aswMBR having trouble finding MBR on disk 0?

My computer has physical drive 0, consisting of E (system root drive) and F, and USB physical drive 1, logical drive H, which sometimes is connected to my computer and sometimes not.

Gmer’s mbr log keeps insisting that the MBR file on “Harddisk2\DR5” is corrupt and it has limited ability to read it.

Malwarebytes Anti-Malware won’t install, but the computer boots up just fine. The MBR in drive 0 exists.

If the USB drive is NOT connected, aswMBR reports,

17:11:25.671 Modules scanning
17:11:33.984 Disk 0 trace - called modules:
17:11:34.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:11:34.000 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0x8a56eab8]
17:11:34.000 3 CLASSPNP.SYS[b80e8fd7] → nt!IofCallDriver → \Device\0000006e[0x8a596f18]
17:11:34.000 5 ACPI.sys[b7f7f620] → nt!IofCallDriver → \Device\Ide\IdeDeviceP0T0L0-3[0x8a585d98]
17:11:34.234 AVAST engine scan E:
17:43:20.156 Scan finished successfully

If the USB drive IS hooked up, aswMBR reports,

18:10:05.390 AVAST engine defs: 12011601
18:10:16.125 Disk 0 \Device\Harddisk0\DR0 → \Device\Ide\IdeDeviceP0T0L0-3
18:10:16.125 Disk 0 Vendor: WDC_WD3200AAKS-00V1A0 05.01D05 Size: 305245MB BusType: 3
18:10:16.125 Device \Driver\usbstor → DriverStartIo USBSTOR.SYS b83d1f26
18:10:16.140 Disk 2 MBR read successfully
18:10:16.140 Disk 2 MBR scan
18:10:16.171 Disk 2 Windows XP default MBR code
18:10:16.171 Disk 2 MBR hidden
18:10:16.171 Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
18:10:16.171 Disk 2 Partition - 00 0F Extended LBA 265237 MB offset 81915435
18:10:16.171 Disk 2 Partition 2 00 07 HPFS/NTFS NTFS 265237 MB offset 81915498
18:10:16.250 Disk 2 scanning E:\WINDOWS\system32\drivers
18:10:42.828 Service scanning
18:10:43.609 Modules scanning
18:11:12.359 Disk 2 trace - called modules:

What is even up with “Disk 2”? Now, Disk 0, drive E is 39997 MB. That’s partition 1. Partition 2 is 265237 MB. Disk 01, drive H, is 74 GB.

WDC_WD3200AAKS is the model number of Disk 0.

What am I to make of this?

Also, GMER mbr refers to Harddisk2/DR5, which at one point (but not now) it claimed had rootkit-like code on it. No scan has specifically found it, but it appears that the MBR on the USB drive may or may not be Windows XP code. I’d not expect it to be Windows XP code.

Dora

That needs investigation… I will ask you to run a tool that will give essexboy the required info.

download MbrScan to your desktop
http://eric71.geekstogo.com/tools/MbrScan.exe

Run MbrScan
Place a tick in the asm Code box just below the report button
Press the scan button
Once it has completed then press the report button

Copy and paste the generated report to your next post please
Also please follow the guide at the link below and attach the logs:
http://forum.avast.com/index.php?topic=53253.0

Essexboy notified…

I attached that MbrScan log instead of pasting it; it is very long.

Thank you for your response, Indian; I’ve an idea I finally found intelligent life.

Incidentally, I purchased Avast Antivirus last week, and so far, I like it. Hard to tell what antivirus is most likely to prevent this sort of thing and I’ve run a number of them, but I like the way it operates, and it’s what I’ve had running continuously on my machine.

As to the instructions you referred me to:

One reason why I think I still have malware on my machine is that Malwarebytes’ Anti-Malware won’t fully install. It appears to install but the service appears neither in the registry nor in services.msc and the msconfig services tab. I’ve installed and run maybe six other antivirus programs complete with their services.

I’ve attached output from aswMBR with and without the USB drive attached. The results are quite different.

I attached the OTL log.

Here’s the weirdness from GMER and MBR.

GMER, under DISK sectors – refers to Disk \ Device \ Harddisk2\DR5 sector 00: rootkit-like behavior.

Today the reference to rootkit like behavior seems to have disappeared from this statement. Sometimes the reference to Harddisk2\DR5 doesn’t appear either.

MBR log reports, no matter whether the USB drive is connected or not:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net

Windows 5.1.2600 Disk: HP______ rev.1.00 → Harddisk2\DR5 → \Device\00000097

device: opened successfully

user: error reading MBR

kernel: MBR read successfully

user != kernel MBR !!

I’ve also got maybe the prize; I used a utility called MBR Wizard to examine and back up my master boot record. I could send you a screenshot of the output (in pdf format), and the backed up copy of the actual master boot record. In fact I’d love to send that thing to someone with the ability and the will to analyze it.

Thanks for helping me get to the bottom of it!

Yours,
Dora Smith

One thing; remember part of my original question was what’s device\harddisk2\DR5?

Well, something I read somewhere led me to plug the USB drive into a different USB plug on the computer to see if the number changed. Now it is apparently DR3, and evidently the number that isn’t DR0 is the USB drive.

It’s an external USB hard drive, Fantom Drive, TFDU8072

Dora

The MBR of the USB is fine… we have a problem here:

Device\Harddisk1\DR3	74.53 Go  [Fixed] ==> Unknown MBR Code ......

MBR_MD5   : D7AC31EE8D798436603C3EE1984EC422
MBR_SHA1  : E2AA030A78CD87A6AEFDFF81BC708EEB84D7229C

Device\Harddisk1\Partition1	74.53 Go  	0x07 NTFS / HPFS

There is another partition that doesn’t have an MBR code, so wait until essexboy has a look at this…

True Indian:

I’m not too clear on what the problem you are showing me is, but I wonder if it’s the fact that the USB drive’s MBR file isn’t in XP code.

I don’t actually understand why a nonbootable USB drive, intended to be used as storage and never to my knowledge used to boot, would have any MBR file. I imagine it has a partition table, but I don’t think that’s exactly the same thing. Its manufacturer wouldn’t have intended it to just be run on a Windows XP computer in any case.

Dora

It’s actually that a partition doesn’t have a known MBR code… wait until essexboy advises you with this…

How many disks do you have?
How many are fixed and how many are removable?
What problems are you experiencing?

Do the following:
With all drives connected
Start > Run
type diskmgmt.msc
Click “OK”

Disk Management will open.

Click and hold the right side of the Disk Management Window and drag it to the right until you can see all the columns.

Take a screen Shot of the Disk Management Window and attach the screen shot to your reply.

That would have to wait until tonight as I’m not home. The forum is very limited in what file formats one can attach and I wasn’t aware one has the option of attaching any image - or I’d already have attached my screenshot of the output of my mbr wizard utility, which would also have answered your questions.

The USB drive is removable - it’s a USB drive. The internal hard drive is the system hard drive, or rather the first of two partitions is bootable. The USB drive is nonbootable. It evidently has an MBR for some reason. Logically, since it isn’t a bootable hard drive but for external file storage, its MBR was not written by Microsoft nor for Windows XP.

Most of the information that you requested is in the output from that utility that Indian had me run. In fact I think that only the table that shows the physical locations associated with the start of each partition is not there. That utility describes the two drives and the physical structure of each.

It also contains the entire code on each of the two MBRs in both machine language and assembly language. I thought the point was to be able to tell at a glance if it is infected with a virus. Hence my comment that I seem to have finally found intelligent life.

The problem that I’m having is threefold.

  1. I was attacked by a fake antivirus program a week and a half ago. Vipre found one of its many files and one registry entry and identified the virus. That info isn’t handy at the moment either. fakeav.oq? I had to manually find and remove files and this has been a long process.

  2. Malwarebytes Anti-Malware trial version, expired, which previously ran, wouldn’t run. I’ve tried to install it after thoroughly removing it several times. The service won’t install. It doesn’t show up in the services.msc list and no system registry entries for it occur. Malwarebytes insists that malware must be blocking it.

  3. As I posted, my scans sometimes can’t read the master boot record on drive 0, sometimes don’t seem to see it, and sometimes report strange code.

Yours,
Dora

The forum is very limited in what file formats one can attach and I wasn't aware one has the option of attaching any image
Save as GIF... that usually works fine for me

Lower left corner: additional options > attach

OK. Later.

But meanwhile virtually all of the same information is here. Above you will see attached to my last night’s post, MbrScan.log. The breakdown of my drives is identical to that of my system’s drive management, which I have viewed. I’m just not home at the moment. Drive numbers are the same, in particular - 0 for the internal hard drive, w/ partition 1 for the drive with Windows (bootable), partition 2 for the larger drive with programs and data, drive 1 for the unpluggable USB data storage drive (with the master boot record written not for Windows XP - or else a virus, but it contains at least some actual MBR code, because I compared the rest of the output in MbrScan.log with a sample machine and assembly language of an MBR online.)

MBRScan v1.0.6

OS             : Windows XP Home Service Pack 3 (32 bit)
PROCESSOR      : x86 Family 6 Model 42 Stepping 7, GenuineIntel
BOOT           : Normal Boot
DATE           : 2012/01/17 (ISO 8601) at 21:01:29
________________________________________________________________________________

DISK           : Device\Harddisk0\DR0 __WDC WD3200AAKS-00V1A0 (05.01D05)
BUS_TYPE       : (0x03)  P-ATA
USE_PIO        : YES
MAX_TRANSFER   : 128 Kb
ALIGNMENT_MASK : word aligned
________________________________________________________________________________

DISK           : Device\Harddisk1\DR3 __MDT MD80 0JB-00FUA0
BUS_TYPE       : (0x07)  USB
USE_PIO        : NO
MAX_TRANSFER   : 64 Kb
ALIGNMENT_MASK : byte aligned
________________________________________________________________________________

Device\Harddisk0\DR0	298.1 Go  [Fixed] ==> XP MBR Code

MBR_MD5   : BAC194C4AAA77FCC6929A03DFC0A139B
MBR_SHA1  : 1C7D5FD82AF6B2355391306FA95AC90F889BE395

Device\Harddisk0\Partition1	39.06 Go  	0x07 NTFS / HPFS __ BOOTABLE __
Device\Harddisk0\Partition2	259.0 Go  	0x07 NTFS / HPFS
________________________________________________________________________________

Device\Harddisk1\DR3	74.53 Go  [Fixed] ==> Unknown MBR Code ......

MBR_MD5   : D7AC31EE8D798436603C3EE1984EC422
MBR_SHA1  : E2AA030A78CD87A6AEFDFF81BC708EEB84D7229C

Device\Harddisk1\Partition1	74.53 Go  	0x07 NTFS / HPFS
_____________________________________________________________________

Following is the entire contents of both files in machine language and then assembly language.

There is also attached above an OTL file that gives the entire structure of my system setup.   

Indian, who asked for these logs, specifically wants someone in particular to look at them.  It only makes sense to conclude that this somebody specific can read machine and/or assembly language and will know at a glance if something other than instructions pertinent to a master boot record are in these two files.

Yours,
Dora

Drive 0, the internal hard drive, has Windows installed on partition 1, and most of my programs and data on partition 2.

So I wouldn’t expect partition 2 to have a master boot record. Not sure why the USB data storage drive does.

The only information that is in my system disk management utility that is not otherwise here is the drive letters associated with the drives and partitions. Disk 0 partition 1 is drive E, Disk 0 partition 2 is drive F, and Disk 1 (the USB drive) is drive H. Another USB drive I’ve not been using recently is drive G. Drive C is the slot on the printer that I can insert a SD card into, for some reason. Maybe the printer was hooked up when I installed Windows. But if you look at the OTL output you will clearly see that my system root folder is drive E.

Dora

The reason I asked for the screen shot is that all the MBRs look good and, as far as I can see, so do the partitions…

There is a TDL doing the rounds at the moment that creates its own partition

There look to be the remnants of ZeroAccess on the OTL log

So I will check that out first

So click start > run then type/copy/paste the following command in

netsh int ip reset c:\resetlog.txt

A log will be generated on the root of the C drive; could you attach that?

Although I notice that you have been getting help at BC but the topic was closed

OK, here are the files you asked for.

I gather that I just reset my internet connection, for whatever that was worth.

That was Trojan.Win32.FakeAV.oq (v) that I got hit with. I lost both internet access and the ability to run applications for a time, but I got them restored pretty quickly. I’m not sure I did anything in particular to recover access to the Internet. I think the virus was just redirecting my browsers to its own pages. I never “installed” the stupid antivirus I allegedly needed. I quickly booted into safe mode and destroyed as many of the virus files as I could find. I was still finding potential files associated with that virus two days ago; it put them all over my system. Two days ago I was cleaning them out of my Windows folders; files that were created when the virus appeared, files with funny names, no signatures and no identifiable function. I started by deleting all files I immediately found that were created at that time. Then I searched for the process that ran every time I tried to run any application. Windows prefetch files that looked infected kept reappearing. The virus tried to reconstitute the minute it could access the Internet in safe mode. They showed up at times when nothing else would have. I cleaned out my temporary and temporary internet files five times by different methods before I finally got rid of them. Many of the virus files were there. I restored to earlier system states twice without seeming to fix much of anything. I must have run about 8 different virus scans in addition to my rootkit utilities, and they found very little. One other thing; the first time I tried rkill, it killed “explorer.exe”. But when I checked, explorer.exe was running. You know the system would have acted strange if it had shut down.

I’ve got a couple of questions.

First, when you say my MBRs look fine, what exactly did you look at? I see that my Windows MBR has quite a bit more contents and more assembly code commands than the standard Windows XP MBR I found an example of online. Did you look at it? If not, could you possibly get someone who can read the code to look at it, or tell me where I’d most likely find such an individual.

Are you talking about TDL 4? It would have written to the MBR among other things.

Can TDL 4 actually do maximum damage in Windows XP? I understand it utilizes processes that began with Vista. I am now thinking twice about getting Windows 7.

Yours,
Dora

One other thing; Indian and Essexboy; thanks for your help!

As to other forums, suffice it to say that you’re the first people who have genuinely tried to be helpful. Your strategies are far more intelligent than any I’ve encountered previously.

Dora

You’re welcome! Essexboy will arrive by night to take a look at the screenshot…

OOPS! I forgot he is on holidays now so he may be early… say by evening

The MBR data is fairly easy to read from a hex editor

And the elements I look for are the flags

In a normal system the boot element is 80 and 07
In infected systems it is 80 and 17 with 00 and 07
In your case this is the boot partition
Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63

An altered MBR would be detected by aswMBR if it is not standard; it would also show an unknown in the io section

I feel the main problem here is a lot of fiddling around and removing elements in a rather willy-nilly way

What I could do now is use Combofix to determine which elements of the infection are remaining and look at the drivers… Although I only like to use that when necessary, rather than go on a fishing expedition ;D
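As an added illustration of the flags essexboy reads from the partition table (not code from this thread or from aswMBR, GMER or MbrScan), the following Python parses a constructed 512-byte MBR that mirrors the Disk 0 layout in the aswMBR log above and applies his "80/07 is normal, 80/17 is the infected pattern" rule; the sector counts are assumptions chosen to round to the logged megabyte sizes.

```python
import struct

PART_TABLE_OFFSET = 0x1BE   # partition table starts at byte 446
ENTRY_SIZE = 16             # four 16-byte entries, then the 0x55AA signature
SECTOR = 512

# Type ids that appear in this thread: 07 NTFS, 0F extended LBA, 0C (HP tools
# partition), plus the 17 hidden-NTFS id essexboy associates with infections.
TYPE_NAMES = {0x07: "HPFS/NTFS", 0x0F: "Extended LBA",
              0x0C: "FAT32 LBA", 0x17: "Hidden HPFS/NTFS"}

def build_entry(status, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields are left zero (LBA-only)."""
    return struct.pack("<B3sB3sII", status, b"\0\0\0", ptype, b"\0\0\0",
                       lba_start, sectors)

def make_sample_mbr(boot_type=0x07):
    """Constructed MBR matching the logged Disk 0 table (boot code zeroed)."""
    table = build_entry(0x80, boot_type, 63, 81915372)          # partition 1
    table += build_entry(0x00, 0x0F, 81915435, 543205376)       # extended LBA
    table += bytes(ENTRY_SIZE) * 2                              # empty slots
    return bytes(PART_TABLE_OFFSET) + table + b"\x55\xAA"

def parse_mbr(sector):
    """Return (signature_ok, entries) for a raw 512-byte sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly 512 bytes")
    # GMER's "BIOS signature not found" refers to this trailing 0x55AA marker.
    signature_ok = sector[510:512] == b"\x55\xAA"
    entries = []
    for i in range(4):
        start = PART_TABLE_OFFSET + i * ENTRY_SIZE
        status, _, ptype, _, lba, count = struct.unpack(
            "<B3sB3sII", sector[start:start + ENTRY_SIZE])
        if ptype == 0:          # unused slot
            continue
        entries.append({"index": i + 1, "status": status, "type": ptype,
                        "name": TYPE_NAMES.get(ptype, "Unknown"),
                        "offset": lba,
                        "size_mb": count * SECTOR // (1024 * 1024)})
    return signature_ok, entries

def check_flags(entries):
    """Flag anything other than a clean 80/07 boot entry or a 00 data entry."""
    findings = []
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"partition {e['index']}: bad status byte "
                            f"{e['status']:02X}")
        if e["type"] == 0x17:
            findings.append(f"partition {e['index']}: hidden NTFS type 17 "
                            f"with status {e['status']:02X}")
    return findings
```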

MBR log now says:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer, http://www.gmer.net
Windows 5.1.2600 Disk: HP______ rev.1.00 → Harddisk1\DR3 → \Device\0000008c

device: opened successfully
user: error reading MBR
error: Read The request could not be performed because of an I/O device error.
kernel: MBR read successfully
BIOS signature not found

???

Please download MBRCheck.exe to your Desktop. Run the application.

If no infection is found, it will produce a report on the desktop. Post that report in your next reply.

If an infection is found, you will be presented with the following dialog:

    Enter ‘Y’ and hit ENTER for more options, or ‘N’ to exit:
Type N and press Enter. A report will be produced on the desktop. Post that report in your next reply.

Yes… I see on my system I have 4 partitions…

but my HP tools partition has boot element:
80 0C
But aswMBR reports it as NTFS

Seems to be different in Compaq… maybe because there is a uniqueness in Dell, HP [Compaq] partitions…

all other partitions

are with boot element 80 07 and reported also as NTFS