MBRCheck - Undo!

I recently had some malware on a friend's computer. Long story short I managed (so I thought) to remove all the malware and the computer seemed fine. A few days after getting it back he called me to tell me the same problem returned. I received the computer, removed the malware using malwarebytes, superantispyware, kaspersky virus revomal tool, and verified everything was clean using all those mentioned, gmer and then MBRCheck (just in case the others weren't checking for MBR viruses).

After running MBRCheck it declared "Found non-standard or infected MBR". I followed the steps to rewrite the Vista MBR header to replace it (The computer does definitely have Vista). I rebooted after it finished.

Upon restarting the computer I get the message that there are no bootable devices. I have slaved the hard drive to a different working computer and it shows the whoel drive as unallocated space.

I'm freaked out! At a pinch I don't mind reinstalling Windows, but some of those files are important and I need to be able to salvage them!

Can anyone help? Also how can I backup the information on the drive without making things worse?

 

Thank you for your fast reply!

I'm currently scanning the drive with the trial version of RecoverMyFiles to verify that the files *could* be recoverable (if I then bought the program...). My understanding is that changes to the MBR shouldn't effect the data on the drive, but I would love verification on that. Basically I'd like to try your approach first before buying software, and yet I don't want to do anything that could jeapordize the recovery of those files.

Would bootrec /fixmbr or bootrec /fixboot risk the data on the drive?

 

Thanks again .

I'm reassured that RecoverMyFiles *does* find my files. It's what you'd expect, but still makes me feel a lot better.

Unfortunately I don't have the installation DVD. The recovery media was on the second partition, which is of course floating in the unallocated space. I have a fully licensed and paid for OEM Windows XP Home SP3, OEM XP Pro SP2 and several manufacturer's Vista Home Premium DVDs (although none from Acer, if that matters).

As I understood it you wanted me to navigate to a cmd prompt from the Vista DVD and use the commands:
bootrec /FixMbr
bootrec /fixboot

Am I right in thinking I must use a Vista DVD to do this, rather than the XP CDs?

Will it be okay to use a Vista DVD that did not come with that computer?

 

I have to stop doing this tonight and pick it up again tomorrow, but will post back with my results. Many thanks .

 

I booted to the Vista x64 (installation was indeed 64 bit) DVD, navigated to the System Recovery Options screen but it failed to find an operating system. I ran the command prompt anyway, but couldn't navigate to the drive.

It occurred to me this morning that for the whole drive to show as unallocated space that the partitions are lost, so I switched my attention to fixing that. I ran the home edition of EASUS Partition Master 6.1.1 (there will be a much newer one these days) which found and recovered my partitions - yay! I was able to navigate the partitions and finally back up all the information on the drive.

I then went back to trying to make the disk bootable. I repeated the steps to run those commands but I've received the same results each time - the operating cannot be found, and the partitions cannot be navigated to in the command prompt. When trying to do so it returns the message "The device is not ready". When I try to navigate to mythical drive letters it instead says "The system cannot find the drive specified".

I've connected the HDD to my working PC and set the hidden rescue partition "PQSERVICE" to active and retried. I then tried setting the partition with windows installed, "ACER", as the active partition and retried. In each case System Recovery Options fails to populate its list.

Any idea where to go from here?

 

Small update:

When I set the recovery partition (PQSERVICE) to active I can successfully boot to it, but only with the option of restoring to factory settings. When I set the Windows installation partition (ACER) to active it's considered unbootable and skips to the next boot device such as a CD. When I use a program such as Hirens to forcefully attempt to boot from the ACER partition I black screen and the computer restarts, which is probably just something it does if no bootable information is found.

Being unable to use the bootfix commands I tried EASUS Partition Master to fixMBR for Vista but it didn't change my circumstance.

I'm starting to think that ACER has something tricksy, such as it's own version of a Vista MBR.

 

We can mark this thread as closed (and move it to the software forum too for prosperity).

I wasn't able to fix the problem as I wanted to, but was able to preserve the data and reinstall Windows - my plan B. I'm posting the steps I took for others in my situation.

Firstly, if your MBR or partitions are deleted then the data itself may well be in perfectly good order. Now from experience (about 16 of the last 24 hours of experience...) I can say that Easus Partition Master can recover the lost partitions and amend the MBR. It isn't free, but my now antique version of 6.1.1 worked just fine.

Secondly, several manufacturer's install Windows in a tricksy way. I'm unclear if there's something sneaky in the MBR (suspect not) or their 'recovery' partition (I believe so) but rebuilding the MBR for ACER and DELLS at least will cause headaches. The Recovery partition of the ACER I was working on had states - ie after booting from it as an active partition it once it would then make the second partition active and remove it's own active status. This took a lot of headaches to realize, so when experimenting you may well have to keep restoring that partition from a backup to be sure you're accurately getting the same set of variables. It would also change it's Partition ID from 07 (normal NTFS) to 12 (Compaq/HP Diagnostics) depending on it's state, which was another headache.

Anyway here are the steps to follow:
1. Use Easus Partition Master (or another program) to restore lost/deleted partitions. It will only look for lost partitions in unallocated space, so if you accidentally divided a partition into pieces and cannot access it, then you will have to delete them before being able to recover them.
2. Use a backup program to store a backup image of your important partitions. I recommend Acronis True Image Home.

Now with your files accessible and safe, you can try to reinstall Windows.

3. You must delete all other partitions on the hard drive leaving just the recovery partition, which in my case was called PQSERVICE.
4. Next you must make a partition in FAT32 (yes I know, it's rediculous but it genuinely doesn't work without doing so). I don't know the minimum size of the partition but presumably 15 gigs or so for Vista, and possibly as big as you like. It will ultimately end up being the Windows partition (and will become NTFS crazily enough).
5. Now make the recovery partition Active and with Partition ID 07. You can use Easus Partition Master again for this.

Windows should be installed from here, just follow the onscreen advice.

Problems:

- If you receive the error "cannot find file:C:\D2D\Images\*.WSI" during installation, then go back to step 5. Forcing the drive to boot from UBCD or Hiron's won't work.

- If you get error "0xa0000003" then go back to step 4 - see, creating a FAT32 partition for ACER to install windows onto really was necessary!

- If you're asked for the eRecovery Password then it's stored in the aimdrs.dat file on the Windows partition. It's in plain text and the password is the word or phrase after "PD: ".


I had tried to then delete this newly installed Windows partition and recover the one we backed up from step 2. This was unsuccessful. I either didn't manage to properly rebuild the partition table, or else the Recovery partition was somehow able to tell.