A Windows XP help forum. PCbanter

Boot failure after AVG removed trojan horse: invalid BOOT.INI



 
 
Old April 19th 05, 10:40 PM
cheshirekat

I have already posted this to the AVG Forum since the problem was caused by
AVG, but the resulting problem is Windows-related, as follows:

Windows XP Home: SP_?, factory-installed (OEM)
AVG Free 7.0: version 7.0.308?, virus db version 266.9.17?
No other anti-virus
No firewall software (except Windows Firewall protecting home LAN connection?)
No anti-spy (except for Yahoo! Toolbar?)
FYI: Dell Dimension 2100 Service Tag 87QJ511 (just in case more info helps)

Apologies in advance:
Sorry about the ?’s above:
1) since I can’t boot, I can’t check some of these and
2) this is not my machine, so I am trying to fill in info from various
documentation tossed together with that of all the other computers in the
house …I installed the AVG upgrade to help a friend who was getting the
“Upgrade to 7.0” warning prompt, so of course, it is now All My Fault :[
Sorry about the lengthy post, but: I usually have at least ½ a clue, so I’ve
done some research & tried some fixes, and I’d rather be thoroughly
descriptive

--Upgraded AVG 6.0 free edition to AVG Free 7.0
--Ran Update, created rescue disk set, ran initial scan
--Scan found several infected files: wish I had printed a list, but I do
recall that among the listed critters and affected files were
Adware.Bookedspace and Trojan Horse Dropper.Agent.2AM, NTDownloader; some of
the files were system files in WINNT\system32 and in \I386
--Allowed AVG to quarantine/repair/delete all automatically, which I am now
regretting, since

--When the computer was restarted the next day, it would not boot: error
message “A disk read error occurred, Press Ctrl+Alt+Del to restart” …doing so
resulted in the same message each time
--Tried to use the AVG rescue boot disk: error message “NTLDR is missing,
Press any key to restart” …to no avail. So maybe a false positive, but more
likely that the repair/removal was flawed? Anyhow, can’t restore the files
if the machine won’t boot…
--AVG Forum had a post referencing “NTLDR Missing”, but that was about
testing the disks, not actual boot failure. Checked the Symantec site for
info: seems some of the malicious code affecting NTLDR will change the file
attributes from hidden, system, read-only to “archive” in order to patch it,
and does not change it back (see tech details on W32.Bolzano); according to
Microsoft: “Many viruses update the boot sector with their own code and move
the original boot sector to another location on the disk. After the virus is
activated, it stays in memory and passes the execution to the original boot
sector so that startup appears normal. Some viruses do not relocate the
original boot sector, making the volume inaccessible. If the affected volume
is the active primary partition, the system cannot start. Other viruses
relocate the boot sector to the last sector of the disk or to an unused
sector on the first track of the disk. If the virus does not protect the
altered boot sector, normal use of the computer might overwrite it, rendering
the volume inaccessible or preventing the system from restarting. (see
Windows XP Resource Kit, Ch. 27)”, etc….

--Created a boot disk from another computer running XP Home (SP1)- included
NTLDR, NTDETECT and BOOT.INI; restart with this disk resulted in error
message: “Invalid BOOT.INI file, Booting from C:\windows\, Windows could not
start because the following file is missing or corrupt: <Windows
root>\system32\hal.dll, Please re-install a copy of the above file.”
--So, tried copying hal.dll (5.1.2600.0) as well, just to see if it would
work: no such luck, resulted in error message: “Invalid BOOT.INI file,
Booting from C:\windows\, Windows could not start because of a computer disk
hardware configuration problem. Could not read from the selected boot disk.
Check boot path and disk hardware. Please check the Windows documentation
about hardware disk configuration and your hardware reference manuals for
additional information.”
--BOOT.INI used is:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
--Tried modifying as partition(1), no success

--However, I can: enter Dell Set-Up, or F8 into Windows Advanced Options
(but Last Known Good Config and Safe Mode were both unsuccessful) and I do
have an MS-DOS boot disk that brings me to command prompt A:\

--That brings us up to current: I believe that my options now involve
1) using the Recovery Console: not sure how comfortable I am with say,
editing BOOT.INI further with bootcfg or the like (I know enough to NOT just
dive into this) OR
2) Repairing/Reinstalling (in-place upgrade or parallel re-install) Windows
XP from the CD-ROM: my reservation on this is that according to MS Knowledge
Base article 312369, “You may lose data or program settings….” possibly
including documents in the Shared Documents folder. According to the Status
section, this was ‘first corrected in Windows XP Service Pack 1’, but I do
not know for sure if this machine has it installed: prevention options are
listed, Method 4 of which is a manual command-prompt option, but it notes:
“If you are using Recovery Console or an MS-DOS or Windows boot floppy disk,
the steps to delete the file are slightly different.” BUT does not say how

--Given my limited access options at present:
*** is there a way to check what SP is installed?
*** is there a way to determine where BOOT.INI *should* be pointing?
*** is there a way to back-up the Shared Documents folder from the A:\
prompt before I proceed?
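
As an added example (not code from the post, from AVG or from Microsoft), the Python below works out where a BOOT.INI should be pointing from the disk's partition table and lints a BOOT.INI before it is written back to the system partition. It assumes a single BIOS disk (multi(0)disk(0)rdisk(0)), no extended partitions, and a constructed Dell-style table with a utility partition in slot 0 and the NTFS partition in slot 1; parse_mbr, arc_numbers, build_boot_ini, lint_boot_ini, sample_mbr and GARBLED are the example's own names, not anything from the post.

```python
"""Added example (not from the post): map MBR partition slots to ARC partition(N)
numbers, build a BOOT.INI with one entry per Windows-capable partition, and lint a
BOOT.INI for the mistakes behind "Invalid BOOT.INI file". One BIOS disk and no
extended partitions assumed; the MBR below is constructed test data."""
import re
import struct

SECTOR = 512
ARC_RE = re.compile(
    r"^multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\[^=\s]*)$")
EXTENDED_TYPES = {0x05, 0x0F}          # containers, skipped by ARC numbering
WINDOWS_FS = {0x07: "NTFS", 0x0B: "FAT32", 0x0C: "FAT32"}

def parse_mbr(sector: bytes) -> list:
    """Return the used entries of a 512-byte MBR partition table."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a 512-byte sector with the 0x55AA boot signature")
    parts = []
    for slot in range(4):
        flag, _, ptype, _, lba, _ = struct.unpack(
            "<B3sB3sII", sector[446 + 16 * slot:446 + 16 * (slot + 1)])
        if ptype:   # type 0 marks an unused slot
            parts.append({"slot": slot, "active": flag == 0x80, "type": ptype, "lba": lba})
    return parts

def arc_numbers(parts: list) -> dict:
    """Slot -> partition(N): every primary (vendor utility partitions included)
    counts from 1 in table order; extended containers are skipped."""
    primaries = [p["slot"] for p in parts if p["type"] not in EXTENDED_TYPES]
    return {slot: n for n, slot in enumerate(primaries, start=1)}

def build_boot_ini(sector: bytes, sysdir: str = "WINDOWS") -> str:
    """One entry per NTFS/FAT32 partition, so the right one can be picked from
    the boot menu instead of by edit-and-reboot; the active partition is default."""
    parts = parse_mbr(sector)
    numbers = arc_numbers(parts)
    cands = [p for p in parts if p["type"] in WINDOWS_FS]
    if not cands:
        raise ValueError("no NTFS/FAT32 partition in the table")
    default = next((p for p in cands if p["active"]), cands[0])
    def arc(p):   # single BIOS disk assumed: multi(0)disk(0)rdisk(0)
        return f"multi(0)disk(0)rdisk(0)partition({numbers[p['slot']]})\\{sysdir}"
    lines = ["[boot loader]", "timeout=30", f"default={arc(default)}", "[operating systems]"]
    for p in cands:
        lines.append(f'{arc(p)}="Microsoft Windows XP (partition {numbers[p["slot"]]}, '
                     f'{WINDOWS_FS[p["type"]]})" /fastdetect')
    return "\n".join(lines) + "\n"

def _parse_ini(text: str) -> dict:
    sections, current = {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].lower(), [])
        elif current is None or "=" not in line:
            raise ValueError(f"not a section header or key=value: {line!r}")
        else:
            key, _, value = line.partition("=")
            current.append((key.strip(), value.strip()))
    return sections

def lint_boot_ini(text: str) -> list:
    """Return the problems found; an empty list means the file is well-formed."""
    try:
        sections = _parse_ini(text)
    except ValueError as exc:
        return [str(exc)]
    problems, paths = [], []
    for path, rhs in sections.get("operating systems", []):
        m = ARC_RE.match(path)
        if not m or int(m.group(4)) < 1:    # partition() numbers start at 1
            problems.append(f"malformed ARC path: {path!r}")
        else:
            paths.append(path)
        dm = re.match(r'^"([^"]*)"\s*(.*)$', rhs)   # straight quotes, then switches
        if not dm:
            problems.append(f"description not in straight double quotes: {rhs!r}")
            continue
        problems += [f"unexpected token after description: {tok!r}"
                     for tok in dm.group(2).split() if not tok.startswith("/")]
    default = dict(sections.get("boot loader", [])).get("default")
    if default is None or not ARC_RE.match(default):
        problems.append(f"missing or malformed default= in [boot loader]: {default!r}")
    elif default not in paths:
        problems.append(f"default= matches no [operating systems] entry: {default!r}")
    return problems

def sample_mbr() -> bytes:
    """Constructed Dell-style table: 0xDE utility partition in slot 0, active NTFS in slot 1."""
    entries = [(0x00, 0xDE, 63, 64260), (0x80, 0x07, 64323, 78060000)]
    table = b"".join(struct.pack("<B3sB3sII", flag, b"\xfe\xff\xff", ptype,
                                 b"\xfe\xff\xff", lba, size)
                     for flag, ptype, lba, size in entries)
    return bytes(446) + table.ljust(64, b"\0") + b"\x55\xaa"

# The BOOT.INI as it appears in the post above, joined onto single lines (constructed input).
GARBLED = ("[boot loader]\ntimeout=30\n"
           "default=multi(0)disk(0)rdisk(0)partition(2)\\WINDOW S\n"
           "[operating systems]\nmulti(0)disk(0)rdisk(0)partition(2)\\WINDOWS="
           "\u201dMicrosoft Windows XP Home Edition\u201d/fastdetect\n")
```

The first sector of a disk can be captured from a Linux live CD with `dd if=/dev/sda of=mbr.bin bs=512 count=1` and handed to `build_boot_ini(open("mbr.bin", "rb").read())`; every NTFS/FAT32 partition then gets its own boot-menu entry, so the right one is chosen at the menu rather than by editing and rebooting. Because ARC numbering counts every primary partition, a vendor utility or diagnostic partition ahead of Windows in the table pushes Windows to partition(2), which is where the generated default lands for the sample table. Running `lint_boot_ini(GARBLED)` on the file as it appears in the post above reports two problems, the curly quotes around the description and the space in `\WINDOW S`, both worth fixing before the file goes back on the disk.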
