
Automatic "driver updates" cause lost partitions/unbootable system on the 15th


This topic is locked
5 replies to this topic

#1 Nyctalus

Posted 17 February 2013 - 07:39 PM

During the last few weeks I have experienced 2 sudden incidents that have made my system unbootable and wiped the partitions on both my disks (total data loss). This was initiated by apparent driver downloads/updates that started automatically "out of the blue". Both happened on the evening of the 15th (January and February).

 

SYMPTOMS: There have been three incidents. The last two I'm sure are related, but the first one may have a "normal" explanation and may well not be related to the other two:

 

#1. In the DELL BIOS I turned NVIDIA Optimus technology from OFF to ON. When exiting the BIOS and starting Windows, new display drivers were downloaded and installed automatically (no questions asked). After a required reboot a number of system files were missing, error messages started to appear, and one of the security options in Windows 7 was disabled and couldn't be enabled (I am on an XP system now and don't remember the name). Norton IS, Spybot S&D and Windows Defender did not find anything. I finally recovered the system from a Norton Ghost image from a few days prior to the BIOS change.

 

#2. An update window suddenly appeared on the screen (not initiated by me). The title bar said something about updates of Intel drivers (the wireless driver was one of them). It developed into a black screen with a progress bar and red letters across it ("do not turn your computer off" or something like that). I think it also had a Windows logo like during the startup process. According to the messages about three different updates were performed, all BIOS related. One of them was EC BIOS. I have had DELL computers for some years, but never experienced automatic BIOS updates like this, and I'm quite sure there was no question about whether I wanted to do the update or not (or later). After the "updates" had finished, the computer restarted. Then a blue screen for a short while and an endless self-running loop of new startup attempts and the same blue screen reading, among other things:

 

"A problem has been detected and Windows has been shut down to prevent
damage to your computer…

*** STOP: 0x0000007E (…

dxgkrnl.sys…

Dumping physical memory to disk…"

 

Using an external USB enclosure I connected both disks (system SSD and data HDD) to another laptop (XP). No data was found (no partitions).

Again, I recovered the system disk from a Norton Ghost image (from a month back in time). A bit later the data disk in mysterious ways became readable again. I'm not sure what I did to cause that (maybe it happened independently of my efforts).

I suspected an infection and did repeated thorough scans with the programs mentioned below. Nothing found.

The DELL logo was no longer showing during the startup process, something I am quite sure it did before. I made repeated attempts to flash a BIOS update (from A07 to A09), but nothing happened (still A07). Even flashing from a USB stick during startup (with USB before HDD in the startup sequence) did not work. I ran the ePSA Pre-boot System Assessment: no problems found. This was during a very busy period, so I did not have time to take it any further.

 

#3. Quite similar to #2. This time it started with a completely empty DOS window (black) appearing on the screen. The title bar said something about installing. Shortly afterwards there was a small Windows message box also saying something about installing (network (?) drivers, I think). No questions asked. I quickly closed both windows, but about half a minute later the system shut down, restarted and went into the same blue screen/startup loop as in #2, although this time with a slightly different error message:

 

"A problem has been detected and Windows has been shut down to prevent damage to your computer.

SYSTEM_SERVICE_EXCEPTION

*** STOP: 0x0000003B (…

Dumping physical memory to disk…"


I have photos of several blue screens from both incident #2 and 3 (they are the same within but not between incidents).

All partitions were gone and both disks were again empty (external enclosure connected to another laptop). EaseUS Partition Master did not find any partitions (but the disks showed up OK). EaseUS Data Recovery Wizard (supposedly a powerful tool) gave no results during Partition Recovery. In the Complete Recovery it recognized the small (about 16 MB) "FAT16 (DELL)" partition on the system drive, but nothing else. I find this odd. In this last incident it was only about 1 minute from the time the installation message appeared to the system shutting down. Even on a speedy SSD that shouldn't be enough to wipe the whole disk that thoroughly clean.

 

Apart from the incidents above there have been no obvious signs of virus/malware infections (no popup windows, no redirected web pages, no unusual messages about virus scanning needed and no system crashes). This is where I stand now.

 

OCCURRENCE: Incident #1 was in November (not sure about date). Incidents #2 and #3 were on 15th January and 15th February, respectively. Both happened at about 9 PM (UTC+1). Very odd that it happened on the same date (15th) and time...! In both cases (#2 & 3) the download window(s) appeared out of the blue as I was passively watching web TV. There had not been any downloads, clicks on links or anything for an hour or more prior to this.

 

SOFTWARE: I have Norton Internet Security installed and active as my main protection (2012 version, updated to 2013 a couple of weeks ago). I run weekly full scans of my system with this program. I also do weekly full scans with Spybot - Search & Destroy, Windows Defender and Secunia PSI. After the incident a month ago I also installed Malwarebytes Anti-Malware and have run several full scans with it. Signatures have been manually updated prior to all scans with all programs (automatic updates are also active). None of these programs have ever found anything other than a couple of low-rated browser cookies. Windows Update is automatic. Java has been kept updated. I don't use Adobe Acrobat/Acrobat Reader. My main browser is Firefox (occasionally Chrome and IE). I am security conscious and don't open/preview links or attachments in suspicious e-mails. The same during browsing. I have installed some programs/utilities (no games) from sites I thought were secure (mostly download.com/CNET), but have always scanned the downloaded files with Norton IS and Spybot S&D before installation.

 

SYSTEM: DELL Latitude E6430 with Windows 7 64-bit. Samsung SSD as system disk, Seagate HDD as data disk in internal HDD caddy. Intel i7-3720QM and NVIDIA NVS 5200M. The laptop was new in October.

 

It seems a bit strange that a virus or malware is this "lethal", but still I cannot see any other likely explanation. I haven't done a clean install yet. I know that some bugs may be difficult to find, but I am still puzzled by the fact that none of the anti-virus/anti-malware programs I have been using have found anything and that the system has been running so normally until these incidents suddenly occur. I have read that viruses/malware may hide in the boot sector or in the BIOS. Can that be the problem here?

 

I would be very grateful for any suggestions.




#2 Nyctalus
  • Topic Starter

Posted 21 February 2013 - 03:52 AM

I have now run Norton Bootable Recovery Tool from a CD and scanned the SSD boot disk. Nothing found, but the files on the disk were recognised (357,000 files). The system disk was mapped as disk D by Norton Bootable Recovery Tool (in a normally running system it was C). So the files are there, but not accessible. The data disk (HDD) is being scanned now. Nothing found so far, and I don't expect that either, as nothing was found on the system disk. Here too the program recognises the files (the file names are listed as they are being scanned). The disk is mapped as C (normally it is D).



#3 boopme
  • Global Moderator

Posted 21 February 2013 - 08:26 PM

I will ask someone to look here.



#4 Elise
  • Malware Study Hall Admin

Posted 25 February 2013 - 02:10 PM

Hello, to get an idea of what we're looking at here let's start with the MBR.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso and, when finished, will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB drive and the CD and insert them in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press Enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer, navigate to mbr.bin, zip it up and attach it to your next reply.
  • This will allow me to have a look at the Master Boot Record of your drive and see if it is infected.

regards, Elise


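The dd command above produces a raw 512-byte sector. What an analyst then does with that mbr.bin is read the structure out of it: the 440 bytes of boot code (hash it and compare against a dump from a known-good machine of the same OS and vendor), the 4-byte Windows disk signature, the four 16-byte partition entries and the 55AA boot signature. The following parser is an added example written for this thread; it is not part of xPUD, of the original post, or of any Dell or Norton tool. The sample sectors it builds (HEALTHY, WIPED) are constructed test data, not dumps from the poster's disks, and the Dell partition layout in HEALTHY is an assumption modelled on the 16 MB "FAT16 (DELL)" partition the poster describes. Run it as `python mbr_triage.py mbr.bin` to report on a real dump; with no argument it reports on the constructed sample.

```python
"""Parse and sanity-check a raw 512-byte MBR dump, e.g. the mbr.bin that
`dd if=/dev/sda of=mbr.bin bs=512 count=1` writes from a live CD."""
import hashlib
import struct
import sys

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439: boot loader code
DISK_SIG_OFF = 440       # 4-byte Windows disk signature
PTABLE_OFF = 446         # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # bytes 510..511; the BIOS will not boot without it

# Partition type IDs commonly seen on a Windows 7 / Dell disk.
PART_TYPES = {
    0x00: "empty", 0x06: "FAT16", 0x07: "NTFS", 0x0b: "FAT32",
    0x0c: "FAT32 (LBA)", 0x0e: "FAT16 (LBA)", 0x27: "hidden NTFS (recovery)",
    0x83: "Linux", 0xde: "Dell utility", 0xee: "GPT protective",
}

def parse_mbr(mbr: bytes) -> dict:
    """Return boot-code hash, disk signature, the four partition entries and
    whether the 55AA boot signature is present."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_s, ptype, _chs_e, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", mbr, PTABLE_OFF + 16 * i)
        partitions.append({
            "index": i, "status": status, "type": ptype,
            "type_name": PART_TYPES.get(ptype, f"unknown (0x{ptype:02x})"),
            "lba_start": lba_start, "sectors": sectors,
            "size_mib": sectors * SECTOR / (1024 * 1024),
        })
    return {
        # compare against a dump from a known-good machine of the same OS and
        # vendor; changed boot code is the classic bootkit indicator
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
        "boot_code_is_zero": not any(mbr[:BOOT_CODE_LEN]),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "boot_signature_ok": mbr[510:512] == BOOT_SIG,
        "partitions": partitions,
    }

def triage(mbr: bytes) -> list:
    """Flag what an analyst checks first: missing boot signature, zeroed boot
    code, empty or inconsistent partition table, overlapping partitions."""
    info = parse_mbr(mbr)
    findings = []
    if not info["boot_signature_ok"]:
        findings.append("boot signature 55AA missing: sector zeroed or overwritten")
    if info["boot_code_is_zero"]:
        findings.append("boot code is all zeros: no loader present")
    used = [p for p in info["partitions"] if p["type"] != 0x00]
    if not used:
        findings.append("partition table empty: no partitions defined")
    for p in used:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte 0x{p['status']:02x}")
        if p["sectors"] == 0:
            findings.append(f"entry {p['index']}: type set but zero length")
    if sum(1 for p in used if p["status"] == 0x80) > 1:
        findings.append("more than one entry marked active")
    used.sort(key=lambda p: p["lba_start"])
    for a, b in zip(used, used[1:]):
        if b["lba_start"] < a["lba_start"] + a["sectors"]:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings

def build_mbr(entries, boot_code=b"\xeb\xfe", disk_sig=0x1234ABCD) -> bytes:
    """Constructed test data, not a real dump: assemble a sector from
    (status, type, lba_start, sectors) tuples."""
    buf = bytearray(SECTOR)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<I", buf, DISK_SIG_OFF, disk_sig)
    for i, (status, ptype, lba_start, sectors) in enumerate(entries):
        struct.pack_into("<B3sB3sII", buf, PTABLE_OFF + 16 * i,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, sectors)
    buf[510:512] = BOOT_SIG
    return bytes(buf)

# Constructed layout resembling a Dell Windows 7 disk (an assumption): a 16 MiB
# Dell utility partition, an active NTFS System Reserved partition, then the OS.
HEALTHY = build_mbr([(0x00, 0xDE, 63, 32768), (0x80, 0x07, 34816, 204800),
                     (0x00, 0x07, 239616, 488_000_000)])
# What "no partitions found" looks like at sector 0: all zeros.
WIPED = bytes(SECTOR)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read(SECTOR) if len(sys.argv) > 1 else HEALTHY
    info = parse_mbr(data)
    print(f"disk signature 0x{info['disk_signature']:08x}, "
          f"boot code sha256 {info['boot_code_sha256']}")
    for p in info["partitions"]:
        if p["type"]:
            print(f"  #{p['index']} {'*' if p['status'] == 0x80 else ' '} "
                  f"{p['type_name']:<24} LBA {p['lba_start']:>10} {p['size_mib']:>10.1f} MiB")
    print("findings:", triage(data) or ["none"])
```

An all-zero sector, which is what the recovery tools' "no partitions" result suggests, triggers three findings at once (no boot signature, no boot code, empty table), whereas a bootkit typically keeps the table intact and only changes the boot-code hash, so the two failure modes are easy to tell apart from this output.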


#5 Nyctalus
  • Topic Starter

Posted 25 February 2013 - 04:31 PM

Thank you for your answer, Elise. I'm quite sure I have located the culprit now. It is not a virus or malware, at least not in normal terms... I tried calling Dell support and they directed me in the right direction: Dell Client System Update, their own software for keeping drivers etc. up to date. They recommended uninstalling this software. I gave up recovering my system and used a Norton Ghost image. Dell Client System Update was set to automatically install needed updates on the 15th of each month (my two last incidents were on the 15th of Jan. and the 15th of Feb.). The Dell software has now been thoroughly uninstalled and my system is running normally. I'm deeply disappointed by Dell pushing drivers that have such grave effects on their customers' systems. I don't know if others are affected. It might be a combination of my hardware that was not compatible with the drivers.

 

I have scheduled a full backup of my disks on the 15th of March, but I'm quite sure that I will be OK now.

 

Thanks for your time.



#6 Elise
  • Malware Study Hall Admin

Posted 25 February 2013 - 04:44 PM

Thank you for sharing your solution! It's indeed not really nice of Dell to set up a driver update by default only to trash a computer and cause data loss. I'm glad to hear you found the cause of the problem though.

 

As this issue seems resolved I will now close this topic. If you need this topic reopened, please send me a Personal Message.


regards, Elise






