
Trojan/Malware


  • This topic is locked
15 replies to this topic

#1 chestnut212

chestnut212

  • Members
  • 33 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Pennsylvania
  • Local time:06:44 PM

Posted 13 November 2010 - 11:48 AM

My husband has an Asus EEE PC Netbook with Windows XP SP3, Bios 0601 and has an external CDROM drive. It will not boot, safe mode not available. When I go into the BIOS, all boot options are disabled and cannot be enabled. I downloaded a new BIOS file from the ASUS website to a flash drive and used the EZ flash utility to update the BIOS. It says it successfully completed, but when I restart the computer, nothing has changed.

I also tried making an ISO CD using PE Builder (following another post), but since the CDROM is disabled, I can't boot from it. Is there anything I can do?

Thanks for your help!
Regards,
Barbara



#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 60,831 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:01:44 AM

Posted 14 November 2010 - 04:47 AM

Do you have an XP CD at hand and what happens when you try to boot normally?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 chestnut212


Posted 14 November 2010 - 09:45 AM

When I try to boot normally, the Windows logo comes up, but Windows doesn't start. I get a message to the effect that "We apologize for the inconvenience, Windows was not able to start normally..." This loops over and over. I can't start in Safe Mode. The only option is F2 and when I go into the BIOS setup, all startup options are disabled. I do have a Windows XP CD, but when I attempted to start up with it, I got a message that the hard drive could not be found.
Regards,
Barbara

#4 Elise


Posted 14 November 2010 - 12:15 PM

Please try the following:

Let's try to boot your computer using a Boot CD.

Please print this guide for future reference!

You will need a blank CD, your Windows XP install disc, a clean computer and a flash drive.

Please follow the steps below and let me know if you were successful. Please tell me what error messages you got and/or what steps you got hung up on.

1. Download the PE Builder to your desktop

http://www.nu2.nu/download.php?sFile=pebuilder3110a.exe
  • Double-Click on the PE Builder that you just downloaded to your desktop.
  • Follow all of the instructions/prompts that come up.
2. Insert your XP CD with SP1/SP2/SP3 into a CD Rom drive
  • Double-Click on PE Builder.exe located on your desktop.
  • Click NO to Search for Windows Installation Files
  • Make the following selections from the Main Screen that pops up:
    • Builder
    • Source:(path to Windows installation files)
    • Enter the path to the drive where your XP CD is located.
    • You can click on the "..." button on the right to navigate to the path as well.
  • Custom: (include files and folders from this directory)
    • No information is necessary, leave blank.
  • Output:
    • Keep the default
  • Media output
    • Choose Create ISO image
    • Do not choose Burn to CD/DVD
    • Download the RunScanner plugin and save it to your desktop

    http://www.paraglidernc.com/Files/RunScanner10025.cab

    Please note: You will be prompted for the folder in which it shall be saved. By default it appears as runscanner10025. It should be modified to just runscanner <--- Important!!!


    • Press the Plugin button on the PE Builder interface
    • Press the Add button and navigate to the location of the RunScanner plugin to install
    • Please note: If you are using a Windows XP disc with SP2 then highlight "RpcSS needs to launch DComLaunch" and then press Enable
  • When you're done press Close and the PE Builder interface will re-appear
3. Click on the "Build" button
  • You will see the Windows EULA message. Click on I Agree
  • You will now see the Build Screen. Let it run its course
  • When the Build is finished you can click close, then exit
4. Burn your ISO file to CD

==========

Next........

From your clean computer..

Please download OTLPE.zip and save it to a flash drive.
http://oldtimer.geekstogo.com/OTLPE.zip
http://www.itxassociates.com/OT-Tools/OTLPE.zip

Double click and unzip OTLPE.zip to its own folder on your flash drive. Name it OTLPE <-- Important!!

==========

Plug your flash drive into your sick computer now and do as instructed below..

==========

1. Restart Your sick Computer Using the PE Builder ISO CD That You Have Created
  • Insert the CD in to one of your CD/DVD drives.
  • Restart your computer.
    • The computer should choose to boot from the CD automatically. If it doesn't and you are asked if you want to boot from CD, then choose that option.
  • Once the desktop appears, you will receive a message asking: Do you want to start Network support?
    • Click on No
  • After it loads press the Go button in the lower left and do this....
    • Go
    • System
    • Display
    • Screen Resolution
    • 1024x768
    Next choose....
    • Go
    • Programs
    • A43 File Management Utility

==========

In A43 File Management you should see your flash drive.
Navigate to the OTLPE folder that you saved to your flash drive.

Open the OTLPE folder and double click Start.bat.

  • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTLPE should now start

    Change the following settings
    • Change Services, Drivers, Standard and Extra Registry to Use Safelist
    • Uncheck LOP and Purity check

    Please note: Stay with your computer during the course of the scan. If "Entry Point Errors" are encountered simply press "ok" and allow the program to continue. <-- Important!!
  • Push Posted Image
  • A report will open named "OTL.txt" and another will be minimized to the system tray named "Extra.txt". Save both logs to your flash drive. Copy and paste them in your next reply.

regards, Elise


#5 chestnut212


Posted 14 November 2010 - 02:49 PM

When I got to the prompt:
"Open the OTLPE folder and double click Start.bat."
There was only OTLPE.exe and Start.cmd which did not behave as the Start.bat you described. How should I proceed?
Regards,
Barbara

#6 chestnut212


Posted 14 November 2010 - 02:58 PM

Also, I opened the OTLPE.exe which seemed to open appropriately and it started to scan. A window popped up:
"Cannot find the D:\OLT.txt file. Do you want to create a new file?"
I'll wait for your response before I proceed.
Thanks!
Regards,
Barbara

#7 Elise


Posted 14 November 2010 - 03:02 PM

Please have a look in the A43 filemanagement and let me know what the drive letter of your harddisk (windows installation) is.

regards, Elise


#8 chestnut212


Posted 14 November 2010 - 03:11 PM

This is what is in the A43:
B: RAMDisk (the only folder under B is Documents and Settings)
C: USB
D: BartPE
Regards,
Barbara

#9 Elise


Posted 14 November 2010 - 03:41 PM

That doesn't look good, it seems that your Harddisk isn't detected.

You're going to need a program called TestDisk. It's a free and open source disk recovery program.

Step 1: Download the TestDisk executable for Windows here: Download
Step 2: Extract the downloaded zip file using your favorite archive extractor.
Step 3: Double-click on the testdisk_win.exe file (found in the win folder of the extracted archive)
Step 4: You will now be at a scary looking text-based command window:
Posted Image
Press Enter here to create a new log file.

Step 5: TestDisk will now detect all local hard drives, and present them in a list like this:
Posted Image
You have indicated that there is only one hard drive attached to your computer, with two partitions. So, use the arrow (up and down) keys to highlight the disk called /dev/sda.

Note: If /dev/sda isn't listed or you have more than one hard drive, STOP and post back here.

With /dev/sda selected, press Enter

Step 6: Now we need to specify the type of partitions that are on your disk. Select Intel (even if you have an AMD processor).
Posted Image
Press Enter.

Step 7: Select Analyse and press Enter.
Posted Image

Step 8: The next screen will list all found partitions. Press Enter to run a Quick Search.
Posted Image

When asked, say No to this screen:
Posted Image

Step 9: If your missing partition is found, it should show up in the list:
Posted Image
Press Q until TestDisk exits and post me the log (it will be saved in TestDisk's win folder).

regards, Elise


#10 chestnut212


Posted 14 November 2010 - 04:18 PM

/dev/sda is pointing to the USB drive. The only other drive is the CDDDVW. I assume I've lost the HD?
Regards,
Barbara

#11 Elise


Posted 14 November 2010 - 04:42 PM

You can try to rewrite the BartPE disk, a bad download/burn can also cause this. You may want to try the disk in a working computer to see if it recognizes the drives.

But given your first post, it is indeed possible the drive is a goner. I take it, however, that the CD rom works now?

regards, Elise


#12 chestnut212


Posted 14 November 2010 - 04:56 PM

Yes, I think the first ISO disk I tried to write was bad. I ended up buying ISO Burner before I got a good disk.
I think the BartPE CD is OK. I did it again today and I can see the folders (I386, SYSTEM32 AND WINSXS). Should I try removing the hard drive to see if it can be read from another computer?
Regards,
Barbara

#13 Elise


Posted 15 November 2010 - 03:26 AM

If with the new BartPE disk your harddrive shows up in A43 filemanagement, try to run OTLPE as instructed.

regards, Elise


#14 Elise


Posted 22 November 2010 - 06:26 AM

Hi, are you still there?

regards, Elise


#15 chestnut212


Posted 22 November 2010 - 10:58 AM

Hi Elise - I should have responded sooner. The netbook had a bad harddrive and my husband opted to purchase a new laptop. Luckily, everything was backed up. So this can be closed.

My daughter's laptop has a similar issue as my husband's netbook had. She doesn't live with us, but I brought her computer home and removed the harddrive and could read it, so I know something else is wrong. I am going to follow the directions for the netbook and I'll open a new issue if I need assistance.

Thanks for your help!
Regards,
Barbara



