TechSpot

System Check - can't get into safe mode

By BoarderPH
Mar 18, 2012
  1. I seem to have gotten System Check now on my laptop. The problem I am having is the PC will only boot into Windows regularly or Safe Mode, but not Safe Mode with Networking, so I can't download the files needed to remove it. When I try to log into Safe Mode with Networking, it tells me my fingerprint scanner doesn't exist and "the system cannot log you on" when I use the same credentials that work in the other modes.

    I had it previously on a desktop and managed to get it removed, so I have the normal programs downloaded and on a flash drive (unhide, iexplore, tdsskiller, malwarebytes).

    How can I get unhide from the flash drive to the desktop in safe mode so I can begin removing this? The laptop is running XP.
     
  2. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Welcome aboard

    Please, observe following rules:
    • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
    • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
    • Please refrain from running tools or applying updates other than those I suggest.
    • Never run more than one scan at a time.
    • Keep updating me regarding your computer behavior, good, or bad.
    • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
    • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
    • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

    ===================================================================

    What happens in normal mode?
     
  3. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Well, strangely enough, I booted it normally to give a rundown of the errors (black screen, almost all icons gone from the desktop, "System Check" program running, and multiple "disc read" error messages stacked up) and all of a sudden at least my computer was there.

    I was able to shut off the networking, run unhide/tdsskiller/malwarebytes and get it cleaned up. After a reboot I ran malwarebytes and it reports no malicious items.

    Is there any other scan I should run to verify it is wiped out?
     
  4. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Yes.

    Please, complete all steps listed here: http://www.techspot.com/vb/topic58138.html
    Make sure you PASTE all logs. If a log exceeds the 50,000-character post limit, split it between a couple of replies.
    Attached logs won't be reviewed.
     
  5. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Here's the first malwarebytes log:

    Database version: v2012.03.18.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    psmi :: PSMI-LT-5242010 [administrator]

    3/18/2012 3:25:34 PM
    mbam-log-2012-03-18 (15-25-34).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 254136
    Time elapsed: 11 minute(s), 22 second(s)

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 1
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\VwQGJwSURThVmE.exe -> Quarantined and deleted successfully.

    Registry Data Items Detected: 8
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 2
    C:\Documents and Settings\All Users\Application Data\VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
    C:\Documents and Settings\All Users\Application Data\hmdHT0ZHGQDBCP.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

    (end)

    Here's the second (after cleaning):
    Malwarebytes Anti-Malware 1.60.1.1000
    www.malwarebytes.org

    Database version: v2012.03.18.03

    Windows XP Service Pack 3 x86 NTFS
    Internet Explorer 8.0.6001.18702
    psmi :: PSMI-LT-5242010 [administrator]

    3/18/2012 4:26:58 PM
    mbam-log-2012-03-18 (16-26-58).txt

    Scan type: Quick scan
    Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
    Scan options disabled: P2P
    Objects scanned: 254582
    Time elapsed: 11 minute(s),

    Memory Processes Detected: 0
    (No malicious items detected)

    Memory Modules Detected: 0
    (No malicious items detected)

    Registry Keys Detected: 0
    (No malicious items detected)

    Registry Values Detected: 0
    (No malicious items detected)

    Registry Data Items Detected: 0
    (No malicious items detected)

    Folders Detected: 0
    (No malicious items detected)

    Files Detected: 0
    (No malicious items detected)

    (end)
     
  6. BoarderPH

    BoarderPH TS Rookie Topic Starter

    GMER output nothing, although I had to run it with Symantec Auto-Protect enabled (don't have the password).

    I can't seem to get DDS to run. I get no popups when I run it, only Notepad opens with a bunch of characters and gibberish.

    I've definitely still got something going on because while trying to figure out how to turn off any script blocker I am getting random redirects when I click on google results. It is routing me through "zorilla" and eventually sometimes taking me to:
    http://63.209.69.107/search/web/disable+script+blocking/a08/48596-3257/v5
     
  7. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download aswMBR to your desktop.
    Double click the aswMBR.exe to run it.
    If you see this question: "Would you like to download the latest Avast! virus definitions?" say "Yes".
    Click the "Scan" button to start scan.
    On completion of the scan click "Save log", save it to your desktop and post in your next reply.

    NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

    ==============================================================

    Download Bootkit Remover to your desktop.

    • Unzip downloaded file to your Desktop.
    • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right click on boot_cleaner.exe and click Run As Administrator).
    • It will show a Black screen with some data on it.
    • Right click on the screen and click Select All.
    • Press CTRL+C
    • Open a Notepad and press CTRL+V
    • Post the output back here.
     
  8. BoarderPH

    BoarderPH TS Rookie Topic Starter

    aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
    Run date: 2012-03-18 22:14:53
    -----------------------------
    22:14:53.135 OS Version: Windows 5.1.2600 Service Pack 3
    22:14:53.135 Number of processors: 2 586 0x602
    22:14:53.135 ComputerName: PSMI-LT-5242010 UserName: psmi
    22:14:54.917 Initialize success
    22:18:20.553 AVAST engine defs: 12031700
    22:20:45.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861Port0Path0Target0Lun0
    22:20:45.984 Disk 0 Vendor: Hitachi_ FC4O Size: 305245MB BusType: 1
    22:20:46.015 Disk 0 MBR read successfully
    22:20:46.031 Disk 0 MBR scan
    22:20:46.093 Disk 0 Windows VISTA default MBR code
    22:20:46.124 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 303178 MB offset 2048
    22:20:46.171 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 2047 MB offset 620928315
    22:20:46.218 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 10 MB offset 625121280
    22:20:46.249 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
    22:20:46.265 Disk 0 scanning sectors +625142432
    22:20:46.359 Disk 0 scanning C:\WINDOWS\system32\drivers
    22:21:09.410 Service scanning
    22:21:33.976 Service SafeBoot C:\WINDOWS\System32\Drivers\SafeBoot.sys **LOCKED** 32
    22:21:46.588 Modules scanning
    22:21:56.464 Disk 0 trace - called modules:
    22:21:56.542 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89c5cfa9]<<
    22:21:56.574 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a500030]
    22:21:56.605 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> [0x89c6f950]
    22:21:56.652 \Driver\hpdskflt[0x8a4b14e8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x89c5cfa9
    22:21:58.308 AVAST engine scan C:\WINDOWS
    22:22:21.874 AVAST engine scan C:\WINDOWS\system32
    22:28:00.313 AVAST engine scan C:\WINDOWS\system32\drivers
    22:28:27.158 AVAST engine scan C:\Documents and Settings\psmi
    22:34:37.584 AVAST engine scan C:\Documents and Settings\All Users
    22:36:33.476 Scan finished successfully
    22:37:10.413 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\psmi\Desktop\MBR.dat"
    22:37:10.460 The log file has been saved successfully to "C:\Documents and Settings\psmi\Desktop\aswMBR.txt"


    Bootkit Remover
    (c) 2009 Esage Lab
    www.esagelab.com

    Program version: 1.2.0.1
    OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

    System volume is \\.\C:
    \\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
    ATA_Read(): DeviceIoControl() ERROR 1
    Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

    Size Device Name MBR Status
    --------------------------------------------
    298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


    Done;
    Press any key to quit...
     
  9. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    It looks like we have an infected partition there.

    Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

    Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

    Click on Scan button.

    Scan result will open in Notepad.
    Post it in your next reply.
     
  10. BoarderPH

    BoarderPH TS Rookie Topic Starter

    ListParts by Farbar Version: 12-03-2012 03
    Ran by psmi (administrator) on 19-03-2012 at 06:20:00
    Windows XP (X86)
    Running From: C:\Documents and Settings\psmi\My Documents\Downloads
    Language: 0409
    ************************************************************

    ========================= Memory info ======================

    Percentage of memory in use: 76%
    Total physical RAM: 1788.63 MB
    Available physical RAM: 416.68 MB
    Total Pagefile: 3682.54 MB
    Available Pagefile: 2458.06 MB
    Total Virtual: 2047.88 MB
    Available Virtual: 1996.96 MB

    ======================= Partitions =========================

    1 Drive c: () (Fixed) (Total:296.07 GB) (Free:263.39 GB) NTFS ==>[Drive with boot components (Windows XP)]
    2 Drive d: (HP_TOOLS) (Fixed) (Total:2 GB) (Free:1.51 GB) FAT32

    Disk ### Status Size Free Dyn Gpt
    -------- ---------- ------- ------- --- ---
    Disk 0 Online 298 GB 0 B

    Partitions of Disk 0:
    ===============

    Partition ### Type Size Offset
    ------------- ---------------- ------- -------
    Partition 1 Primary 296 GB 1024 KB
    Partition 2 Primary 2047 MB 296 GB
    Partition 3 Unknown 10 MB 298 GB
    ======================================================================================================

    Disk: 0
    Partition 1
    Type : 07
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 1 C NTFS Partition 296 GB Healthy Boot
    ======================================================================================================

    Disk: 0
    Partition 2
    Type : 0C
    Hidden: No
    Active: No

    Volume ### Ltr Label Fs Type Size Status Info
    ---------- --- ----------- ----- ---------- ------- --------- --------
    * Volume 2 D HP_TOOLS FAT32 Partition 2047 MB Healthy
    ======================================================================================================

    Disk: 0
    Partition 3
    Type : 17 (Suspicious Type)
    Hidden: Yes
    Active: Yes

    There is no volume associated with this partition.
    ======================================================================================================

    ****** End Of Log ******
     
  11. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Download GETxPUD.exe to the desktop of your clean computer

    • Double click on GETxPUD.exe
    • A new folder will appear on the desktop.
    • Open the GETxPUD folder and click on the get&burn.bat
    • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
    • Insert blank CD into your CD drive.
    • Click on Start and follow the prompts to burn the image to a CD.
    • Boot bad computer from the CD
    • Click Menu then Terminal Emulator
    • Type parted /dev/sda set 1 boot on
    • Press Enter
    • Type parted /dev/sda rm 3
    • Press Enter
    • Remove xPUD CD, reboot, run aswMBR and post the log
     
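Added example, not from the thread or from any of the tools it mentions (aswMBR, ListParts, parted): a small Python parser for the raw MBR partition table that flags the pattern visible in the aswMBR and ListParts logs above (a hidden-type 0x17 partition, 10 MB, marked active and parked at the very end of the disk) and models what the two parted commands just above do to that table. The sample MBR is constructed from the log values; the size and end-of-disk thresholds are assumptions, not anything the tools use.

```python
import struct

SECTOR = 512
# Partition type codes for "hidden" FAT/NTFS volumes (normal code with the 0x10 bit set).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}

def build_entry(active, ptype, lba_start, sectors):
    """Pack one 16-byte MBR partition entry; the CHS fields are left zero."""
    return struct.pack("<B3sB3sII", 0x80 if active else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)

def parse_mbr(mbr):
    """Decode the four partition entries at bytes 446..509 of a 512-byte MBR."""
    if len(mbr) != SECTOR or mbr[510:512] != b"\x55\xAA":
        raise ValueError("not a valid MBR sector")
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", mbr, 446 + 16 * i)
        entries.append({"index": i + 1, "active": status == 0x80, "type": ptype,
                        "lba": lba, "sectors": count})
    return entries

def find_suspicious(entries, disk_sectors):
    """Flag entries matching the pattern in the aswMBR/ListParts logs: an active
    partition with a hidden type, or a tiny partition parked at the very end of
    the disk (assumed thresholds: at most 16 MB, ending within 1 MB of the end)."""
    findings = []
    for e in entries:
        if e["sectors"] == 0:  # unused slot
            continue
        reasons = []
        if e["active"] and e["type"] in HIDDEN_TYPES:
            reasons.append("active partition with hidden type 0x%02X" % e["type"])
        end = e["lba"] + e["sectors"]
        if e["sectors"] * SECTOR <= 16 * 1024 * 1024 and end >= disk_sectors - 2048:
            reasons.append("tiny partition at end of disk")
        if reasons:
            findings.append((e["index"], reasons))
    return findings

def apply_parted_fix(mbr):
    """Model of the parted steps on the raw table: 'set 1 boot on' marks entry 1
    active and 'rm 3' zeroes entry 3. Boot code at bytes 0..445 is untouched."""
    b = bytearray(mbr)
    b[446] = 0x80
    b[446 + 32:446 + 48] = bytes(16)
    return bytes(b)

# Constructed MBR reproducing the layout in the logs (MB values * 2048 sectors).
DISK_SECTORS = 305245 * 2048
CONSTRUCTED_MBR = (bytes(446)
                   + build_entry(False, 0x07, 2048, 303178 * 2048)      # C: NTFS
                   + build_entry(False, 0x0C, 620928315, 2047 * 2048)  # D: HP_TOOLS
                   + build_entry(True, 0x17, 625121280, 10 * 2048)     # hidden, active
                   + bytes(16) + b"\x55\xAA")

if __name__ == "__main__":
    for idx, why in find_suspicious(parse_mbr(CONSTRUCTED_MBR), DISK_SECTORS):
        print("Partition %d: %s" % (idx, "; ".join(why)))
    print("after fix:", find_suspicious(parse_mbr(apply_parted_fix(CONSTRUCTED_MBR)), DISK_SECTORS))
```

Only the partition table is modelled here; the MBR boot code and the volume boot record of partition 1 are left as they are, which is what the Recovery Console fixmbr/fixboot step later in this thread addresses.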
  12. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Uh oh...ran xpud and after:
    Type parted /dev/sda rm 3
    I got the error "Information: You may need to update /etc/fstab."

    Now when I remove the CD and reboot, I get:
    Non-system disc or disc error
    replace and strike any key when ready
     
  13. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    We need to use the Recovery Console to try to fix your issue.

    • You'll need to find your Windows XP installation disk.
    • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
    • If prompted, click any options that are required to start the computer from the CD-ROM drive.
    • When the Welcome to Setup screen appears, press R to start the Recovery Console.
    • The Recovery Console will start and ask you which Windows installation you would like to log on to.
      • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
    • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
    • You will now be presented with a C:\Windows> prompt
    • Type with an Enter after each line:
      fixmbr
      fixboot
      exit
    • Restart computer.

    ************************

    If you don't have Windows CD...
    Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
    Download, and install free Imgburn: http://www.imgburn.com/index.php?act=download
    Using Imgburn, burn rc.iso to a CD.
    Boot to the CD...let it finish loading.
    When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
     
  14. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Downloaded recovery console, burned, and booted. Now when it gets to the point where it says "setup is loading windows" though I get a blue screen of death.
     
  15. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Turn the computer off.
    Wait 1 minute.
    Try the procedure one more time.
     
  16. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Still the same thing.
     
  17. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Do you have/can borrow Windows XP CD?
     
  18. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Sorry, just getting back in town to mess with this today. I know I have an XP CD but I'll have to find it. I assume the version doesn't matter since I just need the Recovery Console app?

    I do have a Win 7 disc on hand, but I'm guessing it doesn't have the Recovery Console?
     
  19. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Yeah, you need Windows XP CD.
     
  20. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Same blue screen with the XP disc I found. Anything else I can try or should I just wipe this thing? I hate to lose what's on it but it's starting to seem like there's no other option.
     
  21. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Let's see if we can look at your computer booting from an external source.

    Please download OTLPE (filesize 120,9 MB)

    • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
    • Reboot your system using the boot CD you just created.
      • Note : If you do not know how to set your computer to boot from CD follow the steps here
    • Your system should now display a REATOGO-X-PE desktop.
    • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
    • Double-click on the OTLPE icon.
    • When asked Do you wish to load the remote registry, select Yes
    • When asked Do you wish to load remote user profile(s) for scanning, select Yes
    • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
    • OTL should now start.
    • Press Run Scan to start the scan.
    • When finished, the file will be saved in drive C:\OTL.txt
    • Copy this file to your USB drive if you do not have internet connection on this system
    • Please post the contents of the OTL.txt file in your reply.
     
  22. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Ran OTLPE; when it gets to the Windows XP screen, though, I get no movement in the progress bar and then a blue screen again.
     
  23. Broni

    Broni Malware Annihilator Posts: 52,898   +344

    Well, since we can't get to your hard drive in any possible way, Windows reinstallation seems to be the only way left.
    I'm sorry I don't have better news :(
     
  24. BoarderPH

    BoarderPH TS Rookie Topic Starter

    Well that's kinda what I figured. Let me ask you one other thing, if I were to get an adapter to hook my laptop drive to my desktop, am I at a high risk of infecting it too if I pull my personal files off? I know this might be a guess, but seems like only the system files are really infected. Also, I guess I'm hoping I can even access the drive that way and that it is not completely "corrupt".
     
  25. Broni

    Broni Malware Annihilator Posts: 52,898   +344
