TechSpot

[A] System check/delayed write failed?

By PSYOPSChaos
Jan 29, 2012
  1. I have this system check popping up and over 20 delayed write failed (failed to save all the components for the file \\system32\\000024f6. The file is corrupted or unreadable. This error may be caused by a PC hardware problem) and a couple of pop-ups saying critical error (hard drive critical error) and one about my RAM. The PC is useless, thus I am posting using my Motorola Photon. Please help, is this fixable or do I need a new laptop?
    Thanks :)
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please observe the following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer's behavior, good or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in the malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ============================================================

    Same problems in safe mode?
     
  3. PSYOPSChaos

    PSYOPSChaos TS Rookie Topic Starter

    Safe mode is booted but when I click my start button there is nothing there.
     
  4. Broni

    Let's see if we can look at your computer by booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded, double-click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note: If you do not know how to set your computer to boot from CD, follow the steps HERE
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked "Do you wish to load the remote registry", select Yes
    • When asked "Do you wish to load remote user profile(s) for scanning", select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have an internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  5. PSYOPSChaos

    I have the internet working while in safe mode. Do you still want me to download the file? Would a USB stick work instead of a CD?
     
  6. PSYOPSChaos

    Ok, obviously I am retarded and should just follow your instructions exactly. I do not have any blank CDs right now, but I will get some after work tomorrow morning. Thank you for your help and I will update tomorrow.
     
  7. Broni

    If you can work from safe mode with networking....

    Please complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If some log exceeds the 50,000 characters post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
  8. PSYOPSChaos

    Downloaded Avast, tried to run it and I get this: "the application has failed to start because its side-by-side configuration is incorrect". I am running Windows Vista Home Premium in safe mode with networking.
     
  9. Broni

    Skip installing Avast.
     
  10. PSYOPSChaos

    Malwarebytes Anti-Malware (Trial) 1.60.0.1800
    www.malwarebytes.org

    Database version: v2012.01.29.04

    Windows Vista Service Pack 2 x86 NTFS (Safe Mode/Networking)
    Internet Explorer 9.0.8112.16421
    Bill :: BILL-PC [administrator]

    Protection: Disabled

    1/29/2012 10:19:59 PM
    mbam-log-2012-01-29 (22-19-59).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 161221
    Time elapsed: 4 minute(s), 38 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 2
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|jLyiTUCQBK.exe (Trojan.FakeAlert) -> Data: C:\ProgramData\jLyiTUCQBK.exe -> Quarantined and deleted successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|Internet Security 2012 (Trojan.FakeAlert) -> Data: C:\ProgramData\isecurity.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 4
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 6
    C:\ProgramData\jLyiTUCQBK.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\ProgramData\isecurity.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\ProgramData\ZBa9weL2JYAlHG.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Bill\AppData\Local\Temp\4CDB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Bill\AppData\Local\Temp\EE92.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
    C:\Users\Bill\AppData\Local\Temp\Low\VesfaRqis0Yhm0.exe.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)
     
  11. PSYOPSChaos

    GMER found no modifications
     
  12. Broni

    Go on..........
     
  13. PSYOPSChaos

    DDS has frozen my computer.
     
  14. Broni

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start the scan.
    On completion of the scan click "Save log", save it to your desktop and post it in your next reply.

    NOTE: aswMBR will create an MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ===============================================================

    Download Bootkit Remover to your Desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  15. PSYOPSChaos

    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows Vista Home Premium Edition Service Pack 2 (build 6
    002), 32-bit

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`5dd00000

    Size Device Name MBR Status
    --------------------------------------------
    149 GB \\.\PhysicalDrive0 Controlled by rootkit!

    Boot code on some of your physical disks is hidden by a rootkit.
    To disinfect the master boot sector, use the following command:
    remover.exe fix <device_name>
    To inspect the boot code manually, dump the master boot sector:
    remover.exe dump <device_name> [output_file]


    Done;
    Press any key to quit...
     
  16. PSYOPSChaos

    aswMBR will not run for some reason
     
  17. Broni

    Please download and run ListParts by Farbar (for 32-bit system)

    Please download and run ListParts64 by Farbar (for 64-bit system)

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  18. PSYOPSChaos

    ListParts by Farbar
    Ran by Bill on 30-01-2012 at 13:42:41
    Windows Vista (X86)
    Running From: C:\Users\Bill\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2ATOZJKW
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 29%
    Total physical RAM: 1917.32 MB
    Available physical RAM: 1360.01 MB
    Total Pagefile: 4075.92 MB
    Available Pagefile: 3648.18 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1979.56 MB

    ======================= Partitions =========================

    1 Drive c: (SQ004513V03) (Fixed) (Total:147.58 GB) (Free:104.19 GB) NTFS ==>[System with boot components (obtained from reading drive)]

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 149 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 OEM 1500 MB 1024 KB
    Partition 2 Primary 148 GB 1501 MB
    Partition 3 Primary 848 KB 149 GB

    Disk: 0
    Partition 1
    Type : 27
    Hidden: Yes
    Active: No

    There is no volume associated with this partition.

    Disk: 0
    Partition 2
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C SQ004513V03 NTFS Partition 148 GB Healthy System (partition with boot components)

    Disk: 0
    Partition 3
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.



    ****** End Of Log ******
     
  19. Broni

    We have the newest TDL rootkit there.

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot the bad computer from the CD
    • Press Tool at the top
    • Choose Open Terminal
    • Type parted /dev/sda set 2 boot on
    • Press Enter
    • Type parted /dev/sda rm 3
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log

    Post a new ListParts by Farbar log.
     
Topic Status:
Not open for further replies.
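
The layout flagged in the ListParts log above (a hidden, active, 848 KB partition of type 17 placed after the Windows volume) can be checked directly from the MBR partition table. The following is an added example, not part of the thread or of any tool named in it; the sample sectors are constructed to mirror that log, and the hidden-type set and the 16 MB size threshold are assumptions.

```python
import struct

SECTOR = 512
ENTRY = "<B3xB3xII"   # status, (CHS), type, (CHS), start LBA, sector count
# MBR type bytes for hidden FAT/NTFS variants plus 0x27 (hidden recovery); assumed set.
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E, 0x27}

def parse_mbr(sector):
    """Decode the used primary entries of a 512-byte MBR sector."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR sector")
    parts = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY, sector, 446 + 16 * i)
        if ptype:  # type 0 marks an unused slot
            parts.append({"num": i + 1, "active": status == 0x80, "type": ptype,
                          "hidden": ptype in HIDDEN_TYPES,
                          "start_kb": lba * SECTOR // 1024,
                          "size_kb": count * SECTOR // 1024})
    return parts

def suspicious(parts, tiny_kb=16 * 1024):
    """Flag entries that carry the boot flag but are hidden (tiny_kb is assumed)."""
    findings = []
    for p in parts:
        if p["active"] and p["hidden"]:
            why = ["boot flag on hidden type %02X" % p["type"]]
            if p["size_kb"] < tiny_kb:
                why.append("only %d KB" % p["size_kb"])
            if p["start_kb"] == max(q["start_kb"] for q in parts):
                why.append("last on disk")
            findings.append((p["num"], why))
    return findings

def build_mbr(entries):
    """Build a constructed MBR sector from (status, type, lba, count) tuples."""
    table = b"".join(struct.pack(ENTRY, *e) for e in entries)
    return bytes(446) + table.ljust(64, b"\0") + b"\x55\xaa"

# Constructed to mirror the ListParts log: OEM, Windows volume, 848 KB type-17 entry.
INFECTED = [(0x00, 0x27, 2048, 3072000),
            (0x00, 0x07, 3074048, 310378496),
            (0x80, 0x17, 313452544, 1696)]
# Same disk after "set 2 boot on" and "rm 3" from the thread.
REPAIRED = [INFECTED[0], (0x80, 0x07, 3074048, 310378496)]

if __name__ == "__main__":
    for label, entries in (("infected", INFECTED), ("repaired", REPAIRED)):
        print(label, suspicious(parse_mbr(build_mbr(entries))))
```

On a real disk the sector should be read from a clean boot environment, since the Bootkit Remover output in the thread reports that the boot code is hidden while the infected system is running.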
