Solved

After HitMan Pro scan system only boots to recovery partition

Posted on 2014-04-14
14
846 Views
Last Modified: 2014-04-22
Greetings Experts,

So not sure if I'm alone here or if this is a coincidence, but recently I have had this same exact issue on two completely different systems (one Acer laptop and one Gateway laptop) with the only common denominator being Windows 7 Home 64-bit as far as I know...

Basically I would run my routine HitMan Pro scan and in the instance of these two laptops HitMan would need to reboot in order to remove the remaining trojans. Well, after the reboot the system will only boot straight into the manufacturer's recovery partition.

Interestingly, when booting from the Windows 7 disc and navigating to "repair", it doesn't even detect an existing operating system.

So not sure if there is any simple MBR fix I could do or even what direction I need to be looking in for a solution; any input is greatly appreciated, thanks :)
0
Comment
Question by:JordyBoy100
14 Comments
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40000004
You must be careful with all software when running Windows 7 64 bit.  The 64 bit operating systems use a trick to make 32bit programs work that looks to many anti-malware programs like malware (it is a redirect of calls to the operating system).
0
 
LVL 91

Expert Comment

by:nobus
ID: 40000968
boot from a live cd, and look at what is listed on the OS partition, or post a screenshot here
here are a couple:
http://distrowatch.com/table.php?distribution=knoppix
http://www.technorms.com/8098/create-windows-7-live-cd
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40001552
If you are going to go the livecd route, I highly suggest downloading and using SARDU.  This utility lets you put everything you will ever need onto one boot device (I use a USB and it is loaded with about 30 gbs worth of tools and boot CD images).  Check out my article originally written for the former version of SARDU, but somewhat updated:

http://www.experts-exchange.com/Hardware/Storage/A_3038-Boot-Disks-UBCD-UBCD4Win-and-SARDU.html
0
 

Author Comment

by:JordyBoy100
ID: 40002545
Great input gentlemen!

In response to Sage's initial comment I guess I don't understand why this "redirect of calls" would be flagged if I was using the 64-bit version of Hitman? But regardless if/when I was to use a live environment what exactly is my objective once there?

In response to Savant I guess I don't understand what you mean by "look what is listed on the OS partition". Do you mean the file contents? The OS volume appears to be accessible and is marked as active from various partition utilities if that helps.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40002575
Some malware works by redirecting calls to operating system files to their own versions.  64 bit OSes redirect calls to 32 bit windows files to their 64 bit equivalents (basically).  To a program like Hitman that is looking for redirects this could look like malware.
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40002581
This is especially true of programs that are looking for rootkits.
0
 
LVL 91

Expert Comment

by:nobus
ID: 40003282
my name here is nobus - not savant please! - that's a rank
and yes, i mean the file and folder content - to see what actually is still there.
i had a couple of similar cases, where nearly everything was gone from the OS partition
so post a picture of the contents
0

 

Author Comment

by:JordyBoy100
ID: 40004144
Thank you for the followup Nobus (sorry about the name/rank mixup, I'm a novice :/ )

It appears the OS volume has been untouched (as far as files go). Based on some random research I think the issue might be a tampered with BCD, not sure if I'm looking in the right direction or how to go about reversing the damage even if this is the case...

OS Volume file contents
0
 
LVL 91

Expert Comment

by:nobus
ID: 40004211
i agree that everything looks fine on the OS partition
as for your asking "if there is any simple MBR fix I could do": do you have an MBR - or is it a UEFI system? there are differences
you can however change the active partition with Bootit-BM - free for what you need
download it - make the cd - and boot from it
do NOT install it on disk - hit Cancel
now select your disk - it will show all partitions
your recovery one is probably active now - change that to the OS partition - reboot to test
0
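The advice above boils down to one question: which partition entry in the MBR carries the active (0x80) flag? The following script is an added example, not something posted in the thread or part of Bootit-BM; it builds a constructed 512-byte MBR in the layout the thread describes (a hidden OEM recovery partition in front of the Windows NTFS volume), parses the partition table and reports the conditions that would send a BIOS-boot machine into the recovery environment. The partition type IDs used for "recovery" volumes are an assumption about common OEM layouts, and the sample geometry is invented.

```python
import struct
import sys

SECTOR_SIZE = 512
TABLE_OFFSET = 446        # the four 16-byte partition entries start at byte 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = 0xAA55   # bytes 510-511 are 0x55 0xAA (little-endian 0xAA55)
ACTIVE_FLAG = 0x80

# Assumption: type IDs OEMs commonly use for hidden recovery volumes.
# 0x27 is the hidden NTFS / Windows RE type; the others are hidden FAT variants.
RECOVERY_TYPES = {0x27, 0x12, 0x1C, 0x1E}

ENTRY_FMT = '<B3sB3sII'   # status, CHS start, type, CHS end, LBA start, sector count


def build_entry(status, ptype, lba_start, sectors):
    """Pack one partition entry; CHS fields are zeroed, LBA is what modern loaders use."""
    return struct.pack(ENTRY_FMT, status, bytes(3), ptype, bytes(3), lba_start, sectors)


def make_sample_mbr(active_index):
    """Constructed MBR: a 100 MiB hidden recovery partition, then a 20 GiB NTFS OS volume.

    active_index selects which slot gets the 0x80 flag; an index with no entry
    yields a table with no active partition at all.
    """
    layout = [(0x27, 2048, 204800), (0x07, 206848, 41943040)]
    table = b''.join(
        build_entry(ACTIVE_FLAG if i == active_index else 0x00, ptype, start, size)
        for i, (ptype, start, size) in enumerate(layout)
    )
    table += bytes(ENTRY_SIZE * (4 - len(layout)))          # unused slots stay zero
    return bytes(TABLE_OFFSET) + table + struct.pack('<H', BOOT_SIGNATURE)


def parse_mbr(sector):
    """Return the boot-signature check and the non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError('expected a %d-byte sector' % SECTOR_SIZE)
    signature = struct.unpack_from('<H', sector, 510)[0]
    partitions = []
    for i in range(4):
        status, _, ptype, _, start, size = struct.unpack_from(
            ENTRY_FMT, sector, TABLE_OFFSET + i * ENTRY_SIZE)
        if ptype == 0:
            continue                                        # empty slot
        partitions.append({
            'index': i,
            'active': bool(status & ACTIVE_FLAG),
            'type': ptype,
            'lba_start': start,
            'sectors': size,
        })
    return {'valid_signature': signature == BOOT_SIGNATURE, 'partitions': partitions}


def audit_mbr(sector):
    """List the reasons a BIOS machine would fail to boot the OS from this MBR."""
    info = parse_mbr(sector)
    findings = []
    if not info['valid_signature']:
        findings.append('boot signature 0x55AA missing: BIOS will not treat the disk as bootable')
    active = [p for p in info['partitions'] if p['active']]
    if not active:
        findings.append('no partition is marked active')
    elif len(active) > 1:
        findings.append('more than one partition is marked active')
    elif active[0]['type'] in RECOVERY_TYPES:
        findings.append('active partition is a hidden/recovery type (0x%02X): '
                        'the machine will boot the recovery environment instead of the OS'
                        % active[0]['type'])
    return findings


if __name__ == '__main__':
    # Usage: python mbr_audit.py <disk-or-image>  (reads the first 512 bytes, read-only)
    if len(sys.argv) == 2:
        with open(sys.argv[1], 'rb') as fh:
            sector = fh.read(SECTOR_SIZE)
    else:
        sector = make_sample_mbr(0)      # recovery partition active, as in the thread
    for p in parse_mbr(sector)['partitions']:
        print('slot %d type 0x%02X start %d sectors %d active=%s'
              % (p['index'], p['type'], p['lba_start'], p['sectors'], p['active']))
    for finding in audit_mbr(sector):
        print('finding:', finding)
```

Run it against a raw disk image taken from a live CD (or with no argument to see the constructed case). The check only covers what flipping the active flag changes; as the later posts in this thread show, the BCD store lives inside the partition and a damaged one still stops Windows from starting even when the right partition is active.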
 

Accepted Solution

by: JordyBoy100 earned 0 total points
ID: 40004216
SOLVED!

While searching around on how to "fix" the BCD I eventually stumbled upon Microsoft's Article ID: 927392 (http://support.microsoft.com/kb/927392), which explains how to use "bootrec.exe" from the command prompt in System Recovery Options. However, using a standard Windows 7 CD I wasn't able to even enter System Recovery Options, as the "Repair Your Computer" link would never even show up in the first place (assuming because it didn't detect the OS as a result of the BCD being screwed up in the first place). So I created a Windows 7 "System Recovery" flash drive just so I could access the command prompt, ran "bootrec /fixboot", rebooted and presto! Windows booted right up as normal!
0
 
LVL 26

Expert Comment

by:Thomas Zucker-Scharff
ID: 40004223
Glad to hear!  Give yourself the answer credit and I'll put it into my knowledge base.
0
 

Author Comment

by:JordyBoy100
ID: 40004232
Nobus,

Thanks again for the prompt followup and suggestions! During my initial troubleshooting I did attempt to mark the OS partition as active (as you assumed the recovery one was active). Doing this did force the system to boot to the OS partition, but it would immediately crash with some missing files error (didn't write it down). And as I'm typing this I feel I must apologize for not mentioning it in my initial description :/

As much as I appreciate everyone's contributions I'm not sure any of the suggestions "technically" were the answer but I want to fairly reward points, what is the proper etiquette/protocol for assigning reward points?
0
 
LVL 91

Expert Comment

by:nobus
ID: 40004435
all your questions on assigning points are answered in the help files - closing questions
if you found the solution - you can select your own answer as solution
if you want to award points to helpful posts, select multiple solutions, and distribute as you see fit
there's NO obligation to hand out points in this case
0
 

Author Closing Comment

by:JordyBoy100
ID: 40014365
The root of the issue ended up being with the BCD, which wasn't mentioned or suggested as a possible cause by anyone (not that our collaboration wouldn't have eventually led to it). I eventually figured it out myself after trying the other suggestions.
0
