Confusion about MBR depending on whether a USB drive is connected

villandra

I'm not so sure I have a master boot record virus.

I discovered that I'm getting different results from my MBR and
rootkit malware scanners depending on whether the USB drive is plugged
into the computer and turned on. The output doesn't make any sense.

Can someone please help me make sense of it? Here is what I am
getting.

The output from my scans doesn't make any sense in terms of what is on
my system.

I have one internal hard drive (SATA), model WDC_WD3200AAKS. In Disk
Manager this is physical drive 0, with two logical partitions:
partition 1, drive E, the system root drive, with 40 GB, and partition
2, drive F, with 265 GB.

I have one USB drive, book style, which is sometimes connected and
sometimes isn't. When connected it is physical drive 1, with 74 GB.

There is no physical drive 2.

The computer boots normally, which is completely inconsistent with the
notion that the MBR on Disk 0 is unreadable, corrupt, or missing.

My major problem is that I recently had a fake AV, and though nothing
in particular appears to be wrong and nothing in the registry is
blocking it, Malwarebytes Anti-Malware selectively won't install
properly; in particular, its service never appears in the registry, nor
in the services.msc or msconfig services list. Six other anti-malware
programs and their services have installed correctly and run.

GMER, under Disk sectors, refers to \Device\Harddisk2\DR5 sector 00:
rootkit-like behavior.

Today the reference to rootkit-like behavior seems to have disappeared
from this statement. Sometimes the reference to Harddisk2\DR5
doesn't appear either.

I've no clue what Harddisk2\DR5 is. Online I found vague references
to USB whatevers, but Device Manager and Disk Manager cannot identify
DR5. I can't seem to find an IRQ number for it. Maybe SATA boards
don't have them.

GMER takes so long to run, and I'm having so much trouble running it,
that I haven't determined whether this reference goes away and comes
back depending on whether the USB drive is plugged into the computer
and turned on.

The MBR log reports, no matter whether the USB drive is connected or not:

Stealth MBR rootkit/Mebroot/Sinowal/TDL4 detector 0.4.2 by Gmer,
http://www.gmer.net
Windows 5.1.2600 Disk: HP______ rev.1.00 -> Harddisk2\DR5 -> \Device\00000097

device: opened successfully
user: error reading MBR
kernel: MBR read successfully
user != kernel MBR !!!

What even is Harddisk2\DR5?

Avast's aswMBR tool adds to the mystery.

If the USB drive is NOT connected to my machine, it reports:

17:11:11.593 Initialize success
17:11:11.640 AVAST engine defs: 12011601
17:11:24.875 Service scanning
17:11:25.671 Modules scanning
17:11:33.984 Disk 0 trace - called modules:
17:11:34.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:11:34.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a56eab8]
17:11:34.000 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a596f18]
17:11:34.000 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a585d98]
17:11:34.234 AVAST engine scan E:\
17:43:20.156 Scan finished successfully

I don't know if this means aswMBR didn't FIND a master boot record?

However, if the USB drive IS connected to my machine, it reports:

18:10:05.390 AVAST engine defs: 12011601
18:10:16.125 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:10:16.125 Disk 0 Vendor: WDC_WD3200AAKS-00V1A0 05.01D05 Size: 305245MB BusType: 3
18:10:16.125 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS b83d1f26
18:10:16.140 Disk 2 MBR read successfully
18:10:16.140 Disk 2 MBR scan
18:10:16.171 Disk 2 Windows XP default MBR code
18:10:16.171 Disk 2 MBR hidden
18:10:16.171 Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
18:10:16.171 Disk 2 Partition - 00 0F Extended LBA 265237 MB offset 81915435
18:10:16.171 Disk 2 Partition 2 00 07 HPFS/NTFS NTFS 265237 MB offset 81915498
18:10:16.250 Disk 2 scanning E:\WINDOWS\system32\drivers
18:10:42.828 Service scanning
18:10:43.609 Modules scanning
18:11:12.359 Disk 2 trace - called modules:

What is up with Disk 2? There is no Disk 2. The contents of Disk 2
correspond to what's really on Disk 0, partition 1 and partition 2.
However, it correctly recognized Disk 0 with the correct label WDC
WD3200AAKS.

The tool MBRCheck from keekstogo.com found:

298 GB Physical Drive 0 Windows XP MBR code detected (shown in green
to signify that it's fine)
74 GB Physical Drive 1 RE: Unknown MBR code.

Found nonstandard or infected MBR (restore MBR of a physical disk with
standard boot code).

Remember that there is no particular reason to expect the USB storage
device to have a Windows XP master boot record.

McAfee Stinger says: 2 master boot records, 0 possibly infected;
3 boot sectors, 0 possibly infected.

TDSSKiller, told to look for a file system not consistent with Windows
XP code, didn't find anything suspicious about my master boot record,
and didn't find anything else wrong.

More clues:

Avast aswMBR without the USB drive connected to the machine:

17:11:33.984 Disk 0 trace - called modules:
17:11:34.000 ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys pciide.sys PCIIDEX.SYS
17:11:34.000 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a56eab8]
17:11:34.000 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\0000006e[0x8a596f18]
17:11:34.000 5 ACPI.sys[b7f7f620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a585d98]

Avast aswMBR with the USB drive connected to the machine:

18:10:05.390 AVAST engine defs: 12011601
18:10:16.125 Disk 0 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3
18:10:16.125 Disk 0 Vendor: WDC_WD3200AAKS-00V1A0 05.01D05 Size: 305245MB BusType: 3
18:10:16.125 Device \Driver\usbstor -> DriverStartIo USBSTOR.SYS b83d1f26
18:10:16.140 Disk 2 MBR read successfully
18:10:16.140 Disk 2 MBR scan
18:10:16.171 Disk 2 Windows XP default MBR code
18:10:16.171 Disk 2 MBR hidden
18:10:16.171 Disk 2 Partition 1 80 (A) 07 HPFS/NTFS NTFS 39997 MB offset 63
18:10:16.171 Disk 2 Partition - 00 0F Extended LBA 265237 MB offset 81915435
18:10:16.171 Disk 2 Partition 2 00 07 HPFS/NTFS NTFS 265237 MB offset 81915498
18:10:16.250 Disk 2 scanning E:\WINDOWS\system32\drivers
18:10:42.828 Service scanning
18:10:43.609 Modules scanning
18:11:12.359 Disk 2 trace - called modules:
18:11:12.359 ntkrnlpa.exe CLASSPNP.SYS disk.sys hal.dll
18:11:12.359 1 nt!IofCallDriver -> \Device\Harddisk2\DR5[0x8939b2d8]

Notice the difference in what device 1 nt!IofCallDriver calls depending
on whether the USB storage device is connected. It looks as if
\Device\Harddisk2\DR5 may be the USB drive, unless it's the hard drive
if and only if the USB drive is connected.

At least when the USB drive isn't connected, the hard drive appears to
be \Device\Harddisk0\DR0 (0x8a56eab8).

Allegedly the Harddisk# comes from the physical disk number, and the
DR# comes from the partition, which once again makes no sense; there
aren’t 5 partitions, and there still isn’t a physical disk 2.




Speaking of other things wrong, aswMBR was finding "Service WRKrn
E:\Windows\System32\drivers\WRkrn.sys **LOCKED** 32", but that line did
not appear on either of two scans run today. I cannot get Google to
bring up any explanation of what that line means.

Repeated scans with rootkit removal tools and antivirus programs that
are reasonably good at detecting rootkits have not found any. You
yourself demonstrated on your web site that that doesn’t mean there
isn’t a rootkit, nor that the master boot record is not infected.



No one on the forums who has helped me has found anything in particular
wrong with my running processes, and nothing in the registry refers to
Malwarebytes Anti-Malware. I even removed the Legacy entries. Some of
the scans found possible other problems in my registry, but no one would
specifically look at them, because they wanted ComboFix to permanently
disable my computer instead. That approach certainly saves them a
lot of time. I'll reinstall my system before I do anything as
idiotic as running ComboFix.

I'd really appreciate it if you can make sense out of what is going on
with my master boot record. I do not want to overwrite my master
boot record unnecessarily. I want to make sure it's necessary before
I risk having to reinstall my system.
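Added example (an editor's note, not from any participant in this thread): the partition lines in the aswMBR "Disk 2" output are a straight decode of the 64-byte partition table at byte 446 of sector 0, and the "Windows XP default MBR code" / "Unknown MBR code" verdicts from aswMBR and MBRCheck come from classifying the 440 bytes of boot code that precede it. The script below rebuilds that layout as a constructed sample (same LBA offsets and sizes as the Disk 2 lines, but a filler byte pattern in place of boot code and a made-up disk signature), decodes it in the column order the tools print, and follows the Extended LBA entry at 81915435 to its EBR, which is where the 81915498 offset of "Partition 2" comes from: the logical NTFS volume starts 63 sectors into the extended container. It also hashes the boot-code region so a copy taken while the disk is known good can be compared with later reads; the baseline set handed to analyze() is the caller's own, not a list of genuine XP boot-code hashes. Only read_sector0() touches a real disk; on Windows it needs an administrator prompt and a path such as \\.\PhysicalDrive0.

```python
"""Decode an MBR the way aswMBR / MBRCheck report it: 55AA check, partition
table, EBR chain for logical volumes, and a hash of the 440-byte boot code.
Added example for this thread; the sample sectors are constructed to match
the aswMBR 'Disk 2' layout and use filler bytes, NOT real XP boot code."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: the region tools classify as "XP MBR code"
DISK_SIG_OFF = 440             # 4-byte NT disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, LBA count
BOOT_SIG_OFF = 510             # must hold 55 AA
MB = 1024 * 1024
PART_TYPES = {0x00: "Empty", 0x05: "Extended", 0x07: "HPFS/NTFS", 0x0B: "FAT32",
              0x0C: "FAT32 LBA", 0x0F: "Extended LBA", 0x83: "Linux", 0xEE: "GPT protective"}
EXTENDED_TYPES = {0x05, 0x0F}

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region; record it while the disk is known good."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def parse_table(sector: bytes) -> dict:
    """Decode one MBR or EBR sector. LBA starts are returned as stored: absolute
    in the MBR, relative in an EBR (callers add the base)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    parts = []
    for idx in range(4):
        status, _chs_s, ptype, _chs_e, start, count = struct.unpack_from(
            PART_ENTRY_FMT, sector, PART_TABLE_OFF + 16 * idx)
        if ptype == 0 and count == 0:
            continue                                    # unused slot
        parts.append({"index": idx + 1, "status": status, "bootable": status == 0x80,
                      "type": ptype, "type_name": PART_TYPES.get(ptype, "Unknown"),
                      "lba_start": start, "lba_count": count,
                      "size_mb": round(count * SECTOR_SIZE / MB)})
    return {"boot_sig_ok": sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == b"\x55\xaa",
            "disk_signature": struct.unpack_from("<I", sector, DISK_SIG_OFF)[0],
            "boot_code_sha256": boot_code_hash(sector), "partitions": parts}

def logical_partitions(mbr: dict, read_sector) -> list:
    """Follow the EBR chain of each Extended / Extended LBA entry.
    read_sector(lba) must return the 512 bytes at that absolute LBA."""
    found, seen = [], set()
    for p in mbr["partitions"]:
        if p["type"] not in EXTENDED_TYPES:
            continue
        container, ebr_lba = p["lba_start"], p["lba_start"]
        while ebr_lba and ebr_lba not in seen:          # guard against a looping chain
            seen.add(ebr_lba)
            ebr = parse_table(read_sector(ebr_lba))
            vol = next((e for e in ebr["partitions"] if e["index"] == 1), None)
            if vol:                                     # entry 1: this volume, relative to this EBR
                found.append(dict(vol, lba_start=ebr_lba + vol["lba_start"]))
            nxt = next((e for e in ebr["partitions"] if e["index"] == 2), None)
            ebr_lba = container + nxt["lba_start"] if nxt else 0   # entry 2: next EBR, relative to container
    return found

def format_like_aswmbr(parts: list) -> list:
    """Render entries in the column order aswMBR prints them."""
    return [f"Partition {p['index']} {p['status']:02X} {'(A)' if p['bootable'] else '   '} "
            f"{p['type']:02X} {p['type_name']:<12} {p['size_mb']:>7} MB offset {p['lba_start']}"
            for p in parts]

def analyze(sectors: dict, baseline_hashes=frozenset()) -> dict:
    """Report on a {lba: bytes} disk; baseline_hashes are the caller's known-good boot-code hashes."""
    mbr = parse_table(sectors[0])
    return {"boot_sig_ok": mbr["boot_sig_ok"],
            "boot_code_known": mbr["boot_code_sha256"] in baseline_hashes,
            "primary": mbr["partitions"],
            "logical": logical_partitions(mbr, lambda lba: sectors[lba])}

def read_sector0(device_path: str) -> bytes:
    r"""Read sector 0 of a real disk: \\.\PhysicalDrive0 on Windows (administrator
    prompt) or /dev/sda on Linux (root). Not used by the constructed sample."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)

def _entry(status: int, ptype: int, start: int, count: int) -> bytes:
    return struct.pack(PART_ENTRY_FMT, status, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)

def build_sample_disk() -> dict:
    """Constructed sample: NTFS 39997 MB at LBA 63, Extended LBA 265237 MB at
    81915435 whose EBR holds a logical NTFS volume 63 sectors in (=> 81915498).
    Boot code is a filler byte pattern and the disk signature is made up."""
    ext_start, ext_count = 81915435, 265237 * MB // SECTOR_SIZE
    mbr = bytearray(SECTOR_SIZE)
    mbr[:BOOT_CODE_LEN] = bytes(range(256)) + bytes(range(184))
    struct.pack_into("<I", mbr, DISK_SIG_OFF, 0x12345678)
    mbr[PART_TABLE_OFF:PART_TABLE_OFF + 32] = (_entry(0x80, 0x07, 63, 39997 * MB // SECTOR_SIZE)
                                               + _entry(0x00, 0x0F, ext_start, ext_count))
    mbr[BOOT_SIG_OFF:] = b"\x55\xaa"
    ebr = bytearray(SECTOR_SIZE)
    ebr[PART_TABLE_OFF:PART_TABLE_OFF + 16] = _entry(0x00, 0x07, 63, ext_count - 63)
    ebr[BOOT_SIG_OFF:] = b"\x55\xaa"
    return {0: bytes(mbr), ext_start: bytes(ebr)}

if __name__ == "__main__":
    disk = build_sample_disk()
    report = analyze(disk, baseline_hashes={boot_code_hash(disk[0])})
    print("55AA signature:", report["boot_sig_ok"], "| boot code in baseline:", report["boot_code_known"])
    print("\n".join(format_like_aswmbr(report["primary"] + report["logical"])))
```

To apply this to the drives in the thread, run parse_table(read_sector0(r"\\.\PhysicalDrive0")) and the same for PhysicalDrive1 from an administrator prompt and compare the partition lists with what Disk Management shows for each disk. Two points worth keeping in mind when reading the results. First, in a name like \Device\Harddisk2\DR5 the number after DR is a running count of disk device objects Windows has created since boot (each USB plug consumes one), not a partition count, so DR5 on a two-disk machine does not imply five partitions. Second, GMER's "user != kernel MBR" line is about exactly the read this script performs: a read through \\.\PhysicalDriveN on the live system passes through the same driver stack a bootkit hooks, so the read that settles the question is one taken offline (the disk attached to another machine, or the same machine booted from rescue media), hashed with boot_code_hash() and compared against the live read.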
 
villandra said: "I'm not so sure I have a master boot record virus."

You are all over the place with this. You should have stayed with the assistance in the
Malwarebytes' forum. Nope, you have to do it your way.

Good luck with your pseudo "virus".
 
Dave, I'm not aware of having gotten any advice on the Malwarebytes
forum.

Dora
 