Stuck in an Infinite CkDsk Safe Mode Loop

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by tyrali, Oct 16, 2009.

  1. tyrali

    tyrali Private E-2

    My friend's computer is currently in an infinite loop with check disk while in safe mode. A virus that exists may not have caused this to happen, but is apparently taking advantage of his having tried to clean the system by scheduling a check disk on next boot in safe mode. This infinite loop began after a scan with Malwarebytes. Malwarebytes identified a number of problems and rebooted the system after fixing/deleting the problems discovered. It is unknown which virus or viruses are on the computer, but an HJT scan revealed kernel32.exe "possibly from" babylon, kernel, "1 or 2" others. My questions are: 1. How do we get out of the infinite chkdsk loop "in safe mode"? 2. How can we get back into the system? 3. Since Malwarebytes apparently didn't fix the virus problem, what can I do from here on out?

    Thank you.
     
  2. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    Welcome to Major Geeks!

    For your friend's education, chkdsk is not a malware removal tool and thus does not help remove malware.

    You did not even tell us what version of Windows is being used. Thus I will assume Windows XP.

    1. How was it scheduled?
    2. Do you see a message saying "To skip disk checking, press any key within xx second(s)"? If so, just press a key.
    3. Does chkdsk run all the way thru to completion? If not, see #5
    4. Does it find any disk errors to repair? If yes, did it fix them?
    5. If chkdsk does not run all the way thru, you can try to run chkdsk /p /r from the Recovery Console ( see:http://support.microsoft.com/kb/314058 )
    If the above does not work/help, you will have to try doing the below to use the Recovery Console to restore an older restore point from before this problem occurred. This may or may not work.

    http://support.microsoft.com/default.aspx?scid=kb;en-us;307545&sd=tech



    Additional note: Typically when chkdsk is scheduled to run at boot time, the below registry key has been modified. What I'm showing below is the default. ( Reference: http://support.microsoft.com/kb/158675 )

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    "BootExecute"="autocheck autochk *"

    It may need to be changed back to the above since it could now have additional info in it causing the scan to run. Like the BootExecute value may be autocheck autochk /k:c *

    To make this change, you need to be able to edit the registry on the drive that is stuck in this loop. Obviously you cannot do this from Windows if you cannot boot into Windows. But a disk like the one below, which you can make and boot from, does allow you to do this registry edit:

    UBCD4Win
     
    Last edited: Oct 19, 2009
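    An added example, not code from chaslang's post or from MajorGeeks: a PowerShell function that reads the BootExecute value discussed above, reports anything beyond the default `autocheck autochk *`, and optionally restores that default. The function name, the `-HiveRoot` and `-Repair` parameters and the `HKLM:\Offline` hive name are my own; the function assumes an elevated session, and for the offline case assumes the stuck drive's SYSTEM hive has already been loaded with `reg.exe load`.

```powershell
# Added example, not the thread's own code. Audit the BootExecute value that
# controls what autochk does at boot, compare it with the default from the post,
# and optionally restore that default. Requires an elevated session.
# -HiveRoot is a made-up parameter: leave it at HKLM:\SYSTEM on a live system, or
# point it at an offline SYSTEM hive you mounted first with
#   reg.exe load HKLM\Offline <drive>:\Windows\System32\config\SYSTEM
# and then pass -HiveRoot 'HKLM:\Offline'.
function Test-BootExecute {
    [CmdletBinding()]
    param(
        [string]$HiveRoot = 'HKLM:\SYSTEM',
        [switch]$Repair
    )
    $default = 'autocheck autochk *'

    # A live hive exposes CurrentControlSet; an offline hive only has
    # ControlSet00N, so resolve the active one from the Select key.
    $sm = Join-Path $HiveRoot 'CurrentControlSet\Control\Session Manager'
    if (-not (Test-Path -LiteralPath $sm)) {
        $n  = (Get-ItemProperty -LiteralPath (Join-Path $HiveRoot 'Select')).Current
        $sm = Join-Path $HiveRoot ('ControlSet{0:D3}\Control\Session Manager' -f $n)
    }

    # BootExecute is REG_MULTI_SZ: every element is a program Session Manager
    # runs before any service starts, so any entry beyond the default is either
    # an altered autochk invocation (like the /k:c form in the post) or a
    # persistence entry that deserves a look.
    [string[]]$current = (Get-ItemProperty -LiteralPath $sm -Name BootExecute).BootExecute
    $extra = @($current | Where-Object { $_ -ne $default })

    $result = [pscustomobject]@{
        Key        = $sm
        Current    = $current
        NonDefault = $extra
        IsDefault  = ($extra.Count -eq 0 -and $current -contains $default)
    }
    if ($Repair -and -not $result.IsDefault) {
        # Write back exactly the default shown in the post, which cancels the
        # scheduled autochk run and drops any foreign entry.
        Set-ItemProperty -LiteralPath $sm -Name BootExecute `
            -Value ([string[]]@($default)) -Type MultiString
        $result | Add-Member -NotePropertyName Repaired -NotePropertyValue $true
    }
    return $result
}
```

    Run `Test-BootExecute` to audit and `Test-BootExecute -Repair` to reset; when working against a loaded offline hive, finish with `reg.exe unload HKLM\Offline` so the change is flushed to the stuck drive.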
  3. tyrali

    tyrali Private E-2

    System: Dell P4600, OS: XP SP2, AVG8.5 (updated) with Resident Shield, MS Firewall and DSL modem firmware firewall
    Started noticing some wonkiness with the following symptoms:
    a.) MS Defrag would open but not defragment and the toolbar icon was blacked out.
    b.) Used Auslogic’s defrag app which worked fine but noticed an incredibly large amount of fragmented files being processed which is unusual since HD is defragged at least twice weekly as periodic maintenance.
    c.) System tray clock showed 24 hour notation when it should have been AM/PM but clicking to bring up the clock displayed AM/PM correctly.
    d.) Explorer would not allow renaming files or creating MS Word and Excel files through the context menu. Although, Word & Excel apps could create them.
    e.) Clicking on Google search items would sometimes, but not always, re-direct to unintended sites other than listed.
    f.) Couple of other symptoms, I can’t remember what off-hand, but nothing critical.
    * Ran MS System File Checker but no problems were indicated.
    * Ran a system Checkdisk, and it went through all stages successfully. Since at this point I was half-expecting it to find some problem but didn’t I went to “My Computer”, local disk, properties and scheduled a CheckDisk on next boot. Rebooted but no scan occurred and it went right back into Windows.
    * Tried again with the same result – no scan, immediate boot to Windows.
    * Googled “Defrag not working” and some search entries indicated a virus problem.
    * Ran AVG and Spybot S&D on full system with no problem indicated.
    * Ran HijackThis and submitted report for online analysis that indicated Kernal32.exe existed on my system, possibly installed by the names of 3 or 4 viruses.
    * Visually verified Kernal32.exe existed in Windows directory so I came to MajorGeeks for assistance.
    * Read the “Read Me First/Do Me First” and was going through that process before submitting a ticket. Was at the point of downloading and running MalwareBytes which ID’d a number of problems – none of which was Kernal32.exe. Clicked on “Fix”, visually verified that Kernal32.exe was in fact gone and selected reboot.
    * Reboot started CheckDisk. It would go through Stage1 and 3% of Stage2 then start over without indicating any errors or fixes occurring. No message to allow skipping or cancelling. It kept doing this over and over in an infinite loop, getting no further than 3% of Stage2. I was finally able to break out of it with the F8 key and it went to the DOS Setup Menu, or whatever it’s called. Selected “Boot in Safe Mode” but it went back into the infinite loop so I F8 keyed to the menu again and there I let it remain. I had a friend contact you for help on a working PC, as mine then, wasn’t.
    * Read your link on “How to recover from a corrupted registry that prevents Windows XP from starting” but can’t do that since the “Warning” says no-go on OEM installed OS’s.
    * Crossed my fingers and selected “Last known good startup” or whatever it’s called.
    Hooray, it went into Windows just fine but I still don’t have use of MS Defrag so maybe I still have a virus. Ran MalwareBytes again and it found 2 more quirky dll names. I haven’t been connected to the internet since last Friday. What would you recommend at this point? Should I run any app in particular? Many thanks for responding to my help request. You guys are great.
     
  4. tyrali

    tyrali Private E-2

    Have attached requested files in the “Do me first” list as two posts and await your recommendations.
    1 SUPERAntiSpyware Scan Log - 10-20-2009 - 23-45-40.log
    2 mbam-log-2009-10-21 (15-12-23).txt
    3 ComboFix 10212009 log.txt
    4 10212009 20_44 RRlog.txt
    5 MGlogs.zip

    Still noticing some wonkiness with the following symptoms:
    a.) Clicking on AVG in the system tray opens and reports “There are no active components”. This even though I have Resident Shield enabled.

    b.) AVG will not update definitions when clicking on the Update button.
    * Is this evidence of a continued malware presence?
    * Do I need to re-install AVG? I believe I will because I dread going without virus protection of any kind while awaiting your response.

    c.) MS Defrag will now open and run but the toolbar icon is still blacked out and defrag took an incredibly long time even though 50% of a 112GB HD is freespace and I defrag quite often; at least before last Friday’s problem started.
    * Is this evidence of a continued malware presence?
    * Do I need to do anything here?

    d.) Noticed three new folders that I didn’t intentionally create: C:\Config.Msi which is empty and C:\9857f75965f3e3fc6b and C:\cb70b84bf5cdb3199994ead2, both with mrt.exe and mrtstub.exe files.
    * Did one of the “Do me first” routines create these?
    * If you know that one of the routines did create them, can I safely delete them?

    BTW
    + System tray clock now shows AM/PM correctly instead of 24 hour notation
    + Explorer now allows renaming files and creating MS Word and Excel files through the context menu.
    + My DSL download throughput has increased from 1.5Mbps and returned to its rated 6.1Mbps.
    + No further re-directs on clicking Google search links for the moment.
    + Otherwise, system performance seems decent again although until given an all-clear, I feel like it’s a minefield.
     

  5. tyrali

    tyrali Private E-2

    fifth file
     

  6. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    You are way way out of date with your version of SUPERAntiSpyware and also did not update Malwarebytes.
    • Please uninstall your current version (this is necessary).
    • Then download this SUPERAntiSpyware
    • Install this new version. It may tell you that you need to reboot to complete the installation. You must reboot at this time.
    • After the reboot, run SUPERAntiSpyware and immediately click the Check for Updates button to get more updates for the database.
    • Now run a new full scan of your system. And attach this new log.
    Now run Malwarebytes and click the Update tab. Then click the Check for Updates button so you update to the current version of the program and database. Then run a new scan with it too. Attach the new log.

    Who created the below folders?
    Code:
    2009-09-29 03:46 . 2009-09-29 03:46 -------- d-----w- C:\System32
    2009-09-25 20:11 . 2009-09-25 20:11 -------- d-----w- C:\X2
    2009-09-25 20:11 . 2009-09-25 20:11 -------- d-----w- C:\X0
    The System32 one should be deleted or moved elsewhere as it does not belong here and looks like malware. The other two are suspicious too.


    Run this Disable/Remove Windows Messenger to remove Windows Messenger. Do not confuse Windows Messenger with MSN Messenger because they are not the same. Windows Messenger is a frequent cause of popups.

    Uninstall the below old versions of software:
    Java(TM) 6 Update 2
    Java(TM) 6 Update 6
    Spybot - Search & Destroy 1.5.2.20

    Now we need to use ComboFix
    • Make sure that combofix.exe that you downloaded while doing the READ & RUN ME is on your Desktop but Do not run it!
      • If it is not on your Desktop, the below will not work.
    • Also make sure you have shut down all protection software (antivirus, antispyware...etc) or they may get in the way of allowing ComboFix to run properly.
    • If ComboFix tells you it has expired or needs to be updated to a new version, make sure you allow it to update.
    • Open Notepad and copy/paste the text in the below quote box into it:
    • Save the above as CFscript.txt and make sure you save it to the same location (should be on your Desktop) as ComboFix.exe
    • At this point, you MUST EXIT ALL BROWSERS NOW before continuing!
    • You should have both the ComboFix.exe and CFScript.txt icons on your Desktop.
    • Now use your mouse to drag CFscript.txt on top of ComboFix.exe
    • Follow the prompts.
    • When it finishes, a log will be produced named c:\combofix.txt
    • I will ask for this log below
    Note:

    Do not mouseclick combofix's window while it is running. That may cause it to stall.


    After reboot, now install the current version of Sun Java from: Sun Java Runtime Environment

    Now run Ccleaner. Only use the Run Cleaner button. Do not run anything else on any other forms.

    Now run the C:\MGtools\GetLogs.bat file by double clicking on it (Note: if using Vista, don't double click, use right click and select Run As Administrator).

    Then attach the below logs:
    • C:\ComboFix.txt
    • C:\MGlogs.zip
    Make sure you tell me how things are working now!
     
  7. tyrali

    tyrali Private E-2

    Attaching the following requested files:
    1 SUPERAntiSpyware Scan Log - 10-27-2009 - 02-06-06.log
    2 mbam-log-2009-10-27 (04-22-01).txt
    3 ComboFix.txt
    4 MGlogs.zip

    Addressed the following issue recommendations:
    SUPERAntiSpyware - Uninstalled current version, installed Version: 4.29.1004, checked for updates, and ran the app.
    Malwarebytes – Verified latest version 1.41, checked for updates, and ran the app.
    C:\System32 – Deleted this folder. I don’t know what originally created it.
    C:\X2 – Kept this working folder
    C:\X0 – Kept this working folder
    MessengerDisable.exe – Ran this executable.
    Java - Uninstalled all old versions and installed version 6, update 16
    Spybot - Search & Destroy - Uninstalled
    ComboFix – Dragged the script from Desktop and ran the app.

    Question 1 –
    If MessengerDisable.exe removed Windows Messenger, it still appears in
    Control Panel > Add or Remove Programs > Add/Remove Windows Components > Windows Messenger 14.3 MB
    There are actually two listings with the same title and one showing 0 MB. Both listings are unchecked. Is it reasonable that they are listed? Do I need to do anything else?

    Question 2 – Can I delete the following folders/files
    C:\MGlogs.zip
    C:\ComboFix.txt
    C:\MGtools.exe
    C:\cb70b84bf5cdb3199994ead2\mrt.exe
    C:\cb70b84bf5cdb3199994ead2\mrtstub.exe
    C:\Qoobox and Subfolders
    C:\MGtools and Subfolders
    C:\Program Files\Windows Messenger Removal

    Things definitely seem to be running better now. I appreciate all your help.
     

  8. chaslang

    chaslang MajorGeeks Admin - Master Malware Expert Staff Member

    This is normal. It is just a Windows component that can be added or removed just like everything else you see on that form.

    Since your logs are clean, final instructions below will cleanup everything we have done. Anything else is up to you to keep your PC clean.


    If you are not having any other malware problems, it is time to do our final steps:
    1. We recommend you keep SUPERAntiSpyware and Malwarebytes Anti-Malware for scanning/removal of malware. Unless you purchase them, they provide no protection. They do not use any significant amount of resources ( except a little disk space ) until you run a scan.
    2. If we had you use ComboFix, uninstall ComboFix (This uninstall will only work as written if you installed ComboFix on your Desktop like we requested.)
      • Click START then RUN and enter the below into the run box and then click OK. Note the quotes are required
      • "%userprofile%\Desktop\combofix" /u
        • Notes: The space between the combofix" and the /u, it must be there.
        • This will uninstall ComboFix and also reset hidden files and folders settings back to Windows defaults.
    3. Any other miscellaneous tools we may have had you install or download can be uninstalled and deleted.
    4. If we had you download any registry patches like fixme.reg or fixWLK.reg (or any others), you can delete these files now.
    5. If running Vista, it is time to make sure you have reenabled UAC by double clicking on the C:\MGtools\enableUAC.reg file and allowing it to be added to the registry.
    6. Go to add/remove programs and uninstall HijackThis.
    7. Go to the C:\MGtools folder and find the MGclean.bat file. Double click on this file to run this cleanup program that will remove files and folders related to MGtools and some other items from our cleaning procedures.
    8. If you are running Vista, Windows XP or Windows ME, do the below:
      • Refer to the cleaning procedures in step 3 of the READ ME for your Windows version and see the instructions to Disable System Restore which will flush your Restore Points.
      • Then reboot and Enable System Restore to create a new clean Restore Point.
    9. After doing the above, you should work thru the below link:
     