JonTom, posted April 16, 2011:

Hello steve595

When you typed in both and xPUD began searching for the hives, did it declare that both SOFTWARE and SYSTEM were collected? Did everything go okay up until that point?
JonTom, posted April 16, 2011:

Hello steve595

Let's see if we can get the following to work:

From xPUD, please navigate to sda3/windows/system32/config and locate SYSTEM and SOFTWARE. Please do the same for the ntuser.dat file from sda3/Users/{insert_username}. Once you have located each of the above, manually copy them to the flash drive (right click > Copy, then Paste into the flash drive), then zip them up.

Next, please search the root of sda2, sda3 and sda5 for a folder named "Boot" that contains the file BCD. If there is more than one, please collect them all (right click > Copy, then Paste into the flash drive) and append the names of the copies with the sda? device they came from, e.g. bcdsda2 or similar.

Once you have these files, please zip those up too and upload all of the requested files here: http://noahdfear.net/max/upload.php

Please enter the link to this topic too, where requested: http://forums.pcpitstop.com/index.php?/topic/194548-blank-screen/

Once uploaded (or if you have any problems with the above steps), please let me know.
steve595, posted April 16, 2011:

> Hello steve595
> When you typed in both and xPUD began searching for the hives, did it declare that both SOFTWARE and SYSTEM were collected? Did everything go okay up until that point?

I'm sorry, but I did not note that both SOFTWARE and SYSTEM WERE COLLECTED... and it did appear that everything went fine to that point...
steve595, posted April 16, 2011:

> Hello steve595
> Let's see if we can get the following to work:
> From xPUD, please navigate to sda3/windows/system32/config and locate SYSTEM and SOFTWARE. Please do the same for the ntuser.dat file from sda3/Users/{insert_username}. Once you have located each of the above, manually copy them to the flash drive (right click > Copy, then Paste into the flash drive), then zip them up.

Once I find these files I am unable to determine how to paste them to the flash drive?? Sorry for not being more computer literate...
JonTom, posted April 17, 2011:

Hello steve595

> Sorry for not being more computer literate...

There is no need to apologise, you are doing just fine.

> Once I find these files I am unable to determine how to paste them to the flash drive??

Let's try it this way:

Your flash drive would normally correspond to sdb1. Remember a few steps back, when you downloaded driver.sh on the clean machine and transferred it to the USB stick? When you plugged the USB into the infected machine you confirmed the presence of driver.sh on the USB drive by navigating to sdb1 (you did this by pressing File, Expand mnt...). If driver.sh was indeed present in sdb1, then sdb1 corresponds to the USB drive.

While in xPUD, navigate to each of the required files, right click on them and select Copy. Once you have done that, navigate to sdb1 (you should be able to see that driver.sh is still there), right click and select Paste. Do this for each of the files required.

Once completed, remove the USB stick from the infected machine and plug it into the clean machine. When you open the USB drive the copied files ought to be present.

If you can see the files on the drive, please zip and upload them using the link I provided earlier, along with the link to your thread.

If you have any problems with the above just come back and let me know.
steve595, posted April 17, 2011:

OK, all uploaded, hoping I did the zip part correctly.

Thanks,
steve
JonTom, posted April 17, 2011:

Hello steve595

The upload went okay but the zipped file was empty.

Once the required files have been copied to the flash drive and transferred to the clean machine, right click on each one and select Send to > Compressed (zipped) folder. A zipped folder should appear that contains the compressed file.

Once each of the files has been zipped in this way, try the upload again.
steve595, posted April 17, 2011:

Almost positive that I did it correctly this time...
JonTom, posted April 17, 2011:

Hello steve595

Once I hear word about the upload I will let you know. If the information was sent successfully it may take a bit of time to analyse. I'll get back to you as soon as I can.
steve595, posted April 17, 2011:

> Hello steve595
> Once I hear word about the upload I will let you know. If the information was sent successfully it may take a bit of time to analyse. I'll get back to you as soon as I can.

Thanks
JonTom, posted April 17, 2011:

Hello steve595

Great job with the upload, you did it perfectly.

There is another file that we would like to take a closer look at. Please navigate through xPUD on the infected machine to the following file:

mnt>sda3>Users>Arianna>ntuser.dat

Once located, Copy by right clicking as before, Paste it into the USB drive just as you did before, then use the clean machine to zip it and upload it along with the link to your thread.

Once our xPUD expert has taken a close look at it I'll get back to you.

If you run into any problems with the above steps just let me know.
steve595, posted April 17, 2011:

OK, uploaded ntuser.dat
JonTom, posted April 18, 2011:

Thanks for letting me know steve. As soon as noahdfear (xPUD expert) has analysed the information I'll get back to you.
noahdfear, posted April 20, 2011:

Hi Steve,

I've looked over your registry hives, and the bcd, and frankly I don't see a problem with any of them. That said, I cannot get true results from your bcd - true results can only come from the machine on which the bcd lives. So, let's see if we can get an export from your bcd.

Plug in your flash drive and start the computer, pressing F8 to enable the Advanced Start menu.
Select Repair your computer.
If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu.
Select Command prompt.
Type diskpart and press Enter.
When the diskpart> command prompt appears, type list volume and press Enter.
Jot down the drive letters assigned and their corresponding label - I'll want that information in your reply. Identify which drive letter is assigned to your flash drive (you should know by the size).
Type exit and press Enter to quit the diskpart tool.
Now type the following command, replacing x with the drive letter that corresponds to your flash drive, then press Enter:

bcdedit /enum all>x:\bcd.txt

*Please note that there is a space between bcdedit and /enum, and another between /enum and all.
*If for some reason your flash drive does not show up in diskpart, use one of the drive letters shown there in place of x and we can retrieve the export in xPUD.

Close the command window and shut down the machine.

I would also like to get a dump of the hard drive's MBR (Master Boot Record). We'll use xPUD for that.

Download dumpit and save it to your flash drive.
Boot into xPUD with the flash drive attached, click the File icon, then navigate to your flash drive (mnt>sdb1).
Double click dumpit to execute it. When it completes press Enter to exit the Terminal window.
If you were unsuccessful exporting the bcd to the flash drive, click each mnt>sda folder to locate the bcd.txt file - when you find it, right click and select Cut, then navigate back to the flash drive, right click and select Paste.
Shut down and remove the flash drive, then on your working computer attach the mbr.zip and bcd.txt files on the flash drive to a reply here.

Please remember to also post the drive letter and label information obtained in the Recovery Environment.
steve595, posted April 20, 2011:

Hello noahdfear,

Thank you for your assistance! When I click on dumpit I do not receive a download, but rather a text page opens... Is there something special I should be doing to get the download??
noahdfear, posted April 20, 2011:

Right click on the link and select Save Target As.
steve595, posted April 20, 2011:

> Right click on the link and select Save Target As.

I am sure it is right in front of me, but how do I attach files in my replies?
noahdfear, posted April 20, 2011:

Click Add Reply, then on the Replying to Blank Screen page click the Browse button located below the reply textbox. Select your file and click Open. Click Attach this file. Finally, click Add Reply.
noahdfear, posted April 20, 2011:

You will need to type something into the reply text box - I don't think the forum software will allow you to post a blank reply.
steve595, posted April 20, 2011:

Sorry, getting very frustrated as I do not see a Browse button below the text box...
noahdfear, posted April 20, 2011:

Let's do it this way then.

First, zip up the bcd.txt file (right click > Send To > Compressed (zipped) folder).

Go to my submissions site and upload the bcd.zip and mbr.zip files: http://noahdfear.net/max/upload.php
steve595, posted April 21, 2011:

> Let's do it this way then.
> First, zip up the bcd.txt file (right click > Send To > Compressed (zipped) folder).
> Go to my submissions site and upload the bcd.zip and mbr.zip files: http://noahdfear.net/max/upload.php

Thank you!
noahdfear, posted April 21, 2011:

Please save xPUDtd to your flash drive. Boot to xPUD with the flash drive attached, navigate to the flash drive, then double click xPUDtd to run it.

At the first screen, leave [Create] selected and press Enter.
The next screen will show your disk drives; generally the hard drive will be first, usb second. You should be able to verify by the size. Select the hard drive, select [Proceed] and press Enter.
At the next screen select [intel] and press Enter.
Now at the actions option screen, arrow down to [Advanced] and press Enter.
Select [boot] and press Enter - you may have to arrow up/down to select a different partition to get the [boot] option to show.
Select [Dump] and press Enter.
At this screen, use the page down button (or press Enter on the [Next] option repeatedly) to view the entire boot sector, which may be about 4 screens full and ends at approximately the 01F8 sector in the left column.
Now press Q three times, which should return you to the actions option screen.
Select [Analyse] and press Enter.
Select [Quick Search] and press Enter.
If prompted to search for partitions created under Vista, type Y.
The next screen will show the current partition structure. Press Enter to continue.
Now press Q repeatedly until TestDisk exits.

There will be a log created on the flash drive named testdisk.log. Either zip and upload that log or open it (should open with notepad by default) and copy/paste its contents in a reply here.
steve595, posted April 21, 2011:

Thu Apr 21 04:46:24 2011
Command line: TestDisk

TestDisk 6.12-WIP, Data Recovery Utility, October 2010
Christophe GRENIER <grenier@cgsecurity.org>
http://www.cgsecurity.org
OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686
Compiler: GCC 4.4 - Feb 7 2011 09:24:20
ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20100226
/dev/sda: LBA, HPA, LBA48, DCO support
/dev/sda: size       488397168 sectors
/dev/sda: user_max   488397168 sectors
/dev/sda: native_max 488397168 sectors
/dev/sda: dco        488397168 sectors
Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512
Hard disk list
Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63, sector size=512 - ATA ST9250320AS
Disk /dev/sdb - 1033 MB / 986 MiB - CHS 1017 32 62, sector size=512 - Flash Disk

Partition table type (auto): Intel
Disk /dev/sda - 250 GB / 232 GiB - ATA ST9250320AS
Partition table type: Intel

Interface Advanced
Geometry from i386 MBR: head=255 sector=63
check_part_i386 1 type DE: no test
NTFS at 5/25/21
NTFS at 1279/234/44
check_part_i386 5 type DD: no test
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2
 1 P Dell Utility                0   1  1     4 254 63      80262
 2 P HPFS - NTFS                 5  25 21  1279 234 43   20480000 [RECOVERY]
     NTFS, 10485 MB / 10000 MiB
 3 * HPFS - NTFS              1279 234 44 30074 213  3  462590312 [OS]
     NTFS, 236 GB / 220 GiB
 4 E extended LBA            30074 239 54 30401  42 41    5240832
 5 L Sys=DD                  30075  17 23 30401  42 41    5238784

ntfs_boot_sector
 2 P HPFS - NTFS                 5  25 21  1279 234 43   20480000 [RECOVERY]
     NTFS, 10485 MB / 10000 MiB
NTFS at 5/25/21
NTFS at 5/25/21
filesystem size           20480000
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               16
clusters_per_mft_record   -10
clusters_per_index_record 1
Boot sector
Status: OK

Backup boot sector
Status: OK

Sectors are identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.

Boot sector                          Backup boot sector
[hex dump of offsets 0000-01F8 for both sectors omitted]

ntfs_boot_sector
 2 P HPFS - NTFS                 5  25 21  1279 234 43   20480000 [RECOVERY]
     NTFS, 10485 MB / 10000 MiB
NTFS at 5/25/21
NTFS at 5/25/21
filesystem size           20480000
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               16
clusters_per_mft_record   -10
clusters_per_index_record 1
Boot sector
Status: OK

Backup boot sector
Status: OK

Sectors are identical.

A valid NTFS Boot sector must be present in order to access
any data; even if the partition is not bootable.
Analyse Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63
Geometry from i386 MBR: head=255 sector=63
check_part_i386 1 type DE: no test
NTFS at 5/25/21
NTFS at 1279/234/44
check_part_i386 5 type DD: no test
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2
Current partition structure:
 1 P Dell Utility                0   1  1     4 254 63      80262
 2 P HPFS - NTFS                 5  25 21  1279 234 43   20480000 [RECOVERY]
 3 * HPFS - NTFS              1279 234 44 30074 213  3  462590312 [OS]
 4 E extended LBA            30074 239 54 30401  42 41    5240832
 5 L Sys=DD                  30075  17 23 30401  42 41    5238784

Computes LBA from CHS for Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
Allow partial last cylinder : Yes
search_vista_part: 1

search_part()
Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63
FAT16 at 0/1/1
FAT1 : 1-79
FAT2 : 80-158
start_rootdir : 159 Data : 191-80258
sectors : 80259
cluster_size : 4
no_of_cluster : 20017 (2 - 20018)
fat_length 79 calculated 79
FAT16 at 0/1/1
     FAT16 >32M                  0   1  1     4 254 60      80259 [DellUtility]
     FAT16, 41 MB / 39 MiB
NTFS at 5/25/21
filesystem size           20480000
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               16
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS                 5  25 21  1279 234 43   20480000 [RECOVERY]
     NTFS, 10485 MB / 10000 MiB
NTFS at 1279/234/44
filesystem size           462590312
sectors_per_cluster       8
mft_lcn                   786432
mftmirr_lcn               16
clusters_per_mft_record   -10
clusters_per_index_record 1
     HPFS - NTFS              1279 234 44 30074 213  3  462590312 [OS]
     NTFS, 236 GB / 220 GiB
FAT32 at 30075/17/23
FAT1 : 6182-11282
FAT2 : 11283-16383
start_rootdir : 16384 root cluster : 2
Data : 16384-5238783
sectors : 5238784
cluster_size : 8
no_of_cluster : 652800 (2 - 652801)
fat_length 5101 calculated 5101
FAT32 at 30075/17/23
     FAT32 LBA               30075  17 23 30401  42 41    5238784 [MEDIADIRECT]
     FAT32, 2682 MB / 2558 MiB
get_geometry_from_list_part_aux head=255 nbr=2
get_geometry_from_list_part_aux head=8 nbr=1
get_geometry_from_list_part_aux head=16 nbr=1
get_geometry_from_list_part_aux head=32 nbr=1
get_geometry_from_list_part_aux head=64 nbr=1
get_geometry_from_list_part_aux head=128 nbr=1
get_geometry_from_list_part_aux head=240 nbr=1
get_geometry_from_list_part_aux head=255 nbr=2

Results
   * FAT16 >32M                  0   1  1     4 254 60      80259 [DellUtility]
     FAT16, 41 MB / 39 MiB
   P HPFS - NTFS                 5  25 21  1279 234 43   20480000 [RECOVERY]
     NTFS, 10485 MB / 10000 MiB
   P HPFS - NTFS              1279 234 44 30074 213  3  462590312 [OS]
     NTFS, 236 GB / 220 GiB
   L FAT32 LBA               30075  17 23 30401  42 41    5238784 [MEDIADIRECT]
     FAT32, 2682 MB / 2558 MiB

interface_write()
 1 * FAT16 >32M                  0   1  1     4 254 60      80259 [DellUtility]
 2 P HPFS - NTFS                 5  25 21  1279 234 43   20480000 [RECOVERY]
 3 P HPFS - NTFS              1279 234 44 30074 213  3  462590312 [OS]
 4 E extended LBA            30075   0  1 30401 254 63    5253255
 5 L FAT32 LBA               30075  17 23 30401  42 41    5238784 [MEDIADIRECT]
simulate write!
write_mbr_i386: starting...
write_all_log_i386: starting...
write_all_log_i386: CHS: 30075/0/1,lba=483154875

TestDisk exited normally.

This is the drive letter and label information obtained in the Recovery Environment that I did not post in the last reply:

Ltr  Label
E
D    Recvery
C    OS
F
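The TestDisk log above reports the NTFS boot sector fields of the [RECOVERY] partition (sectors_per_cluster 8, mft_lcn 786432, mftmirr_lcn 16, clusters_per_mft_record -10) and confirms that the backup boot sector is identical. The following Python is an added example, not part of the thread and not TestDisk's code: it parses an NTFS boot sector, cross-checks hidden_sectors and the volume size against the MBR partition entry using the CHS geometry TestDisk printed (head=255 sector=63), and computes where the backup boot sector lives. The 512-byte sector is constructed from the values in the log, with boot code and volume serial zeroed.

```python
import struct
from dataclasses import dataclass

# Disk geometry TestDisk read from the i386 MBR in the log: head=255 sector=63.
HEADS, SECTORS_PER_TRACK = 255, 63


def chs_to_lba(cyl: int, head: int, sector: int) -> int:
    """CHS as TestDisk prints it (1-based sector) to LBA under the MBR geometry."""
    return (cyl * HEADS + head) * SECTORS_PER_TRACK + (sector - 1)


@dataclass
class NtfsBootSector:
    bytes_per_sector: int
    sectors_per_cluster: int
    hidden_sectors: int            # LBA where the partition starts
    total_sectors: int             # excludes the backup boot sector
    mft_lcn: int
    mftmirr_lcn: int
    clusters_per_mft_record: int   # negative n means a record is 2**-n bytes
    clusters_per_index_record: int
    signature: int                 # bytes 55 AA read little-endian -> 0xAA55

    @property
    def filesystem_size(self) -> int:
        return self.total_sectors + 1   # the "filesystem size" TestDisk prints

    @property
    def mft_record_size(self) -> int:
        n = self.clusters_per_mft_record
        return 1 << -n if n < 0 else n * self.sectors_per_cluster * self.bytes_per_sector


def parse_ntfs_boot_sector(sec: bytes) -> NtfsBootSector:
    if len(sec) != 512:
        raise ValueError("boot sector must be exactly 512 bytes")
    bps, spc = struct.unpack_from("<HB", sec, 0x0B)
    total, mft, mftmirr = struct.unpack_from("<QQQ", sec, 0x28)
    return NtfsBootSector(bps, spc, struct.unpack_from("<I", sec, 0x1C)[0], total, mft,
                          mftmirr, struct.unpack_from("<b", sec, 0x40)[0],
                          struct.unpack_from("<b", sec, 0x44)[0],
                          struct.unpack_from("<H", sec, 0x1FE)[0])


def check_ntfs_boot_sector(sec: bytes, part_start_lba: int, part_sectors: int) -> list:
    """Findings against the MBR entry; an empty list is TestDisk's 'Boot sector Status: OK'."""
    bs = parse_ntfs_boot_sector(sec)
    clusters = bs.filesystem_size // max(bs.sectors_per_cluster, 1)
    findings = []
    if bs.signature != 0xAA55:
        findings.append(f"missing 55 AA signature (got {bs.signature:#06x})")
    if bs.hidden_sectors != part_start_lba:
        findings.append(f"hidden_sectors {bs.hidden_sectors} != partition start {part_start_lba}")
    if bs.filesystem_size != part_sectors:
        findings.append(f"filesystem size {bs.filesystem_size} != partition size {part_sectors}")
    if not (0 < bs.mft_lcn < clusters and 0 <= bs.mftmirr_lcn < clusters):
        findings.append("MFT or MFTMirr cluster lies outside the volume")
    return findings


def backup_boot_sector_lba(part_start_lba: int, bs: NtfsBootSector) -> int:
    """The backup copy TestDisk compared is the partition's last sector."""
    return part_start_lba + bs.total_sectors


def build_sample_sector() -> bytes:
    """Constructed sector reproducing the [RECOVERY] values in the log; boot code and serial zeroed."""
    sec = bytearray(512)
    sec[0:11] = b"\xeb\x52\x90NTFS    "                   # jump stub + OEM id
    struct.pack_into("<HB", sec, 0x0B, 512, 8)            # 512 B/sector, 8 sectors/cluster
    struct.pack_into("<HHI", sec, 0x18, SECTORS_PER_TRACK, HEADS, chs_to_lba(5, 25, 21))
    struct.pack_into("<QQQ", sec, 0x28, 20480000 - 1, 786432, 16)
    struct.pack_into("<bxxxbxxx", sec, 0x40, -10, 1)      # 1 KiB MFT records, 1-cluster index
    struct.pack_into("<H", sec, 0x1FE, 0xAA55)
    return bytes(sec)
```

Run against a sector read from the real disk, the same checks flag a boot sector whose hidden_sectors or size no longer agree with the partition table, which is the class of inconsistency TestDisk's [Analyse] step is looking for.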
noahdfear, posted April 23, 2011 (edited):

Hi Steve,

I have studied and re-studied everything you've submitted and I still do not see anything that could be blamed for the behavior of your computer. On the off chance that explorer.exe is corrupted, let's replace it with another copy on your drive.

Please download the attached replace.txt file and save it to your flash drive. Make sure that the driver.sh script you downloaded previously is still on the flash drive as well.

Boot into xPUD and navigate to the flash drive (sdb1), then click Tool>Open Terminal. Type the following command, then press Enter.

bash driver.sh -r

Close the Terminal window when the script completes and restart the computer, allowing it to start normally. Let me know if there's any change.

Please post the contents of the report created on the flash drive named filerep.txt.

Attachment: replace.txt

Edited April 23, 2011 by noahdfear