BleepingComputer.com: Possibly self-inflicted boot problem

First, I dual-boot into Windows XP and Ubuntu 9.04. Ubuntu was installed via the Windows installer for Ubuntu.

AVG Free (forgot which version offhand) told me that there was some infection (forgot which, if AVG stores logs in text format, please tell me where). Shortly after, TeaTimer comes up and asks whether to allow or deny a change. I click Deny. The malware pops up a message, forgot what the exact message was. The wallpaper changed. I get fed up and force the computer off for the night. The next day, I booted into Linux. I figured that TeaTimer should prevent the infection from starting again (it shouldn't have been able to get itself into the startup stuff), but want to remove the malicious files anyway. I go to C:\Windows\System32 (/host/WINDOWS/system32), and google the names of the most recently modified files. They all seem to be malware. The names are: 41.exe, avr10.exe, critical_warning.html (the wallpaper, apparently), logon.exe, winhelper86.dll, winlogon86.exe, and winupdate86.exe. I put them into an encrypted .zip file, in /host/WINDOWS/system32. When I go to boot into Windows, I get a STOP error and then the computer restarts. Eventually finding the "Disable Restart on System Error" option, I see that it's a STOP, 0x24. Doing a bit of research, I find that it's an NTFS error. I eventually stumble upon ntfsfix, and, not realizing that it's only for emergencies, I run it from an Ubuntu 9.10 LiveCD (running it from the wubi-installed Ubuntu made no sense (I did attempt it though), since that was effectively running off files on the NTFS partition, iiuc). The problem persists. I can still access the NTFS files from Ubuntu.

www.aumha.org is what I consider the site for obtaining essential info about any given STOP error.

0x00000024: NTFS_FILE_SYSTEM
A problem occurred within NTFS.SYS, the driver file that allows the system to read and write to NTFS file system drives. There may be a physical problem with the disk, or an Interrupt Request Packet (IRP) may be corrupted. Other common causes include heavy hard drive fragmentation, heavy file I/O, problems with some types of drive-mirroring software, or some antivirus software. I suggest running ChkDsk or ScanDisk as a first step; then disable all file system filters such as virus scanners, firewall software, or backup utilities. Check the file properties of NTFS.SYS to ensure it matches the current OS or SP version. Update all disk, tape backup, CD-ROM, or removable device drivers to the most current versions.

Soooo...you essentially did what is detailed at http://www.ehow.com/how_4690469_ntfssys-er...nux-livecd.html.

FWIW: I generally surrender easily when I see errors re the file system, I just do a clean install since the file system may not seem capable of being repaired.

FWIW: NTFS errors may also stop chkdsk /r from completing its assigned tasks, halting efforts to overcome the error within XP's Recovery Console.

Louis

The thing I don't understand is, if it's that severe, why am I still able to access my files from Linux?

I don't know anything about linux...but as for accessing your files...can you move them? Or can you just see that they are on that partition, in a given directory?

Linux O/Ses can see Windows O/Ses...just as XP can see Windows 9x, but Windows 9x cannot see XP or any other O/S on NTFS. That's no mystery.

The error message says that ntfs.sys (which is a file) is the show stopper. I and the written words on this error...indicated that it can be more than just that one file that has gone wrong, it can be something that renders the NTFS file system nonbootable/unuseable to Windows.

It doesn't necessarily affect someone standing in a window (no pun intended) and just looking in.

Louis

I was able to make and delete files before the ntfsfix, and have been able to make a file after.

EDIT: Forgot to mention, after the ntfsfix, Windows did run chkdisk then restarted.

This post has been edited by Sgeo: 04 December 2009 - 07:20 PM

Might a chkdisk from Recovery Console help? I'm planning on trying it soon..

If it is a severe NTFS problem, chkdsk /r won't be able to complete and will probably give an error message stating such and why.

If it's a hard drive problem, ditto, with the exception that I consider running the hard drive manufacturer's diagnostic a last step in checking out possible hard drive problems. Long test, if long and short are offered.

If it's an XP problem...then those two checks should proceed smoothly...and I would possibly try to replace the indicated file via the Recovery Console.

Louis

Might it work even though the ntfsfix-initiated chkdisk didn't?

Huh...I am intrigued to know why the ntfs-3g driver still can read the drive without you force mounting it (Unless you force mounted the drive).

I suggest first running a backup that way all the files are saved.

Next, using either the live cd or the existing Ubuntu installation install GParted.
Then start GParted (System > Administration > Gparted )
In that screen you should be able to see the Windows Partition.
Right-Click on the partition, and select the Option "Check"
Make sure at the bottom the only operation is "check and repair file system"
Make sure you do that, because otherwise you could lose data.
LOSE DATA!!
After making sure that there is just the one operation pending, hit Apply or the check mark.
Let that run, see if that helps your problem.

~powerjuce

powerjuice: Didn't help, but didn't cause problems as far as I can tell.

I tried booting the WinXP disc, but got a 0x7E error, and it mentioned pci.sys.

EDIT: The WinXP disc might be a different one from what came with the laptop (which apparently is just an image of what was on the laptop initially).

This post has been edited by Sgeo: 09 December 2009 - 08:36 PM

If you have all your data backed up I suggest u do a nuke and then re-install, you file system has been really screwed up.

~powerjuce

I fixed it! I had a Windows XP Pro disc (even though the XP on the computer was Media Center). I slipstreamed SP3 with the help of http://jeremy.visser.name/2008/07/12/slips...ack-3-in-linux/ , which fixed the problem with running the installation disc. I tried chkdsk -r, but that didn't help. I did a repair install. It said something about inserting Disc 2, but I just clicked cancel. After that, no more STOP error when running in normal mode, although I couldn't get Safe Mode to work. It triggered the Activation stuff, however. When I tried to log on, it wanted to start the Activation Wizard, but the Wizard never came up. I tried following the instructions in http://social.technet.microsoft.com/Forums...9b-f8d4aa14a35a , but even Safe Mode with Command Line didn't work. I tried replacing the Activation Wizard with explorer.exe, so I might be able to install IE8, but it complained about some quota issue when I tried to run anything (except I could open pictures, but not text files, hmm..). I eventually remembered http://support.microsoft.com/kb/917964 , and following the instructions for uninstalling IE8 from the Recovery Console. After that, the Activation Wizard worked without a hitch.