
MBR Ransomware safe-data.ru infection


  • This topic is locked
76 replies to this topic

#1 lampy

lampy

  • Members
  • 38 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Dobrich
  • Local time:01:10 AM

Posted 02 December 2010 - 01:55 PM

Hello mates, I seem to have the same problem as everyone in this thread. I am running Windows 7 Ultimate 32bit and I'd really want to save my data. I saw the work being done with testdisk, sadly no resolve as I see. I'm wondering what to do: a) use hiren as someone else noted on the first page with that miniXP system, or wait for this testdisk and see if I can get by without having to format my system. As noted, I really care about my data and that has to be saved first.
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"


#2 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,113 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:02:10 AM

Posted 02 December 2010 - 02:09 PM

Hello there, please follow these steps.

You will need a blank CD and a USB drive.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
    • The TestDisk command window will open
    • Choose Create and press Enter
    • TestDisk will now detect all local hard drives
    • Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
    • If you're not sure then note everything you see and post it for my review
    • Select Intel (even if you have an AMD processor) and press Enter
    • Select Analyse and press Enter
    • Now, your current partition structure is listed. Examine your current partition structure for missing partitions and errors.
      Confirm at Quick Search to proceed.
      When asked to search for Vista Partitions, type N (if you have XP) or Y (if you have Vista/Windows 7).
      Any found partitions will now be listed. Please see if the information is correct.

      At this point press Q until you exit and post me the Testdisk log (will be created on your USB drive).
  • A log will be created in the root of the usb device
  • Remove the USB drive and insert back in your working computer

    Please note - all text entries are case sensitive
Copy and paste the resultant log for my review

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 lampy


Posted 03 December 2010 - 02:34 AM

Hello, I did all the steps you listed. I didn't get any bad block; I think all my partition sizes looked okay. Here's the info from the log:


Fri Dec 3 09:29:41 2010
Command line: TestDisk

TestDisk 6.12-WIP, Data Recovery Utility, April 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4 - Jul 27 2010 17:00:22
ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 976773168 sectors
/dev/sda: user_max 976773168 sectors
/dev/sda: native_max 976773168 sectors
/dev/sda: dco 976773168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63, sector size=512 - ATA ST3500630NS
Disk /dev/sdb - 4063 MB / 3875 MiB - CHS 1024 125 62, sector size=512 - Kingston DataTraveler 2.0
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32768 1 1, sector size=2048 - HL-DT-ST DVDRAM GSA-4163B

Partition table type (auto): Intel
Disk /dev/sda - 500 GB / 465 GiB - ATA ST3500630NS
Partition table type: Intel

Analyse Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Current partition structure:
No partition is bootable
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"

#4 Elise


Posted 03 December 2010 - 02:53 AM

Hi, can you view and browse your drive (sda) on xPUD?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#5 lampy


Posted 03 December 2010 - 03:08 AM

Hi, can you view and browse your drive (sda) on xPUD?


Hello, I go to mnt and I can only see sdb1 (my USB drive), so I guess I can't browse my main drive.
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"

#6 Elise


Posted 03 December 2010 - 03:14 AM

What version of windows do you have installed?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#7 lampy


Posted 03 December 2010 - 03:17 AM

What version of windows do you have installed?


Windows 7 Ultimate 32bit
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"

#8 Elise


Posted 03 December 2010 - 03:27 AM

Select Analyse and press Enter
Now, your current partition structure is listed. Examine your current partition structure for missing partitions and errors.
Confirm at Quick Search to proceed.
When asked to search for Vista Partitions, type N (if you have XP) or Y (if you have Vista/Windows 7).
Any found partitions will now be listed. Please see if the information is correct.

Did you get to this point? I see no partitions listed, only the disk.

You should end up at something like this: [Posted Image]
Typically there should be two partitions since Windows 7 installs the recovery environment by default.
At that point press Q and post me the new testdisk log. If you're not sure, just let me know at which point you have a problem.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#9 lampy


Posted 03 December 2010 - 03:38 AM

Hello, at the point of your screenshot I see all my partitions with the right sizes and the Windows drive is marked as primary (as it should be, I guess).
Here is the new log. Now I'm going to try and see if I can see sda. I can't see the sda in mnt; as before it's only the sdb1.

Fri Dec 3 10:29:14 2010
Command line: TestDisk

TestDisk 6.12-WIP, Data Recovery Utility, April 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4 - Jul 27 2010 17:00:22
ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20080501
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size 976773168 sectors
/dev/sda: user_max 976773168 sectors
/dev/sda: native_max 976773168 sectors
/dev/sda: dco 976773168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
/dev/sr0 is not an ATA disk
Hard disk list
Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63, sector size=512 - ATA ST3500630NS
Disk /dev/sdb - 4063 MB / 3875 MiB - CHS 1024 125 62, sector size=512 - Kingston DataTraveler 2.0
Disk /dev/sr0 - 67 MB / 64 MiB - CHS 32768 1 1, sector size=2048 - HL-DT-ST DVDRAM GSA-4163B

Partition table type (auto): Intel
Disk /dev/sda - 500 GB / 465 GiB - ATA ST3500630NS
Partition table type: Intel

Analyse Disk /dev/sda - 500 GB / 465 GiB - CHS 60801 255 63
Current partition structure:
No partition is bootable
Ask the user for vista mode
Computes LBA from CHS for Disk /dev/sda - 500 GB / 465 GiB - CHS 60802 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 500 GB / 465 GiB - CHS 60802 255 63
NTFS at 0/1/1
filesystem size 102398247
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 2
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 0 1 1 6373 254 63 102398247
NTFS, 52 GB / 48 GiB
NTFS at 6374/1/1
filesystem size 291451167
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 18215697
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 6374 1 1 24515 254 63 291451167
NTFS, 149 GB / 138 GiB
NTFS at 24516/1/1
filesystem size 291451167
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 18215697
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 24516 1 1 42657 254 63 291451167
NTFS, 149 GB / 138 GiB
NTFS at 42658/1/1
filesystem size 291451167
sectors_per_cluster 8
mft_lcn 786432
mftmirr_lcn 18215697
clusters_per_mft_record -10
clusters_per_index_record 1
HPFS - NTFS 42658 1 1 60799 254 63 291451167
NTFS, 149 GB / 138 GiB
get_geometry_from_list_part_aux head=255 nbr=8
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=8

Results
* HPFS - NTFS 0 1 1 6373 254 63 102398247
NTFS, 52 GB / 48 GiB
L HPFS - NTFS 6374 1 1 24515 254 63 291451167
NTFS, 149 GB / 138 GiB
L HPFS - NTFS 24516 1 1 42657 254 63 291451167
NTFS, 149 GB / 138 GiB
L HPFS - NTFS 42658 1 1 60799 254 63 291451167
NTFS, 149 GB / 138 GiB
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"
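
An added example, not part of the original thread: a consistency check on the Results lines of the log above, of the kind worth doing before a recovered layout is written to the partition table. It recomputes each partition's first and last LBA from the logged CHS values (255 heads and 63 sectors per track, as the log reports) and confirms that sizes match, nothing overlaps, and everything fits on the 976773168-sector disk. The function names are this example's own.

```python
import re

HEADS, SECTORS = 255, 63      # geometry from the log: "CHS 60801 255 63"
DISK_SECTORS = 976773168      # from the log: "/dev/sda: size 976773168 sectors"

# Results lines copied from the TestDisk log in the post above.
RESULTS = """\
* HPFS - NTFS 0 1 1 6373 254 63 102398247
L HPFS - NTFS 6374 1 1 24515 254 63 291451167
L HPFS - NTFS 24516 1 1 42657 254 63 291451167
L HPFS - NTFS 42658 1 1 60799 254 63 291451167
"""

# TestDisk flags: * bootable primary, P primary, L logical, E extended, D deleted
LINE = re.compile(r"^([*PLED])\s+(.+?)\s+" + r"\s+".join([r"(\d+)"] * 7) + r"$")

def chs_to_lba(c, h, s):
    """Standard CHS -> LBA conversion; sector numbers are 1-based."""
    return (c * HEADS + h) * SECTORS + (s - 1)

def parse_results(text):
    """Return one dict per partition line: flag, type, first/last LBA, size."""
    parts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        nums = [int(x) for x in m.groups()[2:]]
        parts.append({"flag": m.group(1), "type": m.group(2),
                      "first": chs_to_lba(*nums[0:3]),
                      "last": chs_to_lba(*nums[3:6]), "size": nums[6]})
    return parts

def check(parts, disk_sectors=DISK_SECTORS):
    """Return a list of problems; an empty list means the layout is consistent."""
    problems = []
    prev_last = 0  # sector 0 holds the MBR itself
    for p in sorted(parts, key=lambda p: p["first"]):
        if p["last"] - p["first"] + 1 != p["size"]:
            problems.append(f"size mismatch at LBA {p['first']}")
        if p["first"] <= prev_last:
            problems.append(f"overlap at LBA {p['first']}")
        if p["last"] >= disk_sectors:
            problems.append(f"partition at LBA {p['first']} ends past the disk")
        prev_last = p["last"]
    return problems

if __name__ == "__main__":
    for p in parse_results(RESULTS):
        print(p)
    print(check(parse_results(RESULTS)) or "layout is consistent")
```

For this log the check returns an empty list: the CHS ranges reproduce the logged sector counts exactly, and each partition begins 63 sectors after the previous one ends.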

#10 Elise


Posted 03 December 2010 - 04:14 AM

In that case, select the Write option to write this partition structure to the partition table, confirm with Y and enter and you'll get a note that you need to reboot your computer.
Restart and let me know what happens. Then check in xPUD if sda shows up.

No need to see if sda shows up in xPUD before writing the new structure and rebooting, since it will not show up.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#11 lampy


Posted 03 December 2010 - 04:29 AM

In that case, select the Write option to write this partition structure to the partition table, confirm with Y and enter and you'll get a note that you need to reboot your computer.
Restart and let me know what happens. Then check in xPUD if sda shows up.

No need to see if sda shows up in xPUD before writing the new structure and rebooting, since it will not show up.


I wrote the new MBR, restarted, went to mnt and I still only see the sdb1.
I should be looking in the same place my USB flash drive comes up, right? (In mnt?) If so I only see sdb2.
If there is a need I can try and take pictures with my cell, but I think I'm explaining this fairly well.
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"

#12 Elise


Posted 03 December 2010 - 04:33 AM

Did you write a new MBR, or did you write the new Partition structure?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#13 lampy


Posted 03 December 2010 - 04:39 AM

Did you write a new MBR, or did you write the new Partition structure?


Ah, my bad, I did write a new MBR.
How do I write a new partition structure?
In which option menu is that? (If you could give me a screenshot or step by step to that menu please)
I only hope my mistake of writing a new MBR didn't mess everything up. :(
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"

#14 Elise


Posted 03 December 2010 - 04:45 AM

Sure, sorry I have some connection problems, which is why I made a rather short post in hopes it would go through.

Start Testdisk from your USB. Select Create and press enter (see screenshot). [Posted Image]

Make sure the drive /dev/sda is selected and enter Proceed (see screenshot). [Posted Image]

On the next screen select Intel and press enter.
On the next screen select Analyse and press enter.

You will now see something like below. Please note the details down as explained in the screenshot. Then select Proceed and press enter (Type Y to search for Vista partitions). [Posted Image]

In the next screen, when the quick search completes, press Enter to continue then select [Write] and press Enter.
Type Y to confirm the operation then Enter to select [OK] at the reboot message screen.
Press Q repeatedly until TestDisk closes then close the Terminal window and reboot.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft


#15 lampy


Posted 03 December 2010 - 05:03 AM

Oh yes, that did work. I can see all my partitions from sda1 to sda7 with sdb1 (USB drive).
sda1 is the Windows partition (C:).
Brilliant work so far. What is next? I'm getting pretty excited :D
Drake Younger: "Pain Is Temporary ,but PRIDE is Forever!"



