Recovery partition compromised after rootkit

I've just gone through the cleanup process after the olmarik.TDL4 boot record rootkit on my HP G72 B60US notebook.  I downloaded several programs and went through the cleanup process step by step with someone in the Malwarebytes forum.  I noticed this morning that the BOOT folder on the Recovery Partition D showed a modified date from the time of purchase of the laptop to last night at 10:27pm when I was running cleanup programs with Malwarebytes.  When I open this folder, the only file with a similar modified date is the BCD file.  My question is, would the cleanup tools have modified this file, or could it have been the rootkit?  I want to know if my recovery partition was compromised and if it is unsafe for me to recover the computer from it now.
Thanks.

Hello lilsassy,
I understand that you are worried if the partition was affected by the virus.
It’s not that often that a virus will affect the recovery partition but it does happen.
More than likely it was the cleanup program that modified the files.
You can always order the recovery media to guarantee that there is no trace of the virus on the system.

Similar Messages

  • Recovery Partition Destroyed After Bootcamping

    Hi guys, I'm hoping someone can help me with this conundrum.  I installed win. 7 on my macbook air running OS X Mavericks through bootcamp and it worked great.  However, I noticed that anytime I tried to start the recovery partition, it would instead use internet recovery.  Why is this?

    What are you doing, exactly, when trying to boot from the Recovery HD?
    Boot to the Recovery HD:
    Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the arrow button below the icon.

  • 'Recovery' partition disappeared after BootCamp installation

    Since I've installed Windows on BootCamp, Lion's 'Recovery' partition containing a recovery system just disappeared.
    Is there a way of getting it back? It isn't really important, but I was just wondering if it could be reinstalled.
    Thank you!
    penguin01210

  • Recovery partition missing after Time Machine restore of Lion

    I recently purchased a new hard drive for my macbook pro and restored my system to the new disc via a Time Machine backup of the old disc. Everything worked fine and my mac is running faster than ever thanks to the new drive
    I just recently realized, however, that by using this method of restoration, the Lion recovery partition that was created during my first install is gone. This is probably due to it being a hidden partition that disc utility on my install disc was unable to recreate.
    I verified that the partition is missing by downloading the new recovery tool that Apple released a few days ago. It failed to work because the partition could not be found.
    My question is if anyone else has realized this issue and if there is a solution. Is it possible to recreate the partition without going through an archive-and-reinstall routine? In my opinion this is a bit of a blunder by Apple as it renders Time Machine useless.
    Thoughts? Suggestions?

    Read the instructions for using the Recovery HD installation tool. You must make a small partition on the new hard drive of about 1 GB or so on which to install the Recovery HD.
    To resize the drive do the following:
    1. Open Disk Utility and select the drive entry (mfgr.'s ID and size) from the left side list.
    2. Click on the Partition tab in the DU main window. You should see the graphical sizing window showing the existing partitions. A portion may appear as a blue rectangle representing the used space on a partition.
    3. In the lower right corner of the sizing rectangle for each partition is a resizing gadget. Select it with the mouse and move the bottom of the rectangle upwards until you have reduced the existing partition enough to create the desired new volume's size. The space below the resized partition will appear gray. Click on the Apply button and wait until the process has completed.  (Note: You can only make a partition smaller in order to create new free space.)
    4. Click on the [+] button below the sizing window to add a new partition in the gray space you freed up. Give the new volume a name, if you wish, then click on the Apply button. Wait until the process has completed.
    You should now have a new volume on the drive.
    It would be wise to have a backup of your current system as resizing is not necessarily free of risk for data loss.  Your drive must have sufficient contiguous free space for this process to work.

  • File Vault 2 and Lion Recovery Partition

    Has anyone noticed that the Lion recovery partition disappears after enabling File Vault 2? I don't have one anymore. It's Gone!

    Check out the OS X Lion: About FileVault2 kb.
    Starting from the Recovery HD partition after FileVault 2 is enabled
    When FileVault 2 is enabled, Recovery HD does not appear in the Startup Manager (which is accessed by holding Option during startup).  However, you can select the Recovery HD by holding Command-R as Lion starts up.

