
blackscreen on boot - unhide.exe


  • This topic is locked
39 replies to this topic

#1 finalcut

Posted 17 April 2011 - 11:17 AM

Hello,
I am new to this community and I am coming to you because I have an unsolvable problem. A few days ago I was infected with a malware/spyware called: 'Windows Recovery'.
After lots of hours I was able to remove everything the virus had left. (Kaspersky TDSS removed the rootkit and ComboFix did a great job bringing back all my invisible folders.)
I did a complete scan and everything seemed to be fine, but then I connected my external HDD. All folders on it were invisible. Now I made a big mistake. I read something about the tool 'unhide' by grinler. So I downloaded and executed it. It took very long, so I wanted to minimize it, but I hit the close button. Damn!
I did not restart since everything worked fine.
I thought, 'now that the virus is gone, you can take the opportunity to defrag the system'. Afterwards I restarted my PC. Boot process:
'checkin nvram...'
-> black screen and high activity, since the fan is very loud. But nothing happens.

Tried: chkdsk /f /r via Vista CD
- bootrec, nearly all options
- no recovery points available
- can't get to the point to choose safe mode

I don't know what I can do now :/
Any help? Would be really, really lucky.
Thank you.

Greetings

Edited by finalcut, 17 April 2011 - 11:19 AM.




#2 Elise

Posted 17 April 2011 - 12:26 PM

Hello and welcome to BleepingComputer! :)

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finishing will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2... usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#3 finalcut

finalcut
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 17 April 2011 - 01:30 PM

Everything works fine, except I cannot find the file on my USB stick under Windows. It was on my USB drive, but after removing it from my PC I put it into my laptop and there was no file. Tried it again with the same result. So I uploaded the MBR file to the Internet and downloaded it on my laptop.
So here it is:

Edit: Seems to be something wrong with this file?
Contains: 'Invalid partition table Error loading operating system Missing operating system'?

Attached file: mbr.zip (551 bytes)

Edited by finalcut, 17 April 2011 - 01:37 PM.


#4 Elise

Posted 17 April 2011 - 01:41 PM

Have you tried running a Startup Repair?

The MBR looks good, those things you noticed are standard error messages that will be displayed when a partition manager is missing or the partition table is invalid.

regards, Elise


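The check Elise makes on the attached mbr.bin (a valid boot signature, a sane partition table, and the stock Windows boot-code messages that finalcut noticed in the file) can be done offline with a short script. The following is an added example written for this thread, not code from the forum or from the xPUD/BurnCDCC tools mentioned above; it parses a 512-byte sector such as the one produced by `dd if=/dev/sda of=mbr.bin bs=512 count=1` and reports structural problems. The sample sectors it builds are constructed data, not a real disk image, and the partition offsets in them are invented for the demonstration.

```python
"""Structural sanity check of a 512-byte MBR dump (e.g. mbr.bin from dd).

Constructed example for illustration; analyze_mbr() returns findings rather
than a verdict, because non-standard boot code (GRUB, vendor tools) is not by
itself a sign of infection and should be compared with a known-good copy.
"""
import struct
import sys
from itertools import combinations

SECTOR_SIZE = 512
BOOT_CODE_END = 440        # boot code occupies bytes 0..439
DISK_SIG_OFFSET = 440      # 4-byte NT disk signature
TABLE_OFFSET = 446         # four 16-byte partition entries
BOOT_SIG_OFFSET = 510      # 0x55 0xAA marks a valid boot sector

# Messages carried by the stock Windows MBR boot code. Seeing them in a hex
# dump is normal; they are only displayed if the table or loader is broken.
STD_MESSAGES = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


def parse_partition_table(mbr: bytes) -> list:
    """Decode the four primary partition entries (CHS fields are ignored)."""
    entries = []
    for i in range(4):
        base = TABLE_OFFSET + 16 * i
        status, ptype = mbr[base], mbr[base + 4]
        lba_start, sectors = struct.unpack_from("<II", mbr, base + 8)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def analyze_mbr(mbr: bytes) -> dict:
    """Return the decoded table plus a list of findings (empty = passes)."""
    findings = []
    if len(mbr) != SECTOR_SIZE:
        findings.append(f"expected {SECTOR_SIZE} bytes, got {len(mbr)}")
        return {"partitions": [], "std_messages": [], "findings": findings}

    if mbr[BOOT_SIG_OFFSET:BOOT_SIG_OFFSET + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing at offset 510")

    code = mbr[:BOOT_CODE_END]
    present = [m.decode() for m in STD_MESSAGES if m in code]
    if len(present) != len(STD_MESSAGES):
        findings.append("boot code lacks the standard Windows MBR messages; "
                        "compare it against a known-good MBR")

    parts = parse_partition_table(mbr)
    used = [p for p in parts if p["type"] != 0]
    for p in parts:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"entry {p['index']}: invalid status byte "
                            f"0x{p['status']:02x}")
    active = [p for p in used if p["status"] == 0x80]
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, "
                        f"found {len(active)}")
    for p in used:
        if p["sectors"] == 0:
            findings.append(f"entry {p['index']}: zero-length partition")
    for a, b in combinations(used, 2):
        a_end = a["lba_start"] + a["sectors"]
        b_end = b["lba_start"] + b["sectors"]
        if a["lba_start"] < b_end and b["lba_start"] < a_end:
            findings.append(f"entries {a['index']} and {b['index']} overlap")

    return {"disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFFSET)[0],
            "partitions": parts, "std_messages": present, "findings": findings}


def build_sample_mbr(partitions, signature=b"\x55\xaa", with_std_messages=True):
    """Construct a synthetic MBR (constructed data, not from any real disk).

    partitions: iterable of (status, type, lba_start, sectors) tuples.
    """
    code = bytearray(BOOT_CODE_END)
    if with_std_messages:
        pos = 0x100
        for msg in STD_MESSAGES:           # embed the messages like real boot code
            code[pos:pos + len(msg)] = msg
            pos += len(msg) + 1
    header = bytes(code) + b"\x12\x34\x56\x78" + b"\x00\x00"   # sig + reserved
    table = b""
    for status, ptype, lba_start, sectors in partitions:
        table += bytes([status, 0, 0, 0, ptype, 0, 0, 0])
        table += struct.pack("<II", lba_start, sectors)
    table += b"\x00" * (64 - len(table))
    return header + table + signature


if __name__ == "__main__":
    # Usage: python mbr_check.py mbr.bin   (falls back to a constructed sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_SIZE)
    else:
        data = build_sample_mbr([(0x80, 0x07, 2048, 409600),
                                 (0x00, 0x07, 411648, 819200)])
    report = analyze_mbr(data)
    for p in report["partitions"]:
        print(p)
    print("findings:", report["findings"] or "none")
```

Run it against the real dump with `python mbr_check.py mbr.bin`; an empty findings list corresponds to the "MBR looks good" verdict above, while a missing 0x55AA, overlapping entries or no active partition explains the standard error strings actually being shown at boot.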


#5 finalcut

finalcut
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 17 April 2011 - 01:47 PM

Yeah, I tried Startup Repair, but it does not find anything and the progress is way too fast. It searches a few seconds and says there's no problem :/

Edited by finalcut, 17 April 2011 - 01:50 PM.


#6 Elise

Posted 17 April 2011 - 02:06 PM

Please start the command prompt in the Recovery Environment and execute the following command:

bootrec /scanos

Let me know what comes back.

At what point do you see the "checking nvram" message?

regards, Elise




#7 finalcut

finalcut
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 17 April 2011 - 02:34 PM

Oh, that's strange.
There's no scan.
The message that comes up is like:
Number of identified windows-installations: 0

Edited by finalcut, 17 April 2011 - 02:35 PM.


#8 Elise

Posted 17 April 2011 - 03:10 PM

At what point do you see the "checking nvram" message?

What about this?

Using the xPUD CD, can you get online? (It has Firefox, and a pretty easy way to set up a connection.)
Most internet connections should work without problems.

If you can get online, can you visit www.virustotal.com and upload /mnt/sda1/windows/system32/drivers/volsnap.sys?

regards, Elise




#9 finalcut

finalcut
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 17 April 2011 - 03:30 PM

The first boot screen comes up; it counts up to 4GB RAM. Then two screens arrive in short time. On the last one is
checking nvram...
That's it. I disabled fast boot in the BIOS and now there's another screen after checking nvram...
The drives and many other things are listed there, and a countdown:
Escape to boot <9>
The number 9 counts down. Then the black screen appears.

And yeah, I will go online tomorrow, and thanks so far. In my country it's nearly midnight.
Hope to see you in a few hours here again :)
Thank you!

Edited by finalcut, 17 April 2011 - 03:31 PM.


#10 Elise

Posted 17 April 2011 - 03:32 PM

Okay, if you can upload the file, please link me to the results.

regards, Elise




#11 finalcut

finalcut
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 18 April 2011 - 12:04 AM

OK, now something strange comes up.
In the 'C:\Windows\System32\drivers\' folder on sda1 there are NO files. At least xPUD can't see any files, because afterwards I booted with the Win Vista CD and went via the repair console to the folder. The strange thing is that now I can see all the files. Just xPUD is not able to. So I copied volsnap.sys via command to another folder and now I have uploaded it via xPUD to virustotal.com

test - volsnap.sys

And yes, sda1 is the right partition, because sda2 is my storage disk.
Btw: Here's the last screen that comes up just before the black screen.

Posted Image

Edited by finalcut, 18 April 2011 - 12:05 AM.


#12 Elise

Posted 18 April 2011 - 04:26 AM

At the screen you posted, when you press ESC, what happens?

regards, Elise




#13 finalcut

finalcut
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 18 April 2011 - 07:50 AM

The same as if I don't hit escape: black screen, just the countdown is skipped.

Edited by finalcut, 18 April 2011 - 07:51 AM.


#14 Elise

Posted 18 April 2011 - 10:40 AM

Please follow the steps below and let me know afterwards if you can boot normally.

Enter the command prompt of the Recovery Environment and execute the following commands in the given order. Press enter after each line.

bcdedit /export C:\BCD_Backup

c:

cd boot

attrib bcd -s -h -r

ren c:\boot\bcd bcd.old

bootrec /RebuildBcd


When asked if you want to add the found installation, confirm.

regards, Elise




#15 finalcut

finalcut
  • Topic Starter

  • Members
  • 20 posts
  • OFFLINE
  •  
  • Local time:03:50 AM

Posted 18 April 2011 - 10:48 AM

No, sorry, it didn't help.
I confirmed the found installation but nothing changed. Restarted and the black screen was there...

I did another try and put a Knoppix Live CD into my PC and booted from it. And even this doesn't work...

Posted Image

Edited by finalcut, 18 April 2011 - 10:51 AM.
