
Inadvertently disabled svchost, PC won't boot



#1 lungbuster

Posted 10 February 2012 - 02:45 PM

Yesterday I was running Pinnacle 12.1 editing software and it was locking up and running slow. I have a Dell E520 running Win XP Media Edition. I have had a toolbar updater running in the background causing slow and unresponsive workings, so I would go to Task Manager and disable it... well, yesterday I must have disabled a svchost instead (I am positive I did), so when I went to restart it would no longer boot to Windows and a blue screen appeared listing a Stop error: 0x0000007e (0xc0000005 0x860e6988 0xf7a53be8 0xf7a538e4). I tried rebooting in safe mode and last known good config, to no avail; it stops at the blue screen of death. So I tried a system repair using the CD during boot up; it would go as far as copying files and then want to reboot (this step: http://pcsupport.about.com/od/operating ... air1_8.htm ). On reboot it went to the BSOD and Windows would not boot up. I have run chkdsk from the recovery console, but it came up with no results.
Is there any way to repair this problem without losing all of my files? I was in the midst of editing a 2 1/2 hour DVD project and if I lose all my data I will have lost about 150 hours of editing time.
Please help!


#2 JSntgRvr (Malware Response Team)

Posted 10 February 2012 - 03:29 PM

Hi, welcome.

Let's give it a try.

We will need to view the system status from an external environment. You will need a USB drive and a CD to burn. There will be several steps to follow.

Download GETxPUD.exe to the desktop of your clean computer
  • Run GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC, ready to burn the image.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Next download driver.sh to your USB drive
  • Also Download Query.exe to the USB drive. In your working computer, navigate to the USB drive and click on the Query.exe. A folder and a file, query.sh, will be extracted.
  • Remove the USB & CD and insert them in the sick computer
  • Boot the Sick computer with the CD you just burned
  • The computer must be set to boot from the CD
  • In some computers you need to tap F12 and choose to boot from the CD; in others it is the Esc key. Please consult your computer's documentation.
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?)
  • Confirm that you see driver.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh
  • Press Enter
  • After it has finished a report will be located on your USB drive named report.txt
  • Then type bash driver.sh -af
  • Press Enter
  • You will be prompted to input a filename.
  • Type the following:

    Winlogon.exe

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    volsnap.sys

  • Press Enter
  • If successful, the script will search for this file.
  • After it has completed the search enter the next file to be searched
  • Type the following:

    explorer.exe

  • Press Enter
  • After it has completed the search enter the next file to be searched
  • Type the following:

    Userinit.exe

  • Press Enter
  • After the search is completed type Exit and press Enter.
  • After it has finished a report will be located in the USB drive as filefind.txt
  • While still in the Open Terminal, type bash query.sh
  • Press Enter
  • After it has finished a report will be located in the USB drive as RegReport.txt
  • Then type dd if=/dev/sda of=mbr.bin bs=512 count=1


    Leave a space between the following statements:

    dd is the executable application used to create the backup
    if=/dev/sda is the device the backup is created from - the hard drive when only one HDD exists
    of=mbr.bin is the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
    bs=512 is the number of bytes in the backup
    count=1 says to backup just 1 sector


    It is extremely important that the if and of statements are correctly entered.

  • Press Enter
  • After it has finished a report will be located in the USB drive as mbr.bin
  • Plug the USB back into the clean computer, zip the mbr.bin, and except for the mbr.bin zipped file, post the contents of the report.txt, filefind.txt and RegReport.txt in your next reply. The mbr.bin zipped file must be attached to your reply.
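A defender-side sanity check of the mbr.bin that the dd command above captures, added here as an example; it is not part of the thread or of any tool it names. It parses the 512-byte image, validates the 0x55AA signature and partition table, and optionally compares the bootstrap area against a known-good hash, which is assumed to come from a clean image of the same machine; the sample MBR bytes are constructed.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIG = b"\x55\xaa"


def parse_mbr(data):
    """Decode a 512-byte MBR image (the mbr.bin that dd writes in the steps above)."""
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    parts = []
    for i in range(4):
        # 16-byte entry: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", data, 446 + 16 * i)
        if ptype != 0:  # type 0x00 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"signature_ok": data[510:] == BOOT_SIG,
            "bootcode_sha256": hashlib.sha256(data[:440]).hexdigest(),
            "partitions": parts}


def check_mbr(data, known_good_bootcode_sha256=None):
    """Return a list of findings; an empty list means nothing looked wrong."""
    mbr = parse_mbr(data)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    bootable = [p for p in mbr["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"{len(bootable)} bootable partitions (expected exactly 1)")
    spans = sorted((p["lba_start"], p["lba_start"] + p["sectors"]) for p in mbr["partitions"])
    for (_, prev_end), (start, _) in zip(spans, spans[1:]):
        if start < prev_end:
            findings.append(f"partitions overlap at LBA {start}")
    # Bytes 0-439 hold the bootstrap code that MBR malware rewrites; compare them with a
    # hash taken from a known-clean image of the same machine (assumed to be available).
    if known_good_bootcode_sha256 and mbr["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("bootstrap code differs from known-good reference")
    return findings


def _entry(status, ptype, lba, count):
    return struct.pack("<B3xB3xII", status, ptype, lba, count)


# Constructed sample images, not taken from the thread: a clean MBR and a tampered copy.
CLEAN_BOOTCODE = bytes([0xFA, 0x33, 0xC0, 0x8E, 0xD0]) + bytes(435)
CLEAN_MBR = (CLEAN_BOOTCODE + bytes(6)                     # disk signature + reserved
             + _entry(0x80, 0x07, 63, 1_000_000) + _entry(0x00, 0x07, 1_000_063, 2_000_000)
             + _entry(0, 0, 0, 0) * 2 + BOOT_SIG)
KNOWN_GOOD = hashlib.sha256(CLEAN_BOOTCODE).hexdigest()
TAMPERED_MBR = b"\xeb" + CLEAN_MBR[1:]  # first opcode patched, partition table intact
```

Run `check_mbr(open("mbr.bin", "rb").read())` on the real file to get the structural findings; the bootstrap comparison only applies when a trusted reference hash is available.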

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#3 boopme (Global Moderator)

Posted 10 February 2012 - 03:31 PM

Hello, just letting you know I moved this topic here, to the Virus, Trojan, Spyware, and Malware Removal Logs forum, where it will stay.

Please remember to click the Watch Topic button at the top right and select Immediate Notification so you do not miss any replies now that you were moved.

#4 lungbuster (Topic Starter)

Posted 10 February 2012 - 05:48 PM

Cannot find my USB drive when I open any of the mnt files.

#5 JSntgRvr (Malware Response Team)

Posted 10 February 2012 - 06:57 PM

Remove and reinsert the USB drive while on xPUD. Allow xPUD to mount the device. You will see its progress on the top right corner of xPUD menu. If it fails again, as an alternate, see if you can build a Linux Poppy boot CD, and boot the computer with it. Let me know the outcome.



#6 lungbuster (Topic Starter)

Posted 10 February 2012 - 07:02 PM

Ok will try that now.

#7 lungbuster (Topic Starter)

Posted 10 February 2012 - 07:05 PM

Tried installing the USB; first I had a message that said mounted on sdc1, then a few seconds later got an error that said unmounted. As I was downloading the other OS, I got the infected PC to mount the USB device; gathering the information now.

Edited by lungbuster, 10 February 2012 - 07:16 PM.


#8 lungbuster (Topic Starter)

Posted 10 February 2012 - 07:33 PM

Attached files: filefind.txt (566 bytes), RegReport.txt (5.57 KB), report.txt (18.18 KB)

I found all the report .txt files, but mbr.bin was not on the USB drive?
I have attached the reports; hopefully they will be of help without the zip file.

I will be gone the next few hours, but will check when I get back.
Thank you for your help!

#9 JSntgRvr (Malware Response Team)

Posted 10 February 2012 - 09:08 PM

Nothing in those reports we can work on.

Download rst.sh to the USB drive
Also download Dumpit by noahdfear to the USB drive.

  • Boot the Sick computer with the USB drive again
  • Press File
  • Expand mnt
  • Expand your USB (sdb1)
  • Confirm that you see rst.sh that you downloaded there
  • Press Tool at the top
  • Choose Open Terminal
  • Type bash rst.sh
  • Press Enter
  • After it has finished a report will be located at sdb1 named enum.log
  • Close the Terminal window and confirm that you see the file dumpit in your USB drive. Double click on it.
  • After it has finished a report will be located in your USB drive named mbr.zip

Please also note - all text entries are case sensitive

Copy and paste the contents of the enum.log for my review in your next reply, but attach the MBR.zip.



#10 lungbuster (Topic Starter)

Posted 10 February 2012 - 09:46 PM

I can download rst.sh, but the dumpit link does not take me to a download; it shows an encrypted page but no download options show up?

#11 JSntgRvr (Malware Response Team)

Posted 10 February 2012 - 11:52 PM

It does from my PC. I have zipped the file and enclosed it:

You will need to unzip the file prior to moving it to the USB drive.



#12 lungbuster (Topic Starter)

Posted 11 February 2012 - 01:29 AM

enum.log




Attached file: mbr.zip (2.72 KB)


#13 JSntgRvr (Malware Response Team)

Posted 11 February 2012 - 01:24 PM

The MBR reads infected.

  • Download NTBR_CD by noahdfear.
  • Extract its contents to the desktop.
  • Once extracted, open the NTBR_CD folder and click on the BurnItCD application.
  • Insert a blank CD when prompted. The .iso image will be burned to the CD.
  • Boot the computer with the CD you just burned and follow the prompts.
  • Press Enter for English.
  • At the menu type 1 to select MBRWORK then hit Enter

    This screen will show the hard drive configuration.
  • Type 5 to Install standard MBR code then hit Enter
  • Type 1 to select Standard then hit Enter
  • Type Y then hit Enter to confirm
  • Type E then hit Enter to exit
  • Back at the menu, type 6 to Quit.
  • Press Ctrl+Alt+Del to restart the machine.
  • Eject the CD upon restart and boot normally.



#14 lungbuster (Topic Starter)

Posted 12 February 2012 - 07:54 PM

So I got Windows to boot, but it tried to finish a repair install that I had previously initiated trying to correct the original problem. It booted and went through almost the entire repair install and then hung. I shut it down and rebooted; it went through the splash screen and to the user accounts page, I logged into my account, all my programs and files were there, then it started listing system failures. I did a recommended PC scan and it had a fix errors option; I ran it and it still listed 9 errors, some HD, some registry. All of a sudden ALL of my programs and files started to disappear. I tried a restart but everything is gone. Is there any way to get my programs and files back? If not I am screwed!

#15 JSntgRvr (Malware Response Team)

Posted 13 February 2012 - 01:22 AM

Boot to xPUD. Are you able to see the contents of the main drive? /mnt/sda2/?
