write command during the test has failed to complete. this may be due to a memory....

[TekNoGeek]

After Googling for freeware to backup a BluRay dvd, the web site I went to nailed me. I started getting the following message in multiple message boxes:

"A write command during the test has failed to complete. This may be due to a memory reference to an invalid system memory address. It is highly recommended to run a complete hard drive scan to prevent loss of personal files."

I recognized this type of message format as some kind of virus/malware and disconnected from the web site. When I rebooted my PC, all of my DeskTop icons were gone, there were no entries under the Start->All Programs Menu and the above message boxes began to again display. Then the PC automatically rebooted.

I also get a popup in the system tray that I need to activate Windows because a lot of my hardware has changed since last activation. It has been activated for years and it is current on my Authentication/Genuine Advantage. There have been NO hardware changes made in years, so I know that this is a bogus (virus) msg.

Since my PC was unstable in normal mode, I rebooted into safe mode. After launching Explorer (from Start->Run), I found that all of my directories and files were flagged as Hidden. So I used the DOS command Attrib *.* -H /s/d to unhide everything. So now I had all of my icons back. No files were apparently deleted. I then reviewed the Windows registry and found the SOB program listed in the RUN key:
HKLM->Software->Microsoft->Windows->CurrentVersion->Run
I did not delete it, but the below downloaded software took care of it.

From my other PC, I googled the above err message and found your web site. Here's what I've done, per your site's guidance on the infected PC (in safe mode):
#1. Download:
... (a) RogueKiller - to desktop
... (b) Malwarebytes - to C:\_Malwarebytes\
... (c) TDSSKiller - to desktop
... (d) HitmanPro - to desktop
... (e) MGtools - to C:\

#2. Run the program:
... (a) RogueKiller - from the desktop. I Did not fix anything, per your instructions.
... (b) Malwarebytes - following your instructions.
... (c) TDSSKiller - does not launch. Tried several times.
... (d) HitmanPro - from desktop following your instructions.
... (e) MGtools - from C:\

#3. Logs attached: (contained in uploaded ZIP file)
... (a) RogueKiller - RKreport[1].txt
... (b) Malwarebytes - mbam-log-2012-10-09 (09-47-05).txt
... (c) TDSSKiller - No Log. Pgm did not launch.
... (d) HitmanPro - HitmanPro_20121009_1132.log
... (e) MGtools - MGlogs.zip
... (f) HiJackThis - hijackthis 2012-10-11 @ 1130am.log


Subsequently I've run the following:
#4. I then ran my Symantec AV client software. It found 5 trojans in the RECYCLER directory:
... (a) Trojan.Zeroaccess.B - Removal declared as "Partial"
... (b) Trojan.Zeroaccess.C (2 occurrences) - Removal declared as "Cleaned by deletion"
... (c) Trojan.Gen - Removal declared as "Quarantined"
... (d) Trojan.Gen.2 - Removal declared as "Quarantined"
However, when I re-ran an AV scan on just the RECYCLER folder, I got the same results again.

#5. I then Ran MSFT Malitious Software Removal Tool. It found 0 problems.

#6. I then ran HiJackThis and have attached its log. There are some entries in here that to me are a red flag on the track!:
... (a) RUNNING PROCESS: C:\Documents and Settings\HowardM\amsgujxeivwjhcfjjoxlbceph.exe
... (b) There are also some BHO Java entries that look suspicious to me.
I also confirmed that Item (a) is currently running as a Process under Windows Task Manager (and I'm running in Safe Mode).
... (c) I also noticed 2 suspicious files in C:\Documents and Settings\HowardM
...... #1 amsgujxeivwjhcfjjoxlbceph.exe
......... (a) which showed up in HiJackThis
......... (b) which also currently resides in C:\Windows\System32
...... #2 gbitpbfbosoe.exe This file name did not show up in any of your logs.
However, I found it in my registry under the following keys:
...HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Control\Session Manager
...... Name: PendingFileRenameOperations
...... Type: REG_MULTI_SZ
...... Data: \??\C:\Documents and Settings\HowardM\gbitpbfbosoe.exe
It was also found under: ControlSet001
I'll wait until I here from you on how to proceed.

TMI?

All of my logs are contianed in the uploaded ZIP file.
After reviewing my logs, please let me know how to proceed.

Thanks for the assist.

[Kestrel13!]

None of the requested logs attached I'm afraid.

[TekNoGeek]

I probably forgot to click the upload button after I browsed for the ZIP file. I'll try it again.