  • Tx1312AU Windows Vista Recovery partition lost

    tx1312AU Windows Vista Recovery partition lost after HD crash, how to get it back or should I try Win XP? (I hate Vista already...)

    sijyb00 wrote:
    See, the thing is, I DID make the recovery cd... but it isn't working. From my understanding, the cd uses the information from the recovery partition to restore Windows? Correct me if I'm wrong.  Every time I boot up the cd it detects no OS and when I click continue, it begins the installation and immediately says Installation cancelled, missing files, something like C:\win.int is missing.
    So the recovery cd is not working. I called Toshiba and from what I could understand from the horrible English, was that they would charge me for another recovery cd... which I don't need, because I have one. Or send in my laptop for "repair." They said it was my hard drive. Which is complete bull**bleep**, when windows failed I ran a linux os on it perfectly fine, so it is not my hard drive.
    Anyone have any ideas on how I can fix this? I have a product key for vista which I PAID for when I bought the laptop... I don't think it's fair to have to buy it over again for $100-200
    No, the recovery disks don't rely on anything on the hard drive.  From what you say, either you are not booting from the optical drive, or the disks indeed are faulty.
    The last I knew, replacement disks were $25.  See the sticky at the top of the General Discussion topic for details.
    There have been a lot of reports of problems with recovery disks, so I'm a bit surprised that Toshiba won't ship you replacements at no charge.  Might be worth another try, and an attempt to get to the next tech level.

  • ICloud (Find My Mac) won't recognize my Lion Recovery Partition.

    When I open the iCloud prefs, Find My Mac is greyed out and says "Recovery partition required." My recovery partition is bootable and working.
    This happened after I resized my partitions using GParted. As mentioned, I tested the Recovery Partition right after resizing them, and it still works.
    Here is the output of 'diskutil list /dev/disk0':
    /dev/disk0
       #:                  TYPE NAME            SIZE       IDENTIFIER
       0: GUID_partition_scheme                *320.1 GB   disk0
       1:                   EFI                 209.7 MB   disk0s1
       2:             Apple_HFS Macintosh HD    213.9 GB   disk0s2
       3:             Apple_HFS Recovery HD     649.1 MB   disk0s3
       4:  Microsoft Basic Data BOOTCAMP        75.5 GB    disk0s4
       5:  Microsoft Basic Data                 21.0 GB    disk0s5
       6:            Linux Swap                 8.7 GB     disk0s6
    Partition 5 is ext3 formatted for Linux.

    I tried using the RecoveryHDUpdate from Apple, but no dice. When selecting an install disk, it gave this error with a yellow triangle icon:
    Lion Recovery Update can't be installed on this disk. An error occurred while evaluating JavaScript for the package.
    Selecting the Recovery HD itself yielded a different yellow triangle error:
    Lion Recovery Update can't be installed on this disk. This update requires Mac OS X version 10.7.

  • HT203543 "Find my Mac" says "Recovery Partition Required".

    "Find my Mac" says "Recovery Partition Required" after recently replacing my HDD with a Solid State Drive. I used Carbon Copy Cloner to mirror the hard drive before install. I am looking for some help to get this fixed on my Late 2011 Macbook Pro.

    You did not transfer the Recovery HD from your old drive. CCC does not do that unless you specifically set it up to do so. Had you used Disk Utility instead it would have cloned the Recovery HD automatically. If you cannot restore the Recovery HD from your old hard drive to your new SSD, then you cannot use Find My Mac.
    At this point you can try the following:
    Reinstalling OS X Without Erasing the Drive
    Boot to the Recovery HD: Restart the computer and after the chime press and hold down the COMMAND and R keys until the menu screen appears. Alternatively, restart the computer and after the chime press and hold down the OPTION key until the boot manager screen appears. Select the Recovery HD and click on the downward pointing arrow button.
    Repair the Hard Drive and Permissions: Upon startup select Disk Utility from the main menu. Repair the Hard Drive and Permissions as follows.
    When the recovery menu appears select Disk Utility. After DU loads select your hard drive entry (mfgr.'s ID and drive size) from the left side list.  In the DU status area you will see an entry for the S.M.A.R.T. status of the hard drive.  If it does not say "Verified" then the hard drive is failing or failed. (SMART status is not reported on external Firewire or USB drives.) If the drive is "Verified" then select your OS X volume from the list on the left (sub-entry below the drive entry,) click on the First Aid tab, then click on the Repair Disk button. If DU reports any errors that have been fixed, then re-run Repair Disk until no errors are reported. If no errors are reported click on the Repair Permissions button. Wait until the operation completes, then quit DU and return to the main menu.
    Reinstall OS X: Select Reinstall OS X and click on the Continue button.
    Download and install the 10.10.1 update.
    Note: You will need an active Internet connection. I suggest using Ethernet if possible because it is three times faster than wireless.
    Also see:
    Reinstall OS X Without Erasing the Drive
    OS X Yosemite- Reinstall OS X

