steve595

Blank Screen


Hello steve595

 

When you typed in both and xPUD began searching for the hives, did it declare that both SOFTWARE and SYSTEM were collected?

 

Did everything go okay up until that point?


Hello steve595

 

Let's see if we can get the following to work:

 

From xPUD, please navigate to:

 

sda3/windows/system32/config and locate SYSTEM and SOFTWARE.

 

Please do the same for the ntuser.dat file from sda3/Users/{insert_username}

 

Once you have located each of the above, manually copy them to the flash drive (right click > Copy, then Paste into the flash drive), then zip them up.

 

 

Next, please search the root of sda2, sda3 and sda5 for a folder named "Boot" that contains the file BCD

 

If there is more than one, please collect them all (right click > copy then Paste into the flash drive) and append the names of the copies with the sda? device they came from, eg: bcdsda2 or similar.

 

Once you have these files please zip those up too and upload all of the requested files here: http://noahdfear.net/max/upload.php

 

Please enter the link to this topic too, where requested - http://forums.pcpitstop.com/index.php?/topic/194548-blank-screen/

 

 

Once uploaded, (or if you have any problems with the above steps) please let me know.
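The same collection done from a terminal instead of the file manager, as an added example (this is not code from the thread, from xPUD or from the driver.sh script mentioned later). It assumes xPUD's /mnt/sdaN mount layout; sda3 as the Windows volume, sdb1 as the flash drive and the user name are only the values this thread uses and are passed in as parameters. Besides copying SYSTEM, SOFTWARE, NTUSER.DAT and every Boot/BCD it finds (suffixed with the device it came from, as asked above), it writes a SHA-256 manifest and re-checks the zip against it, so an empty or truncated archive is noticed before the upload. The directory tree in demo() is constructed sample data, not a real disk.

```python
import hashlib
import shutil
import tempfile
import zipfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Files requested in the post, relative to a Windows volume mounted by xPUD (/mnt/sdaN).
HIVES = ("Windows/System32/config/SYSTEM", "Windows/System32/config/SOFTWARE")


def find_ci(root: Path, rel: str) -> Optional[Path]:
    """Resolve rel under root ignoring case: the post writes the paths in lower
    case, but on the Linux side of a mounted NTFS volume 'windows' and 'Windows'
    are different names."""
    cur = root
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        match = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if match is None:
            return None
        cur = match
    return cur if cur.is_file() else None


def collect(mnt: Path, os_dev: str, user: str, devices: List[str], dest: Path) -> Dict[str, str]:
    """Copy SYSTEM, SOFTWARE, the user's NTUSER.DAT and every Boot/BCD found on
    `devices` into dest (the flash drive), zip them as hives.zip and return
    {name in zip: sha256} so the analyst can verify nothing was truncated."""
    dest.mkdir(parents=True, exist_ok=True)
    wanted: List[Tuple[str, Path]] = []
    for rel in HIVES:
        p = find_ci(mnt / os_dev, rel)
        if p is not None:
            wanted.append((p.name.upper(), p))
    p = find_ci(mnt / os_dev, f"Users/{user}/NTUSER.DAT")
    if p is not None:
        wanted.append(("ntuser.dat", p))
    for dev in devices:  # BCD copies get the device suffix the post asks for (bcdsda2 ...)
        p = find_ci(mnt / dev, "Boot/BCD")
        if p is not None:
            wanted.append((f"bcd{dev}", p))
    manifest: Dict[str, str] = {}
    with zipfile.ZipFile(dest / "hives.zip", "w", zipfile.ZIP_DEFLATED) as z:
        for name, src in wanted:
            copy = dest / name
            shutil.copy2(src, copy)
            manifest[name] = hashlib.sha256(copy.read_bytes()).hexdigest()
            z.write(copy, arcname=name)
    return manifest


def verify_zip(zip_path: Path, manifest: Dict[str, str]) -> bool:
    """Re-hash every member of the archive against the manifest; an empty or
    truncated archive fails this check."""
    with zipfile.ZipFile(zip_path) as z:
        names = set(z.namelist())
        if names != set(manifest):
            return False
        return all(hashlib.sha256(z.read(n)).hexdigest() == manifest[n] for n in names)


def demo() -> Dict[str, str]:
    """Run collect() over a constructed directory tree that mimics the xPUD
    mount layout (constructed sample data, not a real disk image)."""
    base = Path(tempfile.mkdtemp())
    mnt = base / "mnt"
    files = {
        "sda3/Windows/System32/config/SYSTEM": b"regf SYSTEM sample",
        "sda3/Windows/System32/config/SOFTWARE": b"regf SOFTWARE sample",
        "sda3/Users/Arianna/NTUSER.DAT": b"regf NTUSER sample",
        "sda2/Boot/BCD": b"regf BCD recovery sample",
        "sda3/Boot/BCD": b"regf BCD os sample",
    }
    for rel, data in files.items():
        (mnt / rel).parent.mkdir(parents=True, exist_ok=True)
        (mnt / rel).write_bytes(data)
    # sda5 has no Boot folder in the sample, so only two BCD copies come back
    manifest = collect(mnt, "sda3", "Arianna", ["sda2", "sda3", "sda5"], base / "sdb1")
    assert verify_zip(base / "sdb1" / "hives.zip", manifest)
    shutil.rmtree(base)
    return manifest
```

On the real machine the call would be `collect(Path("/mnt"), "sda3", "<username>", ["sda2", "sda3", "sda5"], Path("/mnt/sdb1"))`; post the returned hashes alongside the upload so the analyst can confirm the files arrived intact.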


Hello steve595

 

When you typed in both and xPUD began searching for the hives, did it declare that both SOFTWARE and SYSTEM were collected?

 

Did everything go okay up until that point?

 

 

I'm sorry, but I did not note that both SOFTWARE and SYSTEM were collected... :(

 

and it did appear that everything went fine to that point...


Hello steve595

 

Let's see if we can get the following to work:

 

From xPUD, please navigate to:

 

sda3/windows/system32/config and locate SYSTEM and SOFTWARE.

 

Please do the same for the ntuser.dat file from sda3/Users/{insert_username}

 

Once you have located each of the above, manually copy them to the flash drive (right click > Copy, then Paste into the flash drive), then zip them up.

 

 

Once I find these files, I am unable to determine how to paste them to the flash drive.

Sorry for not being more computer literate...


Hello steve595

 

Sorry for not being more computer literate...

There is no need to apologise, you are doing just fine :)

 

Once I find these files, I am unable to determine how to paste them to the flash drive.

Lets try it this way:

 

Your flash drive would normally correspond to sdb1.

 

Remember a few steps back, when you downloaded driver.sh on the clean machine and transferred it to the USB stick? When you plugged the USB into the infected machine you confirmed the presence of driver.sh on the USB drive by navigating to sdb1 (you did this by pressing File, Expand mnt... ). If driver.sh was indeed present in sdb1, then sdb1 corresponds to the USB drive.

 

While in xPUD, navigate to each of the required files, right click on them and select Copy. Once you have done that, navigate to sdb1 (you should be able to see that driver.sh is still there), right click and select Paste.

 

Do this for each of the files required.

 

Once completed, remove the USB stick from the infected machine and plug it into the clean machine. When you open the USB drive the copied files ought to be present.

 

If you can see the files on the drive, please zip and upload them using the link I provided earlier along with the link to your thread.

 

If you have any problems with the above just come back and let me know :)


Hello steve595

 

The upload went okay but the zipped file was empty.

 

Once the required files have been copied to the Flash drive and transferred to the clean machine, Right click on each one, select Send to ====> Compressed (zipped) folder. A zipped folder should appear that contains the compressed file.

 

Once each of the files has been zipped in this way try the upload again :)


Hello steve595

 

Once I hear word about the upload I will let you know. If the information was sent successfully it may take a bit of time to analyse. I'll get back to you as soon as I can.


Hello steve595

 

Once I hear word about the upload I will let you know. If the information was sent successfully it may take a bit of time to analyse. I'll get back to you as soon as I can.

 

 

Thanks


Hello steve595

 

Great job with the upload, you did it perfectly :tup:

 

There is another file that we would like to take a closer look at:

 

Please navigate through xPUD on the infected machine to the following file: mnt>sda3>Users>Arianna>ntuser.dat

 

Once located, Copy by right clicking as before, Paste it into the USB drive just as you did before, then use the clean machine to zip it and upload it along with the link to your thread.

 

Once our xPUD expert has taken a close look at it I'll get back to you :)

 

If you run into any problems with the above steps just let me know.


Thanks for letting me know steve

 

As soon as noahdfear (xPUD expert) has analysed the information I'll get back to you :)


Hi Steve,

 

I've looked over your registry hives, and the bcd, and frankly I don't see a problem with any of them. That said, I cannot get true results from your bcd - true results can only come from the machine on which the bcd lives. So, let's see if we can get an export from your bcd.

 

Plug in your flash drive and start the computer, pressing F8 to enable the Advanced Start menu

Select Repair your computer

If Startup Repair starts automatically, when it completes click the link View advanced options for system recovery and support to open the System Recovery Options menu

Select Command prompt

Type diskpart and press Enter

When the diskpart> command prompt appears type list volume and press Enter

Jot down the drive letters assigned and their corresponding label - I'll want that information in your reply.

Identify which drive letter is assigned to your flash drive (you should know by the size)

Type exit and press Enter to quit the diskpart tool

Now type the following command, replacing x with the drive letter that corresponds to your flash drive, then press Enter

 

bcdedit /enum all>x:\bcd.txt

 

*Please note that there is a space between bcdedit and /enum, and another between /enum and all

 

*If for some reason your flash drive does not show up in diskpart, use one of the drive letters shown there in place of x and we can retrieve the export in xPUD.

 

Close the command window and shut down the machine.

 

I would also like to get a dump of the hard drive's MBR (Master Boot Record). We'll use xPUD for that.

 

Download dumpit and save it to your flash drive

Boot into xPUD with the flash drive attached, click the File icon, then navigate to your flash drive (mnt>sdb1)

Double click dumpit to execute it.

When it completes press Enter to exit the Terminal window.

If you were unsuccessful exporting the bcd to the flash drive, click each mnt>sda folder to locate the bcd.txt file - when you find it, right click and select Cut then navigate back to the flash drive, right click and select Paste.

Shut down and remove the flash drive, then on your working computer attach the mbr.zip and bcd.txt files on the flash drive to a reply here.

Please remember to also post the drive letter and label information obtained in the Recovery Environment.
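What an analyst checks in the MBR dump this post asks for, as an added example (not code from the thread and not the dumpit script, whose output format is not shown here). The 512-byte sample below is constructed, not the user's real dump: its four partition entries are filled in from the partition table TestDisk reports later in this thread (255 heads, 63 sectors per track), and the 446 bytes of boot code are zeroed. parse_mbr() decodes the table; check_mbr() runs the consistency checks that catch a tampered or damaged record: signature present, exactly one active partition, no entry past the end of the disk, no overlapping entries.

```python
import struct

SECTOR_SIZE = 512
HEADS, SPT = 255, 63  # geometry TestDisk read from this disk's MBR (head=255 sector=63)


def chs_to_lba(cyl: int, head: int, sector: int) -> int:
    """Convert a CHS triple (sectors are 1-based) to an LBA for 255/63 geometry."""
    return (cyl * HEADS + head) * SPT + (sector - 1)


def pack_chs(cyl: int, head: int, sector: int) -> bytes:
    """3-byte on-disk CHS: head, sector | cylinder bits 8-9, cylinder bits 0-7.
    Cylinders past 1023 cannot be encoded and saturate, as on real disks."""
    if cyl > 1023:
        cyl, head, sector = 1023, 254, 63
    return bytes([head, ((cyl >> 8) << 6) | sector, cyl & 0xFF])


def pack_entry(boot: int, ptype: int, start, end, count: int) -> bytes:
    """One 16-byte partition table entry."""
    return (bytes([boot]) + pack_chs(*start) + bytes([ptype]) + pack_chs(*end)
            + struct.pack("<II", chs_to_lba(*start), count))


# Constructed sample MBR (not the user's dump): entries taken from the TestDisk
# log further down the thread, boot code zeroed.
_LAYOUT = [
    # boot, type, start CHS,        end CHS,          sectors
    (0x00, 0xDE, (0, 1, 1),        (4, 254, 63),     80262),      # Dell Utility
    (0x00, 0x07, (5, 25, 21),      (1279, 234, 43),  20480000),   # RECOVERY
    (0x80, 0x07, (1279, 234, 44),  (30074, 213, 3),  462590312),  # OS (active)
    (0x00, 0x0F, (30074, 239, 54), (30401, 42, 41),  5240832),    # extended LBA
]
SAMPLE_MBR = (bytes(446)
              + b"".join(pack_entry(*e) for e in _LAYOUT)
              + b"\x55\xaa")


def parse_mbr(mbr: bytes) -> dict:
    """Decode the partition table and signature of a 512-byte MBR."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        boot, h, s, c, ptype, _, _, _, lba, count = struct.unpack_from("<8BII", mbr, 446 + 16 * i)
        if ptype == 0:
            continue
        parts.append({
            "index": i + 1,
            "boot_flag": boot,
            "type": ptype,
            "start_chs": (((s >> 6) << 8) | c, h, s & 0x3F),
            "start_lba": lba,
            "end_lba": lba + count - 1,
            "sectors": count,
        })
    return {"signature_ok": mbr[510:512] == b"\x55\xaa", "partitions": parts}


def check_mbr(parsed: dict, disk_sectors: int) -> list:
    """Consistency checks an analyst runs on a dumped MBR; returns findings."""
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA signature")
    parts = parsed["partitions"]
    active = [p["index"] for p in parts if p["boot_flag"] == 0x80]
    for p in parts:
        if p["boot_flag"] not in (0x00, 0x80):
            findings.append(f"partition {p['index']}: invalid boot flag 0x{p['boot_flag']:02x}")
        if p["end_lba"] >= disk_sectors:
            findings.append(f"partition {p['index']}: extends past end of disk")
    if len(active) != 1:
        findings.append(f"expected exactly one active partition, found {len(active)}")
    ordered = sorted(parts, key=lambda p: p["start_lba"])
    for a, b in zip(ordered, ordered[1:]):
        if a["end_lba"] >= b["start_lba"]:
            findings.append(f"partitions {a['index']} and {b['index']} overlap")
    return findings
```

With a real dump the first 446 bytes matter too: hash them and compare against the loader you expect on that machine (the standard Windows MBR or the OEM's), since a bootkit replaces exactly that region while leaving the partition table and signature intact. The disk size to pass in is the sector count TestDisk prints for /dev/sda.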


Hello noahdfear,

 

Thank you for your assistance!

 

When I click on dumpit I do not receive a download, but rather a text page opens...

 

Is there something special I should be doing to get the download?


Click Add Reply then on the Replying to Blank Screen page click the Browse button located below the reply textbox.

Select your file and click Open.

Click Attach this file.

Finally, click Add Reply.


You will need to type something into the reply text box - I don't think the forum software will allow you to post a blank reply.


Please save xPUDtd to your flash drive.

Boot to xPUD with the flash drive attached, navigate to the flash drive then double click xPUDtd to run it.

 

  • At the first screen, leave [Create] selected and press Enter
  • The next screen will show your disk drives, generally the hard drive will be first, usb second. You should be able to verify by the size
  • Select the hard drive, select [Proceed] and press Enter
  • At the next screen select [intel] and press Enter
  • Now at the actions option screen, arrow down to [Advanced] and press Enter
  • Select [boot] and press Enter - you may have to arrow up/down to select a different partition to get the [boot] option to show.
  • Select [Dump] and press Enter
  • At this screen, use the page down button (or press Enter on the [Next] option repeatedly) to view the entire boot sector, which may be about 4 screens full and ends at approximately the 01F8 sector in the left column
  • Now press Q three times, which should return you to the actions option screen
  • Select [Analyse] and press Enter
  • Select [Quick Search] and press Enter
  • If prompted to search for partitions created under Vista type Y
  • The next screen will show the current partition structure. Press Enter to continue.
  • Now press Q repeatedly until TestDisk exits.

There will be a log created on the flash drive named testdisk.log

Either zip and upload that log, or open it (it should open with Notepad by default) and copy/paste its contents in a reply here.


Thu Apr 21 04:46:24 2011

Command line: TestDisk

 

TestDisk 6.12-WIP, Data Recovery Utility, October 2010

Christophe GRENIER <[email protected]>

http://www.cgsecurity.org

OS: Linux, kernel 2.6.31.2 (#5 SMP Mon Dec 7 11:56:35 UTC 2009) i686

Compiler: GCC 4.4 - Feb 7 2011 09:24:20

ext2fs lib: 1.41.9, ntfs lib: 10:0:0, reiserfs lib: 0.3.1-rc8, ewf lib: 20100226

/dev/sda: LBA, HPA, LBA48, DCO support

/dev/sda: size 488397168 sectors

/dev/sda: user_max 488397168 sectors

/dev/sda: native_max 488397168 sectors

/dev/sda: dco 488397168 sectors

Warning: can't get size for Disk /dev/mapper/control - 0 B - CHS 1 1 1, sector size=512

Hard disk list

Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63, sector size=512 - ATA ST9250320AS

Disk /dev/sdb - 1033 MB / 986 MiB - CHS 1017 32 62, sector size=512 - Flash Disk

 

Partition table type (auto): Intel

Disk /dev/sda - 250 GB / 232 GiB - ATA ST9250320AS

Partition table type: Intel

 

Interface Advanced

Geometry from i386 MBR: head=255 sector=63

check_part_i386 1 type DE: no test

NTFS at 5/25/21

NTFS at 1279/234/44

check_part_i386 5 type DD: no test

get_geometry_from_list_part_aux head=255 nbr=2

get_geometry_from_list_part_aux head=8 nbr=1

get_geometry_from_list_part_aux head=16 nbr=1

get_geometry_from_list_part_aux head=32 nbr=1

get_geometry_from_list_part_aux head=64 nbr=1

get_geometry_from_list_part_aux head=128 nbr=1

get_geometry_from_list_part_aux head=240 nbr=1

get_geometry_from_list_part_aux head=255 nbr=2

1 P Dell Utility 0 1 1 4 254 63 80262

2 P HPFS - NTFS 5 25 21 1279 234 43 20480000 [RECOVERY]

NTFS, 10485 MB / 10000 MiB

3 * HPFS - NTFS 1279 234 44 30074 213 3 462590312 [OS]

NTFS, 236 GB / 220 GiB

4 E extended LBA 30074 239 54 30401 42 41 5240832

5 L Sys=DD 30075 17 23 30401 42 41 5238784

 

ntfs_boot_sector

2 P HPFS - NTFS 5 25 21 1279 234 43 20480000 [RECOVERY]

NTFS, 10485 MB / 10000 MiB

NTFS at 5/25/21

NTFS at 5/25/21

filesystem size 20480000

sectors_per_cluster 8

mft_lcn 786432

mftmirr_lcn 16

clusters_per_mft_record -10

clusters_per_index_record 1

Boot sector

Status: OK

 

Backup boot sector

Status: OK

 

Sectors are identical.

 

A valid NTFS Boot sector must be present in order to access

any data; even if the partition is not bootable.

Boot sector Backup boot sector

0000 eb52904e 54465320 .R.NTFS eb52904e 54465320 .R.NTFS

0008 20202000 02080000 ..... 20202000 02080000 .....

0010 00000000 00f80000 ........ 00000000 00f80000 ........

0018 3f00ff00 00400100 ?....@.. 3f00ff00 00400100 ?....@..

0020 00000000 80008000 ........ 00000000 80008000 ........

0028 ff7f3801 00000000 ..8..... ff7f3801 00000000 ..8.....

0030 00000c00 00000000 ........ 00000c00 00000000 ........

0038 10000000 00000000 ........ 10000000 00000000 ........

0040 f6000000 01000000 ........ f6000000 01000000 ........

0048 b7eed8b6 21d9b6aa ....!... b7eed8b6 21d9b6aa ....!...

0050 00000000 fa33c08e .....3.. 00000000 fa33c08e .....3..

0058 d0bc007c fb68c007 ...|.h.. d0bc007c fb68c007 ...|.h..

0060 1f1e6866 00cb8816 ..hf.... 1f1e6866 00cb8816 ..hf....

0068 0e006681 3e03004e ..f.>..N 0e006681 3e03004e ..f.>..N

0070 54465375 15b441bb TFSu..A. 54465375 15b441bb TFSu..A.

0078 aa55cd13 720c81fb .U..r... aa55cd13 720c81fb .U..r...

0080 55aa7506 f7c10100 U.u..... 55aa7506 f7c10100 U.u.....

0088 7503e9d2 001e83ec u....... 7503e9d2 001e83ec u.......

0090 18681a00 b4488a16 .h...H.. 18681a00 b4488a16 .h...H..

0098 0e008bf4 161fcd13 ........ 0e008bf4 161fcd13 ........

00A0 9f83c418 9e581f72 .....X.r 9f83c418 9e581f72 .....X.r

00A8 e13b060b 0075dba3 .;...u.. e13b060b 0075dba3 .;...u..

00B0 0f00c12e 0f00041e ........ 0f00c12e 0f00041e ........

00B8 5a33dbb9 00202bc8 Z3... +. 5a33dbb9 00202bc8 Z3... +.

00C0 66ff0611 0003160f f....... 66ff0611 0003160f f.......

00C8 008ec2ff 061600e8 ........ 008ec2ff 061600e8 ........

00D0 40002bc8 77efb800 @.+.w... 40002bc8 77efb800 @.+.w...

00D8 bbcd1a66 23c0752d ...f#.u- bbcd1a66 23c0752d ...f#.u-

00E0 6681fb54 43504175 f..TCPAu 6681fb54 43504175 f..TCPAu

00E8 2481f902 01721e16 $....r.. 2481f902 01721e16 $....r..

00F0 6807bb16 68700e16 h...hp.. 6807bb16 68700e16 h...hp..

00F8 68090066 53665366 h..fSfSf 68090066 53665366 h..fSfSf

0100 55161616 68b80166 U...h..f 55161616 68b80166 U...h..f

0108 610e07cd 1ae96a01 a.....j. 610e07cd 1ae96a01 a.....j.

0110 90906660 1e0666a1 ..f`..f. 90906660 1e0666a1 ..f`..f.

0118 11006603 061c001e ..f..... 11006603 061c001e ..f.....

0120 66680000 00006650 fh....fP 66680000 00006650 fh....fP

0128 06536801 00681000 .Sh..h.. 06536801 00681000 .Sh..h..

0130 b4428a16 0e00161f .B...... b4428a16 0e00161f .B......

0138 8bf4cd13 66595b5a ....fY[Z 8bf4cd13 66595b5a ....fY[Z

0140 66596659 1f0f8216 fYfY.... 66596659 1f0f8216 fYfY....

0148 0066ff06 11000316 .f...... 0066ff06 11000316 .f......

0150 0f008ec2 ff0e1600 ........ 0f008ec2 ff0e1600 ........

0158 75bc071f 6661c3a0 u...fa.. 75bc071f 6661c3a0 u...fa..

0160 f801e808 00a0fb01 ........ f801e808 00a0fb01 ........

0168 e80200eb feb4018b ........ e80200eb feb4018b ........

0170 f0ac3c00 7409b40e ..<.t... f0ac3c00 7409b40e ..<.t...

0178 bb0700cd 10ebf2c3 ........ bb0700cd 10ebf2c3 ........

0180 0d0a4120 6469736b ..A disk 0d0a4120 6469736b ..A disk

0188 20726561 64206572 read er 20726561 64206572 read er

0190 726f7220 6f636375 ror occu 726f7220 6f636375 ror occu

0198 72726564 000d0a42 rred...B 72726564 000d0a42 rred...B

01A0 4f4f544d 47522069 OOTMGR i 4f4f544d 47522069 OOTMGR i

01A8 73206d69 7373696e s missin 73206d69 7373696e s missin

01B0 67000d0a 424f4f54 g...BOOT 67000d0a 424f4f54 g...BOOT

01B8 4d475220 69732063 MGR is c 4d475220 69732063 MGR is c

01C0 6f6d7072 65737365 ompresse 6f6d7072 65737365 ompresse

01C8 64000d0a 50726573 d...Pres 64000d0a 50726573 d...Pres

01D0 73204374 726c2b41 s Ctrl+A 73204374 726c2b41 s Ctrl+A

01D8 6c742b44 656c2074 lt+Del t 6c742b44 656c2074 lt+Del t

01E0 6f207265 73746172 o restar 6f207265 73746172 o restar

01E8 740d0a00 00000000 t....... 740d0a00 00000000 t.......

01F0 00000000 00000000 ........ 00000000 00000000 ........

01F8 809db2ca 000055aa ......U. 809db2ca 000055aa ......U.

 

ntfs_boot_sector

2 P HPFS - NTFS 5 25 21 1279 234 43 20480000 [RECOVERY]

NTFS, 10485 MB / 10000 MiB

NTFS at 5/25/21

NTFS at 5/25/21

filesystem size 20480000

sectors_per_cluster 8

mft_lcn 786432

mftmirr_lcn 16

clusters_per_mft_record -10

clusters_per_index_record 1

Boot sector

Status: OK

 

Backup boot sector

Status: OK

 

Sectors are identical.

 

A valid NTFS Boot sector must be present in order to access

any data; even if the partition is not bootable.

 

Analyse Disk /dev/sda - 250 GB / 232 GiB - CHS 30401 255 63

Geometry from i386 MBR: head=255 sector=63

check_part_i386 1 type DE: no test

NTFS at 5/25/21

NTFS at 1279/234/44

check_part_i386 5 type DD: no test

get_geometry_from_list_part_aux head=255 nbr=2

get_geometry_from_list_part_aux head=8 nbr=1

get_geometry_from_list_part_aux head=16 nbr=1

get_geometry_from_list_part_aux head=32 nbr=1

get_geometry_from_list_part_aux head=64 nbr=1

get_geometry_from_list_part_aux head=128 nbr=1

get_geometry_from_list_part_aux head=240 nbr=1

get_geometry_from_list_part_aux head=255 nbr=2

Current partition structure:

1 P Dell Utility 0 1 1 4 254 63 80262

2 P HPFS - NTFS 5 25 21 1279 234 43 20480000 [RECOVERY]

3 * HPFS - NTFS 1279 234 44 30074 213 3 462590312 [OS]

4 E extended LBA 30074 239 54 30401 42 41 5240832

5 L Sys=DD 30075 17 23 30401 42 41 5238784

Computes LBA from CHS for Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63

Allow partial last cylinder : Yes

search_vista_part: 1

 

search_part()

Disk /dev/sda - 250 GB / 232 GiB - CHS 30402 255 63

FAT16 at 0/1/1

FAT1 : 1-79

FAT2 : 80-158

start_rootdir : 159

Data : 191-80258

sectors : 80259

cluster_size : 4

no_of_cluster : 20017 (2 - 20018)

fat_length 79 calculated 79

 

FAT16 at 0/1/1

FAT16 >32M 0 1 1 4 254 60 80259 [DellUtility]

FAT16, 41 MB / 39 MiB

NTFS at 5/25/21

filesystem size 20480000

sectors_per_cluster 8

mft_lcn 786432

mftmirr_lcn 16

clusters_per_mft_record -10

clusters_per_index_record 1

HPFS - NTFS 5 25 21 1279 234 43 20480000 [RECOVERY]

NTFS, 10485 MB / 10000 MiB

NTFS at 1279/234/44

filesystem size 462590312

sectors_per_cluster 8

mft_lcn 786432

mftmirr_lcn 16

clusters_per_mft_record -10

clusters_per_index_record 1

HPFS - NTFS 1279 234 44 30074 213 3 462590312 [OS]

NTFS, 236 GB / 220 GiB

FAT32 at 30075/17/23

FAT1 : 6182-11282

FAT2 : 11283-16383

start_rootdir : 16384 root cluster : 2

Data : 16384-5238783

sectors : 5238784

cluster_size : 8

no_of_cluster : 652800 (2 - 652801)

fat_length 5101 calculated 5101

 

FAT32 at 30075/17/23

FAT32 LBA 30075 17 23 30401 42 41 5238784 [MEDIADIRECT]

FAT32, 2682 MB / 2558 MiB

get_geometry_from_list_part_aux head=255 nbr=2

get_geometry_from_list_part_aux head=8 nbr=1

get_geometry_from_list_part_aux head=16 nbr=1

get_geometry_from_list_part_aux head=32 nbr=1

get_geometry_from_list_part_aux head=64 nbr=1

get_geometry_from_list_part_aux head=128 nbr=1

get_geometry_from_list_part_aux head=240 nbr=1

get_geometry_from_list_part_aux head=255 nbr=2

 

Results

* FAT16 >32M 0 1 1 4 254 60 80259 [DellUtility]

FAT16, 41 MB / 39 MiB

P HPFS - NTFS 5 25 21 1279 234 43 20480000 [RECOVERY]

NTFS, 10485 MB / 10000 MiB

P HPFS - NTFS 1279 234 44 30074 213 3 462590312 [OS]

NTFS, 236 GB / 220 GiB

L FAT32 LBA 30075 17 23 30401 42 41 5238784 [MEDIADIRECT]

FAT32, 2682 MB / 2558 MiB

 

interface_write()

1 * FAT16 >32M 0 1 1 4 254 60 80259 [DellUtility]

2 P HPFS - NTFS 5 25 21 1279 234 43 20480000 [RECOVERY]

3 P HPFS - NTFS 1279 234 44 30074 213 3 462590312 [OS]

4 E extended LBA 30075 0 1 30401 254 63 5253255

5 L FAT32 LBA 30075 17 23 30401 42 41 5238784 [MEDIADIRECT]

simulate write!

 

write_mbr_i386: starting...

write_all_log_i386: starting...

write_all_log_i386: CHS: 30075/0/1,lba=483154875

 

TestDisk exited normally.

 

 

 

 

This is the drive letter and label information obtained in the Recovery Environment that I did not post in the last reply.

Ltr  Label
E
D    Recovery
C    OS
F
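The boot-sector dump in the log above decoded by hand, as an added example (not code from the thread or from TestDisk). The 80 bytes of the BIOS parameter block and the last 8 bytes are copied from the hex columns of the log; the bootstrap code in between is replaced with zeros here because only the BPB and the signature are checked, so this is not the whole sector as it sits on disk. The decoded fields are the ones TestDisk reports (sectors_per_cluster 8, mft_lcn 786432, mftmirr_lcn 16, clusters_per_mft_record -10), and check_ntfs_boot_sector() cross-checks them against the partition table entry for the RECOVERY volume: its hidden-sectors field must equal the partition's start LBA (CHS 5/25/21 is LBA 81920), and TestDisk's "filesystem size 20480000" is the BPB's total-sectors value plus one for the backup boot sector, which must fit in the 20480000-sector partition.

```python
import struct

# Bytes 0x00-0x4F (BPB) and 0x1F8-0x1FF (signature) copied from the TestDisk
# boot-sector dump in the log above; the bootstrap code at 0x50-0x1F7 is
# replaced with zeros because only the BPB and the signature are checked.
_BPB_HEX = (
    "eb52904e54465320"  # 0x00 jump + "NTFS    "
    "2020200002080000"  # 0x08 bytes/sector 512, sectors/cluster 8
    "0000000000f80000"  # 0x10 media descriptor 0xF8
    "3f00ff0000400100"  # 0x18 sectors/track 63, heads 255, hidden sectors
    "0000000080008000"  # 0x20
    "ff7f380100000000"  # 0x28 total sectors
    "00000c0000000000"  # 0x30 $MFT cluster
    "1000000000000000"  # 0x38 $MFTMirr cluster
    "f600000001000000"  # 0x40 clusters per MFT record / per index record
    "b7eed8b621d9b6aa"  # 0x48 volume serial
)
SAMPLE_BOOT_SECTOR = (bytes.fromhex(_BPB_HEX) + bytes(0x1F8 - 0x50)
                      + bytes.fromhex("809db2ca000055aa"))


def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS BIOS parameter block (the fields TestDisk prints)."""
    if len(sector) != 512:
        raise ValueError("expected one 512-byte sector")
    (_jmp, oem, bps, spc, _res, _z, _u1, media, _u2, spt, heads, hidden,
     _u3, _u4, total, mft, mftmirr, cpm, cpi, serial) = struct.unpack_from(
        "<3s8sHBH3sHBHHHIIIQQQb3xb3xQ", sector, 0)
    # A negative clusters-per-record value is a power-of-two exponent (-10 -> 1024 bytes)
    mft_record = 1 << -cpm if cpm < 0 else cpm * spc * bps
    index_record = 1 << -cpi if cpi < 0 else cpi * spc * bps
    return {
        "oem": oem, "bytes_per_sector": bps, "sectors_per_cluster": spc,
        "media": media, "sectors_per_track": spt, "heads": heads,
        "hidden_sectors": hidden, "total_sectors": total,
        "mft_lcn": mft, "mftmirr_lcn": mftmirr,
        "clusters_per_mft_record": cpm, "mft_record_size": mft_record,
        "clusters_per_index_record": cpi, "index_record_size": index_record,
        "serial": serial, "signature_ok": sector[510:512] == b"\x55\xaa",
    }


def check_ntfs_boot_sector(info: dict, partition_sectors: int, partition_start_lba: int) -> list:
    """Cross-check the BPB against the partition table entry it lives in."""
    findings = []
    if info["oem"] != b"NTFS    ":
        findings.append("OEM id is not 'NTFS    '")
    if not info["signature_ok"]:
        findings.append("missing 0x55AA signature")
    if info["bytes_per_sector"] not in (512, 1024, 2048, 4096):
        findings.append("implausible bytes per sector")
    spc = info["sectors_per_cluster"]
    if spc == 0 or spc & (spc - 1):
        findings.append("sectors per cluster is not a power of two")
    # TestDisk's 'filesystem size' is total_sectors + 1 (the backup boot sector)
    if info["total_sectors"] + 1 > partition_sectors:
        findings.append("filesystem larger than its partition")
    if info["hidden_sectors"] != partition_start_lba:
        findings.append("hidden sectors does not match partition start LBA")
    for name in ("mft_lcn", "mftmirr_lcn"):
        if info[name] * spc >= info["total_sectors"]:
            findings.append(f"{name} lies outside the volume")
    return findings
```

For the [OS] volume the same call would use 462590312 sectors and start LBA 20561920 from the partition table; the primary and backup sectors should decode identically, which is what TestDisk's "Sectors are identical" line states for the RECOVERY volume above.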


Hi Steve,

 

I have studied and re-studied everything you've submitted and I still do not see anything that could be blamed for the behavior of your computer. On the off chance that explorer.exe is corrupted, let's replace it with another copy on your drive.

Please download the attached replace.txt file and save it to your flash drive.

Make sure that the driver.sh script you downloaded previously is still on the flash drive as well.

Boot into xPUD and navigate to the flash drive (sdb1) then click Tool>Open Terminal.

Type the following command, then press Enter.

 

bash driver.sh -r

 

Close the Terminal window when the script completes and restart the computer, allowing it to start normally.

Let me know if there's any change.

 

Please post the contents of the report created on the flash drive named filerep.txt

replace.txt

Edited by noahdfear
