[salt4502]

I have a dell laptop that was infected with a rootkit. I tried malwarebytes anti-rootkit beta instead of tds killer. Once I had cleaned the laptop and rebooted all that was displayed was "missing operating system" on the screen. Tried to restore the os with win 7 recovery disk, diskpart, several flavors of unbutu, and flinging it against the wall(just kidding). Then I found your site and yours was the first one that described my problem almost to a "t".

I ran frst64 and will post the logs at the end

If someone can help it would be appreciated

Thanks
salt4502


Scan result of Farbar Recovery Scan Tool (FRST) (x64) Version: 18-11-2012
Ran by SYSTEM at 18-11-2012 18:12:28
Running from G:\
Windows 7 Home Premium (X64) OS Language: English(US)
The current controlset is ControlSet001

==================== Registry (Whitelisted) ===================

Tcpip\Parameters: [DhcpNameServer] 172.31.79.142 172.31.79.144 157.54.104.75 157.54.14.146 157.54.14.162 157.54.80.10

==================== Services (Whitelisted) ===================


==================== Drivers (Whitelisted) =====================


==================== NetSvcs (Whitelisted) ====================


==================== One Month Created Files and Folders ========

2012-11-18 15:23 - 2012-11-18 15:23 - 00000000 ____D C:\Windows\Panther
2012-11-18 15:23 - 2011-02-15 18:11 - 00000028 __RAH C:\Windows\version
2012-11-18 15:23 - 2011-02-15 18:11 - 00000013 ___RA C:\Windows\csup.txt
2012-11-18 15:10 - 2012-11-18 15:10 - 00000000 ____D C:\Windows.old.000
2012-11-18 15:09 - 2012-11-18 15:23 - 00000000 ____D C:\$WINDOWS.~LS
2012-11-18 15:09 - 2012-11-18 15:09 - 00000000 ____D C:\$WINDOWS.~BT
2012-11-18 14:48 - 2012-11-18 15:10 - 536870912 __ASH C:\WinPEpge.sys
2012-11-18 14:48 - 2012-11-18 14:48 - 00000000 ____D C:\Windows.old
2012-11-17 02:31 - 2012-11-17 02:31 - 00024576 ____A C:\BCD_Backup
2012-11-17 02:31 - 2012-11-17 02:31 - 00021504 __ASH C:\BCD_Backup.LOG


==================== One Month Modified Files and Folders =======

2012-11-18 17:44 - 2012-11-18 17:44 - 00000000 ____D C:\FRST
2012-11-18 15:23 - 2012-11-18 15:23 - 00000000 ____D C:\Windows\Panther
2012-11-18 15:23 - 2012-11-18 15:09 - 00000000 ____D C:\$WINDOWS.~LS
2012-11-18 15:23 - 2011-12-02 11:22 - 00008192 _RASH C:\BOOTSECT.BAK
2012-11-18 15:23 - 2009-07-13 21:38 - 00025600 __ASH C:\Windows\System32\config\BCD-Template.LOG
2012-11-18 15:23 - 2009-07-13 21:32 - 00028672 ____A C:\Windows\System32\config\BCD-Template
2012-11-18 15:23 - 2009-07-13 20:45 - 00000000 ____D C:\Windows\Setup
2012-11-18 15:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\Recovery
2012-11-18 15:23 - 2009-07-13 19:20 - 00000000 ____D C:\Windows\System32\oobe
2012-11-18 15:10 - 2012-11-18 15:10 - 00000000 ____D C:\Windows.old.000
2012-11-18 15:10 - 2012-11-18 14:48 - 536870912 __ASH C:\WinPEpge.sys
2012-11-18 15:09 - 2012-11-18 15:09 - 00000000 ____D C:\$WINDOWS.~BT
2012-11-18 14:48 - 2012-11-18 14:48 - 00000000 ____D C:\Windows.old
2012-11-17 02:31 - 2012-11-17 02:31 - 00024576 ____A C:\BCD_Backup
2012-11-17 02:31 - 2012-11-17 02:31 - 00021504 __ASH C:\BCD_Backup.LOG

==================== Known DLLs (Whitelisted) =================


==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== EXE ASSOCIATION =====================

HKLM\...\.exe: exefile => OK
HKLM\...\exefile\DefaultIcon: %1 => OK
HKLM\...\exefile\open\command: "%1" %* => OK

