TeMerc

boot.ini f\p....


From support user, dev log

Malwarebytes' Anti-Malware 1.34
Database version: 1762
Windows 5.1.2600 Service Pack 3

2/15/2009 1:23:16 PM
mbam-log-2009-02-15 (13-23-16).txt

Scan type: Quick Scan
Objects scanned: 69430
Time elapsed: 59 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\boot.ini (Trojan.Agent) -> Quarantined and deleted successfully. [385753513430616780808515747974]


Just updated to 1.34 when this happened.

Malwarebytes' Anti-Malware 1.34
Database version: 1764
Windows 5.1.2600 Service Pack 2

2/15/2009 5:14:31 PM
mbam-log-2009-02-15 (developer).txt

Scan type: Quick Scan
Objects scanned: 49022
Time elapsed: 1 minute(s), 35 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\boot.ini (Trojan.Agent) -> No action taken. [385753513430616780808515747974]

This is the boot.ini file.

--------------------------

[boot loader]

timeout=1

default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS

[operating systems]

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Can you please click on Start, Run, and type in mbam.exe /debug. It will create a file, please attach it here.
Submitted and awaiting reply.


Is this a false positive? I received a similar result with a scan on 12 February, and only now did it occur to me it might be false:

Malwarebytes' Anti-Malware 1.34
Database version: 1753
Windows 5.1.2600 Service Pack 3

2/12/2009 10:57:33 AM
mbam-log-2009-02-12 (10-57-29).txt

Scan type: Quick Scan
Objects scanned: 50251
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\boot.ini (Trojan.Agent) -> No action taken.

Would a log in developer mode still be of use to you at this late date? I can supply the following information:

Machine is fully patched. AdAware 2008, SuperAntiSpyware, SpySweeper, SpybotS&D all installed, and none detected any problem. Full time AV is McAfee, ZoneAlarmPro firewall. McAfee turned up nothing, nor did Housecall.

Further, full MBAM scan was run 11 Feb, and it detected nothing. Ran Windows Update 12 Feb, installed new patches, etc., ran MBAM quick scan. Nothing else installed in that time period.

I hope that I posted this correctly. Thanks in advance for your help.


Same here:

Malwarebytes' Anti-Malware 1.34

Database version: 1765

Windows 5.1.2600 Service Pack 3

16-2-2009 18:15:25

mbam-log-2009-02-16 (18-15-22).txt

Scan type: Quick Scan

Objects scanned: 48758

Time elapsed: 4 minute(s), 3 second(s)

Files Infected:

\boot.ini (Trojan.Agent) -> No action taken.

Funny thing is: I ran it a second time, and no detection. Running it a third time as we speak; will do a mbam.exe /debug afterwards


Interesting, I am running a dualboot with Win7 right now.

Malwarebytes' Anti-Malware 1.34
Database version: 1766
Windows 5.2.3790 Service Pack 2

2/16/2009 2:16:59 PM
mbam-log-2009-02-16 (14-16-59).txt

Scan type: Quick Scan
Objects scanned: 58571
Time elapsed: 2 minute(s), 11 second(s)

Files Infected:
\boot.ini (Trojan.Agent) -> No action taken.

Copy of my boot.ini as well.

;
;Warning: Boot.ini is used on Windows XP and earlier operating systems.
;Warning: Use BCDEDIT.exe to modify Windows Vista boot options.
;
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional x64 Edition" /NOEXECUTE=OPTIN /FASTDETECT

I found that after a reboot this would pop up again, but with repeated scans after an existing one it wouldn't. But not always; I have no idea what's triggering it. It's also not showing up on all of my machines. Just this one.

mbam_info.txt


Copy of my boot.ini, just in case:

[boot loader]
timeout=20
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Safety" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

Can you please click on Start, Run, and type in mbam.exe /debug. It will create a file, please attach it here.
Malwarebytes' Anti-Malware 1.34

Database version:

Executable location: C:\Program Files\Malwarebytes' Anti-Malware

Database location: C:\Documents and Settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\rules.ref

Username: Ron Scalzo

Windows folder: C:\WINDOWS

System folder: C:\WINDOWS\system32

Root drive: C:

Program Files: C:\Program Files

Common Files: C:\Program Files\Common Files

C:\Documents and Settings\Administrator\Desktop

Desktop: C:\Documents and Settings\All Users\Desktop

Desktop: C:\Documents and Settings\Default User\Desktop

Desktop: C:\Documents and Settings\LocalService\Desktop

Desktop: C:\Documents and Settings\Ron Scalzo\Desktop

C:\Documents and Settings\Administrator\Start Menu

Start Menu: C:\Documents and Settings\All Users\Start Menu

Start Menu: C:\Documents and Settings\Default User\Start Menu

Start Menu: C:\Documents and Settings\LocalService\Start Menu

Start Menu: C:\Documents and Settings\Ron Scalzo\Start Menu

Start Menu: C:\Documents and Settings\All Users\Start Menu

C:\Documents and Settings\Administrator

User Root: C:\Documents and Settings\All Users

User Root: C:\Documents and Settings\Default User

User Root: C:\Documents and Settings\LocalService

User Root: C:\Documents and Settings\NetworkService

User Root: C:\Documents and Settings\Ron Scalzo

C:\Documents and Settings\Administrator\Favorites

Favorite: C:\Documents and Settings\All Users\Favorites

Favorite: C:\Documents and Settings\Default User\Favorites

Favorite: C:\Documents and Settings\LocalService\Favorites

Favorite: C:\Documents and Settings\Ron Scalzo\Favorites

C:\Documents and Settings\Administrator\Application Data

Application Data: C:\Documents and Settings\All Users\Application Data

Application Data: C:\Documents and Settings\Default User\Application Data

Application Data: C:\Documents and Settings\LocalService\Application Data

Application Data: C:\Documents and Settings\NetworkService\Application Data

Application Data: C:\Documents and Settings\Ron Scalzo\Application Data

Application Data: C:\Documents and Settings\All Users\Application Data

C:\Documents and Settings\LocalService\Application Data\Microsoft\Internet Explorer\Quick Launch

Quick Launch: C:\Documents and Settings\Ron Scalzo\Application Data\Microsoft\Internet Explorer\Quick Launch

Temporary Folder: C:\WINDOWS\Temp


I'd like to report in that my MBAM has also detected boot.ini as a False Positive.

Unfortunately, I was unable to recreate the FP in Developer Mode, so here is the original log:

Malwarebytes' Anti-Malware 1.34
Database version: 1783
Windows 5.1.2600 Service Pack 2

2/21/2009 8:43:42 AM
mbam-log-2009-02-21 (08-43-42).txt

Scan type: Quick Scan
Objects scanned: 49510
Time elapsed: 19 minute(s), 43 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
\boot.ini (Trojan.Agent) -> Quarantined and deleted successfully.


When trying to run MBAM in developer mode, it tells me:

Swissarmy failed to load; Error code: 0 or something to that effect.


This is an odd glitch that I may have just fixed, please update and scan again if you were having this issue.