  • System recovery from partition fails after first boot

    I just purchased and received the following notebook: Pavilion DV7-6C95DX. I went through setup and then created recovery DVDs. 
    After playing with it for a short while, I decided to try restoring it to factory condition using the recovery partition and F11 during boot.  This started the recovery manager, which (according to its checklist) reformatted the Windows partition, copied required files and restored files to the hard disk.  Then it prompted me to continue to reboot and finish the process, which I did.
    Upon boot, it immediately reported "Windows failed to start... Status: 0xc000000f ... a required device inaccessible"
    I pressed Enter to continue and the screen said "Choose an operating system to start ..." and it gave me only the option "Ramdisk Options [EMS enabled]" Choosing it takes me back to the previous screen and so on.
    So, I tried using the recovery media I made earlier.  That booted Windows and Recovery Manager reported the following: "The system recovery media does not support this computer. You are not able to restore this computer with the media"  There was a code below it that read "0110-A6X02UAR#ABA-A6X02UA#ABA"
    There are apparently two problems -- the recovery partition does not work and the recovery media does not work.  I do not know if they are related, but, in any case, now the computer is unusable. It is less than a week old.
    Thanks in advance for any advice for correcting this.

    Hi Lance,
    This error can occur if there are any USB devices or media cards connected to your notebook.  If this is the case, remove everything connected to your notebook and try the Recovery process again.
    If the above is not relevant, I would try the following to rule out a potential Hardware issue.
    Before trying the following, make sure you can read the Activation key on your Windows COA label ( 5 blocks of 5 alpha/numeric sets ).
    Assuming that this is just a software problem with the Recovery process, there is a straight forward work around if you have ( or can borrow ) a retail Windows 7 installation disc that is exactly the same version as your OEM installation - ie if your notebook came with Windows 7 Home Premium 64bit this is the exact retail version you would need.
    If you don't have access to a retail disc, you can create an installation disc yourself using another PC - just download the correct Disc Image from the link below and use an application such as ImgBurn to burn the ISO correctly to a blank DVD - a guide on using ImgBurn to write an ISO to a disc is Here.  These Images are clean and from a well-respected source, however there are only limited versions available.
    Windows-7 sp1-iso-official-32-bit-and-64-bit
    Use the disc to perform the installation, enter the Windows activation key found on the COA Label when requested and when the installation has completed, use the 'Phone Method' detailed in the link below to activate the OS - this method is supported by Microsoft and is popular with people who just want a clean installation of Windows 7 without the additional software load normally bundled with OEM installations.
    http://www.kodyaz.com/articles/how-to-activate-windows-7-by-phone.aspx
    Any additional drivers you may need can be found starting Here.
    If this also fails to install Windows, I would simply return the notebook to the retailer it was purchased from and get a replacement while you are still within the time frame where this is an option.
    Regards,
    DP-K
    ****I don't work for HP****
    Microsoft MVP - Windows Experience

  • How to install a recovery partition after installing a new Hard drive? and FileVault help.

    Hi,
    I recently swapped out hard drives and when I did a Time Machine backup to the new drive, I noticed there was no Recovery HD partition for my drive. Is there a way to install it back on my MacBook Pro (Late 2011, running 10.7.4)?
    On a slightly different topic FileVault won't let me encrypt my new HD it says "Some disk formats don’t support the recovery partition required by encryption. To use encryption, reinstall this version of Mac OS X on a reformatted disk."
    What formatting does my disk require for FV to be turned on? Currently it is Mac OS Extended (journaled)
    If there is a solution to solve both these issues, or any one issue it would be appreciated.

    The formatting being referred to is actually the presence of the Recovery Disk.
    You can't enable FV2 without a recovery partition being present. The reason is strictly logical: if your entire disk was encrypted, how could you run the unencryption procedure you need to start up? That would itself be hidden behind the encryption. Hence, for FV2 to be able to work, you must have a Recovery disk present.
    When you boot up with FV2 enabled, the login screen you see to enter your password is actually running from the recovery disk (invisible to the user). After you enter your password, recovery boots your encrypted partition and logs you in to your account.

  • After install of Mavericks, it looks like my system kernel panics and just sits there. I tried waiting over two nights. Tried reinstalling twice, booting r/s. Recovery partition now has Mavericks as OS. I'm running a iMac i3 27 inch circa 2011. Any ideas?

