
Dell Inspiron E1505 will not boot - possible malware cause?


  • This topic is locked
32 replies to this topic

#1 rsquared11

rsquared11

  • Members
  • 17 posts
  • OFFLINE
  •  
  • Local time:10:18 AM

Posted 02 February 2011 - 06:51 PM

Hey guys,

Hope somebody can help me out with this. I have had malware/spyware problems before and been able to treat them. Today, I had the traditional "your system is infected" popups, attempting to get me to click thru and buy something, even with AVG and Ad-Aware running in the background, but that's another gripe for another day.

Anyway, I shut down to reboot in safe mode to attempt to fix - and now I cannot reboot. The "DELL" screen comes up, and then the screen goes black. It's getting power, the hard drive is spinning, but it will not boot - in regular mode or safe mode.

I've read some things about flashing LED codes online, but LEDs aren't flashing - only the power light and number lock light are lit. It doesn't try to boot and then shut down, it stops booting and stays on. I have reseated the memory, tried to boot with just the power cord in with no battery and I have nothing else plugged in.


I know it's old (had it since 2006) and part of me thinks it may just be its time, but I also don't want to assume that since there was the virus popup right beforehand. Would love to try to squeeze another year or so out of it!

Thanks in advance!



#2 dc3

dc3

    Bleeping Treehugger


  • Members
  • 30,266 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Sierra Foothills of Northern Ca.
  • Local time:08:18 AM

Posted 02 February 2011 - 11:27 PM

Do you have, or have access to, a retail copy of an XP installation CD? This will need to be the same version as the one installed on your computer.

If not, try the following.

Download NTBR_CD.exe and create a bootable CD.

* Save the file to your Desktop and double-click it. This will create a folder named NTBR_CD.
* Open the folder and locate BurnItCD. Launch it by double-clicking it.
* When BurnCDCC opens, click Start - the CD tray will open.
* Insert blank CD and click OK.
* The tray will close, burn the image then eject the disk.


Run chkdsk.

* Boot the affected computer with the new CD.
(You may need to change the boot order in the BIOS so that the CD-ROM is the first device in the boot order.)
* Once presented with the boot screen please hit <ENTER> to boot from CD.
* After a warning screen there is a keyboard language options screen - press <ENTER> to leave it at EN-US.
You should now be at the Tool options screen.
* Type 5 and press <ENTER> to go to a command prompt.
At the command prompt type the following bolded command then press <ENTER>

tools\ntfs4dos\chkdsk

You will be prompted (in German) to press Enter.
* Press <ENTER> to start the check disk utility.
Check Disk will check all attached drives and attempt to correct any errors.
Please make a note of any errors found or corrections made.
* When it completes type "menu" and press <ENTER> to return to the tools menu.
* Type 6 and press <ENTER> to quit, then Ctrl+Alt+Del to restart.


Allow the computer to attempt booting normally and let me know the outcome.

Family and loved ones will always be a priority in my daily life.  You never know when one will leave you.

 

 

 

 


#3 rsquared11


Posted 03 February 2011 - 11:57 AM

Ran everything but did not get a successful boot. The only errors it found during the scan were:


CHKDSK is verifying indexes (stage 2 of 3)
Deleting index entry backup.dat in index $I30 of file 35534
Deleting index entry nodes.dat in index $I30 of file 35534
Index verification completed
CHKDSK is recovering lost files
Recovering orphaned file nodes.dat (89379) into directory file 35534
Recovering orphaned file backup.dat (90128) into directory file 35534
CHKDSK is verifying security descriptors (stage 3 of 3)

Everything else ran as expected.

#4 dc3


Posted 03 February 2011 - 01:13 PM

Can you now boot into Windows?



#5 rsquared11


Posted 03 February 2011 - 02:13 PM

No, it stops at the same point in the boot, just after the dell screen.

#6 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,821 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:06:18 PM

Posted 03 February 2011 - 02:43 PM

Hello rsquared11,

Try this please. You will need a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#7 rsquared11


Posted 03 February 2011 - 05:35 PM

My work laptop (which I'm working on now) will not burn CDs, so I'll have to try that tomorrow when I get to the office. I can't win!

#8 Elise


Posted 04 February 2011 - 02:53 AM

The following works for USB. :)

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
From here you can follow the instructions from my last post.

regards, Elise




#9 rsquared11


Posted 04 February 2011 - 10:23 AM

MBR file is attached.

Thanks!

Attached File: mbr.zip (625 bytes, 5 downloads)

#10 Elise


Posted 04 February 2011 - 10:44 AM

That's indeed malware. The MBR of the drive is infected with the TDL4 rootkit.

  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your (xPUD) USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Select [Intel] partition and press Enter to continue.

Select [MBR Code] and press Enter to continue.

Type Y when prompted to write a new MBR code to the first sector, then confirm at the next screen by typing Y again.

Press Q repeatedly until TestDisk exits then reboot.

regards, Elise


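A sketch of the checks that can be run on the 512-byte mbr.bin dump from post #6, and again on a second dump taken after the TestDisk [MBR Code] rewrite in post #10 (added example, not code from the thread or from TestDisk; the sample sectors and all function names are constructed for illustration). It parses the partition table, hashes the 440-byte boot code area, and reports which regions of sector 0 differ between two dumps; after a boot-code rewrite the partition table and the 55 AA signature should be unchanged.

```python
import hashlib
import struct

SECTOR = 512
# Classic MBR layout: region name -> (start, end) byte offsets in sector 0
REGIONS = {
    "boot_code": (0, 440),
    "disk_signature": (440, 446),
    "partition_table": (446, 510),
    "boot_signature": (510, 512),
}

def parse_mbr(data: bytes) -> dict:
    """Parse a 512-byte dump such as the mbr.bin produced by dd."""
    if len(data) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        entry = data[446 + 16 * i: 462 + 16 * i]
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0x00 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "signature_ok": data[510:512] == b"\x55\xaa",
        # Hash only the code area so it can be compared with a known-good loader
        "boot_code_sha256": hashlib.sha256(data[:440]).hexdigest(),
        "partitions": partitions,
    }

def changed_regions(before: bytes, after: bytes) -> list:
    """Name the MBR regions that differ between two dumps of the same disk."""
    parse_mbr(before)  # validates length
    parse_mbr(after)
    return [name for name, (s, e) in REGIONS.items() if before[s:e] != after[s:e]]

def make_sample(fill: int) -> bytes:
    """Constructed sector: one active NTFS (0x07) partition starting at LBA 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 156296322)
    return (bytes([fill]) * 440 + b"\x11\x22\x33\x44\x00\x00"
            + entry + bytes(48) + b"\x55\xaa")

if __name__ == "__main__":
    before, after = make_sample(0xAA), make_sample(0x33)  # constructed dumps
    print(parse_mbr(before))
    print("changed regions:", changed_regions(before, after))
```
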


#11 rsquared11


Posted 04 February 2011 - 11:49 AM

I am up and running! Now, my assumption is I should reboot in safe mode and run Malwarebytes, etc.?

#12 Elise


Posted 04 February 2011 - 11:50 AM

Yes, that would be a good start. Please let me know if you need any help making sure everything is clean.

regards, Elise




#13 rsquared11


Posted 04 February 2011 - 02:27 PM

Malwarebytes says it found nothing. Not buying that! I'm running Ad-Aware and AVG now, are there better Malware programs out there?

#14 Elise


Posted 04 February 2011 - 02:36 PM

No antimalware program is perfect. MBAM is pretty good, in my opinion better than AdAware (both are antispyware scanners).

AVG is an antivirus scanner, so it's good to scan with that too. Let me know if it finds anything. How are things running?

regards, Elise




#15 rsquared11


Posted 04 February 2011 - 03:04 PM

Everything looked normal on the first normal boot but the popups were still there (click here to get virus protection, etc.), so the malware is still there. Thus far, MBAM and AVG have come up empty.



