
Black Screen Cursor Only


  • This topic is locked
33 replies to this topic

#1 bxharv2

bxharv2

  • Members
  • 39 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Great State of Idaho
  • Local time:07:18 PM

Posted 10 August 2011 - 11:45 AM

XP Pro sp3

Machine froze and would not reboot. Only get a blank screen with a cursor.

I booted with the CD and entered the Recovery Console. I ran the commands fixboot and fixmbr; still no joy.

I think that I have a rootkit infection and need some help flushing it out.



#2 bxharv2


Posted 10 August 2011 - 12:29 PM

After following a similar topic on this forum, I downloaded and ran the xPUD feature so that the status of the MBR could be determined. I am ready to forward the resulting mbr.bin file.

#3 Elise

Elise

    Bleepin' Blonde


  • Malware Study Hall Admin
  • 61,208 posts
  • OFFLINE
  •  
  • Gender:Female
  • Location:Romania
  • Local time:05:18 AM

Posted 10 August 2011 - 12:42 PM

Hello, can you please zip mbr.bin and attach it to your next reply?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 bxharv2


Posted 10 August 2011 - 12:47 PM

mbr.bin attached

Attached Files

  • Attached File  mbr.zip   255bytes   1 downloads


#5 Elise


Posted 10 August 2011 - 01:08 PM

That is the MBR of your flash drive. :)

Please do the following in xPUD.
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin

regards, Elise


#6 bxharv2


Posted 10 August 2011 - 02:16 PM

trying to send accurate mbr.bin

Attached Files

  • Attached File  mbr.zip   255bytes   2 downloads


#7 Elise


Posted 10 August 2011 - 02:21 PM

No, that is still the same one.

Can you look in xPUD under mnt? Do you see there sda1/2? Do you see the Windows folder on any of them?

regards, Elise


#8 bxharv2


Posted 10 August 2011 - 02:26 PM

trying CD boot to xPUD again.

#9 bxharv2


Posted 10 August 2011 - 02:28 PM

sda1 is my USB drive

sda2 appears to be local HDD but windows folders are not there

#10 Elise


Posted 10 August 2011 - 02:28 PM

If you boot in the Recovery Console, what do you see at the prompt?

regards, Elise


#11 bxharv2


Posted 10 August 2011 - 02:28 PM

oops

sda1 is USB

sdb1 is HDD

#12 bxharv2


Posted 10 August 2011 - 02:30 PM

in recovery console I get a C:> prompt

#13 bxharv2


Posted 10 August 2011 - 02:36 PM

in the xPUD window I have the following:


mnt/sdb1/Recycler
mnt/sdb1/System Volume Information
mnt/sdb1/QuickbooksBackup
The rest are personal folders I recognize but only a few

no windows folder

#14 bxharv2


Posted 10 August 2011 - 02:54 PM

I just ran the script again this time targeting sdb1 and got this mbr2.bin file

Attached Files

  • Attached File  mbr2.zip   500bytes   0 downloads
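
An added example (not part of the original thread): a Python check of what a 512-byte first-sector dump, such as the `mbr.bin` produced by the `dd` command above, actually contains. It tells a disk MBR with its partition table apart from a partition boot sector read from a device like `sdb1`. The function names, the partition-type table and the sample sectors are constructed for illustration; 512-byte sectors are assumed, as in `bs=512`.

```python
import struct
import sys

SECTOR = 512  # assumed sector size, matching bs=512 in the dd command
# A few common MBR partition type IDs (not exhaustive)
PTYPES = {0x05: "Extended", 0x06: "FAT16", 0x07: "NTFS/exFAT", 0x0B: "FAT32 (CHS)",
          0x0C: "FAT32 (LBA)", 0x0F: "Extended (LBA)", 0x83: "Linux", 0xEE: "GPT protective"}

def classify_sector(data):
    """Return 'invalid', 'vbr:<fs>' or 'mbr' for a first-sector dump."""
    if len(data) != SECTOR or data[510:512] != b"\x55\xaa":
        return "invalid"  # wrong size or missing boot signature
    if data[3:11] == b"NTFS    ":
        return "vbr:NTFS"  # OEM ID of an NTFS partition boot sector
    if data[82:87] == b"FAT32":
        return "vbr:FAT32"
    if data[54:59] in (b"FAT16", b"FAT12"):
        return "vbr:" + data[54:59].decode()
    return "mbr"

def parse_partitions(data):
    """Decode the four 16-byte primary partition entries at offset 446."""
    parts = []
    for slot in range(4):
        boot, ptype, start, count = struct.unpack_from("<B3xB3xII", data, 446 + 16 * slot)
        if ptype == 0:  # unused slot
            continue
        parts.append({"slot": slot + 1, "active": boot == 0x80,
                      "type": PTYPES.get(ptype, hex(ptype)),
                      "start_lba": start, "size_mib": count * SECTOR // 2**20})
    return parts

def make_mbr(entries):
    """Constructed sample sector: empty boot code plus (active, type, start, count) entries."""
    table = b"".join(struct.pack("<B3xB3xII", 0x80 if a else 0, t, s, n)
                     for a, t, s, n in entries)
    return bytes(446) + table.ljust(64, b"\0") + b"\x55\xaa"

if __name__ == "__main__":
    # Pass a real dump (e.g. mbr.bin) as an argument, or fall back to constructed samples
    if len(sys.argv) > 1:
        samples = {sys.argv[1]: open(sys.argv[1], "rb").read()}
    else:
        samples = {"hdd (constructed)": make_mbr([(True, 0x07, 63, 2048000)]),
                   "usb (constructed)": make_mbr([(False, 0x0C, 2048, 4096000)])}
    for name, data in samples.items():
        kind = classify_sector(data)
        print(name, kind, parse_partitions(data) if kind == "mbr" else "")
```

Comparing the reported partition type and size with what is expected for the Windows disk shows whether the dump came from the intended device.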


#15 Elise


Posted 10 August 2011 - 03:10 PM

That all indicates that the Windows partition isn't recognized.

Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the xPUD CD.
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
    • The TestDisk command window will open
    • Choose Create and press Enter
    • TestDisk will now detect all local hard drives
    • Use the arrow (up and down) keys to highlight the disk called /dev/sda if it represents your primary hard drive and press Enter
    • If you're not sure then note everything you see and post it for my review
    • Select Intel (even if you have an AMD processor) and press Enter
    • Select Advanced and press Enter
    • Select [Boot] and press Enter
    • Select [Dump] and press Enter
    • Select [Quit] to exit
  • A log will be created in the root of the USB device
  • Remove the USB drive and insert back in your working computer

    Please note - all text entries are case sensitive
Copy and paste the resultant log for my review

regards, Elise




