Author Topic: MBR Check - User != LL2 ... KO! ? (Read 12891 times)

6151 · « **on:** December 17, 2014, 07:30:47 PM »

I am not having any computer trouble but I noticed something that I wanted to ask about in the MBR Check portion. Is User != LL2 ... KO! always something to be concerned about or is it potentially okay?

I asked for help from one of the malware groups and they said it was nothing and my scans are clean so nothing to worry about but I figured I would check here just in case. The odd thing is that I have no idea what the 0 and 1 partitions correspond to under the LL2 section. Windows Disk Management only shows the 0-3 partitions listed under User with sizes that match up with those 4. But, the other 2 are unknowns and no other drive was connected when running Roguekiller.

¤¤¤ MBR Check : ¤¤¤
+++++ PhysicalDrive0: +++++
--- User ---
[MBR]
[BSP] : Windows Vista/7/8 MBR Code
Partition table:
0 - [ACTIVE] NTFS (0x7) [VISIBLE] Offset (sectors): 2048 | Size: 199 MB
1 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 590468 MB
2 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 1209688064 | Size: 15748 MB
3 - [XXXXXX] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 1241939968 | Size: 4063 MB
User = LL1 ... OK
User != LL2 ... KO!
--- LL2 ---
[MBR]
[BSP] : Unknown MBR Code
Partition table:
0 - [XXXXXX] NTFS (0x7) [VISIBLE] Offset (sectors): 409600 | Size: 77824 MB
1 - [ACTIVE] FAT32-LBA (0xc) [VISIBLE] Offset (sectors): 159793152 | Size: 400 MB

Tigzy · « **Reply #1 on:** December 19, 2014, 04:05:16 PM »

Yes, doesn't look so good.
In theory, unknown MBRs are dumped into %programdata%/RogueKiller/debug, can you see them?

6151 · « **Reply #2 on:** December 19, 2014, 08:01:46 PM »

I can. There is a physicaldrive0_LL2_mbr 1 KB file there. I don't know how to open or read the contents though.

RogueKillerX64 lists nothing within the program itself under the MBR tab. It is only when I check the report do I notice the MBR Check info with the User != LL2 ... KO! and the 2 unknown partition tables listed under LL2.

I tried running a bunch of other programs like Microsoft Security Essentials, Malwarebytes, RKill, DDS, FRST, TDSSKiller, Malwarebytes Anti-Rootkit, ADWCleaner and ComboFix but, unless I am using them wrong or running them incorrectly, they don't seem to suggest anything off.

Any ideas on what I can try to either confirm or eliminate a potential issue?

Thank you for the reply.

Tigzy · « **Reply #3 on:** December 22, 2014, 11:11:02 AM »

Can you please attach the file? Also you can upload it on Virus Total, it will tell you if it's malicious.

6151 · « **Reply #4 on:** December 23, 2014, 12:06:41 AM »

Virus Total said it was clean.

I tried attaching it but it said the following.

An Error Has Occurred!
You cannot upload that type of file. The only allowed extensions are doc,gif,jpg,pdf,png,txt,zip,rar,7z

Tigzy · « **Reply #5 on:** December 23, 2014, 09:11:59 AM »

Yes, you can zip it first

6151 · « **Reply #6 on:** December 23, 2014, 10:30:20 AM »

Apologies. I haven't done that before and don't think I have a program that will do it. Right clicking on it doesn't show any zip option.

Tigzy · « **Reply #7 on:** December 23, 2014, 12:08:14 PM »

You can install 7zip, that's very useful program
EDIT: Or for now, you can just rename the extension by .txt for example.

6151 · « **Reply #8 on:** December 24, 2014, 03:56:26 AM »

Thank you Tigzy for the help and txt tip.

6151 · « **Reply #9 on:** December 31, 2014, 10:57:42 PM »

Hi Tigzy.

Just in case looking at the mbr file slipped passed you rather than been too busy to look into it yet. Wondering if this was a non-issue or something that needs to be addressed.

I did notice this poster, http://forum.adlice.com/index.php?topic=314.0, had the same User = LL1 ... OK User != LL2 ... KO! with identical LL2 Partition Table sizes so perhaps it is some HP anomaly?

Thanks again.

Tigzy · « **Reply #10 on:** January 02, 2015, 09:08:44 AM »

It's in the todo list, waiting to be processed... It will addressed soon or later, depends.
You don't have to be concerned, VT said the MBR was clean so I'll do nothing else than whitelisting it and put a name on it. BTW could you tell me what PC brand you have and if you have antivirus or security product on it?

EDIT: No because you don't have the same MBR bootstrap (he got Win7 bootstrap while yours is unknown)

6151 · « **Reply #11 on:** January 02, 2015, 09:05:40 PM »

Thank you Tigzy. Glad it didn't turn out to be something I needed to be concerned with. I was worried it was some type of infection.

Computer is an HP laptop. Windows 7. Has Microsoft Security Essentials, Malwarebytes paid version and Malwarebytes Anti-Exploit free version.

Thanks again for your time and help.

Tigzy · « **Reply #12 on:** January 05, 2015, 10:50:55 AM »

Thanks for information. Should be whitelisted in next release.

Author Topic: MBR Check - User != LL2 ... KO! ? (Read 12891 times)

6151

MBR Check - User != LL2 ... KO! ?

Tigzy

Re: MBR Check - User != LL2 ... KO! ?

6151

Re: MBR Check - User != LL2 ... KO! ?

Tigzy

Re: MBR Check - User != LL2 ... KO! ?

6151

Re: MBR Check - User != LL2 ... KO! ?

Tigzy

Re: MBR Check - User != LL2 ... KO! ?

6151

Re: MBR Check - User != LL2 ... KO! ?

Tigzy

Re: MBR Check - User != LL2 ... KO! ?

6151

Re: MBR Check - User != LL2 ... KO! ?

6151

Re: MBR Check - User != LL2 ... KO! ?

Tigzy

Re: MBR Check - User != LL2 ... KO! ?

6151

Re: MBR Check - User != LL2 ... KO! ?

Tigzy

Re: MBR Check - User != LL2 ... KO! ?