
All times are UTC - 8 hours [ DST ]




PostPosted: Tue Aug 02, 2016 2:09 pm

Joined: Tue Aug 02, 2016 1:55 pm
Posts: 2
After I installed the Windows 10 Anniversary Update I noticed it had uninstalled Classic Shell and had an even worse start menu than before. So I went to the site, checked if the latest version 4.3 supported the update and downloaded it.


When I installed it, it said it couldn't be trusted. I installed anyway but it did nothing. When I restarted my laptop it went straight to BIOS. Luckily I had a System Repair Disc close by and I could fix Windows.

But now I still don't have Classic Shell and I don't want to risk it until I'm sure it will work. I hope I get an answer soon, because I really hate how Windows is designing everything atm. It seems to get worse every update they do.


PostPosted: Tue Aug 02, 2016 2:36 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
Classic Shell should not break anything in the BIOS. None of its code runs so early in the boot process.

Download the Classic Shell Utility from here: http://www.classicshell.net/downloads/
Run it, select the option to manually uninstall. Since you've already uninstalled, you may have to enter the Classic Shell folder manually, like for example C:\Program Files\Classic Shell.
This should clear all traces from previous installs.

Then restart, and attempt to install 4.3.0 again.

Update: Also see the topic 'The Classic Shell software got hacked [Aug 2 2016]' and the section of the forum which has various solutions to fix computers affected by the hack.


PostPosted: Tue Aug 02, 2016 3:01 pm

Joined: Tue Aug 02, 2016 2:53 pm
Posts: 1
Same problem here. Classicshell.net site or files have been hacked ....

The message after the first reboot (after installing the hacked classicshell) :

AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MBR !
IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE!
DIRECT ALL HATE TO PEGGLECREW (@CULTOFRAZER ON TWITTER)
...

See here :
https://twitter.com/cultofrazer


PostPosted: Tue Aug 02, 2016 3:33 pm

Joined: Tue Aug 02, 2016 3:32 pm
Posts: 4
Same here. Used the Download link on the front page, which redirected to fosshub.

The file was compromised somehow, Ivo.


PostPosted: Tue Aug 02, 2016 3:41 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
FossHub is the actual mirror where the downloads are stored. It's legit.

If you have an actual installer that you suspect is not genuine, please, please, please, upload it to my mediafire drop folder here: http://www.mediafire.com/filedrop/filed ... ca5151aa1d

I've heard occasional reports of counterfeit files, but I've never seen one myself.


PostPosted: Tue Aug 02, 2016 4:15 pm

Joined: Tue Aug 02, 2016 3:32 pm
Posts: 4
Ivo, I uploaded what I *think* is the file I downloaded. Named it PossibleInfected.


PostPosted: Tue Aug 02, 2016 4:25 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
This is very suspicious. How did you get it? By clicking the Download button on the main page? And did it send you to FossHub?


PostPosted: Tue Aug 02, 2016 4:42 pm

Joined: Tue Aug 02, 2016 4:35 pm
Posts: 2
Found my way here confirming this, same message on a test machine in my lab as I was doing the 1607 RS1 update on a sacrificial laptop.

I downloaded using the main download button on the front page, was prompted by Windows Defender that the publisher was not trusted (whatever), agreed, and attempted to install. Installer seemed to open and close quickly, but I was blaming Microsoft for breaking it in RS1.

I went to appwiz.cpl to try to uninstall the existing version and I got a BSOD. On reboot, I got the message posted above.

Sorry for the potato quality attachments. I'll see if my filesystem isn't damaged, if not I will retrieve the file I just downloaded.


Attachments: IMG_20160802_192838939.jpg, IMG_20160802_192759789.jpg

PostPosted: Tue Aug 02, 2016 4:46 pm

Joined: Tue Aug 02, 2016 4:41 pm
Posts: 1
Your installer from Fosshub was hacked. Installer from MediaFire not affected. I went to the FossHub Install page and a download prompt came up. Upon downloading and trying to install, nothing happened. I then restarted and got this right after the bootscreen



Fun times


Last edited by NewUser5 on Tue Aug 02, 2016 5:30 pm, edited 1 time in total.

PostPosted: Tue Aug 02, 2016 4:53 pm

Joined: Tue Aug 02, 2016 4:40 pm
Posts: 8
I can confirm that the Classic Shell 4.3.0 download link (FOSSHUB) on the main page is infected.

If you download from http://www.classicshell.net/downloads/ ...The install is clean.

If you install the infected one, it will kill your Windows 10 installation. (Overwrite the Master Boot Record). My Lenovo ThinkPad Yoga cannot boot now. It's a blank screen with a blinking cursor. :o :(

Please kill the link on the main page and redirect everyone to http://www.classicshell.net/downloads/



Here are the details to check yourself.

ClassicShellSetup_4_3_0_clean.exe
MD5: e10881b65c27c6e09e5a33cd8bcd99c6
SHA1: a6b06d07fe3b1a7204b1b62c67fbf3c602385364
File size: 7220496 bytes

ClassicShellSetup_4_3_0_infected.exe
MD5: c67dff7c65792e6ea24aa748f34b9232
SHA1: 438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e
File size: 7148732 bytes


I have uploaded ClassicShellSetup_4_3_0_infected.exe to the mediafire filedrop as you have requested.


PostPosted: Tue Aug 02, 2016 5:05 pm

Joined: Tue Aug 02, 2016 4:35 pm
Posts: 2
I booted System Rescue CD but was unable to retrieve my download, looks like it took the partition table with it, and jacked it up enough that testdisk isn't putting it back together easily.

Looks like others have infected uploads for confirmation/comparison though.


PostPosted: Tue Aug 02, 2016 5:06 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
Thanks for the quick reporting, guys!
Appears that FossHub got hacked and the file got switched. I fixed the main Download button to point to the Mediafire mirror, which is intact.
I will shortly remove the files from FossHub completely, and contact their support to investigate the breach.

To be safe, always check the digital signature of EXEs you downloaded, before you run them. The official Classic Shell installer has a signature for "Ivaylo Beltchev", and the fake one doesn't even have a signature.
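
An added example, not part of the original posts and not Classic Shell's own code: a Python triage of a downloaded installer that combines the two checks given in this thread, the MD5/SHA-1/size values posted above and whether the EXE carries an embedded Authenticode signature at all. The function names and the constructed sample header are assumptions; a signature being present does not prove who signed it, so the signer name still has to be confirmed in Windows (file Properties > Digital Signatures, or PowerShell's Get-AuthenticodeSignature).

```python
import hashlib
import struct

# Values posted in this thread for ClassicShellSetup_4_3_0: (label, MD5, SHA-1, size).
THREAD_HASHES = [
    ("clean", "e10881b65c27c6e09e5a33cd8bcd99c6",
     "a6b06d07fe3b1a7204b1b62c67fbf3c602385364", 7220496),
    ("infected", "c67dff7c65792e6ea24aa748f34b9232",
     "438b6fa7d5a2c7ca49837f403bcbb73c14d46a3e", 7148732),
]


def fingerprint(data):
    """Return (md5, sha1, size) for the file contents."""
    return (hashlib.md5(data).hexdigest(),
            hashlib.sha1(data).hexdigest(), len(data))


def has_embedded_signature(data):
    """True if the PE header points at a certificate table inside the file.

    This only shows that an Authenticode blob is attached; it does not
    validate the signature or the signer's name.
    """
    try:
        if data[:2] != b"MZ":
            raise ValueError("not a PE file (no MZ header)")
        (pe_off,) = struct.unpack_from("<I", data, 0x3C)
        if data[pe_off:pe_off + 4] != b"PE\0\0":
            raise ValueError("not a PE file (no PE signature)")
        opt = pe_off + 24                      # optional header follows COFF header
        (magic,) = struct.unpack_from("<H", data, opt)
        if magic == 0x10B:                     # PE32
            count_off, dirs_off = opt + 92, opt + 96
        elif magic == 0x20B:                   # PE32+
            count_off, dirs_off = opt + 108, opt + 112
        else:
            raise ValueError("unknown optional header magic")
        (count,) = struct.unpack_from("<I", data, count_off)
        if count <= 4:                         # no slot for the security directory
            return False
        # Data directory 4 is the certificate table: (file offset, size).
        cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 4 * 8)
    except struct.error:
        raise ValueError("truncated PE header")
    return cert_off != 0 and cert_size != 0 and cert_off + cert_size <= len(data)


def triage(data, known=THREAD_HASHES):
    """Classify file contents; for a real file pass open(path, 'rb').read()."""
    fp = fingerprint(data)
    for label, md5, sha1, size in known:
        if fp == (md5, sha1, size):
            return "matches-" + label
    try:
        signed = has_embedded_signature(data)
    except ValueError:
        return "not-a-pe"
    # "signed-unverified": a blob is attached, the signer still has to be checked.
    return "signed-unverified" if signed else "unsigned"


def build_sample_pe(signed):
    """Constructed minimal PE32 header for the demo; not a real installer."""
    pe_off, opt_size = 0x80, 224
    hdr = bytearray(pe_off + 24 + opt_size)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<H", hdr, pe_off + 20, opt_size)   # SizeOfOptionalHeader
    opt = pe_off + 24
    struct.pack_into("<H", hdr, opt, 0x10B)              # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)            # NumberOfRvaAndSizes
    blob = b""
    if signed:
        blob = b"\0" * 64                                # stand-in certificate blob
        struct.pack_into("<II", hdr, opt + 96 + 4 * 8, len(hdr), len(blob))
    return bytes(hdr) + blob


if __name__ == "__main__":
    for name, sample in (("signed sample", build_sample_pe(True)),
                         ("unsigned sample", build_sample_pe(False))):
        print(name, fingerprint(sample)[1], triage(sample))
```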


PostPosted: Tue Aug 02, 2016 5:10 pm

Joined: Tue Aug 02, 2016 5:06 pm
Posts: 3
Registered just to say god damn it.
And I don't think I have a restore disk or anything of the sort.
Any ideas?
Posting from my phone right now.


PostPosted: Tue Aug 02, 2016 5:17 pm

Joined: Tue Aug 02, 2016 4:40 pm
Posts: 8
I just booted up my ThinkPad with a Win10 boot USB stick I created on another computer.

The infection deletes your partition! It's gone!


PostPosted: Tue Aug 02, 2016 5:23 pm

Joined: Tue Aug 02, 2016 5:21 pm
Posts: 2
Hey all, to those affected by the malware, I just fixed my partition table on my compromised drive using this software:

http://www.cgsecurity.org/wiki/TestDisk

Restored my partition table completely with no issues. Did a quick scan and then added the found partition back and wrote it to disk. You will definitely want to rewrite the hard drive's MBR code with the Windows MBR code though.

http://www.thewindowsclub.com/repair-ma ... br-windows


PostPosted: Tue Aug 02, 2016 5:32 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
I'm so sorry you got infected.

This appears to be a targeted attack by hackers. Must be some new virus, because most AV software doesn't detect it: https://www.virustotal.com/en/file/a848 ... 470182253/
Only AVG, AegisLabs and Kaspersky warn about that file, and even they don't know the specifics, but complain about a generic threat.

Unfortunately I don't know much about recovery from MBR corruption, and can't help you recover.
If somebody can provide detailed instructions on what to do, that would be most appreciated!


PostPosted: Tue Aug 02, 2016 5:35 pm

Joined: Tue Aug 02, 2016 5:28 pm
Posts: 2
Never ran into any problems listed in this thread. Seems like the compromised file only works on older non GPT/EFI systems. I uninstalled Classic Shell and did multiple virus scans and restarted it and everything was okay. Reinstalled with Ivo's mediafire link and restarted again and everything is still okay.


PostPosted: Tue Aug 02, 2016 5:37 pm

Joined: Tue Aug 02, 2016 4:40 pm
Posts: 8
Ghamster wrote:
Registered just to say god damn it.
And I don't think I have a restore disk or anything of the sort.
Any ideas?
Posting from my phone right now.


You have two options...


(1) You can try to fix your system as suggested by ayyyylmao (Repair your system's partition and Master Boot Record).

OR

(2) You do a fresh install.
ie: You presume whatever you had on your system is not to be trusted.


You'll need another computer to download Windows 10 ISO (DVD image file) and Rufus (bootable USB creator).

Rufus can be found here.
=> https://rufus.akeo.ie/

Official Windows 10 ISO can be found here.
=> https://www.microsoft.com/en-au/softwar ... ndows10ISO


You decide what is best for you.


PostPosted: Tue Aug 02, 2016 5:41 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
@ayyyylmao - thanks for the tips. Looks like the instructions on http://www.thewindowsclub.com may be very helpful to recover.

@AnotherNewUser - the hack was quite recent. Hopefully not many people got affected. Certainly if you used the built-in Classic Shell updater you would get a clean copy. Not only does it download from another location (that wasn't compromised), but it also validates the signature of the download before letting you run it.


PostPosted: Tue Aug 02, 2016 5:48 pm

Joined: Tue Aug 02, 2016 4:40 pm
Posts: 8
AnotherNewUser wrote:
Never ran into any problems listed in this thread. Seems like the compromised file only works on older non GPT/EFI systems.


Correct. I just tested the infected file on a sacrificial system with both "UEFI" and "Legacy boot" options in the BIOS. Presuming most new systems use EFI, infection would be rather limited as a whole.


PostPosted: Tue Aug 02, 2016 5:52 pm

Joined: Tue Aug 02, 2016 3:32 pm
Posts: 4
I am set up to boot with UEFI and still had my MBR borked. However, I did not receive the message that the other folks received. I simply had a blinking cursor on a black screen.


PostPosted: Tue Aug 02, 2016 5:54 pm

Joined: Tue Aug 02, 2016 5:28 pm
Posts: 2
aussiebear wrote:
Correct. I just tested the infected file on a sacrificial system with both "UEFI" and "Legacy boot" options in the BIOS. Presuming most new systems use EFI, infection would be rather limited as a whole.


I'm going to flatten and reinstall tonight anyway.


PostPosted: Tue Aug 02, 2016 5:57 pm

Joined: Tue Aug 02, 2016 4:40 pm
Posts: 8
cr00kedview wrote:
I am set up to boot with UEFI and still had my MBR borked. However, I did not receive the message that the other folks received. I simply had a blinking cursor on a black screen.


Had that exact problem on my ThinkPad. Your Master Boot Record and Partition has been messed with by the infection. You can try to repair it, as suggested by ayyyylmao. OR blow the install away with a fresh installation.


PostPosted: Tue Aug 02, 2016 6:01 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
Ugh. This is terrible!

For every person like you guys, that know your way around a PC, and care enough to register for the forum and post here, who knows how many people there are out there that will be completely helpless!
F@#$@#in hackers


PostPosted: Tue Aug 02, 2016 6:02 pm

Joined: Tue Aug 02, 2016 5:06 pm
Posts: 3
cr00kedview wrote:
I am set up to boot with UEFI and still had my MBR borked. However, I did not receive the message that the other folks received. I simply had a blinking cursor on a black screen.


Same here. No message, just a spade symbol and a blinking cursor.

Managed to resurrect my laptop and burned ubcd which has that testdisk program that was mentioned. Here's hoping that all goes well.


PostPosted: Tue Aug 02, 2016 6:06 pm

Joined: Tue Aug 02, 2016 4:40 pm
Posts: 8
fcpub wrote:
Same problem here. Classicshell.net site or files have been hacked ....

The message after the first reboot (after installing the hacked classicshell) :

AS YOU REBOOT, YOU FIND THAT SOMETHING HAS OVERWRITTEN YOUR MNR !
IT IS A SAD THING YOUR ADVENTURES HAVE ENDED HERE!
DIRECT ALL HATE TO PEGGLECREW (@CULTOFRAZER ON TWITTER)
...

See here :
https://twitter.com/cultofrazer


...They are reading this thread.


PostPosted: Tue Aug 02, 2016 6:31 pm

Joined: Tue Aug 02, 2016 6:20 pm
Posts: 2
Just registered to the forum to let you know I was hit by a malware installer as well. I downloaded a compromised classic shell installer from the classic shell main page about 2 hours ago after I installed the anniversary update of Windows 10. As far as I remember, it was from fosshub. My system went down and left a seemingly empty hard disk. No message was displayed, it just booted into the bios and no boot device was available.

Fortunately, no damage was done, because I made a system image backup right before the Windows update, so I just restored the system drive and my machine was up again. I revisited the classic shell download page and redownloaded the installer, it was different from the bogus installer and signed as well, which was not the case with the bogus installer.
The problem with signed installers is: many software developers don't sign, so you install even if Windows warns you. Even if someone signs and then stops signing, it may be that he forgot about it. But you want to install NOW, so you skip the warning.

What a waste of time. Simply a waste of time.


PostPosted: Tue Aug 02, 2016 6:36 pm

Joined: Tue Aug 02, 2016 3:32 pm
Posts: 4
Ivo, I'm not angry with you at all. It was out of your control. I appreciate Classic Shell, and your commitment to updating the application. It's just unfortunate that this happened.


PostPosted: Tue Aug 02, 2016 8:29 pm

Joined: Tue Aug 02, 2016 8:21 pm
Posts: 21
I got hacked, too. I don't blame you, Ivo. I love Classic Shell. This is just incredibly terrible, and I'm mildly freaking out right now.

I'm reading through this thread, and unfortunately for me, much of what is being said goes over my head. I'm moderately tech savvy, but I'm an amateur when it comes to partitioning, image backups, etc.

As of now, I get the Dell logo and then I get this black screen with a spade and blinking cursor when I start my computer.

I did not get the "Adventures have ended here" message though, oddly enough. I also cannot boot into safe mode.

I'm really hoping (pleading) that someone here would be kind enough to explain to me a simple, easy-to-follow guide for how to get things back to normal on my computer. I downloaded TestDisk on a different computer as suggested by ayyyylmao, but I don't even know how I would get it to run on my infected PC when I can't even get to the welcome screen, nor can I even boot in safe mode.

Please. Can someone please help me? I would be forever grateful.


Last edited by SquaredCircle84 on Tue Aug 02, 2016 8:47 pm, edited 1 time in total.

PostPosted: Tue Aug 02, 2016 8:32 pm

Joined: Tue Aug 02, 2016 8:29 pm
Posts: 2
I tried to install ClassicShell earlier today but it didn't work, so I assume I've been compromised. I haven't restarted my computer yet. Is there any way I can fix this without just backing everything up and wiping?


PostPosted: Tue Aug 02, 2016 8:57 pm

Joined: Tue Aug 02, 2016 5:21 pm
Posts: 2
SquaredCircle84 wrote:
I got hacked, too. I don't blame you, Ivo. I love Classic Shell. This is just incredibly terrible, and I'm mildly freaking out right now.

I'm reading through this thread, and unfortunately for me, much of what is being said goes over my head. I'm moderately tech savvy, but I'm an amateur when it comes to partitioning, image backups, etc.

As of now, I get the Dell logo and then I get this black screen with a spade and blinking cursor when I start my computer.

I did not get the "Adventures have ended here" message though, oddly enough. I also cannot boot into safe mode.

I'm really hoping (pleading) that someone here would be kind enough to explain to me a simple, easy-to-follow guide for how to get things back to normal on my computer. I downloaded TestDisk on a different computer as suggested by ayyyylmao, but I don't even know how I would get it to run on my infected PC when I can't even get to the welcome screen, nor can I even boot in safe mode.

Please. Can someone please help me? I would be forever grateful.


You need to run TestDisk from one of these LiveCD distributions: http://www.cgsecurity.org/wiki/TestDisk_Livecd

Either run it from a CD/DVD or a USB Flash Drive.


PostPosted: Tue Aug 02, 2016 9:05 pm

Joined: Tue Aug 02, 2016 8:21 pm
Posts: 21
Quote:
You need to run TestDisk from one of these LiveCD distributions: http://www.cgsecurity.org/wiki/TestDisk_Livecd

Either run it from a CD/DVD or a USB Flash Drive.


Thank you SO much for the response. The page you linked me to...is there a particular link you recommend I follow if I have never done anything remotely like this before, and I have no idea what I'm doing? I clicked on BootMed Plus first. Should I just go ahead and pay the $9.99 for that, download it to a USB drive, and follow the tutorials there?

EDIT: Panic mode.


Last edited by SquaredCircle84 on Tue Aug 02, 2016 11:06 pm, edited 1 time in total.

PostPosted: Tue Aug 02, 2016 9:12 pm

Joined: Tue Aug 02, 2016 5:06 pm
Posts: 3
Alright, I'm back on my desktop.

My steps, more or less. Not incredibly detailed but it may help someone.
1. Grabbed the testdisk as linked in one of the above posts. Specifically, I got the ubcd live cd, which has it.
2. Ran testdisk, selected the boot drive, quick analyse, and then wrote the partitions it found.
That resulted in this kind of screen on next boot.

In my case simply running fixmbr, fixboot or any other common boot fixes didn't work. I looked at the restored partitions with diskpart, and saw that the gpt partition types were all wrong.
3. So in diskpart I set correct types for gpt partitions. In diskpart you can type 'set help' to see correct types for basic data and efi system, the id for recovery partition I grabbed from wikipedia.
4. After that I did this, How to repair UEFI bootloader. The page is for Win8, but it's the same on Win10 as well.


Hope that helps someone.


PostPosted: Tue Aug 02, 2016 9:16 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
SquaredCircle84 wrote:
Thank you SO much for the response. The page you linked me to...is there a particular link you recommend I follow if I have never done anything remotely like this before, and I have no idea what I'm doing? I clicked on BootMed Plus first. Should I just go ahead and pay the $9.99 for that, download it to a USB drive, and follow the tutorials there?

Do you have a Windows 10 install DVD?


PostPosted: Tue Aug 02, 2016 9:23 pm

Joined: Tue Aug 02, 2016 8:21 pm
Posts: 21
Ivo wrote:
SquaredCircle84 wrote:
Thank you SO much for the response. The page you linked me to...is there a particular link you recommend I follow if I have never done anything remotely like this before, and I have no idea what I'm doing? I clicked on BootMed Plus first. Should I just go ahead and pay the $9.99 for that, download it to a USB drive, and follow the tutorials there?

Do you have a Windows 10 install DVD?


Unfortunately I do not. I was running Windows 7 and got the free upgrade to 10. I think I might have the 7 CD around here somewhere though.


PostPosted: Tue Aug 02, 2016 9:27 pm

Joined: Sun Feb 15, 2015 4:19 pm
Posts: 6
SquaredCircle84 wrote:
Quote:
You need to run TestDisk from one of these LiveCD distributions: http://www.cgsecurity.org/wiki/TestDisk_Livecd

Either run it from a CD/DVD or a USB Flash Drive.


Thank you SO much for the response. The page you linked me to...is there a particular link you recommend I follow if I have never done anything remotely like this before, and I have no idea what I'm doing? I clicked on BootMed Plus first. Should I just go ahead and pay the $9.99 for that, download it to a USB drive, and follow the tutorials there?


TestDisk is completely free. You must have clicked on an ad to a third-party site.


PostPosted: Tue Aug 02, 2016 9:29 pm

Joined: Tue Aug 02, 2016 8:21 pm
Posts: 21
Ghamster wrote:
Alright, I'm back on my desktop.

My steps, more or less. Not incredibly detailed but it may help someone.
1. Grabbed the testdisk as linked in one of the above posts. Specifically, I got the ubcd live cd, which has it.
2. Ran testdisk, selected the boot drive, quick analyse, and then wrote the partitions it found.
That resulted in this kind of screen on next boot.

In my case simply running fixmbr, fixboot or any other common boot fixes didn't work. I looked at the restored partitions with diskpart, and saw that the gpt partition types were all wrong.
3. So in diskpart I set correct types for gpt partitions. In diskpart you can type 'set help' to see correct types for basic data and efi system, the id for recovery partition I grabbed from wikipedia.
4. After that I did this, How to repair UEFI bootloader. The page is for Win8, but it's the same on Win10 as well.


Hope that helps someone.


Thank you for posting this! I'm glad you were able to get back up and running.

I hate to be a bother, but would you be able to provide a little more information?
  1. UBCD I assume means you downloaded Ultimate Boot CD, right?
  2. I can just put this on a flash drive and then boot to that through the BIOS, right?
  3. Diskpart is something I'll find on the Ultimate Boot CD?
  4. How did you set the correct types for GPT partitions? Honestly, I don't even know what that means.
  5. EFI system?
I'm nervous to try this, but in reality I have nothing to lose. I don't want to do anything yet though until I know more. Again, thanks for taking the time to do this!


PostPosted: Tue Aug 02, 2016 9:32 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
Win 7 disc may also work. You need to boot into recovery mode, then get to the command prompt, and then run these commands:
bootrec /fixmbr
bootrec /fixboot
exit

This worked for me with a Windows 10 disc, and I'm sure will work for Win 7.


PostPosted: Tue Aug 02, 2016 9:33 pm

Joined: Sun Feb 15, 2015 4:19 pm
Posts: 6
@Ivo Put up a disclaimer on the top of the forum and main website about it. Even better, write a full "press release". Tomorrow people will be talking about it like it was your fault, and not Fosshub's (assuming your password there wasn't letmein >.>).


PostPosted: Tue Aug 02, 2016 9:35 pm

Joined: Tue Aug 02, 2016 9:28 pm
Posts: 3
I got hit with it too. It showed up as a blinking cursor with a spade in the lower left corner.
I "updated" Classic Shell on a server running Server 2012 R2, installed some Windows updates, rebooted, no go.
I "updated" on one of my personal computers. Same thing. I knew it wasn't drive failure at this point. Classic Shell was the last thing I had installed a couple hours earlier before I ended up rebooting.

How I fixed it: Applies to NT version 6 only! (Windows 7, 8, 8.1, Server 2008, 2012, 2012 R2. NOT 10)

I had Linux Mint 18 on a flash drive from a previous installation (lucked out).
Booted up Mint USB.
Open the Menu>Administration>GParted and see if your hard drive shows any partitions. You may luck out that your partition table wasn't cooked and only have to skip down and rewrite MBR. If it shows your drive as unallocated, continue with instructions.
Open terminal
run "sudo apt-get install testdisk" without quotes in terminal to install testdisk
(AT YOUR OWN RISK)
run "sudo testdisk"
analyse disk, made sure it found all of the correct partitions, wrote the partition table.
reboot and removed Mint USB.
booted from Windows installation USB/DVD corresponding to the version of Windows that is installed on the computer (for me, Server 2012 R2 and Windows 7)
When it gets to the start installation screen, push Shift + F10 to open command prompt

(AT YOUR OWN RISK)
bootsect /nt60 SYS /force /mbr
bootrec /fixmbr
bootrec /fixboot
bootrec /rebuildbcd (wait for it to find your installation and type y for yes)
exit (to close cmd)
reboot
Let it log into Windows.
May be good idea to remove any Classic Shell installations, download a clean copy provided by Ivo, and reinstall it.
Also probably good idea to run scan with something like malwarebytes to make sure you're clean.

sorry for the poorly written post. I was pulling my hair out for an hour until I found that someone else had the same problem. Hopefully I help someone. :)
♠_


edit:
added instruction to check to make sure partition table truly is destroyed before attempting to overwrite it. You don't want to risk losing data that isn't "gone."
thanks for danooct1 shoutout
danooct1 also made the comment in his video that the file size differs between the legit one and the fake one. The real one is around 6.88 MB and the fake one is about 6.81 MB. The fake one also doesn't have a signature which may trigger Windows Smartscreen.


Last edited by CaffeinePizza on Tue Aug 02, 2016 11:59 pm, edited 4 times in total.
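
An added example, not part of the original posts: the check described in this thread (is the partition table really gone, or is only the boot code damaged, and is the disk MBR or GPT?) done read-only in Python on a dump of the disk's first 512-byte sector. The function names, verdict strings and sample sectors are constructed for illustration and are not taken from any infected machine.

```python
import struct

SECTOR = 512
TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIG = b"\x55\xaa"      # bytes 510..511 of a valid MBR
TYPE_NAMES = {0x07: "NTFS/exFAT", 0x0B: "FAT32", 0x0C: "FAT32 (LBA)",
              0x27: "Windows recovery", 0x83: "Linux",
              0xEE: "GPT protective", 0xEF: "EFI system"}


def parse_mbr(sector0):
    """Decode the four 16-byte partition slots and the boot signature."""
    if len(sector0) < SECTOR:
        raise ValueError("need the full 512-byte first sector")
    entries = []
    for slot in range(4):
        off = TABLE_OFFSET + 16 * slot
        status, ptype = sector0[off], sector0[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector0, off + 8)
        if ptype == 0 and sectors == 0:
            continue                      # unused slot
        entries.append({"slot": slot, "status": status,
                        "bootable": status == 0x80, "type": ptype,
                        "type_name": TYPE_NAMES.get(ptype, "unknown"),
                        "lba_start": lba_start, "sectors": sectors})
    return {"signature_ok": sector0[510:512] == BOOT_SIG, "entries": entries}


def assess(sector0):
    """Return a verdict that tells which repair path applies."""
    info = parse_mbr(sector0)
    entries = info["entries"]
    if not entries:
        return "table-empty"        # scan for lost partitions before any rewrite
    if any(e["status"] not in (0x00, 0x80) or e["lba_start"] == 0
           or e["sectors"] == 0 for e in entries):
        return "table-damaged"      # slots hold implausible values
    if not info["signature_ok"]:
        return "signature-missing"  # table looks sane, 0x55AA marker is gone
    if any(e["type"] == 0xEE for e in entries):
        return "gpt-protective"     # GPT disk: real partition list is in the GPT
    return "mbr-partitions"         # table readable; only boot code is in question


def make_sector(entries, boot_code=b"", signature=True):
    """Constructed sample sector; entries are (status, type, lba_start, sectors)."""
    buf = bytearray(SECTOR)
    code = boot_code[:TABLE_OFFSET]
    buf[:len(code)] = code
    for slot, (status, ptype, lba, count) in enumerate(entries):
        off = TABLE_OFFSET + 16 * slot
        buf[off], buf[off + 4] = status, ptype
        struct.pack_into("<II", buf, off + 8, lba, count)
    if signature:
        buf[510:512] = BOOT_SIG
    return bytes(buf)


# Constructed samples covering the three situations reported in the thread.
SAMPLES = {
    "intact MBR disk": make_sector([(0x80, 0x07, 2048, 1024000),
                                    (0x00, 0x07, 1026048, 975745024)]),
    "GPT disk": make_sector([(0x00, 0xEE, 1, 0xFFFFFFFF)]),
    "wiped table": make_sector([], boot_code=b"\xeb\xfe"),
}

if __name__ == "__main__":
    for name, sector in SAMPLES.items():
        print(f"{name}: {assess(sector)}")
        for e in parse_mbr(sector)["entries"]:
            print(f"  slot {e['slot']}: {e['type_name']} "
                  f"start={e['lba_start']} sectors={e['sectors']}")
```

From a live Linux session the first sector can be copied without writing to the disk using `dd if=/dev/sdX of=sector0.bin bs=512 count=1` (`/dev/sdX` is a placeholder for the affected drive), and the file contents passed to `assess()`.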

PostPosted: Tue Aug 02, 2016 9:50 pm

Joined: Tue Aug 02, 2016 8:21 pm
Posts: 21
Ivo wrote:
Win 7 disc may also work. You need to boot into recovery mode, then get to the command prompt, and then run these commands:
bootrec /fixmbr
bootrec /fixboot
exit

This worked for me with a Windows 10 disc, and I'm sure will work for Win 7.


Pardon my most-likely incredibly obvious question, but if I were to do this, I'd end up with Windows 7 instead of 10 though, right?


Last edited by SquaredCircle84 on Tue Aug 02, 2016 9:53 pm, edited 1 time in total.

PostPosted: Tue Aug 02, 2016 9:52 pm
Site Admin

Joined: Wed Jan 02, 2013 11:38 pm
Posts: 5331
OK, I was mistaken. Testing with Windows 7 CD did not work in practice. I'm running more tests.


PostPosted: Tue Aug 02, 2016 9:54 pm

Joined: Tue Aug 02, 2016 8:21 pm
Posts: 21
Ivo wrote:
OK, I was mistaken. Testing with Windows 7 CD did not work in practice. I'm running more tests.


Anxiously sitting and waiting. Thank you for being so attentive to this.


PostPosted: Tue Aug 02, 2016 10:02 pm

Joined: Thu Jun 13, 2013 12:07 pm
Posts: 1014
Only finding out about this now.

If it has not been done already,
can a general statement notice be sent to all users' emails and on Facebook?

Along with the best fix if bad one got installed?


PostPosted: Tue Aug 02, 2016 10:12 pm

Joined: Tue Aug 02, 2016 8:21 pm
Posts: 21
I downloaded the UBCD iso file from here, copied it onto a flash drive (the only file there), plugged it in to my infected PC, changed the BIOS to boot from the flash drive first, but I'm still getting the spade and the blinking cursor. What am I doing wrong here?

EDIT: I also tried extracting all of the files to my flash drive using 7Zip. Same result.


PostPosted: Tue Aug 02, 2016 11:02 pm

Joined: Tue Aug 02, 2016 8:29 pm
Posts: 2
It seems to have messed up the partition table of my HDD where it was downloaded to rather than my actual boot SSD. I need to repair the partition table somehow.


PostPosted: Tue Aug 02, 2016 11:25 pm

Joined: Sun Feb 15, 2015 4:19 pm
Posts: 6
SquaredCircle84 wrote:
I downloaded the UBCD iso file from here, copied it onto a flash drive (the only file there), plugged it in to my infected PC, changed the BIOS to boot from the flash drive first, but I'm still getting the spade and the blinking cursor. What am I doing wrong here?

EDIT: I also tried extracting all of the files to my flash drive using 7Zip. Same result.

Friend, you aren't supposed to just copy the ISO file like that or extract its contents. You gotta "burn" it into the USB dongle (ISO is like a copy of a CD for you to burn it and use it as an original CD).


You can use a program like ROSA Image Writer to burn it to a USB drive, and then format the drive after you are done fixing it all. ROSA Image Writer is free and safe.


PostPosted: Wed Aug 03, 2016 1:01 am

Joined: Wed Aug 03, 2016 12:59 am
Posts: 1
If using ninite.com to install Classic Shell, does it download from FossHub or from classicshell.net ?


PostPosted: Wed Aug 03, 2016 1:31 am

Joined: Sun Jan 06, 2013 1:44 pm
Posts: 1939
The installer isn't hosted on classicshell.net, only FossHub and MediaFire.
ninite.com WILL currently try to download the infected FossHub version; however, it won't install it, because it's smart enough to check for a digital signature. This means that if it successfully installed, it was before they hacked/replaced the file. If it failed, it downloaded but did not run the infected file. (I can confirm because I JUST tried.) So you should be safe.


PostPosted: Wed Aug 03, 2016 2:04 am

Joined: Tue Aug 02, 2016 1:55 pm
Posts: 2
That will teach me never to update things just before I go to sleep, I should have checked it better. Thanks for the correct version it's working brilliantly.

