Unknown MBR code on Lenovo R500 notebook PC is normal?

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by Frankenstien, Jan 2, 2015.

  1. Frankenstien

    Frankenstien Private E-2

    Hey all! ... I'm new here, but not to forum usage (in general ... I read the Welcome PM and Sticky threads ... ) ... I came in here because I found a fairly relevant thread by bbpathd1, who was guided to a successful resolution by one of your Admins, TimW (BTW, can I change the Linear sort order of Closed threads? I'd prefer to see the oldest at the top, not the bottom ... no biggie ...). I may not have a malware issue at all, perhaps just a ThinkPad-specific MBR idiosyncrasy.

    Back story: I've been trying to get a Lenovo R500 notebook PC running better than it was before being donated to me ... it's got a Windows Vista sticker on it but appears to have the entire ThinkVantage suite of programs installed on XP Pro SP3 32-bit ... it uses an Intel Centrino2 P8400 2.26GHz CPU and has 2.94GB of RAM, so, should run XP pretty snappily ... even fully updated ... all the way 'round.

    It's always interesting to see what s/w a corporate tool is loaded with, and, what the user later loads and does to bring an OS to its knees ... both with startup stuff and an impressive range of toolbars / malware / etc. ...

    Anyways, I've got things pared down, cleaned up (I use AVG AntiVirus Free Edition 2015, Spybot - S & D 2.4, Malwarebytes Anti-Malware [Free] 2[.0.4.1028] & SpywareBlaster V5.0) and sorted out pretty well now, with one recurring exception ... where my PC familiarity is failing me ... after restarting, I keep running into the Chkdsk flag (dirty bit set) on the 143.19 GB NTFS 'Healthy (System)' disk (C:\), which, along with a hidden, 5.86 GB FAT32 'Healthy (EISA Configuration)' partition called 'SERVICEV001', reside on the one and only physical Hitachi (HTS543216L9SA00, Rev: FB2ZC48C) HDD.

    Using 'Hiren's BootCD' (15.2) on a USB stick, > 'MiniXP' > I used 'HxD' to find the dirty bit and reset it, but it kept recurring ... after three such fixes ... I then just said F it, decided to risk the damage Chkdsk can do and ran 'Check Disk (chkdsk /f /x)' from HBCD 15_2 ... this allowed me to use Diskeeper 8(.0.478.0) when I was back up in the regular XP OS ... once per full iteration ... however, every time I tried to set a Diskeeper boot-time defragmentation on regular startup, I would run into the Chkdsk flag ... and boot-time defrag would not run ... I then used MBRCheck, version 1.2.3, from HBCD 15_2 and it reports "Unknown MBR code" / "Found non-standard or infected MBR".

    In the process, I've become fairly familiar with the [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute" Multi-String Value (REG_MULTI_SZ) ... however, the Data for this value alone does not seem to have full control over what occurs on startup, and I have noticed that a variety of data lines get placed there which can mess up a boot-time defrag and need to be temporarily removed ... i.e.:

    autocheck autochk /p \??\C:
    autocheck autochk *


    or:

    autocheck autochk /p \??\C:
    AUTONTFS C: PAGE=MIN DIRS=MFTZ ENDPAUSE MFT=MIN


    or, other lines noted post-install of AVG & Spybot - S & D, respectively:

    C:\PROGRA~1\AVG\AVG2015\avgrsx.exe /sync /restart

    sdnclean.exe


    Note: Spybot - S & D manages to insert an empty line in this value when it writes 'sdnclean.exe' to the existing value data ... something Windows Registry Editor Version 5.00 will not allow manually ... (?)

    Anyways, I suspect the MBR code is what is messing me up and is something proprietary and / or to do with the ThinkPad Embedded Security Subsystem (R500: TCG TPM 1.2, Integrated in chipset).

    Any thoughts on this? I can't help but think using HBCD 15_2 > MiniXP > MBRCheck, option '[2] Restore the MBR ... ' might be a serious error on my part and render the existing recovery partition unusable ...

    FFF
     

    Attached Files:
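    The "Unknown MBR code" verdict the poster describes is a hash lookup: the tool hashes the bootstrap code and reports "unknown" when that hash is not in its list, which is exactly what an OEM-specific MBR on a ThinkPad with a hidden recovery partition will produce. What a defender actually wants from the first sector is (a) the structural checks that do not depend on recognising the code, and (b) a comparison against a baseline taken from a machine known to be clean, as the poster later did with the T61. The following Python is an added example written for this thread; it is not MBRCheck's code, nor Lenovo's, and the 512-byte image it parses is constructed in `build_sample_mbr` (made-up sector counts and disk signature). Hashing the first 440 bytes as "boot code" is this example's choice, not necessarily what MBRCheck hashes; `read_mbr` is provided for reading a real first sector but is not called by the demo.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the bootstrap code
DISK_SIG_OFFSET = 440         # 4-byte Windows disk signature
PART_TABLE_OFFSET = 446       # four 16-byte partition entries
PART_ENTRY = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a 512-byte MBR image for demonstration only (not a real disk dump).
    Layout follows the thread: a hidden type-0x12 recovery partition followed by an
    active NTFS (type 0x07) system partition. Sector counts are made up."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    disk_sig = b"\x12\x34\x56\x78"          # constructed disk signature
    reserved = b"\x00\x00"

    def entry(status, ptype, lba_start, sectors):
        return struct.pack(PART_ENTRY, status, b"\x00" * 3, ptype, b"\x00" * 3, lba_start, sectors)

    table = (entry(0x00, 0x12, 63, 12_288_000)            # hidden recovery partition
             + entry(0x80, 0x07, 12_288_063, 300_000_000)  # active system partition
             + b"\x00" * 32)                               # two unused entries
    return code + disk_sig + reserved + table + BOOT_SIGNATURE


def read_mbr(device_path: str) -> bytes:
    # e.g. r"\\.\PhysicalDrive0" on Windows (administrator rights needed) or "/dev/sda"
    # on Linux. Not called by the demo below.
    with open(device_path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into its boot code hash, disk signature and partition table."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * 16
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        partitions.append({"slot": i, "active": status == 0x80, "type": ptype,
                           "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha1": hashlib.sha1(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": sector[DISK_SIG_OFFSET:DISK_SIG_OFFSET + 4].hex(),
        "partitions": partitions,
    }


def sanity_check(parsed: dict) -> list:
    """Structural checks that do not depend on recognising the boot code."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in parsed["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in parsed["partitions"])
    for (_s1, e1), (s2, _e2) in zip(spans, spans[1:]):
        if s2 < e1:
            findings.append(f"partition overlap starting at LBA {s2}")
    return findings


def assess(parsed: dict, baseline_hashes: set) -> str:
    """'Unknown' only means the hash is not in the list you compare against."""
    if parsed["boot_code_sha1"] in baseline_hashes:
        return "boot code matches a baseline hash"
    return "boot code not in baseline (unknown, not by itself evidence of infection)"


if __name__ == "__main__":
    # Constructed "known-good" image standing in for the T61 the poster compared against
    baseline = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0"))
    suspect = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0"))
    print(assess(suspect, {baseline["boot_code_sha1"]}))
    print(sanity_check(suspect) or "partition table looks sane")
```

    The useful workflow is to record the boot-code hash and the partition table from a machine you trust, then compare a questionable machine against that rather than against a generic list; a type-0x12 hidden partition and an OEM boot sector are expected on this hardware, whereas a failed 0x55AA check, two active partitions or overlapping extents are findings worth acting on regardless of what any hash list says.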

  2. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    MBRCheck often cannot identify non-standard MBRs. This is normal and not something to be concerned about.
     
  3. Frankenstien

    Frankenstien Private E-2

    Thank you TimW for helping me out ... I've since taken a look at a Lenovo T61's MBR (this machine's HDD was reloaded by me with XP Pro SP3 32-bit and the ThinkVantage suite of s/w, with no preservation of any pre-existing recovery partition) with MBRCheck, and, even though the SHA1 value is different, it is still seen as a "Unknown MBR code" / "Found non-standard or infected MBR". With your input and this additional observation, I'm not going to sweat the MBR thing for the R500 (or the T61 ... as it's been solid for a long time now).

    Aside from that, any thoughts on the BootExecute values I mentioned?

    I've managed to capture and create a couple of different REG files that include the 1 blank line that Spybot - S & D 2.4 inserts in BootExecute when it writes 'sdnclean.exe' or 'sdnclean64.exe' (the latter for a Win 7 Pro SP1 64-bit OS) to the existing value Data.

    I will test this method of introducing the blank line into BootExecute on the R500 later today and report back ... FFF
     
    Last edited: Jan 3, 2015
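    The blank line the poster captured in those REG files is visible in the file itself once you know how regedit encodes a REG_MULTI_SZ: the value is exported as `hex(7):` with every string in UTF-16LE followed by a NUL pair and one extra NUL pair closing the list, so an empty string is simply a bare `00,00` between two terminators. Since BootExecute is run by the Session Manager before logon, it is also one of the autostart locations a defender should audit, which is the second thing the added example below does. This Python is mine, written for this thread, not code from the poster, Spybot or Microsoft; the `.reg` text in `SAMPLE_REG` is constructed to hold `autocheck autochk *`, an empty entry and `sdnclean.exe`, and the list of expected prefixes in `EXPECTED_PREFIXES` is an assumption about what a default BootExecute looks like.

```python
import re

# Default BootExecute content on XP/Vista/7 is an autochk invocation; anything else
# in this value runs before logon and deserves review (assumption: your own baseline).
EXPECTED_PREFIXES = ("autocheck autochk",)

# Constructed .reg export (not from the poster's machine): the value holds
# "autocheck autochk *", an empty string, then "sdnclean.exe".
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"BootExecute"=hex(7):61,00,75,00,74,00,6f,00,63,00,68,00,65,00,63,00,6b,00,20,00,\
  61,00,75,00,74,00,6f,00,63,00,68,00,6b,00,20,00,2a,00,00,00,00,00,73,00,64,00,\
  6e,00,63,00,6c,00,65,00,61,00,6e,00,2e,00,65,00,78,00,65,00,00,00,00,00
"""


def encode_multi_sz(entries, value_name="BootExecute"):
    """Produce the hex(7) line regedit writes for a REG_MULTI_SZ: every string in
    UTF-16LE followed by a NUL, then one more NUL closing the list. An empty string is
    just a bare NUL pair, which regedit displays as the blank line the thread mentions."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in entries) + b"\x00\x00"
    return f'"{value_name}"=hex(7):' + ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(reg_text, value_name="BootExecute"):
    """Parse the hex(7) data for value_name out of .reg text, handling regedit's
    backslash line continuations, and return the list of strings."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", reg_text)   # undo "...,\<newline>  ..." wrapping
    m = re.search(r'"%s"=hex\(7\):([0-9a-fA-F,]+)' % re.escape(value_name), joined)
    if not m:
        raise ValueError(f"{value_name} hex(7) value not found")
    raw = bytes(int(h, 16) for h in m.group(1).split(",") if h)
    text = raw.decode("utf-16-le")
    if text.endswith("\x00"):
        text = text[:-1]              # drop the list terminator
    parts = text.split("\x00")        # each string ends in its own NUL ...
    if parts and parts[-1] == "":
        parts.pop()                   # ... so the last split piece is always empty
    return parts


def review_boot_execute(entries, expected_prefixes=EXPECTED_PREFIXES):
    """Return (index, entry) pairs that are not a plain autochk line: blank entries and
    third-party executables. Neither proves malware, but both are worth knowing about."""
    findings = []
    for i, entry in enumerate(entries):
        if entry == "":
            findings.append((i, "<blank entry>"))
        elif not entry.lower().startswith(expected_prefixes):
            findings.append((i, entry))
    return findings


if __name__ == "__main__":
    entries = decode_multi_sz(SAMPLE_REG)
    print(entries)                          # ['autocheck autochk *', '', 'sdnclean.exe']
    print(review_boot_execute(entries))     # [(1, '<blank entry>'), (2, 'sdnclean.exe')]
    assert decode_multi_sz(encode_multi_sz(entries)) == entries
```

    To run it against a real export, produce the file with `reg export "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" sm.reg` and pass its contents to `decode_multi_sz`. The encoder shows why the blank line is easy to write from a file but hard to type in regedit: it is nothing more than two consecutive NUL pairs in the data, and the decoder keeps it as an empty list element rather than silently collapsing it, so you can see exactly which position a product inserted it at.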
  4. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sounds like questions for the software forum. ;)
     
  5. Frankenstien

    Frankenstien Private E-2

    Righto TimW ... I'll get into it again in software later ... FFF
     
  6. TimW

    TimW MajorGeeks Administrator - Jedi Malware Expert Staff Member

    Sounds like a plan.....good luck. ;)
     
