Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Windows XP, MBR Grief


  • Please log in to reply

#1
shaun_023

shaun_023

    Member

  • Member
  • PipPip
  • 28 posts
Greeting,

I've been sent over, by Rorschach112, from the Malware forum due to boot issues originating from a virus attack and subsequent disinfection procedure.

The computer, running Windows XP and Phoenix FirstWare (Host Protected Area on the disk) crashed (virus related), damaging the Phoenix software function. This was an inconvenience but did not appear critical and I intended to tackle the issue after the system was (hopefully) cleaned. An initial seek/destroy program found a MBR infection and attempted removal. Upon reboot the system froze after the bios (and peripheral drivers) loaded but before Windows.

During a boot the following notice is displayed;

cME Disk Error - Loading FirstWare Data Area Failed.
cME Disk Press any key to boot normally...

Before the repair attempt, by pressing any key the system would continue on and load Windows.
After the repair attempt, the system will not recognize any key with the exception of Ctrl/Alt/Del which forces a reboot.

Rorschach112 suspects that the MBR could be messed up. Does anyone have any suggestions on how this roadblock can be bypassed?

Many thanks in advance,
etc. etc.
  • 0

Advertisements


#2
Mikeme

Mikeme

    Member

  • Member
  • PipPip
  • 48 posts
fixmbr from the recovery console, have a read: http://support.microsoft.com/kb/307654
  • 0

#3
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts
Try this and see if it will fix the issue for you.


If you have your Windows CD
  • Insert your Windows XP CD into your CD and assure that your CD-ROM drive is capable of booting the CD.
  • Once you have booted from CD, You’re going to proceed until you see the following screen, at which point you will press the "R" key to enter the recovery console:
    Posted Image

  • You will be prompted to select one of the listed Windows installation (typically number "1").
  • Select the installation number, and hit Enter.
    If there is an administrator password for the administrator account fill out the password and hit enter.
    By default you can leave this blank and hit enter.
    (If it does have a password and you don't know it, you're out of luck).

    You will be greeted with this screen, which indicates a recovery console at the ready:
    Posted Image

  • Please make sure you follow the instructions of this guide exactly as given or you might risk more problems.
    NOTE; Make sure you press Enter after each command.
    Make sure all commands are exactly as shown in this guide, including "spaces".


    First, we will start off with these 6 commands.

    CD..
    ATTRIB -H C:\boot.ini
    ATTRIB -S C:\boot.ini
    ATRIB -R C:\boot.ini
    del boot.ini
    BOOTCFG /Rebuild


    Note about the above command.
    BOOTCFG /REBUILD will search for pre-existing installations of Windows XP and rebuilds sundry essential components of the Windows operating system, recompiles the BOOT.INI file and corrects a litany of common Windows errors.

    For the Enter Load Identifier portion of this command, you should enter the name of the operating system you have installed.
    If, for example, you are using Windows XP Home, you could type Microsoft Windows XP Home Edition for the identifier (it's not crucial, however what the name is, as long, as it's meaningful).
    For the OS Load Option portion of this command, you should enter the following: /FASTDETECT /NOEXECUTE=OPTIN
    It is very important that you do one or both of the following two things:

    Here is what you should see:
    Posted Image

  • The following command verifies the integrity of the hard drive containing the Windows XP installation. While this step is not an essential function in our process, it’s still good to be sure that the drive is physically capable of running windows and that it contains no bad sectors or other corruptions that might be causing issues.
    Take note that this scan might take a long while. Leave it running uninterrupted!

    CHKDSK /R
  • This last command writes a new boot sector to the hard drive and cleans up all the loose ends we created by rebuilding the BOOT.INI file and the system files. When the Windows Recovery Console asks you if you are Sure you want to write a new bootsector to the partition C: ? just hit "Y" and hit Enter to confirm your decision:

    FIXBOOT
  • It’s time to reboot your PC by typing:
    EXIT
    and pressing Enter.
With any luck, your PC will boot successfully into Windows XP as if your various DLL, Hive, EXE and NTLDR errors never existed.

