question about scanning MBR for viruses (T42)
I have reason to believe my T42 is infected with a virus even though my antivirus s/w and a couple of other malware detection tools find nothing. So I posted in one of the tech help forums (majorgeek.com) and ran their suite of detection tools. Nothing detected by their scans either.
However, the moderator noted that the reports show MBR as "unknown", which typically means the MBR has been customized by the OEM or a 3rd party app. Essentially, the tools can't detect an infection in a non-standard MBR. Since I have pretty strong evidence that the computer is infected, I'm working under the assumption that my MBR has a rootkit type infection.
So my question is whether the MBR on this series (T42) is indeed customized in a way that would explain the "unknown" scan result? If so, does anyone know of a diagnostic tool that can scan the MBR for infections?
RealBlackStuff
- Admin
- Posts: 17500
- Joined: Mon Sep 18, 2006 5:17 am
- Location: Mt. Cobb, PA USA
Re: question about scanning MBR for viruses (T42)
The best one I know of is TDSS-Killer: https://support.kaspersky.com/viruses/disinfection/5350
Lovely day for a Guinness! (The Real Black Stuff)
Check out The Boardroom for Parts, Mods and Other Services.
Re: question about scanning MBR for viruses (T42)
Thanks for the reply. As it turns out, TDSS-Killer was among the suite of tools I ran. Here are relevant sections from the log that relate to MBR:
============================================================
\Device\Harddisk0\DR0:
MBR partitions:
\Device\Harddisk0\DR0\Partition1: MBR, Type 0x7, StartLBA 0x3F, BlocksNum 0x5B9F2E1
\Device\Harddisk0\DR0\Partition2: MBR, Type 0x7, StartLBA 0x5B9F35F, BlocksNum 0x30B1DD1
============================================================
E: <-> \Device\Harddisk0\DR0\Partition2
C: <-> \Device\Harddisk0\DR0\Partition1
================ Scan MBR ==================================
[ B25761579658CF370E5059AE7EC2A09F ] \Device\Harddisk0\DR0
\Device\Harddisk0\DR0 - ok
================ Scan VBR ==================================
[ 6346C11DAB93F2DFA3F2D3D31DD2429E ] \Device\Harddisk0\DR0\Partition1
\Device\Harddisk0\DR0\Partition1 - ok
[ 492EF4F2AE7A630D5D6E0D8B8746D166 ] \Device\Harddisk0\DR0\Partition2
\Device\Harddisk0\DR0\Partition2 - ok
============================================================
As you can see, TDSSKiller checked two partitions corresponding to drive letters C: and E: (drive E: is one I created).
The software that detected the unknown partition was RogueKiller. Here's the pertinent section from RKreport...
============================================================
+++++ PhysicalDrive0: (\\.\PHYSICALDRIVE0 @ IDE) HTS548080M9AT00 +++++
--- User ---
[MBR] 6bafe8d9ca3c41604a90abba34690721
[BSP] 39a337d10634c45633af4399c7262366 : MBR Code unknown
Partition table:
0 - [ACTIVE] NTFS (0x07) [VISIBLE] Offset (sectors): 63 | Size: 46910 Mo
1 - [XXXXXX] COMPAQ (0x12) [VISIBLE] Offset (sectors): 147132720 | Size: 4473 Mo
2 - [XXXXXX] EXTEN (0x05) [VISIBLE] Offset (sectors): 96072480 | Size: 24931 Mo
============================================================
Partitions 0 and 2 correspond with drive C and E, respectively, as evidenced by offset sectors (they correspond with the StartLBAs listed in the TDSS-Killer MBR report). So it's clear that TDSS-Killer ignored the recovery partition, and RogueKiller only reports it as 'unknown MBR code'.
I think this means I still don't know for sure if there's a rootkit infection. I'm tempted to just delete the recovery partition and enlarge one of the other partitions. After 9 years, I doubt seriously I'd ever rely on it.
ajkula66
- SuperUserGeorge
- Posts: 15736
- Joined: Sun Feb 25, 2007 11:28 am
- Location: Brodheadsville, Pennsylvania
Re: question about scanning MBR for viruses (T42)
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)
Cheers,
George (your grouchy retired FlexView farmer)
AARP club members:A31p, T43pSF
Abused daily: R61
PMs requesting personal tech support will be ignored.
RealBlackStuff
- Admin
- Posts: 17500
- Joined: Mon Sep 18, 2006 5:17 am
- Location: Mt. Cobb, PA USA
Re: question about scanning MBR for viruses (T42)
After having seen your report, you can rest assured that your T42 has no infection whatsoever.
The MBR is a proprietary OEM version (Compaq in your case), which was 'created' when the OS was first installed on that HD (or cloned from another HD).
The 'standard' MBR is/was modified by the OEM to integrate the (normally invisible) recovery partition.
Probably you have your Folder Options/View set to NOT show hidden and system files, otherwise you would have seen that Recovery partition in Windows Explorer.
If it's positioned at the end of your HD, you can delete it and extend the partition before it.
Since that recovery partition came from Compaq, the HD probably also came from a Compaq.
That recovery would thus be useless anyway...
Lovely day for a Guinness! (The Real Black Stuff)
Check out The Boardroom for Parts, Mods and Other Services.
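The two scanner logs earlier in the thread and RealBlackStuff's explanation of an OEM-modified MBR can be checked by hand. The script below is an added example written for this page; it is not code from the thread, from Kaspersky's TDSSKiller or from RogueKiller. It builds a 512-byte MBR from the partition geometry those logs report (start LBAs from RogueKiller, sector counts from TDSSKiller's BlocksNum values; the sector count of the Compaq slot is derived from its reported 4473 MiB and is a constructed value), decodes the partition table, checks the layout for overlapping entries, maps TDSSKiller's Partition2 StartLBA 0x5B9F35F into the extended slot, and hashes the 440-byte boot code area. The whitelist-of-hashes classification is an assumption about how such tools arrive at "MBR Code unknown": a boot loader the tool has never seen, such as an OEM variant, is reported as unknown rather than as infected.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 440            # boot code area that precedes the disk signature
TABLE_OFFSET = 446             # four 16-byte partition entries start here
ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xAA"

# Type bytes that appear in the RogueKiller report in the thread.
PARTITION_TYPES = {0x05: "Extended", 0x07: "NTFS", 0x12: "Compaq diagnostics/recovery"}

# Partition table reconstructed from the two logs: (status, type, start LBA, sectors).
# Counts for slots 0 and 2 follow from the TDSSKiller BlocksNum values and the
# RogueKiller offsets; the Compaq slot's count is a constructed value from its size.
SAMPLE_ENTRIES = [
    (0x80, 0x07, 63,        0x5B9F2E1),   # C:, ends exactly at 96072480
    (0x00, 0x12, 147132720, 4473 * 2048), # Compaq recovery partition
    (0x00, 0x05, 96072480,  51060240),    # extended container holding E:
]

def build_sample_mbr(entries, boot_code=b"\xEB\xFE"):
    """Assemble a 512-byte MBR from (status, type, start_lba, sectors) tuples.
    Constructed for demonstration: the boot code is a placeholder, not an OEM
    loader, and the CHS fields carry the 0xFE 0xFF 0xFF 'use LBA' marker."""
    sector = bytearray(SECTOR)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    for i, (status, ptype, start, count) in enumerate(entries):
        off = TABLE_OFFSET + i * ENTRY_LEN
        sector[off:off + ENTRY_LEN] = struct.pack(
            "<B3sB3sII", status, b"\xFE\xFF\xFF", ptype, b"\xFE\xFF\xFF", start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

def parse_mbr(sector):
    """Decode the four primary slots; empty slots (type 0) are skipped."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        off = TABLE_OFFSET + i * ENTRY_LEN
        status, _chs0, ptype, _chs1, start, count = struct.unpack(
            "<B3sB3sII", sector[off:off + ENTRY_LEN])
        if ptype == 0:
            continue
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "type_name": PARTITION_TYPES.get(ptype, "unknown"),
                      "start_lba": start, "end_lba": start + count,
                      "size_mib": count * SECTOR // (1024 * 1024)})
    return parts

def boot_code_hash(sector):
    """Assumption: scanners hash the boot code area and compare it with a whitelist
    of known loaders (Windows, GRUB, OEM variants); anything else is 'unknown'."""
    return hashlib.md5(sector[:BOOT_CODE_LEN]).hexdigest()

def classify_boot_code(sector, known_hashes):
    return known_hashes.get(boot_code_hash(sector), "MBR Code unknown")

def check_layout(parts):
    """Overlapping primary entries are a red flag; a hidden OEM slot alone is not."""
    issues = []
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end_lba"] > b["start_lba"]:
            issues.append(f"slot {a['index']} overlaps slot {b['index']}")
    return issues

def slot_containing(parts, lba):
    """Which primary slot an LBA falls in (e.g. a TDSSKiller StartLBA)."""
    for p in parts:
        if p["start_lba"] <= lba < p["end_lba"]:
            return p["index"]
    return None

if __name__ == "__main__":
    mbr = build_sample_mbr(SAMPLE_ENTRIES)
    parts = parse_mbr(mbr)
    for p in parts:
        print(p)
    print("boot code:", classify_boot_code(mbr, {}))
    print("layout issues:", check_layout(parts))
    # TDSSKiller's Partition2 StartLBA is 63 sectors into the extended slot
    print("0x5B9F35F lies in slot", slot_containing(parts, 0x5B9F35F))
```

Run against the thread's numbers, the decoded sizes come out as 46910, 4473 and 24931 MiB, matching the RogueKiller "Mo" column, C: ends exactly where the extended container begins, and the logical volume TDSSKiller calls Partition2 starts one 63-sector track inside that container. A layout that is internally consistent like this, with a boot loader the scanner simply has not catalogued, is what an OEM recovery setup looks like; an overlapping or out-of-range entry, or a boot code hash that changes between scans with no OS update in between, would be the thing worth chasing.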
Re: question about scanning MBR for viruses (T42)
Thanks for the reply. I have pretty strong circumstantial evidence of an infection. Perhaps you can make sense of this...
The T42 belongs to my wife. A couple of weeks ago I received a spam email from her. Her computer was off at the time and the originating IP address was in Asia. She uses Outlook Express to access email (AOL) rather than AOL webmail. When I checked her Inbox, it contained nearly a dozen delivery failure notices, all associated with email addys from her address book. Although most were simply outdated addresses, a couple were returned due to typos in the domain (e.g., hotnail.com). This means the perpetrator must have had access to her address book, either from OE or AOL's online contact list (I just discovered her online contact list was automatically populated from OE's address book).
Naturally we immediately changed her password. Two days later I received another spam message from her, same MO, and the same batch of delivery failure notices arrived in her Inbox plus several 'heads-up' emails from friends. What I can't get past is how a hacker could learn her new p/w so quickly other than having a script installed on her PC. This time, I reset her p/w on my system and did not store in OE. That was two weeks ago, and no further attacks since then. Circumstantial, yes, but pretty strong evidence of an infection.
While it's possible to spoof messages to appear to be sent from an AOL address without using AOL servers, in this case the routing entries appear legit. I contacted a spoofing expert in the UK I happen to know and he said the routing entries were not spoofed. He said there will always be legitimate routing entries downstream of a spoofed entry since there's no way the spoofer can prevent downstream servers from adding their routing entries. In this case, the message I received had only two routing entries, the outgoing AOL webmail server and the receiving AOL mail server (since my address is also @AOL). As he explained it, if the outgoing entry had been spoofed, the hand-off IP addresses (between the two entries) would not match. So he's convinced the spammer used AOL webmail with a p/w. But even if he's mistaken, there can be no doubt the spammer has her address book, which would either have required a p/w or a script on her PC.
I know that spammers sometimes harvest emails from email distribution lists stored on a 3rd party computer that's infected. However, my wife never, and I mean never, sends emails to multiple recipients. She doesn't even know how. And she has never accessed her email through another computer. Nor does she have a smart phone.
The problem is, I can't find anything nefarious on her computer. I also tried the MalwareBytes Anti-Rootkit scanner (beta) suggested above by ajkula66.
I can only think of the following explanations, however unlikely...
a) the script erased itself after I changed p/w the first time but before I started running scans a week later, or
b) the perpetrator hacked AOL's servers, or
c) the perpetrator can copy files from a target computer without having installed a local script
Thoughts?
Last edited by ginahoy on Sun Mar 16, 2014 10:52 pm, edited 1 time in total.
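The hand-off check described in the post above (each Received: entry stamped by a trusted server records the address that actually connected, and must agree with the next-older entry's "by" host) can be written down. The following is an added example for this page, not code from the thread or from any mail provider; the hostnames, IP addresses (RFC 5737 documentation ranges), the list of known relay addresses and both sample messages are constructed. A real investigation would replace KNOWN_RELAYS with the provider's published outbound addresses or a DNS lookup.

```python
import re
from email import message_from_string

# Constructed trust model: we trust headers stamped by the provider's own servers,
# and we assume these are the provider's relay addresses (stand-ins, not real ones).
TRUSTED_SUFFIX = ".provider.example"
KNOWN_RELAYS = {
    "webmail.provider.example": {"203.0.113.10"},
    "omr.provider.example": {"203.0.113.20"},
}

# Constructed message 1: a genuine two-hop path, webmail -> outbound relay -> inbound MX.
LEGIT_MESSAGE = """\
Received: from omr.provider.example (omr.provider.example [203.0.113.20])
        by mtain.provider.example with ESMTP id 2aX0; Sun, 16 Mar 2014 10:52:00 -0400
Received: from webmail.provider.example (webmail.provider.example [203.0.113.10])
        by omr.provider.example with ESMTP id 9bQ3; Sun, 16 Mar 2014 10:51:58 -0400
From: user@provider.example
To: other@provider.example
Subject: hello

body
"""

# Constructed message 2: a sender at 198.51.100.7 connected straight to the inbound
# MX, announced itself as the outbound relay, and pre-pended a forged second hop.
# The inbound MX still recorded the real connecting address in brackets.
SPOOFED_MESSAGE = """\
Received: from omr.provider.example (unknown [198.51.100.7])
        by mtain.provider.example with ESMTP id 7cZ1; Sun, 16 Mar 2014 11:03:00 -0400
Received: from webmail.provider.example (webmail.provider.example [203.0.113.10])
        by omr.provider.example with ESMTP id 1dK8; Sun, 16 Mar 2014 11:02:58 -0400
From: user@provider.example
To: other@provider.example
Subject: hello again

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")
IP_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]")

def parse_received(raw_message):
    """Return hops newest-first: the HELO name the sender announced, the IP the
    receiving server actually saw, and the receiving server ('by')."""
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())       # unfold continuation lines
        m = RECEIVED_RE.search(text)
        if not m:
            continue
        ip = IP_RE.search(m.group("info") or "")
        hops.append({"from": m.group("helo"), "ip": ip.group("ip") if ip else None,
                     "by": m.group("by")})
    return hops

def verify_chain(hops, trusted_suffix=TRUSTED_SUFFIX, known_relays=KNOWN_RELAYS):
    """Walk from the newest hop downward. Stop at the first hop that is not stamped
    by a trusted server, whose claimed sending host does not match the address the
    trusted server saw, or whose 'from' disagrees with the next header's 'by'.
    Returns (verified_hops, findings, entry_ip); entry_ip is the last address a
    trusted server logged, i.e. where the message really entered the network."""
    findings, verified, entry_ip = [], 0, None
    for i, hop in enumerate(hops):
        if not hop["by"].endswith(trusted_suffix):
            findings.append(f"hop {i}: stamped by {hop['by']}, outside {trusted_suffix}")
            break
        entry_ip = hop["ip"]
        if hop["from"].endswith(trusted_suffix) and \
                hop["ip"] not in known_relays.get(hop["from"], set()):
            findings.append(f"hop {i}: {hop['by']} saw {hop['ip']} claiming to be "
                            f"{hop['from']}; hand-off IP does not match")
            break
        if i + 1 < len(hops) and hop["from"] != hops[i + 1]["by"]:
            findings.append(f"hop {i}: received from {hop['from']} but the next header "
                            f"says {hops[i + 1]['by']} relayed it")
            break
        verified += 1
    return verified, findings, entry_ip

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT_MESSAGE), ("spoofed", SPOOFED_MESSAGE)):
        print(label, verify_chain(parse_received(raw)))
```

For the genuine message both hops verify and the entry point is the webmail server, which is the situation the post describes: the message really was submitted through the provider's webmail, so a valid login was used. For the forged message verification stops at the first hop, and the entry point is the outside address the inbound server logged, regardless of what the lower, forged header claims.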
Re: question about scanning MBR for viruses (T42)
I've had good luck with ESET scanner, free to
ajkula66
- SuperUserGeorge
- Posts: 15736
- Joined: Sun Feb 25, 2007 11:28 am
- Location: Brodheadsville, Pennsylvania
Re: question about scanning MBR for viruses (T42)
ginahoy wrote:
Thoughts?
While I don't trust AOL servers much if at all and have experienced a variety of issues with them - including hacking - over the past decade, I'd save all important documents/files and wipe the drive, then perform a clean install.
That's the only way you'll know that you're safe IMO.
...Knowledge is a deadly friend when no one sets the rules...(King Crimson)
Cheers,
George (your grouchy retired FlexView farmer)
AARP club members:A31p, T43pSF
Abused daily: R61
PMs requesting personal tech support will be ignored.
RealBlackStuff
- Admin
- Posts: 17500
- Joined: Mon Sep 18, 2006 5:17 am
- Location: Mt. Cobb, PA USA
Re: question about scanning MBR for viruses (T42)
Out of curiosity: where did the T42 hard disk come from?
Transplant from a Compaq machine?
Is there maybe a Compaq in the house, on your home network?
Had a visitor recently with a Compaq?
Maybe someone left you a keylogger?
I agree with George: save what you need and wipe the rest, doing a fresh install.
Lovely day for a Guinness! (The Real Black Stuff)
Check out The Boardroom for Parts, Mods and Other Services.
Re: question about scanning MBR for viruses (T42)
Wiping the drive is a bit draconian given the circumstances. If there's (still) an infection, it's been neutered by removing stored p/w from Outlook Express. The hacker still has the address book, and if they're spoofing AOL or can hack the AOL servers, there's nothing I can do anyway. Putting my hands on all the software to do a clean install would be a major headache I don't need.
Over the years, I've completely rebuilt the computer, including the CPU, main board and screen. The HDD is the only thing still original. It's a Hitachi HTS548080M9AT00. I purchased the Thinkpad from an ex-IBM employee who used to buy retired models from the company and refurbish for resale. He may have changed the HDD but I don't know why he would do that.
A keylogger was my initial thought. The question is how to detect and remove.
RealBlackStuff
- Admin
- Posts: 17500
- Joined: Mon Sep 18, 2006 5:17 am
- Location: Mt. Cobb, PA USA
Re: question about scanning MBR for viruses (T42)
Did you run Antimalwarebytes, as suggested above?
You might also consider dumping OE for e.g. Thunderbird.
Lovely day for a Guinness! (The Real Black Stuff)
Check out The Boardroom for Parts, Mods and Other Services.
Re: question about scanning MBR for viruses (T42)
Yes, I used both MalwareBytes and the beta MB Anti-Rootkit scanner.
I use TB on my system. I tried to get the wife to switch but she uses email so rarely she's not inclined to learn a new program. She's what you might refer to as technically challenged. In any case, I'm less concerned about future problems than trying to get a positive ID on the manner of compromise that led to the previous problem.