
Black-screen after ComboFix restart


3 replies to this topic

#1 mike18xx

Posted 15 January 2010 - 05:01 AM

* XP Home edition
* infected with Internet Security 2010 (possibly other malware)
* ComboFun run, said found root-kit, and proceeded to restart (warning against interruption)
* upon restarting, after the Windows logo, the PC entered a black-screen state with the CPU fan on high, and apparently froze that way.
* Force-shutdown, restart, F8....no choice on list yields other than black-screen state with the CPU fan on high.


....the REAL problem here is a password-protected Documents and Settings user-account which is now inaccessible. (The password is known, but I don't know the procedure to open the folder when the hard drive is attached as a slave in another machine--help mucho appreciated.)



#2 Elise


Posted 15 January 2010 - 05:09 AM

Hi, did combofix ask you to note down rootkit file names? If so, please post them.

For everyone who is reading this:

Please note: ComboFix is an extremely powerful tool which should only be used when instructed to do so by someone who has been properly trained. ComboFix is intended by its creator to be "used under the guidance and supervision of an expert." It is NOT for unsupervised use. Please read Combofix's Disclaimer.

Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.

  • Restart your computer
  • Before Windows loads, you will be prompted to choose which Operating System to start
  • Use the up and down arrow key to select Microsoft Windows Recovery Console
  • You must enter which Windows installation to log onto. Type 1 and press enter.
  • At the C:\Windows prompt, type the following bolded text, and press Enter after each line:

    set allowallpaths = true

    Note, if this gives you an error message, just continue with the next line.

    dir c:\qoobox

    Please list all content that comes up after this command.
  • At the next prompt type the following bolded text, and press Enter:

    exit
Your computer will now restart.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#3 mike18xx


Posted 15 January 2010 - 11:23 AM

Hi, did combofix ask you to note down rootkit file names?

No.

dir c:\qoobox
Please list all content that comes up after this command.

BackEnv
LastRun
Quarantine
Test
TestC
ComboFix-quarantined-files.txt
ComboFix2.txt
ComboFix3.txt
ComboFix4.txt
ComboFix5.txt 69 KB 1/14/2010 7:45:55 PM
Quarantine
ComboFix-quarantined-files
SnapShot@2009-08-25_20.02.24.dat
SnapShot_2009-08-25_21.42.44.dat

...............


Do you know how to access a password-protected Documents and Settings user-account (for which the password is known) when the drive is a slave? Thanks....

#4 Elise


Posted 15 January 2010 - 12:30 PM

Please type the following at the recovery console prompt, hit enter after every line:

set allowallpaths = true

cd c:\qoobox

type combofix-quarantined-files.txt

This will show a list of files on the screen. Please copy them down for me.


To take ownership of files in XP, please see here

Edited by elise025, 15 January 2010 - 12:31 PM.

regards, Elise




