Bogus Boot

Discussion in 'Windows 64bit' started by krakr, Jan 27, 2009.

  1. krakr

    krakr Guest

    I have a major issue. Despite editing my boot.ini manually and thru msconfig,
    there are 2 boot options. The default IS NOT a valid install and does not
    appear on the .ini.
    I recently had a nasty trojan horse on my system that I've been attempting
    to root out. The scripts in it created admin level accounts while revoking
    rights to my own admin level account.
    However, I didn't have this issue until I swapped out my mobo.

    I have no idea what on earth could override boot.ini, but it's on my hdd.
    Any input is welcome
     
    krakr, Jan 27, 2009
    #1

  2. krakr

    krakr Guest

    "krakr" wrote:

    > I have a major issue. Despite editing my boot.ini manually and thru msconfig,
    > there are 2 boot options. The default IS NOT a valid install and does not
    > appear on the .ini.
    > I recently had a nasty trojan horse on my system that I've been attempting
    > to root out. The scripts in it created admin level accounts while revoking
    > rights to my own admin level account.
    > However, I didn't have this issue until I swapped out my mobo.
    >
    > I have no idea what on earth could override boot.ini, but it's on my hdd.
    > Any input is welcome


    OS is XP64. I'm confused because I didn't have the problem until
    tonight when I upped my mobo.
     
    krakr, Jan 27, 2009
    #2

  3. krakr

    krakr Guest

    I need to clarify. I had a trojan. It's been removed. The accounts it
    created were removed. Now I just have the Admin, my compromised account (that
    I don't log into but need to take the My docs & stuff from) and my new
    account.

    I'm virus free and ready to move on for the past 2 days. Just installed a
    new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    configuring the boot sequence again in BIOS, I had the issue. No other HDD
    has a boot.ini on it and I didn't have the issue on the old mobo.

    It's terribly confusing, especially after reading the security logs that
    allowed a script to remove rights from my own account while adding more to
    its own when it was in the "user" group. Talk about security flaws :(
     
    krakr, Jan 27, 2009
    #3
  4. Personally, I'd pull off any data files you absolutely positively trust, and
    then do a complete wipe of the system, booting off the XP x64 disk and
    deleting all partitions, recreating and formatting them. Whatever is going
    on, it feels more like a root kit than a simple trojan, and I'd say you
    still have problems.

    --
    Charlie.
    http://msmvps.com/blogs/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel

    "krakr" <> wrote in message
    news:D...
    >I need to clarify. I had a trojan. It's been removed. The accounts it
    > created were removed. Now I just have the Admin, my compromised account
    > (that
    > I don't log into but need to take the My docs & stuff from) and my new
    > account.
    >
    > I'm virus free and ready to move on for the past 2 days. Just installed a
    > new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    > configuring the boot sequence again in BIOS, I had the issue. No other HDD
    > has a boot.ini on it and I didn't have the issue on the old mobo.
    >
    > It's terribly confusing, especially after reading the security logs that
    > allowed a script to remove rights from my own account while adding more to
    > its own when it was in the "user" group. Talk about security flaws :(
     
    Charlie Russel - MVP, Jan 27, 2009
    #4
  5. krakr

    philo Guest

    "Charlie Russel - MVP" <> wrote in message
    news:...
    > Personally, I'd pull off any data files you absolutely positively trust,
    > and then do a complete wipe of the system, booting off the XP x64 disk and
    > deleting all partitions, recreating and formatting them. Whatever is going
    > on, it feels more like a root kit than a simple trojan, and I'd say you
    > still have problems.
    >
    >



    I recently had to repair a machine with a root kit
    and fdisk/mbr from a win9x boot floppy did the trick

    of course it was an IDE drive


    for an SATA drive one would need to use the repair console and issue the
    fixmbr command

    however, the fixmbr command does not over-write quite as much as fdisk/mbr


    > Charlie.
    > http://msmvps.com/blogs/xperts64
    > http://mvp.support.microsoft.com/profile/charlie.russel
    >
    > "krakr" <> wrote in message
    > news:D...
    >>I need to clarify. I had a trojan. It's been removed. The accounts it
    >> created were removed. Now I just have the Admin, my compromised account
    >> (that
    >> I don't log into but need to take the My docs & stuff from) and my new
    >> account.
    >>
    >> I'm virus free and ready to move on for the past 2 days. Just installed a
    >> new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    >> configuring the boot sequence again in BIOS, I had the issue. No other
    >> HDD
    >> has a boot.ini on it and I didn't have the issue on the old mobo.
    >>
    >> It's terribly confusing, especially after reading the security logs that
    >> allowed a script to remove rights from my own account while adding more
    >> to
    >> its own when it was in the "user" group. Talk about security flaws :(

    >
     
    philo, Jan 27, 2009
    #5
  6. krakr

    krakr Guest

    many thx, though I'm not looking forward to it.

    "Charlie Russel - MVP" wrote:

    > Personally, I'd pull off any data files you absolutely positively trust, and
    > then do a complete wipe of the system, booting off the XP x64 disk and
    > deleting all partitions, recreating and formatting them. Whatever is going
    > on, it feels more like a root kit than a simple trojan, and I'd say you
    > still have problems.
    >
    > --
    > Charlie.
    > http://msmvps.com/blogs/xperts64
    > http://mvp.support.microsoft.com/profile/charlie.russel
    >
    > "krakr" <> wrote in message
    > news:D...
    > >I need to clarify. I had a trojan. It's been removed. The accounts it
    > > created were removed. Now I just have the Admin, my compromised account
    > > (that
    > > I don't log into but need to take the My docs & stuff from) and my new
    > > account.
    > >
    > > I'm virus free and ready to move on for the past 2 days. Just installed a
    > > new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    > > configuring the boot sequence again in BIOS, I had the issue. No other HDD
    > > has a boot.ini on it and I didn't have the issue on the old mobo.
    > >
    > > It's terribly confusing, especially after reading the security logs that
    > > allowed a script to remove rights from my own account while adding more to
    > > its own when it was in the "user" group. Talk about security flaws :(

    >
    >
     
    krakr, Jan 27, 2009
    #6
  7. I didn't suggest it would be fun. But I strongly suggest it is necessary.

    --
    Charlie.
    http://msmvps.com/blogs/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel

    "krakr" <> wrote in message
    news:...
    > many thx, though I'm not looking forward to it.
    >
    > "Charlie Russel - MVP" wrote:
    >
    >> Personally, I'd pull off any data files you absolutely positively trust,
    >> and
    >> then do a complete wipe of the system, booting off the XP x64 disk and
    >> deleting all partitions, recreating and formatting them. Whatever is
    >> going
    >> on, it feels more like a root kit than a simple trojan, and I'd say you
    >> still have problems.
    >>
    >> --
    >> Charlie.
    >> http://msmvps.com/blogs/xperts64
    >> http://mvp.support.microsoft.com/profile/charlie.russel
    >>
    >> "krakr" <> wrote in message
    >> news:D...
    >> >I need to clarify. I had a trojan. It's been removed. The accounts it
    >> > created were removed. Now I just have the Admin, my compromised account
    >> > (that
    >> > I don't log into but need to take the My docs & stuff from) and my new
    >> > account.
    >> >
    >> > I'm virus free and ready to move on for the past 2 days. Just installed
    >> > a
    >> > new Asus M3n72-d mobo this evening and a killer heat sink as well.
    >> > After
    >> > configuring the boot sequence again in BIOS, I had the issue. No other
    >> > HDD
    >> > has a boot.ini on it and I didn't have the issue on the old mobo.
    >> >
    >> > It's terribly confusing, especially after reading the security logs
    >> > that
    >> > allowed a script to remove rights from my own account while adding more
    >> > to
    >> > its own when it was in the "user" group. Talk about security flaws :(

    >>
    >>
     
    Charlie Russel - MVP, Jan 27, 2009
    #7
  8. Boot from the install media, press F6 during initial read of the media when
    prompted, and then wipe the partitions before installing.

    --
    Charlie.
    http://msmvps.com/blogs/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel

    "philo" <> wrote in message
    news:%...
    >
    > "Charlie Russel - MVP" <> wrote in message
    > news:...
    >> Personally, I'd pull off any data files you absolutely positively trust,
    >> and then do a complete wipe of the system, booting off the XP x64 disk
    >> and deleting all partitions, recreating and formatting them. Whatever is
    >> going on, it feels more like a root kit than a simple trojan, and I'd say
    >> you still have problems.
    >>
    >>

    >
    >
    > I recently had to repair a machine with a root kit
    > and fdisk/mbr from a win9x boot floppy did the trick
    >
    > of course it was an IDE drive
    >
    >
    > for an SATA drive one would need to use the repair console and issue the
    > fixmbr command
    >
    > however, the fixmbr command does not over-write quite as much as
    > fdisk/mbr
    >
    >
    >> Charlie.
    >> http://msmvps.com/blogs/xperts64
    >> http://mvp.support.microsoft.com/profile/charlie.russel
    >>
    >> "krakr" <> wrote in message
    >> news:D...
    >>>I need to clarify. I had a trojan. It's been removed. The accounts it
    >>> created were removed. Now I just have the Admin, my compromised account
    >>> (that
    >>> I don't log into but need to take the My docs & stuff from) and my new
    >>> account.
    >>>
    >>> I'm virus free and ready to move on for the past 2 days. Just installed
    >>> a
    >>> new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    >>> configuring the boot sequence again in BIOS, I had the issue. No other
    >>> HDD
    >>> has a boot.ini on it and I didn't have the issue on the old mobo.
    >>>
    >>> It's terribly confusing, especially after reading the security logs that
    >>> allowed a script to remove rights from my own account while adding more
    >>> to
    >>> its own when it was in the "user" group. Talk about security flaws :(

    >>

    >
    >
     
    Charlie Russel - MVP, Jan 27, 2009
    #8
  9. krakr

    Kerry Brown Guest

    I'd go a bit further. Download a utility that will overwrite track 0. Most
    drive manufacturers' disk diagnostics will do this. They sometimes call it a
    low level format. This effectively sets the drive back to as new from the
    factory.

    --
    Kerry Brown
    MS-MVP - Windows Desktop Experience: Systems Administration
    http://www.vistahelp.ca/phpBB2/
    http://vistahelpca.blogspot.com/


    "Charlie Russel - MVP" <> wrote in message
    news:...
    > Personally, I'd pull off any data files you absolutely positively trust,
    > and then do a complete wipe of the system, booting off the XP x64 disk and
    > deleting all partitions, recreating and formatting them. Whatever is going
    > on, it feels more like a root kit than a simple trojan, and I'd say you
    > still have problems.
    >
    > --
    > Charlie.
    > http://msmvps.com/blogs/xperts64
    > http://mvp.support.microsoft.com/profile/charlie.russel
    >
    > "krakr" <> wrote in message
    > news:D...
    >>I need to clarify. I had a trojan. It's been removed. The accounts it
    >> created were removed. Now I just have the Admin, my compromised account
    >> (that
    >> I don't log into but need to take the My docs & stuff from) and my new
    >> account.
    >>
    >> I'm virus free and ready to move on for the past 2 days. Just installed a
    >> new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    >> configuring the boot sequence again in BIOS, I had the issue. No other
    >> HDD
    >> has a boot.ini on it and I didn't have the issue on the old mobo.
    >>
    >> It's terribly confusing, especially after reading the security logs that
    >> allowed a script to remove rights from my own account while adding more
    >> to
    >> its own when it was in the "user" group. Talk about security flaws :(

    >
     
    Kerry Brown, Jan 27, 2009
    #9
  10. I have also seen a couple of references claiming it is best
    to do the full format of the hard drive vs the quick format.
    Supposedly a full format wipes the previous information
    left behind that could cause some errors with the new
    install. The quick format only zeros out the MFT.


    krakr wrote:
    > many thx, though I'm not looking forward to it.
    >
    > "Charlie Russel - MVP" wrote:
    >
    >> Personally, I'd pull off any data files you absolutely positively trust, and
    >> then do a complete wipe of the system, booting off the XP x64 disk and
    >> deleting all partitions, recreating and formatting them. Whatever is going
    >> on, it feels more like a root kit than a simple trojan, and I'd say you
    >> still have problems.
    >>
    >> --
    >> Charlie.
    >> http://msmvps.com/blogs/xperts64
    >> http://mvp.support.microsoft.com/profile/charlie.russel
    >>
    >> "krakr" <> wrote in message
    >> news:D...
    >>> I need to clarify. I had a trojan. It's been removed. The accounts it
    >>> created were removed. Now I just have the Admin, my compromised account
    >>> (that
    >>> I don't log into but need to take the My docs & stuff from) and my new
    >>> account.
    >>>
    >>> I'm virus free and ready to move on for the past 2 days. Just installed a
    >>> new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    >>> configuring the boot sequence again in BIOS, I had the issue. No other HDD
    >>> has a boot.ini on it and I didn't have the issue on the old mobo.
    >>>
    >>> It's terribly confusing, especially after reading the security logs that
    >>> allowed a script to remove rights from my own account while adding more to
    >>> its own when it was in the "user" group. Talk about security flaws :(

    >>
     
    Bobby Johnson, Jan 27, 2009
    #10
  11. I have also seen a couple of references claiming it is best
    to do the full format of the hard drive vs the quick format.
    Supposedly a full format wipes the previous information
    left behind that could cause some errors with the new
    install. The quick format only zeros out the MFT.


    krakr wrote:
    > many thx, though I'm not looking forward to it.
    >
    > "Charlie Russel - MVP" wrote:
    >
    >> Personally, I'd pull off any data files you absolutely positively trust, and
    >> then do a complete wipe of the system, booting off the XP x64 disk and
    >> deleting all partitions, recreating and formatting them. Whatever is going
    >> on, it feels more like a root kit than a simple trojan, and I'd say you
    >> still have problems.
    >>
    >> --
    >> Charlie.
    >> http://msmvps.com/blogs/xperts64
    >> http://mvp.support.microsoft.com/profile/charlie.russel
    >>
    >> "krakr" <> wrote in message
    >> news:D...
    >>> I need to clarify. I had a trojan. It's been removed. The accounts it
    >>> created were removed. Now I just have the Admin, my compromised account
    >>> (that
    >>> I don't log into but need to take the My docs & stuff from) and my new
    >>> account.
    >>>
    >>> I'm virus free and ready to move on for the past 2 days. Just installed a
    >>> new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    >>> configuring the boot sequence again in BIOS, I had the issue. No other HDD
    >>> has a boot.ini on it and I didn't have the issue on the old mobo.
    >>>
    >>> It's terribly confusing, especially after reading the security logs that
    >>> allowed a script to remove rights from my own account while adding more to
    >>> its own when it was in the "user" group. Talk about security flaws :(

    >>
     
    Bobby Johnson, Jan 27, 2009
    #11
  12. Good addition. Nothing short of a complete wipe would ever let me trust this
    system. And I suspect I'd be inclined to trash the HD and buy a new one...

    --
    Charlie.
    http://msmvps.com/blogs/xperts64
    http://mvp.support.microsoft.com/profile/charlie.russel

    "Kerry Brown" <*a*m> wrote in message
    news:emvk8%...
    > I'd go a bit further. Download a utility that will overwrite track 0. Most
    > drive manufacturers' disk diagnostics will do this. They sometimes call it
    > a low level format. This effectively sets the drive back to as new from
    > the factory.
    >
    > --
    > Kerry Brown
    > MS-MVP - Windows Desktop Experience: Systems Administration
    > http://www.vistahelp.ca/phpBB2/
    > http://vistahelpca.blogspot.com/
    >
    >
    > "Charlie Russel - MVP" <> wrote in message
    > news:...
    >> Personally, I'd pull off any data files you absolutely positively trust,
    >> and then do a complete wipe of the system, booting off the XP x64 disk
    >> and deleting all partitions, recreating and formatting them. Whatever is
    >> going on, it feels more like a root kit than a simple trojan, and I'd say
    >> you still have problems.
    >>
    >> --
    >> Charlie.
    >> http://msmvps.com/blogs/xperts64
    >> http://mvp.support.microsoft.com/profile/charlie.russel
    >>
    >> "krakr" <> wrote in message
    >> news:D...
    >>>I need to clarify. I had a trojan. It's been removed. The accounts it
    >>> created were removed. Now I just have the Admin, my compromised account
    >>> (that
    >>> I don't log into but need to take the My docs & stuff from) and my new
    >>> account.
    >>>
    >>> I'm virus free and ready to move on for the past 2 days. Just installed
    >>> a
    >>> new Asus M3n72-d mobo this evening and a killer heat sink as well. After
    >>> configuring the boot sequence again in BIOS, I had the issue. No other
    >>> HDD
    >>> has a boot.ini on it and I didn't have the issue on the old mobo.
    >>>
    >>> It's terribly confusing, especially after reading the security logs that
    >>> allowed a script to remove rights from my own account while adding more
    >>> to
    >>> its own when it was in the "user" group. Talk about security flaws :(

    >>
     
    Charlie Russel - MVP, Jan 27, 2009
    #12
  13. Hello,
    If I recall properly, if the default entry in the boot.ini does not equal
    one of the entries below it, you will see an additional selection added to
    the boot menu.
    You solve this by editing the default line in the boot menu to equal one of
    the selections below in the boot.ini.
    What is currently in the boot.ini file?
    Thanks,
    Darrell Gorter[MSFT]

    This posting is provided "AS IS" with no warranties, and confers no rights.
    --------------------
    | >Thread-Topic: Bogus Boot
    | >thread-index: AcmAL9KUySALdZLjSQC4s/Hnz22f6g==
    | >X-WBNR-Posting-Host: 65.55.21.8
    | >From: =?Utf-8?B?a3Jha3I=?= <>
    | >Subject: Bogus Boot
    | >Date: Mon, 26 Jan 2009 19:32:04 -0800
    | >Lines: 10
    | >Message-ID: <>
    | >MIME-Version: 1.0
    | >Content-Type: text/plain;
    | > charset="Utf-8"
    | >Content-Transfer-Encoding: 7bit
    | >X-Newsreader: Microsoft CDO for Windows 2000
    | >Content-Class: urn:content-classes:message
    | >Importance: normal
    | >Priority: normal
    | >X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.3168
    | >Newsgroups: microsoft.public.windows.64bit.general
    | >Path: TK2MSFTNGHUB02.phx.gbl
    | >Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.64bit.general:21937
    | >NNTP-Posting-Host: tk2msftsbfm01.phx.gbl 10.40.244.148
    | >X-Tomcat-NG: microsoft.public.windows.64bit.general
    | >
    | >I have a major issue. Despite editing my boot.ini manually and thru msconfig,
    | >there are 2 boot options. The default IS NOT a valid install and does not
    | >appear on the .ini.
    | >I recently had a nasty trojan horse on my system that I've been attempting
    | >to root out. The scripts in it created admin level accounts while revoking
    | >rights to my own admin level account.
    | > However, I didn't have this issue until I swapped out my mobo.
    | >
    | >I have no idea what on earth could override boot.ini, but it's on my hdd.
    | >Any input is welcome
    | >
     
    Darrell Gorter[MSFT], Jan 28, 2009
    #13
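The condition Darrell describes, as an added example that is not part of the thread: a small boot.ini checker that reports when the `default=` ARC path under [boot loader] matches none of the entries under [operating systems], and repoints it to a listed entry. The boot.ini text is constructed for illustration, and ARC paths are compared case-insensitively by assumption.

```python
"""Added example (not from the thread): detect a boot.ini whose default=
entry names an ARC path that is not listed under [operating systems]."""

# Constructed sample: default= points at rdisk(1), but the only listed
# install is on rdisk(0), so NTLDR would show a second, phantom menu entry.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(1)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP Professional x64 Edition" /fastdetect
"""


def parse_boot_ini(text):
    """Split boot.ini into [boot loader] options (dict, lower-cased keys) and
    [operating systems] entries (list of (arc_path, description_and_switches))."""
    loader, systems, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")  # ARC paths contain no '='
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            loader[key.lower()] = value
        elif section == "operating systems":
            systems.append((key, value))
    return loader, systems


def unmatched_default(text):
    """Return the default= ARC path if it matches no [operating systems]
    entry, else None. Case-insensitive comparison is an assumption here."""
    loader, systems = parse_boot_ini(text)
    default = loader.get("default")
    if default is None:
        return None
    listed = {arc.lower() for arc, _ in systems}
    return None if default.lower() in listed else default


def repoint_default(text, arc_path):
    """Return boot.ini text with default= rewritten to arc_path, which must be
    one of the listed [operating systems] entries (the fix Darrell suggests)."""
    _, systems = parse_boot_ini(text)
    if arc_path.lower() not in {arc.lower() for arc, _ in systems}:
        raise ValueError("not a listed operating system: " + arc_path)
    out = []
    for raw in text.splitlines():
        key = raw.partition("=")[0].strip().lower()
        out.append("default=" + arc_path if key == "default" else raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    bogus = unmatched_default(SAMPLE_BOOT_INI)
    print("phantom default entry:", bogus)
    if bogus:
        _, systems = parse_boot_ini(SAMPLE_BOOT_INI)
        fixed = repoint_default(SAMPLE_BOOT_INI, systems[0][0])
        print(fixed)
        print("after fix, unmatched default:", unmatched_default(fixed))
```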
