Help to recover win7 installation

coffee

I had a computer come back on me with a rootkit in it. I did a long scan with the Kaspersky boot disk and it found the rootkit and got rid of it. Now, Win7 begins to boot and displays the Win7 splash screen, then I get a quick DOS-type screen error message that is so fast it's unreadable. Then the system just reboots. I have tried to boot into safe mode but cannot get there. Pressing F8 brings me to a restore or boot normally option. Restore to earlier version fails.

I'm thinking it's something in the registry that is screwed up. I have tried the repair option but that does not fix it.

Anyone have some ideas or just backup important files and nuke it all?

Thanks,
 
Ok, I'll research that. I did take a webcam and hooked it up to my laptop and recorded the boot sequence, hopefully to get a snapshot of the error message. But it didn't work out at all, too blurry. Worth a try though :D

I'm on it, I'll check it out. Thanks for the quick reply.
 
sfc /scannow /offbootdir=d:\ /offwindir=d:\windows

No problems found. I'm thinking I'm gonna have to nuke it. But I'd sure like to know what the problem is. I think I will look in the windows folder for a possible log file perhaps...
 
Don't nuke yet. Press F8 and then Disable Automatic Restart on System Failure. Let me know what it says. Is it 0x7b?

Also, what was the rootkit and what file/MBR did it infect?
 
Don't nuke yet. Press F8 and then Disable Automatic Restart on System Failure. Let me know what it says. Is it 0x7b?

Also, what was the rootkit and what file/MBR did it infect?

Problem is, hitting F8 gives me 2 options: 1. Run Restore, and 2. Boot normally.

?????

Ran an sfc on the mounted Win7 drive and it found no errors. I'm kinda lost here.

To recap, Kaspersky boot disk found the rootkit and I chose disinfect it. Then Windows reboots, splash screen and then automatic reboot.

I really don't want to have to back up this drive as I'm running low on disk space on my RAID. I suppose I could grab important files and save them, but I would rather fix this problem and learn from it.

chkdsk reported no problems with drive. sfc - no problem there. Cannot do a restore it errors out.

????
 
I know you said a restore fails, but have you tried booting to the Windows disk and selecting repair your computer, who knows it might work once in awhile.
 
HEY, Got it to go into the boot options when hitting F8. I did "do not stop on errors".

STOP: 0x0(etc...) 007B

Finally starting to make headway here. ....

Thanks so far everyone. Gotta get this done today for customer. They are not in a hurry but it looks bad if I have this thing in the shop too long...
 
Don't nuke yet. Press F8 and then Disable Automatic Restart on System Failure. Let me know what it says. Is it 0x7b?

Also, what was the rootkit and what file/MBR did it infect?

Stupid me, I was in a bit of a hurry and didn't notice where the infection was. Just hit disinfect. Hard lesson learned. But now I am getting the 0x7b error. Gonna google that thing.
:)
 
Hey,

Check out my post on this issue here:

http://triplescomputers.com/blog/?p=81

You were likely dealing with an SST/Pihar variant which creates a hidden/encrypted partition at the end of the drive. That post should solve it for you!

Oh Great One, I bow my essence to your computer manhood. I humble my feeble body to your greatness. All others lurch in your presence!!!!!!!!

IT WORKED!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

You ROCK.!


**** I do understand partially what I was doing. Repairing the device definitions for Windows booting, I guess. But anyways, I never did see a hidden partition (thus hidden??); even booting into Linux and checking partitions that way didn't help. Interesting...
 
It could have simply been a borked BCD. It happens a lot these days with the modern rootkits unfortunately. It most certainly was TDL family however... probably SST.a or SST.b. Pihar creates the hidden partition, SST does not.

Glad to hear it worked for you! :D
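The "borked BCD" case above, as an added example that is not from this thread or the linked blog post: from a WinRE or install-disc command prompt, back up the offline BCD store, inspect it, and point the boot manager and loader entries back at the Windows volume. It assumes the offline Windows volume is mounted as D: (as in the sfc command earlier in the thread) and that the store is at D:\Boot\BCD; if the machine has a separate System Reserved partition, use the letter WinRE assigned to that partition instead.

```batch
@echo off
REM Added example, not the thread's or the blog's own steps.
REM Assumption: offline Windows 7 volume is D: and the BCD store is D:\Boot\BCD.
set WINVOL=D:
set STORE=%WINVOL%\Boot\BCD

REM 1. Back up the store before editing it, so any mistake can be undone.
copy "%STORE%" "%STORE%.bak"

REM 2. List every entry. After a rootkit cleanup, a 0x7B (INACCESSIBLE_BOOT_DEVICE)
REM    often shows "device" / "osdevice" as unknown or pointing at a partition
REM    that no longer exists.
bcdedit /store "%STORE%" /enum all

REM 3. Repoint the boot manager and the default loader entry at the Windows volume.
bcdedit /store "%STORE%" /set {bootmgr} device partition=%WINVOL%
bcdedit /store "%STORE%" /set {default} device partition=%WINVOL%
bcdedit /store "%STORE%" /set {default} osdevice partition=%WINVOL%

REM 4. Confirm the loader entry now names the right partition.
bcdedit /store "%STORE%" /enum {default}

REM 5. If the store is too damaged to edit, rebuild it from the install disc instead:
REM    bootrec /fixmbr
REM    bootrec /fixboot
REM    bootrec /rebuildbcd
```

Step 3 is the "device definitions" repair the poster describes; run step 5 only if step 3 still leaves the entries broken, since /rebuildbcd discards any custom entries in the store.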
 

It could have simply been a borked BCD. It happens a lot these days with the modern rootkits unfortunately. It most certainly was TDL family however... probably SST.a or SST.b. Pihar creates the hidden partition, SST does not.

Glad to hear it worked for you! :D

Well, it worked greatly. I'm very grateful for your post. I was almost ready to launch a nuke on it and reinstall. But this is great. A bit more cleanup on the O/S and I can get this back out to the customer.

My many thanks,
 