Operating system won't run.


  • This topic is locked
51 replies to this topic

#1 goldenchild


Posted 24 November 2011 - 12:39 PM

I have a Gateway netbook that was running Windows XP. I believe I caught a virus. I removed the HD and ran it as a slave on another system. 1. I performed a virus scan (found viruses and removed them), 2. check disk (found errors and repaired them), 3. ran defrag. Assumed the HD would work but it did not. Tried to repair the MBR but the system does not have a CD drive; I did, however, boot the XP disc from a USB. But now I'm at a loss. I've been working on this project for some time now and I do not know what to do. I don't want to delete the partition and lose my data, so please help me.

Thank you!

Edited by hamluis, 24 November 2011 - 12:46 PM.
Moved from XP to Am I infected.

Golden Lucks "Gifted and Talented"

#2 kbit


Posted 25 November 2011 - 03:42 PM

If data is all you want, just copy the HDD or reinstall XP. If you copy, use something like WD Data Lifeguard {removes security thing-a-jigs} and you should see all your data on the new HDD. If you reinstall, install to the same folder {c:\windows}, overwrite all files and you should see all your data when done {try to move or rename My Docs BEFORE installing}. Everything should be there but all your programs WON'T work. If you get your data {try copy before reinstall} I would zero the drive {special HDD utility}. If you have no password at log in you might just have to copy the drive as slave. {Can you see the data you want when in slave mode on the other machine?}

#3 Elise


Posted 26 November 2011 - 08:49 AM

Hello goldenchild,

Does Windows still boot normally?

regards, Elise


"Now faith is the substance of things hoped for, the evidence of things not seen."

 

Follow BleepingComputer on: Facebook | Twitter | Google+ | lockerdome

 

Malware analyst @ Emsisoft


#4 goldenchild


Posted 26 November 2011 - 12:32 PM

No it does not. All I get is the BIOS selection screen then a black screen with a cursor blinking at the top left.

#5 Elise


Posted 26 November 2011 - 12:39 PM

Hi, then lets see if we can get an MBR dump.

Try this please. You will need a USB drive.

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer
  • Insert your USB drive
  • Press Start > My Computer > right click your USB drive > choose Format > Quick format
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type the following and press enter:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

  • Press Enter
  • After it has finished a file will be located on your USB drive named mbr.bin
  • Remove the USB drive and insert it back in your working computer and navigate to mbr.bin, zip it up and attach it to your next reply.

This will allow me to have a look at the MasterBootRecord of your drive and see if it is infected.

regards, Elise

#6 goldenchild


Posted 26 November 2011 - 02:33 PM

Here is the information you requested. Attached file: mbr.zip (569 bytes)

#7 Elise


Posted 26 November 2011 - 03:13 PM

That is indeed rootkit-infected.

Try this please. You will need a USB drive.

Download xPUDtestdisk.exe and save it to the USB device
  • Double click xPUDtestdisk.exe to extract the contents to your USB device
  • Remove the USB and insert it in the sick computer
  • Boot the Sick computer with the xPUD USB drive
  • The computer must be set to boot from the USB
  • Gently tap F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Press Tool at the top
  • Choose Open Terminal
  • Type testdisk/testdisk_static
  • Press Enter
The first screen will present log options - press Enter to continue.

TestDisk will scan the system and show drive information.
If more than 1 drive, select the correct drive, make sure [Proceed] is selected then press Enter to continue.

Select [Intel] partition and press Enter to continue.

Select [MBR Code] and press Enter to continue.

Type Y when prompted to write a new mbr code to the first sector, then confirm at the next screen by typing Y again.

Press Q repeatedly until TestDisk exits then reboot.

regards, Elise

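The dump requested in post #5 and the "MBR Code" rewrite TestDisk performs in post #7 both operate on the same 512-byte sector. As an added example that is not part of the original thread, the script below parses such an mbr.bin, reports the partition table together with a hash of the 440-byte bootstrap area, and rebuilds the sector with replacement boot code while leaving the disk signature, partition table and 0x55AA signature untouched, which is what TestDisk's [MBR Code] option does. The sample MBR, the "known good" bootstrap bytes and the reference hash are constructed for this demonstration and are not real Windows boot code; in practice the reference would be taken from a clean disk of the same Windows build.

```python
"""Parse a 512-byte MBR dump (e.g. the mbr.bin from 'dd if=/dev/sda of=mbr.bin bs=512 count=1')
and rebuild it with replacement bootstrap code, keeping the partition table intact.
Added example for this thread; the sample bytes below are constructed, not real boot code."""
import hashlib
import struct
import sys

SECTOR = 512
BOOTCODE_LEN = 440        # bytes 0-439: bootstrap code, the part a bootkit overwrites
DISK_SIG_OFF = 440        # bytes 440-443: Windows disk signature (444-445 are normally zero)
PART_TABLE_OFF = 446      # bytes 446-509: four 16-byte partition entries
BOOT_SIG = b"\x55\xaa"    # bytes 510-511: must be present or the BIOS will not boot the disk


def parse_mbr(mbr: bytes) -> dict:
    """Validate the sector and return the bootcode hash, disk signature and non-empty partitions."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    if mbr[510:512] != BOOT_SIG:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype == 0:                      # empty slot
            continue
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,                  # 0x07 = NTFS, 0x0B/0x0C = FAT32, 0x05/0x0F = extended
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "bootcode_sha256": hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", mbr, DISK_SIG_OFF)[0],
        "partitions": partitions,
    }


def bootcode_matches(mbr: bytes, known_good_sha256: str) -> bool:
    """True when the bootstrap code equals a reference recorded from a known-clean disk."""
    return parse_mbr(mbr)["bootcode_sha256"] == known_good_sha256


def rebuild_mbr(mbr: bytes, clean_bootcode: bytes) -> bytes:
    """Replace bytes 0-439 and keep 440-511 (disk signature, partition table, 0x55AA).
    This is the operation TestDisk's [MBR Code] option performs on the first sector."""
    parse_mbr(mbr)                          # refuse to touch a sector we cannot parse
    if len(clean_bootcode) > BOOTCODE_LEN:
        raise ValueError("bootstrap code must fit in 440 bytes")
    return clean_bootcode.ljust(BOOTCODE_LEN, b"\x00") + mbr[BOOTCODE_LEN:]


# --- constructed sample data (NOT real Windows boot code) ---------------------------
CLEAN_BOOTCODE = b"\xeb\x3c\x90" + b"\x00" * (BOOTCODE_LEN - 3)   # stand-in for a clean bootstrap
KNOWN_GOOD_SHA256 = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()      # what you'd record from a clean disk


def build_sample_mbr(bootcode: bytes) -> bytes:
    """One bootable NTFS partition starting at LBA 63, a typical single-partition XP layout."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 63, 0x00100000)
    table = entry + b"\x00" * 48
    return (bootcode.ljust(BOOTCODE_LEN, b"\x00")
            + struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
            + table + BOOT_SIG)


SAMPLE_INFECTED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 100)  # tampered bootstrap bytes


def report(mbr: bytes, known_good_sha256: str = KNOWN_GOOD_SHA256) -> str:
    """Human-readable summary of one sector, as you'd want to see it before deciding to rewrite."""
    info = parse_mbr(mbr)
    lines = [f"disk signature : {info['disk_signature']:08x}",
             f"bootcode sha256: {info['bootcode_sha256']}",
             f"bootcode clean : {info['bootcode_sha256'] == known_good_sha256}"]
    for p in info["partitions"]:
        lines.append(f"part {p['index']}: type=0x{p['type']:02x} boot={p['bootable']} "
                     f"lba={p['lba_start']} sectors={p['sectors']}")
    return "\n".join(lines)


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_INFECTED_MBR
    print(report(data))
```

Run it as `python mbr_check.py mbr.bin` on the dump from post #5, or with no argument to see it process the constructed sample. A bootkit normally keeps the partition table intact so that Windows still starts, so a plausible-looking partition table says nothing about the first 440 bytes; the hash comparison (or a disassembly of those bytes) is what decides. Reading and writing the sector from the xPUD USB rather than from the installed Windows is deliberate: a running bootkit can intercept disk I/O and present a clean sector, which independent boot media sidesteps.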

#8 goldenchild


Posted 26 November 2011 - 05:38 PM

Hello, I'm having some issues. I've formatted my USB to make sure it was prepared for the download. I followed the instructions... downloaded the program and added it to the USB, extracted the contents and it made a folder called test. I put the USB in the "sick" system and when it boots it states "disk error press any key to restart". I've done this procedure twice now. Am I doing something wrong?

#9 Elise


Posted 27 November 2011 - 04:49 AM

You didn't have to reformat the USB, now you'll have to reinstall xPUD first on it, after which you'll have to put Testdisk on it.

regards, Elise


#10 goldenchild


Posted 27 November 2011 - 06:52 AM

Hello, I followed the instructions and restarted the system and cannot get into Windows. I have an option to get into safe mode but when I attempted it, it states: Windows could not start because the following file is missing or corrupt: \windows\system32\config\system

#11 Elise


Posted 27 November 2011 - 07:52 AM

That is an indication that the System hive of the registry is either corrupt or missing. Let's use a system restore point to replace it.

You will need the usb drive with xPUD on it for this!

Download http://noahdfear.net/downloads/rst.sh to the USB drive
  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Plug that USB back into the clean computer and open it

Please note: If you have an ethernet connection you can access the internet by way of xPUD (Firefox). You can perform all these steps on your sick computer. When you download the download will reside in the Download folder. It can be found under the File tab also. You can similarly access our thread by way of this OS too so you can send the logs that way.

Please also note - all text entries are case sensitive

Copy and paste the enum.log for my review

regards, Elise


#12 goldenchild


Posted 27 November 2011 - 08:03 AM

4.0K Nov 27 06:45 boot
0 Nov 27 09:02 enum.log
13.3K Nov 27 06:46 ldlinux.sys
4.0K Nov 27 06:45 opt
3.6K Nov 27 07:56 rst.sh
2.8K Dec 7 2009 syslinux.cfg
4.0K Nov 27 06:44 testdisk
1.0K Nov 27 07:50 testdisk.log
142.3K Nov 27 06:46 vesamenu.c32
3.3M Nov 26 17:31 xPUDtestdisk.exe
4.0K Nov 27 06:45 boot
282 Nov 27 09:02 enum.log
13.3K Nov 27 06:46 ldlinux.sys
4.0K Nov 27 06:45 opt
3.6K Nov 27 07:56 rst.sh
2.8K Dec 7 2009 syslinux.cfg
4.0K Nov 27 06:44 testdisk
1.0K Nov 27 07:50 testdisk.log
142.3K Nov 27 06:46 vesamenu.c32
3.3M Nov 26 17:31 xPUDtestdisk.exe

27.2M Jul 1 11:08 /sda2/~/RP51/~SOFTWARE
27.2M Jul 4 13:18 /sda2/~/RP52/~SOFTWARE
27.3M Jul 17 13:57 /sda2/~/RP53/~SOFTWARE
27.3M Jul 19 10:22 /sda2/~/RP54/~SOFTWARE
27.3M Aug 12 17:05 /sda2/~/RP55/~SOFTWARE
27.4M Aug 27 12:28 /sda2/~/RP56/~SOFTWARE
27.4M Sep 10 15:18 /sda2/~/RP57/~SOFTWARE
27.4M Sep 16 23:12 /sda2/~/RP58/~SOFTWARE
27.4M Sep 17 12:07 /sda2/~/RP59/~SOFTWARE
27.4M Oct 2 15:52 /sda2/~/RP60/~SOFTWARE
27.4M Oct 19 03:47 /sda2/~/RP61/~SOFTWARE
5.4M Jul 1 11:08 /sda2/~/RP51/~SYSTEM
5.4M Jul 4 13:18 /sda2/~/RP52/~SYSTEM
5.4M Jul 17 13:57 /sda2/~/RP53/~SYSTEM
5.4M Jul 19 10:22 /sda2/~/RP54/~SYSTEM
5.4M Aug 12 17:05 /sda2/~/RP55/~SYSTEM
5.4M Aug 27 12:28 /sda2/~/RP56/~SYSTEM
5.4M Sep 10 15:18 /sda2/~/RP57/~SYSTEM
5.4M Sep 16 23:12 /sda2/~/RP58/~SYSTEM
5.4M Sep 17 12:07 /sda2/~/RP59/~SYSTEM
5.4M Oct 2 15:52 /sda2/~/RP60/~SYSTEM
5.4M Oct 19 03:47 /sda2/~/RP61/~SYSTEM

#13 Elise


Posted 27 November 2011 - 08:16 AM

Reboot in xPUD, navigate to your usb drive, make sure you see rst.sh and click Tool > Open terminal.
Type bash rst.sh -r and press enter.
Type 61 and press enter.

Restart your computer and see if it boots now.

regards, Elise

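Posts #11 and #13 use rst.sh to list the SYSTEM and SOFTWARE hive copies kept in each System Restore point (RP51 to RP61 in the enum.log of post #12) and then copy the RP61 snapshot over \windows\system32\config\system. As an added example, not the rst.sh script itself, the Python below performs the same enumeration and replacement against an XP volume mounted under Linux. It assumes the standard XP layout, `System Volume Information\_restore{GUID}\RPnn\snapshot\_REGISTRY_MACHINE_SYSTEM`, checks the "regf" hive magic before copying, and keeps the broken hive as a .bak. `build_sample_volume` creates a constructed on-disk fixture so the script can be exercised without a real volume; the GUID and hive contents in it are made up.

```python
"""Restore the XP SYSTEM (or SOFTWARE) registry hive from a System Restore snapshot,
the operation rst.sh performs on a volume mounted under xPUD.
Added example for this thread; the XP paths are assumptions about the standard layout."""
import glob
import os
import re
import shutil
import sys
import tempfile

# Hive name as the thread refers to it -> file name inside the RPnn\snapshot folder
HIVES = {"SYSTEM": "_REGISTRY_MACHINE_SYSTEM", "SOFTWARE": "_REGISTRY_MACHINE_SOFTWARE"}


def _child(parent: str, name: str):
    """Case-insensitive directory lookup: NTFS is case-insensitive, the Linux mount is not."""
    for entry in os.listdir(parent):
        if entry.lower() == name.lower():
            return os.path.join(parent, entry)
    return None


def hive_path(root: str, hive: str) -> str:
    """Path of the live hive, e.g. <root>/WINDOWS/system32/config/system."""
    cur = root
    for part in ("windows", "system32", "config"):
        cur = _child(cur, part)
        if cur is None:
            raise FileNotFoundError(f"{part!r} not found below {root}; is this the Windows volume?")
    return os.path.join(cur, hive.lower())


def find_restore_points(root: str) -> dict:
    """Map restore-point number -> directory for every RPnn that has a snapshot folder."""
    pattern = os.path.join(glob.escape(root), "System Volume Information", "_restore*", "RP*")
    points = {}
    for d in glob.glob(pattern):
        m = re.fullmatch(r"RP(\d+)", os.path.basename(d))
        if m and os.path.isdir(os.path.join(d, "snapshot")):
            points[int(m.group(1))] = d
    return points


def hive_is_sane(path: str) -> bool:
    """Every Windows registry hive file starts with the 4-byte magic 'regf'."""
    try:
        with open(path, "rb") as f:
            return f.read(4) == b"regf"
    except OSError:
        return False


def restore_hive(root: str, hive: str = "SYSTEM", rp=None):
    """Copy the snapshot hive from restore point rp (newest if None) over the live hive.
    The broken live hive is kept as <hive>.bak for later examination."""
    points = find_restore_points(root)
    if not points:
        raise FileNotFoundError("no System Restore points found under " + root)
    rp = max(points) if rp is None else rp          # 'bash rst.sh -r' + 61 picks one explicitly
    src = os.path.join(points[rp], "snapshot", HIVES[hive])
    if not hive_is_sane(src):
        raise ValueError(f"{src} does not look like a registry hive")
    dst = hive_path(root, hive)
    if os.path.exists(dst):
        shutil.copy2(dst, dst + ".bak")
    shutil.copy2(src, dst)
    return rp, dst


def build_sample_volume(root: str, rp_numbers=(60, 61)) -> str:
    """Constructed fixture: an XP-like tree with a zeroed live SYSTEM hive and fake snapshots."""
    cfg = os.path.join(root, "WINDOWS", "system32", "config")
    os.makedirs(cfg)
    with open(os.path.join(cfg, "system"), "wb") as f:
        f.write(b"\x00" * 16)                          # deliberately not a valid hive
    for n in rp_numbers:
        snap = os.path.join(root, "System Volume Information",
                            "_restore{00000000-0000-0000-0000-000000000000}", f"RP{n}", "snapshot")
        os.makedirs(snap)
        for name in HIVES.values():
            with open(os.path.join(snap, name), "wb") as f:
                f.write(b"regf" + n.to_bytes(4, "little") + b"\x00" * 8)   # fake hive, valid magic
    return root


def demo() -> dict:
    """Run the whole procedure against a constructed volume and report what happened."""
    root = tempfile.mkdtemp(prefix="xpvol-")
    build_sample_volume(root)
    sane_before = hive_is_sane(hive_path(root, "SYSTEM"))
    rp, dst = restore_hive(root)
    return {"root": root, "rp_used": rp, "sane_before": sane_before,
            "sane_after": hive_is_sane(dst), "backup_kept": os.path.exists(dst + ".bak")}


if __name__ == "__main__":
    if len(sys.argv) > 1:                              # e.g. python restore_hive.py /mnt/sda2 61
        chosen = int(sys.argv[2]) if len(sys.argv) > 2 else None
        print("restored SYSTEM from RP%d into %s" % restore_hive(sys.argv[1], "SYSTEM", chosen))
    else:
        print(demo())
```

Run `python restore_hive.py /mnt/sda2 61` (the restore point number is optional; the newest is used otherwise) after mounting the NTFS volume read-write with ntfs-3g. The enum.log in post #12 lists the restore points under /sda2, so check which mount actually holds the WINDOWS directory before pointing the script at /mnt/sda1; `hive_path` resolves the directory names case-insensitively because on Linux `windows` and `WINDOWS` are different names. Two caveats: a snapshot only reflects the hive as it was on that date, so drivers and services installed afterwards will be missing from SYSTEM; and a restore point taken after the infection can carry the malware's own service entries, which is one reason to keep the .bak and look at both hives once the machine boots.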

#14 goldenchild


Posted 27 November 2011 - 08:26 AM

I followed the instructions and I was told it was completed. I removed the USB and restarted the computer. It states the same thing, missing or corrupt: \windows\system32\config\system.

#15 Elise


Posted 27 November 2011 - 08:31 AM

Using xPUD, click File > mnt > sda1 and see if the following exists: /mnt/sda1/windows/system32/config/system

regards, Elise
