XP nightmare! Cannot boot, suspect BOO/Wrestler



#1 fireretired

Posted 10 September 2011 - 05:25 PM

Hi All
Never done this before and I hope I can explain OK!


Last night AVIRA found and quarantined BOO/Whistler during a weekly scan. Came to start Windows this morning and I have a black screen and a GERMAN message telling me to 'enter a disc', presumably to reboot. I only have the authentic Microsoft CD so I tried it. When I tried rebooting with it, I used F8 to access. The disc started loading Windows elements then got as far as 'opening windows'. I then had to press F8 again for the loading to continue, at a page saying 'accept the Microsoft terms', but F8 was barred. As you will note I am a novice! I don't (stupidly) have a rescue disc for that computer. I'm writing this on a very slow Vista notepad and using a Hotmail mail address. I tried the VISTA rescue disc and using the tools within it I found that the files on the C drive appeared to be OK. Hopefully it is only something in Windows that is corrupt. I downloaded a removal tool for the trojan, so I can hopefully deal with that when I can make Windows XP Pro work. What can I do next?
Can anyone help! It amazes me that these things always happen on a SATURDAY!
SpywareRemovalBlog.com says that the BOO/Whistler trojan should be removed immediately. Pity I didn't find that out before I shut down the computer last night!


#2 boopme


Posted 10 September 2011 - 06:11 PM

Hello, to solve this we will need a deeper look. Please go here:
Preparation Guide, do steps 6 - 9.

Create a DDS log and post it in the new topic explained in step 9, which is here: Virus, Trojan, Spyware, and Malware Removal Logs, and not in this topic, thanks.
If Gmer won't run, skip it and move on.
Let me know if that went well.

#3 AustrAlien


Posted 10 September 2011 - 06:35 PM

Hello and welcome to the BC forums.

Please sit tight and be patient.

I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.

Thank you.

@ boopme: The computer is not bootable .... so the required logs cannot be posted in the MRL forum.
AustrAlien
Google is my friend. Make Google your friend too.


#4 Elise


Posted 11 September 2011 - 03:00 AM

Hello, if you still need help, do the following.

Try this please. You will need a USB drive.

  • Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Remove the USB & CD and insert it in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 and choose to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 


 

Malware analyst @ Emsisoft
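
Once mbr.bin from the dd step above is on a working computer, it can be triaged before anyone reads the boot code itself. The following is an added example, not part of the post above or any BleepingComputer tool: it checks the 0x55AA boot signature, lists the partition entries and hashes the bootstrap code area so the dump can be compared with one taken from a known-good disk. Function names and the sample sectors are constructed for illustration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440            # bytes 0..439: bootstrap code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte MBR dump (e.g. mbr.bin) for triage."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for slot in range(4):
        entry = sector[PART_TABLE_OFFSET + 16 * slot:PART_TABLE_OFFSET + 16 * (slot + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype == 0:             # unused slot
            continue
        partitions.append({"slot": slot, "active": status == 0x80,
                           "status_valid": status in (0x00, 0x80),
                           "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "active_count": sum(p["active"] for p in partitions),
        "partitions": partitions,
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector: one active NTFS (0x07) partition at LBA 63."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 63, 156280257)
    head = boot_code.ljust(BOOT_CODE_END, b"\x00") + b"\x12\x34\x56\x78" + b"\x00\x00"
    return head + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Constructed data: the same disk layout with two different boot-code stubs.
    reference = parse_mbr(build_sample_mbr(b"\xfa\x33\xc0"))
    suspect = parse_mbr(build_sample_mbr(b"\xeb\x10\x90"))
    print("signature ok:", suspect["signature_ok"])
    print("partitions  :", suspect["partitions"])
    print("boot code changed:",
          suspect["boot_code_sha256"] != reference["boot_code_sha256"])
```

A boot-code hash that differs from the reference while the partition table is unchanged shows only that the bootstrap area was rewritten; the dump still needs an analyst's review to say by what.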


#5 fireretired


Posted 11 September 2011 - 07:32 AM

Hi Elise
Done everything you asked - and thanks - until I opened mnt. The USB is not listed, only the hd. Is there anything I can access from the menu of this program to start Windows? Great little program by the way!

#6 Elise


Posted 11 September 2011 - 09:01 AM

Plug out the USB drive, then put it back in and see if the USB gets recognized now.

regards, Elise

