Showing posts with label bsod. Show all posts

Friday, May 20, 2011

"Unknown Hard Error" BSOD and CI.DLL

My Windows 7 64-bit laptop suffered a BSOD with "Unknown hard error". A reboot resulted in Windows immediately going into Startup Repair mode, and the log showed that the file ci.dll had been corrupted.

I tried booting into Safe Mode and tried a Last Known Good boot; neither option worked, and each time the system jumped back into Startup Repair. Finally, I chose the option Disable Driver Signature Enforcement, and was able to successfully boot into normal mode. This option bypasses the functionality in Windows which checks for system or driver file corruption, and thus far it seemed like perhaps some software or driver I'd recently installed or updated might've led to this boot issue.

Days prior I'd been noticing some strange behavior in Windows. I had been unable to access my Gmail and Live accounts. Gmail would forever remain at the initial progress bar, eventually timing out and asking if I wanted to use basic HTML mode; Live would load the initial screen showing my email but just sit there, and any clicks on my Inbox, Sent Items or other folders did nothing. Once I booted in this Disable Driver Signature Enforcement mode, though, there was a new twist: it appeared my Google search results were now occasionally being redirected to advertising sites.

It turned out to be malware, a rootkit to be specific.

I ran a full scan with the latest SpyBot as well as Symantec Endpoint Protection, installed on all our workplace PCs, but these found nothing.

However, in tracking down other reports of apparent ci.dll file corruption, I discovered Kaspersky's TDSSKiller tool. I downloaded and ran the tool, which performed a concise scan that took roughly a minute to complete. Lo and behold, a rootkit, a member of the notorious TDSS family.

Rootkit.Win32.TDSS.tdl4


I ensured the Cure option was selected, then clicked Continue, and allowed the tool to initiate a reboot and hopefully clean out the rootkit.



Following the removal, I could once again boot into Windows normally, and the anomalous behaviors described above no longer occurred.


Wednesday, May 14, 2008

Vista Capable, (Not Quite) XP Ready

Problem

So my wife's office has a DELL OPTIPLEX 745 that's having issues. Every few hours its hard drive cooling fan sounds like it's a Pratt & Whitney™ turbojet engine prepping for launch off a convenient flight deck. I checked the BIOS under Maintenance -> Event Log. Saw some colorful error messages such as:

  • Previous shutdown due to thermal event
  • CPU0 fan out of range

Her office manager calls Dell. They send one tech, then another. They replace a fan, remove another. The problem recurs. Level 2 tech support engaged, and Dell nicely sends the office a warranty replacement, a DELL OPTIPLEX 755.


    Plan

    Geeks, you know what I'm thinking. This is Dell, this is a 755, a close incremental revision up from the old model. Windows XP Repair Install, baby! Wait a minute, not even that, I could just clone the drive, boot into Safe Mode, a little Device Manager magic and driver download deliciousness and I'll be home free!

    Using the still accessible old PC, I'd attach my external USB hard drive, and use Acronis True Image Home to take a snapshot of the 745's hard drive, then restore it over the top of the 755's. Then, the XP Repair Install to get Windows reacquainted with the hardware, intimately.



    Thwartage

    My initial efforts were thwarted. The symptoms of thwartage included a "quick" BSOD, despite having installed the Intel Matrix Storage Drivers from Dell's support site specific to the 755. These are the type of drivers which you would supply to Windows setup upon hitting the F6 function key when prompted for any third-party drivers to help Windows communicate with hardware that isn't currently supplied on the install disc.

    Immediately upon reboot, the system quickly yielded a BSOD and rebooted. I haven't got a photographic memory, but after a few attempts with identical results I caught a hint of a driver issue. Whether trying a Normal, Last Known Good, or Safe Mode boot, I got the same result.
    The answer hit me like a pound of bricks (for a ton would just leave a gooey mess for CSI to scratch their heads over).


    Solution

    I entered the BIOS, discovered the Drives -> SATA Operation option, and noticed that Dell had set it by default to AHCI, which according to Wikipedia is Vista-specific. I switched this to plain old ATA which XP is quite fluent in.

    Upon reboot, Windows XP loaded successfully and began acclimating itself to the new hardware. A few additional driver installs for the audio, video, and network and the system was its old self in more time than I'd originally have liked.


    Lessons Learned

    Given the industry strife inspired by Vista, prompting even system builders like Dell to respond to customer demand and offer XP on some of their new desktops, expect that even if your PC, when new, was preloaded with XP, a warranty replacement might be outfitted with newer hardware for a newer world. Not necessarily better, just newer.





    "Why'd the Dell dude get busted? Because pot is a Gateway drug!" - Anonymous