Hit With DOJ Moneypak, Safe Mode Impossible


This topic is locked
27 replies to this topic

#1 Makalov99

Posted 29 May 2013 - 10:17 PM

Bleepers,

Dept of Justice MoneyPak has jammed my HP Pavilion desktop running Windows XP!

Forget about getting into SafeMode. It starts the SM process but after listing a bunch of files it stops at the same point every time and restarts Safe Mode in a do-loop but never gets into SafeMode. I swear in the boot screen sometimes I get the normal language and sometimes I get a longer message I've never seen before.

In Windows I have no time to run Malwarebytes or any logger S/W before it locks. I've also tried booting from USB (DrWebLiveUSB) but I get some partition error garbage and it stops. HitmanPro doesn't want to run from USB either.

Fortunately I have a clean Win7 HP netbook that I'm using to enter this post.

What to do!?!


Edited by Makalov99, 29 May 2013 - 10:19 PM.




#2 jntkwx (Malware Response Team)

Posted 30 May 2013 - 07:06 PM

Hi Makalov99,

Welcome to Bleeping Computer.

My name is Jason and I'll be helping you with your computer problems. You can call me by my screen name jntkwx or Jason is fine.

Some things to remember while we are working together.

  • Do not run any other tool until instructed to do so!
  • Please do not attach logs or put logs in code or quote boxes (unless explicitly asked to)
  • Tell me about any problems that have occurred during the fix.
  • Tell me of any other symptoms you may be having as these can also help.
  • Do not run anything while running a fix.
  • If you don't understand a step, please ask for clarification before continuing with any future steps.

In the upper right hand corner of the topic you will see the Follow This Topic button. Click on this, then choose Receive Notification Immediately and then click Follow This Topic; you will be sent an email once I have posted a response, which will make the cleaning process faster.

Note to others: The instructions here are intended for the person who began this topic. If you need help, please create your own topic in the appropriate forum.

 
FRST

  • Please download Farbar Recovery Scan Tool and save it to a flash drive.

    Note: You need to run the version compatible with your system. If you are not sure which version applies to your system, download both of them and try to run them. Only one of them will run on your system; that will be the right version.

    Plug the flash drive into the infected PC.
  • Enter System Recovery Options.

    To enter System Recovery Options from the Advanced Boot Options:
    • Restart the computer.
    • As soon as the BIOS is loaded begin tapping the F8 key until Advanced Boot Options appears.
    • Use the arrow keys to select the Repair your computer menu item.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
    Note: In case you cannot enter System Recovery Options by using the F8 method, you can use a Windows installation disc, or make a repair disc. Any Windows installation disc or a repair disc made on another computer can be used.
    To make a repair disc on Windows 7 consult: http://www.sevenforums.com/tutorials/2083-system-repair-disc-create.html

    To enter System Recovery Options by using Windows installation disc:
    • Insert the installation disc.
    • Restart your computer.
    • If prompted, press any key to start Windows from the installation disc. If your computer is not configured to start from a CD or DVD, check your BIOS settings.
    • Click Repair your computer.
    • Select US as the keyboard language settings, and then click Next.
    • Select the operating system you want to repair, and then click Next.
    • Select your user account and click Next.
  • On the System Recovery Options menu you will get the following options:
    Startup Repair
    System Restore
    Windows Complete PC Restore
    Windows Memory Diagnostic Tool
    Command Prompt

    Select Command Prompt
  • Once in the Command Prompt:
    • In the command window type in notepad and press Enter.
    • The notepad opens. Under File menu select Open.
    • Select "Computer" and find your flash drive letter and close the notepad.
    • In the command window type e:\frst (for x64 bit version type e:\frst64) and press Enter
      Note: Replace letter e with the drive letter of your flash drive.
    • The tool will start to run.
    • When the tool opens click Yes to disclaimer.
    • Press Scan button.
    • It will make a log (FRST.txt) on the flash drive. Please copy and paste it to your reply.

Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation.


#3 Makalov99 (Topic Starter)

Posted 30 May 2013 - 09:23 PM

Jason,

Thanks for helping.

When I F8 into the boot options, I don't have the "repair" option, just plain SafeMode/SM with networking/SM with command prompt/last working config and normal windows. Unfortunately my infected XP machine didn't come with disks; it has backup files partitioned on the hd. And my netbook doesn't have any optical drives so making a disk won't be easy. I do have an old external CD RW drive I can try to hook up to the netbook and go that route.

But I'm a little confused: will a Win7 repair disk help fix my XP Windows or am I reading that too literally? Do I need to burn an XP repair disk?



#4 jntkwx (Malware Response Team)

Posted 31 May 2013 - 11:42 AM

No, unfortunately, you're correct. The FRST steps I gave are completely different for Windows XP.

 

Just double checking, have you tried all 3 Safe Mode options?


Regards,
Jason

 



#5 Makalov99 (Topic Starter)

Posted 31 May 2013 - 03:07 PM

Yes, I've tried all 3 several times. I've also tried "msconfig" in the run screen to try to click safe mode on the next reboot but it usually locks before I can OK the changes!

#6 jntkwx (Malware Response Team)

Posted 31 May 2013 - 03:31 PM

Run GETxPUD CD with MBR Report and Driver Search

If you have any questions, please stop and ask for clarification.

  • Using a clean computer download GETxPUD.exe to the desktop of your computer
  • Launch GETxPUD.exe
  • A new folder will appear on the desktop.
  • Open the GETxPUD folder and click on the get&burn.bat
  • The program will download xpud_0.9.2.iso, and when finished will open BurnCDCC ready to burn the image
  • Click on Start and follow the prompts to burn the image to a CD.
  • Format your USB then download dumpit and driver.sh to your USB device
  • Remove the USB and insert it into the infected computer
  • Boot your infected computer with the GETxPUD CD you just burned
  • The computer must be set to boot from the CD
  • Gently tap F12 while booting to go into Setup and change Boot Sequence to boot from the CD
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 or sdc1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert
  • Double click on the Dumpit file
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is completed please type the following then press Enter:

MigAutoPlay.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Remove the USB drive, insert it back in your working computer
  • Copy and paste the contents of filefind.txt in your reply
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply

===================================================

Things I would like to see in your next reply.

  • filefind.txt
  • report.zip
  • mbr.zip

Regards,
Jason

 



#7 Makalov99 (Topic Starter)

Posted 31 May 2013 - 04:02 PM

Jason,

I will try this soon but I'm away from my broken computer for a few days. I'll be anxiously working to your instructions (most likely) Sunday evening June 2nd.

#8 jntkwx (Malware Response Team)

Posted 31 May 2013 - 05:11 PM

Thanks for letting me know. :)


Regards,
Jason

 



#9 Makalov99 (Topic Starter)

Posted 03 June 2013 - 11:04 PM

Jason,

I'll burn the CD tomorrow at work and try to proceed Tuesday night.



#10 Makalov99 (Topic Starter)

Posted 04 June 2013 - 09:55 PM

Jason,

Sorry for the delay. As silly as it sounds I'm having a hard time burning a CD. My infected machine has the CD burner! Work laptop doesn't have one. Netbook doesn't have one. And my external CD-RW is a piece of junk apparently. It plays music but I can't get it to burn a CD. I'll try to find a desktop at work that has one.

In the meantime, is there any USB solution I can try?

#11 jntkwx (Malware Response Team)

Posted 05 June 2013 - 12:16 PM

Yes, there is a USB solution:

Download http://unetbootin.sourceforge.net/unetbootin-xpud-windows-latest.exe & http://noahdfear.net/downloads/bootable/xPUD/xpud-0.9.2.iso to the desktop of your clean computer.

  • Insert your USB drive
  • Press Start > Computer > right click your USB drive > choose Format > Quick format (this will erase anything on your USB drive. If you want to keep anything on your USB drive, make sure to move any files or folders from your USB drive to your clean computer.)
  • Double click the unetbootin-xpud-windows-387.exe that you just downloaded
  • Press Run then OK
  • Select the DiskImage option then click the browse button located on the right side of the textbox field.
  • Browse to and select the xpud-0.9.2.iso file you downloaded
  • Verify the correct drive letter is selected for your USB device then click OK
  • It will install a little bootable OS on your USB device
  • Once the files have been written to the device you will be prompted to reboot ~ do not reboot and instead just Exit the UNetbootin interface
  • After it has completed do not choose to reboot the clean computer simply close the installer
  • Download dumpit and driver.sh to your USB device

 

  • Remove the USB and insert it into the infected computer
  • Boot the Sick computer
  • Press F12 and choose to boot from the USB
  • Follow the prompts
  • A Welcome to xPUD screen will appear
  • Press File
  • Expand mnt
  • sda1,2...usually corresponds to your HDD
  • sdb1 or sdc1 is likely your USB
  • Click on the folder that represents your USB drive (sdb1 ?) If it is not there remove the USB device for 5 seconds then reinsert it.
  • Double click on the Dumpit file
  • A black window will pop-up and it will dump and zip the MBR to your USB drive.
  • Click Tool at the top
  • Choose Open Terminal
  • Type bash driver.sh and press Enter
  • After it has finished a report will be located on your USB device named report.txt
  • Now type bash driver.sh -af and press Enter
  • You will be prompted to input a file name. Please type the following then press Enter:

Winlogon.exe

  • After the search is completed please type the following then press Enter:

volsnap.sys

  • After the search is completed please type the following then press Enter:

explorer.exe

  • After the search is completed please type the following then press Enter:

Userinit.exe

  • After the search is completed please type the following then press Enter:

MigAutoPlay.exe

  • After the search is complete please type Exit and press Enter
  • A report will be located in the USB drive as filefind.txt
  • Remove the USB drive, insert it back in your working computer
  • Copy and paste the contents of filefind.txt in your reply
  • Please zip and attach report.txt to your reply
  • Please attach mbr.zip to your reply

===================================================

Things I would like to see in your next reply.

  • filefind.txt
  • report.zip
  • mbr.zip

Regards,
Jason

 

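The "dump the MBR" and "search for file names" steps in posts #6 and #11 above, as an added illustration that is not the forum's dumpit or driver.sh (whose internals are not shown in the thread): a small POSIX shell script that lists every copy of the requested system binaries on an offline Windows volume with size and SHA-256, and captures the first sector of the disk with a boot-signature check. It assumes the infected volume is mounted read-only under a live Linux at a path such as /mnt/sda1 (as the post names it); the function names and the sample volume are constructed for the example.

```shell
#!/bin/sh
# Added illustration, not the forum's dumpit/driver.sh: an offline "file find"
# over a Windows volume mounted under a live Linux (e.g. /mnt/sda1, as in the
# post) and an MBR capture with a boot-signature check. All function names and
# the sample volume below are constructed for this example.

# filefind ROOT NAME... : every file under ROOT whose name matches a NAME
# (case-insensitive), one line per hit: name|path|size|sha256.
# A system binary that also turns up outside \WINDOWS\system32 (a temp folder,
# a user profile) is the kind of hit the helper looks for in filefind.txt.
filefind() {
    root=$1; shift
    for name in "$@"; do
        find "$root" -type f -iname "$name" 2>/dev/null | sort |
        while IFS= read -r f; do
            size=$(wc -c < "$f" | tr -d ' ')
            sum=$( (sha256sum "$f" 2>/dev/null || shasum -a 256 "$f") | cut -d ' ' -f 1)
            printf '%s|%s|%s|%s\n' "$name" "$f" "$size" "$sum"
        done
    done
}

# dump_mbr DEVICE OUTFILE : copy the first 512-byte sector and require the
# 0x55AA boot signature at offset 510; returns 1 when the sector is not an MBR.
# Use the whole disk (e.g. /dev/sda), not a partition such as /dev/sda1.
dump_mbr() {
    dd if="$1" of="$2" bs=512 count=1 2>/dev/null || return 1
    sig=$(od -An -tx1 -j 510 -N 2 "$2" 2>/dev/null | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# make_sample_volume DIR : constructed stand-in for a mounted XP volume, with
# the real winlogon.exe in system32, a lookalike planted in a temp folder, and
# a 512-byte "disk" whose last two bytes carry the boot signature.
make_sample_volume() {
    mkdir -p "$1/WINDOWS/system32" "$1/Documents and Settings/user/Local Settings/Temp"
    printf 'MZ-real-winlogon' > "$1/WINDOWS/system32/winlogon.exe"
    printf 'MZ-lookalike'     > "$1/Documents and Settings/user/Local Settings/Temp/Winlogon.exe"
    printf 'MZ-explorer'      > "$1/WINDOWS/explorer.exe"
    { dd if=/dev/zero bs=510 count=1 2>/dev/null; printf '\125\252'; } > "$1/disk.img"
}

# On the live system the calls would look like this (paths are assumptions):
#   filefind /mnt/sda1 Winlogon.exe volsnap.sys explorer.exe Userinit.exe MigAutoPlay.exe > /mnt/sdb1/filefind.txt
#   dump_mbr /dev/sda /mnt/sdb1/mbr.bin
```

Two hits for one system binary with different hashes, or a hit under a profile's Temp folder, is what makes the report worth reading; a zero-hit name such as MigAutoPlay.exe simply produces no lines.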


#12 Makalov99 (Topic Starter)

Posted 05 June 2013 - 09:02 PM

Jason,

I saved the files to a USB and booted from it. In a black screen, I get

"SYSLINUX 3.72 2008-09-25 EBIOS copyright © 1994-2008 H. Peter Anvin
Could not find kernel image: linux
boot:__"

and a blinking cursor after the colon. ?

#13 jntkwx (Malware Response Team)

Posted 05 June 2013 - 09:04 PM

Try reformatting the USB drive, follow all of the instructions in my previous instructions again. It may be that this version of Linux (xPUD) might not work. There are other options we can try.


Regards,
Jason

 



#14 jntkwx (Malware Response Team)

Posted 08 June 2013 - 08:31 AM

Makalov99,

It has been three days since my last post. Do you still need help?

If you do, please follow my previous instructions.


Regards,
Jason

 



#15 Makalov99 (Topic Starter)

Posted 08 June 2013 - 06:26 PM


Jason,

No good. Reformatted and reloaded several times. It just gives the same response about Linux each time. Bleeping computer!