    After install of Mavericks, it looks like my system kernel panics and just sits there. I tried waiting over two nights. Tried reinstalling twice, booting to the repair partition and repairs permissions/drive/verify, with no problems. Tried resetting PVRAM (or whatever it's called). Recovery partition now has Mavericks as OS. I'm running a iMac i3 27 inch circa 2011. Any ideas? Can still bootcamp into windows.
    Thank you

    bhadotia wrote: Anyways, the file downloaded from Dell to update the partition for Studio 1555 is corrupted (checksums don't match). My partition still doesn't boot. I'm working to fix this and will update my post when I'm done.
    The file seems to create the CD/DVD/Image and USB just fine. So I used this only to create a CD image which I then wrote on a blank CD which seems to work fine. Also, I played around a bit and had some partial success in booting the partition. I've updated my original opening post with the new findings.
    Whew!! what a waste of time! Never want to do all of this again .
    Last edited by bhadotia (2012-03-03 00:05:22)

  • Install from Recovery partition after upgrade from 10.9

    Hi all, on my MacBook 13" nov. 2012 I upgraded from Mavericks to Yosemite using the standard upgrade.
    After a couple of days I decided to perform a clean install:
    - formatted "Macintosh HD Partition"
    - rebooted with cmd+R
    - reinstalled from recovery partition.
    Is this really a clean install or my recovery partition contains pieces of the old Mavericks?
    Thanks in advance for answering
    Paolo

    paolo_italy wrote:
    First I upgraded from Mavericks to Yosemite (with no erase). Then I  booted from recovery partition, erased Macintosh HD partition and installed Yosemite.
    My question is: did I perform a really clean install or to be sure I had to erase the entire disk and recover from the Internet?
    Paolo
    You performed a clean install of OS X Yosemite.
    You were in the Yosemite Recovery HD.
    You erased the Macintosh HD which erases the previous OS install, user accounts and data files -- everything! Then you reinstalled JUST OS X Yosemite.

  • After upgrading from win 7 - win 8, do I really need the win 7 recovery partition?

    Hello.
    I'm a happy camper after upgrading my HP Spectre XT from win 7 to win 8 (Win 8 upgrade offer). The 128GB SSD disks just makes everything so smooth and fast.
    However I am a bit annoyed with the Win 7 recovery partition that still uses 20 GB of my total 128GB space.
    I have tried searching the forums, as well as the www for any good answers, but I end up more confused.
    So I am asking the community some questions that interest me, and hopefully you can provide me with some meaningful answers
    1. Can I now delete my win 7 recovery partition, and if so what is the most efficient and safe way to do it?
    2. Is there a good way to make sure that if (heaven forbid) something would happen, I still would be able to recover my notebook preferably to win 8, and not the preinstalled OEM win 7?
    3. Of course the Spectre XT has no optical drive, so if it's doable I might need to make a win 8 recovery partition in the end. Is it possible? 

    You can use Windows builtin Disk Management to delete the partition, or EaseUS software. Both procedures are outlined at EaseUS site:
    http://www.partition-tool.com/resource/windows-8-partition-manager/delete-windows-8-partition.htm
    As for a Recovery option after deleting, look at System Imaging which is builtin Windows 8 also. You need an external USB hdd for this.
    http://www.eightforums.com/tutorials/8956-system-image-create-windows-8-a.html

  • Boot Camp partition corrupted after OS X Yosemite Recovery Update

    As written in the title, after installing the Recovery update I can no longer boot to Windows, the drive doesn't appear on either StartUp disk or on boot when holding the option key. Is there any way to recover it? I don't have a backup of it so my options are either fix it if possible or start from scratch.
    Macbook Pro 15-inch mid 2012
    Processor: 2,3 GHz Intel Core i7
    Memory: 8GB 1600 Mhz DDR3
    Graphic: NVIDIA GeForce GT 650M 512MB
    OS X 10.10.3

