Physical Forged Boot Sector false positive (Intel Raid Storage Manager?)

[Zhooom]

This was originally posted by user ponsich in the Anti-Rootkit Help, but several of us have the same issue - all running Intel Raid Storage Technology. 

 

See: https://forums.malwarebytes.org/index.php?showtopic=149317

 

Basically it appears to be, from ponsich's research and mine this morning, a false positive due to Intel's driver possibly changing these sectors for some reason.  It's very spooky however since this is mucking around with my system at a low enough level the disk could become unrecoverable, so I'm a little paranoid here ... 

 

For me, It's outside my C: drive Partition space as well (starting at sector 206848 and 2000211968 total sectors, which is sector # 2000418816).  The first results say the lowest forged sector number is 2000419072, and they go up from there.

 

While I ran this using the mbam /developer option, the log message stayed the same as it does normally, which I attached.  The actual physical sector doesn't seem like it would be very informative (at least to me) given that it doesn't say if that's what sector is being forged or that is the forgery location, but regardless I'd I'd think you need both to investigate. Maybe there's a pointer here somewhere .. I'm no expert.  

 

If needed I can upload one or more physical sector's of my disk for inspection. 

 

(edit - I enclosed the hex representation of the data in text format of the first physical sector being reported as forged.  Sorry, the editor I'm using doesn't allow me to save it as true binary.)

 

Let me know, thanks!

 

--Z

 

phys_sectors_log.txt

forged_sector_values.txt