Hoo boy, this one’s a doozy.<\/p>\n
So following the removal of certain rootkits (such as Rootkit.Boot.SST.a, which is associated with the Windows Recovery rogue), you may find that your Windows boot configuration data has been totally corrupted. Worse yet, the usual steps to remedy (such as those described in my earlier post about TDL4 and the resulting blue screen) all fall apart when you reach the bootrec \/RebuildBCD<\/strong> command, which returns the message:<\/p>\n Total identified\u00a0Windows installations:\u00a00<\/p><\/blockquote>\n <\/em>Geez. \u00a0This essentially means that the bootrec command cannot identify your Windows installation, even though the Windows Recovery Environment has no trouble doing so upon starting. \u00a0So, now what?<\/p>\n Sometimes it’s as simple as opening up your favorite disk partitioning software and marking the C: partition as ACTIVE, and if there are still problems, subsequently recovering the boot data as I mentioned in the TDL4 post<\/a> (keep in mind however that the System Managed partition is typically Active normally on a Windows 7 system thanks to the isolated boot partition that it uses). \u00a0This problem occurs because of some modern rootkits which create a hidden, encrypted partition at the end of the system drive and mark it as Active and Primary (while simultaneously marking the standard boot partition as Inactive). \u00a0This infection has been covered in other recent blog posts<\/a> as well.<\/p>\n Sometimes, however, the BCD is totally corrupted and this doesn’t even work. \u00a0At this point, most every source on the internet comes up a dead end. \u00a0Everyone ends up reformatting or reinstalling Windows overtop their existing partition; nothing else seems to work.<\/p>\n You might not think it’d be helpful, but there’s an intimidating post over at the EasyBCD NeoSmart site<\/a>\u00a0which explains how to manually rebuild the Vista <\/em>bootloader from the ground up in catastrophic situations. \u00a0As it turns out, this procedure applies to Windows 7 as well (which uses the same bootloader and BCD structure), and it’s the key to your recovery here.<\/p>\n It’s no easy feat however, so roll up your sleeves and get ready to do some typing. \u00a0Here’s the full procedure from start to finish:<\/p>\n bootrec.exe \/fixmbr At this point, note the value within the curly braces {……..} <\/strong>as you will need it during the next steps. \u00a0Replace the dots within the curly braces below with that entire string on each line. \u00a0<\/strong>NOTE: \u00a0To make this easier, once you type it once, you can press the Up arrow to restore the last command and simply edit that line for the next one.<\/em><\/p>\n bcdedit.exe \/set {…..} device partition=C: Thanks to\u00a0Bitt Faulk for the final line, which restores the correct Windows loading screen as well. \u00a0You will need to replace the en-US entry with something different representing your region if you are not in the US.<\/em><\/p>\n Then you’re back in Windows, miraculously. \u00a0No reinstall necessary!<\/p>\n Side effects? \u00a0A little. \u00a0Hopefully you can handle not having the nifty new Windows 7 startup animation screen, because this will lose it for you. \u00a0Instead, you’ll be stuck with the old-school plain Jane Windows Vista progress bar. \u00a0You’ll also lose any special boot options you had previously. \u00a0But as a last resort, this works, and it’s still just as quick as ever.<\/p>\n Apart from that, once you’re back in Windows, of course, you’ll still have to disinfect the rest of the way. \u00a0In my customer’s case, the system damage was actually so bad that I ended up performing an in-place upgrade (the Vista\/7 equivalent of a Repair Install), but after that, everything was great. \u00a0It was a triumph for sure, and yet another situation where the usual solution of reformat\/reinstall was not necessary. \u00a0Now you know how to avoid it!<\/p>\n I hope you’ve found this post useful–if so, please take a moment to leave me a comment!<\/p>\n If you need computer help in the Louisville, KY area, there’s simply no one better. \u00a0Give me a call today!<\/em><\/p>\n","protected":false},"excerpt":{"rendered":" Hoo boy, this one’s a doozy. So following the removal of certain rootkits (such as Rootkit.Boot.SST.a, which is associated with the Windows Recovery rogue), you may find that your Windows boot configuration data has been totally corrupted. Worse yet, the … Continue reading \n
\nbootsect.exe \/nt60 all \/force
\nbcdedit \/export C:\\BCD_Backup
\nattrib -h -s C:\\boot\\BCD
\nren C:\\boot\\BCD BCD.old
\nbcdedit \/createstore c:\\boot\\bcd.temp
\nbcdedit.exe \/store c:\\boot\\bcd.temp \/create {bootmgr} \/d “Windows Boot Manager”
\nbcdedit.exe \/import c:\\boot\\bcd.temp
\nbcdedit.exe \/set {bootmgr} device partition=C:
\nbcdedit.exe \/timeout 10
\nattrib -h -s C:\\boot\\bcd.temp
\ndel c:\\boot\\bcd.temp
\nbcdedit.exe \/create \/d “Windows 7” \/application osloader<\/p><\/blockquote>\n
\nbcdedit.exe \/set {…..} osdevice partition=C:
\nbcdedit.exe \/set {…..} path \\Windows\\system32\\winload.exe
\nbcdedit.exe \/set {…..} systemroot \\Windows
\nbcdedit.exe \/displayorder {…..}
\nbcdedit.exe \/default {…..}
\nbcdedit.exe \/set {…..} locale en-US<\/p><\/blockquote>\n