Attached should be file
====> MajorGeeks_Upload_Logs.zip
This ZIP file should contain the following logs:
... (a) RogueKiller - RKreport[1].txt
... (b) Malwarebytes - mbam-log-2012-10-09 (09-47-05).txt
... (c) TDSSKiller - No Log. Pgm did not launch.
... (d) HitmanPro - HitmanPro_20121009_1132.log
... (e) MGtools - MGlogs.zip
... (f) HiJackThis - hijackthis 2012-10-11 @ 1130am.log

[Kestrel13!]

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Please also download MBRCheck to your desktop

• Double click MBRCheck.exe to run (vista and Win 7 right click and select Run as Administrator)
• It will show a Black screen with some information that will contain either the below line if no problem is found:
  • Done! Press ENTER to exit...
• Or you will see more information like below if a problem is found:
  • Found non-standard or infected MBR.
  • Enter 'Y' and hit ENTER for more options, or 'N' to exit:
• Either way, just choose to exit the program at this point since we want to see only the scan results to begin with.
• MBRCheck will create a log named similar to MBRCheck_07.16.10_00.32.33.txt which is random based on date and time.

[TekNoGeek]

I am currently running in safe mode because of the virus/viruses. I am afraid to startup in normal mode. The PC has been on for a couple of days now, rather than restart and possibly propogate the virus further and particularly since I have a boot sector virus too. (I ran an MBRCheck yesterday, just to see.)

TDSSKiller does not launch.

But if you would like me to startup in normal mode & try to run TDSSKiller from there, I will.

I just reran the MBRCheck from a DOS prompt and have attached a screen image print for you. Both my C: & D: have a boot sector virus.

Thanks for the assist.

P.S.

Although I unhid all of my files, almost all of the program links are gone in the Start->Programs listings, . However, I found them safely tucked away in the directory

• C:\Temp\SMPT\1\ and in
• C:\Temp\SMPT\2\

I've not returned them to their proper location yet. I'm waiting to resolve the virus issue first.

[Kestrel13!]

You got an MBR infection. Do you have you XP boot CD?

[TekNoGeek]

Quote:

Originally Posted by Kestrel13!

You got an MBR infection. Do you have you XP boot CD?

Yes I do.

I'm running Win-XP @ SP3.

I have 2 CDs:

1. XP-SP2
2. Slipstream XP-SP3

U pick.

Will the XP CD also fix the bootsector virus on the D: drive as well?

Tx.

[Kestrel13!]

Quote:

U pick.

Use the XP SP2 CD.

You need to use your Windows XP CD to boot to the Recovery Console and run the fixmbr to clear a Master Boot Record infection that you have.

You can read the below to help you do this:

http://support.microsoft.com/kb/307654


After running the fixmbr command then boot back to normal mode Windows and try running MBRCheck again now. Then attach the log. Also explain if you are still having any malware problems.

[TekNoGeek]

1. I ran FIXMBR from the recovery console
2. Booted into "normal mode" and ran MBRcheck. Boot virus still there.
3. Launching IE to MG's web site spawned a new browser instance to AMAZON.COM
4. After approx 2 minutes, PC rebooted itself.

The PC's network card activity light was blinking like it was on steroids. Apparently my PC is being used as a zombie spammer, as recent E-mail has bounced back as undeliverable because blocked using zen.spamhaus.org .

Rebooted into safe mode. boot sector virus is back. So some things obviously didn't get deleted from running the recommended pgms.

Ran your programs again. It deleted some things. Network card activity light now stable.

But I still have some undesireable/virus files hanging around. See the logs.

The folowing logs/files are contained in the uploaded ZIP file:

1. HitmanPro_20121013_2108.log
2. mbam-log-2012-10-13 (19-09-06).txt
3. MBRcheck Screen Shot 2012-10-13 @ 1833.JPG (After repair & boot to normal mode)
4. MBRCheck_10.13.12_18.33.14.txt (After repair & boot to normal mode)
5. MGlogs 2012-10-13 @ 2158.zip
6. RKreport[2].txt

What now sayest thou?

Tx.

[Kestrel13!]

When you run Hitman what option does it give you with this entry?

• Win32/Bootkit

You can have it delete everything else that it finds to but let me know about that one entry.

Yes there's more to do but we'll deal with this bit first.

[TekNoGeek]

Quote:

Originally Posted by Kestrel13!

When you run Hitman what option does it give you with this entry?

• Win32/Bootkit

You can have it delete everything else that it finds to but let me know about that one entry.

Yes there's more to do but we'll deal with this bit first.

[Sorry it took so long for me to get back to you. I've been doing a lot of research. I'm sure you appreciated your time away from me as there are sooo many others also clammoring for help.]

