Windows 7 - Unable to Boot - Malware Suspected


  • This topic is locked

#46 TangentMedia (Member, Topic Starter, 75 posts)
Okay. Below are the results from testdisk.log after running a Deeper Search with testdisk. Also attached is a picture of my screen after attempting to run parted /dev/sda print >Parted.txt just as you instructed. But, as you can see, it apparently wants more operators or different syntax, or something, because there were no results that I could tell. I also tried it like this, parted /dev/sda2 print >Parted.txt, and got the same results. Hopefully testdisk.log (below) will give you what you need to move to the next step. :)



Fri Dec 30 01:27:37 2011
Command line: TestDisk

TestDisk 6.13, Data Recovery Utility, November 2011
Christophe GRENIER <[email protected]>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4
Compilation date: 2011-11-15T02:42:19
ext2fs lib: 1.41.9, ntfs lib: libntfs-3g, reiserfs lib: 0.3.1-rc8, ewf lib: 20100226
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 2930277168 sectors
/dev/sda: user_max 2930277168 sectors
/dev/sda: native_max 2930277168 sectors
/dev/sda: dco 2930277168 sectors
/dev/sdb: LBA, HPA, LBA48, DCO support
/dev/sdb: size 1953525168 sectors
/dev/sdb: user_max 1953525168 sectors
/dev/sdb: native_max 1953525168 sectors
/dev/sdb: dco 1953525168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63, sector size=512 - WDC WD1502FAEX-007BA0, S/N:WD-WMAY02625035, FW:05.01D05
Disk /dev/sdb - 1000 GB / 931 GiB - CHS 121601 255 63, sector size=512 - ST31000528AS, S/N:6VPAF29M, FW:CC3E
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32770 1 1 (RO), sector size=2048 - HL-DT-ST DVDRAM GH40N, S/N:K4299890743, FW:NM02

Partition table type (auto): Intel
Disk /dev/sda - 1500 GB / 1397 GiB - WDC WD1502FAEX-007BA0
Partition table type: Intel

Analyse Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182401 255 63
Geometry from i386 MBR: head=255 sector=63


test_FAT()
1 * FAT32 0 1 1 1305 254 63 20980827
sector_size 512
cluster_size 2
reserved 8
fats 1
dir_entries 1024
sectors 0
media F8
fat_length 0
secs_track 17
heads 4
hidden 1
total_sect 2097152
check_part_i386 failed for partition type 0B
NTFS at 1306/0/1
NTFS at 49947/0/1
get_geometry_from_list_part_aux head=255 nbr=5
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=5
Current partition structure:
Invalid FAT boot sector
1 * FAT32 0 1 1 1305 254 63 20980827
1 * FAT32 0 1 1 1305 254 63 20980827
2 P HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
3 P HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
NTFS at 1306/0/1
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
NTFS at 49947/0/1
filesystem size 2127874150
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
NTFS, 1089 GB / 1014 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=255 nbr=3

Results
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]
NTFS, 1089 GB / 1014 GiB

interface_write()
1 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
2 P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]

search_part()
Disk /dev/sda - 1500 GB / 1397 GiB - CHS 182402 255 63
NTFS at 1306/0/1
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
NTFS at 49946/254/63
filesystem size 781417665
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS found using backup sector!, 400 GB / 372 GiB
NTFS at 49947/0/1
filesystem size 2127874150
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 49947 0 1 182401 10 10 2127874150 [DATA]
NTFS, 1089 GB / 1014 GiB
get_geometry_from_list_part_aux head=255 nbr=3
get_geometry_from_list_part_aux head=255 nbr=3

Results
* HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
NTFS, 400 GB / 372 GiB
P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]
NTFS, 1089 GB / 1014 GiB

interface_write()
1 * HPFS - NTFS 1306 0 1 49946 254 63 781417665 [WIN7]
2 P HPFS - NTFS 49947 0 1 182401 254 63 2127889575 [DATA]
simulate write!

write_mbr_i386: starting...
write_all_log_i386: starting...
No extended partition

TestDisk exited normally.

Attached: screen-shot.jpg

#47 TangentMedia (Member, Topic Starter, 75 posts)
I need to leave now for about 10 hours or so on a day trip. Will check back later to see if you have more directions. Thank you for your assistance. -Chris

#48 TangentMedia (Member, Topic Starter, 75 posts)
Hello JSntgRvr,

I'm back in town now. Any thoughts on the info I posted today?

I will be around the next 4 hours or so if you want me to try any solutions.

Thanks again for your help.

Kind Regards,

Chris

#49 TangentMedia (Member, Topic Starter, 75 posts)
I'm here JSntgRvr. ;) Any chance we can knock this out tonight? :D

#50 JSntgRvr (Global Moderator, 11,018 posts)
We got the report. I will change the boot process to partition 2, as it seems logical based on the scans we have performed.

  • While on xPUD, click on the folder that represents your System drive (sda2)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following:

    parted /dev/sda set 2 boot on

    Leave a space between the following arguments:

    parted
    /dev/sda
    set
    2
    boot
    on


If successful restart the computer in Normal mode. Let me know the outcome.

#51 TangentMedia (Member, Topic Starter, 75 posts)
When I ran:

parted /dev/sda set 2 boot on

it returned:

Information: You may need to update /etc/fstab.


Did the testdisk.log help at all?

#52 JSntgRvr (Global Moderator, 11,018 posts)
I need to consult the developer about these results. Will post soon.

#53 TangentMedia (Member, Topic Starter, 75 posts)
Thank you, JSntgRvr. When you say "Will post soon", do you think that will be tonight? I am not trying to pressure you; just wondering if I should wait up? ;)

#54 JSntgRvr (Global Moderator, 11,018 posts)
That will all depend on the availability of the expert in this field.

#55 TangentMedia (Member, Topic Starter, 75 posts)
Okay. I thought you were the expert! :D How long are you planning to stay up? I will go get some sleep when you do. :D

From what you have seen up to this point, do you think it is some sort of malware that is ailing my computer? Or could it be a legitimately bad hard drive?

#56 JSntgRvr (Global Moderator, 11,018 posts)
There is a bad partition (Partition 1) that is causing all this trouble. It is flagged as an older file system, but misconfigured, and has the boot flag. I would rather consult with someone who knows more than me in this field before continuing. I definitely believe it was done by malware.
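Reading the testdisk.log in #46 together with the diagnosis in #56: entry 1 of the MBR is a FAT32 (type 0x0B) partition carrying the boot flag, and TestDisk rejects its boot sector ("Invalid FAT boot sector", "check_part_i386 failed for partition type 0B"), while the NTFS [WIN7] partition is entry 2, which is why #50 moves the boot flag with parted. The Python below is an added example, not code from the thread, from TestDisk or from parted. It builds an MBR from the CHS/LBA/size values in the posted log (constructed here, not read from the real disk), parses the four entries, runs the kind of consistency checks TestDisk applies (exactly one boot flag, no overlap, nothing past the end of the disk, and the fields a FAT32 BIOS Parameter Block must satisfy), and then moves the boot flag to entry 2 the way `parted /dev/sda set 2 boot on` does on an msdos label (the chosen entry gets 0x80, every other entry 0x00). The FAT32 boot sector is likewise constructed from the test_FAT() values in the log; fat_length32 is not reported there and is assumed.

```python
"""Inspect an MBR partition table and a FAT32 boot sector, then move the boot flag.

Added example (not from the thread, TestDisk or parted). All disk data below is
CONSTRUCTED from the values in the posted testdisk.log; fat_length32 is assumed.
"""
import struct

HEADS, SPT = 255, 63             # geometry TestDisk read from the i386 MBR
DISK_SECTORS = 2930277168        # /dev/sda size in 512-byte sectors, from the log
SECTOR = 512
BPB_FMT = "<HBHBHHBHHHIII"       # BIOS Parameter Block fields at bytes 11..39

def lba_to_chs(lba):
    """LBA -> (cylinder, head, sector) for 255 heads x 63 sectors; sectors are 1-based."""
    c, rem = divmod(lba, HEADS * SPT)
    h, s = divmod(rem, SPT)
    return c, h, s + 1

def packed_chs(c, h, s):
    """On-disk 3-byte CHS; the 10-bit cylinder clamps anything past 1023/254/63."""
    if c > 1023:
        c, h, s = 1023, 254, 63
    return bytes([h, (s & 0x3F) | ((c >> 2) & 0xC0), c & 0xFF])

def mbr_entry(status, ptype, start, count):
    """One 16-byte partition entry built from LBA start and sector count."""
    return (bytes([status]) + packed_chs(*lba_to_chs(start)) + bytes([ptype])
            + packed_chs(*lba_to_chs(start + count - 1)) + struct.pack("<II", start, count))

def constructed_mbr():
    """CONSTRUCTED: the table TestDisk printed under 'Current partition structure'."""
    mbr = bytearray(SECTOR)
    mbr[446:494] = b"".join([
        mbr_entry(0x80, 0x0B, 63, 20980827),           # 1 * FAT32        0/1/1 .. 1305/254/63
        mbr_entry(0x00, 0x07, 20980890, 781417665),    # 2 P NTFS [WIN7]  1306/0/1 .. 49946/254/63
        mbr_entry(0x00, 0x07, 802398555, 2127874150),  # 3 P NTFS [DATA]  49947/0/1 .. 182401/10/10
    ])
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def parse_mbr(sector):
    """Return the non-empty entries as dicts; type 0x00 marks an unused slot."""
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA MBR signature")
    parts = []
    for i in range(4):
        e = sector[446 + 16 * i:462 + 16 * i]
        start, count = struct.unpack("<II", e[8:16])
        if e[4]:
            parts.append({"n": i + 1, "status": e[0], "boot": e[0] == 0x80,
                          "type": e[4], "start": start, "count": count})
    return parts

def check_table(parts, disk_sectors=DISK_SECTORS):
    """Structural checks on the table itself; returns a list of problem strings."""
    problems = []
    if sum(p["boot"] for p in parts) != 1:
        problems.append("expected exactly one boot (0x80) flag")
    prev_end = -1
    for p in sorted(parts, key=lambda p: p["start"]):
        end = p["start"] + p["count"] - 1
        if p["status"] not in (0x00, 0x80):
            problems.append("entry %d: status 0x%02x is not 0x00/0x80" % (p["n"], p["status"]))
        if p["start"] <= prev_end:
            problems.append("entry %d overlaps the previous partition" % p["n"])
        if end >= disk_sectors:
            problems.append("entry %d ends past the disk (%d >= %d)" % (p["n"], end, disk_sectors))
        prev_end = end
    return problems

def check_fat32_bpb(boot, part):
    """Check a FAT32 boot sector against the FAT32 layout rules and its MBR entry."""
    (bps, spc, reserved, fats, root, tot16, media, fatlen16,
     spt, heads, hidden, tot32, fatlen32) = struct.unpack_from(BPB_FMT, boot, 11)
    problems = []
    if boot[510:512] != b"\x55\xaa":
        problems.append("missing 0x55AA boot-sector signature")
    if bps != SECTOR:
        problems.append("bytes_per_sector %d != %d" % (bps, SECTOR))
    if spc == 0 or spc & (spc - 1):
        problems.append("sectors_per_cluster %d is not a power of two" % spc)
    if fats not in (1, 2):
        problems.append("fats %d is not 1 or 2" % fats)
    if root != 0:
        problems.append("root_entries must be 0 on FAT32 (got %d)" % root)
    if tot16 != 0 or fatlen16 != 0:
        problems.append("FAT32 requires the 16-bit total_sectors/fat_length fields to be 0")
    if fatlen32 == 0:
        problems.append("fat_length32 is 0")
    if hidden != part["start"]:
        problems.append("hidden sectors %d != partition LBA start %d" % (hidden, part["start"]))
    if tot32 > part["count"]:
        problems.append("filesystem %d sectors exceeds partition %d" % (tot32, part["count"]))
    return problems

def constructed_fat32_boot_sector():
    """CONSTRUCTED from the test_FAT() values in the log; fat_length32 (8192) is assumed."""
    b = bytearray(SECTOR)
    b[0:3], b[3:11] = b"\xeb\x58\x90", b"MSWIN4.1"
    struct.pack_into(BPB_FMT, b, 11, 512, 2, 8, 1, 1024, 0, 0xF8, 0, 17, 4, 1, 2097152, 8192)
    b[510:512] = b"\x55\xaa"
    return bytes(b)

def set_boot_flag(sector, n):
    """What `parted /dev/sdX set N boot on` does to an msdos table: one 0x80, the rest 0x00."""
    out = bytearray(sector)
    for i in range(4):
        out[446 + 16 * i] = 0x80 if i + 1 == n else 0x00
    return bytes(out)

def describe(parts):
    """TestDisk-style lines: N flag type  Cs Hs Ss  Ce He Se  sectors."""
    return ["%d %s 0x%02X %6d %3d %2d %6d %3d %2d %11d"
            % (p["n"], "*" if p["boot"] else "P", p["type"],
               *lba_to_chs(p["start"]), *lba_to_chs(p["start"] + p["count"] - 1), p["count"])
            for p in parts]

if __name__ == "__main__":
    mbr = constructed_mbr()
    parts = parse_mbr(mbr)
    print("\n".join(describe(parts)))
    print("table:", check_table(parts) or "ok")
    print("FAT32 boot sector of entry 1:", check_fat32_bpb(constructed_fat32_boot_sector(), parts[0]))
    fixed = parse_mbr(set_boot_flag(mbr, 2))
    print("\n".join(describe(fixed)))
    print("table after 'set 2 boot on':", check_table(fixed) or "ok")
```

Against the constructed data the table itself checks out (one boot flag, no overlap, inside the disk), which matches TestDisk being able to list all three entries; the FAT32 boot sector of entry 1 fails on two points a valid FAT32 volume cannot have: a non-zero root directory entry count (1024) and a hidden-sector count (1) that does not match where the partition starts (LBA 63). After set_boot_flag(mbr, 2) the only flagged entry is the NTFS [WIN7] partition, which is the state #50 is aiming for. Real disks need the CHS fields decoded only for legacy BIOS boot paths; the LBA start and count are what matter, and the code derives the printed CHS from them the way TestDisk does.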

#57 TangentMedia (Member, Topic Starter, 75 posts)
Cool. If it is malware then there is hope that it can be fixed. In case it matters, it is a new Western Digital drive that I installed just this past August. Hard to believe it went bad.

Thanks again for your help. I am really tired from the last two nights. I think I am going to head to bed here in a few minutes unless you think I should stick around.

#58 JSntgRvr (Global Moderator, 11,018 posts)
I will do the same. Hopefully we will have an answer in the morning.

#59 TangentMedia (Member, Topic Starter, 75 posts)
JSntgRvr wrote:
    I will do the same. Hopefully we will have an answer in the morning.

That would be great. :)

Sleep well!

#60 JSntgRvr (Global Moderator, 11,018 posts)
Seems the command worked. Are you able to boot now into Normal Windows?

Run Testdisk as before, but follow these steps.

  • Press Enter
  • The TestDisk command window will open
  • Choose Create and press Enter
  • TestDisk will now detect all local hard drives
  • Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
  • If you're not sure, then note everything you see and post it for my review
  • Select [Intel] and press Enter
  • Select [Analyse] and press Enter, then press Enter again to run a [Quick Search], select yes
  • You will now see the partitions on the drive. Use the arrows to select the FAT partition (I believe it is 1), then press P to list the files in that partition.
  • When done, press Q repeatedly until TestDisk closes.
  • Close the Terminal Window
  • Remove the flash drive and put it back in the working computer, then post the contents of (or attach) the testdisk.log file on the flash drive, or however it was done before.

It would also be nice to run:

parted /dev/sda print >Parted.txt

And post either the image or report.