Unkown MBRs: PhysicalDrive0

Hi there

I recently ran the Spybot Rootkit scan and it picked up the following:

Master Boot Records

1 MBRs checked.
Unkown MBRs: PhysicalDrive0
PhysicalDrive0

I’ve run TDSSKiller and RogueKiller but I’m still getting the same warning from Spybot. I ran aswMBR and it identifies the above error.

aswMBR version 0.9.9.1707 Copyright(c) 2011 AVAST Software
Run date: 2013-02-24 15:25:25

15:25:25.210 OS Version: Windows x64 6.1.7601 Service Pack 1
15:25:25.210 Number of processors: 4 586 0x2A07
15:25:25.210 ComputerName: DAVID-PC UserName: David
15:25:27.425 Initialize success
15:25:27.643 AVAST engine defs: 13022400
15:25:34.102 Disk 0 (boot) \Device\Harddisk0\DR0 → \Device\Ide\IAAStorageDevice-1
15:25:34.102 Disk 0 Vendor: SAMSUNG_ 2AR1 Size: 953869MB BusType: 3
15:25:34.133 Disk 0 MBR read successfully
15:25:34.148 Disk 0 MBR scan
15:25:34.148 Disk 0 unknown MBR code
15:25:34.164 Disk 0 Partition 1 80 (A) 07 HPFS/NTFS NTFS 100 MB offset 2048
15:25:34.180 Disk 0 Partition 2 00 07 HPFS/NTFS NTFS 804864 MB offset 206848
15:25:34.195 Disk 0 Partition - 00 0F Extended LBA 128282 MB offset 1648568320
15:25:34.226 Disk 0 Partition 3 00 27 Hidden NTFS WinRE NTFS 20622 MB offset 1911289856
15:25:34.351 Disk 0 Partition 4 00 07 HPFS/NTFS NTFS 128281 MB offset 1648570368
15:25:34.398 Disk 0 scanning C:\windows\system32\drivers
15:25:44.402 Service scanning
15:26:06.101 Modules scanning
15:26:06.116 Disk 0 trace - called modules:
15:26:06.163 ntoskrnl.exe CLASSPNP.SYS disk.sys iaStor.sys hal.dll
15:26:06.179 1 nt!IofCallDriver → \Device\Harddisk0\DR0[0xfffffa80077ba060]
15:26:06.194 3 CLASSPNP.SYS[fffff8800120143f] → nt!IofCallDriver → \Device\Ide\IAAStorageDevice-1[0xfffffa800751f050]
15:26:07.707 AVAST engine scan C:\windows
15:26:11.139 AVAST engine scan C:\windows\system32
15:28:40.030 Disk 0 MBR has been saved successfully to “C:\Users\David\Desktop\MBR.dat”
15:28:40.062 The log file has been saved successfully to “C:\Users\David\Desktop\aswMBR.txt”
15:28:57.401 AVAST engine scan C:\windows\system32\drivers
15:29:11.285 AVAST engine scan C:\Users\David
15:30:44.342 Disk 0 MBR has been saved successfully to “C:\Users\David\Desktop\MBR.dat”
15:30:44.358 The log file has been saved successfully to “C:\Users\David\Desktop\aswMBR.txt”

The thing is, even though it hasn’t been highlighted as a rootkit by the above programs, I’m still worried it is, as someone else has also had a similar problem to mine, not too long ago.

http://forum.avast.com/index.php?topic=96313.15

I have outputted the MBR.dat to my desktop, but do not know how to open it to see if it is connecting to dodgy websites/stealing data. I’m at the end of the road with it as I have followed recommended procedures and it is still not resolved.

Any help would be greatly appreciated.

Hey and welcome to the forum. I suggest you follow this guide and let a malware expert have a look at your computer.

http://forum.avast.com/index.php?topic=53253.0

Hi Mikael

Thanks for your reply.

I’ve done my best to ensure I conform to the forum requirements for such problems. Hopefully someone will be able to help!! Please note Malwarebytes did not find any infected items, hence why I have not included the log. Any assistance would be appreciated.

There is a similar thread which is here http://forum.avast.com/index.php?topic=96313.0.

I also checked my IP address to see if it has been used for spam/botnet via DNS blacklist (http://www.dnsbl.info/dnsbl-database-check.php) and my IP address is down as blacklisted in the Barracuda database http://barracudacentral.org/data/spam.

But needless to say I am out of my depth really when it comes to all this. Hopefully someone can help me out. Files are attached but I will add the RogueKiller logs in an additional message.

Thanks

The last of the logs attached (RogueKiller logs).

Hey again, thank you for attaching the necessary logs. Now we wait for a malware expert to check those logs and help you from there.

Hi, it is a system-specific MBR that AswMBR does not recognise, but it is not saying it is bad. RogueKiller knows a lot more tattoos than either Spybot or AswMBR and it has reported this: KIWI Image system MBR Code.

Otherwise the system looks clean.

Thanks Essexboy for your reply,

Pardon my ignorance / lack of knowledge, what IS KIWI Image system MBR Code? From what you can see from the logs, then, would you say the system is clean, or do I need to try and get it resolved?

Thanks
David

KIWI MBR is used as part of a Linux distribution system, so either you have had Linux on the system before or the computer manufacturer used the Linux system to install Windows.
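
On the question earlier in the thread of how to open the saved MBR.dat: the following is an added example, not posted by anyone in this thread and not part of any of the tools mentioned. It reads a 512-byte MBR dump, checks the boot signature, decodes the partition table and hashes the boot code area; the function names are hypothetical, and the sample sector is constructed from the partition values in the aswMBR log above with zero bytes standing in for the boot code.

```python
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440   # bytes 0..439 hold boot code; the per-disk signature follows
TABLE_OFFSET = 446    # four 16-byte partition entries start here
TYPES = {0x07: "HPFS/NTFS", 0x0F: "Extended LBA", 0x27: "Hidden NTFS WinRE"}
ENTRY = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA, count

def parse_mbr(sector: bytes) -> dict:
    """Decode a 512-byte MBR dump; the bytes are only read, never executed."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        raw = sector[TABLE_OFFSET + 16 * i: TABLE_OFFSET + 16 * (i + 1)]
        status, ptype, lba, count = struct.unpack(ENTRY, raw)
        if ptype == 0:          # type 0 marks an unused slot
            continue
        parts.append({"slot": i + 1, "active": status == 0x80,
                      "type": TYPES.get(ptype, f"0x{ptype:02X}"),
                      "offset": lba, "size_mb": count * SECTOR // 2**20})
    # Hash only the boot code so the value is comparable between disks.
    digest = hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()
    return {"boot_code_sha256": digest, "partitions": parts}

def sample_mbr() -> bytes:
    """Constructed sample: partition rows taken from the aswMBR log, boot code zeroed."""
    rows = [(0x80, 0x07, 2048, 204800),
            (0x00, 0x07, 206848, 1648361472),
            (0x00, 0x0F, 1648568320, 262721536),
            (0x00, 0x27, 1911289856, 42233856)]
    table = b"".join(struct.pack(ENTRY, *row) for row in rows)
    return bytes(TABLE_OFFSET) + table + b"\x55\xaa"

if __name__ == "__main__":
    # Pass the path to a real dump (e.g. MBR.dat) or run without arguments for the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_mbr()
    result = parse_mbr(data)
    print("boot code SHA-256:", result["boot_code_sha256"])
    for p in result["partitions"]:
        print(p)
```

The output shows layout and a fingerprint only; it does not classify the boot code as good or bad, which is why a scanner that lacks a matching signature reports it as unknown.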