
Repairing Windows 7 from the recovery console


40hz:
I already typed this so I'll post it anyway.
-Stoic Joker (March 03, 2014, 11:31 AM)
--- End quote ---

In my case, I was able to identify the actual boot target and navigate to the correct boot repair tools. Even with that none of the repair attempts successfully concluded. It would go away for an hour or so, then come back with the helpful news that the repair could not be successfully completed and ask if I wanted to reboot...

In my case, I think killing the rootkit took some important stuff along with it. Repairing partition tables and MBR didn't help. System said successful and all ok. But same deal on reboot. Nada.


No joy I'm afraid.

Interestingly, the hidden factory recovery partition was completely trashed. I could see it. But the OEM recovery manager (Sony VAIO) reported it was invalid and couldn't be used. Don't know if the malware did something to it, or possibly Kaspersky nuked something on it. But if so, it didn't indicate doing anything to it in the log, therefore scratch Kaspersky as a possible culprit.

So in this case it was less "scorched earth" and more like "last resort." Especially since the client hadn't made a recovery disk set and I had to order media from Sony. (Which is always great fun. Not.) Normally I won't bill a good client for a basic OS reinstall/recovery as long as they have a working disk set. In this case, I charged them one hour at my full hourly rate.

Show me some consideration - or show me a check. ;)
 8)

Stoic Joker:
...Then it's starting to sound more and more like a rootkit. Repairing the install won't necessarily remove the bug ... So it's best to go with the kill-it-with-fire approach. Run the Kaspersky offline scan of at least the boot sector and recovery partition, then format and reinstall, or do the factory recovery.

--------------------------------------------------------------------------------------------------------------------------------

Damn he's quick today...(round 2)

I already typed this so I'll post it anyway.
-Stoic Joker (March 03, 2014, 11:31 AM)
--- End quote ---

In my case, I was able to identify the actual boot target and navigate to the correct boot repair tools. Even with that none of the repair attempts successfully concluded. It would go away for an hour or so, then come back with the helpful news that the repair could not be successfully completed and ask if I wanted to reboot...

In my case, I think killing the rootkit took some important stuff along with it. Repairing partition tables and MBR didn't help. System said successful and all ok. But same deal on reboot. Nada.
(see attachment in previous post) No joy I'm afraid.

Interestingly, the hidden factory recovery partition was completely trashed. I could see it. But the OEM recovery manager (Sony VAIO) reported it was invalid and couldn't be used. Don't know if the malware did something to it, or possibly Kaspersky nuked something on it. But if so, it didn't indicate doing anything to it in the log, therefore scratch Kaspersky as a possible culprit.

So in this case it was less "scorched earth" and more like "last resort." Especially since the client hadn't made a recovery disk set and I had to order media from Sony. (Which is always great fun. Not.) Normally I won't bill a good client for a basic OS reinstall/recovery as long as they have a working disk set. In this case, I charged them one hour at my full hourly rate.

Show me some consideration - or show me a check. ;)
 8)
-40hz (March 03, 2014, 01:16 PM)
--- End quote ---

I hear ya. Did something much like that to a machine just last week that got hit by CyberLocker. Domain user account/UAC enabled ... Still killed it deader than hell.

Kaspersky said the machine was fine...but it wasn't.

I managed to finally kill the thing with these:
http://www.adlice.com/softs/roguekiller/RogueKiller.exe
http://www.adlice.com/softs/roguekiller/RogueKillerX64.exe - For reference only, machines are 32-bit

From: http://www.techsupportforum.com/forums/f50/new-instructions-read-this-before-posting-for-malware-removal-help-305963.html
GMER Rootkit Scanner: http://www2.gmer.net/gmer.zip


Seriously freaky in-memory kernel patch GMER finally spotlighted so that the SFC could notice that the kernel was not himself... but it took both of the above to get the coffin nailed shut. They had good backups - Yay me - so I got the user files and main db of the Sunday night backups (accounting works weekends).

How the hell the little MF got past Kaspersky offline I don't know ... but it did it 3 times.

40hz:
@Stoic - thx for that set of links. Wasn't familiar with RogueKiller. (There are so many tools out there.) :Thmbsup:

Addenda: It was a TDSS variant she got hit with BTW. Not in the catalog as named so somebody must have done a riff on it. But the essentials were still all TDSS.

Vurbal:
Just about the most annoying experience I ever had repairing a computer was when I had to fix a mess Best Buy made. A few months after this woman took it to Best Buy she got some malware and I ended up deciding to reinstall Windows. When Best Buy fixed it for her they had wiped the hard drive and used a Toshiba image to restore it. Then they told her she didn't have to worry about the Gateway restore disc because it had a recovery partition.

Of course, being a Toshiba OEM install, it refused to restore when it couldn't find a Toshiba laptop. She just wanted it fixed and didn't want to screw around with Best Buy and for some reason she had a Vista upgrade disc that wasn't installed on another computer and I had a stack of XP Pro OEM discs I got free and was selling cheap. Of course it also had a SATA hard drive so I ended up slipstreaming the driver into the XP install disc before installing.

Stoic Joker:
The cleanest most true to vanilla OEM disks I've ever found were Dell's. I've used them on all brands and never had a problem with anything as long as the COA was still readable.

@40 - I forget which one of the two caught the kernel patch, but neither one takes a long time to run, and both can be run in safe mode with command prompt only.
