to work either.

However everything else comes up showing your machine as having the correct MBR.

I don't think it is anything to worry about. If you are concerned you could go to the Gmer site and use the email link to ask what might be going on.


Oh! I didn't realize that you are experiencing the same issue. Then it does seem that mbr.exe does not run on 64-bit Win-7 Prof machines. What is surprising is that more people have not raised this issue in the past, unless I am mistaken and this is a known issue.

Edited by N. Kaufman, 07 July 2013 - 03:53 PM.


#14 emeraldnzl (GeekU Instructor, GeekU Moderator, 19,991 posts)

Hello N. Kaufman,

Oh! didn't realize that you are experiencing the same issue


Just recently tested it.

Then it does seem like mbr.exe does not seem to be running on 64-bit Win-7 Prof machines.


At the Gmer site it says in the news section:

"2013.01.03

New version 2.0.18327 with full x64 support has been released."


I suppose that might not mean mbr.exe but rather his other tools.

What is surprising is that more people have not raised this issue in the past unless I am mistaken and this is a known issue.


As I said you could take it up with him if you wish.

Actually most of us don't use that tool nowadays.

In any event I don't see a malware problem in your logs.

I think you are good to go.

We have a couple of last steps to perform and then you're all set.

Please go here to download OTC.

Run this program to remove tools we have been using.

You will be asked to reboot the machine to finish the Cleanup process choose Yes.

Any other tools remaining may be deleted.

Next, we need to clean your restore points and set a new one:

Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.

  • In the left pane, click System protection. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.
  • Under Protection Settings, click the radio button Configure.
  • Under Disk Space Usage, click the radio button Delete.
  • Click Continue, and then click OK.
-------------------------------------------------------------------------------------------------------------------

A reminder: Remember to (re-install if uninstalled during cleaning) update and turn back on any anti-malware programs you may have turned off during the cleaning process.
-------------------------------------------------------------------------------------------------------------------

Here are some things that I think are worth having a look at if you don't already know about them:

---------------------------------------------------------------------------------------------------------------------

It is good security practice to change your passwords to all your online accounts on a fairly regular basis, this is especially true after an infection. Refer to this Microsoft article Strong passwords: How to create and use them.

----------------------------------------------------------------------------------------------------------------------

Java warning

Java is a popular point of entry to your computer for malicious programs. The United States Department of Homeland Security recommends that computer users disable Java, see here. Unless you need it to run an important piece of software, the safest approach is to completely uninstall Java. Where you do require it, the next safest option is to disable it in your browsers until you need it, then enable it.

How to disable Java in your web browser and How to unplug Java from the browser

If you do still need Java then regularly check that it is up to date. Older versions are the most vulnerable to malicious attack.

  • Download Java for Windows

    Reboot your computer.
    You also need to uninstall older versions of Java.
  • Click Start > Control Panel > Add or Remove Programs
  • Remove all Java updates except the latest one you have just installed.
--------------------------------------------------------------------------------------------------------------------

To help protect your computer in the future:



If you do not already have automatic updates set then it is recommended that you do set Windows to check, download and install your updates automatically.

* Click Start > Control Panel > System and Security > Windows Update
* Under Windows Update click on Turn automatic updating on or off
* Check items shown to ensure you receive updates automatically. Click OK.

Be aware of what emails you open and websites you visit.

Go here for some good advice about how to prevent infection.

A fun way to check your online safety literacy.

Quiz - getsafeonline

Have a safe and happy computing day!

#15 N. Kaufman (Topic Starter, Member, 48 posts)

Hello N. Kaufman,

Oh! didn't realize that you are experiencing the same issue


Just recently tested it.


Quick question. Did you get the same result that I got while running mbr.exe under 64-bit win-7 prof edition?

Thanks,