
XP Pro SP3 Machine with Curious Boot Issues
29 replies to this topic

#1 VoleCubed (Members, 25 posts)

Posted 05 September 2010 - 08:35 PM

Hello.

I have been dealing with "m0le" over at the anti-malware forum at the following url:

http://www.bleepingcomputer.com/forums/topic342369.html


We came to an impasse and m0le instructed me to post here, writing: "Please post in Bleeping Computer's XP forum for help. Link to this forum and explain that the boot sequence seems to be causing the problem."

Background:

My PC is infected with two strains of TDSS (TDL3-Alureon Variant Rootkit), one of which has overwritten the MBR.

m0le instructed me to burn a Windows XP Recovery Console Bootable ISO CD and then to use the Windows Recovery Console in order to execute the "fixmbr" command and try to undo the damage caused by the rootkit.

I had, on my initial post to the malware forum, disclosed the following information about my PC (which I will reproduce here):

"I should also mention that I am somewhat hamstrung on this PC because there is a separate error: The PC hangs when trying to boot in safe mode. This has been going on for some time. It used to hang at some file (I forget now which one) which I, through research, determined to be non-critical and so deleted. Now the PC hangs on safe mode boot at the file MUP.SYS. Apparently, the fix is to repair the XP OS. But, the Dell that I have had a defective CD-ROM drive. I recently (say 3 weeks ago) replaced the drive with a DVD-ROM, but I can't put my finger on my XP disks."

As I suspected, the underlying issue just mentioned became a problem in dealing with the malware issue.

Here, reproduced from the aforementioned thread in the malware forum, is my statement regarding the difficulties that I had booting the PC with the Recovery Console Bootable disk, the XP Pro disk (which I located subsequent to my initial post), and my inability to use the Recovery Console.

"Firstly, I did download the XP Recovery Console Bootable Disk ISO on a clean PC. I double clicked the ISO file and my burner program, Nero (apparently the program defaulted to open ISO files), seemed to make it easy to burn it to a CD - which I did.

"Secondly, I attempted - after verifying in the BIOS that my IDE-DVD-ROM drive was prior to the hard drive in the boot sequence - to use the CD to boot the PC. And, after listening to the brief 3.5" floppy test, the DVD-ROM could be heard spinning; however, the boot sequence seemed to bypass the CD altogether, proceeding quickly to Windows XP normal load. (It seemed that an option for Recovery Console appeared practically for a mere INSTANT, and then vanished.)

"Thirdly, I put in additional effort to locate my actual full version copy of Windows XP Pro, which I was finally able to track down. And I then attempted to boot the PC from the XP Pro full version. The PC could again be heard trying the floppy drive, then the DVD-ROM drive, at which point the PC hung on a black screen. I left the PC sit for over an hour with no discernible change in this black-screen-hang until, able to bear it no longer, I availed myself of the power button. (I take it, however, that this episode demonstrates that the DVD-ROM drive was indeed prior to the hard drive in the boot sequence. I confess, though, that I cannot be SURE that my XP Pro disk is a bootable disk - but it seems that I have used it that way on an earlier occasion.)

"Fourthly, I allowed Windows to begin to boot normally - with nothing in the DVD-ROM drive - and, since I have a Dell PC, pressed F12 for "Boot Sequence" options. This function key provided various choices. One option was labeled "Utility Boot" (or something close to that). But, after selecting that option, the PC hung again. Another choice said (something like): "Boot from IDE device", but gave an error that repeated every time I pressed F2 to "retry device". (Bear in mind that the DVD-ROM drive functions in normal Windows mode usage.)

"Fifth, since ComboFix had previously installed the Recovery Console, I simply pressed "R" when the - very BRIEF (see above) - option for Recovery Console was displayed. This actually worked to get me to a screen that said (at the bottom): "Starting Windows Recovery Console" (or something close to that). And there was a process bar that progressed beautifully from left to right and then... promptly stopped. The PC hung up on the "Starting Windows Recovery Console" screen. And an hour of time again was insufficient to perceive any relevant change."

Summary:

So...the point is that the PC that I have will boot into normal mode, but will not boot into safe mode, nor will it boot from the Recovery Console Bootable disk, nor will it boot from my copy of Windows XP Pro (which, if memory serves me, IS a full version, bootable disk).

Any help would be appreciated. Thank you for your time.

Sincerely,

Matt

Sorry - the model would have been good information to provide.

I have a Dell Dimension 4500S.

Edited by hamluis, 19 September 2010 - 06:09 AM.
Removed malware log, not germane here ~ Hamluis.


#2 DaChew (Visiting Alien; Members, 10,317 posts; Location: millenium falcon and rockytop)

Posted 12 September 2010 - 07:34 AM

Can you give me a little history on that machine, it's getting pretty old and it would be helpful to know a little more about it.

C: is FIXED (NTFS) - 37 GiB total, 1.123 GiB free.


That's 3%
Chewy

No. Try not. Do... or do not. There is no try.

#3 DaChew (Visiting Alien; Members, 10,317 posts; Location: millenium falcon and rockytop)

Posted 13 September 2010 - 01:32 PM

Drive C: | 37.24 Gb Total Space | 1.17 Gb Free Space | 3.15% Space Free | Partition Type: NTFS
Unable to calculate disk information.


Can you access bios to set the boot order to cdrom always first?
Chewy

No. Try not. Do... or do not. There is no try.

#4 VoleCubed (Topic Starter; Members, 25 posts)

Posted 13 September 2010 - 08:15 PM

Hello,

Yes, I am able to access the BIOS. At first, I simply left the boot sequence at: 1. 3.5", 2. CD-ROM, 3. Hard Drive. But, then I did switch the sequence to: 1. CD-ROM, 2. 3.5", 3. HD.

As to your earlier question, could you be more specific about the sort of information that you have in mind? I am by now used to requests for specific log files. I confess I am not really sure how to answer your general question. Are you looking for information concerning the circumstances under which I acquired the machine? (If so, I obtained it from my wife's employer - it had been her workstation PC and, when the Dell lease expired, she got first choice to purchase the thing - which we did. I can confer with her about what date this occurred if that detail would be helpful to you. I don't recall the date myself. I believe that I FDisked, formatted, and re-installed XP Pro from the software that was provided by her employer. But, honestly, we had bought several machines from her employer in this way and each was somewhat different in terms of the specific steps that we took to set it up at our house.)

Sincerely,

Matt

Edited by VoleCubed, 13 September 2010 - 08:20 PM.


#5 DaChew (Visiting Alien; Members, 10,317 posts; Location: millenium falcon and rockytop)

Posted 14 September 2010 - 02:14 AM

Well the inability to boot to the xp cd has me puzzled, we need to boot to the pro disk to do a system repair after we free up enough hard drive space.

Anything below 15% free is too small for windows to defrag, I saw a reference to an install date of 2005 in one of your logs, that was quite some time ago. At this point I would suggest a flatten and rebuild as the optimum choice.
Chewy

No. Try not. Do... or do not. There is no try.

#6 VoleCubed (Topic Starter; Members, 25 posts)

Posted 15 September 2010 - 10:10 PM

Hello, DaChew.

Let me ask a question, just so that I am clear. By the phrase "a flatten and rebuild" scheme, do you mean to recommend:
  • A course of action whereby I implement a full format and "restore" (reloading of XP Pro from scratch)? Or...
  • A course of action whereby I regain (roughly) 12%+ of hard drive space (in order to go from 3% free to 15% free so that I can run Defrag optimally) by using, say, the Windows Add/Remove program utility to free up space?
If you mean 1, how am I to be confident that my machine will accept a reload of Windows XP after a format (or Fdisk-format pair), if my machine will not now even boot from my XP disk? If you mean 2, it occurs to me that the most obvious place to begin would be with iTunes, and my music collection, since that takes up quite a bit of space. Please advise.

Thank you, in advance, for your clarification, and for your assistance in general!

Sincerely,

Matt

#7 ezli09 (Members, 5 posts; Location: Tennessee Lowlands)

Posted 15 September 2010 - 11:01 PM

Hi VoleCubed. This is my first post here at bleeping! Take the HDD out of the Dell, slave it to a WinXPPro PC test rig (i.e., a PC that can be infected with a virus and then re-imaged if necessary), scan it for a virus, copy your data to the slave rig or an external HDD, insert a copy of KillDisk in the test rig, CAREFULLY point KillDisk at your slaved HDD, and wipe it. Re-format the HDD with NTFS while still attached to the test rig, and while you are at it, re-scan the slave rig or external HDD a second time with a different AV program if possible. A real root-kit can never truly be guaranteed to be eradicated; I agree with Chewy's flatten and rebuild option. Re-insert the HDD into the Dell, run the Dell HDD diagnostics to make sure there are no physical problems with the HDD, and re-install Windows. Hope this helps and any/all feedback is appreciated.

#8 hamluis (Moderator, 56,381 posts; Location: Killeen, TX)

Posted 16 September 2010 - 05:45 AM

<<A real root-kit can never truly be guaranteed to be eradicated,...>>

Although I might personally be inclined to agree in part...with such a statement because I am not educated in malware-removal...I don't believe such a blanket statement ought to be made in the XP forum in a situation where a member is being helped by a BC Staff person in the Malware Removal Logs forum.

The OP was instructed to post here...based on the premise that there are issues with the system that may be able to be solved within the XP forum. DaChew has elaborated on those possible issues.

If your generalized statement were true...it seems to me that the MRT members would not have the approach and success rate they do have...with members having a rootkit or other malware problems.

Louis

#9 DaChew (Visiting Alien; Members, 10,317 posts; Location: millenium falcon and rockytop)

Posted 16 September 2010 - 11:08 AM

Thanks Louis

@VoleCubed

We have a few issues that need to be addressed individually

The Xp pro disk needs to be checked for bootability in another computer with a different optical drive?

If we can get a bootable disk then we might proceed with running windows as a repair disk, but we will need more free space on the hard drive.

There are several approaches to freeing up hard drive space

First I would transfer any data I needed to save to another drive (USB etc.)

Many guides address disk cleanup, but we might need to wipe some restore points also.

Sometimes even repair disk won't fix issues and then you need to do a clean install.
Chewy

No. Try not. Do... or do not. There is no try.

#10 cryptodan (Bleepin Madman; Members, 21,868 posts; Location: Catonsville, Md)

Posted 16 September 2010 - 10:20 PM

DaChew here is my two cents.

Lets download and burn a LiveCD of Ubuntu and see if that boots. If the CD Boots then the issue is with the XP CD.

http://www.ubuntu.com/desktop/get-ubuntu/download

#11 VoleCubed (Topic Starter; Members, 25 posts)

Posted 19 September 2010 - 02:22 AM

Dear DaChew,

I have been busying myself off-loading my data from the PC in question and freeing up hard drive space.

So far I have brought the free space up to 16.0 GB, which is - I believe - now 43% free.

A couple of questions:
  • Should I run Defrag?
  • Should I run CheckDisk?
  • Should I continue freeing up space? If so, what is my target free percentage?
  • Are you preparing me to reformat the drive...wipe it completely clean? Or, are you preparing me to try to restore the XP system without having to do a full format?
Also: I will shortly test the XP disk in another machine - to see if I can boot from it on a different setup.

One last question: Am I supposed to be heeding the advice of others who post on this thread, or just you? Should I download "Ubuntu" and/or "KillDisk", etc.?

To all who do post: I appreciate the effort and the thought. But, I know that it must be difficult for my main adviser to help me if I'm following other instructions alongside his own. So, I thought I would ask explicitly about who I am supposed to be minding. :thumbsup:

Thank you for your attention!

Sincerely,

Matt

p.s. Regarding the question of rootkit eradicability: I emailed Bill Blunden (author of "The Rootkit Arsenal") and asked him to comment on the statement that: "A real root-kit can never truly be guaranteed to be eradicated...". An apparent associate of his responded as follows:

"Met ..., ... Bill, ... the other night and passed on your query.

"He asserted that it's not that you can't ever get rid of a rootkit. Ridding yourself of a rootkit on a compromised is actually pretty simple: just adopt a scorched earth policy.

"1) Turn off your machine
"2) Re-flash the firmware on your motherboard's BIOS/Video Card/Peripheral devices
"3) Re-build the OS (or re-image) from a trusted media
"4) Do the patch and update mambo (assuming that your *network* can be trusted)

"Most of the real debate is over removing a rootkit without having to resort to the above 'flatten your machine' approach.

"In this case, it's a matter of not knowing whether you've actually removed the rootkit or not. Regardless of how careful you are, if you don't re-build from scratch, then you're assuming a certain degree of risk that you actually didn't get it all and that there are vestiges left from the intrusion that can be used to set up an outpost again. ...

"-Rick James
"Below Gotham Labs, Associate" (Email, "Can You Ever Get Rid of a Rootkit", Saturday, September 18, 2010, 1:45 PM, Emphasis added)

#12 DaChew (Visiting Alien; Members, 10,317 posts; Location: millenium falcon and rockytop)

Posted 19 September 2010 - 03:26 AM

VoleCubed,


40% free hard drive (system) space seems to be the magic number with XP defrag; running XP as a repair disk is often just a last resort before biting the bullet and reloading windows. So getting your data backed up on another drive or media is a good idea.

Yes, please heed any other advice from fellow staff members here at BC; complex issues like this one are best attacked from many angles, "two heads are better than one".
Chewy

No. Try not. Do... or do not. There is no try.

#13 VoleCubed (Topic Starter; Members, 25 posts)

Posted 19 September 2010 - 05:14 AM

First: Thank you, DaChew, for your prompt and continued attention!

Second, seeing as I am now slightly above the Xp defrag "magic number" of 40% free space, I will try to run defrag and let you know what the result is.

Third, you wrote that I should "heed any other advice from fellow staff members here at BC". Now, it appears that the phrase "fellow staff members" plays an important role in your statement. How, then, can I distinguish a "staff member" from a "regular, non-staff member user"? In other words, how will I know if the poster has the status of a staff member?

Fourth, I forgot to comment, in conjunction with hamluis' post, that there is an analogy to human health that may be relevant. It may not be necessary for the malware team to "eradicate" a rootkit, in order to restore PC functionality. For example, in human health, once infected with a variant of the herpes virus (to take one example), there is no treatment (http://www.cdc.gov/std/herpes/stdfact-herpes.htm#treatment), that is, the virus cannot be eradicated. The herpes virus, perhaps like a rootkit, remains in the body after initial infection: "After initial infection, the viruses move to sensory nerves, where they become latent and reside life-long" (http://en.wikipedia.org/wiki/Herpes_simplex). But, doctors are still able to treat the virus in the sense of controlling - to some extent - the frequency of outbreaks. In other words, one might argue that, even if a rootkit cannot be eradicated, still, the rootkit may be controlled - in a way analogous to the way doctors control herpes outbreaks. Or...so one might think.

~ Matt

#14 cryptodan (Bleepin Madman; Members, 21,868 posts; Location: Catonsville, Md)

Posted 19 September 2010 - 05:23 AM

Third, you wrote that I should "heed any other advice from fellow staff members here at BC". Now, it appears that the phrase "fellow staff members" plays an important role in your statement. How, then, can I distinguish a "staff member" from a "regular, non-staff member user"? In other words, how will I know if the poster has the status of a staff member?

Staff Members have certain colored titles to the left and below our names/avatars. BC Advisors are Green; you can find out more on the index of this forum.


Also have you downloaded a Linux LiveCD and tested it out to see if your computer does in fact boot via CD-ROM?

#15 VoleCubed (Topic Starter; Members, 25 posts)

Posted 21 September 2010 - 09:25 AM

Here is the latest installment of my sordid computer saga.

First, thank you cryptodan, I see the titles now!

Second, I downloaded the Ubuntu .iso and burned it. The pc DID boot from the Ubuntu disk. It pulled up some sort of run-from-disk emulation or simulation or something. I didn't do anything with the Ubuntu stuff though, I simply verified that the pc would boot from the CD - which it did.

Third, I tried to boot a second pc from my copy of Windows XP Pro, and was seemingly unsuccessful. I say "seemingly" because I should here log a caveat.
  • The second pc has the following setup (just to sketch a few components in rough terms): The original hard drive is master on the primary IDE controller, with the original CD drive as slave on the primary. I had installed a second hard drive, which is master on the secondary IDE controller, along with a DVD drive which is slaved to the second HD (on IDE1). I should state explicitly that the second hard drive and the DVD drive have functioned with no problems since I installed them (roughly two years ago, as I recall). Now, as it turns out, the original CD drive does not function, and has not functioned for some time. It seems to be a mechanical failure of some sort - sometimes it opens, sometimes it doesn't; sometimes it would read, and sometimes it wouldn't...until it just seemed to quit altogether.
  • Okay...so, I checked the boot sequence in the BIOS and moved the CD drive into second place after the 3.5" floppy and before the HD. And with the XP disk in the DVD drive, the computer simply booted normally...went right into my normal Windows XP load up. But, I noticed that the PC never tried to boot from the DVD - the pc tried the floppy disk and the original CD drive, however.
  • Just as a pro forma trial, I next put the XP disk into the original CD drive and rebooted. The pc again went directly into the normal XP load up. This was not surprising to me because, as I mentioned, I suspect that the drive is bad - and I never use it any more because I always use the DVD burner that I installed.
  • So I went back into the BIOS and I noticed that both entries on the secondary IDE controller were set to "OFF". So, I switched them to "AUTO" and rebooted. Going back into the BIOS, I could now see both the second hard drive and the DVD (which shows up, I think, as a "CD Device", or some equivalent expression). With the BIOS seemingly recognizing the DVD drive, I rebooted another time - after placing the XP disk back into the DVD drive. But, again, the pc loaded XP normally. (I stress that, although the BIOS had the secondary IDE controller setting switched 'off', this was news to me, since the drives have never had any difficulties.)
  • Finally, I rebooted and went into the recovery console (RC). After loading the RC and selecting the operating system, I navigated to my DVD drive directly. I could read the XP disk and the DIR command worked to display the disk contents. But, I could not run the "setup.exe" file from within the RC. When I tried, the pc displayed an "invalid command" error (or some such similarly worded error message).
  • So...I say that the disk "seemed" not to work because:
  • although I could not get the second pc to boot from the disk either, it could POSSIBLY be because of the way my drives are set up (I could just remove the CD drive and slave the DVD to the primary master (on IDE0)...but, this will take me a few days because my wife uses the pc heavily and it is not conveniently located); and
  • I'm not sure if Microsoft made XP disks that were not bootable (...did they?). But, if the disk is 'bad', why can I still read its contents? It has no visible scratches. What would make a readable XP disk unable to serve as a bootable disk?
So...the pc with the "curious boot issues" does not SEEM to be unique in being unable to boot from my copy of XP Pro. I guess there is something wrong with my copy. :thumbsup: BUT...the "curious boot issue" pc IS unique in that I still cannot get it into safe mode - I verified that it still hangs on MUP.SYS.

Also, fourth, I did run DEFRAG...and CHKDSK on startup after having selected the "check disk for errors" option under "tools" in the properties for my C: drive. I had checked the two radio buttons for auto-fixing errors and the other thing (I forget what the second button's option was). But, even after running these two utilities, I still could not get into safe mode.

What say you guys to all of this?

Sincerely,

Matt

Edited by VoleCubed, 21 September 2010 - 09:29 AM.
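The question raised in this post (and in the first one) of how a disc can be readable yet not bootable comes down to whether the image carries an El Torito boot record; the following added example, not from this thread or from any poster, parses a constructed ISO 9660 image for that record and its boot catalog. The images it builds are synthetic, not real Windows media.

```python
"""Check whether an ISO 9660 image carries an El Torito boot record.
Constructed example: a disc whose files list fine is still not bootable
unless a boot record points at a valid boot catalog; this checks that."""
import struct

SECTOR = 2048                  # ISO 9660 logical sector size
VD_START = 16                  # volume descriptors begin at sector 16
EL_TORITO_ID = b"EL TORITO SPECIFICATION"

def _descriptors(image):
    """Yield (type, descriptor) from sector 16 to the set terminator."""
    sector = VD_START
    while (sector + 1) * SECTOR <= len(image):
        vd = image[sector * SECTOR:(sector + 1) * SECTOR]
        if vd[1:6] != b"CD001":          # not an ISO 9660 descriptor: stop
            return
        yield vd[0], vd
        if vd[0] == 255:                 # volume descriptor set terminator
            return
        sector += 1

def _catalog_valid(cat):
    """Validation entry: 0x01 header, 0x55AA trailer, 16-bit words sum 0."""
    if len(cat) < 64 or cat[0] != 0x01 or cat[30:32] != b"\x55\xAA":
        return False
    return sum(struct.unpack("<16H", cat[:32])) % 0x10000 == 0

def inspect_iso(image):
    """Report whether the image is ISO 9660 and whether it is El Torito bootable."""
    out = {"iso9660": False, "boot_record": False, "bootable": False, "media": None}
    for vtype, vd in _descriptors(image):
        if vtype == 1:                   # primary volume descriptor
            out["iso9660"] = True
        elif vtype == 0 and vd[7:7 + len(EL_TORITO_ID)] == EL_TORITO_ID:
            out["boot_record"] = True
            cat_lba, = struct.unpack_from("<I", vd, 71)   # boot catalog LBA
            cat = image[cat_lba * SECTOR:cat_lba * SECTOR + 64]
            if _catalog_valid(cat):
                entry = cat[32:64]       # initial/default entry
                out["bootable"] = entry[0] == 0x88
                out["media"] = entry[1]  # 0 = no emulation, 4 = hard disk
    return out

# ---- constructed images for demonstration (not real Windows media) ----
def _vd(vtype, body=b""):
    vd = bytearray(SECTOR)
    vd[0], vd[1:6], vd[6] = vtype, b"CD001", 1
    vd[7:7 + len(body)] = body
    return bytes(vd)

def _catalog(bootable):
    val = bytearray(32)
    val[0], val[30:32] = 0x01, b"\x55\xAA"         # 80x86 platform, trailer
    total = sum(struct.unpack("<16H", bytes(val)))
    struct.pack_into("<H", val, 28, (-total) % 0x10000)   # set checksum
    entry = bytearray(32)
    entry[0] = 0x88 if bootable else 0x00          # 0x88 = bootable
    struct.pack_into("<HI", entry, 6, 4, 20)       # 4 sectors at LBA 20
    return bytes(val + entry)

def make_image(kind):
    """'bootable', 'flagged_off' (catalog says not bootable) or 'data_only'."""
    sectors = [bytes(SECTOR)] * 16 + [_vd(1)]      # system area + PVD
    if kind != "data_only":
        body = EL_TORITO_ID.ljust(32, b"\0") + bytes(32) + struct.pack("<I", 19)
        sectors.append(_vd(0, body))               # boot record -> LBA 19
    sectors.append(_vd(255))                       # set terminator
    sectors += [bytes(SECTOR)] * (19 - len(sectors))
    sectors.append(_catalog(kind == "bootable").ljust(SECTOR, b"\0"))
    return b"".join(sectors)

if __name__ == "__main__":
    for kind in ("bootable", "flagged_off", "data_only"):
        print(kind, inspect_iso(make_image(kind)))
```

A disc made by copying the setup files onto a data CD instead of burning the image gives exactly the data_only case: every file is readable, but the firmware finds no boot record and falls through to the hard drive.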
