Yes. Please make sure users have their BlackBerries or other USB devices disconnected, when running upgrade.
The upgrade appears to run fine. The error occurs after the upgrade and new 5.2.5 builds, so I don't think its a matter of having something attached to the computer during the upgrade. I am comparing MBRs on broken machines. Certain users continually get this error; this is the cause of concern. Virus/Malware causing this? I hope McAfee is able to do something with the 'broken' MBRs to determine what is causing this. Its becoming a concern here since it is occuring more frequently with 5.2.5.
From what I can see at this point from a broken machine....
It looks like the SafeBoot MBR has been overwritten. Sector 0 appears to have a non-SafeBoot MBR. Sector 1 is also populated with what appears to be a duplicate of sector 0 with slight differences. Sector 3 is populated with "Error loading virtualization module. Contact network administrator..... To boot to the Rescue and Recovery Environment, Press F11... There has been a signature failure"
Sector 4-8 appears to have something else in it (all hex). I have multiple broken machines from the same user - the same broken MBR (and sectors 3-8) is on both broken machines. So it appears something the user is doing is triggering this.
What do I have here? I have no idea right now. Does anyone think this could be some sort of malware or rootkit causing this?
More information... User appears to had "White Smoke" installed before the machine was rebooted and broke. From what I have read White Smoke is a MBR virus. I assume what has happened is a new variant is out in the wild that McAfee Virus Scan does not pick up, machines gets infected and breaks....
I used TDSKiller from Kaspersky and it found a rootkit on the infected drive (just slaved the drive and it was still able to read the infected MBR). I quarantined the files and submitted to McAfee (not detected by McAfee). Detected as Win32/Alureon.MBR, Rootkit.Tdss.AW, etc by other vendors.
Scan results from one of the files --> http://www.virustotal.com/file-scan/report.html?id=40914dfd49a3a0df1c4aa0cf86745 0762a3ac16d398a2559dd266d48199e8d2b-1292423089
I will post when this variant is caught and cleaned by McAfee. Thanks for listening, you have been a great crowd!
Message was edited by: cdobol on 12/15/10 10:29:02 AM EST