MBR hash unrecognized/faked

Discussion in 'Hardware' started by rustysavage, Dec 10, 2013.

  1. rustysavage

    rustysavage Sergeant Major

    OK, first the necessary system info:

    Tweaking.com - System Information v1.0.2
    -------------------------------------------------------------
    1. Operating System
    -------------------------------------------------------------
    Microsoft Windows 7 Home Premium (64-bit) 6.1.7601 Service Pack 1
    -------------------------------------------------------------
    2. Computer System (Detail Level: Basic) Start
    -------------------------------------------------------------
    Bootup State: Normal boot
    Caption: OWNER-HP
    Workgroup: WORKGROUP
    Domain: WORKGROUP
    Part Of Domain: False
    Domain Role: 0 - Standalone Workstation
    Manufacturer: Hewlett-Packard
    Model: p6774y
    Name: OWNER-HP
    Number Of Logical Processors: 4
    Number Of Processors: 1
    Status: OK
    System Type: x64-based PC
    User Name: owner-HP\owner
    -------------------------------------------------------------
    3. CPU (Detail Level: Basic) Start
    -------------------------------------------------------------
    Architecture: 9
    Caption: AMD64 Family 16 Model 10 Stepping 0
    Current Clock Speed: 2900
    Current Voltage: 1.5
    Description: AMD64 Family 16 Model 10 Stepping 0
    Device ID: CPU0
    Family: 1
    L2CacheSize: 2048
    L3CacheSize: 6144
    Manufacturer: AuthenticAMD
    MaxClockSpeed: 2900
    Name: AMD Phenom(tm) II X4 840T Processor
    NumberOfCores: 4
    NumberOfLogicalProcessors: 4
    -------------------------------------------------------------
    4. Drives (Detail Level: Basic) Start
    -------------------------------------------------------------
    Caption: Hitachi HDS721010CLA332 SATA Disk Device
    Description: Disk drive
    InterfaceType: IDE
    Manufacturer: (Standard disk drives)
    Model: Hitachi HDS721010CLA332 SATA Disk Device
    Partitions: 3
    Size: 931.51 GB
    -------------------------------------------------------------
    Caption: ioSafe G3 USB Device
    Description: Disk drive
    InterfaceType: USB
    Manufacturer: (Standard disk drives)
    Model: ioSafe G3 USB Device
    Partitions: 1
    Size: 2.73 TB
    -------------------------------------------------------------
    Caption: Seagate Backup+ Desk USB Device
    Description: Disk drive
    InterfaceType: USB
    Manufacturer: (Standard disk drives)
    Model: Seagate Backup+ Desk USB Device
    Partitions: 1
    Size: 2.73 TB
    -------------------------------------------------------------
    5. Memory (Ram) (Detail Level: Basic) Start
    -------------------------------------------------------------
    (Installed Physical Memory Modules)
    BANK1 - Size 2.00 GB
    BANK2 - Size 2.00 GB
    BANK3 - Size 2.00 GB
    -------------------------------------------------------------
    (Page File Info)
    Name: C:\pagefile.sys
    Allocated Size: 5887 MB
    Current Usage: 529 MB
    Peak Usage: 647 MB
    Temp Page File: False
    -------------------------------------------------------------
    (Memory Stats)
    Memory Total: 5.75 GB
    Memory Used:: 3.33 GB
    Memory Available: 2.42 GB
    Process Count: 85
    --------------------------------------------------------------

    Now here's the readout from running MBRCheck program just now:


    start program
    MBRCheck, version 1.2.3 (c) 2010

    Windows Version: Windows 7 Home Premium Edition
    Windows Information: Service Pack 1 (build 7601), 64-bit
    Base Board Manufacturer: FOXCONN
    BIOS Manufacturer: American Megatrends Inc.
    System Manufacturer: Hewlett-Packard
    System Product Name: p6774y
    Logical Drives Mask: 0x00000dfc

    C:\DOS\MBRCheck.exe

    \\.\C: --> \\.\PhysicalDrive0 at offset 0x00000000`06500000 (NTFS)
    \\.\D: --> \\.\PhysicalDrive0 at offset 0x000000e5`a6300000 (NTFS)
    \\.\K: --> \\.\PhysicalDrive2 at offset 0x00000000`00800000 (NTFS)
    \\.\L: --> \\.\PhysicalDrive1 at offset 0x00000000`0003f000 (NTFS)

    PhysicalDrive0 Model Number: HitachiHDS721010CLA332, Rev: JP4OA3GH
    PhysicalDrive2 Model Number: SeagateBackup+ Desk, Rev: 050B
    PhysicalDrive1 Model Number: ioSafeG3, Rev: MX6O

    Size Device Name MBR Status
    --------------------------------------------
    931 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 3A81AC631E811CAA8658FADA4F7506C9B922C0BB
    2794 GB \\.\PhysicalDrive2 MBR Code Faked!
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
    2794 GB \\.\PhysicalDrive1 MBR Code Faked!
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    Found non-standard or infected MBR.
    exit program
    =======================================================

    At the time that I attached the two external HDDs for the first time I wasn't having any malware trouble (daily scanning with Norton360, Malwarebytes Antimalware, SUPERAntiSpyware, and Panda were all normal) but I ran MBRCheck out of curiosity and discovered the worrisome message about the MBR code being faked. I don't know what the deal is with that, but it seems unlikely to be due to infection or corruption, given that I got those results within minutes of plugging the drives in for the first time on a clean system.

    The "Unknown MBR code" message for drive0 is more perplexing. When I first ran MBRCheck I got the above output for drive0. Seeing that the code was unknown, I replaced the MBR with a backup from 14 months ago and then ran MBRCheck. I again got the same message about "unknown MBR code" but a different SHA1 hash. I then booted from a Windows Repair CD and used the "bootrec /fixmbr" command to rebuild the MBR. When I subsequently ran MBRCheck I again got the same message/hash shown above.

    I'm not having any boot issues so I'm loath to do anything about it. I was just hoping that someone could enlighten me as to why the MBR code for my system disk is being reported as "Unknown" and why the MBR codes for a couple of brand new external drives would be reported as being "faked". For that matter, why would a non-bootable external USB drive have an MBR in the first place?
     
  2. mdonah

    mdonah Major Geek Extraordinaire

    It is possible that you have an MBR Virus/Rootkit. The information on this page may be of assistance.
     
  3. Kestrel13!

    Kestrel13! Super Malware Fighter - Major Dilemma Staff Member

    More than likely a false positive. See post #9.
     
  4. mdonah

    mdonah Major Geek Extraordinaire

    Additionally, I ran MBR Check on my own system with AND without my external hard drive connected after reading your post (see attached).
     
  5. rustysavage

    rustysavage Sergeant Major

    I ran ComboFix and it apparently attempted to fix the MBRs because when I subsequently ran MBRcheck it displayed the following output:


    Size Device Name MBR Status
    --------------------------------------------
    931 GB \\.\PhysicalDrive0 Unknown MBR code
    SHA1: 3A81AC631E811CAA8658FADA4F7506C9B922C0BB
    2794 GB \\.\PhysicalDrive6 RE: Unknown MBR code <------------------changed
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
    2794 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected <------changed
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A


    The status of the 2 external drive MBRs changed despite the corresponding hashes remaining the same. That's odd. One of the external HDDs had a Windows XP MBR implemented. Also odd. Before and after MBR dumps of each of these 2 drives indicated that both had changed by 0 bytes (identical). Very odd.

    I then ran MBR v1.05 (another MBR backup/restore/repair utility) and wrote a Windows 7 MBR to drive0 (system disk). Then I ran MBRcheck and got the following output:


    Size Device Name MBR Status
    --------------------------------------------
    931 GB \\.\PhysicalDrive0 Windows 7 MBR code detected <------changed
    SHA1: 4379A3D43019B46FA357F7DD6A53B45A3CA8FB79
    2794 GB \\.\PhysicalDrive6 MBR Code Faked! <------------------changed
    SHA1: 639AC5CDF8A5CF3245975932C6A4215450A7B98F
    2794 GB \\.\PhysicalDrive1 RE: Windows XP MBR code detected
    SHA1: DA38B874B7713D1B51CBC449F4EF809B0DEC644A

    MBR for system drive0 was changed to standard Windows 7 format. Before and after MBR dumps showed that the MBR had changed by only 4 bytes. Even though I didn't do anything to drive6 MBR at this stage and despite no change in the MBR hash, the status of drive6 MBR reverted back to "MBR Code Faked!"

    So, in summary, the following net status changes have happened to these 3 MBRs:

    drive0 (system drive): Unknown MBR code --> Windows 7 code detected :) (total changes = 4 bytes)
    drive1 (External HDD): MBR Code Faked! --> Windows XP MBR code detected (total changes = 0 bytes)
    drive6 (External HDD): MBR Code Faked! --> MBR Code Faked! (total changes = 0 bytes)

    I don't even have a theory as to what's going on here, unless one believes in a 4 byte rootkit. Even then, it wouldn't explain how MBR status can change in instances where the MBR remains identical, byte for byte.
     
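For readers trying to make sense of the "Unknown MBR code" and "Faked" labels in posts #1 and #5, here is an added example (not part of the thread, and not MBRCheck's or any other tool's own code) showing what a hash-based MBR checker does mechanically: it splits the 512-byte sector into bootstrap code, disk signature, partition table and the 0x55AA boot signature, hashes the bootstrap region, and looks the hash up in a table of known-good values. The sample MBR bytes and the "known hashes" table are constructed for the demonstration; the bootstrap stub is not real Windows boot code and the table is not any real database. The example also counts differing bytes between two MBR dumps, as the poster did, to show that changes to the disk signature or partition table alter the dump without altering the code hash, while a single changed code byte flips the result to "Unknown".

```python
"""Added example: anatomy of a hash-based MBR check (constructed data only)."""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0-439: bootstrap code, the region a hash check compares
DISK_SIG_OFF = 440       # bytes 440-443: Windows disk signature; 444-445 usually zero
PART_TABLE_OFF = 446     # bytes 446-509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"   # bytes 510-511: boot signature


def build_sample_mbr(boot_code: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Assemble a constructed 512-byte MBR with one active NTFS (type 0x07) partition."""
    if len(boot_code) > BOOT_CODE_LEN:
        raise ValueError("boot code too long")
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    sig = struct.pack("<I", disk_sig) + b"\x00\x00"
    # status, CHS start (3), type, CHS end (3), LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48   # remaining three entries empty
    return code + sig + table + BOOT_SIG


def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into its regions and decode the non-empty partition entries."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:
            parts.append({"active": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {
        "boot_code": mbr[:BOOT_CODE_LEN],
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": parts,
        "signature_ok": mbr[510:512] == BOOT_SIG,
    }


def boot_code_sha1(mbr: bytes) -> str:
    """Hash only the bootstrap region, so partitioning changes don't move the hash."""
    return hashlib.sha1(mbr[:BOOT_CODE_LEN]).hexdigest().upper()


def classify(mbr: bytes, known_hashes: dict) -> str:
    """The decision such a checker makes is a table lookup, not code analysis:
    'Unknown' means only that the hash is not in the table."""
    info = parse_mbr(mbr)
    if not info["signature_ok"]:
        return "Invalid MBR (missing 0x55AA boot signature)"
    if not any(info["boot_code"]):
        return "No boot code (bootstrap area is all zeros)"
    return known_hashes.get(boot_code_sha1(mbr), "Unknown MBR code")


def count_changed_bytes(a: bytes, b: bytes) -> int:
    """Byte-wise diff of two MBR dumps, as in the poster's before/after comparison."""
    return sum(1 for x, y in zip(a, b) if x != y) + abs(len(a) - len(b))


# --- constructed data: NOT real boot code, NOT any tool's hash database ---
VENDOR_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 32
SAMPLE_MBR = build_sample_mbr(VENDOR_STUB)
KNOWN_HASHES = {boot_code_sha1(SAMPLE_MBR): "Known MBR code (constructed vendor stub)"}

# Same boot code, different disk signature: dump differs, hash does not.
RESIGNED_MBR = build_sample_mbr(VENDOR_STUB, disk_sig=0xDEADBEEF)

# One byte of boot code altered: hash no longer matches the table.
_patched = bytearray(SAMPLE_MBR)
_patched[5] ^= 0xFF
PATCHED_MBR = bytes(_patched)

if __name__ == "__main__":
    for name, mbr in (("sample", SAMPLE_MBR), ("resigned", RESIGNED_MBR),
                      ("patched", PATCHED_MBR)):
        print(f"{name:9} SHA1 {boot_code_sha1(mbr)}  {classify(mbr, KNOWN_HASHES)}  "
              f"diff vs sample: {count_changed_bytes(SAMPLE_MBR, mbr)} bytes")
```

The point for a defender reading output like the thread's: a hash lookup can only say "seen before" or "not seen before". An OEM or vendor boot stub that is not in the tool's table shows as "Unknown" no matter how legitimate it is, and a verdict can only be trusted as far as the table behind it, which is why comparing the raw dump against a known-good backup (as the poster did) is the more informative check.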
  6. mdonah

    mdonah Major Geek Extraordinaire

     
  7. rustysavage

    rustysavage Sergeant Major

     