Avast WEBforum

Other => Viruses and worms => Topic started by: westes on February 16, 2013, 01:27:19 PM

Title: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 16, 2013, 01:27:19 PM
I have what I think is an MBR problem on a boot device.   I get a Boot Device not available when I try to boot.   However if I attach another drive that is a mirror of the affected drive, that drive loads its MBR, and its Windows XP boot.ini then points back to the original boot device which is able to boot.

I ran aswMBR, and interestingly this gives a hint of a problem when the Scan tells me that the Disk 0 MBR is hidden. It should not be hidden, should it?

I run FixMBR inside aswMBR, which finishes, and then I run Scan again.   Now it does not report the MBR as hidden.     

I try to reboot and I still get the Boot Device Not Available.   I turn on the drive with the mirror of the affected device.   Again the MBR loads from that mirror device and points back to the affected drive.   Windows loads from the affected device.    I re-run aswMBR, and again my MBR reports as Hidden.

Does anyone have any insight into what might be happening here?

Background facts:

- Dell Precision 380 running as the boot device two identical Western Digital Raptor 10K drives, configured as RAID 1 using the Intel built in RAID in the Dell system.

- Dell BIOS is configured to make the RAID 1 volume bootable and all other hard drive boot devices are disabled.   It is interesting because the device with the mirror of the RAID 1 volume is NOT marked as bootable, and yet the system is able to boot it and use its MBR to load and use its boot.ini to point back to the original device that does not boot.

- The boot device with RAID 1 IS marked Active.

- I run the Avast Quickscan from aswMBR with the latest download and it does not find anything.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 16, 2013, 01:30:33 PM
Are you running a RAID setup?
Quote
Dell BIOS is configured to make the RAID 1 volume bootable and all other hard drive boot devices are disabled.   It is interesting because the device with the mirror of the RAID 1 volume is NOT marked as bootable, and yet the system is able to boot it and use its MBR to load and use its boot.ini to point back to the original device that does not boot.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 16, 2013, 01:56:45 PM
I am using the Intel motherboard RAID built into the Precision 380.   It's a software RAID technology that relies on a Windows driver.   I use it extensively on many Dell Precisions at office and two at home, and I strongly feel that this is not the issue here.    The RAID 1 boot device has something wrong with its MBR.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 16, 2013, 02:06:46 PM
Unfortunately RAID devices are very difficult to clean especially in the MBR sectors

As you are in RAID 1 then the system will boot from the mirror drive (#2) and utilise data where possible from drive #1

Have you tried chkdsk /r on drive 1
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 16, 2013, 02:11:43 PM
Quote
Unfortunately RAID devices are very difficult to clean especially in the MBR sectors

As you are in RAID 1 then the system will boot from the mirror drive (#2) and utilise data where possible from drive #1

Have you tried chkdsk /r on drive 1

What I was trying to explain is that the system is NOT booting from the mirror drive.    The system cannot boot at all and gives the Boot Device not available message.

I am hacking around the defective MBR on the boot device by introducing a THIRD hard drive.   This third drive has a mirror image of the boot volume on it.    Now when I power on computer, the MBR from the THIRD hard drive is loading.   It then reads the boot.ini from the THIRD hard drive.   That boot.ini in turn points back to the affected boot volume, and Windows loads from that volume.

In fact right as the affected boot volume begins to load, I can POWER OFF the third hard drive and Windows boots normally from the affected boot drive.

I will try CHKDSK /R now.

Are you suggesting that I should remove the second drive and work with just the primary drive 0 in the RAID 1 drive pair (drive 0 and drive 1)?   I could do that and rebuild the RAID later.

Or are you suggesting I should just downgrade the RAID and make the boot device drive 0 a non RAID device?
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 16, 2013, 02:50:22 PM
Quote
Unfortunately RAID devices are very difficult to clean especially in the MBR sectors

As you are in RAID 1 then the system will boot from the mirror drive (#2) and utilise data where possible from drive #1

Have you tried chkdsk /r on drive 1

CHKDSK /R finds nothing wrong with the drive.

After CHKDSK completes, I still cannot boot from the RAID 1 boot device.    I have to rely on the third hard drive's MBR to get the boot process started.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 16, 2013, 03:54:26 PM
I am not an expert in RAID.  But I may be able to work with a single drive.  Do you know what happened to cause this problem ?

Also what is the OS 
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 16, 2013, 05:00:34 PM
Could you post the aswMBR report please as I have had a possible thought, it may be an additional TDL4 partition 
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 16, 2013, 09:07:41 PM
Quote
I am not an expert in RAID.  But I may be able to work with a single drive.  Do you know what happened to cause this problem ?

Also what is the OS

Before I spend half the day to re-organize a boot partition as non-RAID, I am hoping we can at least do the basic diagnostic tests.   Maybe you will see something obvious on that.    What I did do for now is to remove drive 1 from the RAID 1 boot device.   That leaves me with a single drive 0 in a degraded RAID 1 boot drive.

In this configuration I ran aswMBR again and ran FixMBR again.   The problem persists.

What happened to cause the problem is hard to pinpoint.   I use the third drive as a backup drive.   So it is on all the time.   I did not realize until yesterday that powering off that third drive the system would not boot.    If the problem ends up being an MBR rootkit, then that will be because the primary computer user is sloppy reading email with attachments.   If it is not a rootkit, then the only suspect is that I migrated about three months ago from one boot device to a new boot device.   Perhaps at the time of that migration the MBR needed to be patched/changed and was somehow corrupted.   I did not catch that corruption at the time because the system secretly went to the third drive to start the boot process, after failing on the RAID1 primary.

I am going to start backups of the boot logical volume.   By the time this is over I may end up having to recreate it from scratch.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 16, 2013, 09:08:09 PM
Quote
Could you post the aswMBR report please as I have had a possible thought, it may be an additional TDL4 partition

How can I upload a group of logfiles and attach it to a post on this site?
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 16, 2013, 09:51:04 PM
You should be able to attach the aswmbr report log
That one should let me know if we are dealing with a rogue partition

Or you can run this and post the log

(https://dl.dropbox.com/u/73555776/RKScan.GIF)   

Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 16, 2013, 10:13:46 PM
Quote
You should be able to attach the aswmbr report log
That one should let me know if we are dealing with a rogue partition

I am asking mechanically - step by step - how do I attach files to  a post.  I don't see any link here to upload a file attachment.

Quote
Or you can run this and post the log

  • Download RogueKiller (http://www.sur-la-toile.com/RogueKiller/RogueKiller.exe)  and save it on your desktop.
     
    NOTE: If using IE8 or better Smartscreen Filter will need to be disabled

  • Quit all programs
  • Start RogueKiller.exe.
  • Wait until Prescan has finished ...
  • Click on Scan
(https://dl.dropbox.com/u/73555776/RKScan.GIF)
  • Wait for the end of the scan.
  • The report has been created on the desktop.

Is it possible to stick with programs from well known developers?  I don't like the idea of running some application attached to a forum that isn't a major software vendor's product.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: DavidR on February 16, 2013, 10:19:03 PM
When you use the Reply to a topic use the Attachments and other Options at the bottom of the text window.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 16, 2013, 10:47:06 PM
Major software vendors do not know malware like these guys. They are all good and safe programmes that I use and they are specifically targeted at defined areas of the system to gather data

Attachment instructions are near the beginning of this post http://forum.avast.com/index.php?topic=53253.0
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 17, 2013, 12:04:21 AM
Quote
When you use the Reply to a topic use the Attachments and other Options at the bottom of the text window.

Thanks for helping me on the attachments link.   :)

Look at the four attachments, and let's discuss them 1) through 4)

The first attachment shows the scan of the non bootable drive.   I highlighted the area of concern.   There was an unrecognized MBR.   That is probably not good.

The second attachment shows what the non bootable drive looks like after I ran FixMBR.   Now the MBR shows as "hidden".     Is the MBR supposed to be hidden?  It is not on my other computers.   So what's hiding it?

The third attachment shows what the drive looks like when I ran FixMBR again.   However the problem persists.   And after several reboots the MBR is hidden again.

The fourth attachment shows what the drive looks like after I disabled drive 1 in the RAID 1 pair.   The only drive left on the system should be drive 0.   It shows drive 2, which is weird, and it might be a stub of the third drive which I power off right at the start of the boot process (I only needed it for its MBR to start the boot process, and I wanted to simplify things down to a single drive configuration as you requested).   After running FixMBR here the problem persists.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 17, 2013, 12:10:25 AM
The first one indicates a non-standard MBR - probably as it is a raid configuration

So having fixed the MBR you then set it to a standard XP non raid MBR

Was it booting normally prior to the first aswMBR run
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 17, 2013, 12:17:39 AM
Quote
The first one indicates a non-standard MBR - probably as it is a raid configuration

So having fixed the MBR you then set it to a standard XP non raid MBR

Was it booting normally prior to the first aswMBR run

Oh great :) 

It was NOT booting prior to the first run of aswMBR.   I ran aswMBR in an attempt to reset the MBR.

So it looks like one strategy here might be to reset from RAID to non RAID and to then reset to RAID again, hoping that the utilities built into the system will rewrite the MBR at the time that conversion is done?

I predict a non booting system by end of day. :)   But I can try after making backups.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 17, 2013, 12:20:11 AM
Quote
The first one indicates a non-standard MBR - probably as it is a raid configuration

So having fixed the MBR you then set it to a standard XP non raid MBR

Was it booting normally prior to the first aswMBR run

Is there some tool I can buy that lives on its own boot CD that can be used to make backup copies of the MBR on any disk attached to the system?   Sounds like I should start maintaining those backups periodically to recover from such cases.
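
Added example (not part of the original thread, and not code from aswMBR): once a 512-byte copy of sector 0 has been saved, the checks discussed in this thread can be scripted. The sketch below validates the 0x55AA boot signature, reads the four partition entries and their active flag, and compares the boot-code hash with a saved baseline. The sample sector, its values and all function names are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count

def build_sample_mbr(active=True, signature=b"\x55\xaa"):
    """Constructed sample sector: stand-in boot code plus one NTFS (0x07) entry."""
    boot_code = bytes(range(256)) + bytes(184)     # 440 bytes, not real boot code
    disk_sig = struct.pack("<IH", 0x1234ABCD, 0)   # disk signature + 2 reserved bytes
    entry = struct.pack(ENTRY, 0x80 if active else 0x00, b"\x01\x01\x00",
                        0x07, b"\xfe\xff\xff", 63, 143_364_942)
    return boot_code + disk_sig + entry + bytes(48) + signature

def parse_mbr(sector):
    """Return the boot-code hash, signature validity and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i: 462 + 16 * i]
        status, _, ptype, _, lba_start, sectors = struct.unpack(ENTRY, raw)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"index": i, "active": status == 0x80, "status": status,
                               "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
            "signature_ok": sector[510:512] == b"\x55\xaa",
            "partitions": partitions}

def check_mbr(sector, baseline_sha256=None):
    """List reasons the sector may not boot or differs from a saved baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    active = [p for p in info["partitions"] if p["active"]]
    if len(active) != 1:
        findings.append(f"{len(active)} active partitions (expected exactly 1)")
    if any(p["status"] not in (0x00, 0x80) for p in info["partitions"]):
        findings.append("partition entry with invalid status byte")
    if baseline_sha256 and info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    return findings

if __name__ == "__main__":
    good = build_sample_mbr()
    baseline = parse_mbr(good)["boot_code_sha256"]
    print(check_mbr(good, baseline))                              # no findings
    print(check_mbr(build_sample_mbr(active=False), baseline))    # active flag missing
```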
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: DavidR on February 17, 2013, 12:55:16 AM
The idea is not to work alone here, post the single analysis log, don't do anything that could impact on your system, such as run the fix mbr unless specifically asked to, that is why we have malware removal specialists helping.

There are many reasons why an unknown MBR isn't wrong, that is something the specialists can determine. I'm not a malware removal specialist, but I didn't see anything obvious in the first aswmbr scan log.

It is now almost midnight in the UK so essexboy is likely to be in bed now, but he should be back on-line tomorrow (time unknown).
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 17, 2013, 04:06:12 AM
Quote
The idea is not to work alone here, post the single analysis log, don't do anything that could impact on your system, such as run the fix mbr unless specifically asked to, that is why we have malware removal specialists helping.

There are many reasons why an unknown MBR isn't wrong, that is something the specialists can determine. I'm not a malware removal specialist, but I didn't see anything obvious in the first aswmbr scan log.

It is now almost midnight in the UK so essexboy is likely to be in bed now, but he should be back on-line tomorrow (time unknown).

Hi David.   Remember that before I ever loaded aswMBR, I already had a non bootable drive.   So I had very little to lose at that point from a FixMBR because the MBR I had did not work.

Point still taken and I will try to slow down. :)
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: westes on February 17, 2013, 09:26:16 AM
Quote
The idea is not to work alone here, post the single analysis log, don't do anything that could impact on your system, such as run the fix mbr unless specifically asked to, that is why we have malware removal specialists helping.

There are many reasons why an unknown MBR isn't wrong, that is something the specialists can determine. I'm not a malware removal specialist, but I didn't see anything obvious in the first aswmbr scan log.

It is now almost midnight in the UK so essexboy is likely to be in bed now, but he should be back on-line tomorrow (time unknown).

I was able to resolve this problem by:

1) Making mirror of boot partition on a different drive

2) Converting the RAID 1 to a non RAID drive

3) Converting the non RAID drive back to RAID 1

Something about rebuilding the RAID apparently reconstructed the MBR correctly, and from that point on the system could reboot.

Thanks for your help here.   Your thinking around this helped me to see the solution path.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: DavidR on February 17, 2013, 12:40:31 PM
Good that you have found a solution.

Sorry about the earlier confusion, when I posted my last reply I hadn't seen the other one posted by essexboy (on the next page and where my reply ended up too) and why I thought he would be in bed.

Well having a Raid enabled system as essexboy confirmed is one of the instances where you would have non-standard MBR.
Title: Re: MBR Problem Prevents Boot Device From Loading
Post by: essexboy on February 17, 2013, 01:00:27 PM
I am glad that worked. I will keep your solution in case this comes up again.