Unknown mbr code

Hi!

I was scanning a friend’s computer for possible infection with aswMBR. I’m not always able to complete the scan without the program crashing, but the MBR scan always completes.

I get an ‘unknown mbr code’. I should specify that the computer in question is an HP laptop, originally on Windows 7, upgraded to Windows 8, and the recovery partition was deleted during the Windows 7 ==> Windows 8 upgrade.

If someone with the ability could check the MBR it would be nice. Avast full scan and MBAM full scan are clean, TDSS scan is also.

The MBR.txt is the .dat that I converted; just tell me if you need the original .dat.

And I also got a HIDDEN FILE while scanning with aswMBR, but that was when I had used TDSSKiller before; if I rebooted it wouldn’t be tagged, so I guess it’s because TDSSKiller needs to monitor activity to scan loaded modules.

aswMBR does not recognise all MBR codes, which may be system specific. For a quicker check use:

[*] Download RogueKiller and save it on your desktop.

NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

[*] Quit all programs.
[*] Start RogueKiller.exe.
[*] Wait until Prescan has finished …
[*] Click on Scan.

https://dl.dropbox.com/u/73555776/RKScan.GIF

[*] Wait for the end of the scan.
[*] The report has been created on the desktop.

At the bottom of the log will be the MBR check:

¤¤¤ MBR Check: ¤¤¤

+++++ PhysicalDrive0: (\.\PHYSICALDRIVE0 @ IDE) WDC WD32 00AAKS-00L9A SCSI Disk Device +++++
— User —
[MBR] 7f49bc81355bbad677ff138725186beb
[BSP] 96cf44173edeaad590a5ad4015a90d7c : Windows Vista MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 305241 Mo
User = LL1 … OK!
Error reading LL2 MBR!
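As an added illustration (not part of any post in this thread, and not RogueKiller's own code), here is a small Python parser for what that section of the log reports: it hashes the boot code, decodes the partition table and checks the 0x55AA signature on a constructed 512-byte sector. Which exact byte range RogueKiller hashes for [BSP] is not documented here, so hashing the first 440 bytes is an assumption.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439 hold the boot code in a classic MBR (assumed hash range)
PT_OFFSET = 446       # four 16-byte partition entries follow
SIG_OFFSET = 510      # 0x55AA boot signature closes the sector
PTYPES = {0x07: "NTFS", 0x0c: "FAT32", 0xee: "GPT protective"}

def parse_mbr(sector: bytes) -> dict:
    """Hash the boot code and decode the partition table of one MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, PT_OFFSET + 16 * i)   # the 3x pads skip the CHS fields
        if ptype == 0:           # empty slot
            continue
        parts.append({"index": i, "active": status == 0x80,
                      "type": ptype, "fs": PTYPES.get(ptype, "unknown"),
                      "offset_sectors": lba,
                      "size_mb": count * SECTOR // (1024 * 1024)})  # the "Mo" column in the log
    return {"boot_code_md5": hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest(),
            "signature_ok": sector[SIG_OFFSET:] == b"\x55\xaa",
            "partitions": parts}

def render(report: dict) -> list:
    """Lay the result out the way the RogueKiller log section above does."""
    lines = ["[BSP] " + report["boot_code_md5"], "Partition table:"]
    for p in report["partitions"]:
        flag = "ACTIVE" if p["active"] else "XXXXXX"
        lines.append(f"{p['index']} - [{flag}] {p['fs']} (0x{p['type']:02x}) "
                     f"Offset (sectors): {p['offset_sectors']} | Size: {p['size_mb']} Mo")
    if not report["signature_ok"]:
        lines.append("WARNING: missing 0x55AA boot signature")
    return lines

def build_sample_mbr() -> bytes:
    """Constructed sample: stub boot code plus the two partitions from the log above."""
    code = b"\x33\xc0\x8e\xd0\xbc\x00\x7c".ljust(PT_OFFSET, b"\x00")  # xor ax,ax; mov ss,ax; mov sp,7c00
    pt = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 407552)          # 199 MiB system partition
    pt += struct.pack("<B3xB3xII", 0x00, 0x07, 409600, 976359424)    # 476738 MiB Windows partition
    return code + pt + bytes(32) + b"\x55\xaa"

if __name__ == "__main__":
    print("\n".join(render(parse_mbr(build_sample_mbr()))))
```

On a live system the same 512 bytes are the first sector of \\.\PhysicalDrive0 (Windows, run elevated) or of the raw disk device on Linux. A 0xEE protective entry means the disk is GPT, which is the UEFI case raised later in the thread.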

Here it is

¤¤¤ MBR Verif: ¤¤¤

+++++ PhysicalDrive0: ST9500420AS +++++
— User —
[MBR] 085ce9e64ed4642ff74ab627808e060a
[BSP] a10639ba10487568ee4dcbb2a2a204d0 : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 2048 | Size: 199 Mo
1 - [XXXXXX] NTFS (0x07) [VISIBLE] Offset (sectors): 409600 | Size: 476738 Mo

User = LL1 … OK!
User = LL2 … OK!

It also found two PUMs in the registry, but that’s all it found.
(I looked up those keys; they are harmless, and according to other people it’s nonsense that they are flagged.)

Added the RK log.

So does the MBR look good?

My friend originally sent me the laptop because, after the HP recovery with the CD, Avast flagged a file in an HP program (he had nothing else installed besides Avast and the programs that came with HP).

I told him it was probably a FP. He deleted everything to go to Windows 8, so I can’t upload the file to VirusTotal, but every scan report from many tools comes back clean (after the Windows 8 upgrade), so I guess it’s all good.

Hi,

Essex is in bed. Check back tomorrow.

MBR looks good… But, if the computer uses UEFI then the MBR is redundant :) http://www.extremetech.com/computing/96985-demystifying-uefi-the-long-overdue-bios-replacement

How can I know if it’s a BIOS or a UEFI?
The interface looks like a BIOS, and it’s an old HP Pavilion DV7 3800; how can I be sure? And if it’s a UEFI, is there an equivalent to MBR viruses?

As of yet there is no in-the-wild UEFI malware. Generally you will need a system that came with Windows 7 or better to have this functionality, so the more modern systems, probably less than 2-3 years old.