I don't see that entry Win32/Bootkit anywhere. Am I overlooking something. Where/when should I expect to see it?

That FAKED mbr just won't go away & the MSFT CDs don't fix it! (My MSFT CDs are originals issued by MSFT.)

====================================
MY ACTIVITY NOTES - SUNDAY 2012-10-14
====================================
I am currently running in safe mode. PC was left on since yesterday.

I mentioned prevoiusly that my network card activity light was no longer on steroids. Well, I left the PC connected to the internet, and when I returned to the PC a few hours later, the light was back on steroids. so I disconnected the data cable.

Ran HitmanPro
--->select action Delete C:\WINDOWS\msisear.exe .(This file is not found on my good PC.)

REGEDIT - (search for MSISEAR)
...Find #1 in key: HKLM\Software\msisear.exe
......string value = GUID,
......Value Data = 30a7b26e5b432934b5192a6f4fcd7ebd
...Find #2 in key: HKLM\System\ControlSet003\Services\W32serv (msisear & w32serv not found in registry on good PC.)
...the above Data Value 30a7b... was not found anywhere else in registry.

DID NOT YET REBOOT.
found these two highly suspicious files still hanging around:
[1] \%profile%\foculnyzisyadbilqbv.exe
[2] \%profile%\wqeknfettfdildk.exe
Renamed them to XX_(filename)
(FYI: Symantec AV Corp Edition does not yet recognize these as a virus.)

REGEDIT (Search for above 2 base file names):
File [1] was not found in the registry
File [2] was found in:
...HKLM\System\ControlSet001\Control\Session Manager
.....String Value = PendingFileRenameOperations
.....Type = REG_MULTI_SZ
.....Value Data = \??\C:\Documents and Settings\HowardM\wqeknfettfdildk.exe
So I Blanked out the Value Data and created:
.....String Value XX_PendingFileRenameOperations
.....with the original Value Data,
Did this for documentation purposes.
REGEDIT then automatically created a dup of my new string (XX_...) under
...HKLM\System\ControlSet\Control\Session Manager
No more occurences of the base file name found in the registry.

I renamed the file
...C:\WINDOWS\TEMP\Temp36.exe to XX_Temp36.exe
This file was not found the current malware scans but still exists. File is not found in the registry. (I had changed my %TEMP% & %TMP% dir to C:\Temp years ago. So if there's anything in the \Windows\Temp dir, it doesn't belong there.)

Deleted files in C:\Windows\Prefetch

Confirmed that the virus had not re-created any more funny file names in the same locations.

Reboot with Windows CD (XP-Pro incl SvcPk2) to run FIXMBR under Recovery Console. Ran it 2X just because...

Immediately rebooted again with same Windows CD to run FIXMBR under Recovery Console. Reviewed results.

Boot into Safe Mode W/ Networking to review the situation.
...Ran MBRcheck.
...Reviewed services running in Task Manager.
...Looked for funny file names in previously known locations.
...Connected to internet & watched the PC's network activity light. Normal (so far)
...Browse to MG web site and observe for any redirection or new browser instances being automatically launched. None.


Uploaded are the following files for your review:
[1] MajorGeeks Upload 5 Logs.zip
Containing the following 5 logs:
...[A]HitmanPro_2012-10-14_2048.log
...[B]mbam-log-2012-10-14 @ 2012.txt
...[C]MGlogs 2012-10-14 @ 2108.zip
...[D]RKreport[1] 2012-10-14 @ 2002.txt
...[E]MBRCheck_10.15.12_16.22.44.txt

[2] MSFT WinXP Process Explorer 2012-10-14 @ 2222.JPG
Interesting... I think there's an extra SVCHOST running that I didn't notice on my good PC in safe mode.


====================================
MY ACTIVITY NOTES - MONDAY 2012-10-15
====================================
Booted into Recovery Console from MSFT's original CD = Win-XP Pro No SvcPk included, since FIXMBR from my MSFT CD w/ SP2 does not fix the faked MBR.
Ran FIXMBR twice
Booted into Recovery Console this time using MSFT's original CD = Win-XP Pro SP3
Ran FIXMBR twice
Booted into Safe Mode
Ran MBRCHECK.EXE - Bootsector still FAKED! (SO8, &!%$(* & $hi!)

Booted into Normal Mode - OpSys takes > 10 minutes to almost settle down then utomatically reboots itself. Tried this 2X.
Boot into Safe Mode w/ Networking.
Ran MBRCHECK.EXE
Boot sector on both C: & D: still faked!
PC's network activity lite is back on steroids! So I am either a zombie spammer or they are uploading all of my files to th mother ship. ("mother" is one of two words!)