If you don't have Windows CD
Please download ARCDC from Artellos.com.
  • Double click ARCDC.exe
  • Follow the dialog until you see 6 options. Please pick: Windows Professional SP2 & SP3
  • You will be prompted with a Terms of Use by Microsoft, please accept.
  • You will see a few dos screens flash by, this is normal.
  • Next you will be able to choose to add extra files. Select the Default Files.
  • The last window will allow you to burn the disk using BurnCDCC
Then, follow instructions from Step #1 above.
  • 0

#4
shaun_023

shaun_023

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Pass 1: All went well until the command CHKDSK /R was entered. Immediately presented with -
Blue Screen ...
STOP: c0000139 {Entry Point Not Found}
The procedure entry point LdrSetMUICacheType could not be located in the dynamic link library ntdll.dll.

... had to reboot.

Pass 2: Repeated instructions and completed list, with exception of CHKDSK.
Upon reboot the computer locked up as before, following the cME message (press any key).

If the Phoenix HPA is causing this grief, is there any way to get rid of it? It's useless to me and takes 40Gb away from the disk. I contacted Phoenix inquiring about the driver(s) and registry keys. They said; sooo sorry, can't help. I suspect (not knowing me from Adam) that their response had more to do with preservation of security than lack of knowledge.

At least I now have the Recovery CD at hand and the reassurance that the computer recognizes that it has Windows on board. Any suggestions for a next step?

Cheers,
  • 0

#5
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts
Lets try the direct approach then. Repeat steps and once you get thru step 4 then type in this and press enter.

fixmbr

When done then type exit and then enter system should reboot.

Let me know what happens
  • 0

#6
shaun_023

shaun_023

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Guess what computer this message is coming from!

FIXMBR ... big CAUTION
computer appears to have a non-standard or invalid master boot record.
may damage your partition table.
could cause all partitions on the disk to become inaccessible.
Are you sure? ?????????!!???

yes, and instant "successful".
Exit and reboot.

No more cME!!!!
However, screen pops up asking me which operating system I want to load, Windows XP Pro or Windows XP Pro. Can't think of where the duplication came from (maybe that blue screen abort).

Anyway, Windows loads right up. Hurray!!! and the world has one less boat anchor.

At the risk of straining your good will on seemingly non-critical issues, two questions:

1. Any suggestions on how to get rid of the OS duplication?
2. Under Admin Tools/Computer Man./Disk Man. the hard disk has two partitions, C: and a healthy unknown of 45 Gb (HPA residue). Both are identified as the primary partition (dark blue bar). Options related to the "unknown" are limited to Delete and Help. Is it safe to delete the unknown or should I just leave it alone?

Thanks very much for your patience and perseverance.
Best Regards,
  • 0

#7
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts
Great news and now lets see where the two OS's are coming from. Please do the following.
Please do the following in the exact steps. Failure to do so could make the boot.ini damaged and cause unstable or unusable results with your system.:

Save a Backup Copy of Boot.ini

1. Click Start, click Run, type sysdm.cpl and then click OK.
2. Click on the Advanced tab, and then click Settings
3. In the Startup and Recovery area at the bottom click Settings.
4. Under System Startup click Edit. This opens the Boot.ini file in Notepad ready for editing.
5. In Notepad, click File on the Menu bar, and then click Save As.
6. First in here change the location in the top white drop down box to Desktop. Then in the file name change to Boot.old and save as Text Document(*.txt) and save it to your Desktop and then click Save



Please copy and paste all the lines from your Boot.ini file in your next reply.


Now you can repeat the steps to get back to step Number 4
I will reply with the Fix to do. Once the fix has been applied then Save and Close the file.
Reboot and let me know if this takes care of your problem


Below you will see a sample of a Windows Professional boot.ini file. Yours will look the same except it may say Microsoft Windows XP Home Edition


Sample Boot.ini File


[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

Edited by rshaffer61, 10 May 2010 - 06:50 AM.

