Inactive Nasty critter will not let me boot computer either in normal or safe mode

Status
Not open for further replies.
Really weird...

Let's forget about the CD for a moment.
When you boot computer normally, to safe mode, or last known good configuration, how far does it go? Any error messages then?
 
Well, at this point I'm officially stumped :(

The only option I can see here is to slave the drive in another computer and scan it for viruses/recover data.
 
Ok.... how do you do that? Is it a matter of connecting laptop to computer or do you mean take the hard drive out and install it on another frame? I guess you mean taking it out because if unable to log in then unable to set up as a slave.
 
If your good computer is a laptop, the easiest way would be to buy a USB hard drive enclosure (~$20). You remove the hard drive from the bad computer, put it into the enclosure and connect it to the laptop through a USB cable (all included).
 
I already bought the USB drive. Please advise if I should run Malwarebytes once I take out the hard drive and connect it to the laptop, or if you feel I should use any other antivirus program to do that. By the way... I have sort of a medical emergency with my 93-year-old mother and I will not be able to get back to the computer problem for a couple of days. I am moving over with her and hopefully that will be enough to get her back in good shape. I will sign up again as soon as I can. Thanks
 
I'm sorry to hear bad news about your mom.
Wish her my best.
My mom will be 89 this January, so I know what you mean.

Now....
Make sure to install this on your LAPTOP, so it won't get infected through USB enclosure...

Download, and run Flash Disinfector, and save it to your desktop (Windows Vista and Windows 7 users, scroll down)

*Please disable any AV / ScriptBlockers as they might detect Flash Disinfector to be malicious and block it. Hence, the failure in executing. You can enable them back after the cleaning process*

  • Double-click Flash_Disinfector.exe to run it and follow any prompts that may appear.
  • The utility may ask you to insert your flash drive and/or other removable drives. Please do so and allow the utility to clean up those drives as well.
  • Hold down the Shift key when inserting the drive until Windows detects it to keep autorun.inf from executing if it is present.
  • Wait until it has finished scanning and then exit the program.
  • Reboot your computer when done.
Note: As part of its routine, Flash_Disinfector will create a hidden folder named autorun.inf in each partition and every USB drive that was plugged in when you ran it. Do not delete this folder...it will help protect your drives from future infection by keeping the autorun file from being installed on the root drive and running other malicious files.

Windows Vista and Windows 7 users
Flash Disinfector is not compatible with the above Windows versions.
Please use Panda USB Vaccine.

When done, connect USB enclosure and scan the drive with your AV program and MBAM.

See what they'll find.
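The note above describes the folder named autorun.inf that Flash_Disinfector leaves in each drive root. The following added example (not part of the original post, and not Flash Disinfector's own code) checks a mounted drive root for that state and, if a real autorun.inf file is present instead, lists the commands it would launch. The function names are this example's own.

```python
import os
import sys

def find_entry(root):
    """Return the path of autorun.inf in root (any letter case), or None."""
    for name in os.listdir(root):
        if name.lower() == "autorun.inf":
            return os.path.join(root, name)
    return None

def read_text(path):
    """Decode the file; UTF-16 with a BOM is handled, anything else as Latin-1."""
    with open(path, "rb") as fh:
        data = fh.read(64 * 1024)   # autorun.inf is small; cap the read
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16", errors="replace")
    return data.decode("latin-1")

def inspect_root(root):
    """Classify a drive root as 'absent', 'vaccinated' or 'file'.

    'vaccinated' means autorun.inf exists as a folder, so a file of that
    name cannot be written there. For 'file', the second value lists the
    (key, command) pairs that would launch something.
    """
    path = find_entry(root)
    if path is None:
        return "absent", []
    if os.path.isdir(path):
        return "vaccinated", []
    launches = []
    for line in read_text(path).splitlines():
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if not sep or key.startswith(";"):
            continue                # section header, comment or blank line
        if key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")):
            launches.append((key, value.strip()))
    return "file", launches

if __name__ == "__main__":
    for root in sys.argv[1:]:       # drive roots to check, e.g. E:\ F:\
        print(root, *inspect_root(root))
```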
 
Now that I am back to working on the nasty critter problem this is where I am standing:

1) Ran Malwarebytes on laptop to make sure it had no bugs. (Report log enclosed)
2) Installed HDD in enclosure
3) Installed Flash Disinfector
4) Connected enclosure to laptop
5) Ran Malwarebytes AV
6) Deleted all viruses
7) Restarted laptop
8) Disconnected enclosure
9) Reinstalled HDD in PC

Following are Log Reports for laptop cleanup and PC cleanup:

Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5474

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/6/2011 9:48:17 PM
mbam-log-2011-01-06 (21-48-17).txt

Scan type: Full scan (C:\|D:\|)
Objects scanned: 195166
Time elapsed: 1 hour(s), 39 minute(s), 53 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)



Malwarebytes' Anti-Malware 1.50
www.malwarebytes.org

Database version: 5474

Windows 5.1.2600 Service Pack 2
Internet Explorer 7.0.5730.11

1/7/2011 2:35:08 PM
mbam-log-2011-01-07 (14-35-08).txt

Scan type: Full scan (E:\|F:\|)
Objects scanned: 238434
Time elapsed: 15 hour(s), 20 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 1
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
c:\WINDOWS\system32\arking0.dll (Malware.Packer) -> Delete on reboot.

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\MADOWN (Worm.Magania) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cdoosoft (Worm.Taterf) -> Value: cdoosoft -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\King_ar (Malware.Packer) -> Value: King_ar -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Delete on reboot.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\WINDOWS\system32\arking0.dll (Malware.Packer) -> Delete on reboot.
c:\documents and settings\luis a. guerra\local settings\Temp\herss.exe (Worm.Taterf) -> Quarantined and deleted successfully.
c:\WINDOWS\system32\arking.exe (Malware.Packer) -> Quarantined and deleted successfully.
e:\w9.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
e:\ba.exe (Worm.Taterf) -> Quarantined and deleted successfully.
e:\documents and settings\luis a. guerra\local settings\application data\apple computer\Safari\History\deletable (Trojan.Goldun) -> Quarantined and deleted successfully.
e:\documents and settings\networkservice\local settings\temporary internet files\Content.IE5\QVQXUD61\dm6[1].exe (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
e:\system volume information\_restore{58e30938-66a1-4d08-9dcd-360ce25b3a88}\RP2114\A0222405.dll (Spyware.OnlineGames) -> Quarantined and deleted successfully.
e:\system volume information\_restore{91f82645-4ea1-421b-90a6-0e99a9d48a39}\RP227\A0021331.exe (Worm.Taterf) -> Quarantined and deleted successfully.
e:\WINDOWS\Temp\44.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
e:\WINDOWS\Temp\45.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
e:\WINDOWS\Temp\9.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
e:\WINDOWS\Temp\B.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
e:\WINDOWS\system32\arking.exe (Malware.Packer) -> Quarantined and deleted successfully.
e:\WINDOWS\system32\arking1.dll (Malware.Packer) -> Quarantined and deleted successfully.
f:\i00dvoym.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\ji83j.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\lhhr8.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\9keibj.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\w9.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\ba.exe (Worm.Taterf) -> Quarantined and deleted successfully.
f:\cbbw88s.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\dqm.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
f:\system volume information\_restore{91f82645-4ea1-421b-90a6-0e99a9d48a39}\RP227\A0021333.exe (Worm.Taterf) -> Quarantined and deleted successfully.
c:\documents and settings\luis a. guerra\local settings\Temp\cvasds0.dll (Spyware.OnlineGames) -> Delete on reboot.

Bad news though is I just turned on the PC and it still does not boot. No message... it just freezes out (black screen).
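A small triage script for logs in this format, added here as an example and not part of the original posts: it groups detections by name and lists entries that sit on a drive outside the scan list (here c:\ while the scan covered E:\ and F:\) or are marked "Delete on reboot", both of which are worth checking on the machine that ran the scan. The sample is a trimmed excerpt of the second log above; the function names are this example's own.

```python
import re
from collections import Counter

# Trimmed excerpt of the second log posted above (scan of the enclosure drives).
SAMPLE = r"""Scan type: Full scan (E:\|F:\|)
Files Infected: 25

Memory Modules Infected:
c:\WINDOWS\system32\arking0.dll (Malware.Packer) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL\CheckedValue (PUM.Hijack.System.Hidden) -> Bad: (0) Good: (1) -> Delete on reboot.

Files Infected:
c:\WINDOWS\system32\arking0.dll (Malware.Packer) -> Delete on reboot.
e:\ba.exe (Worm.Taterf) -> Quarantined and deleted successfully.
e:\WINDOWS\Temp\44.tmp (Rootkit.TDSS.Gen) -> Quarantined and deleted successfully.
f:\w9.exe (Spyware.OnlineGames) -> Quarantined and deleted successfully.
"""

# "<item> (<detection name>) -> ... -> <action>."; the item match is non-greedy
# so that "Good: (1) -> ..." in registry data lines is not taken for the name.
ENTRY = re.compile(r"^(?P<item>.+?) \((?P<name>[^()]+)\) -> (?P<rest>.+)$")
SECTION = re.compile(r"^(?P<section>[A-Za-z ]+ Infected):$")

def parse_log(text):
    """Return (scanned_drives, entries) for a text log in the format above."""
    scanned, entries, section = set(), [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Scan type:"):
            scanned = {d.upper() for d in re.findall(r"([A-Za-z]):\\", line)}
        elif (m := SECTION.match(line)):
            section = m["section"]
        elif section and (m := ENTRY.match(line)):
            item = m["item"]
            drive = item[0].upper() if item[1:3] == ":\\" else None
            action = m["rest"].split(" -> ")[-1].rstrip(".")
            entries.append({"section": section, "item": item, "drive": drive,
                            "family": m["name"], "action": action})
    return scanned, entries

def triage(text):
    """Return (count per detection name, off-scan-list items, pending deletions)."""
    scanned, entries = parse_log(text)
    by_family = Counter(e["family"] for e in entries)
    off_target = sorted({e["item"] for e in entries
                         if e["drive"] and e["drive"] not in scanned})
    pending = sorted({e["item"] for e in entries if e["action"] == "Delete on reboot"})
    return by_family, off_target, pending
```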
 
Are you getting ANY display, like computer manufacturer logo, or simply nothing?
 
Yes I get the computer manufacturer logo and it freezes after that before the regular screen with DOS info comes up. The F2 and F8 commands also work but I have not tried to do anything with them.
 
Let's see, if we can look at your computer booting from an external source.

Please download OTLPE (filesize 120,9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note: If you do not know how to set your computer to boot from CD, follow the steps HERE
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
Did everything as instructed but when I booted from C with disk this is what happened:
1) Sony logo came up
2) Specs screen came up
3) Windows XP logo came up and stayed on for a while
4) Message (Information - Out of Scan Range - 35.5 Khz /86 hz) came up and the computer stopped booting and screen turned black with message in the middle.
 
You're supposed to be booting from the CD not from your hard drive.
Did you check "boot order" in BIOS as described in my previous reply?
 
Yes I am booting from C and as a matter of fact while booting the screen shows the loading progression of OTLP program. My Bios is set to boot from C drive. If you try to boot from HDD it only shows the SONY logo and immediately the screen goes black and the HDD stops spinning and nothing else happens (no scan message either).
I am thinking though that maybe when I checked my monitor to see if it worked with other computer I used my laptop. Maybe the resolution in my laptop is lower and that is why the monitor worked. I do not have another PC but I do have another monitor in storage so I am going to bring it home and connect it to see if I get the same message.
What bothers me is that my monitor has a menu and other keys to set up the monitor any way you want but for some reason the menu key and other keys do not work.
 