Compaq Mini won't boot


  • This topic is locked
93 replies to this topic

#1 Blackstar57


Posted 18 March 2011 - 11:20 AM

A friend's netbook has been infected with malware/spyware. He said it started with a pop-up saying he had been infected and needed to go to this website for a fix, etc, etc. Anyway, his daughter clicked a few of the buttons on the pop-up and now the computer starts off with the F9, F10, F12 options to change boot order, BIOS setup or network boot. Then screen goes blank with a flashing cursor in upper left corner.
I tried a Kaspersky boot/scan tool via USB thumb drive but it wouldn't run a scan because of a needed update but won't retrieve the update. I can go online using the USB drive running the Kaspersky tool in Linux. Not very much up on Linux so don't really know where to go from here.
This is a Compaq Mini 110
Model# 110c-1100ca
Intel Atom inside
not sure of operating system... either XP or 7
Any suggestions or help would be greatly appreciated. Thanks.

Edit: Tried to boot the netbook into safe mode with F-key but none of the F keys do anything.

Edited by Blackstar57, 18 March 2011 - 11:46 AM.




#2 Elise


Posted 19 March 2011 - 04:03 AM

Hello, let's see if we can find out what is wrong here.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft
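
A first-pass look at a dump like the mbr.bin requested in the post above, as an added example that is not part of the original thread. It assumes the classic MBR layout (440 bytes of boot code, four 16-byte partition entries at offset 446, signature 0x55 0xAA) and a known-good boot-code hash supplied by the analyst from clean media; the function names and the sample sector are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # last two bytes of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR dump into boot-code hash, partitions and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4, LE) sectors(4, LE)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }


def boot_code_matches(sector: bytes, known_good_sha256: str) -> bool:
    """True when the boot code hashes to a reference taken from clean media."""
    return parse_mbr(sector)["boot_code_sha256"] == known_good_sha256.lower()


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one active NTFS (0x07) partition at LBA 63."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 63, 204800)
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00") + b"\x00" * 6
    return body + entry + b"\x00" * 48 + BOOT_SIG


if __name__ == "__main__":
    # Constructed bytes, not a real boot loader. For a real dump, read the
    # file instead: parse_mbr(open("mbr.bin", "rb").read())
    sample = build_sample_mbr(b"\xfa\x33\xc0")
    print(parse_mbr(sample))
```

A boot-code hash that differs from the reference while the partition table and signature are intact shows only that the boot code was changed; it does not identify what changed it.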


#3 Blackstar57


Posted 19 March 2011 - 08:38 PM

Followed instructions but sick computer will not boot. Bootmgr is missing. Press Ctrl+Alt+Del to restart.

I did have the sick PC booted a couple days ago with a Kaspersky rescue OS on this same USB drive but I did format it before this attempt.

What did I do wrong?

#4 Elise


Posted 20 March 2011 - 02:34 AM

Did you reformat the USB drive now? Did you follow the instructions exactly (not just copy the files to the USB)? Try to redownload the iso (may take a while based on your connection) and then try again.

regards, Elise

#5 Blackstar57

Posted 20 March 2011 - 07:34 AM

Reformatted my USB drive to FAT32 and it worked this time.
Now I'm starting to feel like a dummy. I can not see a button or tab to allow me to attach a file to this dialog box.
I tried to copy and paste the mbr.bin file and it won't paste.
Please have patience with me. :)

#6 Elise


Posted 20 March 2011 - 09:17 AM

Sorry, my bad, please upload the file here: http://www.bleepingcomputer.com/submit-malware.php?channel=105

regards, Elise

#7 Blackstar57

Posted 20 March 2011 - 09:36 AM

Hi Elise. I just submitted the file using the link you provided.
Awaiting your advice.
Thanks
Glenn

#8 Elise


Posted 20 March 2011 - 10:13 AM

Thank you for the upload. This shows that your computer's Master Boot Record is infected with the TDL4 rootkit. Please follow the steps below to fix this.

Try this please. You will need your USB drive.

  • Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer from the USB drive.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Select [Intel] partition and press Enter to continue.

Select [MBR Code] and press Enter to continue.

Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.

Press Q repeatedly until TestDisk exits then reboot.

Edited by elise025, 20 March 2011 - 10:13 AM.

regards, Elise

#9 Blackstar57

Posted 20 March 2011 - 02:15 PM

Hi Elise.
Followed the instructions. All seemed to go fine. Rebooted into Windows and I got a Win Boot manager window.

Windows failed to start. A recent hardware or software change might be the cause. To fix the problem

1. Insert Win install disk and restart (don't have a disc or an optical drive)
2. Choose your language settings, and then click next
3. Click repair your computer

If you do not have this disc, contact sys admin or manufacturer for assistance

File: \ntldr
Status: 0xc000000e
Info: The selected entry could not be loaded because the application is missing or corrupt.

At the bottom of page I have 2 options... Enter = Continue or ESC = Exit.

Enter brings me to Windows Boot Manager

Choose an operating system to start:
(use arrow keys to highlight, etc)

Only option is Windows XP.

When I click the XP option it takes me back to the original Windows Boot Manager

Windows failed to start.

Tried F8 for safe boot and it doesn't boot... still same failed to boot.

Thank you Elise...

Glenn

#10 Elise


Posted 20 March 2011 - 03:22 PM

Let's have a look for NTLDR then. :)

  • Boot the computer with the USB drive again.
  • Click on File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see driver.sh.
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh -f
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    ntldr

  • Press Enter
  • If successful, the script will search for this file.
  • After it has finished a report will be located in the USB drive as filefind.txt

Please note - all text entries are case sensitive

Copy and paste the filefind.txt for my review

regards, Elise

#11 Blackstar57

Posted 20 March 2011 - 03:53 PM

When I expand sdb1 there is no driver.sh

All I have is boot, opt, testdsk, ldlinux.sys, mbd.bin, syslinux.cfg, testdisk.log, vesamenu.c32, and xPUDtestdisk.exe.

#12 Elise


Posted 20 March 2011 - 04:00 PM

Sorry, that's my bad, I should have included the download link. Please download it from here and save it to your flashdrive.

regards, Elise

#13 Blackstar57

Posted 20 March 2011 - 04:13 PM

Ok, saved the driver.sh to the USB and tried the steps you mentioned earlier (post #8)

Still won't boot... I'm still here and still trying... B)

I'm back to the window I mentioned in post #9.

Glenn

Edited by Blackstar57, 20 March 2011 - 04:15 PM.


#14 Elise


Posted 20 March 2011 - 05:01 PM

Did you do the filefind for ntldr? If so, you need to post me filefind.txt so I can have a look at the location of that file.

regards, Elise

#15 Blackstar57

Posted 20 March 2011 - 05:17 PM

Sorry... had a brain freeze... file is now sent.

Thanks

Glenn



