
Laptop won't boot & Recovery partition corrupt... Rootkit?



#1 bcnv


Posted 02 June 2013 - 10:25 PM

My Toshiba laptop suddenly was unable to boot to Windows 7 Home yesterday... the POST was generating an error "No operating system."

So then I booted into Linux via a live CD. From there, I could mount my Windows C-drive... its documents were still intact. However, using the app GParted to look at my hard drive, I noticed that sda3, the Toshiba Recovery Partition, was of "unknown file format."

Also, it was missing its usual label "HDD RECOVERY" and no space appeared to be used out of its 10.08GB (usually, 9.49GB is filled). Strangely, the boot flag was set to that partition (sda3) instead of its usual location on sda1, the System partition.

 


 

I used GParted to move the boot flag back to sda1, and after that, the laptop was able to boot to Win7 again. However, Disk Management showed that the recovery partition was of "RAW" file format with 0GB used.

Any clue on whether all this might have been caused by a destructive trojan or MBR rootkit which messed with my boot flag? Perhaps it was attempting to hide in the recovery partition? I just returned from a 1-week visit to my cousin's house, which has a "suspect" network... she had 40 trojans removed from her laptop a month before. I was getting a few script error messages while on the internet there.

Or was this related to hardware failure... how could that destroy one partition and move a boot flag? FYI, I did have a poor shutdown from Linux live CD right before (CD was ejected too early, but after the failed shutdown, I cleared the memory with an unplug and battery removal)... could that mess up the MBR/boot AND corrupt an entire partition? (I doubt it, as Linux was booted off a CD into memory, not installed.)

I can no longer use the non-existent recovery partition to reinstall Windows 7 (and wouldn't trust the hard drive without a 0-fill wipe first, anyway), but thankfully, I made 3 recovery DVDs last year. I just need to run those, correct? Thanks.

 