This is one VERY STUBBORN MBR virus! What else is in your bag of tricks to try to fix that MBR?

I eagerly await your wisdom.

Tx for taking the time to assist.

[TekNoGeek]

Quote:

Originally Posted by Kestrel13!

When you run Hitman what option does it give you with this entry?

• Win32/Bootkit

You can have it delete everything else that it finds to but let me know about that one entry.

Yes there's more to do but we'll deal with this bit first.

Sorry. I again forgot to click the UPLOAD button after browsing for the files.

They should attach to this msg.

[Kestrel13!]

Fix items using RogueKiller.

Double-click RogueKiller.exe to run. (Vista/7 right-click and select Run as Administrator)
When it opens, press the Scan button
Now click the Registry tab and locate these 2 detections:

• [Services][ROGUE ST] HKLM\[...]\ControlSet001\Services\61883 (system32\DRIVERS\61883.sys) -> FOUND
• [Services][ROGUE ST] HKLM\[...]\ControlSet003\Services\61883 (system32\DRIVERS\61883.sys) -> FOUND

Place a checkmark each of these items, leave the others unchecked.
Now press the Delete button.

and the same for Files/Folders tab.

• [ZeroAccess][FILE] Desktop.ini : C:\WINDOWS\Assembly\GAC\Desktop.ini --> FOUND
• [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\n --> FOUND
• [ZeroAccess][FILE] n : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\n --> FOUND
• [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\@ --> FOUND
• [ZeroAccess][FILE] @ : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\@ --> FOUND
• [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\U --> FOUND
• [ZeroAccess][FOLDER] U : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\U --> FOUND
• [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-18\$741bdcc3d1675d6a3a9286a794e8eda2\L --> FOUND
• [ZeroAccess][FOLDER] L : C:\RECYCLER\S-1-5-21-527237240-329068152-682003330-1003\$741bdcc3d1675d6a3a9286a794e8eda2\L --> FOUND

When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Reboot the machine and re run RogueKiller just a scan and attach log.
Sane for MBRCheck.

[TekNoGeek]

WOW! Your post was at 6AM. Do you ever sleep, stop to eat, stop to breathe???

Thanx for your prompt response to my last post. Really appreciate your devotion.

RogueKiller
...Registry Tab
===>Deleted the 2 registry entries
...Files Tab
===>Deleted the 9 requested entries
``````(there were no boxes to check so I selectively highlighted the requested ones & pressed the DELETE button.)
===>Eyeballs went bonkers with tose hex strings!

Attaching RK log
...RKreport 2012-10-16 @ 1155.txt

PC left on, no reboot yet.

I was wondering if I sh copy the file 61883.SYS from my good PC to repl the one on the infected PC?

Here's the file stats on 61883.SYS :
FILE SIZE: same on both PCs = 48,128 bytes
MOD DATE: same on both PCs = 4/14/2012
CREATE DATE: Bad PC = 1/10/2012 Good PC = 12/7/2010

I was wondering if I sh copy 61883.SYS from my good PC to my infected PC. Cause if it's infected, I'll just be back in the ditch again when I reboot. Or don't viruses infect .SYS files?

Tx again.

[Kestrel13!]

I shouldn't have included the sys file in my deletion script. I'm sorry. Can it be dequarantined - check the RogueKiller Quarantine folder.

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSkiller - How to run


Also I had asked you to re run MBRCheck again. Do that now, and Can you attach that log?

Quote:

WOW! Your post was at 6AM. Do you ever sleep, stop to eat, stop to breathe???

I'm in UK.

[TekNoGeek]

Quote:

I shouldn't have included the sys file in my deletion script. I'm sorry. Can it be dequarantined - check the RogueKiller Quarantine folder.

I didn't delete the 61886.SYS file. I had RK delete the registry entry. Is it the registry entry that you want me to undo from the quarantine folder? (See attached file RK Quarantine Folder Screen Image.JPG)

Quote:

I want you to run TDSSKiller so refer to the below for how to do so.

TDSSKiller does not run on my infected PC in Safe Mode. When the infected PC is brought up in normal mode, the PC will automatically reboot before it finishes initializing. And you requested me not to reboot my infected PC just yet (or so that's what I thought you meant).

Quote:

When it is finished, there will be a log on your desktop called: RKreport[2].txt
Attach RKreport[2].txt to your next message. (How to attach)
Do not reboot your computer yet.

Reboot the machine and re run RogueKiller just a scan and attach log.

Your instructions here are not very clear.
First you say to not reboot, then immediately after you say to reboot. That's why I did not reboot after running RK. I assumed you wanted to first review my uploaded info before rebooting. You wanted me to run MBRcheck after rebooting. I don't know that anything was done to fix the MBR so it made no sense to attach a new MBRcheck Log as it is the same as prev. I'm still waiting to reboot. Are you getting me confused with the others that you are assisting? Or am I confused?

Quote:

Also I had asked you to re run MBRCheck again. Do that now, and Can you attach that log?

I was waiting for clearer instructions after your review of my last post. Please see attached.

Unanswered Question:
I was wondering if I sh copy the file 61883.SYS from my good PC to repl the one on the infected PC? Cause if the file is infected, I'll just be back in the ditch again when I reboot. Or don't viruses infect .SYS files? (See my prev post for file attribute difference between good & infected PC.)

Files & Thumbnails Attached:

1. MBRcheck Screen Image 2012-10-16 @ 2230.JPG
2. MBRCheck_10.16.12_22.28.57.txt
3. RK Quarantine Folder Screen Image.JPG

[Kestrel13!]

No, not getting confused with others. I am going to have to have a word with colleagues never the less as I don't know why my instructions in post #8 to have you fix the MBR failed. You could try those steps again whilst I seek advice.

[TekNoGeek]

I appreciate your continuing efforts on this.

I used to be a TechHead in my network integration & support services daze (er, days). I retired 5 years ago. In my 15 years of client support, I never had to deal with the MBR. So I'm a bit shy & rusty. That's why I'm here.

I have a Q. What's the difference in FIXMBR and FIXBOOT in the MSFT recovery console?

I found on my software shelf a retail copy of Norton Partition Magic v8 which supports XP. Would that help? (It's still in the shrink wrap.)

Is there a reason that you don't use other software in your arsenal to fix the MBR? (I'm thursty for knowledge.) I'm sure you have good reasons, which is why I've not gone rogue but rather await your support advice. I trust this forum & its staff.

TX

[Kestrel13!]

Quote:

I appreciate your continuing efforts on this.

No problem, we'll get to the bottom of it.

Quote:

I have a Q. What's the difference in FIXMBR and FIXBOOT in the MSFT recovery console?

FIXMBR is used to repair the Master Boot Record (MBR) of a harddisk. FIXBOOT is used to repair the boot records of a partition.

Quote:

I found on my software shelf a retail copy of Norton Partition Magic v8 which supports XP. Would that help? (It's still in the shrink wrap.)

Not sure yet. Let's see what my colleagues say. Also I want to see if Combofix finds anything nasty, so can we try running that?

Please download Combofix to your desktop. Please refer to these instructions prior to running.

Attach the log once done.

[TekNoGeek]

Quote:

Please download Combofix to your desktop. Please refer to these instructions prior to running.

Running in Safe Mode I ran Combofix. When I came back an hour later, it had locked up. (Remember, TDSSKiller does not run in safe mode either.) So I had to reboot.

Since I had to reboot, I used my XP CD to go into the Recovery console and ran FIXMBR.

Rebooted into Normal Mode and, as before, windows will auto re-boot before everything finished initializing.

Booted back into Safe Mode With Networking. Ran MBRcheck. Boot sector stilll faked. Connected network cable and after a few minutes, the net card's activity lite went bonkers! Disconendted the cable.

Ran your software again. Logs attached. Everything looks clean except for the MBR (OK, I didn't look at MGT logs).

I decided to check my Network Connections under Control Panel. When trying to display the Connection Status window, it shows me the Connection Properties window! So that ^%@$ virus got me there too. Will look into that later.

An additional GOTCHA from that virus is that it corrupted my Windows Firewall by changing/deleting registry entries. It would not launch. So I ran a .REG file from MSFT KB920074. That got the Windows Firewall operational, but I lost all of my settings (like for my HP scanner). I was able to copy the needed registry entries from my good PC to the problem PC. So the firewall settings now match that of my good PC. However, when I click on the firewall's Advance tab, I get "The network connection settings have become corrupted..." I found a download from another support forum that fixed this for another user. I will try that tomorrow. My brain has now turned to mush.

Just wanted to give you an update.

A couple of Q's for you please...

1. Why do you choose to not use the option in MBRCHECK or RogueKiller to repair the MBR? I'm sure you have your tried & true reasons. Just curious.
2. I'm sure you noticed in the Hitman log that there's a hook in the ATAPI.SYS. Is that where the virus is hiding? I may be in a catch-22 scenerio here. I clean the boot sector virus, but when I startup windows, the disk driver hook puts it back?

PS
Because my PC is out of commission, I had to MANUALLY write a check today! My first time in years & years. Oh the horror!