[Solution] Spyhunter made Windows 7 unbootable

The problem:
Spyhunter is a program by Enigma Software intended to be a remover for crapware/malware/etc.
Besides whether it works or not for the intended scope, it has been reported in the past to overcharge customers that bought a license for it and to renew subscriptions billing the credit card without authorization.
Additionally, we had a number of reports that in some cases it can effectively make a Windows 7 unbootable.
It is STRONGLY NOT recommended by me.
However if you are reading this most probably you either installed on your system the trial or are a moron less experienced user that actually paid good money for it and you are now stuck with an unbootable system.

The symptoms:
You are presented with a screen (white text on black background) with three choices:

Spyhunter
Windows XP
Windows Vista/7

None of which when chosen leads to have your system booted.
The screen comes from a now obsolete version of grub4dos grldr, the 0.4.3 2007-10-15, that is renamed to shldr and has the internal embedded menu.lst modified as follows:

debug off
default 0
timeout 3
title SpyHunter
find --set-root /sh4ldr/vmlinuz
kernel /sh4ldr/vmlinuz quiet
initrd /sh4ldr/initrd.gz
title Windows XP
find --set-root /ntldr_
chainloader /ntldr_
makeactive
title Windows Vista/7
find --set-root /bootmgr_
chainloader /bootmgr_
makeactive

Evidently *somehow* the program makes a copy of bootmgr renaming it to bootmgr_ and as long as this works everything works.
Several people have reported that the provision does not work.

The solution:
In some cases what does not work is the chainloading of bootmgr_, but there is still a good copy of bootmgr so all it is needed is to press "c" to get to a grub4dos command prompt and issue the commands:

chainloader /bootmgr
boot

or, at the most:

find --set-root /bootmgr
chainloader /bootmgr
boot

What has been increasingly reported is that also chainloading the bootmgr does not work (it is very possible that this happens because of a concurrent different issue, such as malware or similar, no way to know the exact reason).
In these cases there is a way out by chainloading a copy of the bootmgr that is normally present in \Windows\boot\PCAT\, i.e. after having pressed "c" for the prompt issuing the commands:

chainloader /windows/boot/pcat/bootmgr
boot

or, at the most:

find --set-root /windows/boot/pcat/bootmgr
chainloader /windows/boot/pcat/bootmgr
boot

will work.
The above will only work if the Windows 7 has been installed on a single partition, i.e. the "system" and "boot" partition are the same volume, typically (hd0,0) in grub4dos notation.
However the "default" install on Windows 7 on a new hard disk/system creates two partitions, a first one ((hd0,0) in grub4dos notation) containing only the bootmgr and the \boot\BCD (which is the active partition in the MBR partition table or "boot" partition, called by MS "system", that normally has not a drive letter assigned) and a second partition ((hd0,1) in grub4dos notation) containing the rest of the operating system (which everyone would call "system", but that the goof MS guys call "boot", that normally has the drive letter C: assigned).
In these case you need to "force" the assignment of the boot partition, otherwise the chainloaded bootmgr will attempt to find the \boot\BCD on the same (hd0,1) partition from which it is booted and fail.
You do this by adding a parameter to the chainloader command --edx=0x0080 which basically overwrites a registry with the appropriate values, in the 0x0080 the 00 means first partition (or the second 0 in (hd0,0)) and the 80 means BIOS disk 0x80 or disk drive 128 decimal, i.e. first disk or (hd0), in a nutshell this set of commands:

find --set-root /windows/boot/pcat/bootmgr
chainloader --edx=0x0080 /windows/boot/pcat/bootmgr
boot

should manage to boot your system.

A similar situation may arise from other "rogue" or "improper" installs of grub4dos, particularly when the embedded menu.lst has been edited, it seems like some other crappy programs/loaders/whatever can create a similar issue, the good news is that attempting to run the above set of commands won't alter anything on the system, in the worst case it won't boot.

You should thank Tinybit (one of the Authors of grub4dos) for this nice, clean --edx=0x0080 trick and cdob for the finding about the existence of a working copy of bootmgr in \Windows\boot\PCAT\ .

Some past reference on the matter for historical reasons (including a few that were not solved due to OP leaving early the game):
http://reboot.pro/to...d-boot-problem/
http://reboot.pro/to...lp-grub-screen/
http://reboot.pro/to...ror-0xc000000f/
http://reboot.pro/to...file-not-found/
http://reboot.pro/to...ptop-wont-boot/
http://reboot.pro/to...nt-boot-server/
http://reboot.pro/to...ta-not-booting/


Wonko

Hi Wonko,

 

i'm a less experienced user who installed this crappy and got this kind of problem.

 

fortunately i found your explanation and was able to boot and log in to the windows.

 

this below is the one that works for me (i quote below):

 

"

root (hd0,0)

chainloader /bootmgr_

boot

"

 

however now i need to enter that everytime i boot.

could you please be kind give simple explanation/solution to fix/repair this boot problem?

i can find the bootmgr in pcat folder but still have not find the bootmgr_ and don't know what to do about it.

 

thank you very much sir.

 

http://reboot.pro/to...-2?hl=spyhunter

You need to copy C:\/windows\boot\pcat\bootmgr to C:\bootmgr.

 

FIrst thing try to boot issuing these commands in the grub4dos:

 

find --set-root /windows/boot/pcat/bootmgr
chainloader /windows/boot/pcat/bootmgr
boot

(just to make sure that the copy of bootmgr in \windows\boot\pcat\ is "good".

 

Then copy the C:\windows\boot\pcat\bootmgr to C:\bootmgr

 

Then reboot and try:

 

root (hd0,0)
chainloader /bootmgr
boot

(just to make sure that the newly copied file file works as expected)

 

That is Windows 7, right?

 

Then open a command prompt and in it run:

bootsect.exe /nt60 SYS /mbr

see:

http://www.sevenforu...oot-record.html

 

Right now your boot sequence is either of the following:

BIOS->MBR->Bootsector->grub4dos

or

BIOS->MBR->grub4dos

 

the bootsect command above will restore the "standard" MBR and bootsector so that the boot sequence will return to the "standard":

BIOS->MBR->bootsector->bootmgr

 

Most probably the C:\bootmgr_ is a Hidden and System file, you will need to set Explorer to show such files, *like*:

http://www.howtogeek...-windows-vista/

in order to "see" it and, after the computer boots successfully after the repair, delete it.

 

BEFORE all that it would be smart, since though through the manual typing of the cmmands the computer boots successfully, to procure and test *something* (liek a PE or a small live Linux distro) capable of booting the PC (just in case something goes wrong with the repair).

 

Wonko

Hi Wonko,

Thanks for the reply man.

 

Yea i'm using windows 7..

so i tried the first commands

 

find --set-root /windows/boot/pcat/bootmgr
chainloader /windows/boot/pcat/bootmgr
boot

 

but get results :

 

"

Windows Boot Manager

 

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem :

1. insert your windows installation disc and restart your computer.

2. choose your language settings, and then click 'next.'

3. click 'repair your computer.'

 

if you do not have this disc, contact your system administrator or computer manufacturer for assistance.

 

file: \boot\BCD

status: 0xc000000f

info: an error occurred while attempting to read the boot configuration data.

"

 

i have followed the instruction in the link you gave about seeing hidden and system files, however still no sight of bootmgr_ in c:\

 

Thanks

 

 

Edited by rongrong, 26 March 2016 - 11:37 AM.

Maybe you are in the situation (typical of a pre-installed Windows 7, like on a laptop) that the first partition (which is (hd0,0) in grub4dos notation) is not mounted on the booted system.
In this case the partition on which \windows\boot\pcat\bootmgr is in grub4dos notation (hd0,1) and has a drive letter C:\ assigned in Windows.
 
You will need to use either DISKPART (command line) or Disk Manager (GUI) to temporarily assign a drive letter to it (hd0,0) and mount it, let's say that you assign to it the drive letter T:\
 
In this case you then need to copy the C:\windows\boot\pcat\bootmgr to root of T:\, i.e. T:\bootmgr (and you should find the bootmgr_ on T:\ as well).
 
To test if this is the case, try running (as given in the first post):

find --set-root /windows/boot/pcat/bootmgr
chainloader --edx=0x0080 /windows/boot/pcat/bootmgr
boot

the idea is that of "forcing" the loading of /windows/boot/pcat/bootmgr as if it was on (hd0,0) i.e. with --edx=0x0080
You can also run in grub4dos:

find --set-root /windows/boot/pcat/bootmgr
root

and you should get (hd0,1) as feedback/output.
 

Wonko

Maybe you are in the situation (typical of a pre-installed Windows 7, like on a laptop) that the first partition (which is (hd0,0) in grub4dos notation) is not mounted on the booted system.

In this case the partition on which \windows\boot\pcat\bootmgr is in grub4dos notation (hd0,1) and has a drive letter C:\ assigned in Windows.

 

You will need to use either DISKPART (command line) or Disk Manager (GUI) to temporarily assign a drive letter to it and mount it, let's say that you assign to it the drive letter T:\

 

In this case you then need to copy the C:\windows\boot\pcat\bootmgr to root of T:\, i.e. T:\bootmgr (and you should find the bootmgr_ on T:\ as well).

 

To test if this is the case, try running (as given in the first post):

find --set-root /windows/boot/pcat/bootmgr
chainloader --edx=0x0080 /windows/boot/pcat/bootmgr
boot

the idea is that of "forcing" the loading of /windows/boot/pcat/bootmgr as if it was on (hd0,0) i.e. with --edx=0x0080

You can also run in grub4dos:

find --set-root /windows/boot/pcat/bootmgr
root

and you should get (hd0,1) as feedback/output.

 

Wonko

 

i tried the first commands and it let me boot and log in to windows.

the second commands gives me no feedback/output

i tried the first commands and it let me boot and log in to windows.

the second commands gives me no feedback/output

Strange.

If you issue the "root" command it should output "current root" (just set by the previous "find --set-root" command).

You can try:

root (hd0,1)
chainloader --edx=0x0080 /windows/boot/pcat/bootmgr
boot

to further confirm that the first partition (hd0,0) is "hidden" and that the second partition (hd0,1) is the actual volume where windows files are.

In any case if you boot and open Disk Manager you should see in it the first partition 100 (or 200) Mb in size without a drive letter assigned, *like*:

 

Or, as in the screenshot attached to first post, try:

find /boot/bcd

and

find /windows/boot/pcat/bootmgr

 

They should return, respectively, (hd0,0) and (hd0,1).

 

Wonko

hi Wonko,

 

i tried the command with root (hd0,1) also let me boot and log in to windows.

and yes there is system reserve with 100mb listed in disk management.

 

i think hd0,1 is the actual volume where windows file are.

hi Wonko,
 
i tried the command with root (hd0,1) also let me boot and log in to windows.
and yes there is system reserve with 100mb listed in disk management.
 
i think hd0,1 is the actual volume where windows file are.

Yep , then you can assign to that first partition (hd0,0) a drive letter in Disk Manager and proceed.
 

Maybe you are in the situation (typical of a pre-installed Windows 7, like on a laptop) that the first partition (which is (hd0,0) in grub4dos notation) is not mounted on the booted system.

In this case the partition on which \windows\boot\pcat\bootmgr is in grub4dos notation (hd0,1) and has a drive letter C:\ assigned in Windows.
 
You will need to use either DISKPART (command line) or Disk Manager (GUI) to temporarily assign a drive letter to it (hd0,0) and mount it, let's say that you assign to it the drive letter T:\
 
In this case you then need to copy the C:\windows\boot\pcat\bootmgr to root of T:\, i.e. T:\bootmgr (and you should find the bootmgr_ on T:\ as well).

Wonko

Thanks Wonko!

 

That is really working~

 

Thank you very much!

Thanks Wonko!
 
That is really working~
 
Thank you very much!

Good , only too glad to have contributed to another happy bunny :
https://www.msfn.org...&comment=828512


Wonko

Hi guys!

 

First of all i would like to thank Wonko the Sane, he was really helpful and gladly i was able to sucessfully boot my computer after following the steps on this thread. But i still fail to set my computer for the normal booting method. I'm not sure how to proceed on this.

 

I have sucessfully booted my computer after typing this:

 

find --set-root /windows/boot/pcat/bootmgr
chainloader --edx=0x0080 /windows/boot/pcat/bootmgr
boot

 

Any tips on how to change back the booting to a normal state ?  I didnt quite understand the process explained above.

Yep, now you have two partitions (volumes) on your disk (@all, I know this as the info was provided to me earlier via PM):
(hd0,0) is Active, 0x1B (hidden FAT32)
(hd0,1) is 0x07 (NTFS) <- this is the one that you see as drive letter C:

The first is not normally mounted (please read assigned a drive letter) in Windows, it is a (stupid BTW) way to "protect" the BOOTMGR and \boot\BCD from the user...

You need to open Disk Manager and select the first partition in it (see screenshot in post #7 above) that hidden partition is usually 100 Mb (but could be also 200 Mb or 300 Mb, it depends on the OS).
Then assign a drive letter to it, right-click on the partition, and then click "Change Drive Letter and Paths", then assign a drive letter, click "Add", click the drive letter you want to use, and then click "OK".

Or, if you prefer to use command line, like here:
http://www.howtogeek...-drive-letters/

Let's say you assign to it the drive letter R:, then you will need to copy:
C:\windows\boot\pcat\bootmgr
to:
R:\

Try rebooting.

Now just issuing (in grub4dos):

find --set-root /bootmgr
chainloader /bootmgr
boot

Should work to boot.

If that is fine, you can open a command prompt in the booted system and run (on Windows 7):

bootsect.exe /nt60 SYS /mbr

(see post #3 above) to make the Windows 7  boot "as before", i.e. without grub4dos.

 

Try rebooting (hopefully it should work), then you can remove again the drive letter R: from the volume.

 

Wonko
 

Okay, i tried to do that the both ways and i've come up with two different inconsistencies:

The first way, when i tried to rename the first partition the option was not highlighted. Yet, if i were to try to rename C: all the options were available.

When i tried via the Diskpart method, i only get this response, after typing ''list volume'':

 

Volume 0  D - DVD ROM 0b none

Volume 1  C            nfts 1tb healthy.

 

I didnt get the option of unnamed partition.

 

Edit: i also didn't try the (bootsect.exe /nt60 SYS /mbr) because i think i should rename the first partition first right ?

Edited by EverGreenMountains, 04 August 2016 - 02:48 PM.

Yes, wait to run bootsect until you have copied BOOTMGR to the "right" volume.

 

Probably the reason (it is not highlighted/not seen as volume) is because of the partition type being 0x1B (which is a 0x0B but "hidden"), try  unhiding it , reboot to grub4dos and in it run either:

unhide (hd0,0)

or:

hiddenflag --clear (hd0,0)

(if you run geometry (hd0) now the partition should return as being 0x0B), then boot to Windows 7  and try again with disk manager or diskpart to assign a letter to it.

 

Wonko

Yes! It worked perfectly!!!

 

I cant thank you enough Wonko, you really saved my day with these steps. I get surprised that i saw a post of you at 2012 while looking for a solution on the internet and surprisingly was able to actually get a response from you in an almost instantaneous way, you are awesome!

 

I really apreciate all that, really altruistic of your part to be that helpful, cheers and keep up the good work!

Good , another happy bunny in the basket.

http://www.msfn.org/...#comment-828512

 

Now, depending on the actual reason why that first partition was marked as 0x01B, it could be something an OEM might do (and then it would be a good idea to set it back as so) or it could be the effect of some  - if not downright malware - "rogue" tool (and then it would make VERY little sense to set it back to 0x01B) you might want to take further steps.

Anyway, if it works no need to attempt fixing it.

 

The "standard" install of Windows 7 usually creates that small partition as NTFS and it has a partition ID of 0x27 which more or less means, "it is a 0x07 but don't automatically assign a drive letter to it".

 

The partition type is anyway little relevant, as it is only a "protection type", in the PM you sent me with the output of geometry (hd0) grub4dos saw it as NTFS but with partition type 0x1B, so I believe that it's "right" type should be either 0x07 or 0x27 (actually most probably the latter).

 

BUT right now you don't have (anymore) a grub4dos bootable (even if it was the obsolete version that is included in that Spyhunter crap) so BEFORE doing anything else you should procure yourself a USB stick and make it bootable with a more recent version of grub4dos (and confirm it is booting fine).

 

Changing the partition type is obviously possible also from the booted Windows 7, but if - for any reason - the idea is wrong or however the result is not the expected one you could find yourself with an unbootable machine, so DO NOT attempt doing it (unless you have a working/tested alternate way yo boot that machine).

 

Wonko

Hi!
Thanks now i have some hope! ... Aaaaand its gone...
I have a Windows 7 alongside with Kali Linux. (When i installed Kali Linux i got grub2 with that installation.)
I have been with that setup with about half year with no problems... Exept now.
When i try to boot in to Windows i get the error "Boot failed!".
Then i press key and i get to the GRUB4DOS 0.4.4.
There reads "Press ESC for recovery menu.".
There are different options:

Windows with SLIC Loader (default)
Windows without Loader
Windows with SLIC Loader (use alternative method)
Windows with SLIC Loader (use low memory)
Windows with SLIC Loader (full debug output)
Windows with SLIC Loader (more forceful - may crash)
Load Externel Menu (menu.lst)
Grub Command line

None of these work. When editing "Windows with SLIC Loader (default)" there is:

emulateslic
errorcheck off
find --set-root --ignore-floppies -ignore-cd /XELDZ
chainloader /bootmgr
boot
find --set-root --ignore-floppies -ignore-cd /bootmgr
chainloader /bootmgr
boot
errorcheck on
pause Boot failed!
commandline

So when boot without lines 2, 9, 10, 11 , i get error saying:

Booting command-list

chainloader /bootmgr

Error 13: Invalid or unsupported executable format

Press any key to continue...

When in GNU GRUB version 2.02~beta2-36 i try this:

grub> ls
(hd0) (hd0,msdos6) (hd0,msdos5) (hd0,msdos1) (fd0)

I know that the (hdo,msdos1) is my windows partition. So i do: "ls (hd0,msdos1)/" and i seet there all my files and folders that are in my C:/ disk (Not any subfolders) and i see there some files and folders that looks like some boot files and those are: $Boot, $Volume, Boot/, bootmgr, System Volume Information/, Windows/, XELDZ bootsqm.dat, BOOTSECT.BAK

What should i do?
chainloader /bootmgr says "error: file `/bootmgr' not found"
chainloader (hd0,msdos1)/bootmgr says "error: invalid singature."

What should i do? Kali Linux works well still well.

Well, you actually have a Windows 7 that is loaded through a SLIC loader (which is not something that MS would provide) and for once, this is not even Spyhunter's fault.

A SLIC loader is a piece of software used on non properly activated Windows 7 copies, in order to workaround Windows (mandatory) activation.

 

I have no idea if it provides a modified BOOTMGR or if it works differently (by modifying something "on-the-fly".

 

Anyway, you need to get to command mode and type commands one by one, so that you can see (and report) the feedback messages that grub4dos will provide in interactive command line mode after each command is issued, you need to type (adding a [ENTER] at the end of each line:

emulateslic
find --set-root --ignore-floppies -ignore-cd /XELDZ
root
find --set-root --ignore-floppies -ignore-cd /bootmgr
root
chainloader /bootmgr
boot

If the error is about a corrupted BOOTMGR file, you can presumably use your Kali Linux to copy BOOTMGR from C:\Windows\boot\pcat\bootmgr to C:\ BUT the issue may be "worse", it is possible that there is (for *whatever* reasons) an issue in the filesystem, and it would not be a good idea to write anything to it if not after having booted a PE (a Windows install disc would do nicely) and having run CHKDISK on that volume.

 

Wonko

You need to copy C:\/windows\boot\pcat\bootmgr to C:\bootmgr.

 

FIrst thing try to boot issuing these commands in the grub4dos:

 

find --set-root /windows/boot/pcat/bootmgr
chainloader /windows/boot/pcat/bootmgr
boot

(just to make sure that the copy of bootmgr in \windows\boot\pcat\ is "good".

 

Then copy the C:\windows\boot\pcat\bootmgr to C:\bootmgr

 

Then reboot and try:

 

root (hd0,0)
chainloader /bootmgr
boot

(just to make sure that the newly copied file file works as expected)

 

That is Windows 7, right?

 

Then open a command prompt and in it run:

bootsect.exe /nt60 SYS /mbr

see:

http://www.sevenforu...oot-record.html

 

Right now your boot sequence is either of the following:

BIOS->MBR->Bootsector->grub4dos

or

BIOS->MBR->grub4dos

 

the bootsect command above will restore the "standard" MBR and bootsector so that the boot sequence will return to the "standard":

BIOS->MBR->bootsector->bootmgr

 

Most probably the C:\bootmgr_ is a Hidden and System file, you will need to set Explorer to show such files, *like*:

http://www.howtogeek...-windows-vista/

in order to "see" it and, after the computer boots successfully after the repair, delete it.

 

BEFORE all that it would be smart, since though through the manual typing of the cmmands the computer boots successfully, to procure and test *something* (liek a PE or a small live Linux distro) capable of booting the PC (just in case something goes wrong with the repair).

 

Wonko

Just registered to say my thanks, I installed this SHIT and it fucked up my pc,and you solved my problem..so thank you so much!

Just registered to say my thanks, I installed this SHIT and it fucked up my pc,and you solved my problem..so thank you so much!

 

Good .

Another happy bunny in the basket:

http://www.msfn.org/...#comment-828512

 

Wonko