Non Bootable Friends PC


  • This topic is locked
29 replies to this topic

#1 herg62123

herg62123

  • Members
  • 553 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Montgomery, AL
  • Local time:07:00 AM

Posted 15 October 2011 - 02:57 PM

I have my friend's PC in my possession at this time.

He had/has the Data Recovery FakeHDD Rogue Virus on his machine. Before I was involved he tried to do a system restore on it but failed. I had him order recovery disks (which I have as well). I have tried doing a restore from the recovery disks but this has failed as well. I get the following error when it tries to complete the repair: Cannot create file C:\hp\bin\SetRes.log.

I have downloaded xPUD and tried to get in that way but when I get xPUD up I never see the USB sdb1 file under mnt folder. I can see sda1 and sda2 (which is the hard drive) but no sdb1. I can see the files I am trying to back up but am not sure how to do this with xPUD.

I am needing help to restore this PC or at least recover the data on to either a usb device or DVD disk.

#2 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,761 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:08:00 AM

Posted 17 October 2011 - 06:41 PM

Which is the Operating System in the machine?

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 herg62123


Posted 17 October 2011 - 07:36 PM

Sorry, it is XP Home

#4 JSntgRvr


Posted 17 October 2011 - 08:11 PM

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

You already have xPUD.
  • Download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB and insert it in the ailing computer.
  • Boot the sick computer to xPUD
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • If for some reason you can't see the USB drive, while on xPUD, remove the USB drive, wait 5 seconds and re-insert the drive. If it fails to load, let me know.
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.

Edited by JSntgRvr, 17 October 2011 - 08:12 PM.



#5 herg62123


Posted 17 October 2011 - 08:24 PM

Working on it now, be right back.

#6 JSntgRvr


Posted 17 October 2011 - 08:36 PM

:thumbup2:



#7 herg62123


Posted 17 October 2011 - 08:39 PM

I have counted to 5 seconds 2 times and still no sdb1

I have also used other USB ports in the front and in the back but still no sdb1

Edited by herg62123, 17 October 2011 - 08:40 PM.


#8 JSntgRvr


Posted 17 October 2011 - 09:11 PM

Perhaps the drivers are not compatible with the USB devices in the computer.

In xPUD you may be able to load network drivers which will give you access to the Internet.

Boot to xPUD. Select the drive that represents your main partition and navigate to the root folder, usually sda1.

  • Choose Open Terminal from the menu
  • Then type dd if=/dev/sda of=mbr.txt bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.txt is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the sda1 drive as mbr.txt
  • Connect to the internet and attempt to attach this file in a reply



#9 herg62123


Posted 17 October 2011 - 09:20 PM

Question: The current file format of the flash drive is FAT, should I format it to NTFS or does this not matter?


Question: I currently have this PC not connected to the internet, do I need to connect it?


I have created the mbr.txt and I have the PC hard wired but I am not able to connect to post it.

Edited by herg62123, 17 October 2011 - 09:37 PM.


#10 JSntgRvr


Posted 17 October 2011 - 09:46 PM

That is OK, at least we can use it as a backup. You need to have access to the Internet. If we are able to boot in Normal Mode, you will need to run some scans to secure the computer, which are only available online. Follow these steps:

  • Download NTBR_CD by noahdfear.
  • Extract its contents to the desktop.
  • Once extracted, open the NTBR_CD folder and click on the BurnItCD application.
  • Insert a blank CD when prompted. The .iso image will be burned to the CD.
  • Boot the computer with the CD you just burned and follow the prompts.
  • Press Enter for English.
  • At the menu type 1 to select MBRWORK then hit Enter

    This screen will show the hard drive configuration.
  • Type 5 to Install standard MBR code then hit Enter
  • Type 1 to select Standard then hit Enter
  • Type Y then hit Enter to confirm
  • Type E then hit Enter to exit
  • Back at the menu, type 6 to Quit.
  • Press Ctrl+Alt+Del to restart the machine.
  • Eject the CD upon restart and boot normally.

If able to boot, run Combofix as follows:

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
  • Please, never rename Combofix unless instructed.
  • Close any open browsers.
  • Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    -----------------------------------------------------------

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    • Click on this link or this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.

      If AVG or CA Internet Security Suite is installed, you must remove these programs before using Combofix. If any of these applications will not uninstall, it is first recommended to uninstall it with AppRemover by Opswat. http://www.appremover.com/supported-applications. Do not use AppRemover on Norton

      -----------------------------------------------------------

    • Close any open browsers.
    • WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
    • Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
    • If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

    -----------------------------------------------------------

  • Double click on combofix.exe & follow the prompts.
  • Install the Recovery Console if prompted.
  • When finished, it will produce a report for you.
  • Please post the "C:\ComboFix.txt".
**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: Combofix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security.

Please do not install any new programs or update anything (always allow your antivirus/antispyware to update) unless told to do so while we are fixing your problem. If combofix alerts to a new version and offers to update, please let it. It is essential we always use the latest version.


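The `dd` backup of sector 0 (`mbr.bin` / `mbr.txt`) from the earlier replies and the MBR code rewrite in the steps above lend themselves to a before/after check. The following Python is an added example, not part of the original posts or of any tool named in the thread; it assumes a second `dd` dump is taken after the repair, and `parse_mbr`, `compare_mbr` and `build_sample` are hypothetical names working on constructed sample sectors.

```python
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 440                  # bytes 0-439 hold the boot code
TABLE_START, TABLE_END = 446, 510    # four 16-byte partition entries
SIGNATURE = b"\x55\xaa"              # bytes 510-511 of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Validate a 512-byte MBR image and decode its partition table."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not a valid MBR")
    partitions = []
    for i in range(4):
        entry = sector[TABLE_START + 16 * i: TABLE_START + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"slot": i + 1, "active": status == 0x80,
                               "type": ptype, "lba_start": lba_start,
                               "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions}

def compare_mbr(backup: bytes, current: bytes) -> dict:
    """Report what differs between the saved sector and a later dump."""
    parse_mbr(backup)    # both images must be structurally valid first
    parse_mbr(current)
    return {"boot_code_changed": backup[:BOOT_CODE_END] != current[:BOOT_CODE_END],
            "partition_table_intact": backup[TABLE_START:TABLE_END] == current[TABLE_START:TABLE_END]}

def build_sample(boot_fill: int) -> bytes:
    """Constructed sample sector: one active NTFS (0x07) partition at LBA 63."""
    entry = bytes([0x80, 1, 1, 0, 0x07, 254, 255, 255]) + struct.pack("<II", 63, 156296322)
    return bytes([boot_fill]) * 446 + entry + bytes(48) + SIGNATURE

if __name__ == "__main__":
    before = build_sample(0xCC)   # stands in for the dd backup (mbr.bin / mbr.txt)
    after = build_sample(0x90)    # stands in for a dd dump taken after the repair
    print(parse_mbr(before)["partitions"])
    print(compare_mbr(before, after))
```

On real dumps, read each file with `open(path, "rb").read()` and pass the bytes to `compare_mbr`; a result with `partition_table_intact` set to `False` means the partition entries no longer match the backup.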

#11 herg62123


Posted 17 October 2011 - 10:08 PM

Alright now it gives me a warning message:

The system is not fully installed. please run setup again.


Now while I was in xPUD I could see all the files (for the most part) in there.

Edited by herg62123, 17 October 2011 - 10:10 PM.


#12 herg62123


Posted 18 October 2011 - 12:03 AM

Ok I did some snooping on HP website forums and found this http://h10025.www1.hp.com/ewfrf/wc/document?cc=us&lc=en&docname=c00024476 to resolve the error (The system is not fully installed. please run setup again.) I was getting.

Hopefully I will have the PC up to run combofix soon.


#14 JSntgRvr


Posted 18 October 2011 - 12:10 AM

I believe you started a Recovery and it was halted.

Keep me posted.



#15 herg62123


Posted 18 October 2011 - 01:50 AM

:bananas: I am in :bananas:


I ran unhide.exe and got all the files I was looking for to back up as well

Edited by herg62123, 18 October 2011 - 02:06 AM.
