Vista will not boot - am I infected?


  • This topic is locked
15 replies to this topic

#1 MontyW

MontyW

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:12:53 AM

Posted 29 August 2012 - 06:20 PM

MOVED to Virus,Trojan and Malware Removal Logs ~~boopme


Hi, I hope this is going to be an easy or interesting one for you BC experts.

I do all the maintenance for our extended family's pcs which is about 9 all told, all running Windows: XP, Vista and Win7. (The oldest is from 1999 which is still running, but slow!)

A couple of days ago, I had a first look at my younger sister's 2007 Toshiba running Vista 64-bit which she has been complaining about and right away I noticed she had 2 anti-virus programs installed: Norton (expired) and Avast. So having updated Avast I set about uninstalling Norton. There were viruses (root kits) previously in the Norton vault that were detected by Avast as Norton was uninstalled. At this point I moved over to help my Dad with his pc and when I came back sister's pc had crashed, would not boot into Windows and was just showing a black screen with a flashing cursor.

After loading Toshiba Bios it goes straight to the black screen with flashing cursor.
F8 does not work. Does not boot into Safe Mode.
F2 goes to Phoenix TrustedCore Setup utility. The hard drive and CD-ROM drive are listed in Main and Boot in the correct order.

I created a System Repair Disc from my Windows 7 (64 bit) laptop,
F12, select CDROM and press any key to boot from CD
No operating system listed.
Cannot find system image on this computer.
HDD is Toshiba MK1237GSX-(S1) 120GB

Startup Repair lasts only 10 seconds or so and finds root problem is
System volume on disk is corrupt.

chkdsk does not work.

Windows Memory Diagnostic
windows cannot check for memory problems.
"An error is preventing windows from checking memory problems during startup. To run the Windows memory diagnostic manually, boot the computer from the windows installation disc, then select windows memory diagnostic from the windows boot manager." Does not work.

Command Prompt
sfc /scannow
"There is a system repair pending which requires reboot to complete. Restart windows and run sfc again."

Using Notepad/File/Open I can look in Computer:
Hard Disk Drives (4)
Local Disk (C:)
Data (D:) 42 GB free of 54.5 GB
WinRE (E:) 1.11 GB free of 1.46 GB
Boot (X:) 29.0 MB free of 31.5 MB

So the C: drive is listed but without capacity.

Created Linux Live USB
Using File Manager - Dolphin I can see a /sda2 of 55.8 GiB Hard Drive but
"An error occured while accessing hard drive, the system responded: the requested operation has failed. Error mounting: mount exited with exit code 18. failed to open $MFT/$BITMAP No such file or directory. Failed to load $MFT: no such file or directory.
Failed to mount '/dev/sda2': no such file or directory.

By going into root using Terminal I can see the HDD is split into 3 elements with sda2 being the boot section.

Boot with AVG Rescue CD on USB

-----smartctl reports some problems with disk!-----

/dev/sda:
ATA Error Count: 2
Error 2 occurred at disk power-on lifetime: 3702 hours (154 days + 6 hours)
Error 1 occurred at disk power-on lifetime: 3702 hours (154 days + 6 hours)

Virus scanning works for /sda1 (NTFS 1.5 G) and /sda3 (NTFS 54.5G) with no infections found.
but /sda2 does not show up in list of volumes for scanning (presumably due to these 2 errors).

Running TESTDISK

Analysis:
Partition Start End Size in Sectors
1 P Windows RE(store) 0 32 33 191 89 26 3072000
2 * HPFS - NTFS 191 89 27 7477 118 1 117051392
3 P HPFS - NTFS 7477 118 2 14592 190 62 114307072 (data)


* = Primary bootable
When doing Quick Search and then P - list files, of the second partition it reports:
"Can't open filesystem. Filesystem seems damaged."

TESTDISK - Repair An NTFS MFT

"The MFT (Master File Table) is sometimes corrupted. If Microsoft's Checkdisk (chkdsk) failed to repair the MFT, run TestDisk. In the Advanced menu, select your NTFS partition, choose Boot, then Repair MFT. TestDisk will compare the MFT and MFT mirror (its backup). If the MFT is damaged, it will try to repair the MFT using the backup. If the MFT backup is damaged, it will use the main MFT."

Result:
Boot sector
Status: OK

Backup Boot Sector
Status: OK

Sectors are identical.

"A valid NTFS Boot sector must be present in order to access any data; even if the partition is not bootable."

Farbar Recovery Scan Tool

I booted the laptop from the Win7 Repair Disk again and ran FRST from the Command Prompt.

Scan result of Farbar Recovery Scan Tool Version: 29-08-2012 03
Ran by SYSTEM at 29-08-2012 22:18:44
Running from G:\
(X64) OS Language: English(US)
Attention: Could not load system hive.Attention: System hive is missing.

==================== Registry (Whitelisted) ===================

Attention: Software hive is missing.

HKLM\...\Winlogon: [Userinit]
HKLM-x32\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()
HKLM-x32\...\Winlogon: [Shell] [x ] ()

==================== Services (Whitelisted) ======


==================== Drivers (Whitelisted) ===================


==================== NetSvcs (Whitelisted) =================


==================== One Month Created Files and Folders ======================

2012-08-29 21:58 - 2012-08-29 21:58 - 00000000 ___AD \Windows\debug


==================== 3 Months Modified Files ================================


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\wininit.exe IS MISSING <==== ATTENTION!.
C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\SysWOW64\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 21%
Total physical RAM: 2038.4 MB
Available physical RAM: 1604.44 MB
Total Pagefile: 2038.4 MB
Available Pagefile: 1589.78 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions ============================

1 Drive d: (Data) (Fixed) (Total:54.51 GB) (Free:42.05 GB) NTFS
2 Drive e: (WinRE) (Fixed) (Total:1.46 GB) (Free:1.11 GB) NTFS
3 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.21 GB) (Free:0 GB) UDF
4 Drive g: (USB2) (Removable) (Total:3.72 GB) (Free:3.42 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 111 GB 3072 KB
Disk 1 Online 3814 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 55 GB 1501 MB
Partition 3 Primary 54 GB 57 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E WinRE NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RAW Partition 55 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Data NTFS Partition 54 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3810 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G USB2 FAT32 Removable 3810 MB Healthy

=========================================================
==================== End Of Log =============================

This is as far as I have got.

What next, good sirs?

Edited by boopme, 29 August 2012 - 08:45 PM.




#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,839 posts
  • ONLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:07:53 PM

Posted 29 August 2012 - 11:14 PM

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 Y RAW Partition 55 GB Healthy


:welcome:

Seems the C: drive has changed from NTFS to a RAW partition. Chances are the data may be lost, but let's give it a try.

Download MBRFix from here.

Save and extract its contents to the working computer's desktop. There are three files in the MBRFix folder. From these, only copy the MBRFix64.exe to the USB drive.

Also download the enclosed file and save it in the USB drive.

Insert the USB drive into the ailing computer.

Now please enter System Recovery Options and run FRST64 as you did before, except that this time around, press the Fix button just once and wait.

The tool will make a log on the flashdrive (Fixlog.txt). It will also create a file labeled MBRDUMP.txt. Copy and Paste the contents of the Fixlog.txt in your next reply, but attach the MBRDUMP.txt as it is a hex file.

In addition, For x86 (x32) bit systems please download Listparts
For x64 bit systems please download Listparts64
and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:
  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 MontyW


Posted 30 August 2012 - 02:41 AM

Hi JSntgRvr, :waves back: Thanks for your reply.

Here is the fix log and I've attached the MBRDUMP.txt:

Fix result of Farbar Recovery Tool (FRST written by Farbar) Version: 29-08-2012 03
Ran by SYSTEM at 2012-08-30 08:29:59 Run:1
Running from G:\

==============================================

MBRDUMP.txt is made successfully.

==== End of Fixlog ====
Attached File  MBRDUMP.txt   512bytes   6 downloads

Edit 3: Please note as there was no instruction to run MBRFix64.exe manually I did not run it.

Edit 4: There is some confusion about whether this is a 32-bit or a 64-bit machine. According to the Toshiba Support website this particular machine was shipped with Vista 32bit Home Premium but FRST for 32-bit did not work and FRST64 did. So I am not sure.

From Toshiba support website:
Registered YES
Project TIU
Production Date 2007-12-13
Country Manufactured China
Shipping Date 2007-12-27
Shipping Country Great Britain (UK)
Purchase Date 2008-01-04
Purchase Country Great Britain (UK)
EAN Code 402620352264
Preinstalled Software
ImageNumber: H08011EN
Supported OS: Windows Vista 32Bit Home Premium
Supported Language: Language as delivered

Now on to the next section...

Edit 1 to add: Here is the ListParts results below:

Edit 2 to add that F8 does not work so I used my Win7 Rescue Disc to boot into System Recovery Options and then followed the instructions above.

ListParts by Farbar Version: 10-08-2012
Ran by SYSTEM (administrator) on 30-08-2012 at 08:58:08
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 21%
Total physical RAM: 2038.4 MB
Available physical RAM: 1608.4 MB
Total Pagefile: 2038.4 MB
Available Pagefile: 1590.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

2 Drive d: (Data) (Fixed) (Total:54.51 GB) (Free:42.05 GB) NTFS
3 Drive e: (WinRE) (Fixed) (Total:1.46 GB) (Free:1.11 GB) NTFS
4 Drive f: (Repair disc Windows 7 64-bit) (CDROM) (Total:0.21 GB) (Free:0 GB) UDF
5 Drive g: (USB2) (Removable) (Total:3.72 GB) (Free:3.42 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 111 GB 3072 KB
Disk 1 Online 3814 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 1500 MB 1024 KB
Partition 2 Primary 55 GB 1501 MB
Partition 3 Primary 54 GB 57 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E WinRE NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C RAW Partition 55 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Data NTFS Partition 54 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3810 MB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G USB2 FAT32 Removable 3810 MB Healthy

======================================================================================================
The boot configuration data store could not be opened.
The system cannot find the file specified.


****** End Of Log ******

Edited by MontyW, 30 August 2012 - 05:30 AM.


#4 JSntgRvr


Posted 30 August 2012 - 11:39 AM

Kind of odd, as the boot table lists the partition as one with a NTFS format.

Boot to the Command prompt with your recovery CD. At the prompt type the following and press Enter:

CHKDSK C: /R

Let me know the outcome.

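The "boot table" referred to in this post is the four-entry partition table inside the 512-byte master boot record that MBRDUMP.txt captures. The Python below is an added example, not part of the original thread and not FRST's or the helper's code; it parses such a sector, and its sample MBR is constructed from the sector counts in the TestDisk output and the offsets in the ListParts log, with placeholder CHS bytes.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446                   # partition table follows the boot code area
ENTRY = struct.Struct("<B3sB3sII")   # status, CHS first, type, CHS last, LBA start, sector count

# Type bytes that appear in the thread's logs.
TYPE_NAMES = {0x07: "NTFS/exFAT/HPFS", 0x0C: "FAT32 (LBA)", 0x27: "hidden Windows RE"}


def build_sample_mbr():
    """Constructed sample: Disk 0 layout from the thread. Sizes come from the
    TestDisk output; start sectors are derived from the 1024 KB and 1501 MB
    offsets in ListParts. CHS bytes are placeholders, not taken from the page."""
    layout = [
        (0x00, 0x27, 2048, 3072000),         # WinRE, 1500 MB
        (0x80, 0x07, 3074048, 117051392),    # active volume that Windows shows as RAW
        (0x00, 0x07, 120125440, 114307072),  # Data
    ]
    mbr = bytearray(SECTOR)
    chs = b"\xfe\xff\xff"
    for i, (status, ptype, lba, count) in enumerate(layout):
        ENTRY.pack_into(mbr, TABLE_OFFSET + i * ENTRY.size, status, chs, ptype, chs, lba, count)
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)


def parse_mbr(sector):
    """Return the non-empty partition entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly 512 bytes, got %d" % len(sector))
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = ENTRY.unpack_from(sector, TABLE_OFFSET + i * ENTRY.size)
        if ptype == 0 and count == 0:
            continue  # unused slot
        parts.append({
            "index": i + 1,
            "status": status,
            "active": status == 0x80,
            "type": ptype,
            "type_name": TYPE_NAMES.get(ptype, "unknown"),
            "start_lba": lba,
            "sectors": count,
            "offset_bytes": lba * SECTOR,
            "size_mb": count * SECTOR // 2**20,
        })
    return parts


def check_table(parts):
    """Sanity checks that separate a damaged partition table from a damaged filesystem."""
    findings = []
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append("partition %d: invalid status byte 0x%02X" % (p["index"], p["status"]))
    active = [p["index"] for p in parts if p["active"]]
    if len(active) != 1:
        findings.append("expected one active partition, found %d" % len(active))
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for prev, cur in zip(ordered, ordered[1:]):
        if prev["start_lba"] + prev["sectors"] > cur["start_lba"]:
            findings.append("partition %d overlaps partition %d" % (prev["index"], cur["index"]))
    return findings


if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for p in table:
        print("Partition %d  type %02X (%s)  active=%s  offset=%d KB  size=%d MB" % (
            p["index"], p["type"], p["type_name"], p["active"],
            p["offset_bytes"] // 1024, p["size_mb"]))
    print("findings:", check_table(table) or "none")
```

A clean result here only says the partition table is consistent: type 07 is a label in the MBR entry, while Windows reports a volume as RAW when it cannot mount the filesystem inside it, so both observations in the thread can hold at once.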


#5 MontyW


Posted 30 August 2012 - 01:03 PM

Kind of odd, as the boot table lists the partition as one with a NTFS format.

Boot to the Command prompt with your recovery CD. At the prompt type the following and press Enter:

CHKDSK C: /R

Let me know the outcome.


Opening Command Prompt:
X:\windows\system32>_

I type in your instruction:
X:\windows\system32> chkdsk c: /r and press return

"The type of the file system is NTFS.
Unable to determine volume version and state. CHKDSK aborted.
Failed to transfer logged messages to the event log with status 50.

X:\windows\system32>_"

EDIT 1: I am now reading indications that running a Win7 64-bit recovery disc CDROM on a 32-bit Vista may cause confusing results. The 64-bit CD will load and may be used to access Command Prompt on a 32-bit version but will not activate automated startup repair or windows system image GUI.
http://www.sevenforums.com/performance-maintenance/148973-use-repair-disc-different-computer.html

So, if this is true and in order to eliminate possible spurious results, I will see if I can obtain a Vista 32-bit Install dvd or a Win7 32-bit Repair disc cd and run all the above tests again.

Anybody know about this?

Edited by MontyW, 30 August 2012 - 05:16 PM.


#6 JSntgRvr


Posted 30 August 2012 - 10:32 PM

We are taking a look at the Master Boot Record, which is OS independent. But yes, a Vista 32-bit CD will be helpful.

I am consulting this case with the experts. Will post back promptly.



#7 JSntgRvr


Posted 31 August 2012 - 10:51 AM

If you are able to obtain a Vista 32-bit Install dvd, please attempt to run CHKDSK once again and let us know the outcome.



#8 MontyW


Posted 31 August 2012 - 11:59 AM

Thanks, JSntgRvr.
I will get a full Vista 32-bit dvd from a friend in the next town over the next couple of days and report back.

#9 JSntgRvr


Posted 31 August 2012 - 02:17 PM

:thumbup2:



#10 MontyW


Posted 03 September 2012 - 01:30 PM

Hey JSntgRvr, hope you had a nice w/e.

Some tests now repeated with borrowed original Vista 32-bit dvd.

CHKDSK (no change)
X:\sources>_

X:\sources>CHKDSK C: /R
the type of the file system is NTFS.
Unable to determine volume version and state. CHKDSK aborted.

Other test results are similar with the following differences:

SCANNOW
sfc /scannow does now load and offers 6 options, verifyonly, scanfile, etc.

Which should I use?

Listparts 32-bit
ListParts by Farbar Version: 10-08-2012
Ran by SYSTEM (administrator) on 03-09-2012 at 18:40:21
Windows Vista (X86)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 14%
Total physical RAM: 2037.81 MB
Available physical RAM: 1739.07 MB
Total Pagefile: 1854.14 MB
Available Pagefile: 1732.82 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.57 MB

======================= Partitions =========================

2 Drive d: (Data) (Fixed) (Total:54.51 GB) (Free:42.05 GB) NTFS
3 Drive e: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
4 Drive f: (WinRE) (Fixed) (Total:1.46 GB) (Free:1.11 GB) NTFS
5 Drive g: (USB2) (Removable) (Total:3.72 GB) (Free:3.41 GB) FAT32
6 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 4537 KB
Disk 1 Online 3814 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 56 GB 1501 MB
Partition 3 Primary 55 GB 57 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F WinRE NTFS Partition 1500 MB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C RAW Partition 56 GB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 D Data NTFS Partition 55 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3810 MB 4032 KB

======================================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 G USB2 FAT32 Removable 3810 MB Healthy

======================================================================================================
The boot configuration data store could not be opened.
The system cannot find the file specified.


****** End Of Log ******

Farbar Recovery Scan Tool (32-bit)

Scan result of Farbar Recovery Scan Tool (FRST written by Farbar) Version: 29-08-2012 03
Ran by SYSTEM at 03-09-2012 19:15:44
Running from G:\
(X86) OS Language: English(US)
Attention: Could not load system hive.Attention: System hive is missing.

==================== Registry (Whitelisted) ===================

Attention: Software hive is missing.

HKLM\...\Winlogon: [Userinit] [x]
HKLM\...\Winlogon: [Shell] [x ] ()

========================== Services (Whitelisted) ========================


==================== Drivers (Whitelisted) ===================


==================== NetSvcs (Whitelisted) =================


============ One Month Created Files and Folders ==============


============ 3 Months Modified Files ========================


==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\explorer.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\winlogon.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\svchost.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\services.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\User32.dll IS MISSING <==== ATTENTION!.
C:\Windows\System32\userinit.exe IS MISSING <==== ATTENTION!.
C:\Windows\System32\Drivers\volsnap.sys IS MISSING <==== ATTENTION!.

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: <===== ATTENTION!
HKLM\...\exefile\DefaultIcon: <===== ATTENTION!
HKLM\...\exefile\open\command: <===== ATTENTION!

==================== Restore Points =========================


==================== Memory info ===========================

Percentage of memory in use: 15%
Total physical RAM: 2037.81 MB
Available physical RAM: 1729.71 MB
Total Pagefile: 1854.14 MB
Available Pagefile: 1723.97 MB
Total Virtual: 2047.88 MB
Available Virtual: 1983.94 MB

==================== Partitions ============================

1 Drive d: (Data) (Fixed) (Total:54.51 GB) (Free:42.05 GB) NTFS
2 Drive e: (LRMCFRE_EN_DVD) (CDROM) (Total:2.49 GB) (Free:0 GB) UDF
3 Drive f: (WinRE) (Fixed) (Total:1.46 GB) (Free:1.11 GB) NTFS
4 Drive g: (USB2) (Removable) (Total:3.72 GB) (Free:3.41 GB) FAT32
5 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 112 GB 4537 KB
Disk 1 Online 3814 MB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 OEM 1500 MB 1024 KB
Partition 2 Primary 56 GB 1501 MB
Partition 3 Primary 55 GB 57 GB

==================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 F WinRE NTFS Partition 1500 MB Healthy Hidden

==================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 0 Y RAW Partition 56 GB Healthy

==================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 D Data NTFS Partition 55 GB Healthy

==================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 3810 MB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 0C
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 G USB2 FAT32 Removable 3810 MB Healthy

==================================================================================
==================== End Of Log =============================

#11 JSntgRvr


Posted 04 September 2012 - 10:22 AM

Seems that the volume in the C: partition as you can see here is corrupted:

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 C RAW Partition 56 GB Healthy


It is the volume that has the Operating System and boot components. The only way out will be to re-format the partition, but all data will be lost. There is no way to convert a RAW volume to an NTFS file system without losing the data as the volume will need to be reformatted.

Assuming this is a laptop, if you feel that there is no need for the personal data within the computer, you can try the Toshiba process to re-image the computer to factory settings, otherwise, there may be a program you can use to recover the personal data, then proceed with the re-imaging process.

Here is the link:

https://www.csd.toshiba.com/cgi-bin/tais/support/jsp/bulletinDetail.jsp?soid=2737864&pf=true

If a PC, here are other alternatives.

https://www.csd.toshiba.com/cgi-bin/tais/support/jsp/serviceUnitVerification.jsp

Keep me posted.

Edited by JSntgRvr, 04 September 2012 - 10:25 AM.



#12 MontyW


Posted 04 September 2012 - 01:00 PM

Thanks for your reply.

I downloaded the Toshiba user manual for this specific laptop and in the System Recovery Options section it only refers to using F8 to access the advanced boot options from which to perform the recovery.

This is useless advice in this case as F8 does nothing.

I tried the instructions given in your link (Press and hold down the 0 (zero) key on the keyboard) but it also has no effect and the pc boots through the BIOS to the black screen with the flashing cursor. There is no mention of pressing the zero key in the user manual for this machine. That technique must be for different Toshiba laptops.

In this manual it does say to use a Product Recovery DVD to restore the operating system and all pre-installed software. I don't have one of them but...

So anyway I have this borrowed Vista 32-bit disc to reload from....

HOWEVER, there is another problem: the Vista product key sticker is missing from the underside of this machine. (As you know, Vista stickers were not plasticised as the XP ones were and are not durable when applied on the underside of laptops.)

I have tried some key readers on UBCD and Hirens Boot CD but as the C:\ is corrupted they cannot read the hive where the product key is encrypted. :deadhorse:

So between Microsoft and Toshiba they have not really thought this through :-\ :smash:

So it looks like you and I have been beaten with this one... Thanks again for all your assistance.

#13 JSntgRvr


Posted 04 September 2012 - 09:05 PM

I am sure Toshiba will send you the Product Recovery DVD upon request. The second link has the information required.



#14 MontyW


Posted 05 September 2012 - 01:15 AM

Hi JSntgRvr,
thanks for your reply.

Unfortunately, my serial number will not work in those links as it was not bought in the US but in the UK (England).

I can order Product Recovery CD in UK but I am reluctant to spend another $50 with Toshiba for two reasons.

[1] I am not at all confident it will work (as neither F8 nor pressing zero at boot work).
[2] the battery is not working and the HDD has some bad results from tests run in Ubuntu Live with:

sudo apt-get install smartmontools --no-install-recommends
sudo smartctl -a /dev/sda:

5 Reallocated_Sector_Ct 0x0033 100 100 050 Pre-fail Always - 72
196 Reallocated_Event_Count 0x0032 100 100 000 Old_age Always - 70

I am trying one more technique - using DISKPART to boot the recovery partition from the Command Prompt as other Toshiba users are reporting some success.

If this does not work, I will install Kubuntu OS.

Thanks for all your time, JSntgRvr. Best wishes, Monty.

TL;DR

2008 Toshiba Equium A200
the C:\ drive is corrupted where the OS is stored.
the Recovery Partition is intact but unobtainable on the F:\ drive,
the Vista Product Key has peeled off the bottom of the machine,
the encrypted Product Key file cannot be retrieved from the corrupted drive.
will have Kubuntu Linux installed.
Toshiba suck.
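The two smartctl rows quoted in this post show a drive whose normalized values (100) are still above their thresholds while the raw counters record reallocated sectors. The Python below is an added example, not part of the original thread; it triages a smartctl attribute table on both signals. The first two sample rows are the ones from the post, the Power_On_Hours row is constructed (only its raw value 3702 appears in the thread), and watching IDs 197 and 198 as well is an assumption of this example.

```python
import re

# Attributes whose raw count is expected to be zero on a healthy drive.
# 5 and 196 are the ones in the post; 197 and 198 are added by this example.
SECTOR_HEALTH_IDS = {5, 196, 197, 198}

# One row of the "smartctl -a" attribute table:
# ID NAME FLAG VALUE WORST THRESH TYPE UPDATED WHEN_FAILED RAW_VALUE
ROW = re.compile(
    r"^\s*(?P<id>\d+)\s+(?P<name>\S+)\s+0x[0-9a-fA-F]{4}\s+"
    r"(?P<value>\d+)\s+(?P<worst>\d+)\s+(?P<thresh>\d+)\s+"
    r"(?P<type>\S+)\s+(?P<updated>\S+)\s+(?P<when_failed>\S+)\s+(?P<raw>\d+)"
)

# Rows 1-2 are quoted from the post; row 3 is constructed for contrast.
SAMPLE = """\
  5 Reallocated_Sector_Ct   0x0033   100   100   050    Pre-fail  Always       -       72
196 Reallocated_Event_Count 0x0032   100   100   000    Old_age   Always       -       70
  9 Power_On_Hours          0x0032   091   091   000    Old_age   Always       -       3702
"""


def parse_attributes(text):
    """Extract attribute rows; lines that are not table rows are ignored."""
    attrs = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        attrs.append({
            "id": int(m["id"]),
            "name": m["name"],
            "value": int(m["value"]),
            "worst": int(m["worst"]),
            "thresh": int(m["thresh"]),
            "type": m["type"],
            "raw": int(m["raw"]),
        })
    return attrs


def triage(attrs):
    """Return (id, name, severity, raw) for attributes that need attention.

    FAIL: normalized value has dropped to or below a non-zero threshold.
    WARN: threshold not crossed, but a sector-health raw counter is non-zero.
    """
    findings = []
    for a in attrs:
        if a["thresh"] > 0 and a["value"] <= a["thresh"]:
            findings.append((a["id"], a["name"], "FAIL", a["raw"]))
        elif a["id"] in SECTOR_HEALTH_IDS and a["raw"] > 0:
            findings.append((a["id"], a["name"], "WARN", a["raw"]))
    return findings


if __name__ == "__main__":
    for attr_id, name, severity, raw in triage(parse_attributes(SAMPLE)):
        print("%-4s %3d %-24s raw=%d" % (severity, attr_id, name, raw))
```

On a disk in this state, imaging the readable partitions before any repair or reinstall attempt preserves whatever data is still recoverable.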

#15 JSntgRvr


Posted 05 September 2012 - 01:36 PM

Good luck! :thumbup2:
