Recovery partition or MBR was damaged

wwjd · 06 Jun 2013

I was advised to post my FRST logs here... please see attached. I was booted from system repair command line for the scans. Here is the original thread describing my situation: Laptop won't boot & Recovery partition corrupt... Rootkit?

Basically, a few days ago, my Toshiba laptop's recovery partition disappeared (0GB full, and unknown RAW file format). It appeared that the boot flag had also been moved there, from the System partition. This may have been caused by either a forced powerdown gone bad, or an infection after visiting my cousin and being on her suspect network for a week. Any thoughts are appreciated.

Background FYI -- I experienced a targeted hack and RAT last year which might or might not have returned off an external drive, but I did restore this laptop's Windows 7 from Recovery partition just ~1 month ago, and I've only installed a handful of programs (bbex stands for Blueberry, which is a audio/screen recorder). No file-sharing nor any remote programs/connections are installed or allowed. I keep two separate accounts for admin and user, with strong Windows login passwords. Thanks.

cottonball · 06 Jun 2013

wwjd,

Not quite sure this is a malware issue...the laptop is able to boot to Windows 7. However, with a corrupt or missing boot sector the partition cannot be accessed.

Please take action Downloading ListParts
Save to the Desktop.

Double-click ListParts64.exe to launch the program.

At the program console, press: Scan

When done the tool produces a report on the Desktop: Result.txt
Please post the Result.txt in your reply.

Also, please Download RogueKiller (Official website)

Select the x64 version.
Click the applicable button to download.
Save to the Desktop.

Close all windows and browsers.
Right-click the downloaded file and select: Run as Administrator

At the program console, wait for the prescan to finish. (Under Status, it says: Prescan finished.)
Press: SCAN

When done, a report opens on the Desktop: RKreport.txt
Please provide the RKreport.txt (Mode: Scan) in your reply.

cottonball · 07 Jun 2013

wwjd,

Also, please download: aswMBR:
http://public.avast.com/~gmerek/aswMBR.exe
Save to the Desktop.

Right-click the downloaded file and select: Run as Administrator

Click Scan

Upon completion of the scan, click: Save log
Save it to the Desktop.

Please post the log produced by aswMBR in your reply.
Note - Do NOT attempt any fix anything!!

Also, you will notice that another file is created on the Desktop.
It is named MBR.dat. (Path on the Desktop = C:\Users\(Your User Name)\Desktop\MBR.dat)

Please submit MBR.dat for analysis to VirusTotal:
http://www.virustotal.com/

Use the 'Choose File' button to navigate to the location of the file.
(Path on the Desktop = C:\Users\(Your User Name)\Desktop\MBR.dat)

In the Choose file to upload prompt, select the file, then, click the 'Open' button.
The file is now displayed in the blank box of VirusTotal
Click: Scan It, and wait for the results.

If you get a message saying: File has already been analyzed, click: Reanalyze file now

Once scanned, please provide the link to the results page in your reply.

wwjd · 08 Jun 2013

cottonball said:

Double-click ListParts64.exe to launch the program.

Please post the Result.txt in your reply.

Also, please Download RogueKiller (Official website)

Please provide the RKreport.txt (Mode: Scan) in your reply.

Attached are the ListPart64 and RogueKiller reports. For the latter, the 1st attachment was run as Admin, and the 2nd log attachement was run as User (but prompted for the admin password, to run). I enclosed the User log as well only because this showed up on it, but didn't show up on the Admin run subsequently, after I had remembered to shut down Firefox:

¤¤¤ Bad processes : 1 ¤¤¤
[SUSP PATH] 09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe -- C:\Users\Admin\AppData\Local\Temp\09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe [7] -> KILLED [TermProc]

Also, this showed up in the Quarantine report:

[09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe.vir] -> C:\Users\Admin\AppData\Local\Temp\09BE50CA-42F2-42FA-91EF-2A8314E93ED5.exe

VirusTotal scan was inconclusive (0/47 found anything):
https://www.virustotal.com/en/file/e...is/1370725522/

Thanks.

wwjd · 08 Jun 2013

cottonball said:

Please post the log produced by aswMBR in your reply.
Note - Do NOT attempt any fix anything!!

Also, you will notice that another file is created on the Desktop.
It is named MBR.dat. (Path on the Desktop = C:\Users\(Your User Name)\Desktop\MBR.dat)

Please submit MBR.dat for analysis to VirusTotal:
Once scanned, please provide the link to the results page in your reply.

Attached is the aswMBR scan result.

Here is the link to the VirusTotal analysis of MBR.dat:
https://www.virustotal.com/en/file/f...is/1370725929/

Your help is much appreciated. Thanks!

cottonball · 08 Jun 2013

wwjd,

Thank you for providing the information.

You mention...

...my Toshiba laptop's recovery partition disappeared (0GB full, and unknown RAW file format). It appeared that the boot flag had also been moved there, from the System partition.

Normally, we should be looking at:

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 E HDDRECOVERY NTFS Partition 10 GB Healthy

ListParts is not showing a 0 GB sized partition, but it does show a RAW File System, and no Label.

Need to do some more checking on this issue...

cottonball · 09 Jun 2013

wwjd,

The partition type is showing as 07 which is NTFS. Also, there is a drive letter (E) showing.
Listparts does not see it as a formatted drive, though, and there is nothing we can do here with ListParts.

You may have to use a PartedMagic Linux BootCD containing GSmartControl and TestDisk to fix the disk.

Download Parted Magic from SourceForge.net
Save to the Desktop

InfraRecorder » Downloads
Save to tht Desktop

Place a blank CD in the CD writer drive.
Run: Infrarecorder

At the program console, click: Write Image

Next, go to the PartedMagic ISO and click: Open
Click: OK

When the CD is done it automatically ejects from the drive.

Next, boot the computer from the PartedMagic Linux BootCD.
Run gsmartcontrol.exe

Double-click the problem drive
Click: View Output

Then, provide the smartctl report in your reply.

wwjd · 11 Jun 2013

Attached is the GSmartControl output. The only 2 options to test were DVD and HD... I chose the latter, and I'm assuming it checked all 3 partitions. The test was 3.5 hours long, and it ran overnight, so the laptop might've gone to sleep at some point. But this morning, the test was finished, seemingly without problems. Let me know if you'd like me to re-run it. Thanks.

cottonball · 11 Jun 2013

wwjd,

The GSmartControl output is an area that I am not familiar with, and, hencefortth cannot interpret its results.

Please post the report in the following forum:
Hardware & Devices - Windows 7 Help Forums

Someone there may be able to help you.