Windows 7 Forums

Welcome to Windows 7 Forums. Our forum is dedicated to helping you find support and solutions for any problems regarding your Windows 7 PC be it Dell, HP, Acer, Asus or a custom build. We also provide an extensive Windows 7 tutorial section that covers a wide range of tips and tricks.


Windows 7: Recovery partition or MBR was damaged

06 Jun 2013   #1
wwjd

Windows 7 Home 64-bit
 
 
Recovery partition or MBR was damaged

I was advised to post my FRST logs here... please see attached. I was booted from system repair command line for the scans. Here is the original thread describing my situation: Laptop won't boot & Recovery partition corrupt... Rootkit?

Basically, a few days ago, my Toshiba laptop's recovery partition disappeared (0GB full, and unknown RAW file format). It appeared that the boot flag had also been moved there, from the System partition. This may have been caused by either a forced powerdown gone bad, or an infection after visiting my cousin and being on her suspect network for a week. Any thoughts are appreciated.

Background FYI -- I experienced a targeted hack and RAT last year which might or might not have returned off an external drive, but I did restore this laptop's Windows 7 from Recovery partition just ~1 month ago, and I've only installed a handful of programs (bbex stands for Blueberry, which is a audio/screen recorder). No file-sharing nor any remote programs/connections are installed or allowed. I keep two separate accounts for admin and user, with strong Windows login passwords. Thanks.


My System SpecsSystem Spec
.
06 Jun 2013   #2
cottonball

Windows 7 Home Premium
 
 

wwjd,

Not quite sure this is a malware issue...the laptop is able to boot to Windows 7. However, with a corrupt or missing boot sector the partition cannot be accessed.


Please take action Downloading ListParts
Save to the Desktop.

Double-click ListParts64.exe to launch the program.

At the program console, press: Scan

When done the tool produces a report on the Desktop: Result.txt
Please post the Result.txt in your reply.


Also, please Download RogueKiller (Official website)

Select the x64 version.
Click the applicable button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click the downloaded file and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN

When done, a report opens on the Desktop: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.
My System SpecsSystem Spec
07 Jun 2013   #3
cottonball

Windows 7 Home Premium
 
 

wwjd,


Also, please download: aswMBR:
http://public.avast.com/~gmerek/aswMBR.exe
Save to the Desktop.

Right-click the downloaded file and select: Run as Administrator

Click Scan

Upon completion of the scan, click: Save log
Save it to the Desktop.

Please post the log produced by aswMBR in your reply.
Note - Do NOT attempt any fix anything!!



Also, you will notice that another file is created on the Desktop.
It is named MBR.dat. (Path on the Desktop = C:\Users\(Your User Name)\Desktop\MBR.dat)

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Choose File' button to navigate to the location of the file.
(Path on the Desktop = C:\Users\(Your User Name)\Desktop\MBR.dat)

In the Choose file to upload prompt, select the file, then, click the 'Open' button.
The file is now displayed in the blank box of VirusTotal
Click: Scan It, and wait for the results.

If you get a message saying: File has already been analyzed, click: Reanalyze file now

Once scanned, please provide the link to the results page in your reply.
My System SpecsSystem Spec
.

08 Jun 2013   #4
wwjd

Windows 7 Home 64-bit
 
 

Quote   Quote: Originally Posted by cottonball View Post
Double-click ListParts64.exe to launch the program.

Please post the Result.txt in your reply.


Also, please Download RogueKiller (Official website)

Please provide the RKreport.txt (Mode: Scan) in your reply.
Attached are the ListPart64 and RogueKiller reports. For the latter, the 1st attachment was run as Admin, and the 2nd log attachement was run as User (but prompted for the admin password, to run). I enclosed the User log as well only because this showed up on it, but didn't show up on the Admin run subsequently, after I had remembered to shut down Firefox:
Bad processes : 1
[SUSP PATH] 09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe -- C:\Users\Admin\AppData\Local\Temp\09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe [7] -> KILLED [TermProc]
Also, this showed up in the Quarantine report:
[09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe.vir] -> C:\Users\Admin\AppData\Local\Temp\09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe
VirusTotal scan was inconclusive (0/47 found anything):
https://www.virustotal.com/en/file/e...is/1370725522/

Thanks.


Attached Files
File Type: txt ListParts64 2013-06-08 Result.txt (6.4 KB, 6 views)
File Type: txt RKreport_S_06082013_02d1552 (logged in as Admin).txt (1.4 KB, 2 views)
File Type: txt RKreport[1]_S_06082013_02d1540.txt (1.6 KB, 3 views)
File Type: txt QuarantineReport.txt (250 Bytes, 2 views)
My System SpecsSystem Spec
08 Jun 2013   #5
wwjd

Windows 7 Home 64-bit
 
 

Quote   Quote: Originally Posted by cottonball View Post

Please post the log produced by aswMBR in your reply.
Note - Do NOT attempt any fix anything!!


