Inactive System Check - can't get into safe mode

BoarderPH

I seem to have gotten System Check now on my laptop. The problem I am having is that the PC will only boot into Windows regularly or Safe Mode, but not Safe Mode with Networking, so I can't download the files needed to remove it. When I try to log into Safe Mode with Networking, it tells me my fingerprint scanner doesn't exist and "the system cannot log you on" when I use the same credentials that work in the other modes.

I had it previously on a desktop and managed to get it removed, so I have the normal programs downloaded and on a flash drive (unhide, iexplore, tdsskiller, malwarebytes).

How can I get unhide from the flash drive to the desktop in safe mode so I can begin removing this? The laptop is running XP.
 
Welcome aboard


Please observe the following rules:
  • Read all of my instructions very carefully. Your mistakes during the cleaning process may have very serious consequences, like an unbootable computer.
  • If you're stuck, or you're not sure about a certain step, always ask before doing anything else.
  • Please refrain from running tools or applying updates other than those I suggest.
  • Never run more than one scan at a time.
  • Keep updating me regarding your computer behavior, good, or bad.
  • The cleaning process, once started, has to be completed. Even if your computer appears to act better, it may still be infected. Once the computer is totally clean, I'll certainly let you know.
  • If you leave the topic without explanation in the middle of a cleaning process, you may not be eligible to receive any more help in malware removal forum.
  • I close my topics if you have not replied in 5 days. If you need more time, simply let me know. If I closed your topic and you need it to be reopened, simply PM me.

===================================================================

What happens in normal mode?
 
Well, strangely enough, I booted it normally to give a rundown of the errors (it was a black screen, almost all icons gone from the desktop, the "System Check" program running, and multiple "disc read" error messages stacked up) and all of a sudden at least my desktop was there.

I was able to shut off the networking, run unhide/tdsskiller/malwarebytes and get it cleaned up. After a reboot I ran malwarebytes and it reports no malicious items.

Is there any other scan I should run to verify it is wiped out?
 
Here's the first malwarebytes log:

Database version: v2012.03.18.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
psmi :: PSMI-LT-5242010 [administrator]

3/18/2012 3:25:34 PM
mbam-log-2012-03-18 (15-25-34).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254136
Time elapsed: 11 minute(s), 22 second(s)

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Data: C:\Documents and Settings\All Users\Application Data\VwQGJwSURThVmE.exe -> Quarantined and deleted successfully.

Registry Data Items Detected: 8
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|StartMenuLogoff (PUM.Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowControlPanel (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowHelp (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowMyDocs (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowRun (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced|Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> Quarantined and repaired successfully.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (PUM.Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and repaired successfully.

Folders Detected: 0
(No malicious items detected)

Files Detected: 2
C:\Documents and Settings\All Users\Application Data\VwQGJwSURThVmE.exe (Rogue.FakeHDD) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Application Data\hmdHT0ZHGQDBCP.exe (Trojan.FakeAlert) -> Quarantined and deleted successfully.

(end)

Here's the second (after cleaning):
Malwarebytes Anti-Malware 1.60.1.1000
www.malwarebytes.org

Database version: v2012.03.18.03

Windows XP Service Pack 3 x86 NTFS
Internet Explorer 8.0.6001.18702
psmi :: PSMI-LT-5242010 [administrator]

3/18/2012 4:26:58 PM
mbam-log-2012-03-18 (16-26-58).txt

Scan type: Quick scan
Scan options enabled: Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken | PUP | PUM
Scan options disabled: P2P
Objects scanned: 254582
Time elapsed: 11 minute(s),

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 0
(No malicious items detected)

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 0
(No malicious items detected)

(end)
 
GMER output nothing, although I had to run it with Symantec Auto-Protect enabled (I don't have the password).

I can't seem to get DDS to run. I get no popups when I run it, only Notepad, which opens with a bunch of characters and gibberish.

I've definitely still got something going on, because while trying to figure out how to turn off any script blocker I am getting random redirects when I click on Google results. It is routing me through "zorilla" and eventually sometimes taking me to:
http://63.209.69.107/search/web/disable+script+blocking/a08/48596-3257/v5
 
Download aswMBR to your desktop.
Double click the aswMBR.exe to run it.
If you see this question: "Would you like to download latest Avast! virus definitions?", say "Yes".
Click the "Scan" button to start scan.
On completion of the scan click "Save log", save it to your desktop and post in your next reply.

NOTE. aswMBR will create MBR.dat file on your desktop. This is a copy of your MBR. Do NOT delete it.

==============================================================

Download Bootkit Remover to your desktop.

  • Unzip downloaded file to your Desktop.
  • Double-click on boot_cleaner.exe to run the program (Vista/7 users, right-click on boot_cleaner.exe and click Run As Administrator).
  • It will show a Black screen with some data on it.
  • Right click on the screen and click Select All.
  • Press CTRL+C
  • Open a Notepad and press CTRL+V
  • Post the output back here.
 
aswMBR version 0.9.9.1665 Copyright(c) 2011 AVAST Software
Run date: 2012-03-18 22:14:53
-----------------------------
22:14:53.135 OS Version: Windows 5.1.2600 Service Pack 3
22:14:53.135 Number of processors: 2 586 0x602
22:14:53.135 ComputerName: PSMI-LT-5242010 UserName: psmi
22:14:54.917 Initialize success
22:18:20.553 AVAST engine defs: 12031700
22:20:45.968 Disk 0 (boot) \Device\Harddisk0\DR0 -> \Device\Scsi\ahcix861Port0Path0Target0Lun0
22:20:45.984 Disk 0 Vendor: Hitachi_ FC4O Size: 305245MB BusType: 1
22:20:46.015 Disk 0 MBR read successfully
22:20:46.031 Disk 0 MBR scan
22:20:46.093 Disk 0 Windows VISTA default MBR code
22:20:46.124 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 303178 MB offset 2048
22:20:46.171 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 2047 MB offset 620928315
22:20:46.218 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 10 MB offset 625121280
22:20:46.249 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
22:20:46.265 Disk 0 scanning sectors +625142432
22:20:46.359 Disk 0 scanning C:\WINDOWS\system32\drivers
22:21:09.410 Service scanning
22:21:33.976 Service SafeBoot C:\WINDOWS\System32\Drivers\SafeBoot.sys **LOCKED** 32
22:21:46.588 Modules scanning
22:21:56.464 Disk 0 trace - called modules:
22:21:56.542 ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89c5cfa9]<<
22:21:56.574 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a500030]
22:21:56.605 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> [0x89c6f950]
22:21:56.652 \Driver\hpdskflt[0x8a4b14e8] -> IRP_MJ_INTERNAL_DEVICE_CONTROL -> 0x89c5cfa9
22:21:58.308 AVAST engine scan C:\WINDOWS
22:22:21.874 AVAST engine scan C:\WINDOWS\system32
22:28:00.313 AVAST engine scan C:\WINDOWS\system32\drivers
22:28:27.158 AVAST engine scan C:\Documents and Settings\psmi
22:34:37.584 AVAST engine scan C:\Documents and Settings\All Users
22:36:33.476 Scan finished successfully
22:37:10.413 Disk 0 MBR has been saved successfully to "C:\Documents and Settings\psmi\Desktop\MBR.dat"
22:37:10.460 The log file has been saved successfully to "C:\Documents and Settings\psmi\Desktop\aswMBR.txt"


Bootkit Remover
(c) 2009 Esage Lab
www.esagelab.com

Program version: 1.2.0.1
OS Version: Microsoft Windows XP Professional Service Pack 3 (build 2600)

System volume is \\.\C:
\\.\C: -> \\.\PhysicalDrive0 at offset 0x00000000`00100000
ATA_Read(): DeviceIoControl() ERROR 1
Boot sector MD5 is: 0ec6b2481fc707d1e901dc2a875f2826

Size Device Name MBR Status
--------------------------------------------
298 GB \\.\PhysicalDrive0 OK (DOS/Win32 Boot code found)


Done;
Press any key to quit...
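As an added example (not part of this thread and not code from aswMBR, Bootkit Remover or any other tool named here), the script below parses the partition-table, **INFECTED** and **LOCKED** lines of an aswMBR log of the kind posted above and reports the layout anomaly the helper reads from it: a tiny hidden partition that carries the active (boot) flag while the real Windows volume does not, which is how this family of MBR bootkits takes over the boot path. The sample input is the relevant lines of the log above; the `SMALL_MB` threshold and the finding wording are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample input: the partition-table, INFECTED and LOCKED lines
# from the aswMBR log in this thread (timestamps kept as in the log).
SAMPLE_LOG = r"""
22:20:46.124 Disk 0 Partition 1 00 07 HPFS/NTFS NTFS 303178 MB offset 2048
22:20:46.171 Disk 0 Partition 2 00 0C FAT32 LBA MSDOS5.0 2047 MB offset 620928315
22:20:46.218 Disk 0 Partition 3 80 (A) 17 Hidd HPFS/NTFS NTFS 10 MB offset 625121280
22:20:46.249 Disk 0 Partition 3 **INFECTED** MBR:Alureon-K [Rtk]
22:21:33.976 Service SafeBoot C:\WINDOWS\System32\Drivers\SafeBoot.sys **LOCKED** 32
"""

# "<time> Disk N Partition M <boot> [(A)] <type> <description> <size> MB offset <sectors>"
PART_RE = re.compile(
    r"^\S+ Disk (?P<disk>\d+) Partition (?P<idx>\d+) (?P<boot>[0-9A-F]{2})(?: \(A\))? "
    r"(?P<type>[0-9A-F]{2}) (?P<desc>.+?) (?P<size>\d+) MB offset (?P<offset>\d+)$"
)
INFECTED_RE = re.compile(r"^\S+ Disk (?P<disk>\d+) Partition (?P<idx>\d+) \*\*INFECTED\*\* (?P<sig>.+)$")
LOCKED_RE = re.compile(r"^\S+ Service (?P<name>\S+) (?P<path>\S+) \*\*LOCKED\*\*")

# MBR partition types whose 0x10 bit marks a "hidden" variant of a DOS/Windows type
# (0x17 is hidden IFS/NTFS, the type ListParts later reports as suspicious).
HIDDEN_TYPES = {0x11, 0x14, 0x16, 0x17, 0x1B, 0x1C, 0x1E}
WINDOWS_NTFS = 0x07
SMALL_MB = 64  # hypothetical threshold: a bootable OS volume is never this small


@dataclass
class Partition:
    disk: int
    index: int
    active: bool   # boot indicator 0x80 in the MBR entry
    ptype: int
    desc: str
    size_mb: int
    offset: int

    @property
    def hidden(self) -> bool:
        return self.ptype in HIDDEN_TYPES


def parse_partitions(log: str) -> list[Partition]:
    """Extract the partition-table entries aswMBR prints for each disk."""
    parts = []
    for line in log.splitlines():
        m = PART_RE.match(line.strip())
        if m:
            parts.append(Partition(
                disk=int(m["disk"]), index=int(m["idx"]),
                active=(m["boot"] == "80"), ptype=int(m["type"], 16),
                desc=m["desc"], size_mb=int(m["size"]), offset=int(m["offset"]),
            ))
    return parts


def analyze(log: str) -> list[str]:
    """Return human-readable findings: scanner verdicts plus partition-layout anomalies."""
    findings = []
    for line in log.splitlines():
        m = INFECTED_RE.match(line.strip())
        if m:
            findings.append(f"INFECTED: Disk {m['disk']} Partition {m['idx']}: {m['sig']}")
        m = LOCKED_RE.match(line.strip())
        if m:
            findings.append(f"LOCKED: service {m['name']} ({m['path']}) could not be read by the scanner")
    parts = parse_partitions(log)
    for p in parts:
        # The bootkit pattern: a tiny, hidden partition that carries the active flag,
        # so the BIOS hands control to it instead of to the Windows volume.
        if p.active and p.hidden and p.size_mb <= SMALL_MB:
            findings.append(
                f"SUSPICIOUS: Disk {p.disk} Partition {p.index} is active, hidden "
                f"(type 0x{p.ptype:02X}) and only {p.size_mb} MB"
            )
    if parts and not any(p.active and p.ptype == WINDOWS_NTFS for p in parts):
        findings.append("SUSPICIOUS: no NTFS (type 07) partition carries the active flag")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Run it on a saved aswMBR.txt by reading the file into `analyze()`. Note that the layout checks stand on their own: even on a log where the engine prints no **INFECTED** verdict, an active hidden partition of a few megabytes with the OS volume left non-active is worth a second look, which is exactly what the later ListParts output confirms here (type 17, hidden, active, no volume).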
 
It looks like we have an infected partition there.

Please download and run ListParts by Farbar (for 32-bit system) to your desktop.

Please download and run ListParts64 by Farbar (for 64-bit system) to your desktop.

Click on the Scan button.

Scan result will open in Notepad.
Post it in your next reply.
 
ListParts by Farbar Version: 12-03-2012 03
Ran by psmi (administrator) on 19-03-2012 at 06:20:00
Windows XP (X86)
Running From: C:\Documents and Settings\psmi\My Documents\Downloads
Language: 0409
************************************************************

========================= Memory info ======================

Percentage of memory in use: 76%
Total physical RAM: 1788.63 MB
Available physical RAM: 416.68 MB
Total Pagefile: 3682.54 MB
Available Pagefile: 2458.06 MB
Total Virtual: 2047.88 MB
Available Virtual: 1996.96 MB

======================= Partitions =========================

1 Drive c: () (Fixed) (Total:296.07 GB) (Free:263.39 GB) NTFS ==>[Drive with boot components (Windows XP)]
2 Drive d: (HP_TOOLS) (Fixed) (Total:2 GB) (Free:1.51 GB) FAT32

Disk ### Status Size Free Dyn Gpt
-------- ---------- ------- ------- --- ---
Disk 0 Online 298 GB 0 B

Partitions of Disk 0:
===============

Partition ### Type Size Offset
------------- ---------------- ------- -------
Partition 1 Primary 296 GB 1024 KB
Partition 2 Primary 2047 MB 296 GB
Partition 3 Unknown 10 MB 298 GB
======================================================================================================

Disk: 0
Partition 1
Type : 07
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 1 C NTFS Partition 296 GB Healthy Boot
======================================================================================================

Disk: 0
Partition 2
Type : 0C
Hidden: No
Active: No

Volume ### Ltr Label Fs Type Size Status Info
---------- --- ----------- ----- ---------- ------- --------- --------
* Volume 2 D HP_TOOLS FAT32 Partition 2047 MB Healthy
======================================================================================================

Disk: 0
Partition 3
Type : 17 (Suspicious Type)
Hidden: Yes
Active: Yes

There is no volume associated with this partition.
======================================================================================================

****** End Of Log ******
 
Download GETxPUD.exe to the desktop of your clean computer

  • Double click on GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and upon finished will open BurnCDCC ready to burn the image.
  • Insert blank CD into your CD drive.
  • Click on Start and follow the prompts to burn the image to a CD.
  • Boot bad computer from the CD
  • Click Menu then Terminal Emulator
  • Type parted /dev/sda set 1 boot on
  • Press Enter
  • Type parted /dev/sda rm 3
  • Press Enter
  • Remove xPUD CD, reboot, run aswMBR and post the log
 
Uh oh...ran xpud and after:
Type parted /dev/sda rm 3
I got the error "Information: You may need to update /etc/fstab."

Now when I remove the CD and reboot, I get:
Non-system disc or disc error
replace and strike any key when ready
 
We need to use the Recovery Console to try to fix your issue.

  • You'll need to find your Windows XP installation disk.
  • Insert the Windows XP CD into the CD-ROM drive, then restart your computer.
  • If prompted, click any options that are required to start the computer from the CD-ROM drive.
  • When the Welcome to Setup screen appears, press R to start the Recovery Console.
  • The Recovery Console will start and ask you which Windows installation you would like to log on to.
    • If you have multiple Windows installations, it will list each one, and you would enter the number associated with the installation you would like to work on and press enter. If you have just one Windows installation, type 1 and press Enter.
  • It will then prompt you for the Administrator's password. If there is no password, simply press enter.
  • You will now be presented with a C:\Windows> prompt
  • Type the following, pressing Enter after each line:
    fixmbr
    fixboot
    exit
  • Restart the computer.

************************

If you don't have Windows CD...
Download Windows Recovery Console: http://www.thecomputerparamedic.com/files/rc.iso
Download and install the free ImgBurn: http://www.imgburn.com/index.php?act=download
Using ImgBurn, burn rc.iso to a CD.
Boot to the CD...let it finish loading.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
 
Downloaded the Recovery Console, burned it, and booted. Now, when it gets to the point where it says "Setup is loading Windows", though, I get a blue screen of death.
 
Sorry, just getting back in town to mess with this today. I know I have an XP cd but I'll have to find it. I assume version doesn't matter since I just need the recovery console app?

I do have a Win 7 disc on hand, but I'm guessing it doesn't have the Recovery Console?
 
Same blue screen with the xp disc I found. Anything else I can try or should I just wipe this thing? I hate to lose what's on it but starting to seem like there's no other option.
 
Let's see if we can look at your computer booting from an external source.

Please download OTLPE (file size 120.9 MB)

  • When downloaded double click on OTLPENet.exe and make sure there is a blank CD in your CD drive. This will automatically create a bootable CD.
  • Reboot your system using the boot CD you just created.
    • Note : If you do not know how to set your computer to boot from CD follow the steps here
  • Your system should now display a REATOGO-X-PE desktop.
  • Depending on your type of internet connection, you should be able to get online as well so you can access this topic more easily.
  • Double-click on the OTLPE icon.
  • When asked Do you wish to load the remote registry, select Yes
  • When asked Do you wish to load remote user profile(s) for scanning, select Yes
  • Ensure the box "Automatically Load All Remaining Users" is checked and press OK
  • OTL should now start.
  • Press Run Scan to start the scan.
  • When finished, the file will be saved in drive C:\OTL.txt
  • Copy this file to your USB drive if you do not have internet connection on this system
  • Please post the contents of the OTL.txt file in your reply.
 
Ran OTLPE. When it gets to the Windows XP screen, though, I get no movement in the progress bar and then a blue screen again.
 
Well, since we can't get to your hard drive in any possible way, Windows reinstallation seems to be the only way left.
I'm sorry I don't have better news :(
 
Well, that's kinda what I figured. Let me ask you one other thing: if I were to get an adapter to hook my laptop drive to my desktop, am I at a high risk of infecting it too if I pull my personal files off? I know this might be a guess, but it seems like only the system files are really infected. Also, I guess I'm hoping I can even access the drive that way and that it is not completely "corrupt".
 