Something (malware?) is disrupting my MBR/boot sector.

Discussion in 'Malware Help (A Specialist Will Reply)' started by trex2000, Feb 22, 2010.

  1. trex2000

    trex2000 Private E-2

    I am running Windows XP Pro SP2. Years ago I installed SecurStar's DriveCrypt Plus Pack (DCPP), which is a boot disk encryption utility. After the computer posts, DCPP's log-in screen, called Bootauth, appears. Windows does not boot until one enters a password. My understanding is that to make this work DCPP modifies the boot sector of the hard disk. This worked quite well until about 3 weeks ago when Bootauth did not appear -- blank black screen. Fortunately, I had prepared an emergency floppy boot disk using the DCPP software, so I can boot into Windows using the emergency floppy which displays the Bootauth log-in screen.

    I fired up the DCPP program and reinstalled Bootauth (this involves decrypting the disk, uninstalling Bootauth, reinstalling Bootauth, and reencrypting the disk). After I did this, the problem disappeared for one or two OS boot sequences, but then returned. I've repeated this entire process three times with the same result. So, it appears that something is disrupting the boot sector. Malware? (I've run Steve Gibson's Spinrite 6 software on the disk and it's given the disk a clean bill of health.)

    I've gone through the Major Geeks procedures for removing malware (unfortunately this did not solve the problem) and generating logs. I've placed the logs in a zip file and attached that zip file.
    A few notes about this:
    1. DCPP does not allow one to run Windows Recovery Console.
    2. The Root Repeal software could not access the boot sector.
    3. I did remove browser temp files, but not cookies or histories.
    4. In looking through the logs, I noticed several errors reported in the runkeys.txt log.
     


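The post above describes a boot sector that is apparently being rewritten between boots, and a tool that could not read it at all. A defender's first step in that situation is to take a baseline of the first sector and compare it on every boot, so that a change in the boot code, the partition table or the 0x55AA signature is noticed and can be tied to a point in time. The following script is an added example for this thread, not part of DCPP, Bootauth or any MajorGeeks tool; it parses a 512-byte MBR image, hashes the 446 bytes of boot code (the part a pre-boot authentication loader lives in) and reports what differs between two snapshots. The sample sector it builds is constructed here for the demonstration; `read_mbr` takes any path, and reading a live disk (for example `\\.\PhysicalDrive0` on Windows, which requires administrator rights) is an assumption, not something verified on the poster's machine.

```python
"""Snapshot and compare the first sector (MBR) of a disk.

Added example for this thread; it is not DCPP, Bootauth or MajorGeeks code.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445: boot loader code
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
PARTITION_ENTRY_LEN = 16
SIGNATURE = b"\x55\xaa"        # bytes 510..511: boot signature


def parse_mbr(sector):
    """Split a 512-byte sector into a boot-code hash, partition list and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector)))
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:          # empty entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def compare_mbr(baseline, current):
    """Return a list of human-readable differences between two parse_mbr() results."""
    findings = []
    if baseline["boot_code_sha256"] != current["boot_code_sha256"]:
        findings.append("boot code changed: %s... -> %s..." % (
            baseline["boot_code_sha256"][:12], current["boot_code_sha256"][:12]))
    if baseline["partitions"] != current["partitions"]:
        findings.append("partition table changed")
    if baseline["signature_ok"] != current["signature_ok"]:
        findings.append("boot signature 0x55AA %s" %
                        ("restored" if current["signature_ok"] else "missing"))
    return findings


def read_mbr(path):
    """Read the first sector from a file or raw device (assumption: caller has the rights to open it)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_mbr():
    """Constructed sample: tiny boot stub, one bootable NTFS-type partition at LBA 63, valid signature."""
    boot_code = b"\xfa\x33\xc0" + b"\x90" * (BOOT_CODE_LEN - 3)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 20964762)
    table = entry + b"\x00" * (3 * PARTITION_ENTRY_LEN)
    return boot_code + table + SIGNATURE


if __name__ == "__main__":
    baseline = parse_mbr(build_sample_mbr())
    tampered = bytearray(build_sample_mbr())
    tampered[0x10] ^= 0xFF          # flip one byte inside the boot code
    for finding in compare_mbr(baseline, parse_mbr(bytes(tampered))):
        print(finding)
```

Running it with a baseline taken right after Bootauth is reinstalled, and again after the next boot, would show whether the boot code itself is being overwritten or whether the partition table is changing, which is the distinction a reader of this thread would want before attributing the problem to malware. Note that on a system where the pre-boot loader is expected to differ from a stock Windows MBR, the baseline must be taken after the loader is installed, not from a clean Windows disk.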
  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    I am not seeing anything in your logs other than these:
    Code:
    "C:\Documents and Settings\Bruce\Local Settings\temp\"
    mbx@4d~1.###  Feb 15 2010        2048  "MBX@4D0@B23238.###"
    mbx@9d~1.###  Feb 15 2010        2048  "MBX@9D0@B23238.###"
    mbx@ce~1.###  Feb 15 2010        2048  "MBX@CE4@B23238.###"
    There is no evidence of a MBR infection and nothing was misreported in the runkeys log.

    You may need to contact Bootauth and see if they have any forums for assistance.
     
  3. trex2000

    trex2000 Private E-2

    Thanks for checking my logs and your prompt reply. :)
     
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    You are most welcome.

    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no real-time protection. They are useful as backup scanners. They do not use any significant amount of resources (except a little disk space) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /uninstall
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    5. Go to add/remove programs and uninstall HijackThis.
    6. Goto the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    7. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    8. After doing the above, you should work thru the below link:
     
  5. trex2000

    trex2000 Private E-2

    In carrying out the final cleanup you recommend I got the following response from Windows XP when I tried to uninstall ComboFix from my Desktop
    (%userprofile%\Desktop\combofix" /uninstall):
    "Windows cannot find 'C:\Documents". Make sure you typed the name correctly, and then try again. To search for a file, click the start button, and then click Search.

    However, after I rebooted combofix was gone! :-D

    Thought this tidbit might be useful to someone else.

    trex2000
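The error in the post above, "Windows cannot find 'C:\Documents'", is what Windows reports when a path containing spaces is split at its first space, and the command as quoted in the post lacks the opening double quote that the instructions in post 4 put before `%userprofile%`. On this machine `%userprofile%` expands to `C:\Documents and Settings\Bruce` (visible in the log excerpt in post 2), so without the opening quote the first token is `C:\Documents`. The script below is an added example, not part of ComboFix or the MajorGeeks procedure: it models the Windows argument-splitting rules (whitespace separates tokens outside quotes, a double quote toggles quoting, and backslashes are literal unless they precede a quote) and shows which program name each variant of the command resolves to. The profile path and the environment table are constructed for the demonstration, and the splitter is a simplified model of the rules used by CommandLineToArgvW rather than the Run dialog's exact code.

```python
"""Model how Windows splits a command line, to show why a missing opening
quote turns "C:\\Documents and Settings\\..." into the program "C:\\Documents".

Added example for this thread; not ComboFix or MajorGeeks code.
"""
import re


def expand_env(cmdline, env):
    """Expand %NAME% references case-insensitively from a constructed env table."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), cmdline)


def split_windows_command_line(cmdline):
    """Simplified CommandLineToArgvW: quotes group, backslashes only escape a quote."""
    args, cur, in_quotes, have_token = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            count = j - i
            if j < n and cmdline[j] == '"':
                # 2k backslashes + quote -> k backslashes, quote toggles;
                # 2k+1 backslashes + quote -> k backslashes + literal quote
                cur.append("\\" * (count // 2))
                if count % 2 == 1:
                    cur.append('"')
                    have_token = True
                    i = j + 1
                else:
                    i = j            # let the quote be handled on the next pass
            else:
                cur.append("\\" * count)   # path separators are plain characters
                have_token = True
                i = j
            continue
        if ch == '"':
            in_quotes = not in_quotes
            have_token = True
            i += 1
            continue
        if ch in " \t" and not in_quotes:
            if have_token:
                args.append("".join(cur))
                cur, have_token = [], False
            i += 1
            continue
        cur.append(ch)
        have_token = True
        i += 1
    if have_token:
        args.append("".join(cur))
    return args


def program_to_launch(cmdline, env):
    """Return the argv[0] Windows would try to find for this Run-box input."""
    argv = split_windows_command_line(expand_env(cmdline, env))
    return argv[0] if argv else ""


# Constructed environment matching the profile path seen in the thread's log excerpt.
SAMPLE_ENV = {"userprofile": r"C:\Documents and Settings\Bruce"}
AS_INSTRUCTED = r'"%userprofile%\Desktop\combofix" /uninstall'
AS_TYPED_IN_POST = r'%userprofile%\Desktop\combofix" /uninstall'

if __name__ == "__main__":
    for label, cmd in (("instructed", AS_INSTRUCTED), ("as posted", AS_TYPED_IN_POST)):
        print("%-10s -> launches %r" % (label, program_to_launch(cmd, SAMPLE_ENV)))
```

The quoted form yields `C:\Documents and Settings\Bruce\Desktop\combofix` with `/uninstall` as its single argument; the form without the opening quote yields `C:\Documents`, exactly the name in the error message, with the rest of the line split into `and` and an unterminated quoted tail. Why ComboFix nevertheless disappeared after the reboot is not something this model explains, and the thread does not say.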
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Strange, as this is the first time someone has reported that occurrence. :)
     
