Asked by JordyBoy100:
After HitMan Pro scan system only boots to recovery partition

Greetings Experts,

So not sure if I'm alone here or if this is a coincidence, but recently I have had this same exact issue on two completely different systems (one Acer laptop and one Gateway laptop) with the only common denominator being Windows 7 Home 64-bit as far as I know...

Basically I would run my routine HitMan Pro scan, and in the instance of these two laptops HitMan would need to reboot in order to remove the remaining trojans. Well, after the reboot the system will only boot straight into the manufacturer's recovery partition.

Interestingly, when booting from the Windows 7 disc and navigating to "repair", it doesn't even detect an existing operating system.

So not sure if there is any simple MBR fix I could do or even what direction I need to be looking for a solution; any input is greatly appreciated, thanks :)
Thomas Zucker-Scharff:
You must be careful with all software when running Windows 7 64-bit. The 64-bit operating systems use a trick to make 32-bit programs work that looks to many anti-malware programs like malware (it is a redirect of calls to the operating system).
boot from a live cd, and look what is listed on the OS partition, or post a screenshot here
here are a couple:
http://distrowatch.com/table.php?distribution=knoppix
http://www.technorms.com/8098/create-windows-7-live-cd
If you are going to go the livecd route, I highly suggest downloading and using SARDU. This utility lets you put everything you will ever need onto one boot device (I use a USB and it is loaded with about 30 GB worth of tools and boot CD images). Check out my article, originally written for the former version of SARDU, but somewhat updated:

https://www.experts-exchange.com/Hardware/Storage/A_3038-Boot-Disks-UBCD-UBCD4Win-and-SARDU.html
JordyBoy100 (asker):
Great input gentlemen!

In response to Sage's initial comment I guess I don't understand why this "redirect of calls" would be flagged if I was using the 64-bit version of Hitman? But regardless if/when I was to use a live environment what exactly is my objective once there?

In response to Savant I guess I don't understand what you mean by "look what is listed on the OS partition". Do you mean the file contents? The OS volume appears to be accessible and is marked as active from various partition utilities if that helps.
Some malware works by redirecting calls to operating system files to their own versions. 64-bit OSes redirect calls to 32-bit Windows files to their 64-bit equivalents (basically). To a program like Hitman that is looking for redirects, this could look like malware.
This is especially true of programs that are looking for rootkits.
my name here is nobus - not savant please! - that's a rank
and yes, i mean the file and folder content - to see what actually is still there.
i had a couple of similar cases, where nearly everything was gone from the OS partition
so post a picture of the contents
Thank you for the follow-up Nobus (sorry about the name/rank mixup, I'm a novice :/ )

It appears the OS volume has been untouched (as far as files go). Based on some random research I think the issue might be a tampered-with BCD; not sure if I'm looking in the right direction or how to go about reversing the damage even if this is the case...

[Screenshot of the OS partition contents]
i agree that everything looks fine on the OS partition
as for your asking "if there is any simple MBR fix I could do": do you have an MBR - or is it a UEFI system? there are differences
you can however change the active partition with Bootit-BM - free for what you need
download it - make the cd - and boot from it
do NOT install it on disk - hit Cancel
now select your disk - it will show all partitions
your recovery one is probably active now - change that to the OS partition - reboot to test
[Asker-certified solution posted by JordyBoy100; the post itself is only available to Experts Exchange members]
Glad to hear!  Give yourself the answer credit and I'll put it into my knowledge base.
Nobus,

Thanks again for the prompt follow-up and suggestions! During my initial troubleshooting I did attempt to mark the OS partition as the active one (as you assumed the recovery one was active). Doing this did force the system to boot to the OS partition, but it would immediately crash with some missing-files error (didn't write it down). And as I'm typing this I feel I must apologize for not mentioning it in my initial description :/

As much as I appreciate everyone's contributions I'm not sure any of the suggestions "technically" were the answer but I want to fairly reward points, what is the proper etiquette/protocol for assigning reward points?
all your questions on assigning points are answered in the help files - closing questions
if you found the solution - you can select your own answer as solution
if you want to award points to helpful posts, select multiple solutions, and distribute as you see fit
there's NO obligation to hand out points in this case
The root of the issue ended up being with the BCD, which wasn't mentioned or suggested as a possible cause by anyone (not that our collaboration wouldn't have eventually led to it). I eventually figured it out myself after trying the other suggestions.
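As an added example (not code from the thread or from any of its participants), here is a cmd script for the Windows 7 Recovery Environment prompt that checks the two things this thread circles around: which partition diskpart reports as active, and whether the BCD store on the OS volume exists and points at a Windows folder whose loader is present; with `/repair` it rebuilds the boot code and BCD using Microsoft's own bootrec and bcdboot. The drive letter `D:`, disk number `0`, the `/repair` switch and the legacy BIOS/MBR layout are assumptions.

```batch
@echo off
rem Added diagnostic/repair helper for the Windows 7 Recovery Environment command prompt.
rem Not from the thread; uses only Microsoft tools (diskpart, bcdedit, bootrec, bcdboot).
rem Assumptions: legacy BIOS/MBR layout (not UEFI); the OS volume is visible inside WinRE
rem as OSDRIVE (often D: there, because X: is WinRE itself); the Windows disk is disk 0.
setlocal
set OSDRIVE=D:
set DISK=0

echo === 1. Which partition on disk %DISK% is flagged active/hidden? ===
rem "detail partition" prints "Active: Yes/No" and "Hidden: Yes/No"; walk the four MBR slots.
rem Redirections are written first so a value like 0 is never parsed as a handle number.
for /l %%P in (1,1,4) do (
    > "%TEMP%\dp.txt" echo select disk %DISK%
    >> "%TEMP%\dp.txt" echo select partition %%P
    >> "%TEMP%\dp.txt" echo detail partition
    echo Partition %%P:
    diskpart /s "%TEMP%\dp.txt" | findstr /c:"Type" /c:"Hidden" /c:"Active"
)

echo === 2. Does %OSDRIVE% carry a BCD store and a Windows loader? ===
if not exist "%OSDRIVE%\Boot\BCD" (
    echo No \Boot\BCD on %OSDRIVE% - with %OSDRIVE% active, the boot manager has nothing to load.
) else (
    rem Show each entry's identifier, device/osdevice, path and the {bootmgr} default pointer.
    bcdedit /store "%OSDRIVE%\Boot\BCD" /enum all | findstr /c:"identifier" /c:"device" /c:"path" /c:"default"
)
if not exist "%OSDRIVE%\Windows\System32\winload.exe" (
    echo winload.exe is missing from %OSDRIVE%\Windows - a valid BCD alone will not boot this volume.
)

echo === 3. Optional repair (only when invoked with /repair) ===
if /i "%~1"=="/repair" (
    rem Keep a copy of the existing store before anything rewrites it.
    if exist "%OSDRIVE%\Boot\BCD" copy /y "%OSDRIVE%\Boot\BCD" "%OSDRIVE%\Boot\BCD.bak" >nul
    bootrec /fixmbr
    bootrec /fixboot
    rem rebuildbcd scans for Windows installs and asks before adding each one.
    bootrec /rebuildbcd
    rem bcdboot writes fresh boot files and a BCD for this Windows folder onto the given volume.
    bcdboot %OSDRIVE%\Windows /s %OSDRIVE%
) else (
    echo Read-only run finished. Re-run with /repair to rebuild the MBR boot code and BCD.
)
endlocal
```

Run the read-only form first; in the thread's situation, an active OS partition that still fails with a missing-files error is exactly what step 2 is meant to surface before anything is rewritten.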