Win 7 MBR Issue? "System Repair Not Successful"

Mr.Mike

Greetings all.

My client reported a virus had infected his Win 7 computer. So I showed up with my trusty D7 USB (shout out to Nick-Foolishit!), fired up safe mode, and ran the latest malware scans (MWB, SAS, etc.), including MWB Root Kit. Then I ran the full D7 maintenance suite. After shut down and restart, the OS fails to boot. The machine keeps reboot/looping from frozen splash screen. :mad:

Here's what I've already done to resolve this one:

1. Backed up the ailing HDD.

2. Ran System Repair from Win 7 retail disk. Result: "System Repair not successful"

3. Ran System Recovery. Result: "System Recovery not possible"

4. Tried to Restore from earlier time. Result: No restore points.

5. Ran Windows diagnostics. Result: "Operating system files were changed/altered so that windows will not start."

6. Ran chkdsk /r and rebooted. Result: "The boot selection failed because a required device is inaccessible. Error: 0xc000000f."

7. Searched these forums and found advice to check whether the AHCI had been changed to IDE. Result: Nope

8. Slaved the drive on my bench machine.

9. Ran onboard BIOS SMART Self Test. Result: No Problems

10. Ran GSmartcontrol short and extended tests. Result: No Problems

11. Ran CrystalDiskInfo for grins. Result: No Problems.

12. Swapped out Memory Modules with known good memory. Result: No change.

13. Ran MemTest86. Result: Passed.

Before I try FIXMBR, does anyone else have any ideas about where to go next? :confused:

Thanks ahead of time for your responses.
 
I hope you're doing this all from the backup image that has been deployed onto a different hard drive.

If not you might be killing the original drive....
 
Boot from a Linux disk and use Gparted to make sure there aren't any partitions that don't belong.

What's the brand/model of the computer? At what point did you back up the drive?

What malware did this thing get hit with?
 
1. Backed up the ailing HDD.
[...]
10. Ran GSmartcontrol short and extended tests. Result: No Problems

Either you are misusing "Ailing" or you have a contradiction here.

Please post the SMART info that GSmartcontrol finds; it should be a text file that says "smartctl" at the top.
 
Thanks for your comment.

If you read #1, I made a backup.

Thanks for the reminder.

Out.

I read the entire post. I understand that you made a backup image.


Your post doesn't say if you made a clone of the drive onto another physical drive and were trying to fix the clone or if you were still working with the original drive. Aside from possibly killing the original drive, there are worse things that could happen, such as you actually fixing the drive to the point where it will boot and then it dies shortly after the customer gets the machine back.
 
I hope you're doing this all from the backup image that has been deployed onto a different hard drive.

If not you might be killing the original drive....

Your point is well taken. I am using a drive that I cloned with Clonezilla (sorry, I should have said "cloned" in initial post). Thank you.
 
Boot from a Linux disk and use Gparted to make sure there aren't any partitions that don't belong.

What's the brand/model of the computer? At what point did you back up the drive?

What malware did this thing get hit with?

There are three partitions on the drive. I will take closer look at each one after I do some more testing.

The computer is an HP P6000 series with a 1Tb HDD and an AMD quad-core processor.

My antivirus sweeps found no malware, but I'm not convinced it wasn't malware that screwed up the MBR. I have decided to run GSmartcontrol again and will post the result as requested by Ccomp5950.
 
Either you are misusing "Ailing" or you have a contradiction here.

Please post the SMART info that GSmartcontrol finds; it should be a text file that says "smartctl" at the top.

Here is the smartctl report text:

smartctl 5.41 2011-06-09 r3365 [i686-w64-mingw32-win7(64)-sp1] (sf-win32-5.41-1)
Copyright (C) 2002-11 by Bruce Allen, http://smartmontools.sourceforge.net

=== START OF INFORMATION SECTION ===
Model Family: Hitachi Deskstar 7K1000.C
Device Model: Hitachi HDS721010CLA332
Serial Number: JP2940HD1JBYGC
LU WWN Device Id: 5 000cca 373d58a4d
Firmware Version: JP4OA3GC
User Capacity: 1,000,204,886,016 bytes [1.00 TB]
Sector Size: 512 bytes logical/physical
Device is: In smartctl database [for details use: -P show]
ATA Version is: 8
ATA Standard is: ATA-8-ACS revision 4
Local Time is: Fri Jun 14 14:04:32 2013 PDT
SMART support is: Available - device has SMART capability.
SMART support is: Enabled

=== START OF READ SMART DATA SECTION ===
SMART overall-health self-assessment test result: PASSED

General SMART Values:
Offline data collection status: (0x84) Offline data collection activity
was suspended by an interrupting command from host.
Auto Offline Data Collection: Enabled.
Self-test execution status: ( 0) The previous self-test routine completed
without error or no self-test has ever
been run.
Total time to complete Offline
data collection: ( 9988) seconds.
Offline data collection
capabilities: (0x5b) SMART execute Offline immediate.
Auto Offline data collection on/off support.
Suspend Offline collection upon new
command.
Offline surface scan supported.
Self-test supported.
No Conveyance Self-test supported.
Selective Self-test supported.
SMART capabilities: (0x0003) Saves SMART data before entering
power-saving mode.
Supports SMART auto save timer.
Error logging capability: (0x01) Error logging supported.
General Purpose Logging supported.
Short self-test routine
recommended polling time: ( 2) minutes.
Extended self-test routine
recommended polling time: ( 167) minutes.
SCT capabilities: (0x003d) SCT Status supported.
SCT Error Recovery Control supported.
SCT Feature Control supported.
SCT Data Table supported.

SMART Attributes Data Structure revision number: 16
Vendor Specific SMART Attributes with Thresholds:
ID# ATTRIBUTE_NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
1 Raw_Read_Error_Rate 0x002f 100 075 016 Pre-fail Always - 0
2 Throughput_Performance 0x0027 135 100 054 Pre-fail Always - 98
3 Spin_Up_Time 0x0023 117 100 024 Pre-fail Always - 321 (Average 325)
4 Start_Stop_Count 0x0022 100 100 000 Old_age Always - 98
5 Reallocated_Sector_Ct 0x0033 100 100 005 Pre-fail Always - 0
7 Seek_Error_Rate 0x002f 100 100 067 Pre-fail Always - 0
8 Seek_Time_Performance 0x0025 138 100 020 Pre-fail Offline - 31
9 Power_On_Hours 0x0032 097 097 000 Old_age Always - 21952
10 Spin_Retry_Count 0x0033 100 100 060 Pre-fail Always - 0
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 89
183 Runtime_Bad_Block 0x0032 100 100 000 Old_age Always - 0
184 End-to-End_Error 0x0033 100 100 097 Pre-fail Always - 0
185 Unknown_Attribute 0x0032 100 100 000 Old_age Always - 65535
187 Reported_Uncorrect 0x0032 100 100 000 Old_age Always - 0
188 Command_Timeout 0x0032 095 095 000 Old_age Always - 207
189 High_Fly_Writes 0x0032 100 100 000 Old_age Always - 0
190 Airflow_Temperature_Cel 0x0022 060 059 000 Old_age Always - 40 (Min/Max 18/41)
192 Power-Off_Retract_Count 0x0032 100 100 000 Old_age Always - 114
193 Load_Cycle_Count 0x0032 100 100 000 Old_age Always - 114
194 Temperature_Celsius 0x0002 150 146 000 Old_age Always - 40 (Min/Max 18/41)
196 Reallocated_Event_Count 0x0032 100 100 000 Old_age Always - 0
197 Current_Pending_Sector 0x0032 100 100 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0030 100 100 000 Old_age Offline - 0
199 UDMA_CRC_Error_Count 0x0032 200 200 000 Old_age Always - 0

SMART Error Log Version: 0
No Errors Logged

SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed without error 00% 21952 -
# 2 Short captive Completed without error 00% 21947 -
# 3 Extended offline Aborted by host 90% 21947 -
# 4 Short offline Completed without error 00% 21947 -
# 5 Extended offline Interrupted (host reset) 90% 1 -

SMART Selective self-test log data structure revision number 1
SPAN MIN_LBA MAX_LBA CURRENT_TEST_STATUS
1 0 0 Not_testing
2 0 0 Not_testing
3 0 0 Not_testing
4 0 0 Not_testing
5 0 0 Not_testing
Selective self-test flags (0x0):
After scanning selected spans, do NOT read-scan remainder of disk.
If Selective self-test is pending on power-up, resume after 0 minute delay.

So it seems to have passed again. This seems to point to a bad MBR. What do you think?
 
4 Start_Stop_Count 0x0022 100 100 000 Old_age Always - 98
9 Power_On_Hours 0x0032 097 097 000 Old_age Always - 21952
12 Power_Cycle_Count 0x0032 100 100 000 Old_age Always - 89

This guy doesn't turn off his computer much, and this hard drive has been active for ~2.5 years


5 Reallocated_Sector_Ct 0x0033 100 100 005 Pre-fail Always - 0
196 Reallocated_Event_Count 0x0032 100 100 000 Old_age Always - 0

No reallocated sectors...

197 Current_Pending_Sector 0x0032 100 100 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0030 100 100 000 Old_age Offline - 0

...still looking great

SMART Error Log Version: 0
No Errors Logged

No errors

SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Extended offline Completed without error 00% 21952 -
# 2 Short captive Completed without error 00% 21947 -
# 3 Extended offline Aborted by host 90% 21947 -
# 4 Short offline Completed without error 00% 21947 -
# 5 Extended offline Interrupted (host reset) 90% 1 -

Has passed every test it's been allowed to complete.


...It's not the hard drive, that's a perfectly healthy drive. Not Ailing.

Run the MBR fix if you like, keep in mind it will remove the ability to use the restore partition easily.
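
The checks made in the reply above, written out as an added example that is not part of the thread: it reads smartctl attribute rows and reports any attribute that is marked failed, has a normalized value at or below its threshold, or has a non-zero raw count for IDs 5, 196, 197 or 198. `THREAD_ROWS` is copied from the report posted above; `CONSTRUCTED_BAD_ROWS` and all function names are made up for illustration.

```python
# Raw counters the reply above reads: each should be 0 on a healthy drive.
ZERO_RAW_IDS = {5, 196, 197, 198}

# Rows copied from the smartctl report posted in this thread.
THREAD_ROWS = """\
3 Spin_Up_Time 0x0023 117 100 024 Pre-fail Always - 321 (Average 325)
5 Reallocated_Sector_Ct 0x0033 100 100 005 Pre-fail Always - 0
9 Power_On_Hours 0x0032 097 097 000 Old_age Always - 21952
196 Reallocated_Event_Count 0x0032 100 100 000 Old_age Always - 0
197 Current_Pending_Sector 0x0032 100 100 000 Old_age Always - 0
198 Offline_Uncorrectable 0x0030 100 100 000 Old_age Offline - 0
"""

# Constructed rows (not from the thread) showing a drive that is failing.
CONSTRUCTED_BAD_ROWS = """\
5 Reallocated_Sector_Ct 0x0033 004 004 005 Pre-fail Always FAILING_NOW 1960
197 Current_Pending_Sector 0x0032 100 100 000 Old_age Always - 8
"""

def parse_row(line):
    """Split one attribute row; return None for headers and other lines."""
    f = line.split(None, 9)
    if len(f) < 10 or not all(x.isdigit() for x in (f[0], f[3], f[4], f[5])):
        return None
    return {"id": int(f[0]), "name": f[1], "value": int(f[3]),
            "thresh": int(f[5]), "when_failed": f[8], "raw": f[9].split()[0]}

def triage(report):
    """Return (id, name, reason) for every attribute that signals trouble."""
    issues = []
    for line in report.splitlines():
        a = parse_row(line)
        if a is None:
            continue
        if a["when_failed"] != "-":
            issues.append((a["id"], a["name"], a["when_failed"]))
        elif a["thresh"] and a["value"] <= a["thresh"]:
            issues.append((a["id"], a["name"], "value at or below threshold"))
        if a["id"] in ZERO_RAW_IDS and a["raw"].isdigit() and int(a["raw"]) > 0:
            issues.append((a["id"], a["name"], "raw count " + a["raw"]))
    return issues

if __name__ == "__main__":
    print("thread drive:", triage(THREAD_ROWS) or "no failing attributes")
    print("constructed :", triage(CONSTRUCTED_BAD_ROWS))
```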
 
Was the computer ever able to boot into Windows mode?

What made the client think his computer was infected?

Try running Kaspersky's WindowsUnlocker from the live cd and see if that finds anything.
 
If you tried running the HP System Recovery via the F11 key and got the error message you reported, then the MBR has probably been messed with.

Take a look at this:

http://h30434.www3.hp.com/t5/Notebo...sn-t-boot-into-recovery-partition/td-p/197434

Sound like your problem?

Maybe check with the customer to see what tools he used before he brought it in, perhaps you'll find something in the logs or quarantine for that app.

Thanks for the help. I followed up on setting the recovery partition on the cloned drive. Using the F11 key on booting gave a black screen with:

"BOOTMGR is missing. Press Ctrl-Alt-Del to restart."

Odd that the boot manager in the recovery partition would be gone. There are three partitions: Partition 1 = OS, Partition 2 = 12 Gb thought to be Recovery, and a third that is 100 Mb which I assume is not Recovery which I will make active and see if the F11 approach works.

Thanks again.
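
A read-only way to see what the partition table discussed above actually says, given as an added example that is not part of the thread: it decodes the four primary entries of a 512-byte MBR sector, shows which slot carries the active flag, and reports conditions that stop the MBR boot code (no signature, zero or several active partitions, entries that overlap or run past the disk). `SAMPLE` is a constructed sector loosely modelled on the three partitions described, and every name in the code is made up for illustration.

```python
import struct

def entry(status, ptype, start_lba, sectors):
    """Pack one 16-byte partition entry (CHS fields left as zero)."""
    return struct.pack("<B3xB3xII", status, ptype, start_lba, sectors)

def parse_mbr(sector):
    """Decode the signature and non-empty primary entries of an MBR sector."""
    if len(sector) != 512:
        raise ValueError("need exactly one 512-byte sector")
    parts = []
    for i in range(4):
        raw = sector[446 + 16 * i:462 + 16 * i]
        status, ptype, start, count = struct.unpack("<B3xB3xII", raw)
        if ptype:  # type 0x00 marks an unused slot
            parts.append({"slot": i + 1, "status": status, "type": ptype,
                          "start": start, "end": start + count})
    return {"signature_ok": sector[510:] == b"\x55\xaa", "parts": parts}

def findings(mbr, disk_sectors):
    """Return reasons this table would stop or misdirect the boot code."""
    out = []
    if not mbr["signature_ok"]:
        out.append("missing 0x55AA signature")
    active = [p["slot"] for p in mbr["parts"] if p["status"] == 0x80]
    if len(active) != 1:
        out.append(f"{len(active)} active partitions, expected 1")
    for p in mbr["parts"]:
        if p["status"] not in (0x00, 0x80):
            out.append(f"slot {p['slot']}: bad status byte")
        if p["end"] > disk_sectors:
            out.append(f"slot {p['slot']}: runs past end of disk")
    ordered = sorted(mbr["parts"], key=lambda p: p["start"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end"] > b["start"]:
            out.append(f"slots {a['slot']} and {b['slot']} overlap")
    return out

# Constructed sample: OS, 12 GB and 100 MB partitions, second one active.
DISK_SECTORS = 1_953_525_168  # 1,000,204,886,016 bytes / 512
SAMPLE = (bytes(446) + entry(0x00, 0x07, 2048, 1_928_152_064)
          + entry(0x80, 0x07, 1_928_154_112, 25_165_824)
          + entry(0x00, 0x07, 1_953_319_936, 204_800)
          + bytes(16) + b"\x55\xaa")

if __name__ == "__main__":
    table = parse_mbr(SAMPLE)
    print(table["parts"])
    print(findings(table, DISK_SECTORS) or "table looks consistent")
```

A consistent table only says which partition the boot code will hand off to; whether that partition's boot sector can find BOOTMGR is a separate question.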
 
This guy doesn't turn off his computer much, and this hard drive has been active for ~2.5 years

No reallocated sectors...

...still looking great

No errors

Has passed every test it's been allowed to complete.

...It's not the hard drive, that's a perfectly healthy drive. Not Ailing.

Run the MBR fix if you like, keep in mind it will remove the ability to use the restore partition easily.

Thanks for your review of the drive. Much appreciated. If this is successful, I'll create a new system restore point.

UPDATE: Went and ran the following in sequence in repair command prompt:

bootrec.exe /fixmbr

bootrec.exe /fixboot

bootrec.exe /RebuildBcd

Then I returned to startup repair and tried again several times. Tried then to reboot from cloned drive and No joy. :(

I've got one nerve left and this issue is all over it. :mad:

Could the fact that this machine was used as a client machine as part of a network be a factor?
 
In addition to the info supplied, you could also try the following.
Specifically look at answer #1.
I have had to run System repair disk several times, before it would "fix" something. Also, try another system repair disk.

http://answers.microsoft.com/en-us/...ys-is-it/899c08a2-2b25-4f3b-a506-89e3782d6b9c

Just another option to try.

Hey, thanks for that link. Although I've tried a couple of those options, I'll give them all a try. ;)

UPDATE: Just got finished trying the system repair disk several times again with the clone. The last time I did the repair option, it said "could not detect a problem." Trying to boot normally after this brought no joy. :confused: :(
 
If you did a factory reinstall using the recovery partition, were there any errors in the device manager?

Have you tried using WindowsUnlocker via a terminal window in the Kaspersky Live CD to remove any possible MBR viruses?

Try updating the drivers using driveridentifier, I use it all the time to get updated drivers.

Worst-case scenario: back up the client's data, download the latest drivers, delete the partitions, repartition the drive, clean install of Windows.
 
Mike -

Can you get to the startup repair on the HDD? Are you still getting the bootloop? It was probably configured for the preinstalled HP config, so you would probably want to use THAT startup repair, rather than a retail Windows disc. If F8 doesn't get you to the options, then tap the spacebar repeatedly when starting up.
 