    I followed the steps in this thread (Bootcamp partition missing after yosemite installation). I don't see my Windows partition at startup-disk.
    When I hold alt at the boot process, I can select and boot windows but then a weird error window opens, it tries to repair the problem automatically, fails and wants to restart the computer...
    What can i do?
    And my output is:
    Frederiks-MacBook-Pro:~ frederik$ diskutil list
    /dev/disk0
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:      GUID_partition_scheme                        *500.3 GB   disk0
       1:                        EFI EFI                     209.7 MB   disk0s1
       2:          Apple_CoreStorage                         299.4 GB   disk0s2
       3:                 Apple_Boot Recovery HD             650.1 MB   disk0s3
       4:       Microsoft Basic Data BOOTCAMP                200.0 GB   disk0s4
    /dev/disk1
       #:                       TYPE NAME                    SIZE       IDENTIFIER
       0:                  Apple_HFS Ohne Titel             *299.1 GB   disk1
                                     Logical Volume on disk0s2
                                     5F59958C-E8AF-4C32-A646-D58D15CE379E
                                     Unlocked Encrypted
    Frederiks-MacBook-Pro:~ frederik$ diskutil cs list
    CoreStorage logical volume groups (1 found)
    |
    +-- Logical Volume Group 4D75F3DC-C99C-47A3-9B55-3262BE4D4180
        =========================================================
        Name:         Ohne Titel
        Status:       Online
        Size:         299417849856 B (299.4 GB)
        Free Space:   118784 B (118.8 KB)
        |
        +-< Physical Volume B71D0BA3-8C42-4783-8595-6321D8F9B17F
        |   ----------------------------------------------------
        |   Index:    0
        |   Disk:     disk0s2
        |   Status:   Online
        |   Size:     299417849856 B (299.4 GB)
        |
        +-> Logical Volume Family 7F506808-72AD-4CE5-A316-897C84DDC722
            Encryption Status:       Unlocked
            Encryption Type:         AES-XTS
            Conversion Status:       Complete
            Conversion Direction:    -none-
            Has Encrypted Extents:   Yes
            Fully Secure:            Yes
            Passphrase Required:     Yes
            |
            +-> Logical Volume 5F59958C-E8AF-4C32-A646-D58D15CE379E
                Disk:                  disk1
                Status:                Online
                Size (Total):          299065409536 B (299.1 GB)
                Conversion Progress:   -none-
                Revertible:            Yes (unlock and decryption required)
                LV Name:               Ohne Titel
                Volume Name:           Ohne Titel
                Content Hint:          Apple_HFS
    Frederiks-MacBook-Pro:~ frederik$ sudo gpt -vv -r show /dev/disk0
    Password:
    gpt show: /dev/disk0: mediasize=500277790720; sectorsize=512; blocks=977105060
    gpt show: /dev/disk0: Suspicious MBR at sector 0
    gpt show: /dev/disk0: Pri GPT at sector 1
    gpt show: /dev/disk0: Sec GPT at sector 977105059
          start       size  index  contents
              0          1         MBR
              1          1         Pri GPT header
              2         32         Pri GPT table
             34          6        
             40     409600      1  GPT part - C12A7328-F81F-11D2-BA4B-00A0C93EC93B
         409640  584800488      2  GPT part - 53746F72-6167-11AA-AA11-00306543ECAC
      585210128    1269760      3  GPT part - 426F6F74-0000-11AA-AA11-00306543ECAC
      586479888       1776        
      586481664  390621184      4  GPT part - EBD0A0A2-B9E5-4433-87C0-68B6B72699C7
      977102848       2179        
      977105027         32         Sec GPT table
      977105059          1         Sec GPT header
    Frederiks-MacBook-Pro:~ frederik$ sudo fdisk /dev/disk0
    Disk: /dev/disk0    geometry: 60821/255/63 [977105060 sectors]
    Signature: 0xAA55
             Starting       Ending
    #: id  cyl  hd sec -  cyl  hd sec [     start -       size]
    1: EE    0   0   2 -   25 127  14 [         1 -     409639] <Unknown ID>
    2: AF   25 127  15 - 1023 254  63 [    409640 -  584800488] HFS+       
    3: AB 1023 254  63 - 1023 254  63 [ 585210128 -    1269760] Darwin Boot
    *4: 07 1023 254  63 - 1023 254  63 [ 586481664 -  390621184] HPFS/QNX/AUX
    Thank you

  • Recovery partition missing on new Mac Mini after bootcamp

    Hi folks.  I recently installed boot camp then removed it and now I do not have my recovery partition and I can't find a way to get it back.  I have tried the option key at startup along with the option+R and neither allow me to do emergency recovery or boot to recovery partition.  Thanks.

    According to:
    http://www.adobe.com/products/aftereffects/tech-specs.html
    It should run, though the after market card they add for rendering obviously won't be something you can add to your Mini.
