
Black screen - blinking cursor


23 replies to this topic

#1 rushjr

rushjr

  • Members
  • 14 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:University Park, PA; USA
  • Local time:03:55 AM

Posted 06 September 2012 - 07:25 AM

One of my users in the dept. brought me their home PC with a very frustrating issue. It's a Gateway SX2850, 4 GB RAM, 640 GB hard drive.
It came with Windows 7 Home Prem. 64-bit installed. After the Gateway logo, the screen goes black except for a blinking cursor. The hard drive appears to be fine. I can boot to a bootable CD or DVD. I've booted to a Win. 7 install disk and ran all the fix/recovery utilities.
I even followed some threads on here Tue. and ran xPUD, QUERY.exe and FRST64.exe --- neither one fixed the issue. Help!



#2 jhayz

jhayz

  • BC Advisor
  • 6,922 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:03:55 PM

Posted 06 September 2012 - 07:56 AM

Can you go to the BIOS and check if the hard drive is being recognized and is being booted first? Did you try moving to another port or using another cable? Were there infections prior to the problem?

Tekken
 


#3 rushjr


Posted 06 September 2012 - 08:16 AM

Yes, the hard drive is recognized and is trying to boot to first. I can PF12 it to force it to boot to the CD/DVD.
I don't know about prior infections, but 2 teens used this PC, so I wouldn't be surprised!

#4 jhayz


Posted 06 September 2012 - 08:40 AM

Since you mentioned the drive is fine, I would ask a BC staff member to check if it's not an infection that is causing your BLKSCR. Please wait; a malware expert may respond to you.

Tekken
 


#5 hamluis

hamluis

    Moderator


  • Moderator
  • 56,426 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Killeen, TX
  • Local time:01:55 AM

Posted 06 September 2012 - 09:24 AM

See Gateway documentation for such: http://support.gateway.com/s/Checklists/BPC/ck20071024125.shtml .

Louis

#6 rushjr


Posted 06 September 2012 - 09:35 AM

Yes, the hard drive is fine. One of the first things I ran was a CHKDSK.exe. I have several disk utilities I've used and I can "see" the partitions and all the Windows files.

#7 rushjr


Posted 06 September 2012 - 11:34 AM

Do I need to post this to Security -> Am I infected now?

#8 AustrAlien

AustrAlien

    Inquisitor


  • Members
  • 6,772 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Cowra NSW Australia
  • Local time:05:55 PM

Posted 06 September 2012 - 04:03 PM

Let's have a look at the MBR (MasterBootRecord).

Please try the following: You will need a USB drive/flashdrive and a new blank writable CD.

Step 1: Please do the following on a working computer:
  • Download GETxPUD.exe to the Desktop.
  • Run GETxPUD.exe
    A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
    Please be patient: This could take a while - download file size 63MB.
  • Click on Start and follow the prompts to burn the image to a CD.
You will use this CD to boot the ailing computer from.


Step 2: Boot the ailing computer with the xPUD CD.
  • (You may have to configure the Boot Menu or BIOS Setup Menu to boot first from the optical/CD/DVD drive.)
    A Welcome to xPUD screen will appear.
  • Click on File.
  • Expand the mnt icon on the left (click on the little arrow beside the icon).
    • sda1, sda2 etc. ...usually correspond to your HDD partitions
    • sdb1, sdc1 is likely to correspond to a USB flashdrive, external USB hard drive etc.
  • Click on the folder that represents your USB drive (sdb1 ?).
  • Click Tool on the top menu, and choose Open Terminal.
  • Type the following at the hash prompt:

    dd if=/dev/sda of=mbr.bin bs=512 count=1

    • Note: Leave a space between the following:
      • dd ... the executable application used to create the backup
      • if=/dev/sda ... the device the backup is created from (the hard drive when only one HDD exists)
      • of=mbr.bin ... the backup file to create - note the lack of a path - it will be created in the directory currently open in the Terminal
      • bs=512 ... the number of bytes in the backup
      • count=1 ... says to backup just 1 sector
        It is extremely important that the if and of statements are correctly entered.
  • Press the <ENTER> key.
    After it has finished a file will be located on your USB drive named mbr.bin.
  • Go to Home > Power Off > Turn Off and remove the flashdrive as the system shuts down.

Step 3: On the working computer:
  • Insert the USB drive, and navigate to the file mbr.bin
  • Zip-up the mbr.bin file:
    • Right-click on the file and choose Send to .. > Compressed (zipped) Folder.
      A zipped folder will appear in the same location as the mbr.bin file.
  • Please attach the zipped file to your next reply.
    This will allow the MasterBootRecord of your hard drive to be checked to see whether or not it is infected &/or damaged.

AustrAlien
Google is my friend. Make Google your friend too.


#9 rushjr


Posted 06 September 2012 - 08:05 PM

Great! --- I burned the CD, but will have to run it tomorrow (7am EST)

#10 AustrAlien


Posted 06 September 2012 - 08:08 PM

"... will have to run it tomorrow (7am EST)"

I have no idea where in the world you are, or what time that may be where I am ... but no problem, I will be notified when you reply ... whenever that is.

I will have a look at the MBR when you get it attached.

Edited by AustrAlien, 06 September 2012 - 08:09 PM.

AustrAlien
Google is my friend. Make Google your friend too.


#11 rushjr


Posted 07 September 2012 - 06:31 AM

Pennsylvania (Eastern Standard Time) B)

Attached Files

  • Attached File  mbr.zip   572bytes   2 downloads


#12 AustrAlien


Posted 07 September 2012 - 03:27 PM

Thank you. Examination of the MBR partition table reveals that the boot flag is set to an invalid first partition. This is most likely the product of a malware infection.

Please sit tight and be patient for now:
  • I have requested that an experienced helper who specialises in malware-related un-bootable computers respond to your topic.
  • A suitably experienced helper will respond when they are available.

MBR Analyzer v1.1.0

File : C:\Documents and Settings\GEOFF\Desktop\rushjr_BC\mbr.bin


---------------------------[ MBR ]----------------------------

MBR_CODE        : 7 MBR Code
MD5             : 632B177ABFDBB7AB8C106F09F6797446
SHA1            : 3C084253AB1D433BA780DAE2598175CBCB7F5090
PARTITIONS      : 3
DISK_SIGNATURE  : 6B586620
SIGNATURE_ID    : AA55h

-----------------------[ PARTITION 2 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x27 ( RE Hidden partition )
PARTITION_SIZE  : 13.67 Go
STARTING_SECTOR : 2048
ENDING_SECTOR   : 28674048
TOTAL_SECTORS   : 28672000

-----------------------[ PARTITION 3 ]------------------------

BOOTABLE        : YES
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 100 Mo
STARTING_SECTOR : 28674048
ENDING_SECTOR   : 28878848
TOTAL_SECTORS   : 204800

-----------------------[ PARTITION 4 ]------------------------

BOOTABLE        : NO
PARTITION_TYPE  : 0x07 ( NTFS / HPFS)
PARTITION_SIZE  : 582 Go
STARTING_SECTOR : 28878848
ENDING_SECTOR   : 1250261680
TOTAL_SECTORS   : 1221382832

AustrAlien
Google is my friend. Make Google your friend too.
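
The boot-flag check from post #12, as an added example that is not part of the original thread and is not the MBR Analyzer tool's code: a Python parser for the four 16-byte partition entries of a 512-byte mbr.bin that reports boot-flag anomalies. The function names are illustrative, and the sample sector is constructed from the partition types and sector numbers in the analyzer summary above; modelling the "invalid first partition" as a boot flag on an unused first slot is an assumption.

```python
import struct

TABLE_OFFSET = 0x1BE          # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of the sector (AA55h)
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, LBA start, count


def parse_mbr(sector):
    """Decode the partition table of one 512-byte MBR image (mbr.bin)."""
    if len(sector) != 512:
        raise ValueError("expected 512 bytes, as written by bs=512 count=1")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("boot signature 55 AA is missing")
    entries = []
    for slot in range(4):
        status, ptype, start, sectors = ENTRY.unpack_from(
            sector, TABLE_OFFSET + 16 * slot)
        entries.append({"slot": slot + 1, "status": status, "type": ptype,
                        "start": start, "sectors": sectors})
    return entries


def audit_boot_flags(entries):
    """Return a list of findings about the active (boot) flag."""
    findings = []
    for e in entries:
        if e["status"] not in (0x00, 0x80):
            findings.append(f"entry {e['slot']}: invalid status byte "
                            f"0x{e['status']:02X}")
        elif e["status"] == 0x80 and (e["type"] == 0 or e["sectors"] == 0):
            findings.append(f"entry {e['slot']}: boot flag set on an "
                            "empty entry")
    active = [str(e["slot"]) for e in entries if e["status"] == 0x80]
    if len(active) > 1:
        findings.append("boot flag set on more than one entry: "
                        + ", ".join(active))
    elif not active:
        findings.append("no entry carries the boot flag")
    return findings


def make_entry(status, ptype, start, sectors):
    """Pack one table entry; CHS fields are left zero in this sketch."""
    return ENTRY.pack(status, ptype, start, sectors)


def build_sample():
    """Constructed sector: types and sector numbers taken from the
    analyzer summary above, with an assumed boot flag on empty slot 1."""
    table = (make_entry(0x80, 0x00, 0, 0)
             + make_entry(0x00, 0x27, 2048, 28672000)
             + make_entry(0x80, 0x07, 28674048, 204800)
             + make_entry(0x00, 0x07, 28878848, 1221382832))
    return bytes(TABLE_OFFSET) + table + BOOT_SIGNATURE


if __name__ == "__main__":
    for e in parse_mbr(build_sample()):
        print(f"slot {e['slot']}: status=0x{e['status']:02X} "
              f"type=0x{e['type']:02X} start={e['start']} "
              f"sectors={e['sectors']}")
    for finding in audit_boot_flags(parse_mbr(build_sample())):
        print("FINDING:", finding)
```

To run it against a real capture, pass the bytes of the mbr.bin file made in step 2 to parse_mbr instead of build_sample().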


#13 JSntgRvr

JSntgRvr

    Master Surgeon General


  • Malware Response Team
  • 11,843 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Puerto Rico
  • Local time:03:55 AM

Posted 07 September 2012 - 08:15 PM

Welcome!

Let's give it a try.

For x86 (x32) bit systems please download Listparts
For x64 bit systems please download Listparts64
and save it to a flash drive.

Plug the flashdrive into the infected PC.

Enter System Recovery Options.

To enter System Recovery Options from the Advanced Boot Options:

Note: If you can't reach the Advanced Boot Options, boot to the install CD and reach the command prompt. Then follow the instructions below to run ListParts.exe

  • Restart the computer.
  • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
  • Click on Repair your computer menu item.
  • Select US as the keyboard language settings, and then click Next.
  • Select the operating system you want to repair, and then click Next.
  • Select your user account and click Next.
On the System Recovery Options menu you will get the following options:

Startup Repair
System Restore
Windows Complete PC Restore
Windows Memory Diagnostic Tool
Command Prompt

  • Select Command Prompt
  • In the command window type in notepad and press Enter.
  • The notepad opens. Under File menu select Open.
  • Select "Computer" and find your flash drive letter and close the notepad.
  • In the command window type e:\ListParts.exe (for x64 bit version type e:\ListParts64.exe) and press Enter
    Note: Replace letter e with the drive letter of your flash drive.
  • The tool will start to run.
  • When the tool opens click Yes to disclaimer.
  • Put check mark on List BCD.
  • Press Scan button.
  • It will make a log (Result.txt) in the flash drive. Please copy and paste it to your reply.

No request for help throughout private messaging will be attended.

If I have helped you, consider making a donation to help me continue the fight against Malware!


#14 rushjr


Posted 07 September 2012 - 09:04 PM

Here it is:
ListParts by Farbar Version: 10-08-2012
Ran by SYSTEM (administrator) on 07-09-2012 at 21:57:55
Windows 7 (X64)
Running From: G:\
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 16%
Total physical RAM: 3959.11 MB
Available physical RAM: 3305.9 MB
Total Pagefile: 3957.31 MB
Available Pagefile: 3286.57 MB
Total Virtual: 8192 MB
Available Virtual: 8191.91 MB

======================= Partitions =========================

1 Drive c: (SYSTEM RESERVED) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
2 Drive d: (Gateway) (Fixed) (Total:582.4 GB) (Free:524.5 GB) NTFS
3 Drive e: (PQSERVICE) (Fixed) (Total:13.67 GB) (Free:2.73 GB) NTFS
4 Drive f: (W7SP1_PROFESSIONAL) (CDROM) (Total:5.23 GB) (Free:0 GB) UDF
5 Drive g: () (Removable) (Total:1.87 GB) (Free:0.01 GB) FAT
8 Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS

Disk ### Status Size Free Dyn Gpt
-------- ------------- ------- ------- --- ---
Disk 0 Online 596 GB 0 B
Disk 1 Online 1912 MB 0 B
Disk 2 No Media 0 B 0 B
Disk 3 No Media 0 B 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Recovery 13 GB 1024 KB
Partition 2 Primary 100 MB 13 GB
Partition 3 Primary 582 GB 13 GB

======================================================================================================

Disk: 0
Partition 1
Type : 27
Hidden: Yes
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 3 E PQSERVICE NTFS Partition 13 GB Healthy Hidden

======================================================================================================

Disk: 0
Partition 2
Type : 07
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C SYSTEM RESE NTFS Partition 100 MB Healthy

======================================================================================================

Disk: 0
Partition 3
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D Gateway NTFS Partition 582 GB Healthy

======================================================================================================

Partitions of Disk 1:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 1911 MB 16 KB

======================================================================================================

Disk: 1
Partition 1
Type : 06
Hidden: No
Active: Yes

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 4 G FAT Removable 1911 MB Healthy

======================================================================================================

Windows Boot Manager
--------------------
identifier {9dea862c-5cdd-4e70-acc1-f32b344d4795}
device partition=C:
description Windows Boot Manager
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
default {2dec51c0-771c-11dc-8182-969ceb654362}
resumeobject {2dec51bf-771c-11dc-8182-969ceb654362}
displayorder {2dec51c0-771c-11dc-8182-969ceb654362}
bootsequence {b2721d73-1db4-4c62-bf78-c548a880142d}
toolsdisplayorder {b2721d73-1db4-4c62-bf78-c548a880142d}
timeout 30

Windows Boot Loader
-------------------
identifier {2dec51c0-771c-11dc-8182-969ceb654362}
device partition=D:
path \Windows\system32\winload.exe
description Windows 7
locale en-US
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
recoverysequence {2dec51c1-771c-11dc-8182-969ceb654362}
recoveryenabled Yes
osdevice partition=D:
systemroot \Windows
resumeobject {2dec51bf-771c-11dc-8182-969ceb654362}
nx OptIn

Windows Boot Loader
-------------------
identifier {2dec51c1-771c-11dc-8182-969ceb654362}
device ramdisk=[D:]\Recovery\2dec51c1-771c-11dc-8182-969ceb654362\Winre.wim,{2dec51c2-771c-11dc-8182-969ceb654362}
path \windows\system32\winload.exe
description Windows Recovery Environment
inherit {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
osdevice ramdisk=[D:]\Recovery\2dec51c1-771c-11dc-8182-969ceb654362\Winre.wim,{2dec51c2-771c-11dc-8182-969ceb654362}
systemroot \windows
nx OptIn
winpe Yes
custom:46000010 Yes

Resume from Hibernate
---------------------
identifier {2dec51bf-771c-11dc-8182-969ceb654362}
device partition=D:
path \Windows\system32\winresume.exe
description Windows Resume Application
locale en-US
inherit {1afa9c49-16ab-4a5c-901b-212802da9460}
filedevice partition=D:
filepath \hiberfil.sys
debugoptionenabled No

Windows Memory Tester
---------------------
identifier {b2721d73-1db4-4c62-bf78-c548a880142d}
device partition=C:
path \boot\memtest.exe
description Windows Memory Diagnostic
locale en-US
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
badmemoryaccess Yes

EMS Settings
------------
identifier {0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
bootems Yes

Debugger Settings
-----------------
identifier {4636856e-540f-4170-a130-a84776f4c654}
debugtype Serial
debugport 1
baudrate 115200

RAM Defects
-----------
identifier {5189b25c-5558-4bf2-bca4-289b11bd29e2}

Global Settings
---------------
identifier {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
inherit {4636856e-540f-4170-a130-a84776f4c654}
{0ce4991b-e6b3-4b16-b23c-5e0d9250e5d9}
{5189b25c-5558-4bf2-bca4-289b11bd29e2}

Boot Loader Settings
--------------------
identifier {6efb52bf-1766-41db-a6b3-0ee5eff72bd7}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}
{7ff607e0-4395-11db-b0de-0800200c9a66}

Hypervisor Settings
-------------------
identifier {7ff607e0-4395-11db-b0de-0800200c9a66}
hypervisordebugtype Serial
hypervisordebugport 1
hypervisorbaudrate 115200

Resume Loader Settings
----------------------
identifier {1afa9c49-16ab-4a5c-901b-212802da9460}
inherit {7ea2e1ac-2e61-4728-aaa3-896d9d0a9f0e}

Device options
--------------
identifier {2dec51c2-771c-11dc-8182-969ceb654362}
description Ramdisk Options
ramdisksdidevice partition=D:
ramdisksdipath \Recovery\2dec51c1-771c-11dc-8182-969ceb654362\boot.sdi


****** End Of Log ******

#15 JSntgRvr


Posted 08 September 2012 - 12:31 AM

Download the enclosed file.

Save it next to ListParts.exe in the USB drive.

  • Run ListParts as you did before.
  • This time around, press the Fix button.
  • When it is done close the notification pop up. Click Scan and copy and paste the log (Result.txt) it makes.

NOTICE: This script was written specifically for this user, for use on that particular machine. Running this on another machine may cause damage to your operating system


If successful, attempt to boot into Normal Mode.





