Messed up the registry(?) due to rootkit removal and now BCD is broken

SoccerGuy · Nov 2, 2014

Computer is a LenovoT420 with Win 7, 64bit

I made a huge mistake. In the future I think I'll avoid scanning for rootkits till I learn how to do this properly, but here's how my troubles started.

So I was in safemode removing malware from the computer with MalwareBytes and I included rootkit scanning. Well it found one and I removed it. I go to restart computer and now I get the message from Windows Boot Manager

File: \Boot\BCD
Status: 0xc000000f
Info: An error occurred while attempting to read the boot configuration data.

For my next steps, here's what I've tried to resolve the issue.
I can still access the BIOs so I move booting from the CD drive to the top. I inserted a Win 7 recovery cd to do Startup Repair; however, it doesn't show me an OS to repair in the list. I still select the first option although it is now it says at the top

Operating system: Unknown on (unknown) Local Disk

Then, running startup repair shows me the following

Root cause found:
------------------
Boot sector for system disk partition is corrupt.

Repair action: Boot sector repair
Result: Failed. Error code = 0x490
Time taken = 185423 ms

I tried some other solutions around this topic using bootrec /fixmbr, /fixboot, /scanos, /rebuildbcd. They all say "The operation completed successfully", but the "Total identified Windows installations: 0". Willing to try these options again though to make sure I did everything right.

Also when I'm in the command prompt the current directory is "X:" and I thought I should be working in C:? I've heard the letters can get rearranged but I wanted to be sure I was in the right place.

Help would be greatly appreciated as I'm completely lost now @_@

Brighttail · Nov 2, 2014

I'm going to make this simple for you. It may not be what you want to hear... when talking about rootkits they are very hard to fully get rid of them and when yo uthink you have they are back. Delete all partitions, recreate them and reinstall is the best way to get rid of all the malware on your computer, very little can survive that process.

USAFRet · Nov 2, 2014

Secondly, whenever you mess around in the Reg.....make a back up of the whole Registry first.

SoccerGuy · Nov 2, 2014

Brighttail :

Thanks for the hard honest advice though it is very sad to hear

Is there any way to get my computer to boot up normally again even with the rootkits still there? I still haven't backed up any of the data and reallllyyy don't want to lose it so getting back in to recover it would be great.

@USAFRet

Yea I really underestimated how badly things would go wrong when I added scanning for rootkits to the MalwareBytes options. Assuming I had made a backup of the registry, how would I go about fixing it? Interested in at least learning from this experience so I might not repeat the same mistake.

Brighttail · Nov 2, 2014

if you can get into safe mode you can back up there and off the top of my head nothing comes to mind if the disk has corrupted files preventing it to boot. Best choice is to take the HDD out, put it on another computer and back up your files there, but.....

Anything you pull from backup has the chance that it could be infected and so when you put everything back together, it could come back, even if you scan that drive before you reinstall your backups. If they are that important, put it onanother computer, pull your files off. Then reinstall, install all your virus programs and scan the shit out of the backups, hope it works then.

Paul NZ · Nov 2, 2014

Boot from the DVD again this time go to advanced repair. Log in as local admin run the command prompt.

Type in C:\bootrec.exe /FixMbr wait for it to finish then reboot. See what happens

Brighttail · Nov 2, 2014

I suppose if he can get to a dos prompt he can go old school and try to copy files/directories that way

been a while since i had to do it but should be possible

SoccerGuy · Nov 2, 2014

Brighttail :

Ok thanks Brighttail. Unfortunately can't even get into safemode anymore so I guess I'll have to try the latter. Kind of scary to think there's still a chance the files will be infected and infect another computer, but I'll try scanning it with a few antiviruses. Normally I use Microsoft Security Essentials and Malware Bytes, would you recommend anything else?

USAFRet · Nov 2, 2014

SoccerGuy :

A backup of the Registry would at least allow a return to the state of:
Messed up file system but OK Registry, rather than
Messed up file system AND messed up Registry.

If it were me, I'd just wipe and reinstall. Or just reimage from the OS drive image I made last week.

SoccerGuy · Nov 2, 2014

Paul NZ :

So it starts the command prompt with "X:" instead of "C:". No idea why. Tried fixmbr as well as some of the other fixboot, rebuildbcd, and they all say "complete successfully" but the error persists on reboot.

@Brighttail

Haha... well I'm willing to try the copy files/directories approach if you know of a guide. Thanks for the help and sorry, I don't mean to take up too much of your time.

Edit: I will try recovering the files off the HD by hooking it up to another computer then do an OS reinstall. Thanks again for the help and don't worry about spending more time on it!

Paul NZ · Nov 2, 2014

Try post #4

http://www.bleepingcomputer.com/forums/t/487747/laptop-boots-from-random-x-drive-instead-of-c-help-please/

I booted to a Windows Repair Disk 64 bit (use the proper one for your system) and brought up the CMD prompt.

I decided to first check which partition was active so I used the "diskpart" command and pressed enter

From here, it will show you which drives you have on your PC ex: Disk 0, Disk 1, Disk 2 etc. as well as the size of each drive.

