Adlice forum
Software feedback => RogueKiller => Topic started by: johnnykid2321 on August 24, 2015, 06:49:57 PM
-
Why is my MBR Code "Unknown"? Shouldn't it say Vista? Is there a rootkit... what's going on?
RogueKiller V10.10.2.0 (x64) [Aug 24 2015] by Adlice Software
mail : http://www.adlice.com/contact/
Feedback : http://forum.adlice.com
Website : http://www.adlice.com/softwares/roguekiller/
Blog : http://www.adlice.com
Operating System : Windows 7 (6.1.7600) 64 bits version
Started in : Safe mode with network support
User : Parent [Administrator]
Started from : C:\Users\Parent\Documents\AV\RogueKillerX64.exe
Mode : Scan -- Date : 08/24/2015 11:51:51
¤¤¤ Processes : 0 ¤¤¤
¤¤¤ Registry : 0 ¤¤¤
¤¤¤ Tasks : 0 ¤¤¤
¤¤¤ Files : 0 ¤¤¤
¤¤¤ Hosts File : 0 ¤¤¤
¤¤¤ Antirootkit : 0 (Driver: Not loaded [0xc000035f]) ¤¤¤
¤¤¤ Web browsers : 0 ¤¤¤
¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: TOSHIBA MK6465GSX +++++
--- User ---
[MBR] cd077db3adb3d2c6c8799ce0f1f8d622
[BSP] 001f21890a1e793c91827d583e4eebdc : Unknown MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 593576 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1216053248 | Size: 16600 MB [Windows Vista/7/8 Bootstrap | Windows Vista/7/8 Bootloader]
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 1250050048 | Size: 103 MB
User = LL1 ... OK
User = LL2 ... OK
Here's my aswMBR scan
aswMBR version 1.0.1.2252 Copyright(c) 2014 AVAST Software
Run date: 2015-08-24 12:51:07
-----------------------------
12:51:07.798 OS Version: Windows x64 6.1.7600
12:51:07.798 Number of processors: 4 586 0x2505
12:51:07.798 ComputerName: PARENT-HP UserName: Parent
12:51:08.937 Initialize success
12:51:11.670 AVAST engine defs: 15082400
12:52:34.140 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1
12:52:34.140 Disk 0 Vendor: TOSHIBA_ GJ00 Size: 610480MB BusType: 3
12:52:34.297 Disk 0 MBR read successfully
12:52:34.297 Disk 0 MBR scan
12:52:34.832 Disk 0 unknown MBR code
12:52:34.848 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 199 MB offset 2048
12:52:34.848 Disk 0 default boot code
12:52:35.032 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 593576 MB offset 409600
12:52:35.079 Disk 0 Partition 3 00 07 HPFS/NTFS NTFS 16600 MB offset 1216053248
12:52:35.145 Disk 0 Partition 4 00 0C FAT32 LBA MSDOS5.0 103 MB offset 1250050048
12:52:35.473 Disk 0 scanning C:\Windows\system32\drivers
12:52:45.996 Service scanning
12:53:23.914 Modules scanning
12:53:23.915 Disk 0 trace - called modules:
12:53:23.967 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
12:53:23.967 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xfffffa8004ba0060]
12:53:23.967 3 CLASSPNP.SYS[fffff88001bb043f] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0xfffffa8004905050]
12:53:23.967 Disk 0 statistics 104659/0/0 @ 7.95 MB/s
12:53:23.967 Scan finished successfully
12:53:55.673 Disk 0 MBR has been saved successfully to "C:\Users\Parent\Documents\MBR.dat"
12:53:55.678 The log file has been saved successfully to "C:\Users\Parent\Documents\aswMBR.t
-
Hi johnnykid2321,
Welcome to Adlice.com Forum.
The MBR is not linked to the operating system installed but usually to the PC manufacturer.
When the MBR is unknown, RogueKiller dumps it in the %programdata%/RogueKiller/debug/ folder.
Could you please attach it with your next reply?
Regards.
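As an added illustration of the check behind the "Unknown MBR Code" verdict above (example code written for this thread, not RogueKiller's or aswMBR's own implementation): the tool hashes the boot-code bytes and looks them up in a list of known OEM loaders, then decodes the four partition entries into the active flag, type, offset and size seen in the log. The MBR here is constructed to match the thread's partition table, the bootstrap bytes are a dummy, and the MD5 is assumed to cover the 440-byte bootstrap region (the real list and hashed range are not on this page).

```python
import hashlib
import struct

SECTOR = 512
BOOTCODE_LEN = 440             # bootstrap area before the 4-byte disk signature (assumed range)
PT_OFFSET, PT_ENTRY = 446, 16  # partition table: four 16-byte entries

def build_sample_mbr():
    """Constructed 512-byte MBR mirroring the four partitions in the thread's logs."""
    mbr = bytearray(SECTOR)
    mbr[:BOOTCODE_LEN] = b"\x90" * BOOTCODE_LEN    # dummy NOP filler, not a real loader
    entries = [  # (boot flag, type, first LBA, size in MB) as reported by RogueKiller
        (0x80, 0x07, 2048, 199),
        (0x00, 0x07, 409600, 593576),
        (0x00, 0x07, 1216053248, 16600),
        (0x00, 0x0C, 1250050048, 103),
    ]
    for i, (flag, ptype, lba, mb) in enumerate(entries):
        off = PT_OFFSET + i * PT_ENTRY
        sectors = mb * 1024 * 1024 // SECTOR
        # CHS start/end fields are zeroed; LBA-aware tools ignore them
        mbr[off:off + PT_ENTRY] = struct.pack("<B3sB3sII", flag, b"\0\0\0", ptype, b"\0\0\0", lba, sectors)
    mbr[510:512] = b"\x55\xAA"
    return bytes(mbr)

def parse_mbr(mbr):
    """Decode the partition table into the fields RogueKiller prints (active, type, offset, size)."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a 512-byte MBR with a valid 0x55AA signature")
    parts = []
    for i in range(4):
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, PT_OFFSET + i * PT_ENTRY)
        if ptype:  # type 0x00 means an empty slot
            parts.append({"index": i, "active": flag == 0x80, "type": ptype,
                          "offset": lba, "size_mb": count * SECTOR // (1024 * 1024)})
    return parts

def classify_bootcode(mbr, allowlist):
    """Hash the bootstrap region and look it up; anything unlisted is 'Unknown MBR Code'."""
    digest = hashlib.md5(mbr[:BOOTCODE_LEN]).hexdigest()
    return digest, allowlist.get(digest, "Unknown MBR Code")

def check_layout(parts):
    # Return a note for every partition that runs past the start of the next one
    issues = []
    for a, b in zip(parts, parts[1:]):
        end = a["offset"] + a["size_mb"] * 1024 * 1024 // SECTOR
        if end > b["offset"]:
            issues.append(f"partition {a['index']} overlaps partition {b['index']}")
    return issues
```

An unknown hash with a clean, contiguous partition table (as here) points to an unlisted OEM loader rather than a bootkit; an unknown hash combined with overlapping or hidden entries is what deserves a closer look.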
-
I couldn't upload RogueKiller.mtx do you need it as well?
Judging from my logs, there's nothing suspicious going on right?
I'm literally on OCD Paranoia right now w/ my computer
-
Hi johnnykid2321,
Your computer is not infected.
Thanks to your upload, we will be able to add this MBR to the list of legit ones.
Regards.
-
Thanks.
I also did an Emsisoft scan and I found these registry keys.
How dangerous are any of them? Could they have stolen confidential information?
I've run TDSS killer, avast, avira, rkiller, hitman pro, zoek.exe, aswMBR, microsoft malicious software tool, adwcleaner, and junkware.
Could any of those programs have triggered those registry keys?
Emsisoft Emergency Kit v. 10.0.0.5488
(C) 2003-2015 Emsisoft - www.emsisoft.com
ID Object
0 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASAPI32 detected: Application.Win32.InstallExt (A)
1 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\AU__RASMANCS detected: Application.Win32.InstallExt (A)
2 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TASKSCHEDULER_RASAPI32 detected: Application.Win32.InstallExt (A)
3 Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432NODE\MICROSOFT\TRACING\TASKSCHEDULER_RASMANCS detected: Application.Win32.InstallExt (A)
4 Value: HKEY_USERS\S-1-5-21-249595754-1824982653-1794911265-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLEREGISTRYTOOLS detected: Setting.DisableRegistryTools (A)
5 Value: HKEY_USERS\S-1-5-21-249595754-1824982653-1794911265-1000\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\POLICIES\SYSTEM -> DISABLETASKMGR detected: Setting.DisableTaskMgr (A)
-
Hi,
These entries are inactive remnants of the adware InstallExt, so you can move them to quarantine.
They pose no threat to your confidentiality.
Regards.
-
Thanks for the help, you are a fucking god
def will try to support you guys in the future when I get some $
owe ya a big one
-----
Also, for the people who may stumble upon this thread in the future:
if you have run junkware removal tools, it will affect the registry tools and taskbar manager registry keys.
-
Hi johnnykid2321,
You are very welcome.
Thanks for the kind words. :)
Regards.