==================== Restore Points =========================

Restore point made on: 2012-11-06 10:27:21
Restore point made on: 2012-11-09 17:18:18
Restore point made on: 2012-11-13 06:42:09
Restore point made on: 2012-11-14 15:57:22
Restore point made on: 2012-11-16 20:29:46
Restore point made on: 2012-11-16 21:51:39

==================== Memory info ===========================

Percentage of memory in use: 10%
Total physical RAM: 6038.17 MB
Available physical RAM: 5392.08 MB
Total Pagefile: 6036.32 MB
Available Pagefile: 5378.68 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Partitions =============================

1 Drive c: (OSDisk) (Fixed) (Total:97.66 GB) (Free:40.35 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Graphics) (Fixed) (Total:484.83 GB) (Free:474.26 GB) NTFS
3 Drive e: (Recovery) (Fixed) (Total:13.67 GB) (Free:6.99 GB) NTFS
5 Drive g: (Mainframe 5) (Removable) (Total:14.93 GB) (Free:14.66 GB) NTFS
7 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 2048 KB
Disk 1 Online 14 GB 0 B
Disk 2 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 97 GB 1024 KB
Partition 0 Extended 484 GB 97 GB
Partition 3 Logical 484 GB 97 GB
Partition 2 Primary 13 GB 582 GB

==================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C OSDisk NTFS Partition 97 GB Healthy

=========================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Graphics NTFS Partition 484 GB Healthy

=========================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E Recovery NTFS Partition 13 GB Healthy

=========================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 14 GB 4032 KB

==================================================================================

Disk: 1
Partition 1
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G Mainframe 5 NTFS Removable 14 GB Healthy

=========================================================
==================== End Of Log =============================

[Advertisements]

Hi can you remember what was deleted with MBAM ?

I will initially try a system restore point and then go from there

Download the attached Fixlist.txt to the same location as FRST
[attachment=61603:fixlist.txt]
Run FRST and click fix
On completion try to boot back to normal windows .. If it should fail then let me know what errors you get

[Essexboy]

Hi can you remember what was deleted with MBAM ?

I will initially try a system restore point and then go from there

Download the attached Fixlist.txt to the same location as FRST
[attachment=61603:fixlist.txt]
Run FRST and click fix
On completion try to boot back to normal windows .. If it should fail then let me know what errors you get

[salt4502]

All I remember was "unknown rootkit on mbr". It did not save any logs. Tried the fixlist text, still the same.

Edited by salt4502, 19 November 2012 - 12:48 PM.

[Essexboy]

Ah ok that is a start, do you say you have the disc ?

If so then boot from the disc
Select "Repair my Computer"
Select Startup Repair

If that does not succeed then :

Start from the disc again
Select Repair my Computer
Select Command prompt
Type in the following Commands pressing enter after each :

Bootrec.exe /fixboot
Bootrec.exe /fixmbr

[salt4502]

I already did all that with no success, should I try it again?

[salt4502]

Essexboy

Now that I'm awake (late night person) now I see in my earlier post I forgot to mention that I had also tried reinstalling the os. It did install ok but it still won't boot.

[Essexboy]

Did you use the two bootrec commands ?

[salt4502]

Yes. Still the same "missing operating system" message.

[Essexboy]

OK next we will again use the bootrec tool

First we will see if windows can recognise any OS's

From the command prompt

bootrec.exe /ScanOs

Does this list your windows installation ?

If so then :

Bootrec.exe /RebuildBcd

Does this now allow a boot

[salt4502]

The ScanOs shows only 2 .old\windows installs which are just the folders that were made during installation.

[Essexboy]

That was what I noticed from FRST no drivers and no system 32 folder files of import

I feel your best bet at this stage would be to format the entire drive and start afresh. Use the windows CD to delete all partitions and then reformat

Sorry I could not be of more help

[salt4502]

Can I use gparted to format the c: partition and then install the os?

[Essexboy]

Certainly, do you have a copy available or would you like some links to make a USB copy ?

[salt4502]

Yes I Do. I have 2 partitions on the drive I didn't want to lose totally. But when I do will that fix my problem? I have already saved all the files I can off of C: drive that I need to rebuild my wife's system.

[Essexboy]

You will need to ensure that no one of the other partitions are marked as active and are set as simple partitions

Otherwise a full wipe would be recommended