Windows 7: Laptop won't boot & Recovery partition corrupt... Rootkit?

02 Jun 2013   #1

Windows 7 Home 64-bit

My Toshiba laptop suddenly was unable to boot to Windows 7 Home yesterday... the post was generating an error "No operating system."

So then I booted into Linux via a live CD. From there, I could mount my Windows C-drive and see documents still intact. However, using the app GParted to look at my hard drive, I noticed that sda3, the Toshiba Recovery Partition, was of "unknown file format."

Also, it was missing its usual label "HDD RECOVERY" and no space was used out of its 10.08GB (usually, 9.49GB is filled). Strangely, the boot flag was set to that partition (sda3) instead of its usual location on sda1, the System partition.

I used GParted to move the boot flag back to sda1, and after that, the laptop was able to boot to Windows 7 again. However, Disk Management showed that the recovery partition was of "RAW" file format with 0GB used.

Any clue on whether this was caused by a destructive trojan or MBR rootkit? Perhaps attempting to hide in the recovery partition? I just returned from a 1-week visit to my cousin's house, which has a "suspect" network... she had 40 trojans removed from her laptop a month before. I was getting a few script error messages while on the internet there.

Or was this related to hardware failure? FYI, I did have a poor shutdown from Linux live CD right before (CD was ejected too early, shutdown failed, and I had to force Power button down. But after that, I cleared the memory with an unplug and battery removal). Could that mess up the MBR/boot AND corrupt an entire partition? I doubt it, as Linux was booted off a CD into memory, not installed.

I can no longer use the non-existent recovery partition to reinstall Windows7 (and wouldn't trust the hard drive without a 0-fill wipe first, anyway), but thankfully, I made 3 recovery DVDs last year. I just need to run those, correct? Thanks.




02 Jun 2013   #2

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

Do you get the Repair Your Computer option when you press F8 during boot? Also do you have a USB Flash Drive ?

Warning: You will need a USB FLASH DRIVE.

Tip: Download the tool from a non-infected PC.

Download Farbar Recovery Scan Tool
64-Bit Version OS: Farbar Recovery Scan Tool x64


Plug the flash drive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
Restart the computer.
As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
Use the arrow keys to select the Repair your computer menu item.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

To enter System Recovery Options by using Windows installation disc:
Insert the installation disc.
Restart your computer.
If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
Click Repair your computer.
Select US as the keyboard language settings, and then click Next.
Select the operating system you want to repair, and then click Next.
Select your user account and click Next.

On the System Recovery Options menu you will get the following options:
Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Command Prompt

Select Command Prompt

In the command window type Z:\FRST64.exe and press Enter.
Note: Replace letter Z with the drive letter of your flash drive.

Tip: Type the commands below to see what your letter is for the USB drive and press ENTER after each command:

Code:
Diskpart
List volume

The tool will start to run.
When the tool opens click Yes to disclaimer.
Press Scan button.
FRST will let you know when the scan is complete and has written the FRST.txt to file.
Please copy and paste both logs in your reply (FRST.txt and Addition.txt).
02 Jun 2013   #3

Windows 7 Home 64-bit
 
 

"Do you get the Repair Your Computer option when you press F8 during boot?" No, I wasn't getting anything except the message "no operating system." There was no progress in boot at all.

Thanks for the FRST64.exe suggestion... What is the purpose of this scan?

I don't have a spare flash drive to sacrifice at this very moment (and don't trust plugging my other USB drives into this laptop). However, I'm booted into a Linux live CD and can download the exe... If I save the executable onto my C-drive, can I still follow your directions and run the scan from that filepath instead?

By the way, I had mentioned that I moved the boot flag to sda1, and the laptop now boots. Should I move the boot flag back to sda3, just for this scan? Or should I just run Avast or TDSS Killer while booted into Windows offline? That said, anti-virus scans are fairly useless when rootkits are present.


02 Jun 2013   #4

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

You could try to run TDSSKiller. The FRST64 scan was to look for viruses as a reason why you're not able to boot into your desktop.
02 Jun 2013   #5
Microsoft MVP

 

Work through the steps for Troubleshooting Windows 7 Failure to Start

It would help to have a drive map snap of Partition Wizard bootable CD. If Recovery is truly ruined and the Boot flag on the Linux boot disk means that the System Active flags were there, then you might be able to start Windows 7 by Marking 7 Partition Active to run Startup Repair - Run up to 3 Separate Times.

However if the OS is heavily infected it might not repair until disinfected so work through the steps in the tutorial in order to disinfect then repair system files and attempt to repair the boot. If that fails there are steps to rescue your files then get the superior Clean Reinstall - Factory OEM Windows 7
04 Jun 2013   #6

Windows 7 Home 64-bit
 
 

I will try the suggestions above: FRST64, TDSS, and Windows 7 troubleshooting, and report back results.

Any thoughts on why or how my boot flag got moved from sda1 (system) to sda3 (recovery)? Was it simply because I had just tried booting from the Recovery partition; will such action cause the boot flag to move? Just wondering, because a boot flag move can also be nefarious... here's an interesting article about TDL4 Rootkit: http://secure-computer-solutions.com...he_part_1.html

Is the purpose of Partition Wizard to move the boot flag to a working partition?

As mentioned in my post, I actually AM able to boot to Windows 7 again if I use GParted to move the boot flag back to sda1 (system) from sda3 (recovery), probably because the latter partition is, I suspect, corrupted. It shows as "RAW" or unknown file format and takes up 0 MB. Question is, what caused that... more likely the poor shutdown, or an MBR rootkit? If it's the latter, I can't trust the Recovery partition ever again, even if a boot flag or MBR is recoverable... agree?
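The "boot flag" GParted shows is the 0x80 status byte of a partition entry in the MBR, so it can be read directly from the live CD rather than inferred. An added example, not from this thread: a small Python parser that reports which entry holds the flag and whether that matches the layout you expect; the partition layout below and the 0x27 type for the recovery partition are constructed assumptions.

```python
import struct

# One MBR partition entry: status (0x80 = active/"boot flag"), CHS start, type byte,
# CHS end, LBA start, sector count. Little-endian, 16 bytes, four entries at offset 446.
ENTRY = struct.Struct("<B3sB3sII")

def build_mbr(entries):
    """Constructed 512-byte MBR: zeroed boot code, up to 4 entries, 0x55AA signature."""
    table = b"".join(ENTRY.pack(0x80 if act else 0x00, b"\0" * 3, ptype, b"\0" * 3, lba, n)
                     for act, ptype, lba, n in entries)
    return b"\0" * 446 + table + b"\0" * (64 - len(table)) + b"\x55\xaa"

def parse_mbr(sector):
    """Return the four primary partition entries of an MBR sector as dicts."""
    if len(sector) != 512 or sector[510:] != b"\x55\xaa":
        raise ValueError("not an MBR: bad length or missing 0x55AA signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, n = ENTRY.unpack_from(sector, 446 + 16 * i)
        parts.append({"index": i + 1, "status": status, "type": ptype, "lba": lba, "sectors": n})
    return parts

def check_active_flag(parts, expected_index):
    """Report who holds the active flag and whether that matches the layout you expect."""
    findings = []
    active = [p["index"] for p in parts if p["status"] == 0x80]
    bad = [p["index"] for p in parts if p["status"] not in (0x00, 0x80)]
    if bad:
        findings.append(f"invalid status byte on entries {bad}; many BIOSes refuse to boot")
    if not active:
        findings.append("no active partition; BIOS reports no operating system")
    elif len(active) > 1:
        findings.append(f"multiple active partitions {active}")
    elif active[0] != expected_index:
        findings.append(f"active flag is on entry {active[0]}, expected {expected_index}")
    for p in parts:
        if p["status"] == 0x80 and p["type"] == 0x00:
            findings.append(f"active entry {p['index']} has type 0x00 (empty)")
    return findings

# From a live CD the real sector would come from: dd if=/dev/sda bs=512 count=1 of=mbr.bin
# Below is a constructed layout mirroring the thread: entry 1 System (NTFS 0x07), entry 2
# Windows C: (0x07), entry 3 Recovery (0x27 hidden NTFS assumed) wrongly holding the flag.
if __name__ == "__main__":
    sample = build_mbr([(False, 0x07, 2048, 3_072_000), (False, 0x07, 3_074_048, 900_000_000),
                        (True, 0x27, 903_074_048, 21_100_000)])
    for finding in check_active_flag(parse_mbr(sample), expected_index=1):
        print("finding:", finding)
```

Comparing the output against the layout Disk Management showed before the incident tells you whether the flag really moved, independently of what either GParted or Windows reports.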
05 Jun 2013   #7
Microsoft MVP

 

It is common for some OEM machines to have the Recovery partition contain the boot files and be marked Active so it can be booted in case Recovery is needed. Others use the F8 System Recovery Options to boot Recovery which is more volatile.

So it may be required that Recovery is marked Active to run, or it may no longer run. But you can always get the vastly superior Clean Reinstall - Factory OEM Windows 7 when you're ready to settle down with a perfect install of Windows 7 which we specialize in here.

Since you can boot Windows 7 I would run a full scan with Malwarebytes, your AV and post up any questions about the findings in our Security forum if you need specialized help with rootkits. I have not yet seen the dreaded MBR virus.
06 Jun 2013   #8

Windows 7 Home 64-bit
 
 

Quote: Originally Posted by VistaKing
Please copy and paste both logs in your reply.(FRST.txt and Addition.txt)
I've attached the FRST and Additions logs (VistaKing). Seems like a useful scan to do.

They were run while booted into Windows, but I also ran another set while booted from System Repair/command line. Let me know if you'd rather look at the other set. Or if you'd prefer that I paste the logs directly into this thread. Thanks again for any thoughts.
06 Jun 2013   #9

Windows 7 Home 64-bit
 
 

Quote: Originally Posted by gregrocker
It is common for some OEM machines to have the Recovery partition contain the boot files and be marked Active so it can be booted in case Recovery is needed.
What I do know is that my Toshiba laptop's boot flag used to be on sda1 (System partition). What I don't know is if an attempt to boot from Recovery is supposed to cause that boot flag to move from there to the sda3 Recovery partition. Actually, I should test it (will let you know). The alternative explanation would be the nefarious one (rootkit), I guess!?

Quote: Originally Posted by gregrocker
Since you can boot Windows 7 I would run a full scan with Malwarebytes, your AV and post up any questions about the findings in our Security forum if you need specialized help with rootkits. I have not yet seen the dreaded MBR virus.
TDSS scan was negative. Is it possible to download MalwareBytes in an updated form? If so, I can do so on my home network from Linux. If not, I'll have to try to get to a public network, unless you think it's safe to get online here just for a few minutes from my (potentially) hacked or infected computer.

Quote: Originally Posted by gregrocker
But you can always get the vastly superior Clean Reinstall - Factory OEM Windows 7 when you're ready to settle down with a perfect install of Windows 7 which we specialize in here.
So these are trusted downloads for Windows 7 that one can burn to DVD? Very nice, especially if these ISOs are the same as the Technet website's, with the same hashes, so a person can even run checksums. Thank you!
06 Jun 2013   #10

Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
 
 

wwjd

Create a new thread in the System Security forum and upload the FRST log that you ran inside the Recovery Console (pressing F8 and choosing Repair Your Computer).