Laptop won't boot & Recovery partition corrupt... Rootkit?


  1. Posts : 17
    Windows 7 Home 64-bit
       #1


    My Toshiba laptop suddenly was unable to boot to Windows 7 Home yesterday... the POST was generating an error "No operating system."

    So then I booted into Linux via a live CD. From there, I could mount my Windows C-drive and see documents still intact. However, using the app GParted to look at my hard drive, I noticed that sda3, the Toshiba Recovery Partition, was of "unknown file format."

    Also, it was missing its usual label "HDD RECOVERY" and no space was used out of its 10.08GB (usually, 9.49GB is filled). Strangely, the boot flag was set to that partition (sda3) instead of its usual location on sda1, the System partition.

    I used GParted to move the boot flag back to sda1, and after that, the laptop was able to boot to Win7 again. However, Disk Management showed that the recovery partition was of "RAW" file format with 0GB used.

    Any clue on whether this was caused by a destructive trojan or MBR rootkit? Perhaps attempting to hide in the recovery partition? I just returned from a 1-week visit to my cousin's house, which has a "suspect" network... she had 40 trojans removed from her laptop a month before. I was getting a few script error messages while on the internet there.

    Or was this related to hardware failure? FYI, I did have a poor shutdown from Linux live CD right before (CD was ejected too early, shutdown failed, and I had to force Power button down. But after that, I cleared the memory with an unplug and battery removal). Could that mess up the MBR/boot AND corrupt an entire partition? I doubt it, as Linux was booted off a CD into memory, not installed.

    I can no longer use the non-existent recovery partition to reinstall Windows7 (and wouldn't trust the hard drive without a 0-fill wipe first, anyway), but thankfully, I made 3 recovery DVDs last year. I just need to run those, correct? Thanks.
    Last edited by wwjd; 08 Jun 2013 at 16:10.


  2. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #2

    Do you get the Repair Your Computer option when you press F8 during boot? Also, do you have a USB flash drive?

    Warning: You will need a USB flash drive.

    Tip: Download the tool from a non-infected PC.


    Download Farbar Recovery Scan Tool


    64-bit version OS: Farbar Recovery Scan Tool x64


    Plug the flash drive into the infected PC.

    Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    Restart the computer.
    As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    Use the arrow keys to select the Repair your computer menu item.
    Select US as the keyboard language settings, and then click Next.
    Select the operating system you want to repair, and then click Next.
    Select your user account and click Next.

    To enter System Recovery Options by using Windows installation disc:
    Insert the installation disc.
    Restart your computer.
    If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    Click Repair your computer.
    Select US as the keyboard language settings, and then click Next.
    Select the operating system you want to repair, and then click Next.
    Select your user account and click Next.

    On the System Recovery Options menu you will get the following options:
    Startup Repair

    System Restore

    Windows Complete PC Restore

    Windows Memory Diagnostic Tool

    Command Prompt

    Select Command Prompt

    In the command window type Z:\FRST64.exe and press Enter.

    Note: Replace letter Z with the drive letter of your flash drive.

    Tip: Type the commands below to see what your letter is for the USB drive, and press Enter after each command:

    Code:
    Diskpart
    List volume
    The tool will start to run.
    When the tool opens, click Yes to the disclaimer.
    Press the Scan button.
    FRST will let you know when the scan is complete and has written FRST.txt to file.
    Please copy and paste both logs in your reply (FRST.txt and Addition.txt).


  3. Posts : 17
    Windows 7 Home 64-bit
    Thread Starter
       #3

    "Do you get the Repair Your Computer option when you press F8 during boot?" No, I wasn't getting anything except the message "no operating system." There was no progress in boot at all.

    Thanks for the FRST64.exe suggestion... What is the purpose of this scan?

    I don't have a spare flash drive to sacrifice at this very moment (and don't trust plugging my other USB drives into this laptop). However, I'm booted into a Linux live CD and can download the exe... If I save the executable onto my C-drive, can I still follow your directions and run the scan from that filepath instead?

    By the way, I had mentioned that I moved the boot flag to sda1, and the laptop now boots. Should I move the boot flag back to sda3, just for this scan? Or should I just run Avast or TDSS Killer while booted into Windows offline? That said, anti-virus scans are fairly useless when rootkits are present.
    Last edited by wwjd; 04 Jun 2013 at 19:32.


  4. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #4

    You could try to run TDSSKiller. The FRST64 scan was to check for viruses, to find out why you're not able to boot into your desktop.

  5.    #5

    Work through the steps for Troubleshooting Windows 7 Failure to Start

    It would help to have a drive map snap of Partition Wizard bootable CD. If Recovery is truly ruined and the Boot flag on the Linux boot disk means that the System Active flags were there, then you might be able to start Win7 by Marking 7 Partition Active to run Startup Repair - Run up to 3 Separate Times.

    However if the OS is heavily infected it might not repair until disinfected so work through the steps in the tutorial in order to disinfect then repair system files and attempt to repair the boot. If that fails there are steps to rescue your files then get the superior Clean Reinstall - Factory OEM Windows 7


  6. Posts : 17
    Windows 7 Home 64-bit
    Thread Starter
       #6

    I will try the suggestions above: FRST64, TDSS, and Windows 7 troubleshooting, and report back results.

    Any thoughts on why or how my boot flag got moved from sda1 (system) to sda3 (recovery)? Was it simply because I had just tried booting from the Recovery partition; will such action cause the boot flag to move? Just wondering, because a boot flag move can also be nefarious... here's an interesting article about TDL4 Rootkit: http://secure-computer-solutions.com...he_part_1.html

    Is the purpose of Partition Wizard to move the boot flag to a working partition?

    As mentioned in my post, I actually AM able to boot to Win7 again if I use GParted to move the boot flag back to sda1 (system) from sda3 (recovery), probably because the latter partition is, I suspect, corrupted. It shows as "RAW" or unknown file format and takes up 0 MB. Question is, what caused that... more likely the poor shutdown, or an MBR rootkit? If it's the latter, I can't trust the Recovery partition ever again, even if a boot flag or MBR is recoverable... agree?
    Last edited by wwjd; 04 Jun 2013 at 19:33.

  7.    #7

    It is common for some OEM machines to have the Recovery partition contain the boot files and be marked Active so it can be booted in case Recovery is needed. Others use the F8 System Recovery Options to boot Recovery, which is more volatile.

    So it may be required that Recovery is marked Active to run, or it may no longer run. But you can always get the vastly superior Clean Reinstall - Factory OEM Windows 7 when you're ready to settle down with a perfect install of Win7 which we specialize in here.

    Since you can boot Win7 I would run a full scan with Malwarebytes, your AV and post up any questions about the findings in our Security forum if you need specialized help with rootkits. I have not yet seen the dreaded MBR virus.
    Last edited by gregrocker; 06 Jun 2013 at 00:50.
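The question in posts #6 and #7 is whether the active (boot) flag on this disk moved to the Recovery partition legitimately or not. The added example below is not from the thread or from any of the tools it mentions: it parses the 64-byte partition table of a classic MBR sector, reports which entry carries the 0x80 active flag, flags anything other than exactly one valid active entry at the index you expect (1 for the System partition described above), and hashes the 446-byte boot code so it can be compared against a copy taken while the disk was known good. The two sample MBRs are constructed, not the poster's real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # the 64-byte partition table follows the 446-byte boot code
ACTIVE = 0x80             # status byte of the entry carrying the boot ("active") flag
ENTRY_FMT = "<B3xB3xII"   # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors

def parse_mbr(mbr):
    """Return the four primary partition entries of a classic MBR as dicts."""
    if len(mbr) != SECTOR_SIZE or mbr[510:512] != b"\x55\xaa":
        raise ValueError("not an MBR sector: wrong length or missing 0x55AA signature")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, TABLE_OFFSET + 16 * i)
        entries.append({"index": i + 1, "status": status, "type": ptype, "lba_start": lba, "sectors": count})
    return entries

def check_boot_flag(mbr, expected_active):
    """List deviations of the active flag from the layout you expect; [] means all as expected."""
    entries = parse_mbr(mbr)
    findings = ["partition %d has invalid status byte 0x%02x" % (e["index"], e["status"])
                for e in entries if e["status"] not in (0x00, ACTIVE)]
    active = [e for e in entries if e["status"] == ACTIVE]
    if not active:
        findings.append("no partition is marked active")
    elif len(active) > 1:
        findings.append("more than one partition is marked active")
    elif active[0]["index"] != expected_active:
        findings.append("active flag is on partition %d, expected %d"
                        % (active[0]["index"], expected_active))
    return findings

def boot_code_sha256(mbr):
    """Hash of the boot code only, for comparison with a copy saved while the disk was known good."""
    return hashlib.sha256(mbr[:TABLE_OFFSET]).hexdigest()

def build_mbr(parts):
    """Build a sample MBR (zeroed boot code) from (status, type, lba_start, sectors) tuples."""
    sector = bytearray(SECTOR_SIZE)
    for i, part in enumerate(parts):
        struct.pack_into(ENTRY_FMT, sector, TABLE_OFFSET + 16 * i, *part)
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)

# Constructed three-partition layouts (System, Windows, Recovery); sizes are made up.
GOOD_MBR = build_mbr([(0x80, 0x07, 2048, 3072000), (0x00, 0x07, 3074048, 900000000),
                      (0x00, 0x07, 903074048, 21000000)])
MOVED_MBR = build_mbr([(0x00, 0x07, 2048, 3072000), (0x00, 0x07, 3074048, 900000000),
                       (0x80, 0x07, 903074048, 21000000)])   # same table, flag now on partition 3
```

On the Linux live CD the real sector is the first 512 bytes of /dev/sda, read as root; an unchanged boot-code hash with a moved flag points at the partition table rather than the boot code having been rewritten, while a changed hash is worth investigating before trusting the disk again.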


  8. Posts : 17
    Windows 7 Home 64-bit
    Thread Starter
       #8

    VistaKing said:
    Please copy and paste both logs in your reply.(FRST.txt and Addition.txt)
    I've attached the FRST and Additions logs (VistaKing). Seems like a useful scan to do.

    They were run while booted into Windows, but I also ran another set while booted from System Repair/command line. Let me know if you'd rather look at the other set. Or if you'd prefer that I paste the logs directly into this thread. Thanks again for any thoughts.


  9. Posts : 17
    Windows 7 Home 64-bit
    Thread Starter
       #9

    gregrocker said:
    It is common for some OEM machines to have the Recovery partition contain the boot files and be marked Active so it can be booted in case Recovery is needed.
    What I do know is that my Toshiba laptop's boot flag used to be on sda1 (System partition). What I don't know is if an attempt to boot from Recovery is supposed to cause that boot flag to move from there to the sda3 Recovery partition. Actually, I should test it (will let you know). The alternative explanation would be the nefarious one (rootkit), I guess!?

    gregrocker said:
    Since you can boot Win7 I would run a full scan with Malwarebytes, your AV and post up any questions about the findings in our Security forum if you need specialized help with rootkits. I have not yet seen the dreaded MBR virus.
    TDSS scan was negative. Is it possible to download MalwareBytes in an updated form? If so, I can do so on my home network from Linux. If not, I'll have to try to get to a public network, unless you think it's safe to get online here just for a few minutes from my (potentially) hacked or infected computer.

    gregrocker said:
    But you can always get the vastly superior Clean Reinstall - Factory OEM Windows 7 when you're ready to settle down with a perfect install of Win7 which we specialize in here.
    So these are trusted downloads for Windows 7 that one can burn to DVD? Very nice, especially if these ISOs are the same as the TechNet website's, with the same hashes, so a person can even run checksums. Thank you!


  10. Posts : 6,830
    Windows 7 Ultimate 32-Bit & Windows 7 Ultimate 64-Bit
       #10

    wwjd

    Create a new thread inside the System Security forum and upload the FRST log that you ran inside the Recovery Console (pressing F8 and choosing Repair Your Computer).