Since I'm working on a laptop I only had 1 show up so I then proceeded to select that drive by typing " select disk 0"

You can replace 0 with which ever drive you might have, in this case mine is 0

Then I went on to check the partitions on this drive by typing "list partition" which brought up a list of the partitions on that specific drive

Take notice that they are not letter coded but rather are listed as "Partition 1, Partition 2, etc along with the partition type and size"

I had a total of 4 Partitions 1 labeled "OS", another "RECOVERY" a third "DELLUTILITY" and the star of the show Partition 4 aka drive X:

From here i wanted to set the PC to boot from the "OS" aka partition 1 so I typed "select partition 1" change the number according to your specific partition setup.

it will say "Disk (#) selected" # being your partition number

once that was done I went along and typed "active" and pressed enter.

You will get "Partition "#" is active", Then I closed command prompt and ran System repair from the repair disk and the laptop restarted.

Finally it booted into the windows 7 partition but I received the error

File: \Boot\BCD

Status: 0xc000000f

Info: "an error occurred while attempting to read the boot configuration data"

This usually means the boot sector is damaged or missing, but can be replaced with a repair disk

So type this in a command prompt

I booted from the repair disk once more and went back into the command prompt and typed "C:" where Windows is then ENTER, there i typed "Bootrec /RebuildBcd" don't forget the spaces and then press ENTER.

I then closed command prompt and rebooted and VOILA sexy windows 7 booted up like a charm.

Brighttail · Nov 2, 2014

That is awesome....I hope it works for him, that being said, even if he can get his stuff backed up he really should delete all partitions from his hard drive, recreate them and reinstall.

SoccerGuy · Nov 2, 2014

Paul NZ :

Try post #4

http://www.bleepingcomputer.com/forums/t/487747/laptop-boots-from-random-x-drive-instead-of-c-help-please/

I booted to a Windows Repair Disk 64 bit (use the proper one for your system) and brought up the CMD prompt.

I decided to first check which partition was active so I used the "diskpart" command and pressed enter

From here, it will show you which drives you have on your PC ex: Disk 0, Disk 1, Disk 2 etc. as well as the size of each drive.

Since I'm working on a laptop I only had 1 show up so I then proceeded to select that drive by typing " select disk 0"

You can replace 0 with which ever drive you might have, in this case mine is 0

Then I went on to check the partitions on this drive by typing "list partition" which brought up a list of the partitions on that specific drive

Take notice that they are not letter coded but rather are listed as "Partition 1, Partition 2, etc along with the partition type and size"

I had a total of 4 Partitions 1 labeled "OS", another "RECOVERY" a third "DELLUTILITY" and the star of the show Partition 4 aka drive X:

From here i wanted to set the PC to boot from the "OS" aka partition 1 so I typed "select partition 1" change the number according to your specific partition setup.

it will say "Disk (#) selected" # being your partition number

once that was done I went along and typed "active" and pressed enter.

You will get "Partition "#" is active", Then I closed command prompt and ran System repair from the repair disk and the laptop restarted.

Finally it booted into the windows 7 partition but I received the error

File: \Boot\BCD

Status: 0xc000000f

Info: "an error occurred while attempting to read the boot configuration data"

This usually means the boot sector is damaged or missing, but can be replaced with a repair disk

So type this in a command prompt

I booted from the repair disk once more and went back into the command prompt and typed "C:" where Windows is then ENTER, there i typed "Bootrec /RebuildBcd" don't forget the spaces and then press ENTER.

I then closed command prompt and rebooted and VOILA sexy windows 7 booted up like a charm.

So I tried it and no dice unfortunately. After switching to C: and running bootrec /rebuildbcd, it said it didn't see any windows installations. Though on the plus side I managed to the C: directory for the first time. I'm thinking this might work if it saw my windows installations so I'll try to figure out a way to make it stop saying "Total identified Windows Installations: 0" and try this again.

Brighttail · Nov 2, 2014

Well even if you have a windows directory if you don't have a good Master Boot Record, it won't know what to do ...good news is you may be able to copy some of yoru files old school way from the DoS prompt. Get a flash drive do the ol:

Copy C:\foldermyfileisin\FILENAME F:\Directoryyouwanttosavein

SoccerGuy · Nov 2, 2014

So after trying the diskpart command and activating and repairing the two partitions I had to see which one worked. It finally had some amount of success? I have the same Status: 0xc000000f, but the message is now

The boot selection failed because a required device is inaccessible

However, after this point all the iterations of bootrec and partition selecting don't seem to be getting any further. I'll take Brighttail's advice on the file recovery and just reinstall the OS. Thanks again everyone for the help.

Paul NZ · Nov 2, 2014

Should have used tdsskiller it would have done a better job than malwarebytes

Brighttail · Nov 2, 2014

I wish we could give you better advice, but rootkits are insane cause of how far and wide their hold is. I have yet to really see a good remover remove it without causing more damage. Keep running backups from now on and in the future you can just reinstall clean.

Remember to scan the hell out of the backups before putting them back on your computer.

Please remember to choose the best solution for this issue and good luck.

Messed up the registry(?) due to rootkit removal and now BCD is broken

Reputable

Reputable

Titan

Reputable

Reputable

Polypheme

Reputable

Reputable

Titan

Reputable

Polypheme

Reputable

Reputable

Reputable

Reputable

Polypheme

Reputable

Share this page