  • 0

#8
Mikeme

Mikeme

    Member

  • Member
  • PipPip
  • 48 posts
Glad to see you finally got it figured out using the fixmbr I suggested in post#2 :) .
  • 0

#9
shaun_023

shaun_023

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here it is;

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect
  • 0

#10
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts

Here it is;

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /noexecute=optin
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


You need to delete the highlighted line above by following the instructions below.

Ok, so lets repair it.
  • Right click on My Computer and choose Properties
  • In the Properties window, click on the Advanced tab.
  • In the Startup and Recovery section, click on the Settings button.
  • In the window that opens, click on the Edit button...a notepad window will open (boot.ini)
  • copy the contents of the quotebox below and replace the old information in boot.ini
  • Save and then exit. Reboot and see if that fixs the multi boot at startup.

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect


Edited by rshaffer61, 10 May 2010 - 09:51 AM.

  • 0

Advertisements


#11
shaun_023

shaun_023

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Success, no more choices!
Very tricky. I copied in the lines wondering where the "/noexecute" went. Then, behold, you'd edited it back in. I will revise my version. What is "/noexecute=optin"?

Cheers,
  • 0

#12
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts
I don't know if this will explain it but here is what i found.

/noexecute=policy_level
OptIn (default configuration)

On systems with processors capable of hardware-enforced DEP, DEP is enabled by default for limited system binaries and applications that “opt-in,”

With this option, only Windows system binaries are covered by DEP by default.
  • 0

#13
shaun_023

shaun_023

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Thanks for tieing it to DEP.

I guess the only remaining question I've got is whether it's safe to push the delete button on the Unknown Partition. I'm going to run CHKDSK /R which might take a bit of time.

Cheers,

PS; so far I haven't experienced any random system crashes either (knock on wood)!
  • 0

#14
rshaffer61

rshaffer61

    Moderator

  • Moderator
  • 34,114 posts

I guess the only remaining question I've got is whether it's safe to push the delete button on the Unknown Partition. I'm going to run CHKDSK /R which might take a bit of time.


What unknown partition?
  • 0

#15
shaun_023

shaun_023

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I tried to run CHKDSK /R from the Recovery CD and got the same blue screen "STOP" as mentioned above (post 4). Loaded Windows ... My Computer ... Hard Disk Drives (properties) ... and ran Error-Checking (all boxes ticked) for the next reboot. The only disk drive indicated was C: which got a clean bill of health.

If I go to Admin Tools ... Computer Management ... Storage ... Disk Management
I have a; volume: 'blank', layout: Partition, type: Basic, FS: NTFS, Status: Healthy (Unknown Partition), Capacity: 45.30 GB, Free Space: 45.24 GB, ...
then; volume: (C:), Partition: Basic, FS: NTFS, Status: Healthy (System) ...

Under the table is a graphic of storage devices. Disk 0, Basic, 149.05 GB, Online. To the right a box for C: with a dark blue header (primary partition), 103.74 GB NTFS, Healthy (System). And further right another box for 'blank' again with a dark blue header, 45.30 GB NTFS, Healthy (Unknown Partition).

The unknown partition is, I believe, the block which was reserved for the #$!##$ Host Protected Area created by the Phoenix FirstWare software (which is no longer installed). While I can do several useful things with C:, my only options for the unknown are Delete and Help. I'd gladly delete it but my concern is the indication of a tie to the primary partition which I don't want to corrupt.

I think the problem is that the HPA is, by nature, supposed to be invisible to the OS. But this spat of virus/crashes has made the system semi-aware of its existence. Admin Tools knows its there, My Computer doesn't, and low-level Recovery isn't sure what to do about it.

Say the word and I'll merrily press the Delete button. If deletion is risky, I'll just leave it and soldier on.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP