
Spyhunter 4 and boot problem


50 replies to this topic

#26 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 11 August 2015 - 09:05 AM

@tinybit
Nahh, I don't think it is a modified version, it is simply a very old (never recommended) version.

@Agrael98
Rethinking about the matter, it is likely that the issue is that the BOOTMGR that is chainloaded from the Windows directory on (hd0,1) tries to load the \boot\BCD from the same partition (while in reality it is in (hd0,0)).
If this is the case the \boot\BCD is still OK, and all that is needed is to *somehow* copy the BOOTMGR from the second partition to the first one.

Possibly with a more recent version of grub4dos we could try a few more tricks, but I believe that, that version being a very old one, it simply misses a number of the needed commands. :(

Now we need to boot to *something* (like a CD/DVD or USB stick).

If I am right and the \boot\BCD is OK there is no need of a Windows 7 install disk or of a PE, *anything* that can copy (on NTFS) the /Windows/Boot/PCAT/bootmgr to the root of the first partition would do.

 

We haven't tried to see if any of the files found on (hd0,0) is a copy (renamed) of BOOTMGR:
bootmgr <- this is most probably a "fake" or however not-working BOOTMGR
bootmgr_ <- this maybe is a backup copy of BOOTMGR
BOOTSECT.BAK <- this very likely is a backup copy of the bootsector that 
GRLDR <- this is a grub4dos GRLDR (what is actually loaded)
sh4ldr <- this is part of the spyhunter crap

 

Again since it costs nothing (at the most it won't work) what happens with:

root (hd0,0)

chainloader /bootmgr_

boot

 

If the above doesn't work, you need to find an alternative boot media, what do you have available? Any USB stick that you can re-format for this?

 

:duff:

Wonko



#27 sixcentgeorge

sixcentgeorge

    Frequent Member

  • Advanced user
  • 190 posts
  • France

Posted 11 August 2015 - 09:25 AM

some are using a modified grub4dos to patch the BIOS and make it have a licence for Windows.

sometimes i use it with my win7 ;'] [ to register without phone or when phone number does not show in the register window ], i never had a trouble with any antivirus or anti-malware , that works well . there are already some for win10 ..that is from yesterday , free for pirated windows...

so these tools should vanish soon...



#28 tinybit

tinybit

    Gold Member

  • Developer
  • 1078 posts
  • China

Posted 11 August 2015 - 10:26 AM

@tinybit
Nahh, I don't think it is a modified version, it is simply a very old (never recommended) version.

 

root command did not feed back with root info. This is an indicator of the version which is modified.



#29 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 11 August 2015 - 10:40 AM

root command did not feed back with root info. This is an indicator of the version which is modified.

It may be (or it may not be); in any case it has the least relevance or no relevance whatsoever HERE, Agrael98 has a real world issue, there is little sense in going on with philosophical discussions.

 

We may start a new, separate thread about these themes.

 

:duff:

Wonko



#30 sixcentgeorge

sixcentgeorge

    Frequent Member

  • Advanced user
  • 190 posts
  • France

Posted 11 August 2015 - 02:46 PM

I am killed to see a man of China explaining that "genuine is better" to an Italian....

if the grub is a modified one, it is very possible that commands are removed or changed... so any knowledge of commands can not work...

 

his boot is dead, so he should use a VHD install, do some backup and many hard things to do, for maybe not any chance of seeing again his Windows because of some "GUID mismatch"...

better format and start with a fresh computer



#31 tinybit

tinybit

    Gold Member

  • Developer
  • 1078 posts
  • China

Posted 12 August 2015 - 12:28 AM

It may be (or it may not be); in any case it has the least relevance or no relevance whatsoever HERE, Agrael98 has a real world issue, there is little sense in going on with philosophical discussions.

We may start a new, separate thread about these themes.

:duff:
Wonko


I completely agree to help others in the real world. I only tried to draw attention to something hidden, unheeded or neglected. The modified software could be: (1) good software that makes improvements; (2) malware; (3) closed-source software that breaks the GPL license agreement.



#32 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 12 August 2015 - 09:43 AM

I completely agree to help others in the real world. I only tried to draw attention to something hidden, unheeded or neglected. The modified software could be: (1) good software that makes improvements; (2) malware; (3) closed-source software that breaks the GPL license agreement.

 

Surely the second and most probably :unsure: also the third you said:

http://www.enigmasoftware.com/eula/

http://www.spyhunter...e.com/terms.php

 

The funny part is their "mission statement":

http://www.enigmasof...sion-statement/

 

The issue however is how crappy the tool is, resulting to all effects in a hijacker that in many cases simply makes the system unbootable without repairing it.

And - as seen in the links given on one of the other related threads - they additionally have a record for overcharging customers.

 

:duff:

Wonko



#33 Agrael98

Agrael98

    Newbie

  • Members
  • 19 posts
  • Serbia

Posted 12 August 2015 - 03:06 PM

Guys I'm sorry for not replying before since I wasn't at home.. in the meantime my dad decided to take the laptop to service (I'm not really sure if that is the right word = basically a place where they repair computers...). So I wasn't able to do anything you guys suggested but there they "fixed" it.. deleting Windows 7 and installing Windows 8, it works fine now, but I'm sorry for causing you trouble and wasting your time :( though at least I learned something about the boot thing :D


Edited by Agrael98, 12 August 2015 - 03:07 PM.


#34 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 12 August 2015 - 04:43 PM

Guys I'm sorry for not replying before since I wasn't at home.. in the meantime my dad decided to take the laptop to service (I'm not really sure if that is the right word = basically a place where they repair computers...). So I wasn't able to do anything you guys suggested but there they "fixed" it.. deleting Windows 7 and installing Windows 8, it works fine now, but I'm sorry for causing you trouble and wasting your time :( though at least I learned something about the boot thing :D

No prob whatever :).

Maybe now (that you have a fully working install, hopefully clean) it would be a good time to think about a recovery/emergency plan (should some similar accident happen in the future).

 

:duff:

Wonko



#35 sixcentgeorge

sixcentgeorge

    Frequent Member

  • Advanced user
  • 190 posts
  • France

Posted 12 August 2015 - 05:20 PM

Windows 8 is no longer supported... better for you to go Win10...

before that, use Computer Management / Disk to attribute a letter to the primary partition of the hard drive

then open Explorer and go in folder search and view options / in view then select to show hidden files and clear the box about protected files.

 

now go see the drive you gave a letter, there should be only a bootmgr and maybe a BOOTSECT.BAK... if you have another one with a strange name.. then your Windows is cracked using a grub4dos modified patch



#36 Agrael98

Agrael98

    Newbie

  • Members
  • 19 posts
  • Serbia

Posted 12 August 2015 - 06:10 PM

No prob whatever :).

Maybe now (that you have a fully working install, hopefully clean) it would be a good time to think about a recovery/emergency plan (should some similar accident happen in the future).

 

:duff:

Wonko

What do you suggest??

 

Windows 8 is no longer supported... better for you to go Win10...

before that, use Computer Management / Disk to attribute a letter to the primary partition of the hard drive

then open Explorer and go in folder search and view options / in view then select to show hidden files and clear the box about protected files.

 

now go see the drive you gave a letter, there should be only a bootmgr and maybe a BOOTSECT.BAK... if you have another one with a strange name.. then your Windows is cracked using a grub4dos modified patch

Well I followed you till Disk Management and I'm kinda stuck there, I'm not sure how to attribute a letter to the primary partition [screenshot]



#37 sixcentgeorge

sixcentgeorge

    Frequent Member

  • Advanced user
  • 190 posts
  • France

Posted 13 August 2015 - 06:36 AM

the first is the one not having a letter: the 100 MB named "System Reserved"; it has a folder named boot that has the famous BCD file that has the information of the installed OS... aka only Windows 7 or 8 or 10 after install

after that you can do it again in reverse: remove the drive letter and re-hide the files

 

the drive D: that is missing should be the USB stick used to install Windows...



#38 Agrael98

Agrael98

    Newbie

  • Members
  • 19 posts
  • Serbia

Posted 13 August 2015 - 07:33 AM

the first is the one not having a letter: the 100 MB named "System Reserved"; it has a folder named boot that has the famous BCD file that has the information of the installed OS... aka only Windows 7 or 8 or 10 after install

after that you can do it again in reverse: remove the drive letter and re-hide the files

 

the drive D: that is missing should be the USB stick used to install Windows...

In System Reserved there is only one folder and it's named "sh4ldr"



#39 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 13 August 2015 - 08:28 AM

The files may well have been set as hidden.

Check in Explorer to show hidden and system files.

 

I was suggesting that you set up a basic "recovery provision", i.e. a bootable *something* DVD or USB stick with the OS install source (that also has some repair capabilities) or - maybe even better - a basic PE capable of booting that machine in case of issues.

 

@tinybit

I made a quick check, the current installer for the thingy seems like a "web installer"; I found a "full installer" that is a WISE installer.

It contains a shldr file which is a byte-by-byte copy :whistling: of grub4dos grldr 0.4.3 2007-10-15 with the embedded menu.lst edited to :frusty::

debug off
default 0
timeout 3
title SpyHunter
find --set-root /sh4ldr/vmlinuz
kernel /sh4ldr/vmlinuz quiet
initrd /sh4ldr/initrd.gz
title Windows XP
find --set-root /ntldr_
chainloader /ntldr_
makeactive
title Windows Vista/7
find --set-root /bootmgr_
chainloader /bootmgr_
makeactive

:duff:

Wonko



#40 sixcentgeorge

sixcentgeorge

    Frequent Member

  • Advanced user
  • 190 posts
  • France

Posted 13 August 2015 - 02:23 PM

I searched with Google and what Wonko wrote is confirming: sh4ldr seems very old... so it is "normal" it broke your boot...

try to go again to the shop and ask for a clean Win 10 install plus the USB stick in case you have to repair the computer or reinstall.



#41 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 13 August 2015 - 02:44 PM

I searched with Google and what Wonko wrote is confirming: sh4ldr seems very old... so it is "normal" it broke your boot...

try to go again to the shop and ask for a clean Win 10 install plus the USB stick in case you have to repair the computer or reinstall.

No. :hyper:

Let's make things clear.

  1. Wonko is if not right :unsure: surely accurate by definition.
  2. The version of grub4dos being an old one DOES NOT create an issue in itself, only it misses some features/commands that maybe could have been used to recover the system.
  3. Suggesting someone to downgrade to Windows 10 - while of course it is part of your freedom - particularly after the user has already been downgraded to 8.1 from an otherwise perfectly working Windows 7, is a form of sadism. :w00t: :ph34r:
  4. In any case the statement about Windows 8 not being supported is FALSE.

Windows 7 is supported until 2020.

Windows 8/8.1 are supported until 2023.

 

There is no "need" (and personally I strongly advise against it) to downgrade to Windows 10.

 

:duff:

Wonko



#42 Agrael98

Agrael98

    Newbie

  • Members
  • 19 posts
  • Serbia

Posted 13 August 2015 - 04:15 PM

Well I doubt I will go for Windows 10 since some of my friends say it isn't anything special at all..

I will check out that "bootable device" thing and try to get one for a case like this, do you guys have any links to guides on how to create these bootable devices?

And also thanks for your advice and valuable info :thumbsup:



#43 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 15 August 2015 - 01:58 PM

Well I doubt I will go for Windows 10 since some of my friends say it isn't anything special at all..

I will check out that "bootable device" thing and try to get one for a case like this, do you guys have any links to guides on how to create these bootable devices?

And also thanks for your advice and valuable info :thumbsup:

At the very minimum you should have handy a bootable PE of some kind and/or a Linux of some kind.

A quick way to build a PE is the QuickPE:

http://reboot.pro/topic/18744-quickpe/

or if you want some more features, the MistyPE:

http://mistype.reboo...ocs/readme.html

 

To make a multiboot USB stick, you can use RMPREPUSB (more basic):

http://www.rmprepusb.com/

or the more featured (and giving so many options as to become actually not-so-easy) Easy2Boot (still based on RMPREPUSB and by the same Author):

http://www.easy2boot.com/

 

@Tinybit

I did a few tests and I am perplexed.

The solution found on the other thread (to chainload the /Windows/boot/PCAT/bootmgr) works fine if Windows 7 is installed to a "single" partition (let's say (hd0,0)) but - as seen here - it doesn't work if the install is done on two partitions (typically (hd0,0) 200 MB in size for the "system" - actually "boot" - and (hd0,1) for the "boot" - actually "system").

The issue is that obviously, chainloading (hd0,1)/Windows/boot/PCAT/bootmgr, grub4dos will show:

Will boot NTLDR from drive 0x00, partiion 0x01, hidden sectors 0xnnn

 

the chainloaded bootmgr will attempt to locate the \boot\BCD on (hd0,1) and throw an error because it cannot find it.

I expected that a more recent grub4dos version was needed, hypothesizing some rather complex use of dd and/or write, but after a number of "random" tests I found out that these commands were not really *needed*.

The tests were done in a Qemu VM with grub4dos 0.4.5 2014-11-10.

And this works nicely :):

blocklist (hd0,1)/windows/boot/pcat/bootmgr

[(hd0,1)1764600+750]<-output of the command

Subtract 2048 from 1764600=1762552


map --mem (hd0,1)1762552+3000 (rd)
partnew (rd,0) 0x07 2048 800
chainloader (rd,0)0+750
boot

 

though maybe it is a side-effect of some peculiarities of the specific grub4dos version :unsure: as it seems to me like one of those things that shouldn't work in theory (but that does in practice); the message is correct (for our use) but really should be "from drive 0x7f":

Will boot NTLDR from drive 0x00, partiion 0x00, hidden sectors 0x800

 

 

Trying the same with the 0.4.3 (the shldr) it does not work; even when setting manually the rd-base and rd-size and providing --heads and --sectors-per-track, the parser does not recognize the (rd,0); on the other hand if I map the (rd) to a hd device it works, but then the chainloader will use the "non-0x00" drive and the \boot\BCD is then not found.

 

Maybe there is a way, using some of the more obscure chainloader command parameters to change drive/partition/offset?

Or some other set of commands that may work?

 

:duff:

Wonko
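As an added worked example (not code from the thread, from grub4dos or from Wonko), here is a small Python helper that turns a grub4dos blocklist line into the map --mem / partnew / chainloader sequence shown in the post above, with the sanity checks a reader would want before typing it at the grub4dos prompt: the file must be a single contiguous extent (a fragmented bootmgr shows several extents and cannot be exposed as one fake partition), it must fit inside the fake partition, and the fake partition plus file must fit inside the RAM image. The blocklist output format, the 2048-sector offset, the 800-sector partition length and the 3000-sector image size are taken from the post; the function names are my own, and the sample input is the blocklist output quoted there.

```python
import re

# One blocklist extent as grub4dos prints it, e.g. "[(hd0,1)1764600+750]":
# device, partition-relative start sector, sector count.  The format is
# assumed from the output quoted in the post above.
EXTENT_RE = re.compile(r"\[\((hd\d+),(\d+)\)(\d+)\+(\d+)\]")


def parse_blocklist(output):
    """Return a list of (device, start, count) extents found in a blocklist line."""
    extents = [(f"({d},{p})", int(s), int(c))
               for d, p, s, c in EXTENT_RE.findall(output)]
    if not extents:
        raise ValueError(f"not a blocklist line: {output!r}")
    return extents


def rd_chainload_commands(blocklist_output, fake_part_start=2048,
                          fake_part_len=800, rd_sectors=3000):
    """Build the map --mem / partnew / chainloader / boot sequence from the thread.

    The RAM image (rd) is loaded so that the file begins at sector
    fake_part_start; partnew then writes a partition entry starting there, so
    sector 0 of (rd,0) is the first sector of the file.
    """
    extents = parse_blocklist(blocklist_output)
    if len(extents) != 1:
        # A fragmented file cannot be addressed as one "partition" in (rd).
        raise ValueError("file is not contiguous; blocklist shows several extents")
    device, start, count = extents[0]
    if count > fake_part_len:
        raise ValueError("file does not fit in the fake partition")
    if fake_part_start + count > rd_sectors:
        raise ValueError("RAM image too small for offset plus file")
    mem_start = start - fake_part_start
    if mem_start < 0:
        raise ValueError("file starts too early in the partition for this offset")
    return [
        f"map --mem {device}{mem_start}+{rd_sectors} (rd)",
        f"partnew (rd,0) 0x07 {fake_part_start} {fake_part_len}",
        f"chainloader (rd,0)0+{count}",
        "boot",
    ]


if __name__ == "__main__":
    # Constructed input: the blocklist output quoted in the post above.
    for line in rd_chainload_commands("[(hd0,1)1764600+750]"):
        print(line)
```

Run it with a blocklist line of your own and compare the printed sequence with what you intend to type; the ValueError cases are exactly the situations in which the trick cannot work, so they are worth checking before rebooting a real machine.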



#44 sixcentgeorge

sixcentgeorge

    Frequent Member

  • Advanced user
  • 190 posts
  • France

Posted 15 August 2015 - 04:34 PM

maybe you would prefer a very simple solution?

 

EaseUS
Todo Backup Free 8.6

http://www.easeus.co...re/tb-free.html

 

will save your Windows

 

but you should get some tools made by your installed drive's manufacturer, they can verify and repair some errors

here is Seagate as an example: http://www.seagate.c...tware-and-apps/

it can also be the right place for firmware updates...



#45 tinybit

tinybit

    Gold Member

  • Developer
  • 1078 posts
  • China

Posted 16 August 2015 - 01:14 AM

chainloading (hd0,1)/Windows/boot/PCAT/bootmgr the grub4dos will show:

 

Will boot NTLDR from drive 0x00, partition 0x01, hidden sectors 0xnnn

 

the chainloaded bootmgr will attempt to locate the \boot\BCD on (hd0,1) and throw an error because it cannot find it.

 

It is obvious you should place the BCD in \boot of (hd0,1). If the BCD is on (hd0,0), then you should try either of the following two methods:

 

1. add an argument --edx=0x0080 (DL for drive number, DH for partition number) to the chainloader command, thus NTLDR/BOOTMGR will treat (0x80,0x00) as the boot partition, and load the BCD from it.

 

2. after the "chainloader (hd0,1)/Windows/boot/PCAT/bootmgr" command, run "root (hd0,0)", and then "boot".



#46 tinybit

tinybit

    Gold Member

  • Developer
  • 1078 posts
  • China

Posted 16 August 2015 - 03:01 AM

Let's look into this (special) case:

 

 

 

And this works nicely :):

blocklist (hd0,1)/windows/boot/pcat/bootmgr

[(hd0,1)1764600+750]<-output of the command

Subtract 2048 from 1764600=1762552


map --mem (hd0,1)1762552+3000 (rd)
partnew (rd,0) 0x07 2048 800
chainloader (rd,0)0+750
boot

 

though maybe it is a side-effect of some peculiarities of the specific grub4dos version :unsure: as it seems to me like one of those things that shouldn't work in theory (but that does in practice) the message is correct (for our use) but really should be "from drive 0x7f":

 

         Will boot NTLDR from drive 0x00, partition 0x00, hidden sectors 0x800

 

 

The above map command does not create a virtual BIOS drive (rd). You cannot do "map --hook" for this map. This map command only does two jobs:

 

1. place disk sector data in RAM.

2. modify rd_base and rd_size so that (rd) will refer to the data in RAM.

 

Note that (rd) is not a BIOS drive.

 

(rd), (md), (pd), (ud) are only grub4dos drives, not BIOS drives. You cannot hook them in order to be used by DOS or other real-mode OSes.

 

By comparison, (fdX)'s and (hdY)'s are both grub4dos drives and BIOS drives, and each of them can act as a virtual BIOS drive.

 

So, in your case above, there is no virtual BIOS drive established.

 

Because you have not changed the drive number for (rd) (usually by "map --ram-drive=DRIVE"), the (rd) drive number is still the default 0x7F, which is floppy. And for older grub4dos versions, you cannot access partitions on a floppy. A later grub4dos version can operate smoothly on "floppy partitions".

 

I guess the chainloader command realized that the (rd) is not a BIOS drive, and refused to set it as the boot partition for NTLDR/bootmgr. It even might force the drive number to be 0x00 for floppy, since (rd) is also a floppy for now.

 

Look at this info: floppy drive=0x00, partition=0x00 and part_start=0x800. It is obviously wrong for NTLDR/bootmgr. But luckily (as I may guess), when NTLDR/bootmgr tried to locate the partition data on the floppy, it failed, and NTLDR/bootmgr might be clever enough that it can search for BCDs on (hd0). Then it finally succeeded.

 

EDIT: And so I guess this might also work for you:

 

map (hd0,1)/windows/boot/pcat/bootmgr (rd)

chainloader (rd)+1

boot

 

The "--mem" option is omitted here, because (rd) already indicates a memory operation. And (rd)+1 means the whole contents of the data in (rd).

 

If failed, then wipe out a sector of data in memory address 0x7C00 - 0x7DFF (fill with 00's or FF's or any garbage) just before running the "boot" command, and try again.

 

If it still fails, try dd'ing the beginning sector (512 bytes) of bootmgr onto memory address 0x7C00, and then "boot".



#47 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 16 August 2015 - 09:21 AM

My bad :( typo :frusty:.
 
The message I get with the sequence (in 0.4.5)
 

blocklist (hd0,1)/windows/boot/pcat/bootmgr
map --mem (hd0,1)1762552+3000 (rd)
partnew (rd,0) 0x07 2048 800
chainloader (rd,0)0+750
boot

is actually:

Will boot NTLDR from drive 0x80, partiion 0x00, hidden sectors 0x800

 
this is what I found "queer".
 
I will try your suggestions and see if any of them works to have bootmgr find the \boot\BCD and report, thanks.
 
:duff:
Wonko
 
P.S.:
Some results:
 
Test1:

map (hd0,1)/windows/boot/pcat/bootmgr (rd)
chainloader (rd)+1
Error 14: Invalid or unsupported executable format
chainloader --force (rd)+1
boot

HANG.

Test 2:

chainloader (hd0,1)/windows/boot/pcat/bootmgr
Will boot NTLDR from drive 0x80, partition 0x01, hidden sectors 0x32800
root (hd0,0)
Filesystem type is ntfs, partition type 0x7
boot

BCD not found error 0xc000000f An error occurred while attempting to read the boot configuration data

We have a winner :yahoo:
Test 3:

chainloader --edx=0x0080 (hd0,1)/windows/boot/pcat/bootmgr
Will boot NTLDR from drive 0x80, partition 0x00, hidden sectors 0x800
boot

SUCCESS!

Simple and effective. :thumbsup:

#48 tinybit

tinybit

    Gold Member

  • Developer
  • 1078 posts
  • China

Posted 16 August 2015 - 12:28 PM

it is actually:

Will boot NTLDR from drive 0x80, partition 0x00, hidden sectors 0x800

 

this is what I found "queer".


But this seems "correct and normal" to me. The chainloader did not set the boot drive to 0x7F. Instead, it kept the drive number (of just before running the chainloader command) of 0x80 untouched. It is a wise decision. It used the specified partition number 0 in (rd,0), and the specified part_start of 0x800 established by the partnew. These happen to be the correct values of the real (hd0,0): the real (hd0,0) did have partition number 0 and part_start of 0x800. Therefore, the PBR of the real (hd0,0) is loaded (by the chainloader command) onto the memory range 0x7C00 - 0x7DFF.
 
But the drive number might not be so important to ntldr/bootmgr. ---- I mean, a wrong drive number could make no difference for ntldr/bootmgr to boot up, because ntldr/bootmgr uses the boot sector at 0000:7C00 (the BPB) to determine the boot drive number and the part_start parameter.

So the really important thing (to ntldr/bootmgr) might be this: the BPB at 0x7C00 must correctly reflect the real boot partition (the ending 55 AA at 0x7DFE might also be checked by ntldr/bootmgr). ntldr/bootmgr uses this BPB to determine the boot partition.
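To make the point about the BPB concrete, the following is an added Python example (not code from the thread, from grub4dos or from Windows) that builds a constructed MBR and two constructed NTFS boot sectors in memory and reports what a loader reading the sector at 0x7C00 would see: the hidden-sectors field at offset 0x1C, the 55 AA signature at 0x1FE, and whether the hidden-sectors value agrees with the partition start recorded in the MBR table at 0x1BE. This is the check worth running on a rescued disk after a tool has rewritten boot files: if the "system" partition's PBR carries the wrong hidden-sectors value, no amount of chainloader tweaking will make bootmgr find \boot\BCD. The byte at offset 0x24 is read as the drive-number byte; it is conventionally 0x80 on a hard disk but Microsoft documents that dword as unused, so treat that field as an assumption. The edx_argument helper encodes the --edx=0x0080 form from post #45 (DL = drive, DH = partition). The partition layout (start 0x800 for the 100 MB System Reserved partition, start 0x32800 for the Windows partition) is constructed to match the hidden-sectors values quoted in this thread.

```python
import struct

# Offsets in a 512-byte NTFS boot sector (PBR).  0x0B..0x1F is the classic
# DOS BPB; 0x1C ("hidden sectors") is the LBA where the partition starts.
BYTES_PER_SECTOR = 0x0B
SECTORS_PER_CLUSTER = 0x0D
HIDDEN_SECTORS = 0x1C
DRIVE_NUMBER = 0x24      # assumption: conventionally 0x80 on a hard disk
TOTAL_SECTORS = 0x28
SIGNATURE = 0x1FE        # 55 AA
MBR_TABLE = 0x1BE        # four 16-byte partition entries


def make_ntfs_pbr(hidden_sectors, total_sectors, drive=0x80):
    """Constructed (not real) NTFS boot sector carrying the fields the check reads."""
    s = bytearray(512)
    s[0:3] = b"\xEB\x52\x90"                       # jump
    s[3:11] = b"NTFS    "                          # OEM ID
    struct.pack_into("<HB", s, BYTES_PER_SECTOR, 512, 8)
    s[0x15] = 0xF8                                 # media descriptor
    struct.pack_into("<HH", s, 0x18, 63, 255)      # sectors/track, heads
    struct.pack_into("<I", s, HIDDEN_SECTORS, hidden_sectors)
    s[DRIVE_NUMBER] = drive
    struct.pack_into("<Q", s, TOTAL_SECTORS, total_sectors)
    struct.pack_into("<H", s, SIGNATURE, 0xAA55)   # little-endian -> 55 AA
    return bytes(s)


def make_mbr(partitions):
    """Constructed MBR; partitions is a list of (type, lba_start, lba_len)."""
    s = bytearray(512)
    for i, (ptype, start, length) in enumerate(partitions):
        off = MBR_TABLE + 16 * i
        s[off] = 0x80 if i == 0 else 0x00          # active flag on the first
        s[off + 4] = ptype
        struct.pack_into("<II", s, off + 8, start, length)
    struct.pack_into("<H", s, SIGNATURE, 0xAA55)
    return bytes(s)


def parse_pbr(sector):
    """Fields of a boot sector that a BPB-reading loader cares about."""
    if len(sector) != 512:
        raise ValueError("a boot sector is exactly 512 bytes")
    sig = struct.unpack_from("<H", sector, SIGNATURE)[0]
    return {
        "oem": sector[3:11].decode("ascii", "replace").rstrip(),
        "bytes_per_sector": struct.unpack_from("<H", sector, BYTES_PER_SECTOR)[0],
        "hidden_sectors": struct.unpack_from("<I", sector, HIDDEN_SECTORS)[0],
        "drive": sector[DRIVE_NUMBER],
        "signature_ok": sig == 0xAA55,
    }


def partition_start(mbr, index):
    """LBA start of MBR partition entry `index` (0..3)."""
    return struct.unpack_from("<I", mbr, MBR_TABLE + 16 * index + 8)[0]


def pbr_matches_partition(mbr, pbr, index):
    """True when the PBR's hidden-sectors value is the partition's real start."""
    info = parse_pbr(pbr)
    return info["signature_ok"] and info["hidden_sectors"] == partition_start(mbr, index)


def edx_argument(drive, partition):
    """grub4dos chainloader --edx value: DL = BIOS drive, DH = partition index."""
    return f"--edx=0x{(partition << 8) | drive:04x}"


def edx_decode(value):
    """Split an EDX value back into (drive, partition)."""
    return value & 0xFF, (value >> 8) & 0xFF


if __name__ == "__main__":
    # Constructed layout matching the hidden-sectors values seen in the thread.
    mbr = make_mbr([(0x07, 0x800, 0x32000), (0x07, 0x32800, 0x400000)])
    sysres = make_ntfs_pbr(0x800, 0x32000)
    for idx, name in ((0, "System Reserved"), (1, "Windows")):
        ok = pbr_matches_partition(mbr, sysres, idx)
        print(f"{name}: PBR hidden sectors 0x{parse_pbr(sysres)['hidden_sectors']:x} "
              f"vs MBR start 0x{partition_start(mbr, idx):x} -> {'match' if ok else 'MISMATCH'}")
    print(edx_argument(0x80, 0))
```

On a real disk the same functions can be fed the first 512 bytes of the device and of the partition (read with any raw-sector tool from rescue media); a mismatch between the PBR's hidden-sectors field and the MBR entry is the "wrong BPB at 0x7C00" case described above.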



#49 Wonko the Sane

Wonko the Sane

    The Finder

  • Advanced user
  • 14284 posts
  • Location:The Outside of the Asylum (gate is closed)
  • Italy

Posted 16 August 2015 - 12:41 PM

But this seems "correct and normal" to me. The chainloader did not set the boot drive to 0x7F. Instead, it kept the drive number(of just before running the chainloader command) of 0x80 untouched. It is a wise decision.

Undoubtedly "wise" :), only I didn't expect it; the (rd) drive is declared as being 0x7f and I expected that this would have been reflected in the "will boot ...".


However, providing the --edx=0x0080 switch is the actual "right way" to do it; I just posted a new (hopefully) one-size-fits-most suggested solution for the issue here:
http://reboot.pro/to...s-7-unbootable/

Let's see if it works for the people that actually are stuck in this situation (as opposed to my "simulated" environment) :unsure:.

Thanks again :thumbsup:, I had till now believed that the --edx switch would have accepted only the drive number (as in --edx=0x80) :blush: , and not also the partition number, it's always good to learn new things :smiling9:.

:duff:
Wonko



#50 tinybit

tinybit

    Gold Member

  • Developer
  • 1078 posts
  • China

Posted 16 August 2015 - 02:14 PM

The (rd) is not a BIOS drive( it is only a grub4dos drive). It would be invalid and would disappear when ntldr/bootmgr gains control. So the chainloader command decides to not use it. This is understandable.

 

TEST 1: Error 14 and HANG ------ this should be a bug introduced recently. Try older versions.

 

TEST 2: failed to set the boot partition for ntldr/bootmgr. This should also be an introduced bug. Try version 0.4.4.