Also, you will notice that another file is created on the Desktop.
It is named MBR.dat. (Path on the Desktop = C:\Users\(Your User Name)\Desktop\MBR.dat)

Please submit MBR.dat for analysis to VirusTotal:
Once scanned, please provide the link to the results page in your reply.
Attached is the aswMBR scan result.

Here is the link to the VirusTotal analysis of MBR.dat:
https://www.virustotal.com/en/file/f...is/1370725929/

Your help is much appreciated. Thanks!


Attached Files
File Type: txt aswMBR 2013-06-08 scan.txt (2.1 KB, 3 views)
My System SpecsSystem Spec
08 Jun 2013   #6
cottonball

Windows 7 Home Premium
 
 

wwjd,

Thank you for providing the information.

You mention...
Quote:
...my Toshiba laptop's recovery partition disappeared (0GB full, and unknown RAW file format). It appeared that the boot flag had also been moved there, from the System partition.
Normally, we should be looking at:

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E HDDRECOVERY NTFS Partition 10 GB Healthy

ListParts is not showing a 0 GB sized partition, but it does show a RAW File System, and no Label.

Need to do some more checking on this issue...
My System SpecsSystem Spec
09 Jun 2013   #7
cottonball

Windows 7 Home Premium
 
 

wwjd,

The partition type is showing as 07 which is NTFS. Also, there is a drive letter (E) showing.
Listparts does not see it as a formatted drive, though, and there is nothing we can do here with ListParts.

You may have to use a PartedMagic Linux BootCD containing GSmartControl and TestDisk to fix the disk.

Download Parted Magic from SourceForge.net
Save to the Desktop

InfraRecorder Downloads
Save to tht Desktop

Place a blank CD in the CD writer drive.
Run: Infrarecorder

At the program console, click: Write Image

Next, go to the PartedMagic ISO and click: Open
Click: OK

When the CD is done it automatically ejects from the drive.

Next, boot the computer from the PartedMagic Linux BootCD.
Run gsmartcontrol.exe

Double-click the problem drive
Click: View Output

Then, provide the smartctl report in your reply.
My System SpecsSystem Spec
11 Jun 2013   #8
wwjd

Windows 7 Home 64-bit
 
 

Attached is the GSmartControl output. The only 2 options to test were DVD and HD... I chose the latter, and I'm assuming it checked all 3 partitions. The test was 3.5 hours long, and it ran overnight, so the laptop might've gone to sleep at some point. But this morning, the test was finished, seemingly without problems. Let me know if you'd like me to re-run it. Thanks.


Attached Files
File Type: txt Portege 2013-06-11 GSmartControl tests.txt (9.5 KB, 3 views)
My System SpecsSystem Spec
11 Jun 2013   #9
cottonball

Windows 7 Home Premium
 
 

wwjd,

The GSmartControl output is an area that I am not familiar with, and, hencefortth cannot interpret its results.


Please post the report in the following forum:
Hardware & Devices - Windows 7 Help Forums

Someone there may be able to help you.
My System SpecsSystem Spec
Reply

 Recovery partition or MBR was damaged




Thread Tools Search this Thread
Search this Thread:

Advanced Search




Similar help and support threads
Thread Forum
Cannot recover damaged MFT on a TrueCrypt partition
I've been using TrueCrypt 7.0a to encrypt the partitions on my external and internal hard drives for quite some time now. In fact, because I had no other available space, I copied a disc iso to one such partition just last night. This morning, however, when I try to mount and access that...
General Discussion
MBR damaged and Win7 System Recovery menu doesn't see an operating sys
Hi everyone, I'll keep it short and to the point. What I had initially: What I did: Now, Problem: MBR got damaged as win XP partition was formatted (which had bootloader) and thus I can't login to win 7 from Ubuntu Grub.
Installation & Setup
MBR damaged, partition unknown
Hi all, It happened all at once, I restarted my asus K52E with windows 7 x64 and a black page with a blinking underscore was shown, indicating a damaged mbr. The recovery partition is not accessible. I tried all the Win7 mbr recovery (with the command prompt of the win7 installation disk)...
Installation & Setup
ubuntu damaged my windows partition
Now I can't boot from the harddrive at all,even after reinstallng windows. history. I installed a new drive and since I need to test apps on multiple operating systems, I install several windows versions. I spend two weeks installing many windows versions, then updating and installing...
Installation & Setup
Recover damaged partition
A friend brought over a hard drive from a damaged laptop. I put it in an enclosure and connected it to my computer. The drive spins up but is not recognized by Windows. Disk Management sees the partition and says it is not initialized, but when I tell it to initialize it, it says "the device is not...
General Discussion


Our Sites

Site Links

About Us

Find Us

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

Designer Media Ltd

All times are GMT -5. The time now is 03:58.

Twitter Facebook Google+



Windows 7 Forums

Seven Forums Android App Seven Forums IOS App